HTTPS
Enable TLS encryption with built-in HTTPS or a reverse proxy.
Comicarr supports HTTPS natively through CherryPy's built-in TLS, but a reverse proxy is the recommended approach for production deployments.
Reverse proxy recommended
A reverse proxy (nginx, Caddy, Traefik) handles certificate renewal automatically, supports HTTP/2, and keeps TLS configuration outside your application. Use built-in HTTPS only if a reverse proxy is not an option.
Built-in HTTPS
Enable TLS directly in Comicarr by setting these values in config.ini or through Settings > General:
| Setting | Description |
|---|---|
ENABLE_HTTPS | Set to True to enable built-in HTTPS |
HTTPS_CERT | Path to the SSL certificate file (PEM format) |
HTTPS_KEY | Path to the private key file (PEM format) |
HTTPS_CHAIN | Path to the certificate chain file (optional) |
Self-Signed Certificate
For testing or internal networks, generate a self-signed certificate:
openssl req -x509 -newkey rsa:4096 -nodes \
-keyout /config/ssl/server.key \
-out /config/ssl/server.crt \
-days 365 \
-subj "/CN=comicarr"Then configure Comicarr:
[General]
ENABLE_HTTPS = True
HTTPS_CERT = /config/ssl/server.crt
HTTPS_KEY = /config/ssl/server.keyReverse Proxy
Caddy handles certificate provisioning and renewal automatically via Let's Encrypt.
comics.example.com {
reverse_proxy comicarr:8090
}server {
listen 443 ssl;
server_name comics.example.com;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
location / {
proxy_pass http://comicarr:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}services:
comicarr:
labels:
- "traefik.enable=true"
- "traefik.http.routers.comicarr.rule=Host(`comics.example.com`)"
- "traefik.http.routers.comicarr.tls.certresolver=letsencrypt"
- "traefik.http.services.comicarr.loadbalancer.server.port=8090"When using a reverse proxy, leave ENABLE_HTTPS set to False in Comicarr. The proxy terminates TLS and forwards plain HTTP to port 8090.