Config File

Config File #

You can generate a config file by running forwarder <command> config-file for any command.

forwarder run #


# --- Server options ---

# address <host:port>
#
# The server address to listen on. If the host is empty, the server will listen
# on all available interfaces.
#address: :3128

# basic-auth <username[:password]>
#
# Basic authentication credentials to protect the server.
#basic-auth: 

# credentials <username[:password]@host:port,...>
#
# Site or upstream proxy basic authentication credentials. The host and port can
# be set to "*" to match all hosts and ports respectively. The flag can be
# specified multiple times to add multiple credentials.
#credentials: 

# idle-timeout <duration>
#
# The maximum amount of time to wait for the next request before closing
# connection.
#idle-timeout: 1h0m0s

# name <string>
#
# Name of this proxy instance. This value is used in the Via header in requests.
# The name value in Via header is extended with a random string to avoid
# collisions when several proxies are chained.
#name: forwarder

# protocol <http|https>
#
# The server protocol. For https and h2 protocols, if TLS certificate is not
# specified, the server will use a self-signed certificate.
#protocol: http

# proxy-protocol-listener <value>
#
# The PROXY protocol is used to correctly read the client's IP address. When
# enabled the proxy will expect the client to send the PROXY protocol header
# before the actual request. PROXY protocol version 1 and 2 are supported.
#proxy-protocol-listener: false

# proxy-protocol-read-header-timeout <duration>
#
# The amount of time to wait for PROXY protocol header. Zero means no limit.
#proxy-protocol-read-header-timeout: 5s

# read-header-timeout <duration>
#
# The amount of time allowed to read request headers.
#read-header-timeout: 1m0s

# read-limit <bandwidth>
#
# Global read rate limit in bytes per second i.e. how many bytes per second you
# can receive from a proxy. Accepts binary format (e.g. 1.5Ki, 1Mi, 3.6Gi).
#read-limit: 0

# shutdown-timeout <duration>
#
# The maximum amount of time to wait for the server to drain connections before
# closing. Zero means no limit.
#shutdown-timeout: 30s

# tls-cert-file <path or base64>
#
# TLS certificate to use if the server protocol is https or h2. 
# 
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#tls-cert-file: 

# tls-handshake-timeout <duration>
#
# The maximum amount of time to wait for a TLS handshake before closing
# connection. Zero means no limit.
#tls-handshake-timeout: 10s

# tls-key-file <path or base64>
#
# TLS private key to use if the server protocol is https or h2. 
# 
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#tls-key-file: 

# write-limit <bandwidth>
#
# Global write rate limit in bytes per second i.e. how many bytes per second you
# can send to proxy. Accepts binary format (e.g. 1.5Ki, 1Mi, 3.6Gi).
#write-limit: 0

# --- Proxy options ---

# connect-header <header>
#
# Add or remove CONNECT request headers. See the documentation for the -H,
# --header flag for more details on the format.
#connect-header: 

# deny-domains [-]<regexp>,...
#
# Deny requests to the specified domains. Prefix domains with '-' to exclude
# requests to certain domains from being denied.
#deny-domains: 

# direct-domains [-]<regexp>,...
#
# Connect directly to the specified domains without using the upstream proxy.
# Prefix domains with '-' to exclude requests to certain domains from being
# directed. This flag takes precedence over the PAC script.
#direct-domains: 

# header <header>
#
# Add or remove HTTP request headers. 
# 
# Use the format:
# - name:value to add a header
# - name; to set the header to empty value
# - -name to remove the header
# - -name* to remove headers by prefix
# 
# The header name will be normalized to canonical form. The header value should
# not contain any newlines or carriage returns. The flag can be specified
# multiple times. The following example removes the User-Agent header and all
# headers starting with X-. 
# 
# -H "-User-Agent" -H "-X-*"
#header: 

# pac <path or URL>
#
# Proxy Auto-Configuration file to use for upstream proxy selection. 
# 
# Syntax:
# - File: /path/to/file.pac
# - URL: http://example.com/proxy.pac
# - Embed: data:base64,<base64 encoded data>
# - Stdin: -
#pac: 

