Service Configuration

Example YAML Config

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202


# Autogenerated
# Filename: proxy-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9205
  token: ""
  pprof: false
  zpages: false
http:
  addr: 0.0.0.0:9200
  root: /
  tls_cert: /var/lib/ocis/proxy/server.crt
  tls_key: /var/lib/ocis/proxy/server.key
  tls: true
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: ""
grpc_client_tls: null
role_quotas: {}
policies:
- name: ocis
  routes:
  - endpoint: /
    service: com.owncloud.web.web
    unprotected: true
  - endpoint: /.well-known/ocm
    service: com.owncloud.web.ocm
    unprotected: true
  - endpoint: /.well-known/webfinger
    service: com.owncloud.web.webfinger
    unprotected: true
  - endpoint: /.well-known/openid-configuration
    service: com.owncloud.web.idp
    unprotected: true
  - endpoint: /branding/logo
    service: com.owncloud.web.web
  - endpoint: /konnect/
    service: com.owncloud.web.idp
    unprotected: true
  - endpoint: /signin/
    service: com.owncloud.web.idp
    unprotected: true
  - endpoint: /archiver
    service: com.owncloud.web.frontend
  - endpoint: /ocs/v2.php/apps/notifications/api/v1/notifications/sse
    service: com.owncloud.sse.sse
  - endpoint: /ocs/v2.php/apps/notifications/api/v1/notifications
    service: com.owncloud.web.userlog
  - type: regex
    endpoint: /ocs/v[12].php/cloud/user/signing-key
    service: com.owncloud.web.ocs
  - type: regex
    endpoint: /ocs/v[12].php/config
    service: com.owncloud.web.frontend
    unprotected: true
  - endpoint: /sciencemesh/
    service: com.owncloud.web.ocm
  - endpoint: /ocm/
    service: com.owncloud.web.ocm
  - endpoint: /ocs/
    service: com.owncloud.web.frontend
  - type: query
    endpoint: /remote.php/?preview=1
    service: com.owncloud.web.webdav
  - type: regex
    method: REPORT
    endpoint: (/remote.php)?/(web)?dav
    service: com.owncloud.web.webdav
  - type: query
    endpoint: /dav/?preview=1
    service: com.owncloud.web.webdav
  - type: query
    endpoint: /webdav/?preview=1
    service: com.owncloud.web.webdav
  - endpoint: /remote.php/
    service: com.owncloud.web.ocdav
  - endpoint: /dav/
    service: com.owncloud.web.ocdav
  - endpoint: /webdav/
    service: com.owncloud.web.ocdav
  - endpoint: /status
    service: com.owncloud.web.ocdav
    unprotected: true
  - endpoint: /status.php
    service: com.owncloud.web.ocdav
    unprotected: true
  - endpoint: /index.php/
    service: com.owncloud.web.ocdav
  - endpoint: /apps/
    service: com.owncloud.web.ocdav
  - endpoint: /data
    service: com.owncloud.web.frontend
    unprotected: true
  - endpoint: /app/list
    service: com.owncloud.web.frontend
    unprotected: true
  - endpoint: /app/
    service: com.owncloud.web.frontend
  - endpoint: /graph/v1beta1/extensions/org.libregraph/activities
    service: com.owncloud.web.activitylog
  - endpoint: /graph/v1.0/invitations
    service: com.owncloud.web.invitations
  - endpoint: /graph/
    service: com.owncloud.web.graph
  - endpoint: /api/v0/settings
    service: com.owncloud.web.settings
  - endpoint: /auth-app/tokens
    service: com.owncloud.web.auth-app
additional_policies: []
oidc:
  issuer: https://localhost:9200
  insecure: false
  access_token_verify_method: jwt
  skip_user_info: false
  user_info_cache:
    store: memory
    addresses:
    - 127.0.0.1:9233
    database: cache-userinfo
    table: ""
    ttl: 10s
    disable_persistence: false
    username: ""
