metrics_exp: add nginx TLS overlay for public-IP deployments#239
Merged
Introduces an opt-in nginx reverse proxy layer (docker-compose.nginx.yml) that terminates TLS on port 443 and proxies to Grafana and Fleet Manager over the internal Docker network. Required for deployments on public IPs where Zscaler performs SSL inspection and blocks non-standard ports.

- docker-compose.nginx.yml: compose override adding fleet-nginx container; overrides GF_SERVER_ROOT_URL via GRAFANA_ROOT_URL env var; mounts /etc/letsencrypt and /var/www/certbot for Let's Encrypt integration
- server/config/nginx/nginx.conf: nginx config with ACME HTTP-01 challenge support on port 80, TLS termination on 443, WebSocket proxy headers for Grafana live, and /fleet/ path for Fleet Manager API
- server/config/nginx/ssl/.gitkeep: placeholder keeps ssl/ dir in tree; certs are gitignored (*.pem, *.key already in .gitignore)
- .env.example: documents three GRAFANA_ROOT_URL deployment tracks: private/VPN (no TLS), nip.io + Let's Encrypt (staging/test), AMD-issued cert (production)

Validated on chi-metrics-exp-mon (137.220.56.231) with Let's Encrypt cert for 137.220.56.231.nip.io — clears Zscaler SSL inspection.

Rollback (base stack untouched):

    docker compose -f docker-compose.yml -f docker-compose.nginx.yml rm -sf fleet-nginx

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
cijohnson
approved these changes
Jun 26, 2026
Summary

Adds an opt-in nginx reverse proxy layer for `metrics_exp` monitoring VMs deployed on public IPs where Zscaler performs SSL inspection and blocks non-standard ports (30030, 30080).

- Base stack (`docker-compose.yml`) is completely untouched — compose override is fully opt-in
- Validated on `chi-metrics-exp-mon` (Vultr Chicago ORD) with Let's Encrypt cert via `nip.io` — clears AMD Zscaler SSL inspection

Files changed

- `docker-compose.nginx.yml` — compose override: adds `fleet-nginx` (nginx:alpine), overrides `GF_SERVER_ROOT_URL` via `GRAFANA_ROOT_URL` env var, mounts `/etc/letsencrypt` and `/var/www/certbot` for Let's Encrypt
- `server/config/nginx/nginx.conf` — TLS termination on 443, ACME HTTP-01 challenge on port 80, WebSocket headers for Grafana live, `/fleet/` path for Fleet Manager API
- `server/config/nginx/ssl/.gitkeep` — preserves `ssl/` dir in tree; certs are gitignored
- `.env.example` — documents three `GRAFANA_ROOT_URL` deployment tracks

Usage

Deploy with nginx overlay:

TLS cert tracks:

- `<ip>.nip.io` — free, no DNS setup
- dl.casbsecurity@amd.com

Rollback (base stack untouched):

    docker compose -f docker-compose.yml -f docker-compose.nginx.yml rm -sf fleet-nginx

Test plan

- `https://<domain>/login` loads Grafana correctly through Zscaler
- `https://<domain>/fleet/` proxies to Fleet Manager API
- `http://` → 301

🤖 Generated with Claude Code
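The PR text describes the shape of `server/config/nginx/nginx.conf` (ACME HTTP-01 on port 80, TLS termination on 443, WebSocket headers for Grafana Live, a `/fleet/` path for the Fleet Manager API) but the file itself is not reproduced on this page. The following is an added example of a config with that shape, written for this review; it is not the PR's own file. The upstream service names and internal ports (`grafana:3000`, `fleet-manager:8080`), the certbot `live/` certificate layout, and the HSTS header are assumptions; the `137.220.56.231.nip.io` hostname is the validation host named in the PR.

```nginx
# Added example, not the PR's nginx.conf. Assumed: upstream service names
# and ports, certbot's default /etc/letsencrypt/live/<host>/ layout.
events {}

http {
    # Pass plain requests and WebSocket upgrades (Grafana Live) correctly:
    # Connection: upgrade only when the client sent an Upgrade header.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Internal Docker-network upstreams; nothing here is a published host port.
    upstream grafana       { server grafana:3000; }         # assumed
    upstream fleet_manager { server fleet-manager:8080; }   # assumed

    # Port 80 exists only for the ACME HTTP-01 challenge; every other
    # request is redirected (301) to https, which is what the test plan checks.
    server {
        listen 80;
        server_name 137.220.56.231.nip.io;

        location /.well-known/acme-challenge/ {
            root /var/www/certbot;            # bind-mounted from the host
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }

    # Port 443 terminates TLS; upstream traffic stays HTTP on the internal network.
    server {
        listen 443 ssl;
        server_name 137.220.56.231.nip.io;

        ssl_certificate     /etc/letsencrypt/live/137.220.56.231.nip.io/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/137.220.56.231.nip.io/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        # Assumed hardening: tell browsers to keep using https for this host.
        add_header Strict-Transport-Security "max-age=31536000" always;

        # Fleet Manager API under /fleet/. The trailing slash on proxy_pass
        # strips the /fleet/ prefix before the request reaches the upstream.
        location /fleet/ {
            proxy_pass http://fleet_manager/;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Grafana at the root, with the headers Grafana Live's WebSocket needs.
        location / {
            proxy_pass http://grafana;
            proxy_http_version 1.1;
            proxy_set_header Upgrade           $http_upgrade;
            proxy_set_header Connection        $connection_upgrade;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Two things worth checking when reviewing a config of this shape: the only path served over plain HTTP is the challenge directory, so a leftover `location /` that serves content on port 80 would silently undo the redirect the test plan relies on; and `GRAFANA_ROOT_URL` (which the override maps to `GF_SERVER_ROOT_URL`) must be the public `https://` URL, otherwise Grafana's login redirects point at the internal scheme and host. Syntax can be validated in the running container with `docker compose -f docker-compose.yml -f docker-compose.nginx.yml exec fleet-nginx nginx -t` before reloading.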