> ## Documentation Index
> Fetch the complete documentation index at: https://developer.verilock.io/llms.txt
> Use this file to discover all available pages before exploring further.

# SSL / HTTPS

> Configure HTTPS for your Verilock Identity instance

The Verilock container serves HTTP on port 8080. For production, you should terminate SSL with a reverse proxy.

## Option 1: Caddy (Recommended)

Caddy provides automatic HTTPS with Let's Encrypt.

Add to your `docker-compose.yml`:

```yaml theme={null}
  caddy:
    image: caddy:2-alpine
    container_name: verilock-caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy-data:/data
      - caddy-config:/config
    depends_on:
      - app
    networks:
      - verilock
```

Add volumes:

```yaml theme={null}
volumes:
  caddy-data:
  caddy-config:
```

Create a `Caddyfile`:

```
kyc.your-domain.com {
    reverse_proxy app:80
}
```

Then update your `.env`:

```env theme={null}
APP_URL=https://kyc.your-domain.com
APP_PORT=127.0.0.1:8080    # Only expose internally
```

```bash theme={null}
docker compose up -d caddy
```

<Info>
  Caddy automatically obtains and renews TLS certificates from Let's Encrypt. No configuration needed.
</Info>

## Option 2: Nginx Reverse Proxy

If you already have an Nginx reverse proxy:

```nginx theme={null}
server {
    listen 443 ssl http2;
    server_name kyc.your-domain.com;

    ssl_certificate     /etc/ssl/certs/your-cert.pem;
    ssl_certificate_key /etc/ssl/private/your-key.pem;

    client_max_body_size 50M;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 300;
    }
}

server {
    listen 80;
    server_name kyc.your-domain.com;
    return 301 https://$server_name$request_uri;
}
```

## Option 3: Traefik

If you use Traefik as your ingress controller, add labels to the `app` service:

```yaml theme={null}
  app:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.verilock.rule=Host(`kyc.your-domain.com`)"
      - "traefik.http.routers.verilock.entrypoints=websecure"
      - "traefik.http.routers.verilock.tls.certresolver=letsencrypt"
      - "traefik.http.services.verilock.loadbalancer.server.port=80"
```

## Trusted Proxies

When behind a reverse proxy, update your `.env` to trust the proxy headers:

```env theme={null}
# Trust all proxies in Docker network
TRUSTED_PROXIES=*
```
