Skip to content
Permalink
master
Switch branches/tags
Go to file
 
 
Cannot retrieve contributors at this time
214 lines (143 sloc) 6.95 KB
version: 0.85.0
# Path to AcraCensor configuration file
acracensor_config_file:
# Use tls to encrypt transport between AcraServer and AcraConnector/client
acraconnector_tls_transport_enable: false
# Use raw transport (tcp/unix socket) between AcraServer and AcraConnector/client (don't use this flag if you not connect to database with SSL/TLS
acraconnector_transport_encryption_disable: false
# Acrastruct may be injected into any place of data cell
acrastruct_injectedcell_enable: false
# Acrastruct will stored in whole data cell
acrastruct_wholecell_enable: true
# Path to basic auth passwords. To add user, use: `./acra-authmanager --set --user <user> --pwd <pwd>`
auth_keys: configs/auth.keys
# Expected client ID of AcraConnector in mode without encryption
client_id:
# path to config
config_file:
# Log everything to stderr
d: false
# Host to db
db_host:
# Port to db
db_port: 5432
# Turn on HTTP debug server
ds: false
# dump config
dump_config: false
# Path to Encryptor configuration file
encryptor_config_file:
# Generate with yaml config markdown text file with descriptions of all args
generate_markdown_args_table: false
# Enable HTTP API
http_api_enable: false
# Port for AcraServer for HTTP API
incoming_connection_api_port: 9090
# Connection string for api like tcp://x.x.x.x:yyyy or unix:///path/to/socket
incoming_connection_api_string: tcp://0.0.0.0:9090/
# Time that AcraServer will wait (in seconds) on restart before closing all connections
incoming_connection_close_timeout: 10
# Host for AcraServer
incoming_connection_host: 0.0.0.0
# Port for AcraServer
incoming_connection_port: 9393
# URL (tcp://host:port) which will be used to expose Prometheus metrics (<URL>/metrics address to pull metrics)
incoming_connection_prometheus_metrics_string:
# Connection string like tcp://x.x.x.x:yyyy or unix:///path/to/socket
incoming_connection_string: tcp://0.0.0.0:9393/
# Jaeger agent endpoint (for example, localhost:6831) that will be used to export trace data
jaeger_agent_endpoint:
# Password used for basic auth (optional) to jaeger
jaeger_basic_auth_password:
# Username used for basic auth (optional) to jaeger
jaeger_basic_auth_username:
# Jaeger endpoint (for example, http://localhost:14268/api/traces) that will be used to export trace data
jaeger_collector_endpoint:
# Folder from which will be loaded keys
keys_dir: .acrakeys
# Maximum number of keys stored in in-memory LRU cache in encrypted form. 0 - no limits, -1 - turn off cache
keystore_cache_size: 0
# Logging format: plaintext, json or CEF
logging_format: plaintext
# Handle MySQL connections
mysql_enable: false
# Escape format for Postgresql bytea data (deprecated, ignored)
pgsql_escape_bytea: false
# Hex format for Postgresql bytea data (deprecated, ignored)
pgsql_hex_bytea: false
# Turn on poison record detection, if server shutdown is disabled, AcraServer logs the poison record detection and returns decrypted data
poison_detect_enable: true
# On detecting poison record: log about poison record detection, execute script, return decrypted data
poison_run_script_file:
# On detecting poison record: log about poison record detection, stop and shutdown
poison_shutdown_enable: false
# Handle Postgresql connections (default true)
postgresql_enable: false
# Id that will be sent in secure session
securesession_id: acra_server
# Set authentication mode that will be used in TLS connection with AcraConnector and database. Values in range 0-4 that set auth type (https://golang.org/pkg/crypto/tls/#ClientAuthType). Default is tls.RequireAndVerifyClientCert
tls_auth: 4
# Path to additional CA certificate for AcraConnector and database certificate validation
tls_ca:
# Path to tls certificate
tls_cert:
# Set authentication mode that will be used in TLS connection with AcraConnector. Overrides the "tls_auth" setting.
tls_client_auth: -1
# Path to additional CA certificate for AcraConnector certificate validation (setup if AcraConnector certificate CA is different from database certificate CA)
tls_client_ca:
# Path to server TLS certificate presented to AcraConnectors (overrides "tls_cert")
tls_client_cert:
# Extract clientID from TLS certificate. Take TLS certificate from AcraConnector's connection if acraconnector_tls_transport_enable is TRUE; otherwise take TLS certificate from application's connection if acraconnector_transport_encryption_disable is TRUE
tls_client_id_from_cert: false
# Path to private key of the TLS certificate presented to AcraConnectors (see "tls_client_cert")
tls_client_key:
# How many CRLs to cache in memory (use 0 to disable caching)
tls_crl_cache_size: 16
# How long to keep CRLs cached, in seconds (use 0 to disable caching, maximum: 300 s)
tls_crl_cache_time: 0
# Put 'true' to check only final/last certificate, or 'false' to check the whole certificate chain using CRL
tls_crl_check_only_leaf_certificate: false
# URL of the Certificate Revocation List (CRL) to use, for client/connector certificates only
tls_crl_client_url:
# URL of the Certificate Revocation List (CRL) to use, for database certificates only
tls_crl_database_url:
# How to treat CRL URL described in certificate itself: <use|trust|prefer|ignore>
tls_crl_from_cert: prefer
# URL of the Certificate Revocation List (CRL) to use
tls_crl_url:
# Set authentication mode that will be used in TLS connection with database. Overrides the "tls_auth" setting.
tls_database_auth: -1
# Path to additional CA certificate for database certificate validation (setup if database certificate CA is different from AcraConnector certificate CA)
tls_database_ca:
# Path to client TLS certificate shown to database during TLS handshake (overrides "tls_cert")
tls_database_cert:
# Path to private key of the TLS certificate used to connect to database (see "tls_database_cert")
tls_database_key:
# Expected Server Name (SNI) from database
tls_database_sni:
# Expected Server Name (SNI) from database (deprecated, use "tls_database_sni" instead)
tls_db_sni:
# Decide which field of TLS certificate to use as ClientID (distinguished_name|serial_number)
tls_identifier_extractor_type: distinguished_name
# Path to private key that will be used in AcraServer's TLS handshake with AcraConnector as server's key and database as client's key
tls_key:
# Put 'true' to check only final/last certificate, or 'false' to check the whole certificate chain using OCSP
tls_ocsp_check_only_leaf_certificate: false
# OCSP service URL, for client/connector certificates only
tls_ocsp_client_url:
# OCSP service URL, for database certificates only
tls_ocsp_database_url:
# How to treat OCSP server described in certificate itself: <use|trust|prefer|ignore>
tls_ocsp_from_cert: prefer
# How to treat certificates unknown to OCSP: <denyUnknown|allowUnknown|requireGood>
tls_ocsp_required: denyUnknown
# OCSP service URL
tls_ocsp_url:
# Export trace data to jaeger
tracing_jaeger_enable: false
# Export trace data to log
tracing_log_enable: false
# Log to stderr all INFO, WARNING and ERROR logs
v: false
# Turn on zone mode
zonemode_enable: false