Sidecar Docs
Quickstart, ports, headers, TLS, observability, production, troubleshooting.
Quickstart (3 commands)
curl -fsSL https://treelineproxy.io/downloads/compose.quickstart.yml -o compose.yml
docker compose -f compose.yml up -d
curl -fsSL https://treelineproxy.io/downloads/smoke.sh -o smoke.sh && chmod +x smoke.sh && ./smoke.sh
Expect: LIVE on /ready, 403 on blocked, [REDACTED] in bodies, metrics at 127.0.0.1:9096/metrics.
Ports & Health
- Proxy: 127.0.0.1:15050 → 15000
- Metrics: 127.0.0.1:9096 → 9095
- Health: 127.0.0.1:18080 → 8080 (GET /ready)
curl -fsS http://127.0.0.1:18080/ready
Decision headers
Default: OFF (prod-safe). Enable for local debug:
TREELINE_DECISION_HEADERS=true docker compose -f compose.yml up -d
When on: X-Decision, X-Duplicate, X-Rulepack-Version.
TLS body inspection
For HTTPS body redaction, trust the sidecar CA locally (dev only).
ls ./mitm
Observability
Add overlay:
docker compose -f compose.yml -f https://treelineproxy.io/downloads/compose.observability.yml up -d
- Grafana: 127.0.0.1:3030 (admin/admin)
- Prom: 127.0.0.1:9091
Metrics
treeline_requests_total{decision}
treeline_decisions_total{action,rule}
curl -s http://127.0.0.1:9096/metrics | grep -E 'treeline_requests_total|treeline_decisions_total' | sort
Baseline Policy (v1)
- Block: Authorization: Bearer …
- Block: OpenAI‑style keys (sk-…)
- Redact: emails, SSNs, credit cards, JWTs
- Audit: duplicate requests (60s)
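To reason about which decision a given request body should produce under this baseline, here is an added Python model of the four rules. It is not Treeline's implementation or rulepack format: the regexes, the action names (block/redact/allow), the Luhn check on card numbers and the `BaselinePolicy` class are assumptions made for illustration.

```python
import hashlib
import re
import time

# Assumed regexes: the page names the categories, not the exact patterns.
BLOCK = {
    "bearer": re.compile(r"Authorization:\s*Bearer\s+\S+", re.I),
    "sk_key": re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"),
}
REDACT = {
    "jwt": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}
DUP_WINDOW = 60  # seconds, from "Audit: duplicate requests (60s)"


def luhn_ok(number):
    """Luhn checksum, so arbitrary long digit runs are not redacted as cards."""
    digits = [int(c) for c in number if c.isdigit()][::-1]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0


class BaselinePolicy:
    def __init__(self):
        self._seen = {}  # sha256(body) -> time last seen

    def evaluate(self, body, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(body.encode()).hexdigest()
        last = self._seen.get(digest)
        self._seen[digest] = now
        dup = last is not None and now - last <= DUP_WINDOW  # audit only
        for rule, pat in BLOCK.items():
            if pat.search(body):  # credential present: reject with 403
                return {"action": "block", "rules": [rule], "status": 403,
                        "body": None, "duplicate": dup}
        hits = []
        for rule, pat in REDACT.items():
            def mask(m, rule=rule):
                if rule == "card" and not luhn_ok(m.group()):
                    return m.group()  # digit run that fails Luhn: leave as is
                hits.append(rule)
                return "[REDACTED]"
            body = pat.sub(mask, body)
        return {"action": "redact" if hits else "allow", "rules": hits,
                "status": None, "body": body, "duplicate": dup}
```

Comparing this model's output for a sample body with what the sidecar actually returns is a quick way to spot where a tuned rulepack diverges from the baseline.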
Production notes
- Bind to localhost in dev; VPC/LB in prod.
- Keep headers OFF in prod; rely on metrics/logs.
- Ship policy as read‑only volume; tune by risk.
- Export telemetry to Prom/OTel/SIEM.
Troubleshooting
- Port in use → change host ports or stop the process.
- HTTPS body not redacted → trust sidecar CA locally.
- 503 from proxy → check FAIL_MODE and health.