From 75bb1478fbb1c9cb6f25635023ea270f07259766 Mon Sep 17 00:00:00 2001
From: Ellie Huxtable <ellie@atuin.sh>
Date: Thu, 22 Jan 2026 16:12:12 -0800
Subject: chore(deps)!: update tls deps, remove built-in tls server support
 (#3091)

Update reqwest from 0.12 to 0.13 and remove the built-in TLS termination
from atuin-server. Users should use a reverse proxy (nginx, caddy,
traefik) for TLS/HTTPS support instead.

This removes:
- axum-server and rustls dependencies
- The [tls] configuration section
- The launch_with_tls function

Also updates metrics-exporter-prometheus from 0.17 to 0.18.

The reverse proxy approach is standard and provides better flexibility
for certificate management. I'd rather keep our server stack as minimal
as possible.

<!-- Thank you for making a PR! Bug fixes are always welcome, but if
you're adding a new feature or changing an existing one, we'd really
appreciate if you open an issue, post on the forum, or drop in on
Discord -->

## Checks
- [ ] I am happy for maintainers to push small adjustments to this PR,
to speed up the review cycle
- [ ] I have checked that there are no existing pull requests for the
same thing
---
 docs/docs/self-hosting/server-setup.md | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

(limited to 'docs')

diff --git a/docs/docs/self-hosting/server-setup.md b/docs/docs/self-hosting/server-setup.md
index 942312fe..e983fa0b 100644
--- a/docs/docs/self-hosting/server-setup.md
+++ b/docs/docs/self-hosting/server-setup.md
@@ -56,11 +56,6 @@ You will need to map some sort of persistent volume for the /config directory an
 
 ### TLS
 
-The server supports TLS through the `[tls]` section:
+For TLS/HTTPS support, we recommend using a reverse proxy such as nginx, caddy, or traefik in front of the Atuin server. This is the standard approach for containerized applications and provides better flexibility for certificate management.
 
-```toml
-[tls]
-enable = true
-cert_path = "/path/to/letsencrypt/live/fully.qualified.domain/fullchain.pem"
-pkey_path = "/path/to/letsencrypt/live/fully.qualified.domain/privkey.pem"
-```
+> **Note:** The built-in `[tls]` configuration option has been removed. If you were previously using it, please migrate to a reverse proxy setup. Any existing `[tls]` sections in your config will be ignored.
-- 
cgit v1.3.1