mirror of
https://github.com/ovh/the-bastion.git
synced 2024-09-20 15:05:58 +08:00
79 lines
3.4 KiB
Plaintext
79 lines
3.4 KiB
Plaintext
############################################################################################
|
|
# Config for the HTTP Proxy of The Bastion.
|
|
# This is a JSON file, its syntax must be valid at all times. To verify:
|
|
# => grep -v ^# /etc/bastion/osh-http-proxy.conf|python -mjson.tool>/dev/null && echo OK
|
|
#
|
|
# If you're on a production bastion you can verify it can properly load its configuration:
|
|
# => perl -I/opt/bastion/lib/perl -MOVH::Bastion -e 'die OVH::Bastion::load_configuration_file(file => "/etc/bastion/osh-http-proxy.conf")'
|
|
############################################################################################
|
|
{
|
|
# enabled (bool)
|
|
# VALUE: true or false
|
|
# DESC: whether the http proxy daemon is enabled or not (if not, it'll exit when launched)
|
|
# DEFAULT: false
|
|
"enabled": false,
|
|
#
|
|
# port (int)
|
|
# VALUE: 1 to 65535
|
|
# DESC: port to listen to. you can set < 1024, in which case privileges will be dropped after binding,
|
|
# but please ensure your systemd unit file starts the daemon as root in that case
|
|
# DEFAULT: 8443
|
|
"port": 8443,
|
|
#
|
|
# ssl_certificate (string)
|
|
# VALUE: a full path to a file
|
|
# DESC: file that contains the server SSL certificate in PEM format. For tests, install the ssl-cert package and point to snakeoil (which is the default).
|
|
# DEFAULT: /etc/ssl/private/ssl-cert-snakeoil.key
|
|
"ssl_certificate": "/etc/ssl/certs/ssl-cert-snakeoil.pem",
|
|
#
|
|
# ssl_key (string)
|
|
# VALUE: a full path to a file
|
|
# DESC: file that contains the server SSL key in PEM format. For tests, install the ssl-cert package and point to snakeoil (which is the default).
|
|
# DEFAULT: /etc/ssl/private/ssl-cert-snakeoil.key
|
|
"ssl_key": "/etc/ssl/private/ssl-cert-snakeoil.key",
|
|
#
|
|
# ciphers (string)
|
|
# VALUE: openssl-compatible colon-separated (':') ciphersuites
|
|
# DESC: the ordered list the TLS server ciphers, in openssl classic format. Use `openssl ciphers' to see what your system supports,
|
|
# an empty list leaves the choice to your openssl libraries default values (system-dependent)
|
|
# EXAMPLE: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
|
|
# DEFAULT: ""
|
|
"ciphers": "",
|
|
#
|
|
# insecure (bool)
|
|
# VALUE: true or false
|
|
# DESC: whether to ignore SSL certificate verification for the connection between the bastion and the devices
|
|
# DEFAULT: false
|
|
"insecure": false,
|
|
#
|
|
# min_servers (int)
|
|
# VALUE: 1 to 512
|
|
# DESC: number of child processes to start at launch
|
|
# DEFAULT: 8
|
|
"min_servers": 8,
|
|
#
|
|
# max_servers (int)
|
|
# VALUE: 1 to 512
|
|
# DESC: hard maximum number of child processes that can be active at any given time no matter what
|
|
# DEFAULT: 32
|
|
"max_servers": 32,
|
|
#
|
|
# min_spare_servers (int)
|
|
# VALUE: 1 to 512
|
|
# DESC: the daemon will ensure that there is at least this number of children idle & ready to accept new connections (as long as max_servers is not reached)
|
|
# DEFAULT: 8
|
|
"min_spare_servers": 8,
|
|
#
|
|
# max_spare_servers (int)
|
|
# VALUE: 1 to 512
|
|
# DESC: the daemon will kill *idle* children to keep their number below this maximum when traffic is low
|
|
# DEFAULT: 16
|
|
"max_spare_servers": 16,
|
|
#
|
|
# timeout (int)
|
|
# VALUE: 1 to 3600
|
|
# DESC: timeout delay (in seconds) for the connection between the bastion and the devices
|
|
# DEFAULT: 120
|
|
"timeout": 120
|
|
}
|