Sidecar MITM — 1‑Minute Quickstart

Transparent TLS proxy for OpenAI, Anthropic, Azure AI, Vertex, Bedrock and local LLMs. Enforce policy at the network edge.

Proxy 15000 Health 8080 Metrics 9095

Start the sidecar

curl -fsS https://treelineproxy.io/downloads/compose.quickstart.yml -o compose.yml
docker compose -f compose.yml up -d --build
curl -fsS http://127.0.0.1:8080/ready && echo LIVE

Need Prometheus + Grafana? Add the observability overlay below.

Verify policy

Expect 403 for risky headers & keys; redaction shows [REDACTED].

export PROXY=http://127.0.0.1:15000
# Header block → 403
curl -i -x "$PROXY" -k https://example.com/ -H 'Authorization: Bearer x' -d hi -o /dev/null -w "%{http_code}\n"
# OpenAI key block → 403
curl -i -x "$PROXY" -k https://example.com/ --data 'sk-123456789012345678901234' -o /dev/null -w "%{http_code}\n"
# Redaction visible in echo
curl -s -x "$PROXY" -k https://postman-echo.com/post -H 'content-type: text/plain' \
  --data 'email a@b.com SSN 123-45-6789 CC 4242 4242 4242 4242' | jq -r '.data'

Observability (optional)

Adds Prometheus + Grafana to your running compose.

curl -fsS https://treelineproxy.io/downloads/compose.observability.yml -o compose.obs.yml
docker compose -f compose.yml -f compose.obs.yml up -d
# Prometheus → http://localhost:9090   Grafana → http://localhost:3000 (admin/admin)

Metrics to watch

curl -s http://127.0.0.1:9095/metrics \
 | egrep 'treeline_requests_total|treeline_decisions_total' | sort

Metric	Meaning
`treeline_requests_total{decision}`	allow · redact · block
`treeline_decisions_total{action,rule}`	which rule fired

Headers & policy

Env	Value	Effect
`TREELINE_FAIL_MODE`	soft / hard	soft = observe; hard = enforce
`TREELINE_DECISION_HEADERS`	false (prod)	No `X-Decision` headers; use metrics/logs
`TREELINE_RULEPACK`	`/app/rules/baseline.yaml`	PII, secrets, OpenAI key, JWT, etc.

Baseline covers: API keys/secrets (incl. OpenAI), SSN/CC/PII, JWT; blocks via header & body; redacts sensitive spans.

Ports & binds

Host	Container	Purpose
15000	15000	HTTP/HTTPS proxy
8080	8080	Health (`/ready`)
9095	9095	Prometheus metrics

Change host ports by editing your compose file mapping on the left of host:container.

Kubernetes/ECS

# Sidecar example (K8s)
containers:
- name: app
  image: your/app
- name: treeline
  image: treeline/sidecar:latest
  env:
  - name: TREELINE_FAIL_MODE
    value: "hard"
  ports:
  - containerPort: 15000
# Point your app's HTTP(S)_PROXY to http://localhost:15000

Troubleshooting

Port in use: stop old containers; change host ports; or kill stray docker-proxy.
503 from proxy: target unreachable or TLS MITM blocked; try httpbin/postman-echo.
No headers: by design in prod (TREELINE_DECISION_HEADERS=false); use metrics.
Not capturing: ensure your client uses the proxy (env HTTP_PROXY/HTTPS_PROXY or curl -x).