# proxy <[protocol://]host:port>
#
# Upstream proxy to use. The supported protocols are: http, https, socks5. No
# protocol specified will be treated as HTTP proxy. The basic authentication
# username and password can be specified in the host string e.g.
# user:pass@host:port. Alternatively, you can use the -c, --credentials flag to
# specify the credentials. If both are specified, the proxy flag takes
# precedence.
#proxy: 

# proxy-header <header>
#
#
# DEPRECATED: use --connect-header flag instead
#proxy-header: 

# proxy-localhost <allow|deny|direct>
#
# Setting this to allow enables sending requests to localhost through the
# upstream proxy. Setting this to direct sends requests to localhost directly
# without using the upstream proxy. By default, requests to localhost are
# denied.
#proxy-localhost: deny

# response-header <header>
#
# Add or remove HTTP headers on the received response before sending it to the
# client. See the documentation for the -H, --header flag for more details on
# the format.
#response-header: 

# --- MITM options ---

# mitm <value>
#
# Enable Man-in-the-Middle (MITM) mode. It only works with HTTPS requests,
# HTTP/2 is not supported. MITM is enabled by default when the
# --mitm-cacert-file flag is set. If the CA certificate is not provided MITM
# uses a generated CA certificate. The CA certificate used can be retrieved from
# the API server.
#mitm: false

# mitm-cacert-file <path or base64>
#
# CA certificate file to use for generating MITM certificates. If the file is
# not specified, a generated CA certificate will be used. See the documentation
# for the --mitm flag for more details. 
# 
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#mitm-cacert-file: 

# mitm-cache-size <size>
#
# Maximum number of certificates to cache. If the cache is full, the least
# recently used certificate is removed.
#mitm-cache-size: 1024

# mitm-cache-ttl <duration>
#
# Expiration time of the cached certificates.
#mitm-cache-ttl: 6h0m0s

# mitm-cakey-file <path or base64>
#
# CA key file to use for generating MITM certificates.
#mitm-cakey-file: 

# mitm-domains [-]<regexp>,...
#
# Limit MITM to the specified domains. Prefix domains with '-' to exclude
# requests to certain domains from being MITMed.
#mitm-domains: 

# mitm-org <name>
#
# Organization name to use in the generated MITM certificates.
#mitm-org: Forwarder Proxy MITM

# mitm-validity <duration>
#
# Validity period of the generated MITM certificates.
#mitm-validity: 24h0m0s

# --- DNS options ---

# dns-round-robin <value>
#
# If more than one DNS server is specified with the --dns-server flag, passing
# this flag will enable round-robin selection.
#dns-round-robin: false

# dns-server <ip>[:<port>]
#
# DNS server(s) to use instead of system default. There are two execution
# policies, when more then one server is specified. Fallback: the first server
# in a list is used as primary, the rest are used as fallbacks. Round robin: the
# servers are used in a round-robin fashion. The port is optional, if not
# specified the default port is 53.
#dns-server: 

# dns-timeout <duration>
#
# Timeout for dialing DNS servers. Only used if DNS servers are specified.
#dns-timeout: 5s

# --- HTTP client options ---

# cacert-file <path or base64>
#
# Add your own CA certificates to verify against. The system root certificates
# will be used in addition to any certificates in this list. Use this flag
# multiple times to specify multiple CA certificate files.
# 
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#cacert-file: 

# connect-to <HOST1:PORT1:HOST2:PORT2>,...
#
# For a request to the given HOST1:PORT1 pair, connect to HOST2:PORT2 instead.
# This option is suitable to direct requests at a specific server, e.g. at a
# specific cluster node in a cluster of servers. This option is only used to
# establish the network connection and does not work when request is routed
# using an upstream proxy. It does NOT affect the hostname/port that is used for
# TLS/SSL (e.g. SNI, certificate verification) or for the application protocols.
# HOST1 and PORT1 may be the empty string, meaning any host/port. HOST2 and
# PORT2 may also be the empty string, meaning use the request's original
# host/port.
#connect-to: 

