TLS encryption

note

TLS encryption is Enterprise only.

TLS can be enabled globally for all QuestDB interfaces, or selectively for individual endpoints. Per-endpoint settings override the global configuration.

For OIDC-specific TLS settings (keystore, certificate validation), see the OIDC configuration.

Global

tls.cert.path

  • Default: none
  • Reloadable: no

Path to the certificate used for TLS encryption globally. The certificate should be DER-encoded and saved in PEM format.

tls.enabled

  • Default: false
  • Reloadable: no

Enables or disables TLS encryption globally for all QuestDB interfaces.

tls.private.key.path

  • Default: none
  • Reloadable: no

Path to the private key used for TLS encryption globally.

HTTP server

These settings override the global TLS settings for the HTTP server only.

http.tls.cert.path

  • Default: none
  • Reloadable: no

Path to the certificate used for TLS encryption for the HTTP server only. The certificate should be DER-encoded and saved in PEM format.

http.tls.enabled

  • Default: false
  • Reloadable: no

Enables or disables TLS encryption for the HTTP server only.

http.tls.private.key.path

  • Default: none
  • Reloadable: no

Path to the private key used for TLS encryption for the HTTP server only.

Minimal HTTP server

http.min.tls.cert.path

  • Default: none
  • Reloadable: no

Path to the certificate used for TLS encryption for the minimal HTTP server only. The certificate should be DER-encoded and saved in PEM format.

http.min.tls.enabled

  • Default: false
  • Reloadable: no

Enables or disables TLS encryption for the minimal HTTP server only.

http.min.tls.private.key.path

  • Default: none
  • Reloadable: no

Path to the private key used for TLS encryption for the minimal HTTP server only.

ILP over TCP

line.tcp.tls.cert.path

  • Default: none
  • Reloadable: no

Path to the certificate used for TLS encryption for ILP over TCP only. The certificate should be DER-encoded and saved in PEM format.

line.tcp.tls.enabled

  • Default: false
  • Reloadable: no

Enables or disables TLS encryption for ILP over TCP only.

line.tcp.tls.private.key.path

  • Default: none
  • Reloadable: no

Path to the private key used for TLS encryption for ILP over TCP only.