TLS & Certificates

The container listens on plain HTTP (port 80) by default. In almost every deployment, TLS is terminated upstream — at an Ingress controller, an ALB, or a cloud HTTPS load balancer — and the gateway sits behind it on the private network.

In-pod TLS (end-to-end)

For PCI / FedRAMP setups that require encryption all the way to the process, set both certificate paths; the main listener then serves HTTPS on PORT instead of HTTP:

docker run -d --name secure-gateway \
  -p 443:443 \
  -e PORT=443 \
  -e TLS_CERT_FILE=/etc/ssl/certs/gateway.crt \
  -e TLS_KEY_FILE=/etc/ssl/private/gateway.key \
  -v /path/to/certs:/etc/ssl:ro \
  repo.roboflow.com/roboflow-edge/secure-gateway:0.1.0-70

Both TLS_CERT_FILE and TLS_KEY_FILE are required to enable inbound TLS; both files must be PEM-encoded. The MVP Helm chart does not mount certs: use an Ingress/LB, or extend the chart with a volume.

Outbound CA bundle (TLS inspection)

If the gateway's egress passes through a corporate TLS-inspection proxy (Zscaler, Netskope, a Palo Alto appliance), give it the inspection CA bundle so outbound connections validate against the certificates the proxy presents:

-e TLS_CA_BUNDLE=/etc/ssl/certs/corporate-ca.pem
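The three variables above are easy to get subtly wrong (one of the pair missing, a DER file where PEM is expected, a key that belongs to a different certificate), and the failure only shows up when the container starts. The following preflight is an added example, not the gateway's own code and not from Roboflow: it reads the same TLS_CERT_FILE / TLS_KEY_FILE / TLS_CA_BUNDLE names from an environment mapping and loads each file through Python's standard ssl module, which applies OpenSSL's parsing and the certificate/key match check before anything is deployed. The mode strings, the TlsPreflight class and the demo() scenarios (which deliberately use non-PEM files) are constructed for this example.

```python
import os
import ssl
import tempfile
from dataclasses import dataclass, field


@dataclass
class TlsPreflight:
    """Outcome of the check: mode is "http", "https" or "error" (names chosen here)."""
    mode: str
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def preflight_gateway_tls(env: dict) -> TlsPreflight:
    """Validate the TLS_* settings the way the docs describe them.

    TLS_CERT_FILE and TLS_KEY_FILE must both be set (PEM) to enable inbound
    TLS; TLS_CA_BUNDLE is optional and, when set, must be a PEM CA bundle.
    Files are loaded with ssl.SSLContext so OpenSSL does the real parsing,
    including the check that the private key matches the certificate.
    """
    cert = env.get("TLS_CERT_FILE")
    key = env.get("TLS_KEY_FILE")
    ca = env.get("TLS_CA_BUNDLE")
    result = TlsPreflight(mode="http")

    if bool(cert) != bool(key):
        result.problems.append(
            "TLS_CERT_FILE and TLS_KEY_FILE must both be set to enable inbound TLS")

    for label, path in (("TLS_CERT_FILE", cert), ("TLS_KEY_FILE", key), ("TLS_CA_BUNDLE", ca)):
        if path and not os.path.isfile(path):
            result.problems.append(f"{label}={path}: not a file (check the volume mount)")

    if cert and key and result.ok:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.load_cert_chain(certfile=cert, keyfile=key)   # PEM parse + key/cert match
        except ssl.SSLError as err:
            result.problems.append(
                f"certificate/key rejected by OpenSSL ({err.reason or err}): expect a PEM pair")
        except OSError as err:
            result.problems.append(f"cannot read certificate/key: {err}")

    if ca and os.path.isfile(ca):
        trust = ssl.create_default_context()
        try:
            trust.load_verify_locations(cafile=ca)           # must contain >= 1 PEM certificate
        except ssl.SSLError as err:
            result.problems.append(
                f"TLS_CA_BUNDLE rejected by OpenSSL ({err.reason or err}): expect PEM CA certs")

    if result.problems:
        result.mode = "error"
    elif cert and key:
        result.mode = "https"
    return result


def demo() -> dict:
    """Run the preflight over constructed scenarios; the files are deliberately not PEM."""
    tmp = tempfile.mkdtemp(prefix="gw-tls-")
    bogus_crt = os.path.join(tmp, "gateway.crt")
    bogus_key = os.path.join(tmp, "gateway.key")
    with open(bogus_crt, "w") as f:
        f.write("this is not a PEM certificate\n")
    with open(bogus_key, "w") as f:
        f.write("this is not a PEM key\n")
    return {
        "plain_http": preflight_gateway_tls({}),
        "half_configured": preflight_gateway_tls({"TLS_CERT_FILE": bogus_crt}),
        "bogus_pair": preflight_gateway_tls({"TLS_CERT_FILE": bogus_crt, "TLS_KEY_FILE": bogus_key}),
        "bogus_ca": preflight_gateway_tls({"TLS_CA_BUNDLE": bogus_key}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: mode={outcome.mode} problems={outcome.problems}")
```

Run it against the host-side copies of the files (with host paths) before starting the container, or with `os.environ` from inside the container. Note that the `docker run` above mounts the host directory onto `/etc/ssl`, so that directory needs `certs/` and `private/` subdirectories matching the two paths, and the preflight's "not a file" message is the usual symptom when the layout does not match.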

Client note. When the gateway has TLS enabled, devices connect over HTTPS/443. The optional HTTP_REDIRECT_PORT listener on :80 is a 301-only redirector: clients follow a 301 with a GET and drop the POST body, so point clients that POST (RFDM telemetry, logs) at HTTPS directly. See Connecting Clients.
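To see what the 301 redirector does to a POST, here is an added example (not the gateway's code, and not from Roboflow) that stands up two throwaway loopback listeners with Python's standard library: a redirector that answers every request with a 301, like the HTTP_REDIRECT_PORT listener, and a recorder standing in for the HTTPS listener (plain HTTP on loopback here, since only the method and body matter). urllib is the client. The `code` parameter lets you compare with a 308, which the gateway does not offer; the ports, the `/telemetry` path and the JSON body are constructed for the demo.

```python
import http.server
import threading
import urllib.error
import urllib.request


class Redirector(http.server.BaseHTTPRequestHandler):
    """Stand-in for the :80 redirector: every request gets a redirect to `target`."""
    target = ""      # filled in by post_through_redirector()
    code = 301       # the gateway only sends 301; 308 is here for comparison

    def _redirect(self):
        length = int(self.headers.get("Content-Length", 0))
        if length:
            self.rfile.read(length)            # drain the body before answering
        self.send_response(self.code)
        self.send_header("Location", self.target + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _redirect

    def log_message(self, *args):              # keep the demo quiet
        pass


class Recorder(http.server.BaseHTTPRequestHandler):
    """Stand-in for the HTTPS listener: records the method and body that arrive."""
    seen = []

    def _record(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        Recorder.seen.append((self.command, body))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _record

    def log_message(self, *args):
        pass


def _serve(handler):
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)   # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def post_through_redirector(payload: bytes, code: int = 301):
    """POST `payload` at the redirector and report what the final listener saw.

    Returns ("followed", [(method, body), ...]) when the client followed the
    redirect, or ("refused", status) when it declined to resend the request.
    """
    recorder = _serve(Recorder)
    Recorder.seen.clear()
    Redirector.target = f"http://127.0.0.1:{recorder.server_port}"
    Redirector.code = code
    redirector = _serve(Redirector)
    try:
        req = urllib.request.Request(
            f"http://127.0.0.1:{redirector.server_port}/telemetry",
            data=payload,
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=5):
            pass
        return ("followed", list(Recorder.seen))
    except urllib.error.HTTPError as err:
        return ("refused", err.code)
    finally:
        for srv in (redirector, recorder):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    telemetry = b'{"device": "cam-01", "fps": 24}'    # constructed sample body
    print("301:", post_through_redirector(telemetry, 301))
    print("308:", post_through_redirector(telemetry, 308))
```

With a 301 the telemetry POST arrives at the final listener as a GET with an empty body, which is exactly the silent data loss the note warns about; with a 308 this client refuses to follow at all, so either way the redirector is no substitute for configuring HTTPS on the device. The outcome is specific to the client library; curl and other HTTP stacks make their own choices for 301 on POST, which is one more reason to configure the HTTPS endpoint directly.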