the-bastion/doc/sphinx/administration/configuration/osh-http-proxy_conf.rst

===================
osh-http-proxy.conf
===================

 .. note::

    This module is optional, and disabled by default.
    To know more about the HTTP Proxy feature of The Bastion,
    please check the :doc:`/using/http_proxy` section

Option List
===========

HTTP Proxy configuration options
--------------------------------

These options modify the behavior of the HTTP Proxy, an optional module of The Bastion

- `enabled`_
- `port`_
- `ssl_certificate`_
- `ssl_key`_
- `ciphers`_
- `insecure`_
- `min_servers`_
- `max_servers`_
- `min_spare_servers`_
- `max_spare_servers`_
- `timeout`_
- `log_request_response`_
- `log_request_response_max_size`_

Option Reference
================

HTTP Proxy configuration
------------------------

enabled
*******

:Type: ``bool``

:Default: ``false``

Whether the HTTP proxy daemon daemon is enabled or not. If it's not enabled, it'll exit when started.
Of course, if you want to enable this daemon, you should **also** configure your init system to start it
for you. Both sysV-style scripts and systemd unit files are provided.
For systemd, using `systemctl enable osh-http-proxy.service` should be enough.
For sysV-style inits, it depends on the scripts provided for your distro,
but usually `update-rc.d osh-http-proxy defaults` then `update-rc.d osh-http-proxy enable` should
do the trick.

port
****

:Type: ``int, 1 to 65535``

:Default: ``8443``

The port to listen to. You can use ports < 1024, in which case privileges will be dropped after binding,
but please ensure your systemd unit file starts the daemon as root in that case.

ssl_certificate
***************

:Type: ``string``

:Default: ``/etc/ssl/certs/ssl-cert-snakeoil.pem``

The file that contains the server SSL certificate in PEM format.
For tests, install the ``ssl-cert`` package and point this configuration item
to the snakeoil certs (which is the default).

ssl_key
*******

:Type: ``string``

:Default: ``/etc/ssl/private/ssl-cert-snakeoil.key``

The file that contains the server SSL key in PEM format.
For tests, install the ``ssl-cert`` package and point this configuration item
to the snakeoil certs (which is the default).

ciphers
*******

:Type: ``string``

:Default: ``""``

:Example: ``"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"``

The ordered list the TLS server ciphers, in ``openssl`` classic format. Use ``openssl ciphers``
to see what your system supports, an empty list leaves the choice to your openssl libraries default
values (system-dependent)

insecure
********

:Type: ``bool``

:Default: ``false``

Whether to ignore SSL certificate verification for the connection between the bastion and the devices

min_servers
***********

:Type: ``int, 1 to 512``

:Default: ``8``

Number of child processes to start at launch

max_servers
***********

:Type: ``int, 1 to 512``

:Default: ``32``

Hard maximum number of child processes that can be active at any given time no matter what

min_spare_servers
*****************

:Type: ``int, 1 to 512``

:Default: ``8``

The daemon will ensure that there is at least this number of children idle & ready to accept
new connections (as long as max_servers is not reached)

max_spare_servers
*****************

:Type: ``int, 1 to 512``

:Default: ``16``

The daemon will kill *idle* children to keep their number below this maximum when traffic is low

timeout
*******

:Type: ``int, 1 to 3600``

:Default: ``120``

Timeout delay (in seconds) for the connection between the bastion and the devices

log_request_response
********************

:Type: ``bool``

:Default: ``true``

When enabled, the complete response of the device to the request we forwarded will be logged,
otherwise we'll only log the response headers

log_request_response_max_size
*****************************

:Type: ``int, 0 to 2^30 (1 GiB)``

:Default: ``65536``

This option only applies when `log_request_response` is true (see above).
When set to zero, the complete response will be logged in the account's home log directory,
including the body, regardless of its size. If set to a positive integer,
the query response will only be partially logged, with full status and headers but the body only up
to the specified size. This is a way to avoid turning off request response logging completely on
very busy bastions, by ensuring logs growth don't get out of hand, as some responses to queries can
take megabytes, with possibly limited added value to traceability.
chore: standardize doc generation for config files 2022-02-02 18:32:11 +08:00			`===================`
			`osh-http-proxy.conf`
			`===================`
documentation: add a lot of new documentation topics 2021-06-25 23:43:00 +08:00
chore: standardize doc generation for config files 2022-02-02 18:32:11 +08:00			`.. note::`
documentation: add a lot of new documentation topics 2021-06-25 23:43:00 +08:00
chore: standardize doc generation for config files 2022-02-02 18:32:11 +08:00			`This module is optional, and disabled by default.`
			`To know more about the HTTP Proxy feature of The Bastion,`
			please check the :doc:`/using/http_proxy` section
documentation: add a lot of new documentation topics 2021-06-25 23:43:00 +08:00
			`Option List`
			`===========`

doc: use autosectionlabel 2021-07-30 19:55:03 +08:00			`HTTP Proxy configuration options`
			`--------------------------------`
documentation: add a lot of new documentation topics 2021-06-25 23:43:00 +08:00
			`These options modify the behavior of the HTTP Proxy, an optional module of The Bastion`

doc: use autosectionlabel 2021-07-30 19:55:03 +08:00			- `enabled`_
			- `port`_
			- `ssl_certificate`_
			- `ssl_key`_
			- `ciphers`_
			- `insecure`_
			- `min_servers`_
			- `max_servers`_
			- `min_spare_servers`_
			- `max_spare_servers`_
			- `timeout`_
			- `log_request_response`_
			- `log_request_response_max_size`_
documentation: add a lot of new documentation topics 2021-06-25 23:43:00 +08:00
			`Option Reference`
			`================`

