2022-02-02 18:32:11 +08:00
|
|
|
###############################################################################
|
|
|
|
## Configuration for the HTTP Proxy of The Bastion.
|
|
|
|
##
|
|
|
|
## This is a JSON file, to verify its syntax:
|
|
|
|
## > grep -v ^# /etc/bastion/osh-http-proxy.conf|python -mjson.tool>/dev/null && echo OK
|
|
|
|
##
|
|
|
|
## You can also verify that the code can load the configuration file:
|
|
|
|
## > perl -I/opt/bastion/lib/perl -MOVH::Bastion -e 'die OVH::Bastion::load_configuration_file(file => "/etc/bastion/osh-http-proxy.conf")'
|
|
|
|
##
|
|
|
|
#@ .. note::
|
2022-01-26 18:19:52 +08:00
|
|
|
#@
|
2022-02-02 18:32:11 +08:00
|
|
|
#@ This module is optional, and disabled by default.
|
|
|
|
#@ To know more about the HTTP Proxy feature of The Bastion,
|
|
|
|
#@ please check the :doc:`/using/http_proxy` section
|
|
|
|
###############################################################################
|
2020-10-16 00:32:37 +08:00
|
|
|
{
|
2021-06-25 23:43:00 +08:00
|
|
|
# > HTTP Proxy configuration
|
|
|
|
# >> These options modify the behavior of the HTTP Proxy, an optional module of The Bastion
|
|
|
|
#
|
2020-10-16 00:32:37 +08:00
|
|
|
# enabled (bool)
|
2022-02-02 18:32:11 +08:00
|
|
|
# DESC: Whether the HTTP proxy daemon daemon is enabled or not. If it's not enabled, it'll exit when started.
|
|
|
|
# Of course, if you want to enable this daemon, you should **also** configure your init system to start it
|
|
|
|
# for you. Both sysV-style scripts and systemd unit files are provided.
|
|
|
|
# For systemd, using `systemctl enable osh-http-proxy.service` should be enough.
|
|
|
|
# For sysV-style inits, it depends on the scripts provided for your distro,
|
|
|
|
# but usually `update-rc.d osh-http-proxy defaults` then `update-rc.d osh-http-proxy enable` should
|
|
|
|
# do the trick.
|
|
|
|
# DEFAULT: false
|
2020-10-16 00:32:37 +08:00
|
|
|
"enabled": false,
|
|
|
|
#
|
2021-06-25 23:43:00 +08:00
|
|
|
# port (int, 1 to 65535)
|
2022-02-02 18:32:11 +08:00
|
|
|
# DESC: The port to listen to. You can use ports < 1024, in which case privileges will be dropped after binding,
|
|
|
|
# but please ensure your systemd unit file starts the daemon as root in that case.
|
2020-10-16 00:32:37 +08:00
|
|
|
# DEFAULT: 8443
|
|
|
|
"port": 8443,
|
|
|
|
#
|
|
|
|
# ssl_certificate (string)
|
2022-02-02 18:32:11 +08:00
|
|
|
# DESC: The file that contains the server SSL certificate in PEM format.
|
|
|
|
# For tests, install the ``ssl-cert`` package and point this configuration item
|
|
|
|
# to the snakeoil certs (which is the default).
|
2021-06-25 23:43:00 +08:00
|
|
|
# DEFAULT: /etc/ssl/certs/ssl-cert-snakeoil.pem
|
2020-10-16 00:32:37 +08:00
|
|
|
"ssl_certificate": "/etc/ssl/certs/ssl-cert-snakeoil.pem",
|
|
|
|
#
|
|
|
|
# ssl_key (string)
|
2022-02-02 18:32:11 +08:00
|
|
|
# DESC: The file that contains the server SSL key in PEM format.
|
|
|
|
# For tests, install the ``ssl-cert`` package and point this configuration item
|
|
|
|
# to the snakeoil certs (which is the default).
|
2020-10-16 00:32:37 +08:00
|
|
|
# DEFAULT: /etc/ssl/private/ssl-cert-snakeoil.key
|
|
|
|
"ssl_key": "/etc/ssl/private/ssl-cert-snakeoil.key",
|
|
|
|
#
|
|
|
|
# ciphers (string)
|
2022-02-02 18:32:11 +08:00
|
|
|
