Zum Hauptinhalt springen
Version: rolling

Environment Variables

Environment variables for the proxy service

NameIntroduction VersionTypeDescriptionDefault Value
OC_LOG_LEVEL
PROXY_LOG_LEVEL
1.0.0stringThe log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'."error"
PROXY_DEBUG_ADDR1.0.0stringBind address of the debug server, where metrics, health, config and debug endpoints will be exposed."127.0.0.1:9205"
PROXY_DEBUG_TOKEN1.0.0stringToken to secure the metrics endpoint.""
PROXY_DEBUG_PPROF1.0.0boolEnables pprof, which can be used for profiling."false"
PROXY_DEBUG_ZPAGES1.0.0boolEnables zpages, which can be used for collecting and viewing in-memory traces."false"
PROXY_HTTP_ADDR1.0.0stringThe bind address of the HTTP service."0.0.0.0:9200"
PROXY_HTTP_ROOT1.0.0stringSubdirectory that serves as the root for this HTTP service."/"
PROXY_TRANSPORT_TLS_CERT1.0.0stringPath/File name of the TLS server certificate (in PEM format) for the external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy."/var/lib/opencloud/proxy/server.crt"
PROXY_TRANSPORT_TLS_KEY1.0.0stringPath/File name for the TLS certificate key (in PEM format) for the server certificate to use for the external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy."/var/lib/opencloud/proxy/server.key"
PROXY_TLS1.0.0boolEnable/Disable HTTPS for external HTTP services. Must be set to 'true' if the built-in IDP service and no reverse proxy is used. See the text description for details."true"
OC_REVA_GATEWAY1.0.0stringThe CS3 gateway endpoint."eu.opencloud.api.gateway"
OC_GRPC_CLIENT_TLS_MODE1.0.0stringTLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.""
OC_GRPC_CLIENT_TLS_CACERT1.0.0stringPath/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.""
OC_URL
OC_OIDC_ISSUER
PROXY_OIDC_ISSUER
1.0.0stringURL of the OIDC issuer. It defaults to URL of the builtin IDP."https://localhost:9200"
OC_INSECURE
PROXY_OIDC_INSECURE
1.0.0boolDisable TLS certificate validation for connections to the IDP. Note that this is not recommended for production environments."false"
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD1.0.0stringSets how OIDC access tokens should be verified. Possible values are 'none' and 'jwt'. When using 'none', no special validation apart from using it for accessing the IDP's userinfo endpoint will be done. When using 'jwt', it tries to parse the access token as a jwt token and verifies the signature using the keys published on the IDP's 'jwks_uri'."jwt"
PROXY_OIDC_SKIP_USER_INFO1.0.0boolDo not look up user claims at the userinfo endpoint and directly read them from the access token. Incompatible with 'PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none'."false"
OC_CACHE_STORE
PROXY_OIDC_USERINFO_CACHE_STORE
1.0.0stringThe type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details."memory"
OC_CACHE_STORE_NODES
PROXY_OIDC_USERINFO_CACHE_STORE_NODES
1.0.0[]stringA list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details."[127.0.0.1:9233]"
OC_CACHE_DATABASE1.0.0stringThe database name the configured store should use."cache-userinfo"
PROXY_OIDC_USERINFO_CACHE_TABLE1.0.0stringThe database table the store should use.""
OC_CACHE_TTL
PROXY_OIDC_USERINFO_CACHE_TTL
1.0.0DurationDefault time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details."10s"
OC_CACHE_DISABLE_PERSISTENCE
PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE
1.0.0boolDisables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false."false"
OC_CACHE_AUTH_USERNAME
PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME
1.0.0stringThe username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.""
OC_CACHE_AUTH_PASSWORD
PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD
1.0.0stringThe password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.""
OC_CACHE_ENABLE_TLS
PROXY_OIDC_USERINFO_CACHE_ENABLE_TLS
nextboolEnable TLS for the connection to file metadata cache."false"
OC_INSECURE
OC_CACHE_TLS_INSECURE
PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE
nextboolWhether to verify the server TLS certificates."false"
OC_CACHE_TLS_ROOT_CA_CERTIFICATE
PROXY_OIDC_USERINFO_CACHE_TLS_ROOT_CA_CERTIFICATE
nextstringThe root CA certificate used to validate the server's TLS certificate. If provided PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE will be seen as false.""
PROXY_OIDC_JWKS_REFRESH_INTERVAL1.0.0uint64The interval for refreshing the JWKS (JSON Web Key Set) in minutes in the background via a new HTTP request to the IDP."60"
PROXY_OIDC_JWKS_REFRESH_TIMEOUT1.0.0uint64The timeout in seconds for an outgoing JWKS request."10"
PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT1.0.0uint64Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via OpenCloud."60"
PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID1.0.0boolIf set to 'true', the JWKS refresh request will occur every time an unknown KEY ID (KID) is seen. Always set a 'refresh_limit' when enabling this."true"
PROXY_OIDC_REWRITE_WELLKNOWN1.0.0boolEnables rewriting the /.well-known/openid-configuration to the configured OIDC issuer. Needed by the Desktop Client, Android Client and iOS Client to discover the OIDC provider."false"
OC_SERVICE_ACCOUNT_ID
PROXY_SERVICE_ACCOUNT_ID
1.0.0stringThe ID of the service account the service should use. See the 'auth-service' service description for more details.""
OC_SERVICE_ACCOUNT_SECRET
PROXY_SERVICE_ACCOUNT_SECRET
1.0.0stringThe service account secret.""
PROXY_ROLE_ASSIGNMENT_DRIVER1.0.0stringThe mechanism that should be used to assign roles to user upon login. Supported values: 'default' or 'oidc'. 'default' will assign the role 'user' to users which don't have a role assigned at the time they login. 'oidc' will assign the role based on the value of a claim (configured via PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM) from the users OIDC claims."default"
