Access Proxy Parameters

Last updated on 2022-09-15 16:21:43

Envoy Proxy

Environment variables to override default values:

Key	Default	Type	Description
COMPONENTLOGLEVEL	grpc:debug,config:debug	str	Envoy’s component specific log level info
FYDE_PROXY_HOST	proxy-client	str	Orchestrator’s hostname / DNS record
FYDE_PROXY_PORT	50051	str	Orchestrator’s service port
LOGLEVEL	info	str	Envoy’s global log level info

Proxy Orchestrator

The following override mechanisms will be processed in order, the last override representing the final value:

Default value
Configuration pushed from CloudGen Access Enterprise Console
overrides.json file on the CWD of the service process
Docker provisioned secret (/run/secrets/<key>)
AWS SSM (all keys prefixed with the value from the ‘prefix’ key; disable check with env variable DISABLE_AWS_SSM=1 )
AWS SecretsManager (all keys prefixed with the value from the ‘prefix’ key; disable check with env variable DISABLE_AWS_SEC_MANAGER=1 )
Environment variable, prefixed with FYDE_ and all caps
Command-line arguments in long-form notation like ‘--example’, all keys underscores converted to dashes.

Key	Default	Type	Description
authz_pubkey	None	str	Authorizer EC Public Key (Used to verify authorization JWTs)
authz_timeout	30	int	CloudGen Access authorization call timeout (seconds)
enable_ipv6	False	bool	Enable ipv6 usage for DNS in envoy
enrollment_token	None	str	Enrollment token provided by CloudGen Access Enterprise Console
envoy_listener_ip	‘0.0.0.0’	str	Envoy Proxy listener IP
envoy_listener_port	8000	int	Envoy Proxy listener port
envoy_prometheus	True	bool	Prometheus metrics for Envoy Proxy status
envoy_prometheus_ip	‘0.0.0.0’	str	Prometheus metrics for Envoy Proxy listener IP
envoy_prometheus_port	9000	int	Prometheus metrics for Envoy Proxy listener port
grpc_insecure	True	bool	gRPC insecure mode for the CloudGen Access Proxy Orchestrator
grpc_listener	’[::]:50051’	str	gRPC listener for the CloudGen Access Proxy Orchestrator
http_proxy	None	str	Use HTTP proxy. Example: “http://proxy.host:1234/” or “socks5://10.0.0.1:5555”
https_proxy	None	str	Use HTTPS proxy. Example: “https://proxy.host:1234/” or “socks5://10.0.0.1:5555”
prefix	fyde_	str	Define the prefix used for keys stored in AWS SSM and AWS SecretsManager
proxy_prometheus	True	bool	Prometheus metrics for CloudGen Access Proxy Orchestrator status
proxy_prometheus_ip	‘0.0.0.0’	str	Prometheus metrics for CloudGen Access Proxy Orchestrator listener IP
proxy_prometheus_port	9010	int	Prometheus metrics for CloudGen Access Proxy Orchestrator listener port
redis_ssl	False	bool	Enable SSL support for Redis connections
redis_sentinel_ssl	False	bool	Enable SSL support for Redis Sentinel connections
redis_ssl_cert_reqs	‘none’	str	SSL Certificate verification options. one of ‘none’, ‘optional’, ‘required’. More info here
redis_ssl_key	None	str	Redis/Sentinel SSL client authentication private key This can be a path to a file holding the key or the content of it inlined in the variable
redis_ssl_cert	None	str	Redis/Sentinel SSL client authentication certificate This can be a path to a file holding the cert or the content of it inlined in the variable
redis_ssl_ca_certs	None	str	Redis/Sentinel SSL CA trusted anchors This can be a path to a file holding the certs or the content of it inlined in the variable
redis_auth	None	str	Redis auth key
redis_db	0	int	Redis database
redis_host	None	str	Used for HA mode only. Leave empty in CloudGen Access Proxy single mode.
redis_port	6379	int	Redis port
redis_timeout	1.0	float	Redis socket_timeout in seconds
redis_sentinel_hosts	None	str	Redis Sentinel comma-separated list of host:port pairs
redis_sentinel_service_name	None	str	Redis Sentinel service (cluster) name
redis_sentinel_wait_for_primary	30	int	Redis Sentinel time in seconds to wait for primary