Enable TLS by default

README.md

@@ -31,17 +31,25 @@ A lightweight Go service that acts as a middleware between Slack webhooks and nt
 3. **Configure Slack**:
    - Go to Slack Integrations → Incoming Webhooks
    - Add new webhook
-   - Webhook URL: `http://your-server-ip:8080/your-topic-name`
+   - Webhook URL: `https://your-server-ip:8080/your-topic-name`
 
 4. **Test the service**:
    ```bash
-   # Test webhook
-   curl -X POST http://localhost:8080/test-topic \
+   # Test webhook with HTTP (if TLS is disabled)
+   curl -X POST https://localhost:8080/test-topic \
         -H 'Content-Type: application/json' \
         -d '{"text": "Test alert from Slack to ntfy"}'
-   
-   # Check health
+
+   # Test webhook with HTTPS (if TLS is enabled, and if using self-signed certs, add -k or --insecure)
+   curl -k -X POST https://localhost:8080/test-topic -k \
+        -H 'Content-Type: application/json' \
+        -d '{"text": "Test alert from Slack to ntfy (TLS)"}'
+
+   # Check health with HTTP (if TLS is disabled)
    curl http://localhost:8080/health
+
+   # Check health with HTTPS (if TLS is enabled, and if using self-signed certs, add -k or --insecure)
+   curl https://localhost:8080/health -k
    ```
 
 ## Configuration
@@ -54,6 +62,43 @@ A lightweight Go service that acts as a middleware between Slack webhooks and nt
 | `NTFY_PASSWORD` | `""` | Password for ntfy basic authentication |
 | `BIND_ADDRESS` | `0.0.0.0` | Interface to bind to |
 | `BIND_PORT` | `8080` | Port to listen on |
+| `TLS_CERT_FILE` | `""` | Path to TLS certificate file (e.g., `/app/certs/server.crt`) |
+| `TLS_KEY_FILE` | `""` | Path to TLS private key file (e.g., `/app/certs/server.key`) |
+
+### Enabling TLS
+
+TLS is enabled by default. If `TLS_CERT_FILE` and `TLS_KEY_FILE` environment variables are not set, a self-signed certificate and key will be automatically generated on startup.
+
+**To provide your own certificate and key files (optional)**:
+
+1.  **Create a `certs` directory** in the root of your project:
+    ```bash
+    mkdir certs
+    # Copy your server.crt and server.key into the certs/ directory
+    ```
+2.  **Uncomment and set `TLS_CERT_FILE` and `TLS_KEY_FILE`** in your `docker-compose.yml` (e.g., pointing to `/app/certs/server.crt` and `/app/certs/server.key`):
+    ```yaml
+    environment:
+      # ... existing environment variables ...
+      - TLS_CERT_FILE=/app/certs/server.crt
+      - TLS_KEY_FILE=/app/certs/server.key
+    ```
+3.  Ensure the `volumes` section is uncommented and correctly mounts the `certs` directory:
+    ```yaml
+    volumes:
+      - ./certs:/app/certs
+    ```
+
+**Important:** Regardless of whether you use generated or custom certificates:
+
+*   **Update your Slack webhook URL** to use `https`.
+*   **Restart your Docker service**:
+    ```bash
+    docker compose down
+    docker compose up -d
+    ```
+*   When testing with `curl` against a self-signed certificate, you may need to add the `-k` or `--insecure` flag to bypass certificate validation.
+*   **Exposing on standard HTTPS port (443) in production**: While the service runs on port 8080 internally, it's common to map it to port 443 externally (e.g., `- "443:8080"` in `docker-compose.yml`) or use a reverse proxy to handle TLS termination on port 443 and forward traffic to the container's port 8080.
 
 ## Development