diff --git a/etc/ctrl.with.edge.yml b/etc/ctrl.with.edge.yml index f497db943..6943f16e5 100644 --- a/etc/ctrl.with.edge.yml +++ b/etc/ctrl.with.edge.yml @@ -108,6 +108,7 @@ ctrl: # handler: # type: file # format: json +# # do not commit uncommented as it causes startup issues for non-linux environments # path: /tmp/ziti-events.log # usageLogger: # subscriptions: @@ -164,7 +165,7 @@ edge: # address - required # The default address (host:port) to use for enrollment for the Client API. This value must match one of the addresses # defined in a bind point's address field for the `edge-client` API in the web section. - address: 127.0.0.1:443 + address: 127.0.0.1:1280 # enrollment - required # A section containing settings pertaining to enrollment. enrollment: 
@@ -197,103 +198,82 @@ edge: web: # name - required # Provides a name for this listener, used for logging output. Not required to be unique, but is highly suggested. - - name: client1 + - name: all-apis-localhost + # bindPoints - required + # One or more bind points are required. A bind point specifies an interface (interface:port string) that defines + # where on the host machine the webListener will listen and the address (host:port) that should be used to + # publicly address the webListener(i.e. mydomain.com, localhost, 127.0.0.1). This public address may be used for + # incoming address resolution as well as used in responses in the API. bindPoints: - - interface: 0.0.0.0:443 - address: 127.0.0.1:443 - apis: - - binding: edge-client - options: {} - - name: all-the-rest - bindPoints: - - interface: 0.0.0.0:8443 - address: 127.0.0.1:8443 + #interface - required + # A host:port string on which network interface to listen on. 0.0.0.0 will listen on all interfaces + - interface: 127.0.0.1:1280 + + # address - required + # The public address that external incoming requests will be able to resolve. Used in request processing and + # response content that requires full host:port/path addresses. + address: 127.0.0.1:1280 + + # newAddress - optional + # A host:port string which will be sent out as an HTTP header "ziti-new-address" if specified. If the header + # is present, clients should update location configuration to immediately use the new address for future + # connections. The value of newAddress must be resolvable both via DNS and validate via certificates + newAddress: localhost:1280 + # identity - optional + # Allows the webListener to have a specific identity instead of defaulting to the root `identity` section. 
+ # identity: + # cert: ${ZITI_SOURCE}/ziti/etc/ca/intermediate/certs/ctrl-client.cert.pem + # server_cert: ${ZITI_SOURCE}/ziti/etc/ca/intermediate/certs/ctrl-server.cert.pem + # key: ${ZITI_SOURCE}/ziti/etc/ca/intermediate/private/ctrl.key.pem + # ca: ${ZITI_SOURCE}/ziti/etc/ca/intermediate/certs/ca-chain.cert.pem + # options - optional + # Allows the specification of webListener level options - mainly dealing with HTTP/TLS settings. These options are + # used for all http servers started by the current webListener. + options: + # idleTimeout - optional, default 5000ms + # The maximum amount of idle time in milliseconds allowed for pipelined HTTP requests. Setting this too high + # can cause resources on the host to be consumed as clients remain connected and idle. Lowering this value + # will cause clients to reconnect on subsequent HTTPs requests. + idleTimeout: 5000ms #http timeouts, new + + # readTimeout - optional, default 5000ms + # The maximum amount of time in milliseconds http servers will wait to read the first incoming requests. A higher + # value risks consuming resources on the host with clients that are acting bad faith or suffering from high latency + # or packet loss. A lower value can risk losing connections to high latency/packet loss clients. + + readTimeout: 5000ms + # writeTimeout - optional, default 10000ms + # The total maximum time in milliseconds that the http server will wait for a single requests to be received and + # responded too. A higher value can allow long running requests to consume resources on the host. A lower value + # can risk ending requests before the server has a chance to respond. 
+ + writeTimeout: 100000ms + # minTLSVersion - optional, default TSL1.2 + # The minimum version of TSL to support + + minTLSVersion: TLS1.2 + # maxTLSVersion - optional, default TSL1.3 + # The maximum version of TSL to support + + maxTLSVersion: TLS1.3 + # apis - required + # Allows one or more APIs to be bound to this webListener apis: - - binding: edge-management - options: { } + # binding - required + # Specifies an API to bind to this webListener. Built-in APIs are + # - health-checks + # - edge-management + # - edge-client + # - fabric-management + - binding: health-checks - binding: fabric - options: { } - - binding: zac + - binding: edge-management + - binding: edge-client + - binding: edge-oidc options: - location: C:\Users\andre\repos\openziti\gross - indexFile: index.html -# -# - name: all-apis-localhost -# # bindPoints - required -# # One or more bind points are required. A bind point specifies an interface (interface:port string) that defines -# # where on the host machine the webListener will listen and the address (host:port) that should be used to -# # publicly address the webListener(i.e. mydomain.com, localhost, 127.0.0.1). This public address may be used for -# # incoming address resolution as well as used in responses in the API. -# bindPoints: -# #interface - required -# # A host:port string on which network interface to listen on. 0.0.0.0 will listen on all interfaces -# - interface: 127.0.0.1:1280 -# -# # address - required -# # The public address that external incoming requests will be able to resolve. Used in request processing and -# # response content that requires full host:port/path addresses. -# address: 127.0.0.1:1280 -# -# # newAddress - optional -# # A host:port string which will be sent out as an HTTP header "ziti-new-address" if specified. If the header -# # is present, clients should update location configuration to immediately use the new address for future -# # connections. 
The value of newAddress must be resolvable both via DNS and validate via certificates -# newAddress: localhost:1280 -# # identity - optional -# # Allows the webListener to have a specific identity instead of defaulting to the root `identity` section. -# # identity: -# # cert: ${ZITI_SOURCE}/ziti/etc/ca/intermediate/certs/ctrl-client.cert.pem -# # server_cert: ${ZITI_SOURCE}/ziti/etc/ca/intermediate/certs/ctrl-server.cert.pem -# # key: ${ZITI_SOURCE}/ziti/etc/ca/intermediate/private/ctrl.key.pem -# # ca: ${ZITI_SOURCE}/ziti/etc/ca/intermediate/certs/ca-chain.cert.pem -# # options - optional -# # Allows the specification of webListener level options - mainly dealing with HTTP/TLS settings. These options are -# # used for all http servers started by the current webListener. -# options: -# # idleTimeout - optional, default 5000ms -# # The maximum amount of idle time in milliseconds allowed for pipelined HTTP requests. Setting this too high -# # can cause resources on the host to be consumed as clients remain connected and idle. Lowering this value -# # will cause clients to reconnect on subsequent HTTPs requests. -# idleTimeout: 5000ms #http timeouts, new -# -# # readTimeout - optional, default 5000ms -# # The maximum amount of time in milliseconds http servers will wait to read the first incoming requests. A higher -# # value risks consuming resources on the host with clients that are acting bad faith or suffering from high latency -# # or packet loss. A lower value can risk losing connections to high latency/packet loss clients. -# -# readTimeout: 5000ms -# # writeTimeout - optional, default 10000ms -# # The total maximum time in milliseconds that the http server will wait for a single requests to be received and -# # responded too. A higher value can allow long running requests to consume resources on the host. A lower value -# # can risk ending requests before the server has a chance to respond. 
-# -# writeTimeout: 100000ms -# # minTLSVersion - optional, default TSL1.2 -# # The minimum version of TSL to support -# -# minTLSVersion: TLS1.2 -# # maxTLSVersion - optional, default TSL1.3 -# # The maximum version of TSL to support -# -# maxTLSVersion: TLS1.3 -# # apis - required -# # Allows one or more APIs to be bound to this webListener -# apis: -# # binding - required -# # Specifies an API to bind to this webListener. Built-in APIs are -# # - health-checks -# # - edge-management -# # - edge-client -# # - fabric-management -# - binding: health-checks -# - binding: fabric -# - binding: edge-management -# - binding: edge-client -# - binding: edge-oidc -# options: -# redirectURIs: -# - "http://localhost:*/auth/callback" -# - "http://127.0.0.1:*/auth/callback" + redirectURIs: + - "http://localhost:*/auth/callback" + - "http://127.0.0.1:*/auth/callback" commandRateLimiter: enabled: true
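Review bot: `writeTimeout: 100000ms` on the new all-apis-localhost listener is ten times the 10000ms default that its own comment two lines above states, which looks like a stray zero; a 100-second write window lets a slow or stalled client hold its connection and server resources far longer than the comment's guidance intends, so it should read `writeTimeout: 10000ms` unless the longer value is deliberate, in which case the comment should say why. The `apis` comment in the same hunk enumerates the built-in APIs as health-checks, edge-management, edge-client and fabric-management, while the bindings beneath it use `fabric` and add `edge-oidc`, so the list should be brought in line with what is actually bound. Minor wording in the new comments: `default TSL1.2`, `default TSL1.3` and `version of TSL` should read TLS, and `#interface - required` and `#http timeouts, new` lack the space after `#` used everywhere else. Binding the listener to 127.0.0.1 only keeps the management, fabric and OIDC APIs off external interfaces, which fits a development config; the wildcard-port loopback `redirectURIs` presumably rely on the edge-oidc API refusing non-loopback hosts, which is not visible here.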