2 changes: 0 additions & 2 deletions CLAUDE.md
Expand Up @@ -109,8 +109,6 @@ Both install.sh and deploy-to-swarm.sh check for the other's naming convention t
- `COLLECTOR_SECRET` (required) — Authentication token
- `BASE_URL` — API endpoint (default: https://telemetry.betterstack.com)
- `CLUSTER_COLLECTOR` — Force cluster collector mode (default: false)
- `PROXY_PORT` (optional) — Host port for upstream proxy (cannot be 80 with USE_TLS, cannot be 33000/34320/39090)
- `USE_TLS` (optional) — Enable TLS; port 80 exposed for ACME validation. Only used by install.sh.
- `MOUNT_HOST_PATHS` (optional) — Comma-separated host paths instead of default `/:/host:ro`
- `COLLECT_OTEL_HTTP_PORT` / `COLLECT_OTEL_GRPC_PORT` (optional) — OTel ingestion ports

4 changes: 0 additions & 4 deletions deploy-to-swarm.sh
Expand Up @@ -27,7 +27,6 @@
# - BASE_URL: Better Stack API endpoint (default: https://telemetry.betterstack.com)
# - CLUSTER_COLLECTOR: Enable cluster collector mode (default: false)
# - ENABLE_DOCKERPROBE: Enable Docker container metadata collection (default: true)
# - PROXY_PORT: Optional proxy port for upstream proxy mode
# - COLLECT_OTEL_HTTP_PORT: Port to expose for OTel HTTP ingestion (e.g., 4318)
# - COLLECT_OTEL_GRPC_PORT: Port to expose for OTel gRPC ingestion (e.g., 4317)
#
Expand Down Expand Up @@ -97,7 +96,6 @@ ATTACH_NETWORKS="${ATTACH_NETWORKS:-}"
BASE_URL="${BASE_URL:-https://telemetry.betterstack.com}"
CLUSTER_COLLECTOR="${CLUSTER_COLLECTOR:-false}"
ENABLE_DOCKERPROBE="${ENABLE_DOCKERPROBE:-true}"
PROXY_PORT="${PROXY_PORT:-}"
COLLECT_OTEL_HTTP_PORT="${COLLECT_OTEL_HTTP_PORT:-}"
COLLECT_OTEL_GRPC_PORT="${COLLECT_OTEL_GRPC_PORT:-}"

Expand Down Expand Up @@ -178,7 +176,6 @@ deploy_collector_stack() {
local collector_secret="$COLLECTOR_SECRET"
local base_url="$BASE_URL"
local cluster_collector="$CLUSTER_COLLECTOR"
local proxy_port="$PROXY_PORT"
local otel_http_port="$COLLECT_OTEL_HTTP_PORT"
local otel_grpc_port="$COLLECT_OTEL_GRPC_PORT"
local use_labeled_nodes="$USE_LABELED_NODES"
Expand Down Expand Up @@ -336,7 +333,6 @@ MOUNT_ENTRY
COLLECTOR_SECRET="$collector_secret" \\
BASE_URL="$base_url" \\
CLUSTER_COLLECTOR="$cluster_collector" \\
PROXY_PORT="$proxy_port" \\
COLLECT_OTEL_HTTP_PORT="$otel_http_port" \\
COLLECT_OTEL_GRPC_PORT="$otel_grpc_port" \\
docker stack deploy -c docker-compose.yml better-stack
18 changes: 0 additions & 18 deletions development.md
Expand Up @@ -44,24 +44,6 @@ Tail collector logs:
- `BASE_URL` (optional): Better Stack base URL (default: <https://telemetry.betterstack.com>)
- `CLUSTER_COLLECTOR` (optional): Should we collect metrics from databases in the cluster? Only one collector instance per cluster should have the variable set to true. By default betterstack.com chooses one of the collector instances automatically, use this ENV variable if you want to override this behavior (default: false)

### Domain-based TLS (optional)

- SSL certificate domain is now managed remotely via Better Stack API
- `PROXY_PORT` (optional): Host port mapped to the in-container proxy. Must be an integer and must not equal `33000` or `34320`. Must not equal `80` when domain is given - certbot binds to it.
- Domain configuration:
- Domain is received in `ssl_certificate_host.txt` file with other configuration files
- Stored at `/etc/ssl_certificate_host.txt` in the container
- Certbot reads domain from this file instead of environment variable
- Certificate locations after issuance or renewal:
- `/etc/ssl/<domain>.pem` (symlink to fullchain.pem)
- `/etc/ssl/<domain>.key` (symlink to privkey.pem)
- Vector reload behavior:
- On successful issuance or renewal, Vector is signaled (HUP) to reload without container restart.
- When domain changes, Vector validation is skipped for one ping cycle (30s) to allow certificate acquisition
- Retry cadence:
- Issuance attempts: immediate on domain change, then every 10 minutes until a valid cert exists
- Renewals: every 6 hours when a valid cert exists

## Topology

- eBPF container talks to collector via host network on port 34320. Only localhost is allowed to connect to this port.
2 changes: 0 additions & 2 deletions docker-compose.seccomp.yml
Expand Up @@ -22,8 +22,6 @@ services:
- VECTOR_LOG_FORMAT=json
# Pass hostname of host machine to collector
- HOSTNAME
# Optional proxy port for upstream proxy mode
- PROXY_PORT
- COLLECT_OTEL_HTTP_PORT
- COLLECT_OTEL_GRPC_PORT
- INSTALLED_AS=docker
2 changes: 0 additions & 2 deletions docker-compose.yml
Expand Up @@ -20,8 +20,6 @@ services:
- VECTOR_LOG_FORMAT=json
# Pass hostname of host machine to collector
- HOSTNAME
# Optional proxy port for upstream proxy mode
- PROXY_PORT
- COLLECT_OTEL_HTTP_PORT
- COLLECT_OTEL_GRPC_PORT
- INSTALLED_AS=docker
48 changes: 4 additions & 44 deletions install.sh
Expand Up @@ -64,33 +64,11 @@ if [ -z "$COLLECTOR_SECRET" ]; then
exit 1
fi

# Optional proxy port and TLS indicator
PROXY_PORT="${PROXY_PORT:-}"
USE_TLS="${USE_TLS:-}"

# Optional custom host mount paths (comma-separated)
MOUNT_HOST_PATHS="${MOUNT_HOST_PATHS:-}"
COLLECT_OTEL_HTTP_PORT="${COLLECT_OTEL_HTTP_PORT:-}"
COLLECT_OTEL_GRPC_PORT="${COLLECT_OTEL_GRPC_PORT:-}"

# Validate PROXY_PORT if set
if [ -n "$PROXY_PORT" ]; then
if ! [[ "$PROXY_PORT" =~ ^[0-9]+$ ]]; then
echo "Error: PROXY_PORT must be an integer."
exit 1
fi
# Check for conflicts with internal ports
if [ "$PROXY_PORT" -eq 33000 ] || [ "$PROXY_PORT" -eq 34320 ] || [ "$PROXY_PORT" -eq 39090 ]; then
echo "Error: PROXY_PORT cannot be 33000, 34320, or 39090 as these are internal collector ports."
exit 1
fi
# If USE_TLS is set and PROXY_PORT is 80, that's a conflict
if [ -n "$USE_TLS" ] && [ "$PROXY_PORT" -eq 80 ]; then
echo "Error: PROXY_PORT cannot be 80 when USE_TLS is set (port 80 is reserved for ACME HTTP-01)."
exit 1
fi
fi

# Set hostname if not provided (use empty string HOSTNAME="" to trigger runtime detection via uts:host)
if [ -z "${HOSTNAME+x}" ]; then
HOSTNAME=$(hostname)
Expand Down Expand Up @@ -133,23 +111,17 @@ fi

# Adjust Compose port exposure rules
# - Adds ports section to collector service (inserted before volumes section)
# - If PROXY_PORT present, add host mapping: ${PROXY_PORT}:${PROXY_PORT} (for upstream proxy in Vector)
# - Add port 80 for ACME validation when PROXY_PORT==443 or USE_TLS is set (and PROXY_PORT!=80)
# - If OTel ports are set, add host mappings for them

adjust_compose_ports() {
local file="$1"
local tmpfile
tmpfile="$(mktemp)"

local bind80=""
if [ "$PROXY_PORT" = "443" ] || ([ -n "$USE_TLS" ] && [ "$PROXY_PORT" != "80" ]); then
bind80="yes"
fi

awk -v addport="$PROXY_PORT" -v add80="$bind80" -v otel_http="$COLLECT_OTEL_HTTP_PORT" -v otel_grpc="$COLLECT_OTEL_GRPC_PORT" '
awk -v otel_http="$COLLECT_OTEL_HTTP_PORT" -v otel_grpc="$COLLECT_OTEL_GRPC_PORT" '
BEGIN { inserted=0; in_collector=0 }
{
if ($0 ~ /# install: (proxy port|acme http-01|ports section|otel port)/) { next }
if ($0 ~ /# install: (ports section|otel port)/) { next }
if ($0 ~ /^[[:space:]]*ports:[[:space:]]*$/ && in_collector==1) { next }

if ($0 ~ /^ collector:[[:space:]]*$/) {
Expand All @@ -160,14 +132,8 @@ adjust_compose_ports() {
}

if (in_collector==1 && inserted==0 && $0 ~ /^[[:space:]]*volumes:[[:space:]]*$/) {
if (addport != "" || add80 != "" || otel_http != "" || otel_grpc != "") {
if (otel_http != "" || otel_grpc != "") {
print " ports: # install: ports section"
if (addport != "") {
print " - \"" addport ":" addport "\" # install: proxy port"
}
if (add80 != "") {
print " - \"80:80\" # install: acme http-01"
}
if (otel_http != "") {
print " - \"" otel_http ":" otel_http "\" # install: otel port"
}
Expand Down Expand Up @@ -287,10 +253,6 @@ docker_v1_compatibility() {
adjust_compose_ports docker-compose.yml
adjust_compose_volumes docker-compose.yml

if [ -n "$PROXY_PORT" ]; then
sed -i.bak 's/INSTALLED_AS=docker/INSTALLED_AS=proxy/g' docker-compose.yml && rm -f docker-compose.yml.bak
fi

# Replace :latest tag if IMAGE_TAG is set
if [ -n "$IMAGE_TAG" ]; then
echo "Replacing :latest with :$IMAGE_TAG in compose file"
Expand All @@ -310,7 +272,6 @@ BASE_URL="$BASE_URL" \
CLUSTER_COLLECTOR="$CLUSTER_COLLECTOR" \
ENABLE_DOCKERPROBE="$ENABLE_DOCKERPROBE" \
HOSTNAME="$HOSTNAME" \
PROXY_PORT="$PROXY_PORT" \
COLLECT_OTEL_HTTP_PORT="$COLLECT_OTEL_HTTP_PORT" \
COLLECT_OTEL_GRPC_PORT="$COLLECT_OTEL_GRPC_PORT" \
$COMPOSE_CMD -p better-stack-collector pull
Expand All @@ -331,7 +292,6 @@ BASE_URL="$BASE_URL" \
CLUSTER_COLLECTOR="$CLUSTER_COLLECTOR" \
ENABLE_DOCKERPROBE="$ENABLE_DOCKERPROBE" \
HOSTNAME="$HOSTNAME" \
PROXY_PORT="$PROXY_PORT" \
COLLECT_OTEL_HTTP_PORT="$COLLECT_OTEL_HTTP_PORT" \
COLLECT_OTEL_GRPC_PORT="$COLLECT_OTEL_GRPC_PORT" \
$COMPOSE_CMD -p better-stack-collector up -d --no-build
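Review bot: `COLLECT_OTEL_HTTP_PORT` and `COLLECT_OTEL_GRPC_PORT` are now the only values `adjust_compose_ports` writes into the `ports:` section of docker-compose.yml, and no format check on them is visible in these hunks, whereas the deleted PROXY_PORT block enforced `^[0-9]+$` and rejected 33000, 34320 and 39090. Because they are passed with `awk -v`, which interprets backslash escapes, and are printed inside a quoted YAML string, a malformed value can yield a broken or unintended compose entry instead of a clear error. Unless a check exists outside the visible lines, keep an equivalent guard next to the OTel defaults, e.g. `for p in "$COLLECT_OTEL_HTTP_PORT" "$COLLECT_OTEL_GRPC_PORT"; do [ -z "$p" ] || [[ "$p" =~ ^[0-9]+$ ]] || { echo "Error: OTel ports must be integers."; exit 1; }; done`, and consider rejecting the three internal collector ports as the old check did. The body of `adjust_compose_ports` continues outside the hunks shown.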
2 changes: 0 additions & 2 deletions swarm/docker-compose.swarm-collector.yml
Expand Up @@ -34,8 +34,6 @@ services:
- BASE_URL
- CLUSTER_COLLECTOR
- VECTOR_LOG_FORMAT=json
# Optional proxy port for upstream proxy mode
- PROXY_PORT
- COLLECT_OTEL_HTTP_PORT
- COLLECT_OTEL_GRPC_PORT
- INSTALLED_AS=swarm