# Full Proxy Config Reference

## Config File

The **Grey Matter Proxy** receives its initial configuration in the form of a YAML configuration file on disk. This file takes any configuration available in the [Envoy Bootstrap Config File](https://www.envoyproxy.io/docs/envoy/v1.9.0/configuration/overview/v2_overview#config-overview-v2-bootstrap), as well as the additional Grey Matter filters that are made available through the SDK.

{% hint style="info" %}
Since the full bootstrap config file has a large number of complex options, a select number of common options have been exposed via template files and environment variables.
{% endhint %}

### Sample Dynamic Configuration

The dynamic configuration template is used if `PROXY_DYNAMIC=true`. The bootstrap configuration then sets up the proxy to receive all other configuration through the control plane: the proxy starts with almost no configuration (no listeners, routes, clusters, filters, etc.) and receives them as end users take actions in the control plane.

```
PROXY_DYNAMIC="true"
XDS_CLUSTER="example"
XDS_HOST="gm-control.fabric.svc"
XDS_PORT="50000"
```

### Sample Static Configuration

The static configuration template is used if `PROXY_DYNAMIC=false` (the default). In this case, the environment variables set certain behavior and options in the bootstrap config file that the Grey Matter Proxy uses at startup. A simple example of a static config is shown below. Note that these options (and all other defaults) are locked in while the proxy is running; it must be restarted to pick up any modifications.

```
HOST="0.0.0.0"
PORT=8080
SERVICE_HOST="localhost"
SERVICE_PORT=9080
METRICS_PORT=8081
OBS_ENABLED=true
```

## Full Config Options

The following table lists the full configuration options.

| Option                                      | Description                                                                                                                       | Example                                                                                   | Default                                                                         | Required                      |
| ------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | ----------------------------- |
| `HOST`                                      | Host for Envoy listener                                                                                                           | `0.0.0.0`                                                                                 | `0.0.0.0`                                                                       |                               |
| `PORT`                                      | Port for Envoy listener                                                                                                           | `8080`                                                                                    | `8080`                                                                          |                               |
| `TIMEOUT`                                   | Cluster route timeout                                                                                                             | `3000s`                                                                                   |                                                                                 |                               |
| `IDLE_TIMEOUT`                              | Cluster idle timeout                                                                                                              | `3000s`                                                                                   |                                                                                 |                               |
| `DRAIN_TIMEOUT`                             | Listener drain timeout                                                                                                            | `3000s`                                                                                   |                                                                                 |                               |
| `USE_HTTP2`                                 | Enable HTTP/2 for static cluster connection (doesn't work with HTTP/1.0)                                                          | `true`                                                                                    | `false`                                                                         |                               |
| `ACCEPT_HTTP_10`                            | Accept HTTP/1.0 connections on the Envoy static listener                                                                          | `true`                                                                                    | `false`                                                                         |                               |
| `SERVICE_DNS_TYPE`                          | The DNS resolution type Envoy uses to connect to the static cluster                                                               | `LOGICAL_DNS`                                                                             | `STRICT_DNS`                                                                    |                               |
| `SERVICE_HOST`                              | Proxied service host                                                                                                              | `example-service`                                                                         | `0.0.0.0`                                                                       |                               |
| `SERVICE_PORT`                              | Proxied service port                                                                                                              | `3000`                                                                                    |                                                                                 |                               |
| `ZK_ANNOUNCE_PATH`                          | ZooKeeper discovery path                                                                                                          | `/services/example-service/1.0.0`                                                         |                                                                                 |                               |
| `ZK_ANNOUNCE_HOST`                          | Host of the original service                                                                                                      | `172.0.3.18`                                                                              | `0.0.0.0`                                                                       |                               |
| `ZK_ADDRS`                                  | List of host:port locations for ZooKeeper nodes                                                                                   | `zk1:2181,zk2:2181`                                                                       | `localhost:2181`                                                                |                               |
| `METRICS_PORT`                              | Port for metrics listener                                                                                                         | `8081`                                                                                    | `8081`                                                                          |                               |
| `METRICS_FABRIC_PATH`                       | Route for Grey Matter Dashboard metrics collection                                                                                | `/metrics`                                                                                | `/metrics`                                                                      |                               |
| `METRICS_PROMETHEUS_PATH`                   | Route for Prometheus metrics collection                                                                                           | `/prometheus`                                                                             | `/prometheus`                                                                   |                               |
| `METRICS_USE_TLS`                           | Expose metrics over 2-way SSL                                                                                                     | `false`                                                                                   | `false`                                                                         |                               |
| `INGRESS_USE_TLS`                           | Enable ingress TLS to the Envoy listener                                                                                          | `false`                                                                                   | `false`                                                                         |                               |
| `INGRESS_CA_CERT_PATH`                      | Ingress trust certificate path                                                                                                    | `./ingress/trust.pem`                                                                     |                                                                                 |                               |
| `INGRESS_CERT_PATH`                         | Ingress certificate path                                                                                                          | `./ingress/cert.pem`                                                                      |                                                                                 |                               |
| `INGRESS_KEY_PATH`                          | Ingress key certificate path                                                                                                      | `./ingress/key.pem`                                                                       |                                                                                 |                               |
| `EGRESS_USE_TLS`                            | Enable 2-way SSL to the proxied service                                                                                           | `false`                                                                                   | `false`                                                                         |                               |
| `EGRESS_CA_CERT_PATH`                       | Egress trust certificate path                                                                                                     | `./egress/trust.pem`                                                                      |                                                                                 |                               |
| `EGRESS_CERT_PATH`                          | Egress certificate path                                                                                                           | `./egress/cert.pem`                                                                       |                                                                                 |                               |
| `EGRESS_KEY_PATH`                           | Egress key certificate path                                                                                                       | `./egress/key.pem`                                                                        |                                                                                 |                               |
| `DELAY_MEAN`                                | Obfuscation delay mean                                                                                                            | `1`                                                                                       |                                                                                 |                               |
| `DELAY_STD`                                 | Obfuscation delay standard deviation                                                                                              | `4`                                                                                       |                                                                                 |                               |
| `OAUTH_ENABLED`                             | Full OAuth 2.0 Functionality                                                                                                      | `true`                                                                                    |                                                                                 |                               |
| `OAUTH_CLIENT_ID`                           | Client ID issued by the authorization server                                                                                      | `client-id`                                                                               |                                                                                 |                               |
| `OAUTH_CLIENT_SECRET`                       | Client secret issued by the authorization server                                                                                  | `client-secret`                                                                           |                                                                                 |                               |
| `OAUTH_SERVER_NAME`                         | Authorization server name                                                                                                         | `server`                                                                                  |                                                                                 |                               |
| `OAUTH_SERVER_INSECURE`                     | Enable if the OAuth authorization server is insecure                                                                              | `true`                                                                                    | `false`                                                                         |                               |
| `OAUTH_SESSION_SECRET`                      | OAuth session secret                                                                                                              | `secret`                                                                                  |                                                                                 |                               |
| `OAUTH_DOMAIN`                              | Provider domain                                                                                                                   |                                                                                           |                                                                                 |                               |
| `CW_ENABLED`                                | Enable Amazon CloudWatch metrics collection                                                                                       | `false`                                                                                   | `false`                                                                         |                               |
| `CW_NAMESPACE`                              | Customize namespace where metrics will be stored                                                                                  | `GM/EC2`                                                                                  | `GM/EC2`                                                                        |                               |
| `CW_METRICS_ROUTES`                         | Regular expression describing routes to be recognized                                                                             | `^all$`                                                                                   | `^all$`                                                                         |                               |
| `CW_METRICS_VALUES`                         | Values reported to Amazon Cloudwatch                                                                                              | `latency_ms.count,latency_ms.p50,latency_ms.p9999,in_throughput,out_throughput`           | `latency_ms.count,latency_ms.p50,latency_ms.p9999,in_throughput,out_throughput` |                               |
| `CW_DIMENSIONS`                             | The dimension names/values that the specified metrics will be stored under                                                        | `AutoScalingGroupName: test-proxy-asg, ServiceName: gm-fabric-proxy`                      | `AutoScalingGroupName: test-proxy-asg, ServiceName: gm-fabric-proxy`            |                               |
| `AWS_REGION`                                | AWS defined region                                                                                                                | `us-east-1`                                                                               | `us-east-1`                                                                     |                               |
| `AWS_ACCESS_KEY_ID`                         | AWS provided access key credential                                                                                                |                                                                                           |                                                                                 |                               |
| `AWS_SECRET_ACCESS_KEY`                     | AWS provided secret access key credential                                                                                         |                                                                                           |                                                                                 |                               |
| `AWS_PROFILE`                               | A locally defined AWS profile name associated with valid AWS credentials                                                          | `default`                                                                                 | `default`                                                                       |                               |
| `AWS_CONFIG_FILE`                           | Location of the local AWS config                                                                                                  | `/root/.aws/config`                                                                       | `~/.aws/config`                                                                 |                               |
| `OBS_ENABLED`                               | Enables event emission to various brokers                                                                                         | `true`                                                                                    | `false`                                                                         |                               |
| `OBS_KAFKA_TOPIC`                           | Kafka topic to send observables on                                                                                                | `gm-sidecar-events`                                                                       | `false`                                                                         |                               |
| `OBS_TOPIC`                                 | Topic for the observable event. Sets eventType in the payload.                                                                    |                                                                                           | `false`                                                                         |                               |
| `OBS_ENFORCED`                              | Audit all events which pass through the proxy                                                                                     | `false`                                                                                   | `false`                                                                         |                               |
| `OBS_FULL_RESPONSE`                         | If `true`, also dump the request/response bodies into the audit event (and into Kafka if `KAFKA_ENABLED` is `true`).             | `false`                                                                                   | `false`                                                                         |                               |
| `KAFKA_ENABLED`                             | Enable event emission to a Kafka topic                                                                                            | `false`                                                                                   | `false`                                                                         |                               |
| `KAFKA_ZK_DISCOVER`                         | Discovery of Kafka brokers from ZooKeeper                                                                                         | `false`                                                                                   | `false`                                                                         |                               |
| `KAFKA_SERVER_CONNECTION`                   | List of Kafka node locations                                                                                                      | `kafka:9091,kafka2:9091`                                                                  | `localhost:9091`                                                                |                               |
| `USE_KAFKA_TLS`                             | Enable TLS communication with Kafka nodes                                                                                         | `false`                                                                                   | `false`                                                                         |                               |
| `KAFKA_TLS_TRUSTS`                          | Certificate authorities to be used when connecting to Kafka over TLS (comma-delimited)                                            | `file:///opt/certs/truststore.pem`                                                        |                                                                                 |                               |
| `KAFKA_TLS_CERT`                            | Certificate to be used when connecting to Kafka over TLS                                                                          | `file:///opt/certs/certificate.pem`                                                       |                                                                                 |                               |
| `KAFKA_TLS_KEY`                             | Certificate key to be used when connecting to Kafka over TLS                                                                      | `file:///opt/certs/key.pem`                                                               |                                                                                 |                               |
| `KAFKA_SERVER_NAME`                         | Server name to be used when connecting to Kafka over TLS                                                                          | `cn=kafka-node`                                                                           |                                                                                 |                               |
| `ACL_ENABLED`                               | Enables 2-Way SSL impersonation REST filter                                                                                       | `false`                                                                                   | `false`                                                                         |                               |
| `ACL_SERVER_LIST`                           | A list of server DNs to be whitelisted (pipe delimited)                                                                           | `C=US,ST=Virginia,L=Alexandria,O=Decipher Technology Studios,OU=Engineering,CN=localhost` |                                                                                 |                               |
| `LISTAUTH_ENABLED`                          | Enable/disable the whitelist/blacklist feature                                                                                    | `false`                                                                                   | `false`                                                                         |                               |
| `LISTAUTH_WHITELIST`                        | List of DNs to be whitelisted (pipe delimited)                                                                                    | `C=US,ST=Virginia,L=Alexandria,O=Decipher Technology Studios,OU=Engineering,CN=localhost` |                                                                                 |                               |
| `LISTAUTH_BLACKLIST`                        | List of DNs to be blacklisted (pipe delimited)                                                                                    | `C=US,ST=Virginia,L=Alexandria,O=Decipher Technology Studios,OU=Engineering,CN=localhost` |                                                                                 |                               |
| `ENVOY_CONFIG`                              | Base64 encoded string of envoy configuration file                                                                                 |                                                                                           |                                                                                 |                               |
| `GM_CONFIG`                                 | Base64 encoded string of gm-config.yaml configuration file                                                                        |                                                                                           |                                                                                 |                               |
| `INGRESS_TLS_CERT`                          | Base64 encoded cert written out to `./certs/ingress_localhost.crt`                                                                |                                                                                           |                                                                                 |                               |
| `INGRESS_TLS_KEY`                           | Base64 encoded key written out to `./certs/ingress_localhost.key`                                                                 |                                                                                           |                                                                                 |                               |
| `INGRESS_TLS_TRUST`                         | Base64 encoded trust written out to `./certs/ingress_intermediate.crt`                                                            |                                                                                           |                                                                                 |                               |
| `EGRESS_TLS_CERT`                           | Base64 encoded cert written out to `./certs/egress_localhost.crt`                                                                 |                                                                                           |                                                                                 |                               |
| `EGRESS_TLS_KEY`                            | Base64 encoded key written out to `./certs/egress_localhost.key`                                                                  |                                                                                           |                                                                                 |                               |
| `EGRESS_TLS_TRUST`                          | Base64 encoded trust written out to `./certs/egress_intermediate.crt`                                                             |                                                                                           |                                                                                 |                               |
| `PROXY_DYNAMIC`                             | Enable dynamic configuration from Grey Matter xDS                                                                                 | `true`                                                                                    | `false`                                                                         |                               |
| `DELTA_XDS`                                 | Enable dynamic configuration from Grey Matter xDS using the incremental protocol variant                                          | `true`                                                                                    | `false`                                                                         |                               |
| `XDS_CLUSTER`                               | Envoy xDS proxy cluster identifier                                                                                                | `catalog`                                                                                 | `us-east-1`                                                                     | Yes (only for dynamic config) |
| `XDS_NODE_ID`                               | Envoy node id per xds configuration                                                                                               | `default-node`                                                                            | `default`                                                                       | Yes (only for dynamic config) |
| `XDS_HOST`                                  | Host of Grey Matter xDS Server                                                                                                    | `gm-xds`                                                                                  | `localhost`                                                                     | Yes (only for dynamic config) |
| `XDS_PORT`                                  | Port of Grey Matter xDS Server                                                                                                    | `18000`                                                                                   | `18000`                                                                         | Yes (only for dynamic config) |
| `XDS_ENABLE_TLS`                            | Enable TLS when communicating with the xDS server                                                                                 | `true`                                                                                    | `false`                                                                         | No (only for dynamic config)  |
| `XDS_SERVER_CERT_PATH`                      | Path to certificate file to be used for connecting to xDS                                                                         | `certs/xds_server_cert.crt`                                                               | `certs/xds_server_cert.crt`                                                     | No (only for dynamic config)  |
| `XDS_SERVER_KEY_PATH`                       | Path to key file to be used for connecting to xDS                                                                                 | `certs/xds_server_key.key`                                                                | `certs/xds_server_key.key`                                                      | No (only for dynamic config)  |
| `XDS_SERVER_CA_PATH`                        | Path to ca file to be used for connecting to xDS                                                                                  | `certs/xds_server_ca.crt`                                                                 | `certs/xds_server_ca.crt`                                                       | No (only for dynamic config)  |
| `HOST`                                      | Host for Envoy listener                                                                                                           | `false`                                                                                   | `false`                                                                         |                               |
| `INHEADERS_ENABLED`                         | Set up impersonation headers                                                                                                      | `false`                                                                                   | `false`                                                                         |                               |
| `ENVOY_ADMIN_LOG_PATH`                      | Path of the log file the Envoy admin server will write to                                                                         | `/dev/stdout`                                                                             | `/dev/null`                                                                     |                               |
| `ENVOY_ADMIN_HOST`                          | The host the Envoy admin server will listen on                                                                                    | `0.0.0.0`                                                                                 | `0.0.0.0`                                                                       |                               |
| `ENVOY_ADMIN_PORT`                          | The port the Envoy admin server will listen on                                                                                    | `8001`                                                                                    | `8001`                                                                          |                               |
| `SPIRE_PATH`                                | The Unix domain socket path Envoy will use to connect to a SPIRE agent                                                            | `/tmp/agent.sock`                                                                         |                                                                                 |                               |
| `SPIRE_PORT`                                | The port a SPIRE agent is listening on if connecting over mTLS                                                                    | `9090`                                                                                    |                                                                                 |                               |
| `SPIRE_HOST`                                | The host a SPIRE agent is listening on if connecting over mTLS                                                                    | `0.0.0.0`                                                                                 |                                                                                 |                               |
| `SPIRE_CERT_PATH`                           | The path of a SPIRE agent certificate used to create an mTLS connection                                                           | `/certs/spire.crt`                                                                        |                                                                                 |                               |
| `SPIRE_KEY_PATH`                            | The path of the key for the SPIRE agent certificate used to create an mTLS connection                                             | `/certs/spire.key`                                                                        |                                                                                 |                               |
| `TRACING_ENABLED`                           | Turn on request tracing using the Zipkin config                                                                                   | `false`                                                                                   | `false`                                                                         |                               |
| `TRACING_ADDRESS`                           | The host of the trace collector server                                                                                            | `localhost`                                                                               |                                                                                 |                               |
| `TRACING_PORT`                              | The port of the trace collector server                                                                                            | `9411`                                                                                    |                                                                                 |                               |
| `TRACING_USE_TLS`                           | Communicate to the trace server via TLS                                                                                           | `false`                                                                                   | `false`                                                                         |                               |
| `TRACING_CA_CERT_PATH`                      | Trace server trust certificate path                                                                                               | `./certs/egress_intermediate.crt`                                                         |                                                                                 |                               |
| `TRACING_CERT_PATH`                         | Trace server certificate path                                                                                                     | `./certs/egress_localhost.crt`                                                            |                                                                                 |                               |
| `TRACING_KEY_PATH`                          | Path of the key matching the trace server certificate                                                                             | `./certs/egress_localhost.key`                                                            |                                                                                 |                               |
| `TRACING_DRIVER`                            | Tracing driver to use; accepted values are "zipkin", "lightstep", "datadog", "opencensus" and "instana"                          | `datadog`                                                                                 | `zipkin`                                                                        |                               |
| `TRACING_COLLECTOR_ENDPOINT`                | Used by Zipkin and OpenCensus (only when exporting to Zipkin). Endpoint on the tracing server to which spans are sent.            | `/api/v1/spans`                                                                           | `/api/v1/spans`                                                                 |                               |
| `TRACING_COLLECTOR_ENDPOINT_VERSION`        | API Version of the tracing collector endpoint                                                                                     | `HTTP_JSON`                                                                               | `HTTP_JSON`                                                                     |                               |
| `TRACING_LIGHTSTEP_ACCESS_TOKEN_PATH`       | Used by Lightstep. Path to file containing the access token to the LightStep API.                                                 | `./cfg/lightstep`                                                                         | `./cfg/lightstep_access_token`                                                  |                               |
| `TRACING_DATADOG_SERVICE_NAME`              | Used by Datadog. A unique identifier to display in the Datadog dashboard.                                                         | `my-traced-service`                                                                       | `gm-proxy`                                                                      |                               |
| `TRACING_OPENCENSUS_CONTEXT_HEADER`         | Header for manually tracking traces across services. Accepts "traceparent", "grpc-trace-bin", "x-cloud-trace-context", "x-b3-\*". | `x-cloud-trace-context`                                                                   | `NONE`                                                                          |                               |
| `TRACING_OPENCENSUS_EXPORTER`               | OpenCensus exporter to use; accepted values are "ocagent", "stackdriver" and "zipkin"                                             | `ocagent`                                                                                 | `zipkin`                                                                        |                               |
| `TRACING_OPENCENSUS_STACKDRIVER_PROJECT_ID` | The cloud project\_id to use when exporting to Stackdriver.                                                                       | `my-project`                                                                              |                                                                                 |                               |
| `TRACING_INSTANA_LIBRARY_PATH`              | The path of the Instana library file to run when sending spans to Instana.                                                        | `/app/instana_sensor.so`                                                                  | `/app/instana_sensor.so`                                                        |                               |
| `TCP_CLUSTER`                               | Name to assign the cluster that will be used for proxying requests with a configured TCP proxy filter                             | `tcp_proxy`                                                                               |                                                                                 |                               |
| `TCP_HOST`                                  | The host of a server that receives TCP connections                                                                                | `tcp_server`                                                                              | `tcp_server`                                                                    |                               |
| `TCP_PORT`                                  | The port of a server that receives TCP connections                                                                                | `3000`                                                                                    | `3000`                                                                          |                               |
| `TCP_SNI`                                   | What Server Name Indication (SNI) to assign to the TCP cluster                                                                    | `www.google.com`                                                                          |                                                                                 |                               |
| `REDIS_CLUSTER`                             | Name to assign the cluster that will be used for proxying Redis requests with a configured Redis proxy filter                     | `redis_proxy`                                                                             |                                                                                 |                               |
| `REDIS_HOST`                                | The host of a Redis server                                                                                                        | `redis_server`                                                                            | `redis_server`                                                                  |                               |
| `REDIS_PORT`                                | The port of a Redis server                                                                                                        | `6379`                                                                                    | `3679`                                                                          |                               |
| `REDIS_SNI`                                 | What Server Name Indication (SNI) to assign to the Redis cluster                                                                  | `www.google.com`                                                                          |                                                                                 |                               |

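Several of the options above only make sense together: with `PROXY_DYNAMIC=true` every listener, route and cluster arrives over the xDS connection, so that connection is only as trustworthy as `XDS_ENABLE_TLS` and the three certificate paths that back it, `SPIRE_PATH` must name a live agent socket, and the admin server bind address decides who can reach Envoy's config dump and stats. The preflight script below is an added example, not part of the Grey Matter documentation or of the proxy itself. It reads the variables with the defaults listed in the table and reports inconsistencies before the proxy is launched; the function name `check_proxy_env` and the `ERROR:`/`WARN:` labels are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Grey Matter code): preflight check of the proxy's
# environment variables before the proxy process is started.
# Defaults mirror the "Default" column of the reference table.
# Prints one finding per line: "ERROR: ..." makes the function return 1,
# "WARN: ..." is reported but does not change the return status.

check_proxy_env() {
  dyn="${PROXY_DYNAMIC:-false}"
  tls="${XDS_ENABLE_TLS:-false}"
  xds_host="${XDS_HOST:-localhost}"
  xds_port="${XDS_PORT:-18000}"
  cert="${XDS_SERVER_CERT_PATH:-certs/xds_server_cert.crt}"
  key="${XDS_SERVER_KEY_PATH:-certs/xds_server_key.key}"
  ca="${XDS_SERVER_CA_PATH:-certs/xds_server_ca.crt}"
  admin_host="${ENVOY_ADMIN_HOST:-0.0.0.0}"
  admin_port="${ENVOY_ADMIN_PORT:-8001}"
  spire_path="${SPIRE_PATH:-}"
  rc=0

  # The xDS settings only matter when config is pulled from the control plane.
  if [ "$dyn" = "true" ]; then
    if [ "$tls" = "true" ]; then
      for f in "$cert" "$key" "$ca"; do
        if [ ! -r "$f" ]; then
          echo "ERROR: XDS_ENABLE_TLS=true but '$f' is missing or unreadable"
          rc=1
        fi
      done
      # A private key readable by other local users weakens the proxy's TLS identity.
      if [ -r "$key" ] && [ -n "$(find "$key" -perm -004 -print 2>/dev/null)" ]; then
        echo "WARN: xDS key '$key' is world-readable"
      fi
    else
      echo "WARN: PROXY_DYNAMIC=true with XDS_ENABLE_TLS=$tls: listeners, routes and clusters arrive from $xds_host:$xds_port in plaintext"
    fi
  fi

  # SPIRE_PATH must point at the agent's Unix domain socket, not a regular file.
  if [ -n "$spire_path" ] && [ ! -S "$spire_path" ]; then
    echo "ERROR: SPIRE_PATH='$spire_path' is not a Unix domain socket"
    rc=1
  fi

  # The admin server serves config dumps and stats; binding it to every
  # interface makes it reachable from beyond the host.
  if [ "$admin_host" = "0.0.0.0" ]; then
    echo "WARN: ENVOY_ADMIN_HOST=$admin_host exposes the admin server on port $admin_port to every interface"
  fi

  return "$rc"
}
```

A container entrypoint can source this file and run `check_proxy_env || exit 1` before executing the proxy, so a misconfigured dynamic proxy fails fast instead of starting with no listeners or an unauthenticated control-plane connection.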
## Questions

{% hint style="success" %}
**Need help?**

Create an account at [Grey Matter Support](https://support.greymatter.io/support/home) to reach our team.
{% endhint %}
