OC_LOG_LEVEL
PROXY_LOG_LEVEL | 1.0.0 | string | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. | error |
PROXY_DEBUG_ADDR | 1.0.0 | string | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. | 127.0.0.1:9205 |
PROXY_DEBUG_TOKEN | 1.0.0 | string | Token to secure the metrics endpoint. | `` |
PROXY_DEBUG_PPROF | 1.0.0 | bool | Enables pprof, which can be used for profiling. | false |
PROXY_DEBUG_ZPAGES | 1.0.0 | bool | Enables zpages, which can be used for collecting and viewing in-memory traces. | false |
PROXY_HTTP_ADDR | 1.0.0 | string | The bind address of the HTTP service. | 0.0.0.0:9200 |
PROXY_HTTP_ROOT | 1.0.0 | string | Subdirectory that serves as the root for this HTTP service. | / |
PROXY_TRANSPORT_TLS_CERT | 1.0.0 | string | Path/File name of the TLS server certificate (in PEM format) for the external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy. | /var/lib/opencloud/proxy/server.crt |
PROXY_TRANSPORT_TLS_KEY | 1.0.0 | string | Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy. | /var/lib/opencloud/proxy/server.key |
PROXY_TLS | 1.0.0 | bool | Enable/Disable HTTPS for external HTTP services. Must be set to 'true' if the built-in IDP service and no reverse proxy is used. See the text description for details. | true |
OC_REVA_GATEWAY | 1.0.0 | string | The CS3 gateway endpoint. | eu.opencloud.api.gateway |
OC_GRPC_CLIENT_TLS_MODE | 1.0.0 | string | TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. | `` |
OC_GRPC_CLIENT_TLS_CACERT | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. | `` |
OC_URL
OC_OIDC_ISSUER
PROXY_OIDC_ISSUER | 1.0.0 | string | URL of the OIDC issuer. It defaults to URL of the builtin IDP. | https://localhost:9200 |
OC_INSECURE
PROXY_OIDC_INSECURE | 1.0.0 | bool | Disable TLS certificate validation for connections to the IDP. Note that this is not recommended for production environments. | false |
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD | 1.0.0 | string | Sets how OIDC access tokens should be verified. Possible values are 'none' and 'jwt'. When using 'none', no special validation apart from using it for accessing the IDP's userinfo endpoint will be done. When using 'jwt', it tries to parse the access token as a jwt token and verifies the signature using the keys published on the IDP's 'jwks_uri'. | jwt |
PROXY_OIDC_SKIP_USER_INFO | 1.0.0 | bool | Do not look up user claims at the userinfo endpoint and directly read them from the access token. Incompatible with 'PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none'. | false |
OC_CACHE_STORE
PROXY_OIDC_USERINFO_CACHE_STORE | 1.0.0 | string | The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details. | memory |
OC_CACHE_STORE_NODES
PROXY_OIDC_USERINFO_CACHE_STORE_NODES | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] |
OC_CACHE_DATABASE | 1.0.0 | string | The database name the configured store should use. | cache-userinfo |
PROXY_OIDC_USERINFO_CACHE_TABLE | 1.0.0 | string | The database table the store should use. | `` |
OC_CACHE_TTL
PROXY_OIDC_USERINFO_CACHE_TTL | 1.0.0 | Duration | Default time to live for user info in the user info cache. This value is only applied when the token expiration cannot be extracted from the access tokens (e.g. when non-JWT access tokes are used). See the Environment Variable Types description for more details. | 10s |
OC_CACHE_DISABLE_PERSISTENCE
PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE | 1.0.0 | bool | Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false. | false |
OC_CACHE_AUTH_USERNAME
PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME | 1.0.0 | string | The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | `` |
OC_CACHE_AUTH_PASSWORD
PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD | 1.0.0 | string | The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | `` |
PROXY_OIDC_JWKS_REFRESH_INTERVAL | 1.0.0 | uint64 | The interval for refreshing the JWKS (JSON Web Key Set) in minutes in the background via a new HTTP request to the IDP. | 60 |
PROXY_OIDC_JWKS_REFRESH_TIMEOUT | 1.0.0 | uint64 | The timeout in seconds for an outgoing JWKS request. | 10 |
PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT | 1.0.0 | uint64 | Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via OpenCloud. | 60 |
PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID | 1.0.0 | bool | If set to 'true', the JWKS refresh request will occur every time an unknown KEY ID (KID) is seen. Always set a 'refresh_limit' when enabling this. | true |
PROXY_OIDC_REWRITE_WELLKNOWN | 1.0.0 | bool | Enables rewriting the /.well-known/openid-configuration to the configured OIDC issuer. Needed by the Desktop Client, Android Client and iOS Client to discover the OIDC provider. | false |
OC_SERVICE_ACCOUNT_ID
PROXY_SERVICE_ACCOUNT_ID | 1.0.0 | string | The ID of the service account the service should use. See the 'auth-service' service description for more details. | `` |
OC_SERVICE_ACCOUNT_SECRET
PROXY_SERVICE_ACCOUNT_SECRET | 1.0.0 | string | The service account secret. | `` |
PROXY_ROLE_ASSIGNMENT_DRIVER | 1.0.0 | string | The mechanism that should be used to assign roles to user upon login. Supported values: 'default' or 'oidc'. 'default' will assign the role 'user' to users which don't have a role assigned at the time they login. 'oidc' will assign the role based on the value of a claim (configured via PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM) from the users OIDC claims. | default |
