Environment Variables
Environment variables for the proxy service
| Name | Introduction Version | Type | Description | Default Value |
|---|---|---|---|---|
| OC_TRACING_ENABLED<br/>PROXY_TRACING_ENABLED | 1.0.0 | bool | Activates tracing. | false |
| OC_TRACING_TYPE<br/>PROXY_TRACING_TYPE | 1.0.0 | string | The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now. | |
| OC_TRACING_ENDPOINT<br/>PROXY_TRACING_ENDPOINT | 1.0.0 | string | The endpoint of the tracing agent. | |
| OC_TRACING_COLLECTOR<br/>PROXY_TRACING_COLLECTOR | 1.0.0 | string | The HTTP endpoint for sending spans directly to a collector, e.g. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. | |
| OC_LOG_LEVEL<br/>PROXY_LOG_LEVEL | 1.0.0 | string | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. | |
| OC_LOG_PRETTY<br/>PROXY_LOG_PRETTY | 1.0.0 | bool | Activates pretty log output. | false |
| OC_LOG_COLOR<br/>PROXY_LOG_COLOR | 1.0.0 | bool | Activates colorized log output. | false |
| OC_LOG_FILE<br/>PROXY_LOG_FILE | 1.0.0 | string | The path to the log file. Activates logging to this file if set. | |
| PROXY_DEBUG_ADDR | 1.0.0 | string | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. | 127.0.0.1:9205 |
| PROXY_DEBUG_TOKEN | 1.0.0 | string | Token to secure the metrics endpoint. | |
| PROXY_DEBUG_PPROF | 1.0.0 | bool | Enables pprof, which can be used for profiling. | false |
| PROXY_DEBUG_ZPAGES | 1.0.0 | bool | Enables zpages, which can be used for collecting and viewing in-memory traces. | false |
| PROXY_HTTP_ADDR | 1.0.0 | string | The bind address of the HTTP service. | 0.0.0.0:9200 |
| PROXY_HTTP_ROOT | 1.0.0 | string | Subdirectory that serves as the root for this HTTP service. | / |
| PROXY_TRANSPORT_TLS_CERT | 1.0.0 | string | Path/File name of the TLS server certificate (in PEM format) for the external HTTP services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy. | $OC_BASE_DATA_PATH/proxy/server.crt |
| PROXY_TRANSPORT_TLS_KEY | 1.0.0 | string | Path/File name of the TLS certificate key (in PEM format) for the server certificate to use for the external HTTP services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy. | $OC_BASE_DATA_PATH/proxy/server.key |
| PROXY_TLS | 1.0.0 | bool | Enable/Disable HTTPS for external HTTP services. Must be set to 'true' if the built-in IDP service is used and no reverse proxy terminates TLS. See the text description for details. | true |
| OC_REVA_GATEWAY | 1.0.0 | string | The CS3 gateway endpoint. | eu.opencloud.api.gateway |
| OC_GRPC_CLIENT_TLS_MODE | 1.0.0 | string | TLS mode for gRPC connections to the go-micro based gRPC services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure': allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on': enables transport security, including server certificate verification. | |
| OC_GRPC_CLIENT_TLS_CACERT | 1.0.0 | string | Path/File name of the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based gRPC services. | |
| OC_URL<br/>OC_OIDC_ISSUER<br/>PROXY_OIDC_ISSUER | 1.0.0 | string | URL of the OIDC issuer. Defaults to the URL of the built-in IDP. | https://localhost:9200 |
| OC_INSECURE<br/>PROXY_OIDC_INSECURE | 1.0.0 | bool | Disable TLS certificate validation for connections to the IDP. Note that this is not recommended for production environments. | false |
| PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD | 1.0.0 | string | Sets how OIDC access tokens should be verified. Possible values are 'none' and 'jwt'. When using 'none', no special validation is done apart from using the token to access the IDP's userinfo endpoint. When using 'jwt', the access token is parsed as a JWT and its signature is verified using the keys published at the IDP's 'jwks_uri'. | jwt |
| PROXY_OIDC_SKIP_USER_INFO | 1.0.0 | bool | Do not look up user claims at the userinfo endpoint and directly read them from the access token. Incompatible with 'PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none'. | false |
| OC_CACHE_STORE<br/>PROXY_OIDC_USERINFO_CACHE_STORE | 1.0.0 | string | The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details. | memory |
| OC_CACHE_STORE_NODES<br/>PROXY_OIDC_USERINFO_CACHE_STORE_NODES | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when the 'memory' store is configured. Note that how the nodes are used depends on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] |
| OC_CACHE_DATABASE | 1.0.0 | string | The database name the configured store should use. | cache-userinfo |
| PROXY_OIDC_USERINFO_CACHE_TABLE | 1.0.0 | string | The database table the store should use. | |
| OC_CACHE_TTL<br/>PROXY_OIDC_USERINFO_CACHE_TTL | 1.0.0 | Duration | Default time to live for user info in the user info cache. Only applied when the access token has no expiration. See the Environment Variable Types description for more details. | 10s |
| OC_CACHE_DISABLE_PERSISTENCE<br/>PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE | 1.0.0 | bool | Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false. | false |
| OC_CACHE_AUTH_USERNAME<br/>PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME | 1.0.0 | string | The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | |
| OC_CACHE_AUTH_PASSWORD<br/>PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD | 1.0.0 | string | The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | |
| PROXY_OIDC_JWKS_REFRESH_INTERVAL | 1.0.0 | uint64 | The interval in minutes for refreshing the JWKS (JSON Web Key Set) in the background via a new HTTP request to the IDP. | 60 |
| PROXY_OIDC_JWKS_REFRESH_TIMEOUT | 1.0.0 | uint64 | The timeout in seconds for an outgoing JWKS request. | 10 |
| PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT | 1.0.0 | uint64 | Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via OpenCloud. | 60 |
| PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID | 1.0.0 | bool | If set to 'true', a JWKS refresh request is made every time an unknown key ID (kid) is seen. Always set PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT when enabling this. | true |
| PROXY_OIDC_REWRITE_WELLKNOWN | 1.0.0 | bool | Enables rewriting the /.well-known/openid-configuration to the configured OIDC issuer. Needed by the Desktop Client, Android Client and iOS Client to discover the OIDC provider. | false |
| OC_SERVICE_ACCOUNT_ID<br/>PROXY_SERVICE_ACCOUNT_ID | 1.0.0 | string | The ID of the service account the service should use. See the 'auth-service' service description for more details. | |
| OC_SERVICE_ACCOUNT_SECRET<br/>PROXY_SERVICE_ACCOUNT_SECRET | 1.0.0 | string | The service account secret. | |
| PROXY_ROLE_ASSIGNMENT_DRIVER | 1.0.0 | string | The mechanism that should be used to assign roles to users upon login. Supported values: 'default' or 'oidc'. 'default' assigns the role 'user' to users which don't have a role assigned at the time they log in. 'oidc' assigns the role based on the value of a claim (configured via PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM) from the user's OIDC claims. | default |
| PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM | 1.0.0 | string | The OIDC claim used to create the user's role assignment. | roles |
| PROXY_ENABLE_PRESIGNEDURLS | 1.0.0 | bool | Allow OCS to get a signing key to sign requests. | true |
| OC_CACHE_STORE<br/>PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE | 1.0.0 | string | The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details. | nats-js-kv |
| OC_CACHE_STORE_NODES<br/>PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES | 1.0.0 | []string | A list of nodes to access the configured store. Note that how the nodes are used depends on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] |
| OC_CACHE_TTL<br/>PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL | 1.0.0 | Duration | Default time to live for signing keys. See the Environment Variable Types description for more details. | 12h0m0s |
| OC_CACHE_DISABLE_PERSISTENCE<br/>PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE | 1.0.0 | bool | Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true. | true |
| OC_CACHE_AUTH_USERNAME<br/>PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME | 1.0.0 | string | The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | |
| OC_CACHE_AUTH_PASSWORD<br/>PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD | 1.0.0 | string | The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | |
| PROXY_ACCOUNT_BACKEND_TYPE | 1.0.0 | string | Account backend the PROXY service should use. Currently only 'cs3' is possible here. | cs3 |
| PROXY_USER_OIDC_CLAIM | 1.0.0 | string | The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per-user unique, stable and non-reassignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity Providers like 'email' or 'preferred_username', but you can also add your own claim. | preferred_username |
| PROXY_USER_CS3_CLAIM | 1.0.0 | string | The name of a CS3 user attribute (claim) that should be mapped to the claim configured in PROXY_USER_OIDC_CLAIM. Supported values are 'username', 'mail' and 'userid'. | username |
| OC_MACHINE_AUTH_API_KEY<br/>PROXY_MACHINE_AUTH_API_KEY | 1.0.0 | string | Machine auth API key used to validate internal requests necessary to access resources from other services. | |
| PROXY_AUTOPROVISION_ACCOUNTS | 1.0.0 | bool | Set this to 'true' to automatically provision users that do not yet exist in the users service on demand upon first sign-in. To use this, a write-enabled libregraph user backend needs to be set up and running. | false |
| PROXY_AUTOPROVISION_CLAIM_USERNAME | 1.0.0 | string | The name of the OIDC claim that holds the username. | preferred_username |
| PROXY_AUTOPROVISION_CLAIM_EMAIL | 1.0.0 | string | The name of the OIDC claim that holds the email. | |
| PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME | 1.0.0 | string | The name of the OIDC claim that holds the display name. | name |
| PROXY_AUTOPROVISION_CLAIM_GROUPS | 1.0.0 | string | The name of the OIDC claim that holds the groups. | groups |
| PROXY_ENABLE_BASIC_AUTH | 1.0.0 | bool | Set this to 'true' to enable 'basic authentication' (username/password). | false |
| PROXY_INSECURE_BACKENDS | 1.0.0 | bool | Disable TLS certificate validation for all HTTP backend connections. | false |
| PROXY_HTTPS_CACERT | 1.0.0 | string | Path/File of the root CA certificate used to validate the server's TLS certificate for HTTPS-enabled backend services. | |
| PROXY_ENABLE_APP_AUTH | 1.0.0 | bool | Allow app authentication. This can be used to authenticate 3rd party applications. Note that the auth-app service must be running for this feature to work. | true |
| PROXY_POLICIES_QUERY | 1.0.0 | string | Name of the 'Complete Rules' variable in the Rego rule set that this step evaluates. Evaluation defaults to deny if the variable is not found. | |
| PROXY_CSP_CONFIG_FILE_LOCATION | 1.0.0 | string | The location of the CSP configuration file. | |
| OC_EVENTS_ENDPOINT<br/>PROXY_EVENTS_ENDPOINT | 1.0.0 | string | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to an empty string to disable emitting events. | 127.0.0.1:9233 |
| OC_EVENTS_CLUSTER<br/>PROXY_EVENTS_CLUSTER | 1.0.0 | string | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. | opencloud-cluster |
| OC_INSECURE<br/>PROXY_EVENTS_TLS_INSECURE | 1.0.0 | bool | Disable verification of the events broker's server TLS certificate. | false |
| OC_EVENTS_TLS_ROOT_CA_CERTIFICATE<br/>PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. If provided, PROXY_EVENTS_TLS_INSECURE will be treated as false. | |
| OC_EVENTS_ENABLE_TLS<br/>PROXY_EVENTS_ENABLE_TLS | 1.0.0 | bool | Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | false |
| OC_EVENTS_AUTH_USERNAME<br/>PROXY_EVENTS_AUTH_USERNAME | 1.0.0 | string | The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | |
| OC_EVENTS_AUTH_PASSWORD<br/>PROXY_EVENTS_AUTH_PASSWORD | 1.0.0 | string | The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | |
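Several of the variables above trade security for convenience (disabled certificate verification, unsigned access tokens, an off-host debug listener, JWKS refresh without a rate limit), and each has a sibling that has to be set together with it. The following POSIX shell lint is an added example, not part of OpenCloud or its documentation: it reads the documented variable names from the environment (falling back to the OC_* global alias and then to the table's default), and reports combinations that a reviewer would flag before a deployment. The check thresholds and message texts are this example's own choices; everything else is taken from the table.

```shell
#!/bin/sh
# Added example (not OpenCloud code): lint the proxy's security-relevant
# environment variables. Source an env file first, then call proxy_env_lint;
# its exit status is the number of findings (0 = clean). Defaults are the
# table's defaults; the OC_* alias is consulted when the PROXY_* name is unset.

# envget SERVICE_NAME GLOBAL_ALIAS DEFAULT -> prints the effective value.
envget() {
  eval "eg_val=\${$1:-}"
  if [ -z "$eg_val" ] && [ -n "$2" ]; then eval "eg_val=\${$2:-}"; fi
  printf '%s' "${eg_val:-$3}"
}

# is_loopback ADDR -> succeeds if the bind address only listens locally.
is_loopback() {
  case "$1" in
    127.*|localhost:*|'[::1]':*) return 0 ;;
    *) return 1 ;;
  esac
}

proxy_env_lint() {
  findings=0
  warn() { echo "FINDING: $1"; findings=$((findings + 1)); }

  # --- transport security towards other services -------------------------
  mode=$(envget OC_GRPC_CLIENT_TLS_MODE "" "")
  case "$mode" in
    off|insecure) warn "OC_GRPC_CLIENT_TLS_MODE=$mode: gRPC server certificates are not verified" ;;
  esac
  [ "$(envget PROXY_INSECURE_BACKENDS "" false)" = true ] &&
    warn "PROXY_INSECURE_BACKENDS=true: TLS validation disabled for all HTTP backends"
  # A root CA overrides the insecure flag (see PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE).
  if [ "$(envget PROXY_EVENTS_TLS_INSECURE OC_INSECURE false)" = true ] &&
     [ -z "$(envget PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE OC_EVENTS_TLS_ROOT_CA_CERTIFICATE "")" ]; then
    warn "PROXY_EVENTS_TLS_INSECURE=true without a root CA: events broker certificate not verified"
  fi
  [ "$(envget PROXY_TLS "" true)" = false ] &&
    warn "PROXY_TLS=false: external HTTP is plaintext; only acceptable behind a TLS-terminating reverse proxy"

  # --- OIDC token handling -----------------------------------------------
  [ "$(envget PROXY_OIDC_INSECURE OC_INSECURE false)" = true ] &&
    warn "PROXY_OIDC_INSECURE=true: IDP certificate not validated"
  verify=$(envget PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD "" jwt)
  skip=$(envget PROXY_OIDC_SKIP_USER_INFO "" false)
  if [ "$verify" = none ]; then
    warn "PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none: access token signature is not checked"
    [ "$skip" = true ] &&
      warn "PROXY_OIDC_SKIP_USER_INFO=true is incompatible with verify method 'none'"
  fi
  # Refreshing on every unknown kid lets a client drive requests to the IDP
  # unless PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT throttles them.
  if [ "$(envget PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID "" true)" = true ] &&
     [ "$(envget PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT "" 60)" -eq 0 ]; then
    warn "JWKS refresh on unknown kid without a rate limit: clients can force requests to the IDP"
  fi

  # --- authentication surface --------------------------------------------
  [ "$(envget PROXY_ENABLE_BASIC_AUTH "" false)" = true ] &&
    warn "PROXY_ENABLE_BASIC_AUTH=true: username/password authentication enabled"

  # --- debug server exposure ---------------------------------------------
  addr=$(envget PROXY_DEBUG_ADDR "" 127.0.0.1:9205)
  if ! is_loopback "$addr"; then
    [ -n "$(envget PROXY_DEBUG_TOKEN "" "")" ] ||
      warn "PROXY_DEBUG_ADDR=$addr is reachable off-host and PROXY_DEBUG_TOKEN is unset"
    # The token secures the metrics endpoint only, so pprof stays exposed.
    [ "$(envget PROXY_DEBUG_PPROF "" false)" = true ] &&
      warn "pprof enabled on a non-loopback debug address (the token only covers metrics)"
  fi

  return "$findings"
}

# Lint the current environment when run directly.
proxy_env_lint
echo "findings: $?"
```

With the table's defaults the lint is clean; the two findings most often seen in practice are OC_INSECURE=true (which, via the alias, disables certificate verification for both the IDP and the events broker at once) and PROXY_DEBUG_ADDR rebound to 0.0.0.0 for a metrics scraper without setting PROXY_DEBUG_TOKEN.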