From 66f1e2ea3b3840bd130c88719b4245afe6cbf456 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Mon, 6 Apr 2026 13:29:21 +0300
Subject: [PATCH] fix(meshcentral): re-enable TLSOffload for Traefik reverse proxy

The previous init container incorrectly disabled TLSOffload, causing MeshCentral to serve HTTPS on port 443. Traefik connects via HTTP, resulting in protocol mismatch and 500 errors. Fix ensures TLSOffload is always enabled so MeshCentral serves plain HTTP behind Traefik.
---
 stacks/meshcentral/main.tf | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/stacks/meshcentral/main.tf b/stacks/meshcentral/main.tf
index 4f3ac3b3..6731b6fb 100644
--- a/stacks/meshcentral/main.tf
+++ b/stacks/meshcentral/main.tf
@@ -115,8 +115,18 @@ resource "kubernetes_deployment" "meshcentral" {
 command = ["/bin/sh"]
 args = ["-c", <<-EOT
 if [ -f /opt/meshcentral/meshcentral-data/config.json ]; then
- # Replace "certUrl" with "_certUrl" to disable it when using TLSOffload
+ # Disable certUrl when using Traefik reverse proxy with TLS offload
 sed -i 's/"certUrl":/"_certUrl":/g' /opt/meshcentral/meshcentral-data/config.json
+
+ # Fix WebRTC value from string to boolean
+ sed -i 's/"WebRTC": "[^"]*"/"WebRTC": false/g' /opt/meshcentral/meshcentral-data/config.json
+
+ # Ensure TLSOffload is enabled (Traefik terminates TLS, MeshCentral serves HTTP on 443)
+ # Re-enable if previously disabled by restoring _TLSOffload back to TLSOffload
+ sed -i 's/"_TLSOffload":/"TLSOffload":/g' /opt/meshcentral/meshcentral-data/config.json
+ # Set TLSOffload to true (accepts any reverse proxy)
+ sed -i 's/"TLSOffload": "[^"]*"/"TLSOffload": true/g' /opt/meshcentral/meshcentral-data/config.json
+ sed -i 's/"TLSOffload": false/"TLSOffload": true/g' /opt/meshcentral/meshcentral-data/config.json
 fi
 EOT
 ]
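Review bot: The added sed that rewrites `"TLSOffload": "[^"]*"` to `true` overwrites any proxy address already pinned in config.json, and by the hunk's own comment `true` accepts any reverse proxy; whether forwarded-client headers are then trusted from every peer depends on MeshCentral's handling, which this diff does not show. I would drop that line so an existing string value survives, or write the Traefik address instead, e.g. `sed -i 's/"TLSOffload": false/"TLSOffload": "<TRAEFIK_PROXY_IP>"/g' /opt/meshcentral/meshcentral-data/config.json`, with the placeholder supplied from a Terraform variable. Because MeshCentral now serves plain HTTP on its listening port, ingress to the pod should be limited to Traefik (for example with a NetworkPolicy); no such restriction is visible in this hunk. The substitutions are also silent no-ops when the key is absent or spaced differently (`"TLSOffload":false`), so the script does not guarantee the setting, and a final check that fails the init container when no enabled `TLSOffload` entry is present would make that visible. The `kubernetes_deployment` resource starts and ends outside the hunk.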