- Installation
- Documentation
- Getting Started
- Connect
- Data Import and Export
- Overview
- Data Sources
- CSV Files
- JSON Files
- Overview
- Creating JSON
- Loading JSON
- Writing JSON
- JSON Type
- JSON Functions
- Format Settings
- Installing and Loading
- SQL to / from JSON
- Caveats
- Multiple Files
- Parquet Files
- Partitioning
- Appender
- INSERT Statements
- Lakehouse Formats
- Client APIs
- Overview
- ADBC
- C
- Overview
- Startup
- Configuration
- Query
- Data Chunks
- Vectors
- Values
- Types
- Prepared Statements
- Appender
- Table Functions
- Replacement Scans
- API Reference
- C++
- CLI
- Overview
- Arguments
- Dot Commands
- Output Formats
- Editing
- Friendly CLI
- Safe Mode
- Autocomplete
- Syntax Highlighting
- Known Issues
- Go
- Java (JDBC)
- Node.js (Neo)
- ODBC
- Python
- Overview
- Data Ingestion
- Conversion between DuckDB and Python
- DB API
- Relational API
- Function API
- Types API
- Expression API
- Spark API
- API Reference
- Known Python Issues
- R
- Rust
- Wasm
- Tertiary Clients
- SQL
- Introduction
- Statements
- Overview
- ANALYZE
- ALTER TABLE
- ALTER VIEW
- ATTACH and DETACH
- CALL
- CHECKPOINT
- COMMENT ON
- COPY
- CREATE INDEX
- CREATE MACRO
- CREATE SCHEMA
- CREATE SECRET
- CREATE SEQUENCE
- CREATE TABLE
- CREATE VIEW
- CREATE TYPE
- DELETE
- DESCRIBE
- DROP
- EXPORT and IMPORT DATABASE
- INSERT
- LOAD / INSTALL
- MERGE INTO
- PIVOT
- Profiling
- SELECT
- SET / RESET
- SET VARIABLE
- SHOW and SHOW DATABASES
- SUMMARIZE
- Transaction Management
- UNPIVOT
- UPDATE
- USE
- VACUUM
- Query Syntax
- SELECT
- FROM and JOIN
- WHERE
- GROUP BY
- GROUPING SETS
- HAVING
- ORDER BY
- LIMIT and OFFSET
- SAMPLE
- Unnesting
- WITH
- WINDOW
- QUALIFY
- VALUES
- FILTER
- Set Operations
- Prepared Statements
- Data Types
- Overview
- Array
- Bitstring
- Blob
- Boolean
- Date
- Enum
- Geometry
- Interval
- List
- Literal Types
- Map
- NULL Values
- Numeric
- Struct
- Text
- Time
- Timestamp
- Time Zones
- Union
- Typecasting
- Expressions
- Overview
- CASE Expression
- Casting
- Collations
- Comparisons
- IN Operator
- Logical Operators
- Star Expression
- Subqueries
- TRY
- Functions
- Overview
- Aggregate Functions
- Array Functions
- Bitstring Functions
- Blob Functions
- Date Format Functions
- Date Functions
- Date Part Functions
- Enum Functions
- Geometry Functions
- Interval Functions
- Lambda Functions
- List Functions
- Map Functions
- Nested Functions
- Numeric Functions
- Pattern Matching
- Regular Expressions
- Struct Functions
- Text Functions
- Time Functions
- Timestamp Functions
- Timestamp with Time Zone Functions
- Union Functions
- Utility Functions
- Window Functions
- Constraints
- Indexes
- Meta Queries
- DuckDB's SQL Dialect
- Overview
- Indexing
- Friendly SQL
- Keywords and Identifiers
- Order Preservation
- PostgreSQL Compatibility
- SQL Quirks
- PEG Parser
- Samples
- Configuration
- Extensions
- Overview
- Installing Extensions
- Advanced Installation Methods
- Distributing Extensions
- Versioning of Extensions
- Troubleshooting of Extensions
- Core Extensions
- Overview
- AutoComplete
- Avro
- AWS
- Azure
- Delta
- DuckLake
- Encodings
- Excel
- Full Text Search
- httpfs (HTTP and S3)
- Iceberg
- Overview
- Iceberg REST Catalogs
- Amazon S3 Tables
- Amazon SageMaker Lakehouse (AWS Glue)
- Troubleshooting
- ICU
- inet
- jemalloc
- Lance
- MySQL
- ODBC
- Quack
- PostgreSQL
- Spatial
- SQLite
- TPC-DS
- TPC-H
- UI
- Unity Catalog
- Vortex
- VSS
- Quack Remote Protocol
- Guides
- Overview
- Data Viewers
- Database Integration
- File Formats
- Overview
- CSV Import
- CSV Export
- Directly Reading Files
- Directly Reading DuckDB Databases
- Excel Import
- Excel Export
- JSON Import
- JSON Export
- Parquet Import
- Parquet Export
- Querying Parquet Files
- File Access with the file: Protocol
- Network and Cloud Storage
- Overview
- HTTP Parquet Import
- S3 Parquet Import
- S3 Parquet Export
- S3 Iceberg Import
- S3 Express One
- GCS Import
- Cloudflare R2 Import
- DuckDB over HTTPS / S3
- Fastly Object Storage Import
- Tigris Import
- Meta Queries
- Describe Table
- EXPLAIN: Inspect Query Plans
- EXPLAIN ANALYZE: Profile Queries
- List Tables
- Summarize
- DuckDB Environment
- ODBC
- Performance
- Overview
- Environment
- Import
- Schema
- Indexing
- Join Operations
- File Formats
- How to Tune Workloads
- My Workload Is Slow
- Out-of-Memory Issues
- Benchmarks
- Working with Huge Databases
- Python
- Installation
- Executing SQL
- Jupyter Notebooks
- marimo Notebooks
- SQL on Pandas
- Import from Pandas
- Export to Pandas
- Import from Numpy
- Export to Numpy
- SQL on Arrow
- Import from Arrow
- Export to Arrow
- Relational API on Pandas
- Multiple Python Threads
- Integration with Ibis
- Integration with Polars
- Using fsspec Filesystems
- SQL Editors
- SQL Features
- AsOf Join
- Full-Text Search
- Graph Queries
- query and query_table Functions
- Merge Statement for SCD Type 2
- Timestamp Issues
- Snippets
- Creating Synthetic Data
- Dutch Railway Datasets
- Sharing Macros
