Skip to content
/ docs Public

Document Tenzir Gateway CORS and TLS certificate configuration#232

Open
lava wants to merge 1 commit intomainfrom
claude/implement-docs-changes-pFJIG
Open

Document Tenzir Gateway CORS and TLS certificate configuration#232
lava wants to merge 1 commit intomainfrom
claude/implement-docs-changes-pFJIG

Conversation

@lava
Copy link
Member

@lava lava commented Mar 3, 2026

Summary

This PR adds documentation for two important Tenzir Gateway configuration scenarios that users may encounter when setting up the platform with direct browser-to-gateway connections.

Key Changes

  • CORS Configuration Guide: Added documentation for the CORS_ALLOWED_ORIGINS environment variable on the websocket-gateway service. This explains when CORS restrictions apply (when the UI and gateway are on different origins) and how to properly configure allowed origins with full scheme and port information.

  • TLS Certificate Trust Guide: Added a caution section explaining the browser certificate trust issue that occurs when using self-signed certificates with direct gateway connections. Includes:

    • Explanation of why the browser doesn't show the typical untrusted certificate warning
    • How to identify the actual problem in browser developer console
    • Two resolution approaches: manually accepting the certificate or using the internal proxy mode

Notable Details

  • Both additions are context-aware, referencing the TENZIR_PLATFORM_USE_INTERNAL_WS_PROXY configuration flag to explain when these issues apply
  • The CORS documentation includes a concrete YAML example showing proper configuration syntax
  • The TLS documentation provides practical troubleshooting steps and alternative solutions

https://claude.ai/code/session_01GgSV84jmGtMoBNGDnYzWse

@lava @claude
docs: document gateway CORS config and browser certificate trust
14f9585 
Add CORS_ALLOWED_ORIGINS documentation for the Tenzir Gateway service,
needed when the UI frontend connects directly to the gateway from a
different origin (e.g. different port or domain).

Add a caution note in the self-signed certificates section explaining
that when the browser connects directly to the gateway, it must
explicitly trust the gateway certificate. The failure mode is subtle:
the UI shows only a vague "Unable to fetch pipelines" message because
the browser never navigates to the gateway port directly and therefore
never displays the normal untrusted-certificate warning page.

https://claude.ai/code/session_01GgSV84jmGtMoBNGDnYzWse
@github-actions github-actions bot added the guide How-to guides label Mar 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

guide How-to guides

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lava