Envoy Proxy
Environment variables that override the default values:

| Key | Default | Type | Description |
|---|---|---|---|
| COMPONENTLOGLEVEL | grpc:debug,config:debug | str | Envoy's component-specific log levels, as comma-separated component:level pairs |
| FYDE_PROXY_HOST | proxy-client | str | Orchestrator's hostname / DNS record |
| FYDE_PROXY_PORT | 50051 | str | Orchestrator's service port |
| LOGLEVEL | info | str | Envoy's global log level |
Proxy Orchestrator
The following override mechanisms are processed in order; the last mechanism that sets a key supplies its final value:

1. Default value
2. Configuration pushed from the CloudGen Access Enterprise Console
3. overrides.json file in the current working directory of the service process
4. Docker provisioned secret (/run/secrets/<key>)
5. AWS SSM parameter (all keys prefixed with the value of the 'prefix' key; disable this lookup with the environment variable DISABLE_AWS_SSM=1)
6. AWS Secrets Manager secret (all keys prefixed with the value of the 'prefix' key; disable this lookup with the environment variable DISABLE_AWS_SEC_MANAGER=1)
7. Environment variable: the key in upper case, prefixed with FYDE_ (redis_host is read from FYDE_REDIS_HOST)
8. Command-line argument in long-form notation, with the key's underscores converted to dashes (redis_host becomes --redis-host)

Because later layers win, a value placed in the environment or on the command line silently replaces one delivered through a Docker secret or AWS; when auditing a deployment, check all eight layers, not just the one you expect to be in use.
| Key | Default | Type | Description |
|---|---|---|---|
| authz_pubkey | None | str | Authorizer EC public key (used to verify authorization JWTs) |
| authz_timeout | 30 | int | CloudGen Access authorization call timeout (seconds) |
| enable_ipv6 | False | bool | Enable IPv6 for DNS resolution in Envoy |
| enrollment_token | None | str | Enrollment token provided by the CloudGen Access Enterprise Console |
| envoy_listener_ip | '0.0.0.0' | str | Envoy Proxy listener IP ('0.0.0.0' binds all interfaces) |
| envoy_listener_port | 8000 | int | Envoy Proxy listener port |
| envoy_prometheus | True | bool | Expose Prometheus metrics for Envoy Proxy status |
| envoy_prometheus_ip | '0.0.0.0' | str | Listener IP for the Envoy Proxy Prometheus metrics endpoint ('0.0.0.0' binds all interfaces) |
| envoy_prometheus_port | 9000 | int | Listener port for the Envoy Proxy Prometheus metrics endpoint |
| grpc_insecure | True | bool | gRPC insecure mode (plaintext, no TLS) for the CloudGen Access Proxy Orchestrator's gRPC listener |
| grpc_listener | '[::]:50051' | str | gRPC listener address for the CloudGen Access Proxy Orchestrator |
| http_proxy | None | str | Use an HTTP proxy. Example: "http://proxy.host:1234/" or "socks5://10.0.0.1:5555" |
| https_proxy | None | str | Use an HTTPS proxy. Example: "https://proxy.host:1234/" or "socks5://10.0.0.1:5555" |
| prefix | fyde_ | str | Prefix prepended to key names when they are looked up in AWS SSM and AWS Secrets Manager |
| proxy_prometheus | True | bool | Expose Prometheus metrics for CloudGen Access Proxy Orchestrator status |
| proxy_prometheus_ip | '0.0.0.0' | str | Listener IP for the CloudGen Access Proxy Orchestrator Prometheus metrics endpoint ('0.0.0.0' binds all interfaces) |
| proxy_prometheus_port | 9010 | int | Listener port for the CloudGen Access Proxy Orchestrator Prometheus metrics endpoint |
| redis_ssl | False | bool | Enable SSL/TLS for Redis connections |
| redis_sentinel_ssl | False | bool | Enable SSL/TLS for Redis Sentinel connections |
| redis_ssl_cert_reqs | 'none' | str | Server certificate verification: one of 'none' (the server certificate is not verified), 'optional', 'required'. Use 'required' together with redis_ssl_ca_certs when Redis is reached over a network you do not fully trust |
| redis_ssl_key | None | str | Redis/Sentinel SSL client authentication private key. Either a path to a file holding the key or the key content inlined in the variable |
| redis_ssl_cert | None | str | Redis/Sentinel SSL client authentication certificate. Either a path to a file holding the certificate or the certificate content inlined in the variable |
| redis_ssl_ca_certs | None | str | Redis/Sentinel SSL CA trust anchors. Either a path to a file holding the certificates or the certificate content inlined in the variable |
| redis_auth | None | str | Redis auth key |
| redis_db | 0 | int | Redis database |
| redis_host | None | str | Redis host; used in HA mode only. Leave empty when the CloudGen Access Proxy runs in single mode |
| redis_port | 6379 | int | Redis port |
| redis_timeout | 1.0 | float | Redis socket_timeout in seconds |
| redis_sentinel_hosts | None | str | Redis Sentinel hosts, as a comma-separated list of host:port pairs |
| redis_sentinel_service_name | None | str | Redis Sentinel service (cluster) name |
| redis_sentinel_wait_for_primary | 30 | int | Redis Sentinel time in seconds to wait for the primary |
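The override chain above, worked through in code, so that the precedence of the eight layers, the FYDE_ / upper-case and --dash key transformations, and the type coercion implied by the key table can be checked against a constructed deployment. This is an added example, not the Proxy Orchestrator's own code; the names `resolve`, `coerce`, `parse_cli` and `demo`, the accepted boolean spellings, the treatment of a bare `--flag` as true, the stand-in `Lookup` callables in place of real AWS clients, and the choice to settle `prefix` from the non-AWS layers before any AWS lookup are all assumptions of this example. Every input in `demo` is constructed.

```python
"""Added example (not CloudGen Access code): resolve settings through the
documented override chain and report which layer supplied the final value."""
import json
import os
import tempfile
from pathlib import Path
from typing import Any, Callable, Dict, Iterator, Mapping, Optional, Sequence, Tuple

# Stand-in for an AWS SSM / Secrets Manager client: full name -> value or None
Lookup = Callable[[str], Optional[str]]

# Subset of the key table: key -> (default, declared type)
SCHEMA: Dict[str, Tuple[Any, type]] = {
    "authz_timeout": (30, int),
    "enable_ipv6": (False, bool),
    "grpc_insecure": (True, bool),
    "grpc_listener": ("[::]:50051", str),
    "prefix": ("fyde_", str),
    "redis_ssl_cert_reqs": ("none", str),
    "redis_timeout": (1.0, float),
}
TRUE, FALSE = {"1", "true", "yes", "on"}, {"0", "false", "no", "off"}  # assumed spellings


def coerce(value: Any, typ: type) -> Any:
    """Cast a raw file/env/CLI string to the table's declared type."""
    if typ is bool:
        if isinstance(value, bool):
            return value
        s = str(value).strip().lower()
        if s in TRUE:
            return True
        if s in FALSE:
            return False
        raise ValueError(f"not a boolean: {value!r}")
    return typ(value)


def parse_cli(argv: Sequence[str]) -> Dict[str, str]:
    """'--redis-timeout=2' or '--redis-timeout 2' -> {'redis_timeout': '2'}."""
    out: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        if argv[i].startswith("--"):
            name, eq, val = argv[i][2:].partition("=")
            if not eq:
                nxt = argv[i + 1] if i + 1 < len(argv) else None
                if nxt is not None and not nxt.startswith("--"):
                    val, i = nxt, i + 1
                else:
                    val = "true"  # bare flag: assumption of this example
            out[name.replace("-", "_")] = val  # dashes back to the table's key name
        i += 1
    return out


def resolve(
    console: Optional[Mapping[str, Any]] = None,
    overrides_path: Path = Path("overrides.json"),  # CWD of the service process
    secrets_dir: Path = Path("/run/secrets"),
    ssm: Optional[Lookup] = None,
    secrets_manager: Optional[Lookup] = None,
    environ: Optional[Mapping[str, str]] = None,
    argv: Sequence[str] = (),
) -> Dict[str, Tuple[Any, str]]:
    """Return {key: (value, layer_that_won)} for every key in SCHEMA."""
    env = os.environ if environ is None else environ
    console = console or {}
    overrides = json.loads(overrides_path.read_text()) if overrides_path.is_file() else {}
    cli = parse_cli(argv)

    def layers(key: str, prefix: str, aws: bool) -> Iterator[Tuple[str, Any]]:
        # Documented order: each later layer that sets the key replaces the earlier value.
        yield "default", SCHEMA[key][0]
        yield "console", console.get(key)
        yield "overrides.json", overrides.get(key)
        secret = secrets_dir / key
        yield "docker-secret", secret.read_text().strip() if secret.is_file() else None
        if aws and ssm and env.get("DISABLE_AWS_SSM") != "1":
            yield "aws-ssm", ssm(prefix + key)
        if aws and secrets_manager and env.get("DISABLE_AWS_SEC_MANAGER") != "1":
            yield "aws-secretsmanager", secrets_manager(prefix + key)
        yield "env", env.get("FYDE_" + key.upper())
        yield "cli", cli.get(key)

    def pick(key: str, prefix: str, aws: bool) -> Tuple[Any, str]:
        value, source = SCHEMA[key][0], "default"
        for name, raw in layers(key, prefix, aws):
            if raw is not None:  # a layer only wins if it actually sets the key
                value, source = coerce(raw, SCHEMA[key][1]), name
        return value, source

    # 'prefix' names the AWS keys, so it is settled first and not read from AWS (assumption).
    prefix, _ = pick("prefix", "", aws=False)
    return {key: pick(key, prefix, aws=True) for key in SCHEMA}


def demo() -> Dict[str, Tuple[Any, str]]:
    """Constructed scenario with every layer populated, to show which one wins."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "overrides.json").write_text(json.dumps({"grpc_insecure": True, "redis_timeout": 2.5}))
        (root / "secrets").mkdir()
        (root / "secrets" / "authz_timeout").write_text("45\n")
        ssm = {"acme_grpc_insecure": "true", "acme_enable_ipv6": "1"}.get
        sm = {"acme_enable_ipv6": "false"}.get  # never consulted: disabled via env below
        env = {"FYDE_PREFIX": "acme_", "FYDE_GRPC_INSECURE": "false", "DISABLE_AWS_SEC_MANAGER": "1"}
        argv = ["--redis-ssl-cert-reqs=required", "--grpc-listener", "127.0.0.1:50051"]
        return resolve(console={"authz_timeout": 15}, overrides_path=root / "overrides.json",
                       secrets_dir=root / "secrets", ssm=ssm, secrets_manager=sm,
                       environ=env, argv=argv)


if __name__ == "__main__":
    for key, (value, source) in demo().items():
        print(f"{key:24} = {value!r:20} (from {source})")
```

In the constructed scenario the environment variable FYDE_GRPC_INSECURE=false overrides both overrides.json and the SSM parameter, the command line overrides everything for grpc_listener and redis_ssl_cert_reqs, and Secrets Manager is skipped entirely because DISABLE_AWS_SEC_MANAGER=1 is set. Reporting the winning layer alongside each value is the check worth keeping in a real deployment: it makes an unexpected plaintext listener or disabled certificate verification traceable to the file, secret, variable or argument that introduced it.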