-
Notifications
You must be signed in to change notification settings - Fork 39
/
config.example.yaml
84 lines (76 loc) · 2.51 KB
/
config.example.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# Copyright 2016 CoreOS, Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
jwtproxy:
signer_proxy:
enabled: true
listen_addr: :8080
shutdown_timeout: 1m
# CA used to forge certificates used by
# the proxy's MITM mechanism.
ca_key_file: ca.key
ca_crt_file: ca.crt
# Certificates to be trusted by the proxy when its MITM mechanism communicates with remotes.
# This is optional. Specifying it currently replaces system root certificates entirely.
trusted_certificates:
- localhost.crt
# Whether the remotes' certificate chain and host name should be verified.
insecure_skip_verify: false
signer:
issuer: jwtproxy
expiration_time: 5m
max_skew: 1m
nonce_length: 32 # length of generated nonces
# private_key:
# type: preshared
# options:
# key_id: mykey
# private_key_path: mykey.key
private_key:
type: autogenerated
options:
rotate_every: 12h
key_server:
type: keyregistry
options:
registry: http://localhost:8888/
verifier_proxies:
- enabled: true
listen_addr: :8081
shutdown_timeout: 1m
# Key pair used to terminate TLS.
key_file: localhost.key
crt_file: localhost.crt
verifier:
upstream: http://localhost:9090/
audience: https://localhost:8081/ # host used to talk to the verifier proxy
max_skew: 1m # maximum accepted skew for the iat claim
max_ttl: 5m # maximum expiration duration that a JWT can be signed for to be accepted
#key_server:
# type: preshared
# options:
# issuer: jwtproxy
# key_id: mykey
# public_key_path: mykey.crt
key_server:
type: keyregistry
options:
registry: http://localhost:8888/
nonce_storage:
type: local
options:
purge_interval: 1m # interval between expired expired nonce cleanups
claims_verifiers:
- type: static
options:
iss: jwtproxy