Configuration
Cole Brumley edited this page Apr 7, 2017 · 4 revisions
Configuration options can be defined via environment variables, YAML files, and command-line flags. Config files for tlspxy must begin with the line `#tlspxy`, otherwise they are ignored. Any option whose default is acceptable can be omitted.
The configuration for tlspxy is based on github.com/olebedev/config and uses a path-based mechanism for defining settings. Every option has a dotted path (for example `remote.tls.verify`), and the same path is spelled the same way for each config method: upper-case with underscores for the environment, lower-case with dashes for flags, and nested keys in YAML. The general template looks like this:

```
# Environment
SOME_SETTING_KEY=val

# Flag
-some-setting-key=val

# File
some:
  setting:
    key: val
```
Configuration is loaded in the following order. Later steps overwrite earlier ones, so a flag beats an environment variable, which beats a value from a file:

1. Load hard-coded defaults
2. Load any `.yaml` (or `.yml`) files in the current directory
3. Parse the environment
4. Parse command line flags
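The following Go program is an added example written for this page, not code from the tlspxy repository. It models the path-based mechanism described above: the same option path is derived into its environment and flag spellings, a nested map (what a parsed YAML file looks like) is flattened to dotted paths, and the four layers are merged with later layers winning. It finishes with a check over the effective configuration for settings that weaken the proxy's TLS posture. The defaults table, the sample file, environment and arguments are all constructed inline; `Warnings` and its rules are this example's own, not a tlspxy feature.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Layer is one configuration source keyed by dotted option path,
// the same form the options table uses (e.g. "remote.tls.verify").
type Layer map[string]string

// Defaults lists every option path with its hard-coded default
// ("" where the table shows none). Constructed from the table for this example.
var Defaults = Layer{
	"log.contents": "false", "log.destination": "stdout", "log.level": "info",
	"remote.addr": "", "remote.tls.enable": "true", "remote.tls.ca": "",
	"remote.tls.cert": "", "remote.tls.key": "", "remote.tls.sysroots": "true",
	"remote.tls.verify": "true", "server.addr": ":9898", "server.tls.ca": "",
	"server.tls.cert": "", "server.tls.key": "",
	"server.tls.letsencrypt.cachedir": "/tmp/letsencrypt",
	"server.tls.letsencrypt.domain": "example.org",
	"server.tls.letsencrypt.enable": "false", "server.tls.require": "false",
	"server.tls.verify": "false", "server.type": "tcp",
}

// EnvKey spells a path the way the environment expects: remote.tls.verify -> REMOTE_TLS_VERIFY.
func EnvKey(path string) string { return strings.ToUpper(strings.ReplaceAll(path, ".", "_")) }

// FlagName spells a path the way flags expect: remote.tls.verify -> -remote-tls-verify.
func FlagName(path string) string { return "-" + strings.ReplaceAll(path, ".", "-") }

// Flatten turns a nested map, as a YAML parser produces it, into dotted paths.
func Flatten(prefix string, m map[string]interface{}, out Layer) {
	for k, v := range m {
		path := k
		if prefix != "" {
			path = prefix + "." + k
		}
		if sub, ok := v.(map[string]interface{}); ok {
			Flatten(path, sub, out)
		} else {
			out[path] = fmt.Sprint(v)
		}
	}
}

// FromEnv picks out of KEY=val entries only the keys that correspond to a known path.
func FromEnv(environ []string) Layer {
	vars := map[string]string{}
	for _, kv := range environ {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			vars[p[0]] = p[1]
		}
	}
	out := Layer{}
	for path := range Defaults {
		if v, ok := vars[EnvKey(path)]; ok {
			out[path] = v
		}
	}
	return out
}

// FromFlags does the same for -some-key=val arguments.
func FromFlags(args []string) Layer {
	flags := map[string]string{}
	for _, a := range args {
		if p := strings.SplitN(a, "=", 2); len(p) == 2 {
			flags[p[0]] = p[1]
		}
	}
	out := Layer{}
	for path := range Defaults {
		if v, ok := flags[FlagName(path)]; ok {
			out[path] = v
		}
	}
	return out
}

// Resolve applies layers in order; a later layer overwrites an earlier one
// (defaults -> YAML file -> environment -> flags).
func Resolve(layers ...Layer) Layer {
	out := Layer{}
	for _, l := range layers {
		for k, v := range l {
			out[k] = v
		}
	}
	return out
}

// Warnings flags effective settings a reviewer would question before deployment.
func Warnings(cfg Layer) []string {
	var w []string
	if cfg["remote.tls.enable"] == "true" && cfg["remote.tls.verify"] == "false" {
		w = append(w, "remote.tls.verify=false: remote certificate is not checked, the backend connection can be intercepted")
	}
	if cfg["server.tls.require"] == "true" && cfg["server.tls.verify"] == "false" {
		w = append(w, "server.tls.require=true with server.tls.verify=false: a client cert is demanded but any cert is accepted")
	}
	if cfg["log.contents"] == "true" {
		w = append(w, "log.contents=true: raw proxied stream is written to the log")
	}
	sort.Strings(w)
	return w
}

func main() {
	// Constructed stand-ins for a parsed config file, the process environment and argv.
	file := map[string]interface{}{
		"log":    map[string]interface{}{"level": "warning"},
		"remote": map[string]interface{}{"addr": "backend:443", "tls": map[string]interface{}{"verify": true}},
	}
	fileLayer := Layer{}
	Flatten("", file, fileLayer)
	env := []string{"HOME=/root", "REMOTE_TLS_VERIFY=false"}
	args := []string{"-log-level=debug", "-log-contents=true"}

	cfg := Resolve(Defaults, fileLayer, FromEnv(env), FromFlags(args))
	fmt.Println("remote.tls.verify =", cfg["remote.tls.verify"]) // env overrides the file's true
	fmt.Println("log.level =", cfg["log.level"])                 // flag overrides the file's warning
	for _, w := range Warnings(cfg) {
		fmt.Println("WARNING:", w)
	}
}
```

The practical lesson is that a `verify: true` in a checked-in YAML file is no guarantee: a stray `REMOTE_TLS_VERIFY=false` in the service's environment or a flag in a unit file silently wins, so the effective configuration, not the file, is what should be reviewed.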
Option Path | Environment | Flag | Default Value | Description
---|---|---|---|---
`log.contents` | `LOG_CONTENTS` | `-log-contents` | `false` | When used together with `log.level=debug` on a TCP proxy, prints the raw contents of the TCP stream. If remote TLS is enabled, the logged output will be encrypted. Note that anything the proxy carries (credentials included) ends up in the log.
`log.destination` | `LOG_DESTINATION` | `-log-destination` | `stdout` | Where to send log output. Options are `stdout` or `syslog://your-syslog-server` (e.g. `syslog://localhost:514`).
`log.level` | `LOG_LEVEL` | `-log-level` | `info` | The log level to use. Options are `debug`, `info`, `warning`, or `error`.
`remote.addr` | `REMOTE_ADDR` | `-remote-addr` | | Remote server address (host:port).
`remote.tls.enable` | `REMOTE_TLS_ENABLE` | `-remote-tls-enable` | `true` | Connect to the remote server using TLS.
`remote.tls.ca` | `REMOTE_TLS_CA` | `-remote-tls-ca` | | CA certificate used when verifying the remote server's certificate, in addition to the system roots if `remote.tls.sysroots` is enabled.
`remote.tls.cert` | `REMOTE_TLS_CERT` | `-remote-tls-cert` | | The client certificate to present to the remote server.
`remote.tls.key` | `REMOTE_TLS_KEY` | `-remote-tls-key` | | The private key for `remote.tls.cert`.
`remote.tls.sysroots` | `REMOTE_TLS_SYSROOTS` | `-remote-tls-sysroots` | `true` | Load the system's root CA list.
`remote.tls.verify` | `REMOTE_TLS_VERIFY` | `-remote-tls-verify` | `true` | Verify the remote server's TLS certificate. Setting this to `false` accepts any certificate and leaves the backend connection open to interception; use it only for testing.
`server.addr` | `SERVER_ADDR` | `-server-addr` | `:9898` | The local server listening address.
`server.tls.ca` | `SERVER_TLS_CA` | `-server-tls-ca` | | The CA used by the local server to verify client certificates (see `server.tls.verify`).
`server.tls.cert` | `SERVER_TLS_CERT` | `-server-tls-cert` | | The local server's TLS certificate.
`server.tls.key` | `SERVER_TLS_KEY` | `-server-tls-key` | | The local server's TLS private key.
`server.tls.letsencrypt.cachedir` | `SERVER_TLS_LETSENCRYPT_CACHEDIR` | `-server-tls-letsencrypt-cachedir` | `/tmp/letsencrypt` | Set the LetsEncrypt cache directory. Key material is cached here, so prefer a directory readable only by the user running tlspxy rather than a shared `/tmp`.
`server.tls.letsencrypt.domain` | `SERVER_TLS_LETSENCRYPT_DOMAIN` | `-server-tls-letsencrypt-domain` | `example.org` | Set the LetsEncrypt domain.
`server.tls.letsencrypt.enable` | `SERVER_TLS_LETSENCRYPT_ENABLE` | `-server-tls-letsencrypt-enable` | `false` | Use LetsEncrypt to obtain a trusted certificate.
`server.tls.require` | `SERVER_TLS_REQUIRE` | `-server-tls-require` | `false` | Require that the client present an x509 certificate. On its own this only demands that some certificate be sent; combine it with `server.tls.verify` to actually authenticate clients.
`server.tls.verify` | `SERVER_TLS_VERIFY` | `-server-tls-verify` | `false` | Verify client certificates presented to the server against `server.tls.ca`.
`server.type` | `SERVER_TYPE` | `-server-type` | `tcp` | The type of proxy to offer (`http` or `tcp`).
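The file below is an added example, not a configuration shipped with tlspxy. It puts the options above together into a TCP proxy that terminates TLS locally with mutual authentication and re-encrypts to a backend whose certificate is verified against a private CA. The file paths under `/etc/tlspxy/` and the backend address are assumptions; the comments call out the two settings that most often get weakened.

```yaml
#tlspxy
# Added example config (not from the tlspxy repository). Paths and addresses are assumed.
log:
  level: info
  contents: false        # true would copy the proxied stream into the log
server:
  addr: ":9898"
  type: tcp
  tls:
    cert: /etc/tlspxy/server.crt
    key: /etc/tlspxy/server.key
    ca: /etc/tlspxy/client-ca.crt
    require: true        # clients must present a certificate...
    verify: true         # ...and it must chain to server.tls.ca; require alone is not authentication
remote:
  addr: backend.internal:5432
  tls:
    enable: true
    ca: /etc/tlspxy/backend-ca.crt
    sysroots: false      # trust only the private CA, not every system root
    verify: true         # false would accept any certificate from "backend.internal"
```

Because later sources overwrite the file, the same settings can be pinned from a unit file or shell as `SERVER_TLS_VERIFY=true REMOTE_TLS_VERIFY=true` or `-server-tls-verify=true -remote-tls-verify=true`; conversely, any environment variable or flag that sets them to `false` will override what the file says, which is worth checking when the running proxy does not behave as the file suggests.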