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM | 1.0.0 | string | The OIDC claim used to create the users role assignment. | roles |
PROXY_ENABLE_PRESIGNEDURLS | 1.0.0 | bool | Allow OCS to get a signing key to sign requests. | true |
OC_CACHE_STORE
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE | 1.0.0 | string | The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details. | nats-js-kv |
OC_CACHE_STORE_NODES
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES | 1.0.0 | []string | A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] |
OC_CACHE_TTL
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL | 1.0.0 | Duration | Default time to live for signing keys. See the Environment Variable Types description for more details. | 12h0m0s |
OC_CACHE_DISABLE_PERSISTENCE
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE | 1.0.0 | bool | Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true. | true |
OC_CACHE_AUTH_USERNAME
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME | 1.0.0 | string | The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | `` |
OC_CACHE_AUTH_PASSWORD
PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD | 1.0.0 | string | The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | `` |
PROXY_ACCOUNT_BACKEND_TYPE | 1.0.0 | string | Account backend the PROXY service should use. Currently only 'cs3' is possible here. | cs3 |
PROXY_USER_OIDC_CLAIM | 1.0.0 | string | The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim. | preferred_username |
PROXY_USER_CS3_CLAIM | 1.0.0 | string | The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'. | username |
PROXY_TENANT_OIDC_CLAIM | 6.1.0 | string | JMESPath expression to extract the tenant ID from the OIDC token claims. When set, the extracted value is verified against the tenant ID returned by the user backend, rejecting requests where they do not match. Only relevant when multi-tenancy is enabled. | `` |
PROXY_TENANT_ID_MAPPING_ENABLED | 6.1.0 | bool | When set to 'true', the proxy will resolve the internal tenant ID from the external tenant ID provided in the OIDC claims by calling the TenantAPI before verifying the tenant. Use this when the external tenant ID in the OIDC token differs from the internal tenant ID stored on the user. Requires 'tenant_oidc_claim' to be set. Only relevant when multi-tenancy is enabled. | false |
OC_MACHINE_AUTH_API_KEY
PROXY_MACHINE_AUTH_API_KEY | 1.0.0 | string | Machine auth API key used to validate internal requests necessary to access resources from other services. | `` |
PROXY_AUTOPROVISION_ACCOUNTS | 1.0.0 | bool | Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running. | false |
PROXY_AUTOPROVISION_CLAIM_USERNAME | 1.0.0 | string | The name of the OIDC claim that holds the username. | preferred_username |
PROXY_AUTOPROVISION_CLAIM_EMAIL | 1.0.0 | string | The name of the OIDC claim that holds the email. | email |
PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME | 1.0.0 | string | The name of the OIDC claim that holds the display name. | name |
PROXY_AUTOPROVISION_CLAIM_GROUPS | 1.0.0 | string | The name of the OIDC claim that holds the groups. | groups |
PROXY_ENABLE_BASIC_AUTH | 1.0.0 | bool | Set this to true to enable 'basic authentication' (username/password). | false |
PROXY_INSECURE_BACKENDS | 1.0.0 | bool | Disable TLS certificate validation for all HTTP backend connections. | false |
PROXY_HTTPS_CACERT | 1.0.0 | string | Path/File for the root CA certificate used to validate the server’s TLS certificate for https enabled backend services. | `` |
PROXY_ENABLE_APP_AUTH | 1.0.0 | bool | Allow app authentication. This can be used to authenticate 3rd party applications. Note that auth-app service must be running for this feature to work. | true |
PROXY_POLICIES_QUERY | 1.0.0 | string | Defines the 'Complete Rules' variable defined in the rego rule set this step uses for its evaluation. Rules default to deny if the variable was not found. | `` |
PROXY_CSP_CONFIG_FILE_LOCATION | 1.0.0 | string | The location of the CSP configuration file. | `` |
PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION | 4.0.0 | string | The location of the CSP configuration file override. | `` |
OC_EVENTS_ENDPOINT
PROXY_EVENTS_ENDPOINT | 1.0.0 | string | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events. | 127.0.0.1:9233 |
OC_EVENTS_CLUSTER
PROXY_EVENTS_CLUSTER | 1.0.0 | string | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. | opencloud-cluster |
OC_INSECURE
OC_EVENTS_TLS_INSECURE
PROXY_EVENTS_TLS_INSECURE | 1.0.0 | bool | Whether to verify the server TLS certificates. | false |
OC_EVENTS_TLS_ROOT_CA_CERTIFICATE
PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. If provided PROXY_EVENTS_TLS_INSECURE will be seen as false. | `` |
OC_EVENTS_ENABLE_TLS
PROXY_EVENTS_ENABLE_TLS | 1.0.0 | bool | Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | false |
OC_EVENTS_AUTH_USERNAME
PROXY_EVENTS_AUTH_USERNAME | 1.0.0 | string | The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | `` |
OC_EVENTS_AUTH_PASSWORD
PROXY_EVENTS_AUTH_PASSWORD | 1.0.0 | string | The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | `` |