TLS & HTTPS Guide

Automatic TLS & HTTPS

Free Let's Encrypt certificates, automatic renewal, OCSP stapling and the version floor.

ARC2 Proxy terminates TLS at the edge. Certificates are issued from Let's Encrypt over the HTTP-01 challenge the first time a verified hostname is seen, renewed automatically well before expiry, and served with OCSP stapling so clients don't make a separate revocation round-trip.

What you control

lets_encrypt_contact_email — the contact address registered with the ACME account.
proxy_min_tls_version — the minimum TLS version the proxy will negotiate with clients.
redirect_to_https — upgrade plain-HTTP visitors to HTTPS for a domain.

🛡️Modern by default

The negotiated floor defaults to TLS 1.3. Only lower it if you must support genuinely ancient clients — every step down weakens every connection to that proxy.

← Back to all documentation