############################################################################################
# Config for the HTTP Proxy of The Bastion.
# This is a JSON file, its syntax must be valid at all times. To verify:
# => grep -v ^# /etc/bastion/osh-http-proxy.conf|python -mjson.tool>/dev/null && echo OK
#
# If you're on a production bastion you can verify it can properly load its configuration:
# => perl -I/opt/bastion/lib/perl -MOVH::Bastion -e 'die OVH::Bastion::load_configuration_file(file => "/etc/bastion/osh-http-proxy.conf")'
############################################################################################
{
# enabled (bool)
# VALUE: true or false
# DESC: whether the http proxy daemon is enabled or not (if not, it'll exit when launched)
# DEFAULT: false
"enabled": false,
#
# port (int)
# VALUE: 1 to 65535
# DESC: port to listen on. You can set a value < 1024, in which case privileges will be dropped after binding,
# but please ensure your systemd unit file starts the daemon as root in that case
# DEFAULT: 8443
"port": 8443,
#
# ssl_certificate (string)
# VALUE: a full path to a file
# DESC: file that contains the server SSL certificate in PEM format. For tests, install the ssl-cert package and point to snakeoil (which is the default).
# DEFAULT: /etc/ssl/certs/ssl-cert-snakeoil.pem
"ssl_certificate": "/etc/ssl/certs/ssl-cert-snakeoil.pem",
#
# ssl_key (string)
# VALUE: a full path to a file
# DESC: file that contains the server SSL key in PEM format. For tests, install the ssl-cert package and point to snakeoil (which is the default).
# DEFAULT: /etc/ssl/private/ssl-cert-snakeoil.key
"ssl_key": "/etc/ssl/private/ssl-cert-snakeoil.key",
#
# ciphers (string)
# VALUE: openssl-compatible colon-separated (':') ciphersuites
# DESC: the ordered list of TLS server ciphers, in openssl classic format. Use `openssl ciphers` to see what your system supports,
# an empty list leaves the choice to your openssl library's default values (system-dependent)
# EXAMPLE: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
# DEFAULT: ""
"ciphers": "",
#
# insecure (bool)
# VALUE: true or false
# DESC: whether to ignore SSL certificate verification for the connection between the bastion and the devices
# (when true, the devices' certificates are no longer authenticated by the bastion)
# DEFAULT: false
"insecure": false,
#
# min_servers (int)
# VALUE: 1 to 512
# DESC: number of child processes to start at launch
# DEFAULT: 8
"min_servers": 8,
#
# max_servers (int)
# VALUE: 1 to 512
# DESC: hard maximum number of child processes that can be active at any given time no matter what
# DEFAULT: 32
"max_servers": 32,
#
# min_spare_servers (int)
# VALUE: 1 to 512
# DESC: the daemon will ensure that there is at least this number of children idle & ready to accept new connections (as long as max_servers is not reached)
# DEFAULT: 8
"min_spare_servers": 8,
#
# max_spare_servers (int)
# VALUE: 1 to 512
# DESC: the daemon will kill *idle* children to keep their number below this maximum when traffic is low
# DEFAULT: 16
"max_spare_servers": 16,
#
# timeout (int)
# VALUE: 1 to 3600
# DESC: timeout delay (in seconds) for the connection between the bastion and the devices
# DEFAULT: 120
"timeout": 120
}