datalust/seq container can serve its web user interface and event ingestion endpoint over HTTPS.
To configure HTTPS for Seq, you'll first need a certificate for the hostname that Seq is listening on. That is, if you want to use Seq at
https://seq.example.com then you'll need an SSL certificate for that domain.
For TLS to provide effective security, you need to ensure that both the apps writing log events, and the client machines used to browse to Seq web user interface, trust the certificate assigned to the Seq server.
It is possible to disable certificate validation in apps, or ignore certificate validation warnings in web browsers, but in both of these cases it is unlikely TLS provides any material protection against an observer intercepting communication with the server.
Certificates can be stored in the container-local
/data/Certificates directory. Adding certificates at the following paths will cover both the regular UI and limited ingestion port:
By default, if the certificate has a
.pem extension, Seq will assume that the private key for the certificate is included in the same file.
To configure a separate private key file, place it in a file alongside the certificate with
-key included in the filename, such as:
Seq can find the password to open the certificate file through the
certificates.defaultPassword configuration value. This can either be passed using the
SEQ_CERTIFICATES_DEFAULTPASSWORD environment variable, with
seq secret set, or in an init scripts using
seqsvr secret set:
#!/bin/bash cat /my/default-password.txt | seqsvr secret set -k certificates.defaultPassword --value-stdin rm /my/default-password.txt
Updated over 1 year ago