beatzaplenty/docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
de82d295fbf4613ad9e2dee279a805a051bd9fd1
docker/monitoring/mtls-bridge/README.md
T
beatz174-bit cd47fe324e Add internal mTLS bridge service for monitoring stack
2026-04-13 13:18:40 +10:00

1.2 KiB
Raw Blame History

mTLS Bridge Service

Internal HTTP-to-mTLS bridge for services that cannot present client certificates directly (for example, Grafana webhooks).

How it works

  1. Accepts plain HTTP requests inside the Docker network.
  2. Forwards requests to an HTTPS upstream.
  3. Presents a client certificate/key pair for mTLS authentication.

Environment variables

  • TARGET_URL (required): HTTPS upstream base URL.
  • CLIENT_CERT (default /certs/client.crt): client certificate path.
  • CLIENT_KEY (default /certs/client.key): client private key path.
  • CA_CERT (default /certs/ca.crt): CA certificate bundle used to verify upstream TLS.
  • TIMEOUT (default 5): request timeout in seconds.
  • LOG_LEVEL (default INFO): Python logging level.

Endpoints

  • GET /health returns 200 OK for container health checks.
  • /* proxies requests to ${TARGET_URL} with method/body/headers preserved.

Compose integration

This repository includes monitoring/mtls-bridge/docker-compose.yml:

  • No public port exposure.
  • Read-only cert mount (${PROJECT_ROOT}/core/traefik/certs:/certs:ro).
  • Joined to internal monitoring/traefik networks.

Example test

curl http://mtls-bridge:8080/health
curl -X POST http://mtls-bridge:8080
Reference in New Issue View Git Blame Copy Permalink