From 7f8e920fa1f5cb07bbb9d9203ff3966fe6c409cc Mon Sep 17 00:00:00 2001
From: beatz174-bit
Date: Tue, 14 Apr 2026 11:06:45 +1000
Subject: [PATCH] Add CORS and OPTIONS handling for mtls-bridge panel actions
---
 monitoring/mtls-bridge/README.md | 2 ++
 monitoring/mtls-bridge/docker-compose.yml | 13 +++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/monitoring/mtls-bridge/README.md b/monitoring/mtls-bridge/README.md
index 59f62cc..9dd3b7a 100644
--- a/monitoring/mtls-bridge/README.md
+++ b/monitoring/mtls-bridge/README.md
@@ -16,6 +16,8 @@ Internal HTTP-to-mTLS bridge for services that cannot present client certificate
 - `CA_CERT` (default `/certs/ca.crt`): CA certificate bundle used to verify upstream TLS.
 - `TIMEOUT` (default `5`): request timeout in seconds.
 - `LOG_LEVEL` (default `INFO`): Python logging level.
+- `MTLS_BRIDGE_BASIC_AUTH_USERS` (required for Traefik auth): value for `traefik.http.middlewares.*.basicauth.users` (e.g. `user:$$apr1$$...`).
+- `MTLS_BRIDGE_CORS_ALLOW_ORIGIN` (default `https://grafana.lan.ddnsgeek.com`): origin allowed for browser-based panel actions.
 ## Endpoints
diff --git a/monitoring/mtls-bridge/docker-compose.yml b/monitoring/mtls-bridge/docker-compose.yml
index c58d309..442d8d1 100644
--- a/monitoring/mtls-bridge/docker-compose.yml
+++ b/monitoring/mtls-bridge/docker-compose.yml
@@ -19,6 +19,19 @@ services:
 - "traefik.enable=true"
 - "traefik.http.routers.mtls-bridge.entrypoints=websecure"
 - "traefik.http.routers.mtls-bridge.tls.certresolver=myresolver"
+ - "traefik.http.routers.mtls-bridge.middlewares=mtls-bridge-auth,mtls-bridge-cors"
+ - "traefik.http.middlewares.mtls-bridge-auth.basicauth.users=${MTLS_BRIDGE_BASIC_AUTH_USERS}"
+ - "traefik.http.routers.mtls-bridge-preflight.rule=Host(`mtls-bridge.lan.ddnsgeek.com`) && Method(`OPTIONS`)"
+ - "traefik.http.routers.mtls-bridge-preflight.entrypoints=websecure"
+ - "traefik.http.routers.mtls-bridge-preflight.tls.certresolver=myresolver"
+ - "traefik.http.routers.mtls-bridge-preflight.middlewares=mtls-bridge-cors"
+ - "traefik.http.routers.mtls-bridge-preflight.priority=100"
+ - "traefik.http.routers.mtls-bridge-preflight.service=mtls-bridge"
+ - "traefik.http.middlewares.mtls-bridge-cors.headers.accesscontrolalloworiginlist=${MTLS_BRIDGE_CORS_ALLOW_ORIGIN:-https://grafana.lan.ddnsgeek.com}"
+ - "traefik.http.middlewares.mtls-bridge-cors.headers.accesscontrolallowmethods=GET,POST,PUT,PATCH,DELETE,OPTIONS"
+ - "traefik.http.middlewares.mtls-bridge-cors.headers.accesscontrolallowheaders=Authorization,Content-Type"
+ - "traefik.http.middlewares.mtls-bridge-cors.headers.accesscontrolallowcredentials=true"
+ - "traefik.http.middlewares.mtls-bridge-cors.headers.addvaryheader=true"
 - "io.portainer.accesscontrol.public"
 # - "traefik.http.routers.searxng.middlewares=crowdsec@file,secHeaders@file,error-pages-middleware"
 - "traefik.http.services.mtls-bridge.loadbalancer.server.port=8080"
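Review bot: The new `traefik.http.middlewares.mtls-bridge-auth.basicauth.users=${MTLS_BRIDGE_BASIC_AUTH_USERS}` label has no guard on the variable, so an unset value is interpolated as an empty `users=` and the deployment proceeds with a warning; whether Traefik then rejects every request or fails to load the router is not visible here, but neither surfaces the misconfiguration at deploy time the way the README's "required" implies. Since the CORS label below it already uses the `:-` default form, mirror that with Compose's error form: `basicauth.users=${MTLS_BRIDGE_BASIC_AUTH_USERS:?MTLS_BRIDGE_BASIC_AUTH_USERS must be set}`. The `mtls-bridge-preflight` router attaches only `mtls-bridge-cors`, which is the expected shape for credential-less OPTIONS preflight but reads like an auth bypass to a later maintainer; a comment above its rule such as `# preflight requests carry no credentials, so this router intentionally omits mtls-bridge-auth` would document that. With `mtls-bridge-auth` listed before `mtls-bridge-cors` on the main router, a 401 from basicauth is presumably emitted before the CORS headers are applied, so a browser caller with bad credentials would see an opaque CORS failure rather than the 401 — worth confirming against Traefik's middleware ordering and swapping the two if so. The `labels` list these lines belong to, and the main router's `rule`, start outside the hunk.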