SSL/TLS Termination on tines-app

This guide explains how to configure Tines to terminate SSL/TLS connections directly on the `tines-app` container, eliminating the need for a reverse proxy like Nginx.

Prerequisites 

Before enabling SSL termination on `tines-app`, ensure you have:

  • SSL certificate file (tines-app.crt)

  • Private key file (tines-app.key)

  • Both files must be accessible to the `tines-app` container

Quick Start 

1 - Generate or obtain SSL certificates 

Place your SSL certificate and private key in the application directory:

# Self-signed certificate (for testing only)
openssl req -x509 -newkey rsa:4096 -keyout tines-app.key \
  -out tines-app.crt -days 365 -nodes \
  -subj "/CN=your-domain.com"

# Production: Use certificates from your certificate authority
cp /path/to/your/certificate.crt tines-app.crt
cp /path/to/your/private-key.key tines-app.key

2 - Set file permissions 

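chmod 644 tines-app.key
chmod 644 tines-app.crt

Mode 644 leaves the private key readable by every local user on the host, so keep both files in a directory that other accounts cannot access.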

3 - Provide files to container 

The following files are checked at startup:

  • Certificate: /home/tines/tines/tines-app.crt

  • Private Key: /home/tines/tines/tines-app.key

If both files exist, SSL will be enabled automatically. In a Docker Compose installation, you can provide them via Docker volumes. Here is a sample docker-compose.yml service override for tines-app:

services:
  tines-app:
    image: tines/tines-app:latest
    # ...other config...
    volumes:
      - ./tines-app.crt:/home/tines/tines/tines-app.crt:ro
      - ./tines-app.key:/home/tines/tines/tines-app.key:ro
    environment:
      - TINES_WEB_SSL_PORT=3001 # Set to desired HTTPS port
      # - TINES_WEB_SSL_CIPHERSUITES=... (optional)
      # - TINES_WEB_SSL_CIPHER_FILTER=... (optional)

Make sure the paths and permissions for your .crt and .key files are correct.

4 - Start Tines 

The tines-app container will automatically detect the certificate files and enable SSL. The HTTPS server will be available on port 3001 by default.

ENV Configuration 

  • TINES_WEB_SSL_PORT - Port for HTTPS connections. Default when not provided: 3001

  • TINES_WEB_SSL_CIPHERSUITES - TLS 1.3 cipher suites (colon-separated)

  • TINES_WEB_SSL_CIPHER_FILTER - TLS 1.2 and earlier ciphers (colon-separated)

Disabling Weak Ciphers 

To explicitly exclude weak or compromised ciphers, use the ! operator:

# Exclude all CBC mode ciphers
TINES_WEB_SSL_CIPHER_FILTER="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!CBC"

# Exclude RC4, MD5, and export ciphers (with an explicit allowlist)
TINES_WEB_SSL_CIPHER_FILTER="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!RC4:!MD5:!EXPORT"

# Exclude CBC, RC4, and MD5 from the OpenSSL default set:
TINES_WEB_SSL_CIPHER_FILTER="DEFAULT:!CBC:!RC4:!MD5"
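The filter strings above can be expanded locally before deployment to see which suites they actually permit. This is an added example, not part of the Tines documentation: it assumes TINES_WEB_SSL_CIPHER_FILTER is passed to OpenSSL as a standard cipher list string, the function names are illustrative, and the result reflects the OpenSSL build linked into the local Python, which may differ from the one inside the container.

```python
import ssl

# Cipher filter strings copied from the examples above.
PAGE_FILTERS = [
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!CBC",
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!RC4:!MD5:!EXPORT",
    "DEFAULT:!CBC:!RC4:!MD5",
]


def expand_cipher_filter(cipher_filter):
    """Return the TLS 1.2-and-earlier suites local OpenSSL selects for the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_filter)  # raises ssl.SSLError if no suite matches
    # get_ciphers() also lists TLS 1.3 suites, which this string does not control.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_reasons(cipher):
    """Explain why one get_ciphers() entry is weak; an empty list means no finding."""
    reasons = []
    name = cipher["name"].upper()
    # CBC suites do not carry "CBC" in their OpenSSL name, so rely on the AEAD flag.
    if not cipher.get("aead", False):
        reasons.append("not AEAD (CBC or stream cipher)")
    if "RC4" in name:
        reasons.append("RC4")
    if "MD5" in name:
        reasons.append("MD5")
    return reasons


def audit_filter(cipher_filter):
    """Map each weak suite that survives the filter to the reasons it was flagged."""
    findings = {}
    for cipher in expand_cipher_filter(cipher_filter):
        reasons = weak_reasons(cipher)
        if reasons:
            findings[cipher["name"]] = reasons
    return findings


if __name__ == "__main__":
    for cipher_filter in PAGE_FILTERS:
        suites = expand_cipher_filter(cipher_filter)
        print(f"{cipher_filter}\n  {len(suites)} suites enabled")
        for name, reasons in audit_filter(cipher_filter).items():
            print(f"  WEAK {name}: {', '.join(reasons)}")
```

OpenSSL skips cipher string keywords it does not recognise, so a flagged suite in the output means an exclusion did not take effect on that build.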

Testing Your Configuration 

Test SSL/TLS Connection 

openssl s_client -connect your-server:3001 -tls1_3
openssl s_client -connect your-server:3001 -tls1_2

Scan Available Ciphers 

Using nmap:

nmap --script ssl-enum-ciphers -p 3001 your-server