in Connect, I cannot expose path for HTTPS endpoints inside the container

[Cottand]

Feature Description

Allow using Expose Paths with HTTPS, in addition to the existing http and http2 modes.

My alternatives

• I downgrade the server I want to expose from HTTP to HTTPS (not an option for me)
• I expose the HTTPS server outside of the Connect network (but intentions won't apply!)

Use Case(s)

I am using cockroachdb, set up with my own self-signed certificates manually (because otherwise it enters this restrictive 'insecure' mode).

It exposes health checks and metrics endpoints I would like to scrape with prometheus, but these are served via HTTPS only.

I tried using the expose config with Nomad, but it seems that TLS is terminated somewhere by the sidecar:

# the sidecar proxy exposes the path at 10.10.0.1:20373

❯ curl 10.10.0.1:20373/_status/vars
# this is returned by the cockroachdb HTTP server and forwarded appropriately:
<a href="https://10.10.0.1:20373/_status/vars">Temporary Redirect</a>.


❯ curl https://10.10.0.1:20373/_status/vars
# sidecar returned HTTP response?
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

I do not mind that the sidecar terminates HTTPS and exposes the path at HTTP (although ideally it would not terminate TLS at all) but in this case I would expect to be able to reach my container's HTTPS endpoint for scraping