    password: ""
  jwks:
    refresh_interval: 60
    refresh_timeout: 10
    refresh_limit: 60
    refresh_unknown_kid: true
  rewrite_well_known: false
service_account:
  service_account_id: ""
  service_account_secret: ""
role_assignment:
  driver: default
  oidc_role_mapper:
    role_claim: roles
    role_mapping:
    - role_name: admin
      claim_value: ocisAdmin
    - role_name: spaceadmin
      claim_value: ocisSpaceAdmin
    - role_name: user
      claim_value: ocisUser
    - role_name: user-light
      claim_value: ocisGuest
policy_selector:
  static:
    policy: ocis
  claims: null
  regex: null
pre_signed_url:
  allowed_http_methods:
  - GET
  enabled: true
  signing_keys:
    store: nats-js-kv
    addresses:
    - 127.0.0.1:9233
    ttl: 12h0m0s
    disable_persistence: true
    username: ""
    password: ""
account_backend: cs3
user_oidc_claim: preferred_username
user_cs3_claim: username
machine_auth_api_key: ""
auto_provision_accounts: false
auto_provision_claims:
  username: preferred_username
  email: email
  display_name: name
  groups: groups
enable_basic_auth: false
insecure_backends: false
backend_https_cacert: ""
auth_middleware:
  credentials_by_user_agent: {}
  allow_app_auth: false
policies_middleware:
  query: ""
csp_config_file_location: ""
events:
  endpoint: 127.0.0.1:9233
  cluster: ocis-cluster
  tls_insecure: false
  tls_root_ca_certificate: ""
  enable_tls: false
  username: ""
  password: ""

Environment Variables

Name	Type	Default Value	Description
OCIS_TRACING_ENABLED PROXY_TRACING_ENABLED	bool	false	Activates tracing.
OCIS_TRACING_TYPE PROXY_TRACING_TYPE	string		The type of tracing. Defaults to ‘’, which is the same as ‘jaeger’. Allowed tracing types are ‘jaeger’ and ’’ as of now.
OCIS_TRACING_ENDPOINT PROXY_TRACING_ENDPOINT	string		The endpoint of the tracing agent.
OCIS_TRACING_COLLECTOR PROXY_TRACING_COLLECTOR	string		The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.
OCIS_LOG_LEVEL PROXY_LOG_LEVEL	string		The log level. Valid values are: ‘panic’, ‘fatal’, ’error’, ‘warn’, ‘info’, ‘debug’, ’trace’.
OCIS_LOG_PRETTY PROXY_LOG_PRETTY	bool	false	Activates pretty log output.
OCIS_LOG_COLOR PROXY_LOG_COLOR	bool	false	Activates colorized log output.
OCIS_LOG_FILE PROXY_LOG_FILE	string		The path to the log file. Activates logging to this file if set.
PROXY_DEBUG_ADDR	string	127.0.0.1:9205	Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.
PROXY_DEBUG_TOKEN	string		Token to secure the metrics endpoint.
PROXY_DEBUG_PPROF	bool	false	Enables pprof, which can be used for profiling.
PROXY_DEBUG_ZPAGES	bool	false	Enables zpages, which can be used for collecting and viewing in-memory traces.
PROXY_HTTP_ADDR	string	0.0.0.0:9200	The bind address of the HTTP service.
PROXY_HTTP_ROOT	string	/	Subdirectory that serves as the root for this HTTP service.
PROXY_TRANSPORT_TLS_CERT	string	/var/lib/ocis/proxy/server.crt	Path/File name of the TLS server certificate (in PEM format) for the external http services. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/proxy.
PROXY_TRANSPORT_TLS_KEY	string	/var/lib/ocis/proxy/server.key	Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the external http services. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/proxy.
PROXY_TLS	bool	true	Enable/Disable HTTPS for external HTTP services. Must be set to ’true’ if the built-in IDP service an no reverse proxy is used. See the text description for details.
OCIS_REVA_GATEWAY	string	com.owncloud.api.gateway	The CS3 gateway endpoint.
