osh-http-proxy.conf

Note

This module is optional, and disabled by default. To know more about the HTTP Proxy feature of The Bastion, please check the HTTPS Proxy section

Option List

HTTP Proxy configuration options

These options modify the behavior of the HTTP Proxy, an optional module of The Bastion

• enabled

• port

• ssl_certificate

• ssl_key

• ciphers

• insecure

• min_servers

• max_servers

• min_spare_servers

• max_spare_servers

• timeout

• log_request_response

• log_request_response_max_size

• allowed_egress_protocols

Option Reference

HTTP Proxy configuration

enabled

Type:

bool

Default:

false

Whether the HTTP proxy daemon daemon is enabled or not. If it's not enabled, it'll exit when started. Of course, if you want to enable this daemon, you should also configure your init system to start it for you. Both sysV-style scripts and systemd unit files are provided. For systemd, using systemctl enable osh-http-proxy.service should be enough. For sysV-style inits, it depends on the scripts provided for your distro, but usually update-rc.d osh-http-proxy defaults then update-rc.d osh-http-proxy enable should do the trick.

port

Type:

int, 1 to 65535

Default:

8443

The port to listen to. You can use ports < 1024, in which case privileges will be dropped after binding, but please ensure your systemd unit file starts the daemon as root in that case.

ssl_certificate

Type:

string

Default:

/etc/ssl/certs/ssl-cert-snakeoil.pem

The file that contains the server SSL certificate in PEM format. For tests, install the ssl-cert package and point this configuration item to the snakeoil certs (which is the default).

ssl_key

Type:

string

Default:

/etc/ssl/private/ssl-cert-snakeoil.key

The file that contains the server SSL key in PEM format. For tests, install the ssl-cert package and point this configuration item to the snakeoil certs (which is the default).

ciphers

Type:

string

Default:

""

Example:

"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

The ordered list the TLS server ciphers, in openssl classic format. Use openssl ciphers to see what your system supports, an empty list leaves the choice to your openssl libraries default values (system-dependent)

insecure

Type:

bool

Default:

false

Whether to ignore SSL certificate verification for the connection between the bastion and the devices

min_servers

Type:

int, 1 to 512

Default:

8

Number of child processes to start at launch

max_servers

Type:

int, 1 to 512

Default:

32

Hard maximum number of child processes that can be active at any given time no matter what

min_spare_servers

Type:

int, 1 to 512

Default:

8

The daemon will ensure that there is at least this number of children idle & ready to accept new connections (as long as max_servers is not reached)

max_spare_servers

Type:

int, 1 to 512

Default:

16

The daemon will kill idle children to keep their number below this maximum when traffic is low

timeout

Type:

int, 1 to 3600

Default:

120

Timeout delay (in seconds) for the connection between the bastion and the devices

log_request_response

Type:

bool

Default:

true

When enabled, the complete response of the device to the request we forwarded will be logged, otherwise we'll only log the response headers

log_request_response_max_size

Type:

int, 0 to 2^30 (1 GiB)

Default:

65536

This option only applies when log_request_response is true (see above). When set to zero, the complete response will be logged in the account's home log directory, including the body, regardless of its size. If set to a positive integer, the query response will only be partially logged, with full status and headers but the body only up to the specified size. This is a way to avoid turning off request response logging completely on very busy bastions, by ensuring logs growth don't get out of hand, as some responses to queries can take megabytes, with possibly limited added value to traceability.

allowed_egress_protocols

Type:

array of strings

Default:

["https"]

Example:

["https","http"]

This array lists the allowed egress protocols. By default, only https is allowed. If required, plain http egress can be enabled here, which is of course strongly discouraged, but might be required for your environment if business constraints out of your control force you to.