syntax = "proto3"; package pomerium.config; option go_package = "github.com/pomerium/pomerium/pkg/grpc/config"; import "google/protobuf/duration.proto"; import "google/protobuf/struct.proto"; import "envoy/config/cluster/v3/cluster.proto"; import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto"; import "crypt/crypt.proto"; message Config { string name = 1; repeated Route routes = 2; Settings settings = 3; } message RouteRewriteHeader { string header = 1; oneof matcher { string prefix = 3; } string value = 2; } message RouteRedirect { optional bool https_redirect = 1; optional string scheme_redirect = 2; optional string host_redirect = 3; optional uint32 port_redirect = 4; optional string path_redirect = 5; optional string prefix_rewrite = 6; optional int32 response_code = 7; optional bool strip_query = 8; } message Route { string name = 1; string from = 2; repeated string to = 3; // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint_components.proto#envoy-v3-api-msg-config-endpoint-v3-lbendpoint // optional load balancing weights assigned to upstream servers defined in TO // if not specified, all upstream servers would be assigned the same weight // if provided, load_balancing_weights[i] >= 1 and len(to) == // len(load_balancing_weights) repeated uint32 load_balancing_weights = 37; RouteRedirect redirect = 34; repeated string allowed_users = 4 [ deprecated = true ]; repeated string allowed_groups = 5 [ deprecated = true ]; repeated string allowed_domains = 6 [ deprecated = true ]; map allowed_idp_claims = 32 [ deprecated = true ]; string prefix = 7; string path = 8; string regex = 9; string prefix_rewrite = 29; string regex_rewrite_pattern = 30; string regex_rewrite_substitution = 31; bool cors_allow_preflight = 10; bool allow_public_unauthenticated_access = 11; bool allow_any_authenticated_user = 33; google.protobuf.Duration timeout = 12; google.protobuf.Duration idle_timeout = 43; bool allow_websockets = 13; bool allow_spdy = 44; bool tls_skip_verify = 14; string tls_server_name = 15; string tls_custom_ca = 16; string tls_custom_ca_file = 17; string tls_client_cert = 18; string tls_client_key = 19; string tls_client_cert_file = 20; string tls_client_key_file = 21; string tls_downstream_client_ca = 38; string tls_downstream_client_ca_file = 39; map set_request_headers = 22; repeated string remove_request_headers = 23; map set_response_headers = 41; repeated RouteRewriteHeader rewrite_response_headers = 40; bool preserve_host_header = 24; bool pass_identity_headers = 25; string kubernetes_service_account_token = 26; bool enable_google_cloud_serverless_authentication = 42; envoy.config.cluster.v3.Cluster envoy_opts = 36; repeated Policy policies = 27; string id = 28; } message Policy { string id = 1; string name = 2; repeated string allowed_users = 3; repeated string allowed_groups = 4; repeated string allowed_domains = 5; map allowed_idp_claims = 7; repeated string rego = 6; } message Settings { message Certificate { string cert_file = 1; string key_file = 2; bytes cert_bytes = 3; bytes key_bytes = 4; } optional string installation_id = 71; optional bool debug = 2; optional string log_level = 3; optional string proxy_log_level = 4; optional string shared_secret = 5; optional string services = 6; optional string address = 7; optional bool insecure_server = 8; optional string dns_lookup_family = 60; repeated Certificate certificates = 9; optional string http_redirect_addr = 10; optional google.protobuf.Duration timeout_read = 11; optional google.protobuf.Duration timeout_write = 12; optional google.protobuf.Duration timeout_idle = 13; optional string authenticate_service_url = 14; optional string authenticate_callback_path = 15; optional string cookie_name = 16; optional string cookie_secret = 17; optional string cookie_domain = 18; optional bool cookie_secure = 19; optional bool cookie_http_only = 20; optional google.protobuf.Duration cookie_expire = 21; optional string idp_client_id = 22; optional string idp_client_secret = 23; optional string idp_provider = 24; optional string idp_provider_url = 25; repeated string scopes = 26; optional string idp_service_account = 27; optional google.protobuf.Duration idp_refresh_directory_timeout = 28; optional google.protobuf.Duration idp_refresh_directory_interval = 29; map request_params = 30; repeated string authorize_service_urls = 32; optional string override_certificate_name = 33; optional string certificate_authority = 34; optional string certificate_authority_file = 35; optional string signing_key = 36; optional string signing_key_algorithm = 62; map set_response_headers = 69; // repeated string jwt_claims_headers = 37; map jwt_claims_headers = 63; optional google.protobuf.Duration default_upstream_timeout = 39; optional string metrics_address = 40; optional string metrics_basic_auth = 64; optional Certificate metrics_certificate = 65; optional string metrics_client_ca = 66; optional string metrics_client_ca_file = 67; optional string tracing_provider = 41; optional double tracing_sample_rate = 42; optional string tracing_jaeger_collector_endpoint = 43; optional string tracing_jaeger_agent_endpoint = 44; optional string tracing_zipkin_endpoint = 45; optional string grpc_address = 46; optional bool grpc_insecure = 47; optional string forward_auth_url = 50; repeated string databroker_service_urls = 52; optional string client_ca = 53; optional string client_ca_file = 54; optional string client_crl = 74; optional string client_crl_file = 75; optional string google_cloud_serverless_authentication_service_account = 55; optional bool autocert = 56; optional bool autocert_use_staging = 57; optional bool autocert_must_staple = 58; optional string autocert_dir = 59; optional bool skip_xff_append = 61; optional uint32 xff_num_trusted_hops = 70; repeated string programmatic_redirect_domain_whitelist = 68; optional pomerium.crypt.PublicKeyEncryptionKey audit_key = 72; optional envoy.extensions.filters.network.http_connection_manager.v3 .HttpConnectionManager.CodecType codec_type = 73; }