@ -25,7 +25,7 @@ allowed.
## `tcp` Listener Parameters
- `purpose` `(string: "")` - Specifies the purpose. Can be `api`, `cluster`, or
`proxy`.
`proxy`.
- `address` `(string: "127.0.0.1:9200")` – Specifies the address to bind to for
listening.
@ -63,30 +63,25 @@ allowed.
assumes TLS by default, so you must explicitly disable TLS to opt-in to
insecure communication.
- `tls_cert_file` `(string: <required-if-enabled>, reloads-on-SIGHUP)` –
- `tls_cert_file` `(string: <required-if-enabled>` –
Specifies the path to the certificate for TLS. To configure the listener to
use a CA certificate, concatenate the primary certificate and the CA
certificate together. The primary certificate should appear first in the
combined file. On `SIGHUP`, the path set here _at Boundary startup_ will be used
for reloading the certificate; modifying this value while Boundary is running
will have no effect for `SIGHUP`s.
combined file.
- `tls_key_file` `(string: <required-if-enabled>, reloads-on-SIGHUP)` –
- `tls_key_file` `(string: <required-if-enabled>` –
Specifies the path to the private key for the certificate. If the key file
is encrypted, you will be prompted to enter the passphrase on server startup.
The passphrase must stay the same between key files when reloading your
configuration using `SIGHUP`. On `SIGHUP`, the path set here _at Boundary
startup_ will be used for reloading the certificate; modifying this value
while Boundary is running will have no effect for `SIGHUP`s.
- `tls_min_version` `(string: "tls12")` – Specifies the minimum supported
version of TLS. Accepted values are "tls10", "tls11", "tls12" or "tls13".
~> **Warning**: TLS 1.1 and lower are generally considered insecure.
- `tls_cipher_suites` `(string: "")` – Specifies the list of supported
ciphersuites as a comma-separated-list. The list of all available ciphersuites
is available in the [Golang TLS documentation][golang-tls].
- `tls_cipher_suites` `(string: "")` – Override the default list of supported
ciphersuites (which varies by TLS version) with the the specified
comma-delimited list. The list of all available ciphersuites is available in
the [Golang TLS documentation][golang-tls].
- `tls_prefer_server_cipher_suites` `(string: "false")` – Specifies to prefer the
server's ciphersuite over the client ciphersuites.
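Review bot: the rewritten `tls_cipher_suites` description has a doubled word, "with the the specified comma-delimited list"; drop one "the". Two smaller points on the same hunk: the new `reloads-on-SIGHUP` marker inside the type parentheses of `tls_cert_file` and `tls_key_file` is not explained anywhere in the parameter line itself, so say once what it means (the files at the paths captured at startup are re-read on `SIGHUP`; the parameter value is not), which the body sentences already state but a reader scanning the parameter line will miss; and for `tls_key_file`, tie the "passphrase must stay the same between key files" requirement to the fact that the passphrase is only prompted for on server startup, so it is clear that a key with a different passphrase cannot be picked up via `SIGHUP` and needs a restart.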