Edge & TLS
The docker/front stack ships Ambilobe.Front, a YARP edge proxy. It terminates TLS for
your public hostnames and routes by Host header to the admin console and the ingest
receiver.
Bring it up last. The admin and ingest stacks must already be running and reachable by service name on
the shared ambilobe network.
What the edge proxy does #
- Publishes HTTPS on the host (default port
443, mapped to container port4433). - Downloads the edge TLS certificate from Azure Key Vault on startup.
- Routes each public hostname to its internal upstream by
Hostheader. - Appends the real client IP to
X-Forwarded-Forfor the backends.
TLS from Azure Key Vault #
On startup the proxy downloads the secret named by FRONT_CERT_SECRET_NAME from the vault
at FRONT_CERT_VAULT_URI using DefaultAzureCredential, and uses it as the edge
certificate. The secret value must be a base64-encoded PKCS#12 blob, the default shape of a Key Vault
certificate read as a secret, and its SAN must cover every hostname the proxy answers for.
# docker/front/.env
FRONT_HTTPS_PORT=443 # host port, mapped to container 4433
# The edge TLS certificate is read from Azure Key Vault on startup.
# The secret value must be a base64-encoded PKCS#12 blob whose SAN
# covers every hostname under FRONT_*_HOST below.
FRONT_CERT_VAULT_URI=https://your-vault.vault.azure.net/
FRONT_CERT_SECRET_NAME=YOUR-CERT-SECRET
# DefaultAzureCredential authenticates to Key Vault. Leave empty when
# the host provides a managed identity reachable inside the container;
# otherwise set all three to a service principal that can read the vault.
AZURE_TENANT_ID=
AZURE_CLIENT_ID=
AZURE_CLIENT_SECRET= Host routing #
The proxy maps each public hostname to one internal upstream. The admin host forwards to the admin console; the ingest host forwards to the ingest receiver. The destinations address the sibling stacks by service name on the shared network.
# docker/front/.env
# Public hostname the proxy answers for -> internal upstream it forwards to.
# Hosts `admin` and `ingest` are the sibling docker/ service names on
# the shared `ambilobe` network.
FRONT_ADMIN_HOST=admin.example.com
FRONT_ADMIN_DESTINATION=http://admin:8080/
FRONT_INGEST_HOST=ingest.example.com
FRONT_INGEST_DESTINATION=http://ingest:8080/ With this in place, browsers send beacons to the ingest hostname and operators reach the console at the admin hostname, both over one TLS endpoint.
Forwarded client IP #
YARP appends the real client IP to X-Forwarded-For. For the ingest receiver to honour it
for GeoIP and rate limiting, this proxy's address on the ambilobe network must fall inside
the receiver's Ingest:Forwarding:TrustedProxies list. Widen that list on the ingest stack
if the network subnet is outside its default 10.0.0.0/8.