CH-UICH-UI

Configuration

Server and connector configuration for CH-UI

CH-UI works without config files out of the box. You only need config files when you want production defaults, service-managed startup, or want to avoid passing flags every time.

Priority Order

Values are resolved in this order (highest wins):

  • Server: CLI flags > environment variables > server.yaml > built-in defaults
  • Connector: CLI flags > environment variables > config.yaml > built-in defaults

Server Config

Default config path:

  • macOS: ~/.config/ch-ui/server.yaml
  • Linux: /etc/ch-ui/server.yaml

Server config explained

port: 3488
app_url: https://ch-ui.yourcompany.com
database_path: /var/lib/ch-ui/ch-ui.db
clickhouse_url: http://localhost:8123
connection_name: Local ClickHouse
app_secret_key: "change-this-in-production"
allowed_origins:
  - https://ch-ui.yourcompany.com
# optional override:
# tunnel_url: wss://ch-ui.yourcompany.com/connect
KeyExampleDefaultWhy it matters
port34883488HTTP port used by CH-UI server
app_urlhttps://ch-ui.yourcompany.comhttp://localhost:<port>Public URL for links and tunnel URL inference
database_path/var/lib/ch-ui/ch-ui.db./data/ch-ui.dbWhere CH-UI stores app state
clickhouse_urlhttp://localhost:8123http://localhost:8123Embedded local connection target
connection_nameLocal ClickHouseLocal ClickHouseDisplay name for embedded local connection
app_secret_keyrandom long stringbuilt-in dev valueEncrypts session credentials; must change in production
allowed_origins["https://ch-ui.yourcompany.com"]emptyCORS allowlist
tunnel_urlwss://ch-ui.yourcompany.com/connectderived from portExplicit tunnel endpoint advertised to agents
tls_cert_file/etc/ch-ui/tls/server.crtemptyPEM cert for native TLS (with tls_key_file)
tls_key_file/etc/ch-ui/tls/server.keyemptyPEM key for native TLS

Native TLS

Set both tls_cert_file and tls_key_file to have CH-UI serve HTTPS directly. If unset, CH-UI serves plaintext HTTP and expects a reverse proxy to terminate TLS; when bound to a non-loopback address without TLS it logs a startup warning. See Security.

Audit forwarding (SIEM)

Optionally stream audit events to your tooling (the authoritative copy stays in the database). See Monitoring & SIEM.

audit_forward_stdout: true
audit_log_file: /var/log/ch-ui/audit.jsonl
audit_webhook_url: https://siem.example.com/hook

OIDC SSO

oidc_issuer_url: https://accounts.google.com
oidc_client_id: your-client-id
oidc_client_secret: your-client-secret
oidc_redirect_url: https://ch-ui.yourcompany.com/api/auth/oidc/callback
# Optional:
oidc_allowed_domains: [yourcompany.com]
oidc_admin_groups: [ch-ui-admins]
oidc_analyst_groups: [data-analysts]

Full setup in Single Sign-On.

Server environment variables

VariableDescription
PORTHTTP port
APP_URLPublic base URL
DATABASE_PATHSQLite path
CLICKHOUSE_URLLocal ClickHouse URL for embedded connector
CONNECTION_NAMEDisplay name for embedded local connection
CONNECITION_NAMEBackward-compatible typo alias for CONNECTION_NAME
APP_SECRET_KEYSession/password encryption secret
ALLOWED_ORIGINSComma-separated CORS origins
TUNNEL_URLOverride gateway URL
TLS_CERT_FILE / TLS_KEY_FILEPEM cert/key for native TLS
AUDIT_FORWARD_STDOUT / AUDIT_LOG_FILE / AUDIT_WEBHOOK_URLAudit forwarding sinks
OIDC_ISSUER_URL / OIDC_CLIENT_ID / OIDC_CLIENT_SECRET / OIDC_REDIRECT_URLOIDC SSO
OIDC_ALLOWED_DOMAINS / OIDC_ADMIN_GROUPS / OIDC_ANALYST_GROUPS / OIDC_GROUPS_CLAIMOIDC mapping
CHUI_SQLITE_MAX_OPEN_CONNSMax SQLite connections (default 8)
CHUI_VITE_MINIFYToggle frontend build minification

Connector Config

Default config path:

  • macOS: ~/.config/ch-ui/config.yaml
  • Linux: /etc/ch-ui/config.yaml

Connector config explained

tunnel_token: "cht_your_token"
clickhouse_url: "http://127.0.0.1:8123"
tunnel_url: "wss://ch-ui.yourcompany.com/connect"
# insecure_skip_verify: false
KeyExampleDefaultWhy it matters
tunnel_tokencht_...none (required)Auth key created on server (ch-ui tunnel create)
clickhouse_urlhttp://127.0.0.1:8123http://localhost:8123Local ClickHouse for this VM
tunnel_urlwss://ch-ui.yourcompany.com/connectwss://cloud.ch-ui.com/connectServer gateway endpoint
insecure_skip_verifyfalsefalseOnly for insecure dev TLS setups

Connector environment variables

VariableDescription
TUNNEL_TOKENTunnel token (cht_...)
CLICKHOUSE_URLClickHouse HTTP endpoint
TUNNEL_URLWebSocket URL to /connect
TUNNEL_INSECURE_SKIP_VERIFYTLS skip verify (true/1/yes)

Minimal Production Templates

Server (/etc/ch-ui/server.yaml)

port: 3488
app_url: https://ch-ui.yourcompany.com
database_path: /var/lib/ch-ui/ch-ui.db
connection_name: Local ClickHouse
app_secret_key: "replace-with-a-long-random-secret"
allowed_origins:
  - https://ch-ui.yourcompany.com

Connector (/etc/ch-ui/config.yaml)

tunnel_token: "cht_replace_me"
clickhouse_url: "http://127.0.0.1:8123"
tunnel_url: "wss://ch-ui.yourcompany.com/connect"
  • Rotate APP_SECRET_KEY per environment.
  • Use wss:// for all connector tunnels.
  • Keep connector close to ClickHouse to reduce latency.
  • Use non-default file paths managed by system services.

Validation Commands

ch-ui server status
ch-ui service status

On this page