- Analyzing a Git Repository
- Importing Duckbox Tables
- Copying an In-Memory Database to a File
- Troubleshooting
- Glossary of Terms
- Browsing Offline
- Operations Manual
- Overview
- DuckDB's Footprint
- Installing DuckDB
- Logging
- User Agents
- Securing DuckDB
- Non-Deterministic Behavior
- Limits
- DuckDB Docker Container
- Development
- DuckDB Repositories
- Release Cycle
- Metrics
- Profiling
- Building DuckDB
- Overview
- Build Configuration
- Building Extensions
- Android
- Linux
- macOS
- Raspberry Pi
- Windows
- Python
- R
- Troubleshooting
- Unofficial and Unsupported Platforms
- Benchmark Suite
- Testing
- Internals
- Sitemap
- Live Demo
The Quack server speaks plain HTTP only and binds to localhost by default. See Security for the rationale behind these configurations. For any deployment beyond local-only, the recommended pattern is the same as for any other HTTP-based database / application server: put a proven HTTP reverse proxy in front of it, and let the proxy terminate TLS.
The Quack client cooperates with this: for non-local URIs it assumes HTTPS by default, so a properly fronted server “just works” from the client side too.
This guide walks through three setups, in order of likely usefulness:
- A local TLS test setup with Caddy, so you can exercise the full HTTPS path on your machine.
- nginx + Let's Encrypt in production.
- Caddy + Let's Encrypt in production.
The two production setups are interchangeable. Pick whichever fits your operational stack.
Local Test Setup with Caddy
You can exercise the full HTTPS path on your own machine using Caddy. Caddy issues itself a certificate for localhost from a local CA and installs the CA root into your system trust store, so DuckDB's HTTPS client trusts the cert without any extra config.
1. Run Caddy
Save this Caddyfile:
localhost:8443 {
reverse_proxy 127.0.0.1:9494 {
flush_interval -1
}
request_body {
max_size 256MB
}
}
Then start Caddy:
brew install caddy # macOS, for other platforms see https://caddyserver.com/docs/install
caddy run --config Caddyfile
The first run will prompt for elevation to install Caddy's local CA into your system trust store. After that, certs issued by Caddy for localhost are trusted system-wide.
2. Start Quack and Connect Through the Proxy
In one DuckDB session, start the server (this prints an authentication token):
CALL quack_serve('quack:localhost');
In the client session, connect through Caddy on :8443. Local URIs default to plain HTTP, so you have to force SSL on explicitly:
ATTACH 'quack:localhost:8443' AS quack (
TOKEN 'authentication_token-from-quack_serve',
DISABLE_SSL false
);
FROM quack.query('SELECT 42');
If the round-trip succeeds, your traffic just went out as TLS to Caddy, got terminated, and was forwarded as plain HTTP to Quack on :9494.
Nginx + Let's Encrypt
We expect this to be the most common choice. A minimal site for a Quack server listening on the loopback interface looks as follows:
# /etc/nginx/sites-enabled/quack.example.com
server {
listen 443 ssl http2;
server_name quack.example.com;
ssl_certificate /etc/letsencrypt/live/quack.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/quack.example.com/privkey.pem;
# Quack RPC bodies can be large: PREPARE carries SQL, APPEND carries
# inserted DataChunks. The 1 MiB nginx default will fail mid-INSERT.
client_max_body_size 256M;
# Long-running queries can sit on the wire between FETCHes for
# minutes. Raise the timeouts above nginx's default 60s.
proxy_read_timeout 600s;
proxy_send_timeout 600s;
location / {
proxy_pass http://127.0.0.1:9494;
# Keep-alive against upstream. Quack relies on persistent
# connections to keep server-side `quack_connection_id` state alive.
proxy_http_version 1.1;
proxy_set_header Connection "";
# Quack streams results via repeated FETCH responses; buffering
# through nginx defeats the streaming and inflates memory.
proxy_buffering off;
}
}
On the Quack side, start the server bound to localhost (the default):
CALL quack_serve('quack:localhost');
Issue the certificate with certbot --nginx -d quack.example.com.
Clients connect over HTTPS automatically:
ATTACH 'quack:quack.example.com' AS quack; -- HTTPS auto-selected
Caddy + Let's Encrypt
Caddy auto-provisions certificates from Let's Encrypt and needs almost no configuration. A complete public-facing Quack proxy:
# /etc/caddy/Caddyfile
quack.example.com {
reverse_proxy 127.0.0.1:9494 {
# Equivalent of nginx `proxy_buffering off`. Required so Quack's
# streamed FETCH responses pass through immediately instead of
# being buffered in Caddy.
flush_interval -1
}
# Equivalent of nginx `client_max_body_size`. PREPARE / APPEND bodies
# can be much larger than the default request body cap.
request_body {
max_size 256MB
}
}
Caddy handles certificate issuance and renewal automatically. No certbot step is required.
On the Quack side, start the server bound to localhost (the default):
CALL quack_serve('quack:localhost');
Clients connect over HTTPS automatically:
ATTACH 'quack:quack.example.com' AS quack; -- HTTPS auto-selected