diff --git a/src/lib/config/read.ts b/src/lib/config/read.ts
index 21733892..2b89012e 100755
--- a/src/lib/config/read.ts
+++ b/src/lib/config/read.ts
@@ -121,6 +121,10 @@ export const rawConfig: any = {
     onUpload: undefined,
     onShorten: undefined,
   },
+  ssl: {
+    key: undefined,
+    cert: undefined,
+  },
 };
 
 export const PROP_TO_ENV = {
@@ -246,6 +250,9 @@ export const PROP_TO_ENV = {
 
   'httpWebhook.onUpload': 'HTTP_WEBHOOK_ONUPLOAD',
   'httpWebhook.onShorten': 'HTTP_WEBHOOK_ONSHORTEN',
+
+  'ssl.key': 'SSL_KEY',
+  'ssl.cert': 'SSL_CERT',
 };
 
 const logger = log('config').c('read');
@@ -369,6 +376,9 @@ export function readEnv() {
 
     env('httpWebhook.onUpload', 'string'),
     env('httpWebhook.onShorten', 'string'),
+
+    env('ssl.key', 'string'),
+    env('ssl.cert', 'string'),
   ];
 
   // clone raw
diff --git a/src/lib/config/validate.ts b/src/lib/config/validate.ts
index fc2559b8..a865cdad 100755
--- a/src/lib/config/validate.ts
+++ b/src/lib/config/validate.ts
@@ -279,6 +279,18 @@ export const schema = z.object({
     onUpload: z.string().url().nullable().default(null),
     onShorten: z.string().url().nullable().default(null),
   }),
+  ssl: z.object({
+    key: z
+      .string()
+      .transform((s) => resolve(s))
+      .nullable()
+      .default(null),
+    cert: z
+      .string()
+      .transform((s) => resolve(s))
+      .nullable()
+      .default(null),
+  }),
 });
 
 export type Config = z.infer<typeof schema>;
diff --git a/src/server/index.ts b/src/server/index.ts
index 48c09d7e..88f95964 100755
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -24,6 +24,7 @@ import loadRoutes from './routes';
 import { filesRoute } from './routes/files.dy';
 import { urlsRoute } from './routes/urls.dy';
 import { isAdministrator } from '@/lib/role';
+import { notNull } from '@/lib/primitive';
 
 const MODE = process.env.NODE_ENV || 'production';
 const logger = log('server');
@@ -52,7 +53,15 @@ async function main() {
 
   await runMigrations();
 
-  const server = fastify({ ignoreTrailingSlash: true });
+  const server = fastify({
+    ignoreTrailingSlash: true,
+    https: notNull(config.ssl.key, config.ssl.cert)
+      ? {
+          key: config.ssl.key!,
+          cert: config.ssl.cert!,
+        }
+      : null,
+  });
 
   await server.register(fastifyCookie, {
     secret: config.core.secret,