1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
|
# NOTE: You can use the !include directive to import parts of this file.
# Logging level: debug, info, warn, error.
# Optional. Default is debug.
#
# log_level: debug
# The port Sproxy listens on (HTTPS).
# Optional. Default is 443.
#
# Example:
# listen: 8443
#
# listen:
# Whether SSL is used on port defined by `listen`.
# You should only set it to false iff you intent to do SSL-termination
# somewhere else, e. g. at a load-balancer in a local network.
# If true, you also have to specify `ssl_key` and `ssl_cert`.
# Note that there is no way Sproxy can be usable without HTTPS/SSL at the user side,
# because Sproxy sets cookie for HTTPS only.
# Optional. Default is true.
# ssl: true
# Listen on port 80 and redirect HTTP requests to HTTPS (see `https_port`).
# Optional. Default is true when `listen` == 443, otherwise false.
#
# listen80: true
# Port used in redirection of HTTP requests to HTTPS.
# I. e., http://example.com -> https://example.com[:https_port],
# If `https_port` == 443, the port part if omitted.
# This is useful when behind a dumb proxy or load-balancer, like Amazon ELB,
# (and`ssl` == false). It's unlikely that something other than 443
# is exposed to users, but if you are behind a proxy
# you can't really know the correct https port.
# Optional. Default is as `listen`.
#
# Example:
# https_port: 4040
#
# https_port:
# Whether HTTP2 is enabled. Optional. Default is true.
#
# http2: true
# The system user Sproxy switches to if launched as root (after opening the ports).
# Optional. Default is sproxy.
#
# user: sproxy
# Home directory for various files including SQLite3 authorization database.
# Optional. Default is current directory.
#
# home: "."
# File with SSL certificate. Required if `ssl` == true.
# It can be a bundle with the server certificate coming first:
# cat me-cert.pem CA-cert.pem > cert.pem
# Once again: most wanted certs go first ;-)
# Or you can opt in using of `ssl_cert_chain`
ssl_cert: /path/cert.pem
# File with SSL key (secret!). Required if `ssl` = true.
ssl_key: /path/key.pem
# Chain SSL certificate files.
# Optional. Default is an empty list
# Example:
# ssl_cert_chain:
# - /path/foo.pem
# - /path/bar.pem
#
# ssl_cert_chain: []
# PostgreSQL database connection string.
# Optional. If specified, sproxy will periodically pull the data from this
# database into internal SQLite3 database. Define password in a file
# referenced by the PGPASSFILE environment variable. Or use the `pgpassfile` option.
# Cannot be used with the `datafile` option.
# Example:
# database: "user=sproxy-readonly dbname=sproxy port=6001"
#
# database:
# PostgreSQL password file.
# Optional. If specified, sproxy will set PGPASSFILE environment variable pointing to this file
# Example:
# pgpassfile: /run/keys/sproxy.pgpass
#
# pgpassfile:
# YAML file used to fill internal SQLite3 database.
# Optional. If specified, Sproxy will import it on start overwriting
# and existing data in the internal database.
# Useful for development or some simple deployments.
# Cannot be used with the `database` option.
# For example see the datafile.example.yml
#
# datafile: /path/data.yml
# Arbitrary string used to sign sproxy cookie and other things (secret!).
# Optional. If not specified, a random key is generated on startup, and
# as a consequence, restaring sproxy will invalidate existing user sessions.
# This option could be useful for load-balancing with multiple sproxy instances,
# when all instances must understand cookies created by each other.
# This should not be very large, a few random bytes are fine.
#
# key: !include /run/keys/sproxy.secret
# Credentials for supported OAuth2 providers.
# Currently supported: "google", "linkedin"
# At least one provider is required.
# Attributes:
# client_id - OAuth2 client ID.
# client_secret - OAuth2 client secret.
#
# Examples:
#
# oauth2:
# google:
# client_id: "XXXXXXXXXXXX-YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY.apps.googleusercontent.com"
# client_secret: !include /run/keys/XXXXXXXXXXXX-YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY.apps.googleusercontent.com
#
# linkedin:
# client_id: "xxxxxxxxxxxxxx"
# client_secret: !include "/run/keys/xxxxxxxxxxxxxx"
#
# yandex:
# client_id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# client_secret: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
#
#
# oauth2:
# google:
# client_id:
# client_secret:
# Backend servers. At least one is required.
# NOTE: backends at TCP port are not secure, even on localhost,
# because any local user can connect to the backend bypassing sproxy
# authentication and authorization.
#
# It is recommended to communicate with backends via unix sockets only.
# Unix sockets should be secured with proper unix file permissions.
#
# Backend attributes:
# name - the domain name as in the Host HTTP header (without optional colon and port).
# May include wildcards * and ?. The first matching
# backend will be used. Examples: "*.example.com", "wiki.corp.com".
# Optional. Default is "*".
# address - backend IP address. Optional. Default is 127.0.0.1.
# port - backend TCP port. Required unless unix socket is defined.
# socket - unix socket. Highly recommended for security reasons.
# If defined, IP address and TCP port are ignored.
#
# cookie_name - sproxy cookie name. Optional. Default is "sproxy".
# cookie_domain - sproxy cookie domain. Optional. Default is the request host name as per RFC2109.
# cookie_max_age - sproxy cookie shelflife in seconds. Optional. Default is 604800 (7 days).
#
# timeout - response timeout in seconds. Optional. Default is 30.
# conn_count - number of connections to keep alive. Optional. Default is 32.
# This is specific to Haskell HTTP Client library, and is per host name,
# not per backend. HTTP Client's default is 10.
#
# backends:
# - name: wiki.example.com
# port: 9090
# cookie_name: sproxy_example
# cookie_max_age: 86400
#
backends:
- port: 8080
|