Configuration Reference

CONFIGDESCRIPTIONDEFAULTENV
–config valuepath the a configuration filePROXY_CONFIG_FILE
–listen valueDefines the binding interface for main listener, e.g. {address}:{port}. This is required and there is no default valuePROXY_LISTEN
–listen-http valueinterface we should be listening to for HTTP trafficPROXY_LISTEN_HTTP
–listen-admin valuedefines the interface to bind admin-only endpoint (live-status, debug, prometheus…). If not defined, this defaults to the main listener defined by ListenPROXY_LISTEN_ADMIN
–listen-admin-scheme valuescheme to serve admin-only endpoint (http or https).PROXY_LISTEN_ADMIN_SCHEME
–discovery-url valuediscovery url to retrieve the openid configurationPROXY_DISCOVERY_URL
–client-id valueclient id used to authenticate to the oauth servicePROXY_CLIENT_ID
–client-secret valueclient secret used to authenticate to the oauth servicePROXY_CLIENT_SECRET
–redirection-url valueredirection url for the oauth callback url, defaults to host header if absentPROXY_REDIRECTION_URL
–post-logout-redirect-uri valueurl to which client is redirected after successful logoutPROXY_POST_LOGOUT_REDIRECT_URI
–post-login-redirect-path valuepost-login-redirect-path" usage:“path to which client is redirected after successful login, in case user access /PROXY_POST_LOGIN_REDIRECT_PATH
–revocation-url valueurl for the revocation endpoint to revoke refresh tokenPROXY_REVOCATION_URL
–skip-openid-provider-tls-verifyskip the verification of any TLS communication with the openid providerfalsePROXY_SKIP_OPENID_PROVIDER_TLSVERIFY
–openid-provider-proxy valueproxy for communication with the openid providerPROXY_OPENID_PROVIDER_PROXY
–openid-provider-timeout valuetimeout for openid configuration on .well-known/openid-configuration30sPROXY_OPENID_PROVIDER_TIMEOUT
–openid-provider-retry-count valuenumber of retries for retrieving openid configuration3PROXY_OPENID_PROVIDER_RETRY_COUNT
–openid-provider-headers valuehttp headers sent to idp provider
–upstream-proxyproxy for communication with upstreamPROXY_UPSTREAM_PROXY
–upstream-no-proxylist of upstream destinations which should be not proxiedPROXY_UPSTREAM_NO_PROXY
–base-uri valuecommon prefix for all URIsPROXY_BASE_URI
–oauth-uri valuethe uri for proxy oauth endpoints/oauthPROXY_OAUTH_URI
–scopes valuelist of scopes requested when authenticating the user
–upstream-url valueurl for the upstream endpoint you wish to proxyPROXY_UPSTREAM_URL
–upstream-ca valuethe path to a file container a CA certificate to validate the upstream tls endpointPROXY_UPSTREAM_CA
–resources valuelist of resources ‘uri=/admin*|methods=GET,PUT|roles=role1,role2’
–headers valuecustom headers to the upstream request, key=value
–preserve-hostpreserve the host header of the proxied request in the upstream requestfalsePROXY_PRESERVE_HOST
–request-id-header valuethe http header name for request idX-Request-IDPROXY_REQUEST_ID_HEADER
–response-headers valuecustom headers to added to the http response key=valuePROXY_RESPONSE_HEADERS
–custom-http-methodslist of additional non-standard http methods
–allowed-query-paramsallowed query params, sent to IDP key=optional value
–default-allowed-query-paramsdefault allowed query params, sent to IDP key=required-value
–enable-self-signed-tlscreate self signed certificates for the proxyfalsePROXY_ENABLE_SELF_SIGNED_TLS
–self-signed-tls-hostnames valuea list of hostnames to place on the self-signed certificate
–self-signed-tls-expiration valuethe expiration of the certificate before rotation3h0m0sPROXY_SELF_SIGNED_TLS_EXPIRATION
–enable-request-idindicates we should add a request id if none foundfalsePROXY_ENABLE_REQUEST_ID
