The datalust/seq container can serve its web user interface and event ingestion endpoint over HTTPS. This page documents how to configure Seq to serve HTTPS directly. Another deployment option may be to use a reverse proxy to terminate SSL for you. This may let you take advantage of more advanced certificate management features provided by the proxy.


Seq always uses 443 as the HTTPS API port and 45341 as the HTTPS ingestion port.

To configure HTTPS for Seq, you'll first need a certificate for the hostname that Seq is listening on. That is, if you want to use Seq at then you'll need an SSL certificate for that domain.


For TLS to provide effective security, you need to ensure that both the apps writing log events, and the client machines used to browse to Seq web user interface, trust the certificate assigned to the Seq server.

It is possible to disable certificate validation in apps, or ignore certificate validation warnings in web browsers, but in both of these cases it is unlikely TLS provides any material protection against an observer intercepting communication with the server.

Certificates can be stored in the container-local /data/Certificates directory. Adding certificates at the following paths will cover both the regular UI and limited ingestion port:

  • /data/Certificates/443.pfx or .pem
  • /data/Certificates/45341.pfx or .pem

Configuring a PEM private key file

By default, if the certificate has a .pem extension, Seq will assume that the private key for the certificate is included in the same file.

To configure a separate private key file, place it in a file alongside the certificate with -key included in the filename, such as:

  • /data/Certificates/443-key.pem
  • /data/Certificates/45341-key.pem

Configuring a PFX file password

Seq can find the password to open the certificate file through the certificates.defaultPassword configuration value. This can either be passed using the SEQ_CERTIFICATES_DEFAULTPASSWORD environment variable, with seq secret set, or in an init scripts using seqsvr secret set:

cat /my/default-password.txt | seqsvr secret set -k certificates.defaultPassword --value-stdin
rm /my/default-password.txt