diff --git a/services/proxy/README.md b/services/proxy/README.md index 8d27bc07e..397c69ca9 100644 --- a/services/proxy/README.md +++ b/services/proxy/README.md @@ -108,3 +108,11 @@ The `proxy` service can use a configured store via `PROXY_STORE_TYPE`. Possible 2. Though usually not necessary, a database name and a database table can be configured for event stores if the event store supports this. Generally not applicable for stores of type `in-memory`. These settings are blank by default which means that the standard settings of the configured store apply. 3. The proxy service can be scaled if not using `in-memory` stores and the stores are configured identically over all instances. 4. When using `redis-sentinel`, the Redis master to use is configured via `PROXY_OIDC_USERINFO_CACHE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`. + +## Special Settings + +When using the ocis IDP service instead of an external IDP: + +- Use the environment variable `OCIS_URL` to define how ocis can be accessed, mandatory use `https` as protocol for the URL. +- If no reverse proxy is set up, the `PROXY_TLS` environment variable **must** be set to `true` because the embedded `libreConnect` shipped with the IDP service has a hard check if the connection is on TLS and uses the HTTPS protocol. If this mismatches, an error will be logged and no connection from the client can be established. +- `PROXY_TLS` **can** be set to `false` if a reverse proxy is used and the OCIS_URL is terminated at the reverse proxy. When setting to `false`, the communication between the reverse proxy and ocis is not secured. If set to `true`, you must provide certificates. diff --git a/services/proxy/pkg/config/http.go b/services/proxy/pkg/config/http.go index d4d04d51e..fcb07dd8a 100644 --- a/services/proxy/pkg/config/http.go +++ b/services/proxy/pkg/config/http.go @@ -7,5 +7,5 @@ type HTTP struct { Namespace string `yaml:"-"` TLSCert string `yaml:"tls_cert" env:"PROXY_TRANSPORT_TLS_CERT" desc:"Path/File name of the TLS server certificate (in PEM format) for the external http services. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/proxy."` TLSKey string `yaml:"tls_key" env:"PROXY_TRANSPORT_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the external http services. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/proxy."` - TLS bool `yaml:"tls" env:"PROXY_TLS" desc:"Enable/Disable HTTPS for the external HTTP services."` + TLS bool `yaml:"tls" env:"PROXY_TLS" desc:"Enable/Disable HTTPS for external HTTP services. Must be set to 'true' if the built-in IDP service an no reverse proxy is used. See the text description for details."` }