–enable-logout-redirectindicates we should redirect to the identity provider for logging outfalsePROXY_ENABLE_LOGOUT_REDIRECT
–enable-default-denyenables a default denial on all requests, requests with valid token are permitted, you have to explicitly say what is permittedtruePROXY_ENABLE_DEFAULT_DENY
–enable-default-deny-strictenables a default denial on all requests, requests with valid token are denied, you have to explicitly say what is permitted (recommended)falsePROXY_ENABLE_DEFAULT_DENY_STRICT
–enable-encrypted-tokenenable encryption for the access tokenstruePROXY_ENABLE_ENCRYPTED_TOKEN
–force-encrypted-cookieforce encryption for the access tokens in cookiesfalsePROXY_FORCE_ENCRYPTED_COOKIE
–enable-loggingenable http logging of the requestsfalsePROXY_ENABLE_LOGGING
–enable-json-loggingswitch on json logging rather than texttruePROXY_ENABLE_JSON_LOGGING
–enable-forwardingenables the forwarding proxy mode, signing outbound requestfalsePROXY_ENABLE_FORWARDING
–enable-security-filterenables the security filter handlerfalsePROXY_ENABLE_SECURITY_FILTER
–enable-refresh-tokensenables the handling of the refresh tokensfalsePROXY_ENABLE_REFRESH_TOKEN
–enable-session-cookiesaccess and refresh tokens are session only i.e. removed browser closetruePROXY_ENABLE_SESSION_COOKIES
–enable-login-handlerenables the handling of the refresh tokensfalsePROXY_ENABLE_LOGIN_HANDLER
–enable-token-headerenables the token authentication header X-Auth-Token to upstreamtruePROXY_ENABLE_TOKEN_HEADER
–enable-authorization-headeradds the authorization header to the proxy requesttruePROXY_ENABLE_AUTHORIZATION_HEADER
–enable-authorization-cookiesadds the authorization cookies to the uptream proxy requesttruePROXY_ENABLE_AUTHORIZATION_COOKIES
–enable-https-redirectionenable the http to https redirection on the http servicefalsePROXY_ENABLE_HTTPS_REDIRECT
–enable-profilingswitching on the golang profiling via pprof on /debug/pprof, /debug/pprof/heap etcfalsePROXY_ENABLE_PROFILING
–enable-metricsenable the prometheus metrics collector on /oauth/metricsfalsePROXY_ENABLE_METRICS
–filter-browser-xssenable the adds the X-XSS-Protection header with mode=blockfalsePROXY_ENABLE_BROWSER_XSS_FILTER
–filter-content-nosniffadds the X-Content-Type-Options header with the value nosnifffalsePROXY_ENABLE_CONTENT_NO_SNIFF
–filter-frame-denyenable to the frame deny headerfalsePROXY_ENABLE_FRAME_DENY
–content-security-policy valuespecify the content security policyPROXY_CONTENT_SECURITY_POLICY
–localhost-metricsenforces the metrics page can only been requested from 127.0.0.1falsePROXY_LOCALHOST_METRICS
–enable-compressionenable gzip compression for responsefalsePROXY_ENABLE_COMPRESSION
–enable-pkceenable pkce for auth code flow, only S256 code challenge supportedtruePROXY_ENABLE_PKCE
–enable-idp-session-checkduring token validation it also checks if user session is still present, useful for multi app logouttruePROXY_ENABLE_IDP_SESSION_CHECK
–enable-umaenable UMA authorization, please don’t use in production as it is new feature, we would like to receive feedback firstfalsePROXY_ENABLE_UMA
–enable-opaenable authorization with external Open policy agentfalsePROXY_ENABLE_OPA
–opa-timeouttimeout for connection to OPA10sPROXY_OPA_TIMEOUT
–opa-authz-uriOPA endpoint address with pathPROXY_OPA_AUTHZ_URI
–pat-retry-countnumber of retries to get PAT5PROXY_PAT_RETRY_COUNT
–pat-retry-intervalinterval between retries to get PAT2sPROXY_PAT_RETRY_INTERVAL
–access-token-duration valuefallback cookie duration for the access token when using refresh tokens720h0m0sPROXY_ACCESS_TOKEN_DURATION
