HTTPS (TLS/SSL)
The datalust/seq
container can serve its web user interface and event ingestion endpoint over HTTPS. This page documents how to configure Seq to serve HTTPS directly. Another deployment option may be to use a reverse proxy to terminate SSL for you. This may let you take advantage of more advanced certificate management features provided by the proxy.
Seq always uses 443 as the HTTPS API port and 45341 as the HTTPS ingestion port.
To configure HTTPS for Seq, you'll first need a certificate for the hostname that Seq is listening on. That is, if you want to use Seq at https://seq.example.com
then you'll need an SSL certificate for that domain.
For TLS to provide effective security, you need to ensure that both the apps writing log events, and the client machines used to browse to Seq web user interface, trust the certificate assigned to the Seq server.
It is possible to disable certificate validation in apps, or ignore certificate validation warnings in web browsers, but in both of these cases it is unlikely TLS provides any material protection against an observer intercepting communication with the server.
Certificates can be stored in the container-local /data/Certificates
directory. Adding certificates at the following paths will cover both the regular UI and limited ingestion port:
/data/Certificates/443.pfx
or.pem
/data/Certificates/45341.pfx
or.pem
Configuring a PEM private key file
By default, if the certificate has a .pem
extension, Seq will assume that the private key for the certificate is included in the same file.
To configure a separate private key file, place it in a file alongside the certificate with -key
included in the filename, such as:
/data/Certificates/443-key.pem
/data/Certificates/45341-key.pem
Configuring a PFX file password
Seq can find the password to open the certificate file through the certificates.defaultPassword
configuration value. This can either be passed using the SEQ_CERTIFICATES_DEFAULTPASSWORD
environment variable, with seq secret set
, or in an init scripts using seqsvr secret set
:
#!/bin/bash
cat /my/default-password.txt | seqsvr secret set -k certificates.defaultPassword --value-stdin
rm /my/default-password.txt
Updated 7 months ago