# NOTE: You can use the !include directive to import parts of this file. # Logging level: debug, info, warn, error. # Optional. Default is debug. # # log_level: debug # The port Sproxy listens on (HTTPS). # Optional. Default is 443. # # listen: 443 # Whether SSL is used on port defined by `listen`. # You should only set it to false iff you intent to do SSL-termination # somewhere else, e. g. at a load-balancer in a local network. # If true, you also have to specify `ssl_key` and `ssl_cert`. # Note that there is no way Sproxy can be usable without HTTPS/SSL at the user side, # because Sproxy sets cookie for HTTPS only. # Optional. Default is true. # ssl: true # Listen on port 80 and redirect HTTP requests to HTTPS (see `https_port`). # Optional. Default is true when `listen` == 443, otherwise false. # # listen80: true # Port used in redirection of HTTP requests to HTTPS. # I. e., http://example.com -> https://example.com[:https_port], # If `https_port` == 443, the port part if omitted. # This is useful when behind a dumb proxy or load-balancer, like Amazon ELB, # (and`ssl` == false). It's unlikely that something other than 443 # is exposed to users, but if you are behind a proxy # you can't really know the correct https port. # Optional. Default is as `listen`. # # Example: # https_port: 4040 # # https_port: # Whether HTTP2 is enabled. Optional. Default is true. # # http2: true # The system user Sproxy switches to if launched as root (after opening the ports). # Optional. Default is sproxy. # # user: sproxy # Home directory for various files including SQLite3 authorization database. # Optional. Default is current directory. # # home: "." # File with SSL certificate. Required if `ssl` == true. # It can be a bundle with the server certificate coming first: # cat me-cert.pem CA-cert.pem > cert.pem # Once again: most wanted certs go first ;-) # Or you can opt in using of `ssl_cert_chain` ssl_cert: /path/cert.pem # File with SSL key (secret!). Required if `ssl` = true. ssl_key: /path/key.pem # Chain SSL certificate files. # Optional. Default is an empty list # Example: # ssl_cert_chain: # - /path/foo.pem # - /path/bar.pem # # ssl_cert_chain: [] # PostgreSQL database connection string. # Optional. If specified, sproxy will periodically pull the data from this # database into internal SQLite3 database. Define password in a file # referenced by the PGPASSFILE environment variable. Or use the `pgpassfile` option. # Cannot be used with the `datafile` option. # Example: # database: "user=sproxy-readonly dbname=sproxy port=6001" # # database: # PostgreSQL password file. # Optional. If specified, sproxy will set PGPASSFILE environment variable pointing to this file # Example: # pgpassfile: /run/keys/sproxy.pgpass # # pgpassfile: # YAML file used to fill internal SQLite3 database. # Optional. If specified, Sproxy will import it on start overwriting # and existing data in the internal database. # Useful for development or some simple deployments. # Cannot be used with the `database` option. # For example see the datafile.yml.example # # datafile: /path/data.yml # Arbitrary string used to sign sproxy cookie and other things (secret!). # Optional. If not specified, a random key is generated on startup, and # as a consequence, restaring sproxy will invalidate existing user sessions. # This option could be useful for load-balancing with multiple sproxy instances, # when all instances must understand cookies created by each other. # This should not be very large, a few random bytes are fine. # # key: !include /run/keys/sproxy.secret # Credentials for supported OAuth2 providers. # Currently supported: "google", "linkedin" # At least one provider is required. # Attributes: # client_id - OAuth2 client ID. # client_secret - OAuth2 client secret. # # Example: # oauth2: # google: # client_id: "XXXXXXXXXXXX-YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY.apps.googleusercontent.com" # client_secret: !include /run/keys/XXXXXXXXXXXX-YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY.apps.googleusercontent.com # # linkedin: # client_id: "xxxxxxxxxxxxxx" # client_secret: !include "/run/keys/xxxxxxxxxxxxxx" # # # oauth2: # google: # client_id: # client_secret: # Backend servers. At least one is required. # NOTE: backends at TCP port are not secure, even on localhost, # because any local user can connect to the backend bypassing sproxy # authentication and authorization. # # It is recommended to communicate with backends via unix sockets only. # Unix sockets should be secured with proper unix file permissions. # # Backend attributes: # name - the host name as in the Host HTTP header. # May include wildcards * and ?. The first matching # backend will be used. Examples: "*.example.com", "wiki.corp.com". # Optional. Default is "*". Note, that the name must include # port number if non-standard. # address - backend IP address. Optional. Default is 127.0.0.1. # port - backend TCP port. Required unless unix socket is defined. # socket - unix socket. Highly recommended for security reasons. # If defined, IP address and TCP port are ignored. # # cookie_name - sproxy cookie name. Optional. Default is "sproxy". # cookie_domain - sproxy cookie domain. Optional. Default is the request host name as per RFC2109. # cookie_max_age - sproxy cookie shelflife in seconds. Optional. Default is 604800 (7 days). # conn_count - number of connections to keep alive. Optional. Default is 32. # This is specific to Haskell HTTP Client library, and is per host name, # not per backend. HTTP Client's default is 10. # # backends: # - name: wiki.example.com # port: 9090 # cookie_name: sproxy_example # cookie_max_age: 86400 # backends: - port: 8080