TLS And Proxies

  • A public URL for browser and OIDC flows
  • Either native certificate/key files or a fronting proxy

Native TLS:

[server]
http_addr = ":6743"
public_url = "https://oriel.example.com"
[server.tls]
cert_file = "/etc/oriel/tls/fullchain.pem"
key_file = "/etc/oriel/tls/key.pem"

Proxy TLS:

[server]
http_addr = "127.0.0.1:6743"
public_url = "https://oriel.example.com"

Plaintext listeners are allowed on loopback. Plaintext non-loopback binds are rejected unless server.insecure = true.

The session cookie is marked Secure when native TLS is enabled or when server.public_url starts with https://.
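The listener and cookie rules above, written out as a small Go check. This is an added illustration, not the project's own code; the ServerConfig field names are assumed and simply mirror the TOML keys on this page.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ServerConfig holds the [server] keys used on this page (assumed struct shape).
type ServerConfig struct {
	HTTPAddr  string // server.http_addr
	PublicURL string // server.public_url
	Insecure  bool   // server.insecure
	CertFile  string // server.tls.cert_file
	KeyFile   string // server.tls.key_file
}

// NativeTLS reports whether a certificate and key are both configured.
func (c ServerConfig) NativeTLS() bool { return c.CertFile != "" && c.KeyFile != "" }

// isLoopbackBind reports whether addr binds only a loopback interface.
// ":6743" (empty host) binds every interface and is therefore not loopback.
func isLoopbackBind(addr string) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil || host == "" {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// Validate applies the listener rule: plaintext is allowed on loopback, and a
// plaintext non-loopback bind is rejected unless server.insecure = true.
func (c ServerConfig) Validate() error {
	if c.NativeTLS() || isLoopbackBind(c.HTTPAddr) || c.Insecure {
		return nil
	}
	return fmt.Errorf("plaintext listener on non-loopback %q: configure server.tls or set server.insecure = true", c.HTTPAddr)
}

// SecureCookie mirrors the cookie rule: Secure when native TLS is enabled or
// server.public_url starts with https://.
func (c ServerConfig) SecureCookie() bool {
	return c.NativeTLS() || strings.HasPrefix(c.PublicURL, "https://")
}

func main() {
	proxy := ServerConfig{HTTPAddr: "127.0.0.1:6743", PublicURL: "https://oriel.example.com"}
	fmt.Println(proxy.Validate(), proxy.SecureCookie()) // <nil> true
}
```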

For proxy deployments that should expose one public HTTP port for both the UI/API and OTLP/HTTP, enable the all-in-one same-port ingest path:

[ingest]
http_on_server = true

This mounts OTLP/HTTP on server.http_addr under /v1/traces, /v1/logs, and /v1/metrics when running oriel serve --role=all. OTLP gRPC remains on ingest.grpc_addr unless you proxy it separately, and the dedicated ingest.http_addr listener remains enabled by default.

oriel --config /etc/oriel/oriel.toml doctor

Confirm that the doctor's TLS checks report either native TLS enabled or, for proxy deployments, a plaintext loopback listener.

  • If browser login works on HTTP but fails through the proxy, check server.public_url.
  • If OIDC callback generation fails, set server.public_url or explicit provider redirect_url.
  • If a service fails to bind on a public plaintext address, configure TLS or set server.insecure = true only when the network boundary is trusted.