# DESC: The ordered list the TLS server ciphers, in ``openssl`` classic format. Use ``openssl ciphers``
|
|
|
|
# to see what your system supports, an empty list leaves the choice to your openssl libraries default
|
|
|
|
# values (system-dependent)
|
2020-10-16 00:32:37 +08:00
|
|
|
# EXAMPLE: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
|
|
|
|
# DEFAULT: ""
|
|
|
|
"ciphers": "",
|
|
|
|
#
|
|
|
|
# insecure (bool)
|
2021-06-25 23:43:00 +08:00
|
|
|
# DESC: Whether to ignore SSL certificate verification for the connection between the bastion and the devices
|
2020-10-16 00:32:37 +08:00
|
|
|
# DEFAULT: false
|
|
|
|
"insecure": false,
|
|
|
|
#
|
2021-06-25 23:43:00 +08:00
|
|
|
# min_servers (int, 1 to 512)
|
|
|
|
# DESC: Number of child processes to start at launch
|
2020-10-16 00:32:37 +08:00
|
|
|
# DEFAULT: 8
|
|
|
|
"min_servers": 8,
|
|
|
|
#
|
2021-06-25 23:43:00 +08:00
|
|
|
# max_servers (int, 1 to 512)
|
|
|
|
# DESC: Hard maximum number of child processes that can be active at any given time no matter what
|
2020-10-16 00:32:37 +08:00
|
|
|
# DEFAULT: 32
|
|
|
|
"max_servers": 32,
|
|
|
|
#
|
2021-06-25 23:43:00 +08:00
|
|
|
# min_spare_servers (int, 1 to 512)
|
2022-02-02 18:32:11 +08:00
|
|
|
# DESC: The daemon will ensure that there is at least this number of children idle & ready to accept
|
|
|
|
# new connections (as long as max_servers is not reached)
|
2020-10-16 00:32:37 +08:00
|
|
|
# DEFAULT: 8
|
|
|
|
"min_spare_servers": 8,
|
|
|
|
#
|
2021-06-25 23:43:00 +08:00
|
|
|
# max_spare_servers (int, 1 to 512)
|
|
|
|
# DESC: The daemon will kill *idle* children to keep their number below this maximum when traffic is low
|
2020-10-16 00:32:37 +08:00
|
|
|
# DEFAULT: 16
|
|
|
|
"max_spare_servers": 16,
|
|
|
|
#
|
2021-06-25 23:43:00 +08:00
|
|
|
# timeout (int, 1 to 3600)
|
|
|
|
# DESC: Timeout delay (in seconds) for the connection between the bastion and the devices
|
2020-10-16 00:32:37 +08:00
|
|
|
# DEFAULT: 120
|
2021-06-03 22:26:06 +08:00
|
|
|
"timeout": 120,
|
|
|
|
#
|
|
|
|
# log_request_response (bool)
|
2022-02-02 18:32:11 +08:00
|
|
|
# DESC: When enabled, the complete response of the device to the request we forwarded will be logged,
|
|
|
|
# otherwise we'll only log the response headers
|
2021-06-03 22:26:06 +08:00
|
|
|
# DEFAULT: true
|
|
|
|
"log_request_response": true,
|
|
|
|
#
|
2021-06-25 23:43:00 +08:00
|
|
|
# log_request_response_max_size (int, 0 to 2^30 (1 GiB))
|
2022-02-02 18:32:11 +08:00
|
|
|
# DESC: This option only applies when `log_request_response` is true (see above).
|
|
|
|
# When set to zero, the complete response will be logged in the account's home log directory,
|
|
|
|
# including the body, regardless of its size. If set to a positive integer,
|
|
|
|
# the query response will only be partially logged, with full status and headers but the body only up
|
|
|
|
# to the specified size. This is a way to avoid turning off request response logging completely on
|
|
|
|
# very busy bastions, by ensuring logs growth don't get out of hand, as some responses to queries can
|
|
|
|
# take megabytes, with possibly limited added value to traceability.
|
2021-06-03 22:26:06 +08:00
|
|
|
# DEFAULT: 65536
|
|
|
|
"log_request_response_max_size": 65536
|
2020-10-16 00:32:37 +08:00
|
|
|
}
|