Commit 28cad97

author
Ignacio Van Droogenbroeck
committed
docs: Add TLS/SSL configuration section
Add documentation for native HTTPS/TLS support:
- TLS configuration options (tls_enabled, tls_cert_file, tls_key_file)
- Environment variables (ARC_SERVER_TLS_*)
- Usage guidance for native packages vs Docker/Kubernetes
- Production (TLS) example configuration
1 parent 34579cb commit 28cad97

1 file changed

Lines changed: 60 additions & 1 deletion

docs/configuration/overview.md

@@ -76,6 +76,9 @@ Override any setting via environment variables with the `ARC_` prefix:
7676
```bash
7777
# Server
7878
ARC_SERVER_PORT=8000
79+
ARC_SERVER_TLS_ENABLED=false
80+
ARC_SERVER_TLS_CERT_FILE=/path/to/cert.pem
81+
ARC_SERVER_TLS_KEY_FILE=/path/to/key.pem
7982

8083
# Logging
8184
ARC_LOG_LEVEL=info
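
Review bot: in the `# Server` block of the environment example, `ARC_SERVER_TLS_ENABLED=false` sits directly above populated `ARC_SERVER_TLS_CERT_FILE` and `ARC_SERVER_TLS_KEY_FILE` values, so the reader cannot tell whether those paths are read, validated or ignored while TLS is off. Suggest a one-line comment above the three variables stating whether the cert and key paths are consulted when TLS is disabled, or commenting out the two path lines so that copying the block verbatim does not leave placeholder paths like `/path/to/key.pem` in a live environment.
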
@@ -227,9 +230,39 @@ Basic HTTP server settings:
227230

228231
```toml
229232
[server]
230-
port = 8000 # HTTP port to listen on
233+
port = 8000 # HTTP/HTTPS port to listen on
231234
```
232235

236+
### TLS/SSL (HTTPS)
237+
238+
Arc supports native HTTPS/TLS without requiring a reverse proxy:
239+
240+
```toml
241+
[server]
242+
port = 443
243+
tls_enabled = true
244+
tls_cert_file = "/etc/letsencrypt/live/example.com/fullchain.pem"
245+
tls_key_file = "/etc/letsencrypt/live/example.com/privkey.pem"
246+
```
247+
248+
Environment variables:
249+
250+
```bash
251+
ARC_SERVER_TLS_ENABLED=true
252+
ARC_SERVER_TLS_CERT_FILE=/path/to/cert.pem
253+
ARC_SERVER_TLS_KEY_FILE=/path/to/key.pem
254+
```
255+
256+
:::tip When to Use Native TLS
257+
- **Native packages** (deb/rpm): Use native TLS for simple deployments
258+
- **Docker/Kubernetes**: Use a reverse proxy (Traefik, nginx, Ingress) for TLS termination
259+
- **Development**: Use self-signed certificates for local HTTPS testing
260+
:::
261+
262+
When TLS is enabled, Arc automatically:
263+
- Adds the `Strict-Transport-Security` (HSTS) header
264+
- Validates certificate and key files on startup
265+
233266
### Database (DuckDB)
234267

235268
DuckDB connection pool and resource settings:
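
Review bot: the closing list under "When TLS is enabled, Arc automatically:" is underspecified for operators. "Validates certificate and key files on startup" does not say what is checked (files exist, parse, key matches certificate, expiry) or whether a failed check stops the server or lets it start without TLS, and the HSTS bullet gives no header value such as `max-age` or `includeSubDomains`. Suggest documenting the failure behaviour and the exact `Strict-Transport-Security` value sent. It would also help to note beside the `/etc/letsencrypt/live/example.com/privkey.pem` example that the account Arc runs as needs read access to the key file and permission to bind `port = 443`.
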
@@ -426,6 +459,32 @@ s3_region = "us-east-1"
426459
[auth]
427460
enabled = true
428461

462+
[compaction]
463+
enabled = true
464+
hourly_enabled = true
465+
```
466+
467+
</TabItem>
468+
<TabItem value="prod-tls" label="Production (TLS)">
469+
470+
```toml
471+
[server]
472+
port = 443
473+
tls_enabled = true
474+
tls_cert_file = "/etc/letsencrypt/live/example.com/fullchain.pem"
475+
tls_key_file = "/etc/letsencrypt/live/example.com/privkey.pem"
476+
477+
[log]
478+
level = "info"
479+
format = "json"
480+
481+
[storage]
482+
backend = "local"
483+
local_path = "/var/lib/arc/data"
484+
485+
[auth]
486+
enabled = true
487+
429488
[compaction]
430489
enabled = true
431490
hourly_enabled = true
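
Review bot: the new `prod-tls` tab repeats the full `[log]`, `[auth]` and `[compaction]` sections and switches `[storage]` to `backend = "local"`, while the tab just before it (per the hunk context, `s3_region = "us-east-1"`) uses S3, so the two production examples differ in more than TLS. A reader comparing the tabs may conclude that native TLS implies local storage. Suggest either keeping the storage section identical to the preceding production tab, or adding a short sentence above the block saying that only the `[server]` section is TLS-specific and the rest is an unrelated single-node example.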