OCIS_GRPC_CLIENT_TLS_MODE	string		TLS mode for grpc connection to the go-micro based grpc services. Possible values are ‘off’, ‘insecure’ and ‘on’. ‘off’: disables transport security for the clients. ‘insecure’ allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). ‘on’ enables transport security, including server certificate verification.
OCIS_GRPC_CLIENT_TLS_CACERT	string		Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.
OCIS_URL OCIS_OIDC_ISSUER PROXY_OIDC_ISSUER	string	https://localhost:9200	URL of the OIDC issuer. It defaults to URL of the builtin IDP.
OCIS_INSECURE PROXY_OIDC_INSECURE	bool	false	Disable TLS certificate validation for connections to the IDP. Note that this is not recommended for production environments.
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD	string	jwt	Sets how OIDC access tokens should be verified. Possible values are ’none’ and ‘jwt’. When using ’none’, no special validation apart from using it for accessing the IPD’s userinfo endpoint will be done. When using ‘jwt’, it tries to parse the access token as a jwt token and verifies the signature using the keys published on the IDP’s ‘jwks_uri’.
PROXY_OIDC_SKIP_USER_INFO	bool	false	Do not look up user claims at the userinfo endpoint and directly read them from the access token. Incompatible with ‘PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none’.
OCIS_CACHE_STORE PROXY_OIDC_USERINFO_CACHE_STORE	string	memory	The type of the cache store. Supported values are: ‘memory’, ‘redis-sentinel’, ’nats-js-kv’, ’noop’. See the text description for details.
OCIS_CACHE_STORE_NODES PROXY_OIDC_USERINFO_CACHE_STORE_NODES	[]string	[127.0.0.1:9233]	A list of nodes to access the configured store. This has no effect when ‘memory’ store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.
OCIS_CACHE_DATABASE	string	cache-userinfo	The database name the configured store should use.
PROXY_OIDC_USERINFO_CACHE_TABLE	string		The database table the store should use.
OCIS_CACHE_TTL PROXY_OIDC_USERINFO_CACHE_TTL	Duration	10s	Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.
OCIS_CACHE_DISABLE_PERSISTENCE PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE	bool	false	Disables persistence of the cache. Only applies when store type ’nats-js-kv’ is configured. Defaults to false.
OCIS_CACHE_AUTH_USERNAME PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME	string		The username to authenticate with the cache. Only applies when store type ’nats-js-kv’ is configured.
OCIS_CACHE_AUTH_PASSWORD PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD	string		The password to authenticate with the cache. Only applies when store type ’nats-js-kv’ is configured.
PROXY_OIDC_JWKS_REFRESH_INTERVAL	uint64	60	The interval for refreshing the JWKS (JSON Web Key Set) in minutes in the background via a new HTTP request to the IDP.
PROXY_OIDC_JWKS_REFRESH_TIMEOUT	uint64	10	The timeout in seconds for an outgoing JWKS request.
PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT	uint64	60	Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via ocis.
PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID	bool	true	If set to ’true’, the JWKS refresh request will occur every time an unknown KEY ID (KID) is seen. Always set a ‘refresh_limit’ when enabling this.
PROXY_OIDC_REWRITE_WELLKNOWN	bool	false	Enables rewriting the /.well-known/openid-configuration to the configured OIDC issuer. Needed by the Desktop Client, Android Client and iOS Client to discover the OIDC provider.
OCIS_SERVICE_ACCOUNT_ID PROXY_SERVICE_ACCOUNT_ID	string		The ID of the service account the service should use. See the ‘auth-service’ service description for more details.
OCIS_SERVICE_ACCOUNT_SECRET PROXY_SERVICE_ACCOUNT_SECRET	string		The service account secret.
PROXY_ROLE_ASSIGNMENT_DRIVER	string	default	The mechanism that should be used to assign roles to user upon login. Supported values: ‘default’ or ‘oidc’. ‘default’ will assign the role ‘user’ to users which don’t have a role assigned at the time they login. ‘oidc’ will assign the role based on the value of a claim (configured via PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM) from the users OIDC claims.
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM	string	roles	The OIDC claim used to create the users role assignment.
