Hi Johannes,

the /status URL is only provided on an http connector listening on 127.0.0.1:10001 for the DSF FHIR server or127.0.0.1:10002 for the DSF BPE server. Which of course means, that it is only accessible from within the docker container. And since it is hard-coded you would need to fork the DSF in order to change this. I was debating to either make this accessible from outside the container by default or make it configurable, but I deemed the risk to high, that due to coding errors other resource may get accessible without authentication as well.

Since the docker daemon should know (via health-check) if the DSF containers are healthy you may want to monitor the docker daemon via Prometheus.

I see the point that it might still be visible through the dockerd metrics. However, it would be much more efficient to be able to monitor the application the same way as we do with our other 100+ domains, plus, http probes are the common way to achieve this. They also provide additional info, such as certificate expiry etc.

Are there any chances this might be made accessible in a future release? Would it be a reasonable compromise to remove the 127.0.0.1 restriction from the http connector, but without exposing the port outside the container by default?

As a side note, the endpoint accessibility could still be restricted by the fhir_proxy.

I do not want to add any endpoint that circumvents our authentication/authorization layer and is accessible from outside the docker container.

But I think we should add the status URL to the regular HTTP port (80) after we have added authentication for local users using OAuth2/OpenID Connect. The status URL could than be accessible to users with a specific "status monitoring" role.

I will reopen this issue and reclassify it as low priority (for now) enhancement.