Static Configuration Reference

Below you can find possible contents (not exhaustive) of Heimdall's config.yaml file. Head over to the configuration documentation for a detailed explanation.

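---
# Static configuration for Heimdall. Every host, path, URL and credential below
# is an illustrative placeholder, and the key set is not exhaustive.
serve:
  # Listener answering external authorization (decision) requests.
  decision:
    host: 127.0.0.1
    port: 4468
    # NOTE(review): verbose errors presumably return internal error details to
    # the caller; keep this false on a listener reachable by untrusted clients.
    verbose_errors: true
    timeout:
      read: 2s
      write: 5s
      idle: 2m
    cors:
      # Origins are listed explicitly; credentials plus a wildcard origin
      # would be an unsafe CORS combination.
      allowed_origins:
        - example.org
      allowed_methods:
        - GET
        - POST
      allowed_headers:
        - Authorization
      exposed_headers:
        - X-My-Header
      allow_credentials: true
      max_age: 1m
    tls:
      key: /path/to/key/file.pem
      cert: /path/to/cert/file.pem
      # No min_version is set here; compare the proxy and management listeners.
    # Only list proxies that actually terminate client connections in front of
    # Heimdall — forwarded client information is presumably trusted from them.
    trusted_proxies:
      - 192.168.1.0/24

  # Listener acting as a reverse proxy in front of the upstream service.
  proxy:
    host: 127.0.0.1
    port: 4469
    verbose_errors: false
    timeout:
      read: 2s
      write: 5s
      idle: 2m
    cors:
      allowed_origins:
        - example.org
      allowed_methods:
        - GET
        - POST
      allowed_headers:
        - Authorization
      exposed_headers:
        - X-My-Header
      allow_credentials: true
      max_age: 1m
    tls:
      key: /path/to/key/file.pem
      cert: /path/to/cert/file.pem
      min_version: TLS1.2
      # All four suites use ECDHE key exchange with an AEAD cipher
      # (AES-GCM or ChaCha20-Poly1305).
      cipher_suites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    trusted_proxies:
      - 192.168.1.0/24

  # Management listener (health, metadata and similar endpoints).
  management:
    host: 127.0.0.1
    port: 4457
    verbose_errors: false
    timeout:
      read: 2s
      write: 5s
      idle: 2m
    cors:
      allowed_origins:
        - example.org
      allowed_methods:
        - GET
        - POST
      allowed_headers:
        - Authorization
      exposed_headers:
        - X-My-Header
      allow_credentials: true
      max_age: 1m
    tls:
      key: /path/to/key/file.pem
      cert: /path/to/cert/file.pem
      min_version: TLS1.2

log:
  # debug is a development setting; production logs at this level may
  # contain request details you do not want retained.
  level: debug
  format: text

tracing:
  enabled: true
  span_processor: batch

metrics:
  prometheus:
    # 0.0.0.0 binds every interface; restrict the host or firewall the port
    # so the metrics endpoint is not reachable from outside the monitoring net.
    host: 0.0.0.0
    port: 9000
    metrics_path: /metrics

# Key material used to sign tokens issued by Heimdall.
signer:
  name: foobar
  key_store: /opt/heimdall/keystore.pem
  # Placeholder — do not commit a real key-store password; inject it from a
  # secret store or environment at deployment time.
  password: VeryInsecure!
  key_id: foo

pipeline:
  authenticators:
    - id: noop_authenticator
      type: noop
    - id: anonymous_authenticator
      type: anonymous
    - id: unauthorized_authenticator
      type: unauthorized
    - id: foo
      type: basic_auth
      config:
        # Placeholder credentials; keep real values out of version control.
        user_id: bar
        password: baz
        allow_fallback_on_error: true
    - id: kratos_session_authenticator
      type: generic
      config:
        identity_info_endpoint:
          url: http://127.0.0.1:4433/sessions/whoami
          retry:
            max_delay: 300ms
            give_up_after: 2s
        # The session cookie is forwarded to the endpoint above; plain http is
        # only acceptable on a loopback or otherwise protected link.
        authentication_data_source:
          - cookie: ory_kratos_session
        subject:
          attributes: "@this"
          id: "identity.id"
        allow_fallback_on_error: true
    - id: hydra_authenticator
      type: oauth2_introspection
      config:
        introspection_endpoint:
          # Introspection requests carry both the basic_auth credentials below
          # and the client token; use https outside local testing.
          url: http://hydra:4445/oauth2/introspect
          retry:
            max_delay: 300ms
            give_up_after: 2s
          auth:
            type: basic_auth
            config:
              user: foo
              password: bar
        # Token is accepted from the header, the query string or the body.
        # Query-string tokens tend to end up in access logs; prefer the header.
        token_source:
          - header: Authorization
            schema: Bearer
          - query_parameter: access_token
          - body_parameter: access_token
        assertions:
          issuers:
            - http://127.0.0.1:4444/
          scopes:
            - foo
            - bar
          audience:
            - bla
        subject:
          attributes: "@this"
          id: "sub"
        allow_fallback_on_error: true
    - id: jwt_authenticator
      type: jwt
      config:
        jwks_endpoint:
          # Keys fetched over plain http (and cached) could be substituted on
          # the wire; point this at an https URL in real deployments.
          url: http://foo/token
          method: GET
          enable_http_cache: true
        jwt_source:
          - header: Authorization
            schema: Bearer
          - query_parameter: access_token
          - body_parameter: access_token
        assertions:
          audience:
            - bla
          scopes:
            - foo
          # Pinning the accepted algorithms stops a token from selecting
          # a weaker one than the issuer uses.
          allowed_algorithms:
            - RSA
          issuers:
            - bla
        subject:
          attributes: "@this"
          id: "identity.id"
        cache_ttl: 5m
        allow_fallback_on_error: true

  authorizers:
    - id: allow_all_authorizer
      type: allow
    - id: deny_all_authorizer
      type: deny
    - id: keto_authorizer
      type: remote
      config:
        endpoint:
          url: http://keto
          method: POST
          headers:
            # Subject ID is templated into a request header sent to keto.
            foo-bar: "{{ .Subject.ID }}"
        payload: "https://bla.bar"
        # The decision is made by evaluating this script against the response.
        script: "heimdall.Payload.response === true"
        forward_response_headers_to_upstream:
          - bla-bar
    - id: attributes_based_authorizer
      type: local
      config:
        script: "console.log('New JS script')"

  hydrators:
    - id: subscription_hydrator
      type: generic
      config:
        endpoint:
          url: http://foo.bar
          method: GET
          headers:
            bla: bla
        payload: http://foo
    - id: profile_data_hydrator
      type: generic
      config:
        endpoint:
          url: http://profile
          headers:
            foo: bar

  mutators:
    - id: jwt
      type: jwt
      config:
        ttl: 5m
        # `quote` wraps the subject ID so the rendered claims stay well-formed
        # even if the ID contains characters special to the template output.
        claims: "{'user': {{ quote .Subject.ID }} }"
    - id: bla
      type: header
      config:
        headers:
          foo-bar: bla
    - id: blabla
      type: cookie
      config:
        cookies:
          foo-bar: '{{ .Subject.ID }}'

  error_handlers:
    - id: default
      type: default
    - id: authenticate_with_kratos
      type: redirect
      config:
        to: http://127.0.0.1:4433/self-service/login/browser
        return_to_query_parameter: return_to
        # Each `when` entry pairs the error conditions with request conditions;
        # sequences use the same indented style as the rest of the file.
        when:
          - error:
              - type: authentication_error
                raised_by: kratos_session_authenticator
              - type: authorization_error
            request_headers:
              Accept:
                - '*/*'

rules:
  default:
    methods:
      - GET
      - POST
    execute:
      - authenticator: anonymous_authenticator
      - mutator: jwt
    on_error:
      - error_handler: authenticate_with_kratos

  providers:
    file_system:
      src: test_rules.yaml
      watch: true

    http_endpoint:
      watch_interval: 5m
      endpoints:
        - url: http://foo.bar/ruleset1
          expected_path_prefix: /foo/bar
          enable_http_cache: false
        - url: http://foo.bar/ruleset2
          retry:
            give_up_after: 5s
            max_delay: 250ms
          auth:
            type: api_key
            config:
              name: X-Api-Key
              # Placeholder — supply the real key from a secret store.
              value: super-secret
              in: header
          header:
            X-Customer-Header: Some Value

    cloud_blob:
      watch_interval: 1m
      buckets:
        - url: gs://my-bucket
          prefix: service1
          rule_path_match_prefix: /service1
        - url: azblob://my-bucket
          prefix: service2
          rule_path_match_prefix: /service2
        - url: s3://my-bucket/my-rule-set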

Last updated on Nov 9, 2022