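# Sample configuration for the proxy. Values in angle brackets are
# placeholders and must be replaced before use. Booleans are written as
# real true/false values; the sample defaults keep TLS verification on.

# the url for retrieving the openid configuration - normally
# <server>/auth/realms/<realm_name>
discovery-url: https://keycloak.example.com/auth/realms/commons
# skip the tls verification of the openid provider (true|false).
# Leave this false outside of local testing: with verification off, the
# identity of the provider that issues the tokens is not checked.
skip-openid-provider-tls-verify: false
# the client id for the 'client' application
client-id: <CLIENT_ID>
# the secret associated to the 'client' application - note the client_secret
# is optional, required for oauth2 access_type=confidential i.e. the client
# is being verified. Supply the real value at deploy time rather than
# committing it to version control.
client-secret: <CLIENT_SECRET>
# the interface the proxy should listen on; all interfaces is specified
# as ':<port>'
listen: 127.0.0.1:3000
# whether to request offline access and use a refresh token
enable-refresh-tokens: true
# log all incoming requests
enable-logging: true
# log in json format
enable-json-logging: true
# should the access token be encrypted - you need an encryption-key if 'true'
enable-encrypted-token: false
# do not redirect the request, simple 307 it
no-redirects: false
# the location of a certificate you wish the proxy to use for TLS support
tls-cert: ""
# the location of a private key for TLS
tls-private-key: ""
# the public key for the ca, used for mutual TLS
tls-ca-certificate: ""
# the redirection url, essentially the site url, note: /oauth/callback is
# added at the end. Host and port here mirror the 'listen' address above.
redirection-url: http://127.0.0.1:3000
# the encryption key used to encode the session state. Generate a fresh
# random value per deployment and never reuse a key published in a sample.
# NOTE(review): the proxy may require a specific key length - confirm
# against the proxy documentation before generating one.
encryption-key: <ENCRYPTION_KEY>
# the name of the access cookie, defaults to kc-access
cookie-access-name: kc-access
# the name of the refresh cookie, defaults to kc-state
cookie-refresh-name: kc-state
# the upstream endpoint to which requests are proxied
upstream-url: http://127.0.0.1:80
# upstream-keepalives specifies whether you want keepalive on the upstream
# endpoint
upstream-keepalives: true
# skip the tls verification of the upstream url (true|false).
# Leave this false unless the upstream is reached over a trusted local path.
skip-upstream-tls-verify: false
# additional scopes to add to the default (openid+email+profile)
scopes: []
# enables extra security features
enable-security-filter: true
# headers permits you to inject custom headers into all requests
headers:
  myheader_name: my_header_value
# a map of claims that MUST exist in the token presented and the value it
# MUST match. So for example, you could match the audience or the issuer or
# some custom attribute
match-claims:
  aud: openvpn
  iss: https://keycloak.example.com/auth/realms/commons
# a list of claims to inject into the authentication headers
# i.e. given_name -> X-Auth-Given-Name
add-claims:
  - given_name
  - family_name
  - name
# a collection of resources i.e. urls that you wish to protect
resources:
  - uri: /admin/test*
    # the methods on this url that should be protected; if missing, all
    # methods are assumed
    methods:
      - GET
    # a list of roles the user must have in order to access urls under
    # the above
    roles:
      - openvpn:vpn-test
  - uri: /admin/white_listed
    # permits a url prefix through, bypassing the admission controls.
    # Keep white-listed prefixes as narrow as possible: everything under
    # them is served without the role checks applied to /admin/* below.
    white-listed: true
  - uri: /admin/*
    methods:
      - GET
    roles:
      - openvpn:vpn-user
      - openvpn:prod-vpn
# an array of origins (Access-Control-Allow-Origin)
cors-origins: []
# an array of headers to apply (Access-Control-Allow-Headers)
cors-headers: []
# an array of expose headers (Access-Control-Expose-Headers)
cors-exposed-headers: []
# an array of methods (Access-Control-Allow-Methods)
cors-methods: []
# the credentials flag (Access-Control-Allow-Credentials) (true|false).
# Only enable together with an explicit, minimal cors-origins list.
cors-credentials: false
# the max age (Access-Control-Max-Age)
cors-max-age: 1h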