---
title: SSL/TLS termination
url: https://www.tines.com/docs/self-hosted/configuring-tines/ssltls-termination/
updated: 2026-03-18T10:01:48+00:00
---

# SSL/TLS termination

This guide explains how to configure Tines to terminate SSL/TLS connections directly on the `tines-app` container, eliminating the need for a reverse proxy like Nginx.

## Prerequisites

Before enabling SSL termination on `tines-app`, ensure you have:

- SSL certificate file (`tines-app.crt`)
- Private key file (`tines-app.key`)
- Both files must be accessible to the `tines-app` container

## Quick Start

### 1 - Generate or obtain SSL certificates

Place your SSL certificate and private key in the application directory:

```bash
# Self-signed certificate (for testing only)
openssl req -x509 -newkey rsa:4096 -keyout tines-app.key \
  -out tines-app.crt -days 365 -nodes \
  -subj "/CN=your-domain.com"

# Production: Use certificates from your certificate authority
cp /path/to/your/certificate.crt tines-app.crt
cp /path/to/your/private-key.key tines-app.key
```

### 2 - Set file permissions

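```bash
# Note: 644 makes the private key readable by every user on the host,
# so restrict access to the directory that holds it.
chmod 644 tines-app.key
chmod 644 tines-app.crt
```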

### 3 - Provide files to container

The following files are checked at startup:

- **Certificate**: `/home/tines/tines/tines-app.crt`
- **Private Key**: `/home/tines/tines/tines-app.key`

If both files exist, SSL will be enabled automatically. In a Docker Compose installation, you can provide them via Docker volumes. Here is a sample `docker-compose.yml` service override for `tines-app`:

```yaml
services:
  tines-app:
    image: tines/tines-app:latest
    # ...other config...
    volumes:
      - ./tines-app.crt:/home/tines/tines/tines-app.crt:ro
      - ./tines-app.key:/home/tines/tines/tines-app.key:ro
    environment:
      - TINES_WEB_SSL_PORT=3001 # Set to desired HTTPS port
      # - TINES_WEB_SSL_CIPHERSUITES=... (optional)
      # - TINES_WEB_SSL_CIPHER_FILTER=... (optional)
```

Make sure the paths and permissions for your `.crt` and `.key` files are correct.

### 4 - Start Tines

The `tines-app` container will automatically detect the certificate files and enable SSL. The HTTPS server will be available on port 3001 by default.
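A pre-flight check for steps 1 to 4, as an added example that is not part of the Tines documentation: because SSL is enabled whenever both files exist, it confirms before startup that the certificate and key parse, belong together, are not about to expire, and cover the hostname clients will use. The function name `check_tines_tls` and its exit codes are assumptions of this example.

```bash
# Added example, not part of the Tines documentation.
# check_tines_tls is a hypothetical helper; the exit codes are this example's own.
# Usage: check_tines_tls CERT KEY [MIN_DAYS] [HOSTNAME]
check_tines_tls() {
  local crt="$1" key="$2" min_days="${3:-30}" host="${4:-}"
  local crt_pub key_pub

  # 2: a file is missing, unreadable, or cannot be parsed (an encrypted
  #    key also lands here, because this check supplies no passphrase).
  [ -r "$crt" ] && [ -r "$key" ] || { echo "missing or unreadable file" >&2; return 2; }
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
    { echo "not a valid certificate: $crt" >&2; return 2; }
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
    { echo "cannot load private key: $key" >&2; return 2; }

  # 3: the public key in the certificate differs from the one derived
  #    from the private key, so the pair does not belong together.
  [ "$crt_pub" = "$key_pub" ] ||
    { echo "certificate and private key do not match" >&2; return 3; }

  # 4: the certificate expires within MIN_DAYS days (or already has).
  openssl x509 -in "$crt" -noout -checkend "$((min_days * 86400))" >/dev/null ||
    { echo "certificate expires within $min_days days" >&2; return 4; }

  # 5: the certificate does not cover the hostname clients connect to.
  if [ -n "$host" ]; then
    openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q "does match" ||
      { echo "certificate does not cover $host" >&2; return 5; }
  fi
  echo "ok: $crt and $key are a valid pair"
}
```

Run it from the directory that holds the files, for example `check_tines_tls tines-app.crt tines-app.key 30 your-domain.com`, and start the container only when it returns 0.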

## ENV Configuration

- `TINES_WEB_SSL_PORT` - Port for HTTPS connections. Default when not provided: `3001`
- `TINES_WEB_SSL_CIPHERSUITES` - TLS 1.3 cipher suites (colon-separated)
- `TINES_WEB_SSL_CIPHER_FILTER` - TLS 1.2 and earlier ciphers (colon-separated)

### Disabling Weak Ciphers

To explicitly exclude weak or compromised ciphers, use the `!` operator:

```bash
# Exclude all CBC mode ciphers
TINES_WEB_SSL_CIPHER_FILTER="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!CBC"

# Exclude RC4, MD5, and export ciphers (with an explicit allowlist)
TINES_WEB_SSL_CIPHER_FILTER="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!RC4:!MD5:!EXPORT"

# Exclude CBC, RC4, and MD5 from the OpenSSL default set:
TINES_WEB_SSL_CIPHER_FILTER="DEFAULT:!CBC:!RC4:!MD5"
```

## Testing Your Configuration

### Test SSL/TLS Connection

```bash
openssl s_client -connect your-server:3001 -tls1_3
openssl s_client -connect your-server:3001 -tls1_2
```

### Scan Available Ciphers

Using `nmap`:

```bash
nmap --script ssl-enum-ciphers -p 3001 your-server
```