# http-dial-attempts <int>
#
# The number of attempts to dial the network address.
#http-dial-attempts: 3

# http-dial-backoff <duration>
#
# The amount of time to wait between dial attempts.
#http-dial-backoff: 1s

# http-dial-timeout <duration>
#
# The maximum amount of time a dial will wait for a connect to complete. With or
# without a timeout, the operating system may impose its own earlier timeout.
# For instance, TCP timeouts are often around 3 minutes.
#http-dial-timeout: 25s

# http-idle-conn-timeout <duration>
#
# The maximum amount of time an idle (keep-alive) connection will remain idle
# before closing itself. Zero means no limit.
#http-idle-conn-timeout: 1m30s

# http-response-header-timeout <duration>
#
# The amount of time to wait for a server's response headers after fully writing
# the request (including its body, if any).This time does not include the time
# to read the response body. Zero means no limit.
#http-response-header-timeout: 0s

# http-tls-handshake-timeout <duration>
#
# The maximum amount of time waiting to wait for a TLS handshake. Zero means no
# limit.
#http-tls-handshake-timeout: 10s

# http-tls-keylog-file <path>
#
# File to log TLS master secrets in NSS key log format. By default, the value is
# taken from the SSLKEYLOGFILE environment variable. It can be used to allow
# external programs such as Wireshark to decrypt TLS connections.
#http-tls-keylog-file: 

# insecure <value>
#
# Don't verify the server's certificate chain and host name. Enable to work with
# self-signed certificates.
#insecure: false

# --- API server options ---

# api-address <host:port>
#
# The server address to listen on. If the host is empty, the server will listen
# on all available interfaces.
#api-address: localhost:10000

# api-basic-auth <username[:password]>
#
# Basic authentication credentials to protect the server.
#api-basic-auth: 

# api-idle-timeout <duration>
#
# The maximum amount of time to wait for the next request before closing
# connection.
#api-idle-timeout: 1h0m0s

# api-read-header-timeout <duration>
#
# The amount of time allowed to read request headers.
#api-read-header-timeout: 1m0s

# api-read-limit <bandwidth>
#
# Global read rate limit in bytes per second i.e. how many bytes per second you
# can receive from a proxy. Accepts binary format (e.g. 1.5Ki, 1Mi, 3.6Gi).
#api-read-limit: 0

# api-shutdown-timeout <duration>
#
# The maximum amount of time to wait for the server to drain connections before
# closing. Zero means no limit.
#api-shutdown-timeout: 30s

# api-write-limit <bandwidth>
#
# Global write rate limit in bytes per second i.e. how many bytes per second you
# can send to proxy. Accepts binary format (e.g. 1.5Ki, 1Mi, 3.6Gi).
#api-write-limit: 0

# --- Logging options ---

# log-file <path>
#
# Path to the log file, if empty, logs to stdout. The file is reopened on SIGHUP
# to allow log rotation using external tools.
#log-file: 

# log-http [api|proxy:]<none|short-url|url|headers|body|errors>,... 
#
# HTTP request and response logging mode. 
# 
# Modes: 
# - none: no logging
# - short-url: logs [scheme://]host[/path] instead of the full URL
# - url: logs the full URL including query parameters
# - headers: logs request line and headers
# - body: logs request line, headers, and body
# - errors: logs request line and headers if status code is greater than or
# equal to 500
# 
# Modes for different modules can be specified separated by commas. The
# following example specifies that the API module logs errors, the proxy module
# logs headers, and anything else logs full URL. 
# 
# --log-http=api:errors,proxy:headers,url
#log-http: errors

# log-http-request-id-header <name>
#
# If the header is present in the request, the proxy will associate the value
# with the request in the logs.
#log-http-request-id-header: X-Request-Id

# log-level <error|info|debug>
#
# Log level.
#log-level: info

forwarder pac eval #


# --- Proxy options ---

# pac <path or URL>
#
# Proxy Auto-Configuration file to use for upstream proxy selection. 
# 
# Syntax:
# - File: /path/to/file.pac
# - URL: http://example.com/proxy.pac
# - Embed: data:base64,<base64 encoded data>
# - Stdin: -
#pac: file://pac.js