PROXY_ENABLE_PRESIGNEDURLS	bool	true	Allow OCS to get a signing key to sign requests.
OCIS_CACHE_STORE PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE	string	nats-js-kv	The type of the signing key store. Supported values are: ‘redis-sentinel’, ’nats-js-kv’ and ‘ocisstoreservice’ (deprecated). See the text description for details.
OCIS_CACHE_STORE_NODES PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES	[]string	[127.0.0.1:9233]	A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.
OCIS_CACHE_TTL PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL	Duration	12h0m0s	Default time to live for signing keys. See the Environment Variable Types description for more details.
OCIS_CACHE_DISABLE_PERSISTENCE PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE	bool	true	Disables persistence of the store. Only applies when store type ’nats-js-kv’ is configured. Defaults to true.
OCIS_CACHE_AUTH_USERNAME PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME	string		The username to authenticate with the store. Only applies when store type ’nats-js-kv’ is configured.
OCIS_CACHE_AUTH_PASSWORD PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD	string		The password to authenticate with the store. Only applies when store type ’nats-js-kv’ is configured.
PROXY_ACCOUNT_BACKEND_TYPE	string	cs3	Account backend the PROXY service should use. Currently only ‘cs3’ is possible here.
PROXY_USER_OIDC_CLAIM	string	preferred_username	The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like ’email’ or ‘preferred_username’ but you can also add your own claim.
PROXY_USER_CS3_CLAIM	string	username	The name of a CS3 user attribute (claim) that should be mapped to the ‘user_oidc_claim’. Supported values are ‘username’, ‘mail’ and ‘userid’.
OCIS_MACHINE_AUTH_API_KEY PROXY_MACHINE_AUTH_API_KEY	string		Machine auth API key used to validate internal requests necessary to access resources from other services.
PROXY_AUTOPROVISION_ACCOUNTS	bool	false	Set this to ’true’ to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running.
PROXY_AUTOPROVISION_CLAIM_USERNAME	string	preferred_username	The name of the OIDC claim that holds the username.
PROXY_AUTOPROVISION_CLAIM_EMAIL	string	email	The name of the OIDC claim that holds the email.
PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME	string	name	The name of the OIDC claim that holds the display name.
PROXY_AUTOPROVISION_CLAIM_GROUPS	string	groups	The name of the OIDC claim that holds the groups.
PROXY_ENABLE_BASIC_AUTH	bool	false	Set this to true to enable ‘basic authentication’ (username/password).
PROXY_INSECURE_BACKENDS	bool	false	Disable TLS certificate validation for all HTTP backend connections.
PROXY_HTTPS_CACERT	string		Path/File for the root CA certificate used to validate the server’s TLS certificate for https enabled backend services.
PROXY_ENABLE_APP_AUTH	bool	false	Allow app authentication. This can be used to authenticate 3rd party applications. Note that auth-app service must be running for this feature to work.
PROXY_POLICIES_QUERY	string		Defines the ‘Complete Rules’ variable defined in the rego rule set this step uses for its evaluation. Rules default to deny if the variable was not found.
PROXY_CSP_CONFIG_FILE_LOCATION	string		The location of the CSP configuration file.
OCIS_EVENTS_ENDPOINT PROXY_EVENTS_ENDPOINT	string	127.0.0.1:9233	The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.
OCIS_EVENTS_CLUSTER PROXY_EVENTS_CLUSTER	string	ocis-cluster	The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.
OCIS_INSECURE PROXY_EVENTS_TLS_INSECURE	bool	false	Whether to verify the server TLS certificates.
OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE	string		The root CA certificate used to validate the server’s TLS certificate. If provided PROXY_EVENTS_TLS_INSECURE will be seen as false.
OCIS_EVENTS_ENABLE_TLS PROXY_EVENTS_ENABLE_TLS	bool	false	Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.
OCIS_EVENTS_AUTH_USERNAME PROXY_EVENTS_AUTH_USERNAME	string		The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.
OCIS_EVENTS_AUTH_PASSWORD PROXY_EVENTS_AUTH_PASSWORD	string		The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.