From af52021900292f71d539851d2c02bc8a1ec5e1ba Mon Sep 17 00:00:00 2001 From: Rich Turner <7072278+richturner@users.noreply.github.com> Date: Thu, 14 May 2026 17:46:07 +0100 Subject: [PATCH 1/4] Initial commit --- Dockerfile | 11 +++++++--- README.md | 50 ++++++++++++++++++++++----------------------- certs/01-selfsigned | 50 --------------------------------------------- entrypoint.sh | 44 +++++++++++++++++++++++++++++++-------- haproxy.cfg | 4 ++-- 5 files changed, 71 insertions(+), 88 deletions(-) delete mode 100644 certs/01-selfsigned diff --git a/Dockerfile b/Dockerfile index 59f9441..afaf43e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -56,6 +56,7 @@ ARG LOGFILE=none ENV LOGFILE=${LOGFILE} ENV CERT_DIR=/deployment/certs +ENV CUSTOM_CERT_DIR=/custom/proxy/certs ENV LE_DIR=/deployment/letsencrypt ENV CHROOT_DIR=/etc/haproxy/webroot @@ -70,8 +71,10 @@ ADD acme-plugin.tar.gz /etc/haproxy/lua/ RUN mkdir -p "${CHROOT_DIR}" \ && mkdir -p "${CERT_DIR}" \ + && mkdir -p "${CUSTOM_CERT_DIR}" \ && mkdir -p /var/log/letsencrypt \ - && mkdir -p "${LE_DIR}" && chown haproxy:haproxy "${LE_DIR}" \ + && mkdir -p "${LE_DIR}" \ + && mkdir -p /etc/haproxy/certs \ && mkdir -p /etc/letsencrypt \ && mkdir -p /var/lib/letsencrypt \ && touch /etc/periodic/daily/cert-renew \ @@ -82,14 +85,16 @@ RUN mkdir -p "${CHROOT_DIR}" \ && chown -R haproxy:haproxy /var/lib/letsencrypt \ && chown -R haproxy:haproxy /var/log/letsencrypt \ && chown -R haproxy:haproxy "${CHROOT_DIR}" \ - && chown -R haproxy:haproxy "${CERT_DIR}" + && chown -R haproxy:haproxy "${CERT_DIR}" \ + && chown -R haproxy:haproxy "${CUSTOM_CERT_DIR}" \ + && chown -R haproxy:haproxy "${LE_DIR}" \ + && chown -R haproxy:haproxy /etc/haproxy/certs RUN apk del tar && \ rm -f /var/cache/apk/* COPY haproxy.cfg /etc/haproxy/haproxy.cfg COPY haproxy-edge-terminated-tls.cfg /etc/haproxy/haproxy-edge-terminated-tls.cfg -COPY certs /etc/haproxy/certs COPY cli.ini /root/.config/letsencrypt/ COPY entrypoint.sh / 
diff --git a/README.md b/README.md
index 320a34d..1dfc5c4 100644
--- a/README.md
+++ b/README.md
@@ -4,35 +4,31 @@ HAProxy docker image with Lets Encrypt SSL auto renewal using certbot with built in support for wildcard certificates using AWS Route53. -## Paths - -* `/deployment/letsencrypt` - Certbot config directory where generated certificates are stored -* `/etc/haproxy/haproxy.cfg` - Default location of haproxy configuration file -* `/etc/haproxy/certs` - Static (non certbot) certificates includes self-signed and any other static certificates should be volume mapped into this folder -* `/var/log/*` - Location of log files (all are symlinked to stdout) - ## Environment variables -* `DOMAINNAME` - IANA TLD subdomain for which a Lets Encrypt certificate should be requested +* `CERT_DIR` - Automatically generated full chain PEM certificates directory (live reload of HA Proxy on changes) \[default: `/deployment/certs`\] +* `CUSTOM_CERT_DIR` - Additional custom full chain PEM certificates directory loaded by HAProxy but not managed by certbot \[default: `/custom/proxy/certs`\] +* `LE_DIR` - Certbot config directory where generated certificates are stored \[default: `/deployment/letsencrypt`\] +* \[DEPRECATED\] `DOMAINNAME` - IANA TLD subdomain for which a Lets Encrypt certificate should be requested * `DOMAINNAMES` - Comma separated list of IANA TLD subdomain names for which Lets Encrypt certificates should be -requested (this is a multi-value alternative to DOMAINNAME) +requested; wildcard domains should be specified with an '*' (e.g. 
`*.example.com) * `HAPROXY_USER_PARAMS` - Additional arguments that should be passed to the haproxy process during startup -* `HAPROXY_CONFIG` - Location of HAProxy config file (default: `/etc/haproxy/haproxy.cfg`) -* `PROXY_LOGLEVEL` - Log level for HAProxy (default: `notice`) -* `HTTP_PORT` - The container binds to this port for handling HTTP requests (default: `80`) -* `HTTPS_PORT` - The container binds to this port for handling HTTPS requests (default: `443`) -* `HTTPS_FORWARDED_PORT` - The port set in the `X-Forwarded-Port` header of requests sent to the Manager/Keycloak (default: `%[dst_port]` this is the HAProxy port) -* `NAMESERVER` - The nameserver hostname and port used for resolving the Manager/Keycloak hosts (default: `127.0.0.11:53`) -* `MANAGER_HOST` - Hostname of OpenRemote Manager (default: `manager`) -* `MANAGER_WEB_PORT` - Web server port of OpenRemote Manager (default `8080`) -* `MANAGER_MQTT_PORT` - MQTT broker port of OpenRemote Manager (default `1883`) -* `MANAGER_PATH_PREFIX` - The path prefix used for OpenRemote Manager HTTP requests (default not set, example: `/openremote`) -* `KEYCLOAK_HOST` - Hostname of the Keycloak server (default: `keycloak`) -* `KEYCLOAK_PORT` - Web server port of Keycloak server (default `8080`) -* `KEYCLOAK_PATH_PREFIX` - The path prefix used for Keycloak HTTP requests (default not set, example: `/keycloak`) -* `LOGFILE` - Location of log file for entrypoint script to write to in addition to stdout (default `none`) -* `AWS_ROUTE53_ROLE` - AWS Route53 Role ARN to be assumed when trying to generate wildcard certificates using Route53 DNS zone, specifically for cross account updates (default `none`) -* `LE_EXTRA_ARGS` - Can be used to add additional arguments to the certbot command (default `none`) +* `HAPROXY_CONFIG` - Location of HAProxy config file (live reload of HA Proxy on changes) \[default: `/etc/haproxy/haproxy.cfg`\] +* `PROXY_LOGLEVEL` - Log level for HAProxy \[default: `notice`\] +* `HTTP_PORT` - The 
container binds to this port for handling HTTP requests \[default: `80`\] +* `HTTPS_PORT` - The container binds to this port for handling HTTPS requests \[default: `443`\] +* `HTTPS_FORWARDED_PORT` - The port set in the `X-Forwarded-Port` header of requests sent to the Manager/Keycloak \[default: `%[dst_port]` this is the HAProxy port\] +* `NAMESERVER` - The nameserver hostname and port used for resolving the Manager/Keycloak hosts \[default: `127.0.0.11:53`\] +* `MANAGER_HOST` - Hostname of OpenRemote Manager \[default: `manager`\] +* `MANAGER_WEB_PORT` - Web server port of OpenRemote Manager \[default: `8080`\] +* `MANAGER_MQTT_PORT` - MQTT broker port of OpenRemote Manager \[default: `1883`\] +* `MANAGER_PATH_PREFIX` - The path prefix used for OpenRemote Manager HTTP requests (e.g. `/openremote`) \[default: not set\] +* `KEYCLOAK_HOST` - Hostname of the Keycloak server \[default: `keycloak`\] +* `KEYCLOAK_PORT` - Web server port of Keycloak server \[default: `8080`\] +* `KEYCLOAK_PATH_PREFIX` - The path prefix used for Keycloak HTTP requests (e.g. `/keycloak`) \[default: not set\] +* `LOGFILE` - Location of log file for entrypoint script to write to in addition to stdout \[default: `none`\] +* `AWS_ROUTE53_ROLE` - AWS Route53 Role ARN to be assumed when trying to generate wildcard certificates using Route53 DNS zone, specifically for cross account updates \[default: not set\] +* `LE_EXTRA_ARGS` - Can be used to add additional arguments to the certbot command \[default: not set\] * `DISABLE_ACME` - Disable certbot/ACME initialization and renewal logic in the entrypoint; useful when TLS is terminated externally such as with ACM on an AWS load balancer (accepted true values: `1`, `true`, `yes`, `on`) * `SISH_HOST` - Defines the destination hostname for forwarding requests that begin with `gw-` used in combination with `SISH_PORT` * `SISH_PORT` - Defined the destination port for forwarding requests tha begin with `gw-` used in combination with `SISH_HOST` 
@@ -76,3 +72,7 @@ For MQTT in the same setup, if MQTT TLS is also terminated upstream: * The provided `haproxy-edge-terminated-tls.cfg` listens for MQTT on `MANAGER_MQTT_PORT` and forwards it to the configured manager MQTT backend The `haproxy-edge-terminated-tls.cfg` file removes local TLS certificate usage from the pod and preserves the usual `X-Forwarded-*` HTTP headers for upstream applications. Do not use this config if HTTPS or MQTT TLS is still passed through to the pod. + +## Logs + +* `/var/log/*` - Location of log files (all are symlinked to stdout) \ No newline at end of file diff --git a/certs/01-selfsigned b/certs/01-selfsigned deleted file mode 100644 index c0e9848..0000000 --- a/certs/01-selfsigned +++ /dev/null 
@@ -1,50 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCrKEk77HcJB5Sq -voN2UbRsDh9d0ECN8tOU5hC2poih+6XBJgikQ8gdy7ptt477KRh3ZIiw3ZTXHg0/ -/Ju71D/4EDBYwHxoSK9WehP5Kz/LrBHhtArXK3RYH8pFS13CDOPjXnm6LMN52mRG -wm2gCwKwRTbfm+D9hjpVuwt0sfHaXVETlUc4JystlfYVurMcfsox9tsbRuzlEaky -K9Cr1V7bgaLMosHDX3NSuEyzb9DQZ3PBK3JjJhSeYkGNuP/NocMrWy/JHd2v2Wev -9W+D1Pv46Sqfrvd6K7oP00FL0CdODkMRBVTlb1wq/6uJdRbnVUM0PGA9enrQvMB1 -1fFglHa3AgMBAAECggEBAINFKqXi/ojWX5d09q7Qi2g0jKoPBvPXwZ75tOfhYfma -X857tTUHJ3xyvFFZ7zeClVk8qfm8eGNkkRT6URcF+unuwKXRO5lf5dqVVqxMF2nG -VxCcXZQZp+nOt/vdidNCv6Wq2AGKQ4I5lZ8Pj7SnvTAkZamqjCzlvefyxR6DO9MV -beJFscRp9OWCEPwscioWfP5/Df5luGZapDeIZz/Omt0GMHdKo4n/NRGZmQrZstlE -DoPKQvN3v7Y8UGrHERJJmQ5m/C01jy6cS9GRwwN3uKMLajcQ2TW/UZSeuHbWVdLu -utHk4Fzeze1WSbz2Mmc0hm3WVQ3UcA7pudRRRLvGQIECgYEA1n6iI+Xwm5DyaMf9 -mRwdivzPh9ZSt1FeT4aZG7oR2BeGN0LkFIVDrKtpjDCmyQU2G8Rp2/6HkbAm6Jdf -oM4x3Usb1icrHFMjXd6GFxgyHFMvLc2FvOleWeP7VvTRiAvwq+RgyAYn/s6MhVG4 -O4hPsdzMeTd00n373L45mc9JzWkCgYEAzEbdRzTmCt4pcoCkYL32YLcb70DxKNgD -pTM63fkwtYWth1bB1yU9egyQvsblkEYgJoYaau4Jsetwz8dp5NZ5lAT/xmZpQoCM -gcgoTcJoq0awWFI/T6NMN8Xl8kwpn/w3BtpW9edPS7KQH6Qo/z1ppjDeQ/tru/H5 -ryAlcXSh/x8CgYEAwPtmPg4fkJe0wflNfXgCTI5w2bJG8ZBP3hUno/6hF17y7r1M -H/pWjQAcEnmjVbFOoWTyKXCz4KwwFYw8CZ361zNAdEkBTJawd0BCPH0UeM+O3xLO -hM0iipXICNBzxIeZnc34FX8UdPi5DSodK9LUgR47CcSPYuLevBiaEnyh1iECgYA3 -vzsR/Kiu3JQZEGxLjmvXVwFDmMh3agQMqF9vRlr5nsKNhaqeqSYO0bEKr0LkzY5m -lQBOoCl7KZJ+0Z/feHxzXa3jmf0tzeEKZfJBzkU8QK1NXRy0Ag+BxPsM1aYiZ/Uo -ZJuIvhhQwyk7yVP62+qiFQIDMXDkOJP4K+CsBrVS5wKBgQCZbvzbdVhjKgjhB3hZ -fkA5KkQgHHhho3AJykARehPEDn3q37nhOH6QcDKAQD8wpXJN+zdAxsC4Nk/HBRyk -xA67RhwbXK5yL+3vlWG1Fs863tUlYxjF9xJV+qDpNRxAnR2Kz2iHICzcQ/93Vg6S -o7rEM/D7upgD89q9LqmqM+U3vg== ------END PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIUE3jYzxKpepVM0CSLZd9GNv6BHj8wDQYJKoZIhvcNAQEL -BQAwUDELMAkGA1UEBhMCR0IxHTAbBgNVBAMMFE9wZW5SZW1vdGUgRGVtbyBDZXJ0 -MRMwEQYDVQQKDApPcGVuUmVtb3RlMQ0wCwYDVQQLDAREZW1vMCAXDTIwMDYwODE5 
-MTc1MVoYDzIwNTAwNjAxMTkxNzUxWjBQMQswCQYDVQQGEwJHQjEdMBsGA1UEAwwU -T3BlblJlbW90ZSBEZW1vIENlcnQxEzARBgNVBAoMCk9wZW5SZW1vdGUxDTALBgNV -BAsMBERlbW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrKEk77HcJ -B5SqvoN2UbRsDh9d0ECN8tOU5hC2poih+6XBJgikQ8gdy7ptt477KRh3ZIiw3ZTX -Hg0//Ju71D/4EDBYwHxoSK9WehP5Kz/LrBHhtArXK3RYH8pFS13CDOPjXnm6LMN5 -2mRGwm2gCwKwRTbfm+D9hjpVuwt0sfHaXVETlUc4JystlfYVurMcfsox9tsbRuzl -EakyK9Cr1V7bgaLMosHDX3NSuEyzb9DQZ3PBK3JjJhSeYkGNuP/NocMrWy/JHd2v -2Wev9W+D1Pv46Sqfrvd6K7oP00FL0CdODkMRBVTlb1wq/6uJdRbnVUM0PGA9enrQ -vMB11fFglHa3AgMBAAGjbzBtMB0GA1UdDgQWBBT0ixs03BOrns+E2+xSU+nfP9KX -iTAfBgNVHSMEGDAWgBT0ixs03BOrns+E2+xSU+nfP9KXiTAPBgNVHRMBAf8EBTAD -AQH/MBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOC -AQEAawmLoD7bzFTM0Z58PR6jQR3ypD6IAyei6xiBI7wvxbjyxqQrk1i0rK2Aexjk -v2ZsAUmtrm5k5pWpBsokNuRddPV1K2OZjTj9HPc9AxqjyHKyqRXmVKWkzbWQDLVS -lGRk7yviUFS8nRuY0vLfqZzF7e2HeasThILJibY8rUVLuq+iMS35RDwQ9usIOiYz -dF4CO3HFZ6NtDheM1mPAy4Q76H1P1fINuA8mp/by9J8heexqjgpBKYexiQhjb1A7 -NBdWbJPXoNJplGXjGIbj8KxW61ih1wDRE2ZseOflRstO9/Txm7+Cuqo+WBOK39cU -CXPKre2pqmkIu65wJ6VcTKeSqw== ------END CERTIFICATE----- diff --git a/entrypoint.sh b/entrypoint.sh index 44db507..8c960d1 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -32,8 +32,9 @@ HAPROXY_RESTART_CMD="kill -s HUP 1" HAPROXY_CHECK_CONFIG_CMD="haproxy -f ${HAPROXY_CONFIG} -c" # Make dirs and files -mkdir -p /deployment/letsencrypt/live -mkdir -p /deployment/certs +mkdir -p $LE_DIR/live +mkdir -p $CERT_DIR +mkdir -p $CUSTOM_CERT_DIR if [ "$DOMAINNAME" == 'localhost' ]; then # To maintain support for existing setups @@ -79,10 +80,13 @@ run_proxy() { log_info "PROXY_LOGLEVEL: ${PROXY_LOGLEVEL}" log_info "LUA_PATH: ${LUA_PATH}" log_info "CERT_DIR: ${CERT_DIR}" + log_info "CUSTOM_CERT_DIR: ${CUSTOM_CERT_DIR}" log_info "LE_DIR: ${LE_DIR}" log_info "LE_CMD: ${LE_CMD}" log_info "AWS_ROUTE53_ROLE: ${AWS_ROUTE53_ROLE}" + ensure_selfsigned_cert + if check_proxy; then start_monitor 
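Review bot: The three `mkdir -p` lines added at the top of entrypoint.sh expand `$LE_DIR`, `$CERT_DIR` and `$CUSTOM_CERT_DIR` unquoted, so a value containing whitespace or glob characters is split into several arguments. An empty `CERT_DIR` or `CUSTOM_CERT_DIR` leaves `mkdir` without an operand, and an empty `LE_DIR` silently creates `/live`. The README in this series documents all three as settable, so I would quote them and fail early on empty values: `mkdir -p -- "${LE_DIR:?}/live"`, `mkdir -p -- "${CERT_DIR:?}"`, `mkdir -p -- "${CUSTOM_CERT_DIR:?}"`. The same unquoted expansion appears in `ls -al ${CUSTOM_CERT_DIR}` added by PATCH 4/4.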
@@ -123,10 +127,10 @@ run_proxy() { monitor() { while true; do - log_info "Monitoring config file '$HAPROXY_CONFIG' and certs in '$CERT_DIR' for changes..." + log_info "Monitoring config file '$HAPROXY_CONFIG' and certs in '/etc/haproxy/certs', '$CERT_DIR' and '$CUSTOM_CERT_DIR' for changes..." # Wait if config or certificates were changed, block this execution - inotifywait -q -r --exclude '\.git/' -e modify,create,delete,move,move_self "$HAPROXY_CONFIG" "$CERT_DIR" + inotifywait -q -r --exclude '\.git/' -e modify,create,delete,move,move_self "$HAPROXY_CONFIG" "/etc/haproxy/certs" "$CERT_DIR" "$CUSTOM_CERT_DIR" log_info "Change detected..." && sleep 5 && restart @@ -260,6 +264,8 @@ renew() { } auto_renew() { + ensure_selfsigned_cert + if ! acme_enabled; then log_info "ACME is disabled; skipping auto renew" return 0 @@ -367,10 +373,6 @@ cert_init() { rm -rf "${LE_DIR}/live/${FNAME}" 2>/dev/null add "${DOMAIN}" fi - if [ $i -eq 1 ]; then - log_info "Symlinking first domain to built in cert directory to take precedence over self signed cert" - ln -sfT ${CERT_DIR}/${FNAME} /etc/haproxy/certs/00-cert - fi done IFS=$IFS_OLD 
@@ -440,6 +442,32 @@ sync_haproxy() { return $? } +ensure_selfsigned_cert() { + SELF_SIGNED_CERT="/etc/haproxy/certs/00-selfsigned" + mkdir -p /etc/haproxy/certs + + # Check if self-signed cert exists and is valid for at least 30 more days (2592000 seconds) + if [ -f "$SELF_SIGNED_CERT" ]; then + if openssl x509 -checkend 2592000 -noout -in "$SELF_SIGNED_CERT" >/dev/null 2>&1; then + return 0 + else + log_info "Self-signed certificate is expired or expiring within 30 days. Regenerating..." + fi + else + log_info "No self-signed HAProxy certificate found; generating one." + fi + + # Generate a new certificate valid for 365 days + openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \ + -subj "/CN=localhost" \ + -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \ + -keyout /tmp/selfsigned.key \ + -out /tmp/selfsigned.crt || return $? + + cat /tmp/selfsigned.key /tmp/selfsigned.crt > "$SELF_SIGNED_CERT" + rm -f /tmp/selfsigned.key /tmp/selfsigned.crt +} + if [ $# -eq 0 ] then print_help diff --git a/haproxy.cfg b/haproxy.cfg index d415862..794642c 100644 --- a/haproxy.cfg +++ b/haproxy.cfg @@ -55,7 +55,7 @@ frontend http redirect scheme https code 301 if !url_acme_http01 !url_docker_health frontend https - bind *:"${HTTPS_PORT}" ssl crt /etc/haproxy/certs crt "${CERT_DIR}" no-tls-tickets + bind *:"${HTTPS_PORT}" ssl crt /etc/haproxy/certs crt "${CERT_DIR}" crt "${CUSTOM_CERT_DIR}" no-tls-tickets # Optional: redirects for root requests with certain host names to service paths acl is_root path -i / @@ -123,7 +123,7 @@ frontend https use_backend manager_backend listen mqtt - bind *:8883 ssl crt /etc/haproxy/certs crt "${CERT_DIR}" no-tls-tickets + bind *:8883 ssl crt /etc/haproxy/certs crt "${CERT_DIR}" crt "${CUSTOM_CERT_DIR}" no-tls-tickets mode tcp .if defined(MQTT_RATE_LIMIT) From dd55201da242980a408d639b386e3f23531f6171 Mon Sep 17 00:00:00 2001 
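Review bot: ensure_selfsigned_cert writes the new private key to the fixed paths `/tmp/selfsigned.key` and `/tmp/selfsigned.crt` and then into `$SELF_SIGNED_CERT` without setting a umask or file mode, so the key gets whatever permissions the process default gives. The status of the final `cat` is not checked, so a failed write still reaches `rm` and the function returns success with a missing or truncated PEM. I would generate into a `mktemp -d` directory under `umask 077`, propagate the `cat` status, tighten the mode of the combined file, and always remove the temporary directory. Whether anything else in the container can read `/tmp` or `/etc/haproxy/certs` is not visible here, so treat this as hardening rather than a confirmed exposure.

```shell
  # … unchanged: SELF_SIGNED_CERT assignment, mkdir, expiry check and log messages …

  tmp_dir=$(mktemp -d) || return $?
  (
    # Key material must never be group/world readable, even briefly.
    umask 077
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
      -subj "/CN=localhost" \
      -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
      -keyout "$tmp_dir/selfsigned.key" \
      -out "$tmp_dir/selfsigned.crt" \
      && cat "$tmp_dir/selfsigned.key" "$tmp_dir/selfsigned.crt" > "$SELF_SIGNED_CERT" \
      && chmod 600 "$SELF_SIGNED_CERT"
  )
  rc=$?
  rm -rf -- "$tmp_dir"
  return $rc
```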
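Review bot: With `crt /etc/haproxy/certs` still listed first on the `frontend https` bind line, the certificate served when a client sends no SNI or an unmatched name is now likely `00-selfsigned`. This series removes the `00-cert` symlink that cert_init used to place ahead of the self-signed file, and HAProxy documents the first loaded certificate as the default. The `listen mqtt` bind on 8883 has the same ordering, and clients that omit SNI are more plausible there. If that fallback is not intended, list the built-in directory last, e.g. `bind *:"${HTTPS_PORT}" ssl crt "${CERT_DIR}" crt "${CUSTOM_CERT_DIR}" crt /etc/haproxy/certs no-tls-tickets`, and confirm HAProxy accepts an empty `CERT_DIR` in first position.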
From: Rich Turner <7072278+richturner@users.noreply.github.com> Date: Fri, 15 May 2026 13:49:40 +0100 Subject: [PATCH 2/4] WIP --- entrypoint.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/entrypoint.sh b/entrypoint.sh index 8c960d1..adf422e 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -35,6 +35,7 @@ HAPROXY_CHECK_CONFIG_CMD="haproxy -f ${HAPROXY_CONFIG} -c" mkdir -p $LE_DIR/live mkdir -p $CERT_DIR mkdir -p $CUSTOM_CERT_DIR +mkdir -p /etc/haproxy/certs if [ "$DOMAINNAME" == 'localhost' ]; then # To maintain support for existing setups From bd1fcb2a3aafe9ac3a30cd7c735dbb28e9f0cfb8 Mon Sep 17 00:00:00 2001 From: Rich Turner <7072278+richturner@users.noreply.github.com> Date: Fri, 15 May 2026 14:39:25 +0100 Subject: [PATCH 3/4] WIP --- Dockerfile | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index afaf43e..ad22942 100644 --- a/Dockerfile +++ b/Dockerfile @@ -56,7 +56,7 @@ ARG LOGFILE=none ENV LOGFILE=${LOGFILE} ENV CERT_DIR=/deployment/certs -ENV CUSTOM_CERT_DIR=/custom/proxy/certs +ENV CUSTOM_CERT_DIR=/data/proxy/certs ENV LE_DIR=/deployment/letsencrypt ENV CHROOT_DIR=/etc/haproxy/webroot diff --git a/README.md b/README.md index 1dfc5c4..e90b343 100644 --- a/README.md +++ b/README.md 
@@ -7,7 +7,7 @@ HAProxy docker image with Lets Encrypt SSL auto renewal using certbot with built ## Environment variables * `CERT_DIR` - Automatically generated full chain PEM certificates directory (live reload of HA Proxy on changes) \[default: `/deployment/certs`\] -* `CUSTOM_CERT_DIR` - Additional custom full chain PEM certificates directory loaded by HAProxy but not managed by certbot \[default: `/custom/proxy/certs`\] +* `CUSTOM_CERT_DIR` - Additional custom full chain PEM certificates directory loaded by HAProxy but not managed by certbot \[default: `/data/proxy/certs`\] * `LE_DIR` - Certbot config directory where generated certificates are stored \[default: `/deployment/letsencrypt`\] * \[DEPRECATED\] `DOMAINNAME` - IANA TLD subdomain for which a Lets Encrypt certificate should be requested * `DOMAINNAMES` - Comma separated list of IANA TLD subdomain names for which Lets Encrypt certificates should be From 8dda1da0c1586ec9cd248d47fc88737be04c8953 Mon Sep 17 00:00:00 2001 From: Rich Turner <7072278+richturner@users.noreply.github.com> Date: Fri, 15 May 2026 22:23:26 +0100 Subject: [PATCH 4/4] WIP --- entrypoint.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index adf422e..c87bef9 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -88,6 +88,9 @@ run_proxy() { ensure_selfsigned_cert + log_info "Custom certs:" + ls -al ${CUSTOM_CERT_DIR} + if check_proxy; then start_monitor
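Review bot: The `ls -al ${CUSTOM_CERT_DIR}` added to run_proxy writes straight to stdout instead of going through `log_info`, so the listing presumably never reaches `LOGFILE` and carries no log prefix. It reads like debugging output left in a WIP commit. If the listing is wanted, route it through the logger and quote the path, e.g. `log_info "Custom certs: $(ls -al -- "${CUSTOM_CERT_DIR}" 2>&1)"`. run_proxy's body continues outside the hunk.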