			`HTTP Proxy configuration`
			`------------------------`

			`enabled`
			`*******`

			:Type: ``bool``

			:Default: ``false``

chore: standardize doc generation for config files 2022-02-02 18:32:11 +08:00			`Whether the HTTP proxy daemon daemon is enabled or not. If it's not enabled, it'll exit when started.`
			`Of course, if you want to enable this daemon, you should also configure your init system to start it`
			`for you. Both sysV-style scripts and systemd unit files are provided.`
			For systemd, using `systemctl enable osh-http-proxy.service` should be enough.
			`For sysV-style inits, it depends on the scripts provided for your distro,`
			but usually `update-rc.d osh-http-proxy defaults` then `update-rc.d osh-http-proxy enable` should
			`do the trick.`
documentation: add a lot of new documentation topics 2021-06-25 23:43:00 +08:00
			`port`
			`****`

			:Type: ``int, 1 to 65535``

			:Default: ``8443``

chore: standardize doc generation for config files 2022-02-02 18:32:11 +08:00			`The port to listen to. You can use ports < 1024, in which case privileges will be dropped after binding,`
			`but please ensure your systemd unit file starts the daemon as root in that case.`
documentation: add a lot of new documentation topics 2021-06-25 23:43:00 +08:00
			`ssl_certificate`
			`***************`

			:Type: ``string``

			:Default: ``/etc/ssl/certs/ssl-cert-snakeoil.pem``

chore: standardize doc generation for config files 2022-02-02 18:32:11 +08:00			`The file that contains the server SSL certificate in PEM format.`
			For tests, install the ``ssl-cert`` package and point this configuration item
			`to the snakeoil certs (which is the default).`
documentation: add a lot of new documentation topics 2021-06-25 23:43:00 +08:00
			`ssl_key`
			`*******`

			:Type: ``string``

			:Default: ``/etc/ssl/private/ssl-cert-snakeoil.key``

chore: standardize doc generation for config files 2022-02-02 18:32:11 +08:00			`The file that contains the server SSL key in PEM format.`
			For tests, install the ``ssl-cert`` package and point this configuration item
			`to the snakeoil certs (which is the default).`
documentation: add a lot of new documentation topics 2021-06-25 23:43:00 +08:00
			`ciphers`
			`*******`

			:Type: ``string``

			:Default: ``""``

			:Example: ``"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"``

chore: standardize doc generation for config files 2022-02-02 18:32:11 +08:00			The ordered list the TLS server ciphers, in ``openssl`` classic format. Use ``openssl ciphers``
			`to see what your system supports, an empty list leaves the choice to your openssl libraries default`
			`values (system-dependent)`
documentation: add a lot of new documentation topics 2021-06-25 23:43:00 +08:00
			`insecure`
			`********`

			:Type: ``bool``

			:Default: ``false``

			`Whether to ignore SSL certificate verification for the connection between the bastion and the devices`

			`min_servers`
			`***********`

			:Type: ``int, 1 to 512``

			:Default: ``8``

			`Number of child processes to start at launch`

			`max_servers`
			`***********`

			:Type: ``int, 1 to 512``

			:Default: ``32``

			`Hard maximum number of child processes that can be active at any given time no matter what`

			`min_spare_servers`
			`*****************`

			:Type: ``int, 1 to 512``

			:Default: ``8``

chore: standardize doc generation for config files 2022-02-02 18:32:11 +08:00			`The daemon will ensure that there is at least this number of children idle & ready to accept`
			`new connections (as long as max_servers is not reached)`
documentation: add a lot of new documentation topics 2021-06-25 23:43:00 +08:00
			`max_spare_servers`
			`*****************`

			:Type: ``int, 1 to 512``

			:Default: ``16``

			`The daemon will kill idle children to keep their number below this maximum when traffic is low`

			`timeout`
			`*******`

			:Type: ``int, 1 to 3600``

			:Default: ``120``

			`Timeout delay (in seconds) for the connection between the bastion and the devices`

			`log_request_response`
			`********************`

			:Type: ``bool``

			:Default: ``true``

chore: standardize doc generation for config files 2022-02-02 18:32:11 +08:00			`When enabled, the complete response of the device to the request we forwarded will be logged,`
			`otherwise we'll only log the response headers`
documentation: add a lot of new documentation topics 2021-06-25 23:43:00 +08:00
			`log_request_response_max_size`
			`*****************************`

			:Type: ``int, 0 to 2^30 (1 GiB)``

			:Default: ``65536``

chore: standardize doc generation for config files 2022-02-02 18:32:11 +08:00			This option only applies when `log_request_response` is true (see above).
			`When set to zero, the complete response will be logged in the account's home log directory,`
			`including the body, regardless of its size. If set to a positive integer,`
			`the query response will only be partially logged, with full status and headers but the body only up`
			`to the specified size. This is a way to avoid turning off request response logging completely on`
			`very busy bastions, by ensuring logs growth don't get out of hand, as some responses to queries can`
			`take megabytes, with possibly limited added value to traceability.`
documentation: add a lot of new documentation topics 2021-06-25 23:43:00 +08:00