# --- DNS options ---

# dns-round-robin <value>
#
# If more than one DNS server is specified with the --dns-server flag, passing
# this flag will enable round-robin selection.
#dns-round-robin: false

# dns-server <ip>[:<port>]
#
# DNS server(s) to use instead of system default. There are two execution
# policies, when more then one server is specified. Fallback: the first server
# in a list is used as primary, the rest are used as fallbacks. Round robin: the
# servers are used in a round-robin fashion. The port is optional, if not
# specified the default port is 53.
#dns-server: 

# dns-timeout <duration>
#
# Timeout for dialing DNS servers. Only used if DNS servers are specified.
#dns-timeout: 5s

# --- HTTP client options ---

# cacert-file <path or base64>
#
# Add your own CA certificates to verify against. The system root certificates
# will be used in addition to any certificates in this list. Use this flag
# multiple times to specify multiple CA certificate files.
# 
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#cacert-file: 

# http-dial-attempts <int>
#
# The number of attempts to dial the network address.
#http-dial-attempts: 3

# http-dial-backoff <duration>
#
# The amount of time to wait between dial attempts.
#http-dial-backoff: 1s

# http-dial-timeout <duration>
#
# The maximum amount of time a dial will wait for a connect to complete. With or
# without a timeout, the operating system may impose its own earlier timeout.
# For instance, TCP timeouts are often around 3 minutes.
#http-dial-timeout: 25s

# http-idle-conn-timeout <duration>
#
# The maximum amount of time an idle (keep-alive) connection will remain idle
# before closing itself. Zero means no limit.
#http-idle-conn-timeout: 1m30s

# http-response-header-timeout <duration>
#
# The amount of time to wait for a server's response headers after fully writing
# the request (including its body, if any).This time does not include the time
# to read the response body. Zero means no limit.
#http-response-header-timeout: 0s

# http-tls-handshake-timeout <duration>
#
# The maximum amount of time waiting to wait for a TLS handshake. Zero means no
# limit.
#http-tls-handshake-timeout: 10s

# http-tls-keylog-file <path>
#
# File to log TLS master secrets in NSS key log format. By default, the value is
# taken from the SSLKEYLOGFILE environment variable. It can be used to allow
# external programs such as Wireshark to decrypt TLS connections.
#http-tls-keylog-file: 

# insecure <value>
#
# Don't verify the server's certificate chain and host name. Enable to work with
# self-signed certificates.
#insecure: false

forwarder pac server #


# --- Server options ---

# address <host:port>
#
# The server address to listen on. If the host is empty, the server will listen
# on all available interfaces.
#address: :8080

# basic-auth <username[:password]>
#
# Basic authentication credentials to protect the server.
#basic-auth: 

# idle-timeout <duration>
#
# The maximum amount of time to wait for the next request before closing
# connection.
#idle-timeout: 1h0m0s

# protocol <http|https|h2>
#
# The server protocol. For https and h2 protocols, if TLS certificate is not
# specified, the server will use a self-signed certificate.
#protocol: http

# read-header-timeout <duration>
#
# The amount of time allowed to read request headers.
#read-header-timeout: 1m0s

# read-limit <bandwidth>
#
# Global read rate limit in bytes per second i.e. how many bytes per second you
# can receive from a proxy. Accepts binary format (e.g. 1.5Ki, 1Mi, 3.6Gi).
#read-limit: 0

# shutdown-timeout <duration>
#
# The maximum amount of time to wait for the server to drain connections before
# closing. Zero means no limit.
#shutdown-timeout: 30s

# tls-cert-file <path or base64>
#
# TLS certificate to use if the server protocol is https or h2. 
# 
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#tls-cert-file: 

# tls-handshake-timeout <duration>
#
# The maximum amount of time to wait for a TLS handshake before closing
# connection. Zero means no limit.
#tls-handshake-timeout: 0s

# tls-key-file <path or base64>
#
# TLS private key to use if the server protocol is https or h2. 
# 
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#tls-key-file: 

