1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
|
--- # Sproxy configuration. Don't remove this line. This is YAML: https://en.wikipedia.org/wiki/YAML
# The port Sproxy listens on (HTTPS).
# Optional. Default is 443.
#
# listen: 443
# Listen on port 80 and redirect HTTP requests to HTTPS.
# Optional. Default is true when listen == 443, otherwise false.
#
# listen80: true
# Whether HTTP2 is enabled. Optional. Default is "true"
#
# http2: true
# The system user Sproxy switches to if launched as root (after opening the ports).
# Optional. Default is sproxy.
#
# user: sproxy
# Home directory for various files including SQLite3 authorization database.
# Optional. Default is current directory.
#
# home: "."
# PostgreSQL database connection string.
# Optional. If specified, sproxy will periodically pull the data from this
# database into internal SQLite3 database. Define password in a file
# referenced by the PGPASSFILE environment variable. Or use the "pgpassfile" option.
# Example:
# database: "user=sproxy-readonly dbname=sproxy port=6001"
#
# database:
# PostgreSQL password file.
# Optional. If specified, sproxy will set PGPASSFILE environment variable pointing to this file
# Example:
# pgpassfile: /run/keys/sproxy.pgpass
#
# pgpassfile:
# Logging level: debug, info, warn, error.
# Optional. Default is debug.
#
# log_level: debug
# A file with arbitrary content used to sign sproxy cookie and other things (secret!).
# Optional. If not specified, a random key is generated on startup, and
# as a consequence, restaring sproxy will invalidate existing user sessions.
# This option could be useful for load-balancing with multiple sproxy instances,
# when all instances must understand cookies created by each other.
# This should not be very large, a few random bytes are fine.
#
# key: /run/keys/sproxy.secret
# File with SSL certificate. Required.
# It can be a bundle with the server certificate coming first:
# cat me-cert.pem CA-cert.pem > cert.pem
# Once again: most wanted certs go first ;-)
# Or you can opt in using of `ssl_cert_chain`
ssl_cert: /path/cert.pem
# File with SSL key (secret!). Required.
ssl_key: /path/key.pem
# Chain SSL certificate files.
# Optional. Default is an empty list
# Example:
# ssl_cert_chain:
# - /path/foo.pem
# - /path/bar.pem
#
# ssl_cert_chain: []
# Credentials for supported OAuth2 providers.
# Currently supported: "google", "linkedin"
# At least one provider is required.
# Attributes:
# client_id - OAuth2 client ID (string)
# client_secret - OAuth2 client secret. Regardless of its name, this is a file.
# The secret is read from the file which you should keep secret.
# Only the first line of this file is read.
#
# Example:
# oauth2:
# google:
# client_id: "XXXXXXXXXXXX-YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY.apps.googleusercontent.com"
# client_secret: "/run/keys/XXXXXXXXXXXX-YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY.apps.googleusercontent.com"
#
# linkedin:
# client_id: "xxxxxxxxxxxxxx"
# client_secret: "/run/keys/xxxxxxxxxxxxxx"
#
#
# oauth2:
# google:
# client_id:
# client_secret:
# Backend servers. At least one is required.
# NOTE: backends at TCP port are not secure, even on localhost,
# because any local user can connect to the backend bypassing sproxy
# authentication and authorization.
#
# It is recommended to communicate with backends via unix sockets only.
# Unix sockets should be secured with proper unix file permissions.
#
# Backend attributes:
# name - the host name as in the Host HTTP header.
# May include wildcards * and ?. The first matching
# backend will be used. Examples: "*.example.com", "wiki.corp.com".
# Optional. Default is "*". Note, that the name must include
# port number if non-standard.
# address - backend IP address. Optional. Default is 127.0.0.1.
# port - backend TCP port. Required unless unix socket is defined.
# socket - unix socket. Highly recommended for security reasons.
# If defined, IP address and TCP port are ignored.
#
# cookie_name - sproxy cookie name. Optional. Default is "sproxy".
# cookie_domain - sproxy cookie domain. Optional. Default is the request host name as per RFC2109.
# cookie_max_age - sproxy cookie shelflife in seconds. Optional. Default is 604800 (7 days).
# conn_count - number of connections to keep alive. Optional. Default is 32.
# This is specific to Haskell HTTP Client library, and is per host name,
# not per backend. HTTP Client's default is 10.
#
# backends:
# - name: wiki.example.com
# port: 9090
# cookie_name: sproxy_example
# cookie_max_age: 86400
#
backends:
- port: 8080
... # End of configuration. Don't remove this line. This is YAML: https://en.wikipedia.org/wiki/YAML
|