ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2024-12-26 09:35:01 +08:00
Code Issues Projects Releases Packages Wiki Activity
the-bastion/etc/bastion/osh-http-proxy.conf.dist
Stéphane Lesimple ee776707c1 chore: standardize doc generation for config files
2022-02-09 14:31:33 +01:00

106 lines
5.1 KiB
Text
Raw Permalink Blame History

###############################################################################
## Configuration for the HTTP Proxy of The Bastion.
##
## This is a JSON file, to verify its syntax:
## > grep -v ^# /etc/bastion/osh-http-proxy.conf|python -mjson.tool>/dev/null && echo OK
##
## You can also verify that the code can load the configuration file:
## > perl -I/opt/bastion/lib/perl -MOVH::Bastion -e 'die OVH::Bastion::load_configuration_file(file => "/etc/bastion/osh-http-proxy.conf")'
##
#@ .. note::
#@
#@ This module is optional, and disabled by default.
#@ To know more about the HTTP Proxy feature of The Bastion,
#@ please check the :doc:`/using/http_proxy` section
###############################################################################
{
# > HTTP Proxy configuration
# >> These options modify the behavior of the HTTP Proxy, an optional module of The Bastion
#
# enabled (bool)
# DESC: Whether the HTTP proxy daemon daemon is enabled or not. If it's not enabled, it'll exit when started.
# Of course, if you want to enable this daemon, you should **also** configure your init system to start it
# for you. Both sysV-style scripts and systemd unit files are provided.
# For systemd, using `systemctl enable osh-http-proxy.service` should be enough.
# For sysV-style inits, it depends on the scripts provided for your distro,
# but usually `update-rc.d osh-http-proxy defaults` then `update-rc.d osh-http-proxy enable` should
# do the trick.
# DEFAULT: false
"enabled": false,
#
# port (int, 1 to 65535)
# DESC: The port to listen to. You can use ports < 1024, in which case privileges will be dropped after binding,
# but please ensure your systemd unit file starts the daemon as root in that case.
# DEFAULT: 8443
"port": 8443,
#
# ssl_certificate (string)
# DESC: The file that contains the server SSL certificate in PEM format.
# For tests, install the ``ssl-cert`` package and point this configuration item
# to the snakeoil certs (which is the default).
# DEFAULT: /etc/ssl/certs/ssl-cert-snakeoil.pem
"ssl_certificate": "/etc/ssl/certs/ssl-cert-snakeoil.pem",
#
# ssl_key (string)
# DESC: The file that contains the server SSL key in PEM format.
# For tests, install the ``ssl-cert`` package and point this configuration item
# to the snakeoil certs (which is the default).
# DEFAULT: /etc/ssl/private/ssl-cert-snakeoil.key
"ssl_key": "/etc/ssl/private/ssl-cert-snakeoil.key",
#
# ciphers (string)
# DESC: The ordered list the TLS server ciphers, in ``openssl`` classic format. Use ``openssl ciphers``
# to see what your system supports, an empty list leaves the choice to your openssl libraries default
# values (system-dependent)
# EXAMPLE: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
# DEFAULT: ""
"ciphers": "",
#
# insecure (bool)
# DESC: Whether to ignore SSL certificate verification for the connection between the bastion and the devices
# DEFAULT: false
"insecure": false,
#
# min_servers (int, 1 to 512)
# DESC: Number of child processes to start at launch
# DEFAULT: 8
"min_servers": 8,
#
# max_servers (int, 1 to 512)
# DESC: Hard maximum number of child processes that can be active at any given time no matter what
# DEFAULT: 32
"max_servers": 32,
#
# min_spare_servers (int, 1 to 512)
# DESC: The daemon will ensure that there is at least this number of children idle & ready to accept
# new connections (as long as max_servers is not reached)
# DEFAULT: 8
"min_spare_servers": 8,
#
# max_spare_servers (int, 1 to 512)
# DESC: The daemon will kill *idle* children to keep their number below this maximum when traffic is low
# DEFAULT: 16
"max_spare_servers": 16,
#
# timeout (int, 1 to 3600)
# DESC: Timeout delay (in seconds) for the connection between the bastion and the devices
# DEFAULT: 120
"timeout": 120,
#
# log_request_response (bool)
# DESC: When enabled, the complete response of the device to the request we forwarded will be logged,
# otherwise we'll only log the response headers
# DEFAULT: true
"log_request_response": true,
#
# log_request_response_max_size (int, 0 to 2^30 (1 GiB))
# DESC: This option only applies when `log_request_response` is true (see above).
# When set to zero, the complete response will be logged in the account's home log directory,
# including the body, regardless of its size. If set to a positive integer,
# the query response will only be partially logged, with full status and headers but the body only up
# to the specified size. This is a way to avoid turning off request response logging completely on
# very busy bastions, by ensuring logs growth don't get out of hand, as some responses to queries can
# take megabytes, with possibly limited added value to traceability.
# DEFAULT: 65536
"log_request_response_max_size": 65536
}
Reference in a new issue View git blame Copy permalink