# write-limit <bandwidth>
#
# Global write rate limit in bytes per second i.e. how many bytes per second you
# can send to proxy. Accepts binary format (e.g. 1.5Ki, 1Mi, 3.6Gi).
#write-limit: 0

# --- Proxy options ---

# pac <path or URL>
#
# Proxy Auto-Configuration file to use for upstream proxy selection. 
# 
# Syntax:
# - File: /path/to/file.pac
# - URL: http://example.com/proxy.pac
# - Embed: data:base64,<base64 encoded data>
# - Stdin: -
#pac: file://pac.js

# --- DNS options ---

# dns-round-robin <value>
#
# If more than one DNS server is specified with the --dns-server flag, passing
# this flag will enable round-robin selection.
#dns-round-robin: false

# dns-server <ip>[:<port>]
#
# DNS server(s) to use instead of system default. There are two execution
# policies, when more then one server is specified. Fallback: the first server
# in a list is used as primary, the rest are used as fallbacks. Round robin: the
# servers are used in a round-robin fashion. The port is optional, if not
# specified the default port is 53.
#dns-server: 

# dns-timeout <duration>
#
# Timeout for dialing DNS servers. Only used if DNS servers are specified.
#dns-timeout: 5s

# --- HTTP client options ---

# cacert-file <path or base64>
#
# Add your own CA certificates to verify against. The system root certificates
# will be used in addition to any certificates in this list. Use this flag
# multiple times to specify multiple CA certificate files.
# 
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#cacert-file: 

# http-dial-attempts <int>
#
# The number of attempts to dial the network address.
#http-dial-attempts: 3

# http-dial-backoff <duration>
#
# The amount of time to wait between dial attempts.
#http-dial-backoff: 1s

# http-dial-timeout <duration>
#
# The maximum amount of time a dial will wait for a connect to complete. With or
# without a timeout, the operating system may impose its own earlier timeout.
# For instance, TCP timeouts are often around 3 minutes.
#http-dial-timeout: 25s

# http-idle-conn-timeout <duration>
#
# The maximum amount of time an idle (keep-alive) connection will remain idle
# before closing itself. Zero means no limit.
#http-idle-conn-timeout: 1m30s

# http-response-header-timeout <duration>
#
# The amount of time to wait for a server's response headers after fully writing
# the request (including its body, if any).This time does not include the time
# to read the response body. Zero means no limit.
#http-response-header-timeout: 0s

# http-tls-handshake-timeout <duration>
#
# The maximum amount of time waiting to wait for a TLS handshake. Zero means no
# limit.
#http-tls-handshake-timeout: 10s

# http-tls-keylog-file <path>
#
# File to log TLS master secrets in NSS key log format. By default, the value is
# taken from the SSLKEYLOGFILE environment variable. It can be used to allow
# external programs such as Wireshark to decrypt TLS connections.
#http-tls-keylog-file: 

# insecure <value>
#
# Don't verify the server's certificate chain and host name. Enable to work with
# self-signed certificates.
#insecure: false

# --- Logging options ---

# log-file <path>
#
# Path to the log file, if empty, logs to stdout. The file is reopened on SIGHUP
# to allow log rotation using external tools.
#log-file: 

# log-http <none|short-url|url|headers|body|errors>,... 
#
# HTTP request and response logging mode. 
# 
# Modes: 
# - none: no logging
# - short-url: logs [scheme://]host[/path] instead of the full URL
# - url: logs the full URL including query parameters
# - headers: logs request line and headers
# - body: logs request line, headers, and body
# - errors: logs request line and headers if status code is greater than or
# equal to 500
# 
# Modes for different modules can be specified separated by commas. The
# following example specifies that the API module logs errors, the proxy module
# logs headers, and anything else logs full URL. 
# 
# --log-http=api:errors,proxy:headers,url
#log-http: errors

# log-level <error|info|debug>
#
# Log level.
#log-level: info

forwarder ready #


# --- API server options ---

# api-address <host:port>
#
# The API server address.
#api-address: localhost:10000

© 2024 Sauce Labs Inc.