docker/monitoring/mtls-bridge
git 2499924afc Merge branch 'main' of https://github.com/beatz174-bit/docker
monitoring/mtls-bridge/docker-compose.yml

	modified:   monitoring/mtls-bridge/README.md
	modified:   monitoring/mtls-bridge/docker-compose.yml
2026-04-14 11:11:47 +10:00

mTLS Bridge Service

Internal HTTP-to-mTLS bridge for services that cannot present client certificates directly (for example, Grafana webhooks).

How it works

  1. Accepts plain HTTP requests inside the Docker network.
  2. Forwards requests to an HTTPS upstream.
  3. Presents a client certificate/key pair for mTLS authentication.

Environment variables

  • TARGET_URL (required): HTTPS upstream base URL.
  • CLIENT_CERT (default /certs/client.crt): client certificate path.
  • CLIENT_KEY (default /certs/client.key): client private key path.
  • CA_CERT (default /certs/ca.crt): CA certificate bundle used to verify upstream TLS.
  • TIMEOUT (default 5): request timeout in seconds.
  • LOG_LEVEL (default INFO): Python logging level.
  • MTLS_BRIDGE_BASIC_AUTH_USERS (required for Traefik auth): value for traefik.http.middlewares.*.basicauth.users (e.g. user:$$apr1$$...).
  • MTLS_BRIDGE_CORS_ALLOW_ORIGIN (default https://grafana.lan.ddnsgeek.com): origin allowed for browser-based panel actions.

Endpoints

  • GET /health returns 200 OK for container health checks.
  • /* proxies requests to ${TARGET_URL} with method/body/headers preserved.
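
The three steps under "How it works", the environment variables above and the two endpoints map onto a short Python bridge. The following is an added illustration written for this README, not the repository's own service code: it reads the variables with the defaults listed above, builds a client-side TLS context that verifies the upstream against CA_CERT and presents CLIENT_CERT/CLIENT_KEY, answers GET /health locally, and proxies everything else to TARGET_URL. The listen port 8080 is taken from the curl examples below; the hop-by-hop header set, the 502 response on upstream failure and the function names are the example's own choices.

```python
import http.client
import logging
import os
import ssl
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Hop-by-hop and connection-specific headers that must not be copied between
# the two legs of the proxy (RFC 7230 section 6.1). Host and Content-Length are
# recomputed by http.client for the upstream leg. (Assumed set, not from the README.)
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade", "host", "content-length",
}


def load_config(env):
    """Read the README's environment variables, with its defaults, from a mapping."""
    target = env.get("TARGET_URL")
    if not target:
        raise ValueError("TARGET_URL is required")
    if urlsplit(target).scheme != "https":
        raise ValueError("TARGET_URL must be an https:// URL; the bridge only adds mTLS")
    return {
        "target_url": target,
        "client_cert": env.get("CLIENT_CERT", "/certs/client.crt"),
        "client_key": env.get("CLIENT_KEY", "/certs/client.key"),
        "ca_cert": env.get("CA_CERT", "/certs/ca.crt"),
        "timeout": float(env.get("TIMEOUT", "5")),
        "log_level": env.get("LOG_LEVEL", "INFO"),
    }


def build_ssl_context(cfg):
    """Client-side context: verify the upstream against CA_CERT, present CLIENT_CERT/KEY."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cfg["ca_cert"])
    ctx.check_hostname = True            # upstream name must match its certificate
    ctx.verify_mode = ssl.CERT_REQUIRED  # never fall back to an unverified connection
    ctx.load_cert_chain(certfile=cfg["client_cert"], keyfile=cfg["client_key"])
    return ctx


def forward_headers(headers):
    """Copy end-to-end headers only; returns a plain dict."""
    return {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}


def upstream_path(base_path, request_path):
    """Join the path component of TARGET_URL with the incoming request path."""
    base = base_path.rstrip("/")
    return base + (request_path if request_path.startswith("/") else "/" + request_path)


class BridgeHandler(BaseHTTPRequestHandler):
    config = None       # both set by main() before serving
    ssl_context = None

    def log_message(self, fmt, *args):
        logging.info("%s %s", self.address_string(), fmt % args)

    def _proxy(self):
        if self.path == "/health":
            self._reply(200, b"OK", {"Content-Type": "text/plain"})
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        parts = urlsplit(self.config["target_url"])
        conn = http.client.HTTPSConnection(
            parts.hostname, parts.port or 443,
            context=self.ssl_context, timeout=self.config["timeout"])
        try:
            conn.request(self.command, upstream_path(parts.path, self.path),
                         body=body, headers=forward_headers(self.headers))
            resp = conn.getresponse()
            data = resp.read()
            self._reply(resp.status, data, forward_headers(dict(resp.getheaders())))
        except (OSError, http.client.HTTPException) as exc:
            # TLS handshake failures (rejected client cert, untrusted upstream CA) land here too
            logging.error("upstream request failed: %s", exc)
            self._reply(502, b"upstream request failed\n", {"Content-Type": "text/plain"})
        finally:
            conn.close()

    def _reply(self, status, body, headers):
        self.send_response(status)
        for k, v in headers.items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _proxy


def main():
    cfg = load_config(os.environ)
    logging.basicConfig(level=cfg["log_level"])
    BridgeHandler.config = cfg
    BridgeHandler.ssl_context = build_ssl_context(cfg)
    # Port 8080 matches the README's curl examples; the container has no public port exposure.
    ThreadingHTTPServer(("0.0.0.0", 8080), BridgeHandler).serve_forever()


if __name__ == "__main__":
    main()
```

Because the bridge holds the client private key on behalf of every caller inside the Docker network, anything that can reach port 8080 can speak to the upstream with that identity; that is why the Compose file keeps the port internal and why the Traefik basic-auth middleware in MTLS_BRIDGE_BASIC_AUTH_USERS matters for any route that is exposed through Traefik.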

Compose integration

This repository includes monitoring/mtls-bridge/docker-compose.yml:

  • No public port exposure.
  • Read-only cert mount (${PROJECT_ROOT}/core/traefik/certs:/certs:ro).
  • Joined to internal monitoring/traefik networks.

Example test

curl http://mtls-bridge:8080/health
curl -X POST http://mtls-bridge:8080