beatz174-bit
40 lines
1.4 KiB
Markdown
40 lines
1.4 KiB
Markdown
# mTLS Bridge Service
|
|
|
|
Internal HTTP-to-mTLS bridge for services that cannot present client certificates directly (for example, Grafana webhooks).
|
|
|
|
## How it works
|
|
|
|
1. Accepts plain HTTP requests inside the Docker network.
|
|
2. Forwards requests to an HTTPS upstream.
|
|
3. Presents a client certificate/key pair for mTLS authentication.
|
|
|
|
## Environment variables
|
|
|
|
- `TARGET_URL` (required): HTTPS upstream base URL.
|
|
- `CLIENT_CERT` (default `/certs/client.crt`): client certificate path.
|
|
- `CLIENT_KEY` (default `/certs/client.key`): client private key path.
|
|
- `CA_CERT` (default `/certs/ca.crt`): CA certificate bundle used to verify upstream TLS.
|
|
- `TIMEOUT` (default `5`): request timeout in seconds.
|
|
- `LOG_LEVEL` (default `INFO`): Python logging level.
|
|
- `MTLS_BRIDGE_BASIC_AUTH_USERS` (required for Traefik auth): value for `traefik.http.middlewares.*.basicauth.users` (e.g. `user:$$apr1$$...`).
|
|
|
|
## Endpoints
|
|
|
|
- `GET /health` returns `200 OK` for container health checks.
|
|
- `/*` proxies requests to `${TARGET_URL}` with method/body/headers preserved.
|
|
|
|
## Compose integration
|
|
|
|
This repository includes `monitoring/mtls-bridge/docker-compose.yml`:
|
|
|
|
- No public port exposure.
|
|
- Read-only cert mount (`${PROJECT_ROOT}/core/traefik/certs:/certs:ro`).
|
|
- Joined to internal monitoring/traefik networks.
|
|
|
|
## Example test
|
|
|
|
```bash
|
|
curl http://mtls-bridge:8080/health
|
|
curl -X POST http://mtls-bridge:8080
|
|
```
|