Skip to content

Commit dd4cf66

Browse files
damncabbagedamncabbage
authored
Merge pull request #244 from cipherstash/rh/tls-docs
docs: Adds TLS and Docker configuration docs.
2 parents 7b40e18 + 939a4cf commit dd4cf66

1 file changed

Lines changed: 41 additions & 14 deletions

File tree

docs/reference.md

Lines changed: 41 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ This page contains reference documentation for configuring CipherStash Proxy and
66

77
- [Proxy config options](#proxy-config-options)
88
- [Recommended settings for development](#recommended-settings-for-development)
9+
- [Docker-specific configuration](#docker-specific-configuration)
910
- [Prometheus metrics](#prometheus-metrics)
1011
- [Available metrics](#available-metrics)
1112
- [Supported architectures](#supported-architectures)
@@ -32,7 +33,7 @@ host = "0.0.0.0"
3233
# Env: CS_SERVER__PORT
3334
port = "6432"
3435

35-
# Enforce TLS connections
36+
# Enforce TLS connections from the Client to Proxy
3637
# Optional
3738
# Default: `false`
3839
# Env: CS_SERVER__REQUIRE_TLS
@@ -57,7 +58,7 @@ worker_threads = "4"
5758
# Env: CS_SERVER__THREAD_STACK_SIZE
5859
thread_stack_size = "2097152"
5960

60-
61+
### Proxy -> Backing database connection settings
6162
[database]
6263
# Database host address
6364
# Optional
@@ -92,7 +93,7 @@ password = "password"
9293
# Env: CS_DATABASE__CONNECTION_TIMEOUT
9394
connection_timeout = "300000"
9495

95-
# Enable TLS verification
96+
# Enable TLS verification between Proxy and the backing database.
9697
# Optional
9798
# Default: `false`
9899
# Env: CS_DATABASE__WITH_TLS_VERIFICATION
@@ -115,22 +116,30 @@ config_reload_interval = "60"
115116
schema_reload_interval = "60"
116117

117118

119+
### Client->Proxy TLS Settings:
120+
# This section configures how the Proxy accepts connections from your client.
121+
# A Public Certificate and Private Key pair is required to correctly enable TLS.
122+
# Fill out:
123+
# - a Certificate Path and a Private Key Path, *or*
124+
# - a Certificate PEM string and a Private Key PEM string, *or*
125+
# - neither, removing this section, to disable Client->Proxy TLS.
126+
# (This is a misconfiguration if `require_tls` above is enabled.)
118127
[tls]
119-
# Certificate path
128+
# Path to the Public Certificate .crt file.
120129
# Env: CS_TLS__CERTIFICATE_PATH
121-
certificate_path = "./server.cert"
130+
certificate_path = "./server.crt"
122131

123-
# Private Key path
132+
# Path to the Private Key file.
124133
# Env: CS_TLS__PRIVATE_KEY_PATH
125134
private_key_path = "./server.key"
126135

127-
# Certificate path
136+
# The Public Certificate PEM as a string.
128137
# Env: CS_TLS__CERTIFICATE_PEM
129-
certificate_pem = "..."
138+
certificate_pem = "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----"
130139

131-
# Private Key path
140+
# The Private Key as a string.
132141
# Env: CS_TLS__PRIVATE_KEY_PEM
133-
private_key_pem = "..."
142+
private_key_pem = "-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----"
134143

135144

136145
[auth]
@@ -207,17 +216,35 @@ Although Proxy attempts to detect the environment and set a sensible default for
207216
To turn on human-friendly logging:
208217

209218
```bash
210-
CS_LOG__FORMAT = "pretty"
211-
CS_LOG__ANSI_ENABLED = "true"
219+
CS_LOG__FORMAT="pretty"
220+
CS_LOG__ANSI_ENABLED="true"
212221
```
213222

214223
If you are frequently changing the database schema or making updates to the column encryption configuration, it can be useful to reload the config and schema more frequently:
215224

216225
```bash
217-
CS_DATABASE__CONFIG_RELOAD_INTERVAL = "10"
218-
CS_DATABASE__SCHEMA_RELOAD_INTERVAL = "10"
226+
CS_DATABASE__CONFIG_RELOAD_INTERVAL="10"
227+
CS_DATABASE__SCHEMA_RELOAD_INTERVAL="10"
228+
```
229+
230+
### Docker-specific configuration
231+
232+
As a convenience for local development, if you use [Proxy's Docker container](../proxy.Dockerfile) with its default entrypoint and the below environment variables set, the EQL SQL will be applied to the database, and an example schema (for example, with the `users` table, from the [README Getting Started example](../README.md#getting-started)) will be loaded. These are turned on by default in the [development `docker-compose.yml`](../docker-compose.yml):
233+
234+
(It is not recommended to use either of these in production.)
235+
236+
```bash
237+
CS_DATABASE__INSTALL_EQL="true"
238+
CS_DATABASE__INSTALL_EXAMPLE_SCHEMA="true"
239+
```
240+
241+
As a convenience for production deployments, with the below environment variable set, the Proxy container will add the AWS RDS global certificate bundle to the operating system's set of trusted certificates. This is recommended when running Proxy on AWS.
242+
243+
```bash
244+
CS_DATABASE__INSTALL_AWS_RDS_CERT_BUNDLE="true"
219245
```
220246

247+
221248
## Prometheus metrics
222249

223250
To enable a Prometheus exporter on the default port (`9930`) use either:

0 commit comments

Comments
 (0)