TLS

This section explains how to add TLS support on Squest.

The TLS endpoint is managed by a reverse proxy on top of the default web server. This is not the only way to handle this part. Many tools like Nginx, Apache or Traefik could be used, and you are free to use the one you want instead of this proposed configuration. The only recommendation we have is to keep the default nginx web server as main http entrypoint.

TLS using Caddy

Caddy is a powerful webserver written in Go which provide a reverse proxy feature.

In the example below, we'll use self-signed certificate. Follow the official documentation if you want to configure it to use an ACME like "Let's Encrypt" instead.

Place your certificate and key file in the folder docker/certs.

E.g:

docker
├── Caddyfile
├── certs
│    ├── squest.crt
│    └── squest.key

Update the docker/Caddyfile with the FQDN of your server. By default, the FQDN is set to squest.domain.local

squest.domain.local {   # This line should match the ALLOWED_HOSTS in your Squest environment
    reverse_proxy nginx:8080
    encode gzip zstd
    tls /etc/ssl/private/squest.crt /etc/ssl/private/squest.key
    # or:
    # tls /etc/ssl/private/cert.pem

    log {
      level error
    }
}

Update the ALLOWED_HOSTS environment variable from the configuration file docker/environment_variables/squest.env to match your FQDN.

ALLOWED_HOSTS=squest.domain.local

Start docker compose with the TLS configuration:

docker-compose -f dev-env.docker-compose.yml -f full-env.docker-compose.yml -f tls.docker-compose.yml up

The squest service is then reachable via HTTP and HTTPS standard ports (80/443).

• http://squest.domain.local
• https://squest.domain.local