From 9b956f7c90942e56e395b97d704bffdcc9d1c96c Mon Sep 17 00:00:00 2001 From: Chris Goller Date: Tue, 14 Feb 2017 10:32:37 -0600 Subject: [PATCH] Add documentation for running Chronograf with TLS --- README.md | 3 +++ docs/tls.md | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 docs/tls.md diff --git a/README.md b/README.md index f28731bbf..70a47df98 100644 --- a/README.md +++ b/README.md @@ -107,6 +107,9 @@ A UI for [Kapacitor](https://github.com/influxdata/kapacitor) alert creation and * View all active alerts at a glance on the alerting dashboard * Enable and disable existing alert rules with the check of a box +### TLS/HTTPS support +See [Chronograf with TLS](https://github.com/influxdata/chronograf/blob/master/docs/tls.md) for more information. + ### GitHub OAuth Login See [Chronograf with OAuth 2.0](https://github.com/influxdata/chronograf/blob/master/docs/auth.md) for more information. diff --git a/docs/tls.md b/docs/tls.md new file mode 100644 index 000000000..e09b273d2 --- /dev/null +++ b/docs/tls.md 
@@ -0,0 +1,74 @@ +## Chronograf TLS + +Chronograf supports TLS to securely communicate between the browser and server via +HTTPS. + +We recommend using HTTPS with Chronograf. If you are not using a TLS termination proxy, +you can run Chronograf's server with TLS connections. +### TL;DR + +```sh +chronograf --cert=my.crt --key=my.key +``` + +### Running Chronograf with TLS + +Chronograf server has command line and environment variable options to specify +the certificate and key files. The server reads and parses a public/private key +pair from these files. The files must contain PEM encoded data. + +In Chronograf all command line options also have a corresponding environment +variable. + +To specify the the certificate file either use the `--cert` CLI option or `TLS_CERTIFICATE` +environment variable. + +To specify the key file either use the `--key` CLI option or `TLS_PRIVATE_KEY` +environment variable. + +#### Example with CLI options +```sh +chronograf --cert=my.crt --key=my.key +``` + +#### Example with environment variables +```sh +TLS_CERTIFICATE=my.crt TLS_PRIVATE_KEY=my.key chronograf +``` + +#### Docker example with environment variables +```sh +docker run -v /host/path/to/certs:/certs -e TLS_CERTIFICATE=/certs/my.crt -e TLS_PRIVATE_KEY=/certs/my.key quay.io/influxdb/chronograf:latest +``` + +### Testing with self-signed certificates +In a production environment you should not use self-signed certificates. However, +for testing it is fast to create your own certs. + +To create a cert and key in one file with openssl: + +```sh +openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout testing.pem -out testing.pem -subj "/CN=localhost" -days 365 +``` + +If the cert and the key are in the same file, you don't have to specify the +`TLS_PRIVATE_KEY` option. 
+ +Next, set the environment variable `TLS_CERTIFICATE`: +```sh +export TLS_CERTIFICATE=$PWD/testing.pem +``` + +Run chronograf: + +```sh +./chronograf +INFO[0000] Serving chronograf at https://[::]:8888 component=server +``` + +In the first log message you should `https` rather than `http`. + + + + +
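Review bot: In the README hunk, the new "TLS/HTTPS support" link points at the absolute `master` URL, which matches the existing OAuth link style but will break for readers on a fork, tag or branch; a relative link (`docs/tls.md`) would resolve correctly in every context. Consider converting both links while touching this block.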
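Review bot: In the docs/tls.md hunk there are a few small defects worth fixing before merge: "To specify the the certificate file" has a doubled "the"; the closing sentence "In the first log message you should `https` rather than `http`." is missing its verb (should read "you should see `https`"); and `### TL;DR` follows the preceding paragraph with no blank line, which some Markdown renderers will not treat as a heading. On the substance, the self-signed section writes the private key and certificate into one file (`-keyout testing.pem -out testing.pem`) and the Docker example bind-mounts the whole certificate directory into the container; it would help readers to state that the key file should be readable only by the Chronograf user (for example `chmod 600 testing.pem`) and to mount the directory read-only (`-v /host/path/to/certs:/certs:ro`) so the container cannot modify the key material. Finally, "you don't have to specify the `TLS_PRIVATE_KEY` option" mixes the two forms; say "the `--key` option or `TLS_PRIVATE_KEY` variable" for consistency with the rest of the page.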