Skip to content

Functions

This guide covers how to configure functions in your self-hosted Appwrite instance. For GitHub repository integration with functions, see the version control configuration.

Configure function runtimes

Not all function runtimes are enabled by default. Enable the runtimes that you need and disable unused runtimes to save disk space on your server. To enable a runtime, add it to the _APP_FUNCTIONS_RUNTIMES environment variable as a comma-separated list.

The example below would enable Dart 2.15, .NET 6.0, and Java 18 runtimes.

Bash
_APP_FUNCTIONS_RUNTIMES=dart-2.15,dotnet-6.0,java-18.0

You can find a full list of supported runtimes here.

You can also configure the maximum timeout that can be set on individual Appwrite Functions. The maximum configurable timeout can be increased by changing the _APP_FUNCTIONS_TIMEOUT environment variable. This environment variable changes the configurable maximum but does not alter existing configurations of individual functions.

Applying changes

After editing your docker-compose.yml or .env files, you will need to recreate your Appwrite stack by running the following compose command in your terminal.

Shell
docker compose up -d

You can verify if the changes have been successfully applied by running this command:

Shell
docker compose exec appwrite vars

SSL certificates for function domains

Before setting up SSL certificates, ensure you have configured your DNS settings properly. You'll need to create a CNAME record that points your wildcard function domain (e.g. *.functions.appwrite.myapp.com) to your Appwrite domain.

Appwrite does not handle certificates for function domains (e.g. 6772722a00331315adc3.functions.appwrite.myapp.com) out of the box, since they require wildcard certificates. There are two ways to handle certificate generation.

Manual certificate generation

The simplest way to generate certificates for function domains is to use the Appwrite SSL command.

Bash
docker compose exec appwrite ssl --domain="6772722a00331315adc3.functions.appwrite.myapp.com"

The certificate should be generated within a few seconds. If you encounter any issues, you can check the certificate worker logs.

Bash
docker compose logs appwrite-worker-certificates

Note that you'll need to run this command for each function domain, and repeat it every time you create a new function. If you have many functions or frequently create new ones, consider using the automated certificate generation method below.

Automated certificate generation

For automated certificate generation, Appwrite uses Traefik's DNS Challenge feature. This is required for wildcard certificates (like *.functions.appwrite.myapp.com) because Let's Encrypt uses the DNS-01 challenge to validate wildcard domain ownership.

Using DNS challenge with DigitalOcean

To configure Traefik for automated certificate generation with DigitalOcean, you need to modify your docker-compose.yml:

  1. Add the following under the traefik service's command section.
YAML
command:
    # ... existing commands ...
    - --certificatesresolvers.digitalocean.acme.dnschallenge=true
    - --certificatesresolvers.digitalocean.acme.dnschallenge.provider=digitalocean
    - --certificatesresolvers.digitalocean.acme.email=$_APP_SYSTEM_SECURITY_EMAIL_ADDRESS
    - --certificatesresolvers.digitalocean.acme.storage=/storage/certificates/digitalocean.json
  1. Add environment variables under the traefik service.
YAML
environment:
    - DO_AUTH_TOKEN=$_APP_DOMAIN_DO_TOKEN
  1. Add the following labels under the appwrite service.
YAML
labels:
    # ... existing labels ...
    - traefik.http.routers.appwrite_api_https.tls.certresolver=digitalocean
    - traefik.http.routers.appwrite_api_https.tls.domains[0].main=$_APP_DOMAIN_FUNCTIONS
    - traefik.http.routers.appwrite_api_https.tls.domains[0].sans=*.$_APP_DOMAIN_FUNCTIONS

  1. Ensure these environment variables are properly configured in your .env file before proceeding:

    • _APP_SYSTEM_SECURITY_EMAIL_ADDRESS must be set to a valid email for Let's Encrypt notifications
    • _APP_DOMAIN_FUNCTIONS must be correctly set to your function domain (e.g., functions.example.com)
    • _APP_DOMAIN_DO_TOKEN must be set to a valid DigitalOcean API token (generate this in the DigitalOcean Console)

  2. Apply the changes.

Bash
docker compose up -d --force-recreate

Troubleshooting DNS propagation

If certificate generation fails, first check the Traefik logs to identify the specific issue.

Bash
docker compose logs traefik

A common issue is DNS propagation delays. If the logs show DNS verification failures, you can configure longer timeouts in your docker-compose.yml under the traefik service.

YAML
environment:
    - DO_AUTH_TOKEN=$_APP_DOMAIN_DO_TOKEN
    - DO_POLLING_INTERVAL=1m
    - DO_PROPAGATION_TIMEOUT=1h

Note: Let's Encrypt has strict rate limits for certificate requests. If you encounter rate limit errors in the logs, you may need to wait a few hours before trying again.

For other DNS providers, refer to Traefik's DNS providers documentation.

Was this page helpful?