–cookie-domain valuedomain the access cookie is available to, defaults host headerPROXY_COOKIE_DOMAIN
–cookie-access-name valuename of the cookie use to hold the access tokenkc-accessPROXY_COOKIE_ACCESS_NAME
–cookie-refresh-name valuename of the cookie used to hold the encrypted refresh tokenkc-statePROXY_COOKIE_REFRESH_NAME
–cookie-oauth-state-name valuename of the cookie used to hold the Oauth request stateOAuth_Token_Request_StateCOOKIE_OAUTH_STATE_NAME
–cookie-request-uri-name valuename of the cookie used to hold the request urirequest_uriCOOKIE_REQUEST_URI_NAME
–cookie-pkce-name valuename of the cookie used to hold PKCE code verifierpkceCOOKIE_PKCE_NAME
–secure-cookieenforces the cookie to be securetruePROXY_SECURE_COOKIE
–http-only-cookieenforces the cookie is in http only modetruePROXY_HTTP_ONLY_COOKIE
–same-site-cookie valueenforces cookies to be send only to same site requests according to the policy (can be | Strict|Lax|None)LaxPROXY_SAME_SITE_COOKIE
–enable-id-token-cookieenable id token cookiefalsePROXY_ENABLE_IDTOKEN_COOKIE
–match-claims valuekeypair values for matching access token claims e.g. aud=myapp, iss=http://example.*
–add-claims valueextra claims from the token and inject into headers, e.g given_name -> X-Auth-Given-Name
–enable-uma-method-scopeenables passing request method as ‘method:GET’ scope to keycloak for authorizationfalsePROXY_ENABLE_UMA_METHOD_SCOPE
–tls-min-versionspecify server minimal TLS version one of tlsv1.2,tlsv1.3TLS_MIN_VERSION
–tls-cert valuepath to ths TLS certificatePROXY_TLS_CERTIFICATE
–tls-private-key valuepath to the private key for TLSPROXY_TLS_PRIVATE_KEY
–tls-ca-certificate valuepath to the ca certificate used for signing requestsPROXY_TLS_CA_CERTIFICATE
–tls-ca-key valuepath the ca private key, used by the forward signing proxyPROXY_TLS_CA_PRIVATE_KEY
–tls-client-certificate valuepath to the client certificate for outbound connections in reverse and forwarding proxy modesPROXY_TLS_CLIENT_CERTIFICATE
–skip-upstream-tls-verifyskip the verification of any upstream TLStruePROXY_SKIP_UPSTREAM_TLS_VERIFY
–tls-admin-cert valuepath to ths TLS certificatePROXY_TLS_ADMIN_CERTIFICATE
–tls-admin-private-key valuepath to the private key for TLSPROXY_TLS_ADMIN_PRIVATE_KEY
–tls-admin-ca-certificate valuepath to the ca certificate used for signing requestsPROXY_TLS_ADMIN_CA_CERTIFICATE
–tls-admin-client-certificate valuepath to the client certificate for outbound connections in reverse and forwarding proxy modesPROXY_TLS_ADMIN_CLIENT_CERTIFICATE
–cors-origins valueorigins to add to the CORE origins control (Access-Control-Allow-Origin)
–cors-methods valuemethods permitted in the access control (Access-Control-Allow-Methods)
–cors-headers valueset of headers to add to the CORS access control (Access-Control-Allow-Headers)
–cors-exposed-headers valueexpose cors headers access control (Access-Control-Expose-Headers)
–cors-credentialscredentials access control header (Access-Control-Allow-Credentials)falsePROXY_CORS_CREDENTIALS
–cors-max-age valuemax age applied to cors headers (Access-Control-Max-Age)0sPROXY_CORS_MAX_AGE
–hostnames valuelist of hostnames the service will respond to
–store-url valueurl for the storage subsystem, e.g redis://user:secret@localhost:6379/0?protocol=3, only supported is redis usig redis uri specPROXY_STORE_URL
–encryption-key valueencryption key used to encryption the session statePROXY_ENCRYPTION_KEY
–enable-hmacenable creating hmac for forwarded requests and verification on incoming requestsfalsePROXY_ENABLE_HMAC
–no-proxy valuedo not proxy requests to upstream, useful for forward-auth usage (with nginx, traefik)PROXY_NO_PROXY
