@ -26,6 +26,8 @@ allowed.
## `unix` Listener Parameters
### General
- `purpose` `(string: "")` - Specifies the purpose. Can be `api` or `cluster`.
- `address` `(string: "")` – Specifies the address (filesystem path) to bind to
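Review bot: the `purpose` entry lists only `api` or `cluster` as accepted values, but the TLS note later in this same file refers to `proxy` connections as well; if `proxy` is not a valid purpose for a `unix` listener, say so in the `purpose` entry, and if it is, add it to the list. Two smaller points in the same hunk: the `address` bullet uses an en dash (`–`) after the type while `purpose` uses a hyphen (`-`), so pick one separator for the section, and the `address` description as shown ends at "to bind to", so check that the rest of that sentence made it into the commit.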
@ -60,22 +62,29 @@ allowed.
request duration allowed before Boundary cancels the request. This overrides
`default_max_request_duration` for this listener.
### TLS
~> All `tls` parameters are valid only for the `api` listener. `cluster` and
`proxy` connections use their own ephemeral TLS stacks. For more information,
see [the connections security concepts
page](https://www.boundaryproject.io/docs/concepts/security/connections-tls).
- `tls_disable` `(string: "false")` – Specifies if TLS will be disabled. Boundary
assumes TLS by default, so you must explicitly disable TLS to opt-in to
insecure communication.
- `tls_cert_file` `(string: <required-if-enabled>, reloads-on-SIGHUP)` –
- `tls_cert_file` `(string: <required-if-enabled, reloads-on-SIGHUP>)` –
Specifies the path to the certificate for TLS. To configure the listener to
use a CA certificate, concatenate the primary certificate and the CA
certificate together. The primary certificate should appear first in the
combined file. On `SIGHUP`, the path set here _at Boundary startup_ will be used
for reloading the certificate; modifying this value while Boundary is running
will have no effect for `SIGHUP`s.
- `tls_key_file` `(string: <required-if-enabled>, reloads-on-SIGHUP)` –
Specifies the path to the private key for the certificate. If the key file
is encrypted, you will be prompted to enter the passphrase on server startup.
The passphrase must stay the same between key files when reloading your
combined file. On `SIGHUP`, the path set here _at Boundary startup_ will be
used for reloading the certificate; modifying this value while Boundary is
running will have no effect for `SIGHUP`s.
- `tls_key_file` `(string: <required-if-enabled, reloads-on-SIGHUP>)` –
Specifies the path to the private key for the certificate. If the key file is
encrypted, you will be prompted to enter the passphrase on server startup. The
passphrase must stay the same between key files when reloading your
configuration using `SIGHUP`. On `SIGHUP`, the path set here _at Boundary
startup_ will be used for reloading the certificate; modifying this value
while Boundary is running will have no effect for `SIGHUP`s.
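Review bot: the `~>` note says the `tls` parameters are valid only for the `api` listener, but none of the entries say what happens when, for example, `tls_disable` or `tls_cert_file` is set on a listener whose `purpose` is `cluster`: silently ignored, or rejected as a configuration error. State it once in the note, e.g. "setting them on a non-`api` listener is ignored" or "is rejected at startup", whichever the config parser does, since an operator who expects a rejection may otherwise believe a mis-scoped certificate is in use. Smaller point on the type annotations: moving `reloads-on-SIGHUP` inside the angle brackets (`<required-if-enabled, reloads-on-SIGHUP>`) merges a reload property into what reads as the value placeholder; keeping the property outside the brackets, as the other entries keep their defaults as a single token, reads more clearly. The reworded `tls_key_file` paragraph does fix the "when reloading your combined file" sentence, which had been carried over from `tls_cert_file`.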
@ -83,17 +92,18 @@ allowed.
- `tls_min_version` `(string: "tls12")` – Specifies the minimum supported
version of TLS. Accepted values are "tls10", "tls11", "tls12" or "tls13".
~> **Warning**: TLS 1.1 and lower are generally considered insecure.
!> TLS 1.1 and lower are generally considered insecure.
- `tls_max_version` `(string: "tls13")` – Specifies the maximum supported
version of TLS, useful if appliances (e.g. load balancers) are not yet capable
of higher levels. Accepted values are "tls10", "tls11", "tls12" or "tls13".
~> **Warning**: TLS 1.1 and lower are generally considered insecure.
!> TLS 1.1 and lower are generally considered insecure.
- `tls_cipher_suites` `(string: "")` – Specifies the list of supported
ciphersuites as a comma-separated-list. The list of all available ciphersuites
is available in the [Golang TLS documentation][golang-tls].
- `tls_cipher_suites` `(string: "")` – Override the default list of supported
ciphersuites (which varies by TLS version) with the the specified
comma-delimited list. The list of all available ciphersuites is available in
the [Golang TLS documentation][golang-tls].
- `tls_prefer_server_cipher_suites` `(string: "false")` – Specifies to prefer the
server's ciphersuite over the client ciphersuites.
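Review bot: typo in the new `tls_cipher_suites` text: "with the the specified comma-delimited list" doubles "the". Since that sentence now says the default list varies by TLS version, it should also say whether the override applies to the TLS 1.3 suites or only to TLS 1.2 and below; otherwise a reader who sets a restricted list together with `tls_max_version` "tls13" cannot tell from this page which suites are actually negotiated. Replacing `~> **Warning**:` with the `!>` callout for `tls_min_version` and `tls_max_version` is fine, but `tls_max_version` lists "tls10" and "tls11" as accepted values while `tls_min_version` defaults to "tls12"; a sentence stating that `tls_max_version` must not be lower than `tls_min_version`, and what Boundary does if it is, would close that gap.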