ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-01-10 09:23:52 +08:00
Code Issues Projects Releases Packages Wiki Activity
the-bastion/doc/sphinx/administration/configuration/osh-http-proxy_conf.rst
Stéphane Lesimple ee776707c1 chore: standardize doc generation for config files
2022-02-09 14:31:33 +01:00

178 lines
4.6 KiB
ReStructuredText
Raw Blame History

===================
osh-http-proxy.conf
===================
.. note::
This module is optional, and disabled by default.
To know more about the HTTP Proxy feature of The Bastion,
please check the :doc:`/using/http_proxy` section
Option List
===========
HTTP Proxy configuration options
--------------------------------
These options modify the behavior of the HTTP Proxy, an optional module of The Bastion
- `enabled`_
- `port`_
- `ssl_certificate`_
- `ssl_key`_
- `ciphers`_
- `insecure`_
- `min_servers`_
- `max_servers`_
- `min_spare_servers`_
- `max_spare_servers`_
- `timeout`_
- `log_request_response`_
- `log_request_response_max_size`_
Option Reference
================
HTTP Proxy configuration
------------------------
enabled
*******
:Type: ``bool``
:Default: ``false``
Whether the HTTP proxy daemon daemon is enabled or not. If it's not enabled, it'll exit when started.
Of course, if you want to enable this daemon, you should **also** configure your init system to start it
for you. Both sysV-style scripts and systemd unit files are provided.
For systemd, using `systemctl enable osh-http-proxy.service` should be enough.
For sysV-style inits, it depends on the scripts provided for your distro,
but usually `update-rc.d osh-http-proxy defaults` then `update-rc.d osh-http-proxy enable` should
do the trick.
port
****
:Type: ``int, 1 to 65535``
:Default: ``8443``
The port to listen to. You can use ports < 1024, in which case privileges will be dropped after binding,
but please ensure your systemd unit file starts the daemon as root in that case.
ssl_certificate
***************
:Type: ``string``
:Default: ``/etc/ssl/certs/ssl-cert-snakeoil.pem``
The file that contains the server SSL certificate in PEM format.
For tests, install the ``ssl-cert`` package and point this configuration item
to the snakeoil certs (which is the default).
ssl_key
*******
:Type: ``string``
:Default: ``/etc/ssl/private/ssl-cert-snakeoil.key``
The file that contains the server SSL key in PEM format.
For tests, install the ``ssl-cert`` package and point this configuration item
to the snakeoil certs (which is the default).
ciphers
*******
:Type: ``string``
:Default: ``""``
:Example: ``"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"``
The ordered list the TLS server ciphers, in ``openssl`` classic format. Use ``openssl ciphers``
to see what your system supports, an empty list leaves the choice to your openssl libraries default
values (system-dependent)
insecure
********
:Type: ``bool``
:Default: ``false``
Whether to ignore SSL certificate verification for the connection between the bastion and the devices
min_servers
***********
:Type: ``int, 1 to 512``
:Default: ``8``
Number of child processes to start at launch
max_servers
***********
:Type: ``int, 1 to 512``
:Default: ``32``
Hard maximum number of child processes that can be active at any given time no matter what
min_spare_servers
*****************
:Type: ``int, 1 to 512``
:Default: ``8``
The daemon will ensure that there is at least this number of children idle & ready to accept
new connections (as long as max_servers is not reached)
max_spare_servers
*****************
:Type: ``int, 1 to 512``
:Default: ``16``
The daemon will kill *idle* children to keep their number below this maximum when traffic is low
timeout
*******
:Type: ``int, 1 to 3600``
:Default: ``120``
Timeout delay (in seconds) for the connection between the bastion and the devices
log_request_response
********************
:Type: ``bool``
:Default: ``true``
When enabled, the complete response of the device to the request we forwarded will be logged,
otherwise we'll only log the response headers
log_request_response_max_size
*****************************
:Type: ``int, 0 to 2^30 (1 GiB)``
:Default: ``65536``
This option only applies when `log_request_response` is true (see above).
When set to zero, the complete response will be logged in the account's home log directory,
including the body, regardless of its size. If set to a positive integer,
the query response will only be partially logged, with full status and headers but the body only up
to the specified size. This is a way to avoid turning off request response logging completely on
very busy bastions, by ensuring logs growth don't get out of hand, as some responses to queries can
take megabytes, with possibly limited added value to traceability.
Reference in a new issue View git blame Copy permalink