–no-redirectsdo not have back redirects when no authentication is present, 401 themfalsePROXY_NO_REDIRECTS
–skip-token-verificationTESTING ONLY; bypass token verification, only expiration and roles enforcedfalsePROXY_SKIP_TOKEN_VERIFICATION
–skip-access-token-issuer-checkaccording RFC issuer should not be checked on access token, this will be default true in futuretruePROXY_SKIP_ACCESS_TOKEN_ISSUER_CHECK
–skip-access-token-clientid-checkaccording RFC client id should not be checked on access token, this will be default true in futuretruePROXY_SKIP_ACCESS_TOKEN_CLIENT_ID_CHECK
–skip-authorization-header-identityskip authorization header identity, means that we won’t be extracting token from authorization header, only from cookie or fail if even no cookie present (e.g. if authorization header is used only by application behind gatekeeper)"`falsePROXY_SKIP_AUTHORIZATION_HEADER_IDENTITY
–upstream-keepalivesenables or disables the keepalive connections for upstream endpointtruePROXY_UPSTREAM_KEEPALIVES
–upstream-timeout valuemaximum amount of time a dial will wait for a connect to complete10sPROXY_UPSTREAM_TIMEOUT
–upstream-keepalive-timeout valuespecifies the keep-alive period for an active network connection10sPROXY_UPSTREAM_KEEPALIVE_TIMEOUT
–upstream-tls-handshake-timeout valuethe timeout placed on the tls handshake for upstream10sPROXY_UPSTREAM_TLS_HANDSHAKE_TIMEOUT
–upstream-response-header-timeout valuethe timeout placed on the response header for upstream10sPROXY_UPSTREAM_RESPONSE_HEADER_TIMEOUT
–upstream-expect-continue-timeout valuethe timeout placed on the expect continue for upstream10sPROXY_UPSTREAM_EXPECT_CONTINUE_TIMEOUT
–verboseswitch on debug / verbose loggingfalsePROXY_VERBOSE
–enabled-proxy-protocolenable proxy protocolfalsePROXY_ENABLE_PROXY_PROTOCOL
–max-idle-connections valuemax idle upstream / keycloak connections to keep alive, ready for reuse0PROXY_MAX_IDLE_CONNS
–max-idle-connections-per-host valuelimits the number of idle connections maintained per host0PROXY_MAX_IDLE_CONNS_PER_HOST
–server-grace-timeout valuethe server graceful period before shutdown10sPROXY_SERVER_GRACE_TIMEOUT
–server-read-timeout valuethe server read timeout on the http server10sPROXY_SERVER_READ_TIMEOUT
–server-write-timeout valuethe server write timeout on the http server10sPROXY_SERVER_WRITE_TIMEOUT
–server-idle-timeout valuethe server idle timeout on the http server2m0sPROXY_SERVER_IDLE_TIMEOUT
–use-letsencryptuse letsencrypt for certificatesfalsePROXY_USE_LETS_ENCRYPT
–letsencrypt-cache-dir valuepath where cached letsencrypt certificates are stored./cache/PROXY_LETS_ENCRYPT_CACHE_DIR
–sign-in-page valuepath to custom template displayed for signinPROXY_SIGN_IN_PAGE
–forbidden-page valuepath to custom template used for access forbiddenPROXY_FORBIDDEN_PAGE
–error-page valuepath to custom template displayed for http.StatusBadRequestPROXY_ERROR_PAGE
–tags valuekeypairs passed to the templates at render,e.g title=Page
–forwarding-grant-type valuegrant-type to use when logging into the openid provider, can be one of password, client_credentialspasswordPROXY_FORWARDING_GRANT_TYPE
–forwarding-username valueusername to use when logging into the openid providerPROXY_FORWARDING_USERNAME
–forwarding-password valuepassword to use when logging into the openid providerPROXY_FORWARDING_PASSWORD
–forwarding-domains valuelist of domains which should be signed; everything else is relayed unsigned
–enable-loaenable level of authenticationfalse
–disable-all-loggingdisables all logging to stdout and stderrfalsePROXY_DISABLE_ALL_LOGGING
–help, -hshow help
–version, -vprint the version