TLS termination
Configure MinIO Sidekick to terminate TLS connections from clients while communicating with backends over HTTP or HTTPS.
Certificate configuration
Provide a TLS certificate and private key using the --cert and --key flags:
sidekick --cert /path/to/cert.pem --key /path/to/key.pem \
  --health-path=/ready \
  http://backend1:8000 http://backend2:8000
Sidekick listens for HTTPS connections and presents the provided certificate to clients.
Backend connections use HTTP by default.
Use https:// backend URLs for end-to-end encryption.
Encrypted private keys
If the private key file is encrypted with a password, provide the password using --key-password:
sidekick --cert /path/to/cert.pem --key /path/to/encrypted-key.pem \
  --key-password "passphrase" \
  --health-path=/ready \
  http://backend1:8000
Sidekick decrypts the private key at startup using the provided password. Store the password securely and avoid passing it directly on the command line in production environments.
Certificate reloading
Sidekick automatically reloads certificates when the certificate files change on disk.
This allows certificate renewal without restarting the Sidekick process.
The certificate manager monitors the file paths specified in --cert and --key for modifications.
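Because a changed file is picked up without a restart, it helps to check a renewed pair before it reaches the watched paths. The following is an added example, not part of Sidekick or its documentation. It confirms with openssl that the certificate and private key belong together and that the certificate is not about to expire. The function names and the one-day default are assumptions, and the passphrase for an encrypted key is given as an openssl -passin source such as file:/path so that it stays off the command line.

```shell
#!/bin/sh
# Added example (not Sidekick code): gate a renewed certificate/key pair
# before copying it onto the paths given to --cert and --key.
# Function names and the 86400-second default are assumptions.

# Succeeds only if the certificate's public key equals the one derived
# from the private key. $3 is an optional openssl -passin source for an
# encrypted key, e.g. file:/path/to/passphrase-file.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin "${3:-pass:}" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Usage: check_renewed_pair CERT KEY [PASSIN_SOURCE] [MIN_SECONDS]
check_renewed_pair() {
    if ! pair_matches "$1" "$2" "${3:-}"; then
        echo "refusing: certificate and key do not match or cannot be read" >&2
        return 1
    fi
    if ! cert_valid_for "$1" "${4:-86400}"; then
        echo "refusing: certificate expires within ${4:-86400} seconds" >&2
        return 1
    fi
    echo "ok: pair matches and certificate is valid"
}

# Run the check when called with arguments, e.g.
#   ./check-pair.sh new-cert.pem new-key.pem file:/path/to/passphrase-file
if [ "$#" -ge 2 ]; then
    check_renewed_pair "$@"
fi
```

Copy the new files into place only after the check exits with status 0.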
TLS version configuration
Sidekick defaults to TLS 1.3 as the maximum supported version.
Configure TLS 1.2 as the maximum version using the --tls-max flag:
sidekick --cert /path/to/cert.pem --key /path/to/key.pem \
  --tls-max 1.2 \
  --health-path=/ready \
  http://backend1:8000
The minimum supported TLS version is 1.2. Sidekick rejects connections using older protocol versions.