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM1.0.0stringThe OIDC claim used to create the users role assignment."roles"
PROXY_ENABLE_PRESIGNEDURLS1.0.0boolAllow OCS to get a signing key to sign requests."true"
OC_CACHE_STORE
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE
1.0.0stringThe type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details."nats-js-kv"
OC_CACHE_STORE_NODES
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES
1.0.0[]stringA list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details."[127.0.0.1:9233]"
OC_CACHE_TTL
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL
1.0.0DurationDefault time to live for signing keys. See the Environment Variable Types description for more details."12h0m0s"
OC_CACHE_DISABLE_PERSISTENCE
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE
1.0.0boolDisables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true."true"
OC_CACHE_AUTH_USERNAME
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME
1.0.0stringThe username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.""
OC_CACHE_AUTH_PASSWORD
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD
1.0.0stringThe password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.""
OC_CACHE_ENABLE_TLS
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS
nextboolEnable TLS for the connection to file metadata cache."false"
OC_INSECURE
OC_CACHE_TLS_INSECURE
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE
nextboolWhether to verify the server TLS certificates."false"
OC_CACHE_TLS_ROOT_CA_CERTIFICATE
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE
nextstringThe root CA certificate used to validate the server's TLS certificate. If provided PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false.""
PROXY_ACCOUNT_BACKEND_TYPE1.0.0stringAccount backend the PROXY service should use. Currently only 'cs3' is possible here."cs3"
PROXY_USER_OIDC_CLAIM1.0.0stringThe name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim."preferred_username"
PROXY_USER_CS3_CLAIM1.0.0stringThe name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'."username"
PROXY_TENANT_OIDC_CLAIM6.1.0stringJMESPath expression to extract the tenant ID from the OIDC token claims. When set, the extracted value is verified against the tenant ID returned by the user backend, rejecting requests where they do not match. Only relevant when multi-tenancy is enabled.""
PROXY_TENANT_ID_MAPPING_ENABLED6.1.0boolWhen set to 'true', the proxy will resolve the internal tenant ID from the external tenant ID provided in the OIDC claims by calling the TenantAPI before verifying the tenant. Use this when the external tenant ID in the OIDC token differs from the internal tenant ID stored on the user. Requires 'tenant_oidc_claim' to be set. Only relevant when multi-tenancy is enabled."false"
OC_MACHINE_AUTH_API_KEY
PROXY_MACHINE_AUTH_API_KEY
1.0.0stringMachine auth API key used to validate internal requests necessary to access resources from other services.""
PROXY_AUTOPROVISION_ACCOUNTS1.0.0boolSet this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running."false"
PROXY_AUTOPROVISION_CLAIM_USERNAME1.0.0stringThe name of the OIDC claim that holds the username."preferred_username"
PROXY_AUTOPROVISION_CLAIM_EMAIL1.0.0stringThe name of the OIDC claim that holds the email."email"
PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME1.0.0stringThe name of the OIDC claim that holds the display name."name"
PROXY_AUTOPROVISION_CLAIM_GROUPS1.0.0stringThe name of the OIDC claim that holds the groups."groups"
PROXY_ENABLE_BASIC_AUTH1.0.0boolSet this to true to enable 'basic authentication' (username/password)."false"
PROXY_INSECURE_BACKENDS1.0.0boolDisable TLS certificate validation for all HTTP backend connections."false"
PROXY_HTTPS_CACERT1.0.0stringPath/File for the root CA certificate used to validate the server’s TLS certificate for https enabled backend services.""
PROXY_ENABLE_APP_AUTH1.0.0boolAllow app authentication. This can be used to authenticate 3rd party applications. Note that auth-app service must be running for this feature to work."true"
PROXY_POLICIES_QUERY1.0.0stringDefines the 'Complete Rules' variable defined in the rego rule set this step uses for its evaluation. Rules default to deny if the variable was not found.""
PROXY_CSP_CONFIG_FILE_LOCATION1.0.0stringThe location of the CSP configuration file.""
PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION4.0.0stringThe location of the CSP configuration file override.""
OC_EVENTS_ENDPOINT
PROXY_EVENTS_ENDPOINT
1.0.0stringThe address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events."127.0.0.1:9233"
OC_EVENTS_CLUSTER
PROXY_EVENTS_CLUSTER
1.0.0stringThe clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture."opencloud-cluster"
OC_INSECURE
OC_EVENTS_TLS_INSECURE
PROXY_EVENTS_TLS_INSECURE
1.0.0boolWhether to verify the server TLS certificates."false"
OC_EVENTS_TLS_ROOT_CA_CERTIFICATE
PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE
1.0.0stringThe root CA certificate used to validate the server's TLS certificate. If provided PROXY_EVENTS_TLS_INSECURE will be seen as false.""
OC_EVENTS_ENABLE_TLS
PROXY_EVENTS_ENABLE_TLS
1.0.0boolEnable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services."false"
OC_EVENTS_AUTH_USERNAME
PROXY_EVENTS_AUTH_USERNAME
1.0.0stringThe username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.""
OC_EVENTS_AUTH_PASSWORD
PROXY_EVENTS_AUTH_PASSWORD
1.0.0stringThe password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.""