TL;DR

  • App passes App+Sidecar and Test-Proxy checklists first.
  • Health endpoints return 200: /__app_ok, /__gw_ok.
  • Main gateway handles TLS for the app domain.
  • Expose sidecar only on host loopback.

0) Prerequisites

  • App passes App+Sidecar and Test-Proxy integration checks.
  • Health endpoints return 200 for app and sidecar.
  • TLS and DNS are ready on the gateway.

1) Choose the upstream strategy

Option A: Loopback exposure (recommended)

  • Sidecar publishes 127.0.0.1:2001:2001 on the host.
  • Confirm at the firewall that port 2001 is reachable on loopback only.
  • Gateway upstream: proxy_pass http://127.0.0.1:2001;.

Option B: Shared network (gateway container)

  • Gateway container joins net_test.
  • Gateway upstream: proxy_pass http://appX:2001;.

2) Main gateway vhost

  • :80 -> ACME location + 301 to HTTPS.
  • :443 -> correct cert, HSTS, security headers.
  • Preserve Host and X-Forwarded-* headers.
  • Keep blackhole defaults for unknown hosts.
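
The vhost that steps 1 (Option A) and 2 describe, as an added nginx example rather than config from the original page; app.example.com, the certificate paths and the ACME webroot are assumed placeholders:

```nginx
# Blackhole default: any Host not explicitly configured gets no response.
# ssl_reject_handshake needs nginx 1.19.4+ and avoids a dummy cert on :443.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
    return 444;
}

# :80 -> ACME challenges served from the webroot, everything else 301 to HTTPS.
server {
    listen 80;
    server_name app.example.com;                      # assumed app domain
    location /.well-known/acme-challenge/ { root /var/www/acme; }  # assumed webroot
    location / { return 301 https://$host$request_uri; }
}

# :443 -> correct cert, HSTS, security headers, upstream on host loopback (Option A).
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;   # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    # "always" keeps the headers on error responses as well as 2xx/3xx.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;

    location / {
        proxy_pass http://127.0.0.1:2001;             # sidecar published on loopback only
        proxy_http_version 1.1;
        # Preserve Host and X-Forwarded-* so the app sees the original request.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
    }
}
```

Run nginx -t before reloading, then check that https://app.example.com/__gw_ok returns 200 and that a request with an unknown Host header is dropped.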

3) Remove test-proxy dependency

  • Remove the app block from test-proxy vhosts.
  • Reload test-proxy and verify no traffic reaches it.

4) Monitoring

  • Gateway probes /__gw_ok.
  • Use gateway access/error logs as the source of truth.
  • Alert on error rate and p95 latency.

5) Rollback

  • Restore test-proxy mapping.
  • Point gateway back to http://127.0.0.1:7777.