Replies: 4 comments
-
I am not sure what this means practically. Can you provide your own TLS certificates?
This is not a TLS that should be managed through a reverse proxy. It is mTLS for point to point communication. It's not HTTPS, it is gRPC. Perhaps you can propose a solution since I am not sure what it means to accept CA certs.
-
Hey Amir, thanks for the quick response. Sorry for the confusion, I'll attempt to clarify. With the current implementation, I can provide both dashboard and agent instances a specific cert that the agent will always send, and the dashboard will always trust. This works, but it requires me to manually generate the cert and share it between the agent and dashboard, or create some automation to do the same. What I'd prefer is a way to hand the dashboard instance the root cert for my CA and have it trust anything that CA signs. That way, I can auto-generate appropriate certs for the agent endpoint, and the dashboard could trust them on the basis of the signature.
Thanks for clarifying that. While it does unfortunately torpedo my reverse proxy approach, I still think the underlying ask about trusting based on a CA root is valid.
Implementation specifics are beyond me, so I have to admit that this next part comes from a robot, but the logic seems at least superficially sound.
Let me know if that clears things up, or if I'm still not making sense.
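The difference between pinning one agent certificate and trusting a CA root, as requested in the comment above, shown as an added Go example that is not part of the thread and is not Dozzle's code. The `issue` and `trustedByCA` helpers, the certificate names, and the modelling of pinning as an exact certificate match are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test cert: a self-signed CA if parent is nil, else a leaf signed by parent.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil { // self-signed root: may sign certificates, signs itself
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, priv
}

// trustedByCA is the requested behaviour: accept any certificate that chains to a root in roots.
// No name is checked here, so every certificate that CA issues is accepted.
func trustedByCA(roots *x509.CertPool, presented *x509.Certificate) bool {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	ca, caKey := issue("constructed internal CA", 1, nil, nil)
	pinned, _ := issue("agent", 2, ca, caKey)
	rotated, _ := issue("agent", 3, ca, caKey) // same CA, new key pair
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println("pin (exact match):", pinned.Equal(rotated), "CA root:", trustedByCA(roots, rotated))
}
```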
-
On additional consideration, the context that this is a gRPC connection limits the value this feature would add for me. While I still think its addition would be added value for the project as a whole, the standard Dozzle self-signed certs are sufficient for my use case. Thanks very much for your time, and for the project.
-
Thanks @wtsudlow for the update. I think this could take a while to even research and implement. If more people had asked for it then it might be worth it. But you are the first one. I'll change this to a discussion. No plans for me to work on it right now.
-
Describe the feature you would like to see
I'd like to request an enhancement to the way the Dozzle dashboard verifies remote agent TLS connections.
Currently, the dashboard appears to require a pinned certificate (cert.pem) for each agent it connects to. In my setup, though, I use certificates generated by my internal certificate authority (CA), managed through my reverse proxy.
It would be great if Dozzle supported validating agent certificates based on a provided CA root certificate, rather than requiring an exact certificate match. This would make managing agent certificates much simpler, and better support automated certificate rotation.
Thanks for your consideration!
Describe how you would like to see this feature implemented
No response
Describe any alternatives you've considered
No response