pomerium/pkg/grpc/config/config.proto

syntax = "proto3";

package pomerium.config;
option go_package = "github.com/pomerium/pomerium/pkg/grpc/config";

import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "envoy/config/cluster/v3/cluster.proto";
import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto";

import "crypt/crypt.proto";

message Config {
  string name = 1;
  repeated Route routes = 2;
  Settings settings = 3;
}

message RouteRewriteHeader {
  string header = 1;
  oneof matcher { string prefix = 3; }
  string value = 2;
}

message RouteRedirect {
  optional bool https_redirect = 1;
  optional string scheme_redirect = 2;
  optional string host_redirect = 3;
  optional uint32 port_redirect = 4;
  optional string path_redirect = 5;
  optional string prefix_rewrite = 6;
  optional int32 response_code = 7;
  optional bool strip_query = 8;
}

message Route {
  enum AuthorizationHeaderMode {
    PASS_THROUGH = 0;
    ACCESS_TOKEN = 1;
    ID_TOKEN = 2;
  }

  string name = 1;

  string from = 2;
  repeated string to = 3;

  // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint_components.proto#envoy-v3-api-msg-config-endpoint-v3-lbendpoint
  // optional load balancing weights assigned to upstream servers defined in TO
  // if not specified, all upstream servers would be assigned the same weight
  // if provided, load_balancing_weights[i] >= 1 and len(to) ==
  // len(load_balancing_weights)
  repeated uint32 load_balancing_weights = 37;

  RouteRedirect redirect = 34;

  repeated string allowed_users = 4 [ deprecated = true ];
  repeated string allowed_groups = 5 [ deprecated = true ];
  repeated string allowed_domains = 6 [ deprecated = true ];
  map<string, google.protobuf.ListValue> allowed_idp_claims = 32
      [ deprecated = true ];

  string prefix = 7;
  string path = 8;
  string regex = 9;

  string prefix_rewrite = 29;
  string regex_rewrite_pattern = 30;
  string regex_rewrite_substitution = 31;

  bool cors_allow_preflight = 10;
  bool allow_public_unauthenticated_access = 11;
  bool allow_any_authenticated_user = 33;
  google.protobuf.Duration timeout = 12;
  google.protobuf.Duration idle_timeout = 43;
  bool allow_websockets = 13;
  bool allow_spdy = 44;

  bool tls_skip_verify = 14;
  string tls_server_name = 15;
  string tls_upstream_server_name = 57;
  string tls_downstream_server_name = 58;
  string tls_custom_ca = 16;
  string tls_custom_ca_file = 17;

  string tls_client_cert = 18;
  string tls_client_key = 19;
  string tls_client_cert_file = 20;
  string tls_client_key_file = 21;
  string tls_downstream_client_ca = 38;
  string tls_downstream_client_ca_file = 39;

  map<string, string> set_request_headers = 22;
  repeated string remove_request_headers = 23;
  map<string, string> set_response_headers = 41;
  repeated RouteRewriteHeader rewrite_response_headers = 40;
  AuthorizationHeaderMode set_authorization_header = 54;

  bool preserve_host_header = 24;
  bool pass_identity_headers = 25;

  string kubernetes_service_account_token = 26;
  bool enable_google_cloud_serverless_authentication = 42;

  envoy.config.cluster.v3.Cluster envoy_opts = 36;

  repeated Policy policies = 27;
  string id = 28;

  optional string host_rewrite = 50;
  optional string host_rewrite_header = 51;
  optional string host_path_regex_rewrite_pattern = 52;
  optional string host_path_regex_rewrite_substitution = 53;

  optional string idp_client_id = 55;
  optional string idp_client_secret = 56;
}

message Policy {
  string id = 1;
  string name = 2;
  repeated string allowed_users = 3;
  repeated string allowed_groups = 4;
  repeated string allowed_domains = 5;
  map<string, google.protobuf.ListValue> allowed_idp_claims = 7;
  repeated string rego = 6;
}

message Settings {
  message Certificate {
    string cert_file = 1;
    string key_file = 2;
    bytes cert_bytes = 3;
    bytes key_bytes = 4;
  }

  optional string installation_id = 71;
  optional bool debug = 2;
  optional string log_level = 3;
  optional string proxy_log_level = 4;
  optional string shared_secret = 5;
  optional string services = 6;
  optional string address = 7;
  optional bool insecure_server = 8;
  optional string dns_lookup_family = 60;
  repeated Certificate certificates = 9;
  optional string http_redirect_addr = 10;
  optional google.protobuf.Duration timeout_read = 11;
  optional google.protobuf.Duration timeout_write = 12;
  optional google.protobuf.Duration timeout_idle = 13;
  optional string authenticate_service_url = 14;
  optional string authenticate_internal_service_url = 82;
  optional string authenticate_callback_path = 15;
  optional string cookie_name = 16;
  optional string cookie_secret = 17;
  optional string cookie_domain = 18;
  optional bool cookie_secure = 19;
  optional bool cookie_http_only = 20;
  optional google.protobuf.Duration cookie_expire = 21;
  optional string idp_client_id = 22;
  optional string idp_client_secret = 23;
  optional string idp_provider = 24;
  optional string idp_provider_url = 25;
  repeated string scopes = 26;
  optional string idp_service_account = 27;
  optional google.protobuf.Duration idp_refresh_directory_timeout = 28;
  optional google.protobuf.Duration idp_refresh_directory_interval = 29;
  map<string, string> request_params = 30;
  repeated string authorize_service_urls = 32;
  optional string authorize_internal_service_url = 83;
  optional string override_certificate_name = 33;
  optional string certificate_authority = 34;
  optional string certificate_authority_file = 35;
  optional string signing_key = 36;
  map<string, string> set_response_headers = 69;
  // repeated string jwt_claims_headers = 37;
  map<string, string> jwt_claims_headers = 63;
  optional google.protobuf.Duration default_upstream_timeout = 39;
  optional string metrics_address = 40;
  optional string metrics_basic_auth = 64;
  optional Certificate metrics_certificate = 65;
  optional string metrics_client_ca = 66;
  optional string metrics_client_ca_file = 67;
  optional string tracing_provider = 41;
  optional double tracing_sample_rate = 42;
  optional string tracing_jaeger_collector_endpoint = 43;
  optional string tracing_jaeger_agent_endpoint = 44;
  optional string tracing_zipkin_endpoint = 45;
  optional string grpc_address = 46;
  optional bool grpc_insecure = 47;
  optional string forward_auth_url = 50;
  repeated string databroker_service_urls = 52;
  optional string databroker_internal_service_url = 84;
  optional string client_ca = 53;
  optional string client_ca_file = 54;
  optional string client_crl = 74;
  optional string client_crl_file = 75;
  optional string google_cloud_serverless_authentication_service_account = 55;
  optional bool autocert = 56;
  optional string autocert_ca = 76;
  optional string autocert_email = 77;
  optional string autocert_eab_key_id = 78;
  optional string autocert_eab_mac_key = 79;
  optional string autocert_trusted_ca = 80;
  optional string autocert_trusted_ca_file = 81;
  optional bool autocert_use_staging = 57;
  optional bool autocert_must_staple = 58;
  optional string autocert_dir = 59;
  optional bool skip_xff_append = 61;
  optional uint32 xff_num_trusted_hops = 70;
  repeated string programmatic_redirect_domain_whitelist = 68;
  optional pomerium.crypt.PublicKeyEncryptionKey audit_key = 72;
  optional envoy.extensions.filters.network.http_connection_manager.v3
      .HttpConnectionManager.CodecType codec_type = 73;
}