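---
# example_config.yaml
#
# NOTE(review): this listing had lost all indentation, which left keys such as
# `port`, `enable` and `caPath` duplicated at one level. The nesting below is
# reconstructed from key order and naming; verify it against the project's
# configuration schema before use. All values are unchanged.
version: v2.0.0
server:
  port: 8082
  shutdownTimeout: 10s
  shutdownDelay: 9s
  disableKeepAlives: true
  tls:
    enable: true
    # The three paths below point at dummy test fixtures. Replace them with
    # real material before deployment and keep the private key readable only
    # by the service account.
    certPath: "test/data/dummyServer.crt"
    keyPath: "test/data/dummyServer.key"
    # presumably the CA bundle used to verify client certificates; confirm
    caPath: "test/data/dummyCa.pem"
    certRefreshPeriod: "24h"
    # CBC-mode suites listed here are switched off (per the key name).
    disableCipherSuites:
      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
      - TLS_RSA_WITH_AES_256_CBC_SHA
      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
      - TLS_RSA_WITH_AES_128_CBC_SHA
      - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # 3DES is a 64-bit block cipher (birthday-bound collisions on long-lived
    # connections), and the TLS_RSA_* variant has no forward secrecy. These
    # entries illustrate the option; leave the list empty in production
    # unless a legacy client requires one of them.
    enableInsecureCipherSuites:
      - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
      - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  healthCheck:
    port: 6082
    endpoint: /healthz
  debug:
    # Disabled here. `dump` and `profiling` presumably take effect only when
    # `enable` is true; such endpoints expose internal state, so if they are
    # ever enabled, keep the port off untrusted networks.
    enable: false
    port: 6083
    timeout: 10s
    dump: true
    profiling: true
  metrics:
    port: 6084
athenz:
  url: https://athenz.io:4443/zts/v1
  timeout: 30s
  # NOTE(review): the underscore-wrapped value looks like a placeholder or an
  # indirection rather than a file path; confirm how the loader resolves it.
  caPath: _athenz_root_ca_
  # caPath: /etc/ssl/cert.pem
proxy:
  # Traffic to the origin is plain HTTP. That is only acceptable while the
  # origin stays on the loopback interface, as it does here.
  scheme: http
  host: localhost
  port: 80
  bufferSize: 4096
  originHealthCheckPaths: []
  # Per the key name, requests matching these paths skip authorization. Keep
  # the list minimal and the wildcards narrow. The third entry's name suggests
  # regex metacharacters are matched literally; confirm against the matcher.
  noAuthPaths:
    - "/no-auth/any/*"
    - "/no-auth/single/a?c"
    - "/no-auth/no-regex/^$|([{"
  # presumably forwards the client's Host header unchanged; the origin should
  # not base security decisions on it. Confirm.
  preserveHost: true
  transport:
    # Field names look like Go's http.Transport. If so, 0 means "no limit" and
    # a "0" timeout means "wait forever", so a slow origin can hold
    # connections open. Confirm, and set explicit bounds for production.
    tlsHandshakeTimeout: "10s"
    disableKeepAlives: false
    disableCompression: false
    maxIdleConns: 100
    maxIdleConnsPerHost: 0
    maxConnsPerHost: 0
    idleConnTimeout: "90s"
    responseHeaderTimeout: "0"
    expectContinueTimeout: "1s"
    maxResponseHeaderBytes: 0
    writeBufferSize: 0
    readBufferSize: 0
    forceAttemptHTTP2: true
    dialContext:
      timeout: "1s"
  originLog:
    statusCode:
      enable: true
      exclude:
        - 200
authorization:
  athenzDomains:
    - provider-domain1
    - provider-domain2
  publicKey:
    sysAuthDomain: sys.auth
    refreshPeriod: 24h
    retryDelay: ""
    eTagExpiry: 168h
    eTagPurgePeriod: 84h
  policy:
    # false keeps policy processing on (per the key name).
    disable: false
    expiryMargin: 48h
    refreshPeriod: 1h
    purgePeriod: 24h
    retryDelay: ""
    retryAttempts: 0
    mappingRules:
      domain1:
        - method: get
          action: action
          path: "/path1/{path2}"
          resource: path1.{path2}
        - method: get
          action: action
          path: "/path?param={value}"
          resource: "path.{value}"
      domain2:
        - method: get
          action: action
          path: "/path1/{path2}?param={value}"
          resource: "{path2}.{value}"
    resourcePrefix: /public
  jwk:
    refreshPeriod: ""
    retryDelay: ""
    # Placeholder URLs. The first one is plain http: a key set fetched without
    # TLS can be replaced in transit, and tokens signed with the substituted
    # key would then verify. Use https endpoints only in a real deployment.
    urls:
      - http://your-jwk-set-url1
      - https://your-jwk-set-url2
  accessToken:
    enable: true
    # presumably binds the token to the presented client certificate; keep
    # enabled. Confirm.
    verifyCertThumbprint: true
    verifyClientID: true
    # Looks like certificate common name -> client IDs allowed to present
    # tokens under that certificate. Confirm.
    authorizedClientIDs:
      common_name1:
        - client_id1
        - client_id2
      common_name2:
        - client_id1
        - client_id2
    # NOTE(review): these look like tolerance windows around certificate
    # issuance for the thumbprint check; larger values would loosen the
    # binding. Confirm the semantics and keep them as small as rotation allows.
    certBackdateDuration: 1h
    certOffsetDuration: 1h
    accessTokenAuthHeader: Authorization
  roleToken:
    enable: true
    roleAuthHeader: Athenz-Role-Auth
log:
  # debug is verbose and may record request details; prefer a quieter level in
  # production.
  level: debug
  color: true
  outputAuthorizedPrincipalName: false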