# Direct TLS

If you prefer not to run a reverse proxy, ApiMeld can terminate TLS directly using a certificate you supply. This is an alternative to the reverse proxy setup — use one or the other, not both.
## PEM certificate (recommended)

Mount a directory containing your certificate and private key:

```bash
docker run -d \
  -p 8443:8443 \
  -v /path/to/certs:/certs:ro \
  -e TLS_ENABLED=true \
  -e TLS_CERT_PATH=/certs/cert.pem \
  -e TLS_KEY_PATH=/certs/key.pem \
  ...
```

## PFX / PKCS#12 certificate

```bash
docker run -d \
  -p 8443:8443 \
  -v /path/to/certs:/certs:ro \
  -e TLS_ENABLED=true \
  -e TLS_CERT_PATH=/certs/cert.pfx \
  -e TLS_CERT_PASSWORD=your-pfx-password \
  ...
```

Omit `TLS_CERT_PASSWORD` if the PFX is not password-protected.
## Custom port

The default HTTPS port is 8443. Override it with `TLS_PORT`:

```bash
  -e TLS_PORT=443 \
  -p 443:443
```

**Running on port 443:** Ports below 1024 require elevated privileges, and the container runs as a non-root user by default. Either use a higher port and have your DNS point there, or use a reverse proxy for standard port 443.
## Let's Encrypt with Certbot

Certbot writes PEM files to `/etc/letsencrypt/live/<domain>/`. Mount that directory read-only:

```bash
docker run -d \
  -p 8443:8443 \
  -v /etc/letsencrypt/live/tasks.example.com:/certs:ro \
  -e TLS_ENABLED=true \
  -e TLS_CERT_PATH=/certs/fullchain.pem \
  -e TLS_KEY_PATH=/certs/privkey.pem \
  ...
```

**Certificate renewal:** Certbot rotates certificates automatically, but the container must be restarted to pick up the new files. Add a renewal hook:
```bash
#!/bin/bash
# /etc/letsencrypt/renewal-hooks/deploy/restart-apimeld.sh
docker restart apimeld
```
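The one-line hook restarts the container on every Certbot deploy, whether or not the renewed lineage is the one ApiMeld serves, and before anything has checked that the new files are usable. The following is an added example, not ApiMeld's own script, of a more defensive hook. It assumes the container is named `apimeld` and serves `tasks.example.com` (both taken from the examples on this page), and uses the `RENEWED_LINEAGE` and `RENEWED_DOMAINS` variables that Certbot exports to deploy hooks.

```shell
#!/bin/bash
# Added example, not ApiMeld's own script: a Certbot deploy hook that only
# restarts the container when the right lineage was renewed and the new
# certificate and key actually fit together.
# Container name and domain are placeholders from this page's examples.
set -eu

CONTAINER_NAME="${CONTAINER_NAME:-apimeld}"
SERVED_DOMAIN="${SERVED_DOMAIN:-tasks.example.com}"

# Return 0 if the domain ApiMeld serves is among the renewed domains.
# Certbot runs deploy hooks for every lineage on the host, so without this
# check an unrelated renewal would restart ApiMeld for nothing.
domain_renewed() {
  renewed_list="$1"
  wanted="$2"
  for d in $renewed_list; do
    [ "$d" = "$wanted" ] && return 0
  done
  return 1
}

# Return 0 if the public key inside the certificate equals the public key
# derived from the private key. Restarting with a mismatched pair would
# leave ApiMeld unable to start its listener.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate stays valid for at least N seconds
# (openssl -checkend exits non-zero if it expires sooner than that).
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

main() {
  lineage="${RENEWED_LINEAGE:-/etc/letsencrypt/live/$SERVED_DOMAIN}"
  domains="${RENEWED_DOMAINS:-$SERVED_DOMAIN}"

  if ! domain_renewed "$domains" "$SERVED_DOMAIN"; then
    echo "renewal did not include $SERVED_DOMAIN; not restarting" >&2
    exit 0
  fi
  if ! cert_matches_key "$lineage/fullchain.pem" "$lineage/privkey.pem"; then
    echo "fullchain.pem and privkey.pem do not match; refusing to restart" >&2
    exit 1
  fi
  if ! cert_valid_for "$lineage/fullchain.pem" 86400; then
    echo "renewed certificate expires within a day; refusing to restart" >&2
    exit 1
  fi
  docker restart "$CONTAINER_NAME"
}

# Run main only when executed under the hook's own file name, so the
# functions above can also be sourced and exercised on their own.
case "${0##*/}" in
  restart-apimeld.sh) main "$@" ;;
esac
```

Install it at `/etc/letsencrypt/renewal-hooks/deploy/restart-apimeld.sh` and make it executable as shown for the simpler hook; to exercise it by hand, run it with `RENEWED_DOMAINS` and `RENEWED_LINEAGE` set to the lineage you want to test. One caveat when combining this with the mount shown above: the files in `live/<domain>/` are symlinks into `../../archive/<domain>/`, so if the container only sees the `live/<domain>` directory the links will not resolve inside it; mounting `/etc/letsencrypt` (or `archive` alongside `live`) avoids that.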
Make the hook executable:

```bash
chmod +x /etc/letsencrypt/renewal-hooks/deploy/restart-apimeld.sh
```

## HSTS
In direct TLS mode, ApiMeld automatically adds:

```
Strict-Transport-Security: max-age=31536000; includeSubDomains
```

This tells browsers to always use HTTPS for your domain for one year. Make sure HTTPS is fully working before enabling direct TLS mode, as HSTS is hard to undo once browsers cache it.
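Because the policy is hard to undo, it pays to check the certificate offline before switching `TLS_ENABLED` on, and to confirm the header once the server is up. The following is an added example, not part of ApiMeld: it checks that the certificate names the host and that its chain verifies, and parses the HSTS header out of a captured response. The host name and port are the placeholders used on this page; the `-ext` option to `openssl x509` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/bash
# Added example, not ApiMeld's own tooling: checks to run before and after
# enabling direct TLS. Host and port are placeholders from this page.
set -eu

# Return 0 if the certificate's subjectAltName lists the given DNS name.
# A certificate that does not name the host is rejected by browsers, and
# once HSTS is cached there is no click-through past that error.
cert_covers_host() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# Return 0 if the first certificate in the file verifies up to a trusted
# root, using the rest of the file (fullchain.pem's intermediates) as the
# untrusted chain. Pass a CA file as the second argument to verify against
# a private root instead of the system store.
chain_verifies() {
  if [ "$#" -ge 2 ]; then
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
  else
    openssl verify -untrusted "$1" "$1" >/dev/null 2>&1
  fi
}

# Print the max-age value from a block of HTTP response headers, or
# nothing if there is no Strict-Transport-Security header.
hsts_max_age() {
  printf '%s\n' "$1" | tr -d '\r' \
    | grep -i '^strict-transport-security:' \
    | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if the headers carry the policy ApiMeld sends in direct TLS mode:
# a max-age of at least one year together with includeSubDomains.
hsts_ok() {
  age=$(hsts_max_age "$1")
  [ -n "$age" ] && [ "$age" -ge 31536000 ] \
    && printf '%s\n' "$1" | tr -d '\r' \
       | grep -i '^strict-transport-security:' | grep -qi 'includeSubDomains'
}

# Offline check of the files you are about to mount, e.g.
#   preflight /etc/letsencrypt/live/tasks.example.com/fullchain.pem tasks.example.com
preflight() {
  cert_covers_host "$1" "$2" || { echo "certificate does not name $2" >&2; return 1; }
  chain_verifies "$1" || { echo "certificate chain does not verify" >&2; return 1; }
  echo "certificate OK for $2"
}

# Live check once the container is up: curl only returns headers if the
# chain and host name validate, and the policy itself is then checked.
live_check() {
  host="$1"; port="${2:-8443}"
  headers=$(curl -sSI --max-time 10 "https://$host:$port/") || return 1
  hsts_ok "$headers" || { echo "HSTS header missing or weaker than expected" >&2; return 1; }
  echo "HSTS policy present on $host:$port"
}
```

Run `preflight` against the mounted `fullchain.pem` before setting `TLS_ENABLED=true`, and `live_check tasks.example.com 8443` afterwards; only when both pass does it make sense to point production clients at the new listener.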