Config File #
You can generate a config file by running forwarder <command> config-file
for any command.
forwarder run #
# --- Server options ---
# address <host:port>
#
# The server address to listen on. If the host is empty, the server will listen
# on all available interfaces.
#address: :3128
# basic-auth <username[:password]>
#
# Basic authentication credentials to protect the server.
#basic-auth:
# credentials <username[:password]@host:port,...>
#
# Site or upstream proxy basic authentication credentials. The host and port can
# be set to "*" to match all hosts and ports respectively. The flag can be
# specified multiple times to add multiple credentials.
#credentials:
# idle-timeout <duration>
#
# The maximum amount of time to wait for the next request before closing
# connection.
#idle-timeout: 1h0m0s
# name <string>
#
# Name of this proxy instance. This value is used in the Via header in requests.
# The name value in Via header is extended with a random string to avoid
# collisions when several proxies are chained.
#name: forwarder
# protocol <http|https>
#
# The server protocol. For https and h2 protocols, if TLS certificate is not
# specified, the server will use a self-signed certificate.
#protocol: http
# proxy-protocol-listener <value>
#
# The PROXY protocol is used to correctly read the client's IP address. When
# enabled the proxy will expect the client to send the PROXY protocol header
# before the actual request. PROXY protocol version 1 and 2 are supported.
#proxy-protocol-listener: false
# proxy-protocol-read-header-timeout <duration>
#
# The amount of time to wait for PROXY protocol header. Zero means no limit.
#proxy-protocol-read-header-timeout: 5s
# read-header-timeout <duration>
#
# The amount of time allowed to read request headers.
#read-header-timeout: 1m0s
# read-limit <bandwidth>
#
# Global read rate limit in bytes per second i.e. how many bytes per second you
# can receive from a proxy. Accepts binary format (e.g. 1.5Ki, 1Mi, 3.6Gi).
#read-limit: 0
# shutdown-timeout <duration>
#
# The maximum amount of time to wait for the server to drain connections before
# closing. Zero means no limit.
#shutdown-timeout: 30s
# tls-cert-file <path or base64>
#
# TLS certificate to use if the server protocol is https or h2.
#
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#tls-cert-file:
# tls-handshake-timeout <duration>
#
# The maximum amount of time to wait for a TLS handshake before closing
# connection. Zero means no limit.
#tls-handshake-timeout: 10s
# tls-key-file <path or base64>
#
# TLS private key to use if the server protocol is https or h2.
#
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#tls-key-file:
# write-limit <bandwidth>
#
# Global write rate limit in bytes per second i.e. how many bytes per second you
# can send to proxy. Accepts binary format (e.g. 1.5Ki, 1Mi, 3.6Gi).
#write-limit: 0
# --- Proxy options ---
# connect-header <header>
#
# Add or remove CONNECT request headers. See the documentation for the -H,
# --header flag for more details on the format.
#connect-header:
# deny-domains [-]<regexp>,...
#
# Deny requests to the specified domains. Prefix domains with '-' to exclude
# requests to certain domains from being denied.
#deny-domains:
# direct-domains [-]<regexp>,...
#
# Connect directly to the specified domains without using the upstream proxy.
# Prefix domains with '-' to exclude requests to certain domains from being
# directed. This flag takes precedence over the PAC script.
#direct-domains:
# header <header>
#
# Add or remove HTTP request headers.
#
# Use the format:
# - name:value to add a header
# - name; to set the header to empty value
# - -name to remove the header
# - -name* to remove headers by prefix
#
# The header name will be normalized to canonical form. The header value should
# not contain any newlines or carriage returns. The flag can be specified
# multiple times. The following example removes the User-Agent header and all
# headers starting with X-.
#
# -H "-User-Agent" -H "-X-*"
#header:
# pac <path or URL>
#
# Proxy Auto-Configuration file to use for upstream proxy selection.
#
# Syntax:
# - File: /path/to/file.pac
# - URL: http://example.com/proxy.pac
# - Embed: data:base64,<base64 encoded data>
# - Stdin: -
#pac:
# proxy <[protocol://]host:port>
#
# Upstream proxy to use. The supported protocols are: http, https, socks5. No
# protocol specified will be treated as HTTP proxy. The basic authentication
# username and password can be specified in the host string e.g.
# user:pass@host:port. Alternatively, you can use the -c, --credentials flag to
# specify the credentials. If both are specified, the proxy flag takes
# precedence.
#proxy:
# proxy-header <header>
#
#
# DEPRECATED: use --connect-header flag instead
#proxy-header:
# proxy-localhost <allow|deny|direct>
#
# Setting this to allow enables sending requests to localhost through the
# upstream proxy. Setting this to direct sends requests to localhost directly
# without using the upstream proxy. By default, requests to localhost are
# denied.
#proxy-localhost: deny
# response-header <header>
#
# Add or remove HTTP headers on the received response before sending it to the
# client. See the documentation for the -H, --header flag for more details on
# the format.
#response-header:
# --- MITM options ---
# mitm <value>
#
# Enable Man-in-the-Middle (MITM) mode. It only works with HTTPS requests,
# HTTP/2 is not supported. MITM is enabled by default when the
# --mitm-cacert-file flag is set. If the CA certificate is not provided MITM
# uses a generated CA certificate. The CA certificate used can be retrieved from
# the API server.
#mitm: false
# mitm-cacert-file <path or base64>
#
# CA certificate file to use for generating MITM certificates. If the file is
# not specified, a generated CA certificate will be used. See the documentation
# for the --mitm flag for more details.
#
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#mitm-cacert-file:
# mitm-cache-size <size>
#
# Maximum number of certificates to cache. If the cache is full, the least
# recently used certificate is removed.
#mitm-cache-size: 1024
# mitm-cache-ttl <duration>
#
# Expiration time of the cached certificates.
#mitm-cache-ttl: 6h0m0s
# mitm-cakey-file <path or base64>
#
# CA key file to use for generating MITM certificates.
#mitm-cakey-file:
# mitm-domains [-]<regexp>,...
#
# Limit MITM to the specified domains. Prefix domains with '-' to exclude
# requests to certain domains from being MITMed.
#mitm-domains:
# mitm-org <name>
#
# Organization name to use in the generated MITM certificates.
#mitm-org: Forwarder Proxy MITM
# mitm-validity <duration>
#
# Validity period of the generated MITM certificates.
#mitm-validity: 24h0m0s
# --- DNS options ---
# dns-round-robin <value>
#
# If more than one DNS server is specified with the --dns-server flag, passing
# this flag will enable round-robin selection.
#dns-round-robin: false
# dns-server <ip>[:<port>]
#
# DNS server(s) to use instead of system default. There are two execution
# policies, when more then one server is specified. Fallback: the first server
# in a list is used as primary, the rest are used as fallbacks. Round robin: the
# servers are used in a round-robin fashion. The port is optional, if not
# specified the default port is 53.
#dns-server:
# dns-timeout <duration>
#
# Timeout for dialing DNS servers. Only used if DNS servers are specified.
#dns-timeout: 5s
# --- HTTP client options ---
# cacert-file <path or base64>
#
# Add your own CA certificates to verify against. The system root certificates
# will be used in addition to any certificates in this list. Use this flag
# multiple times to specify multiple CA certificate files.
#
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#cacert-file:
# connect-to <HOST1:PORT1:HOST2:PORT2>,...
#
# For a request to the given HOST1:PORT1 pair, connect to HOST2:PORT2 instead.
# This option is suitable to direct requests at a specific server, e.g. at a
# specific cluster node in a cluster of servers. This option is only used to
# establish the network connection and does not work when request is routed
# using an upstream proxy. It does NOT affect the hostname/port that is used for
# TLS/SSL (e.g. SNI, certificate verification) or for the application protocols.
# HOST1 and PORT1 may be the empty string, meaning any host/port. HOST2 and
# PORT2 may also be the empty string, meaning use the request's original
# host/port.
#connect-to:
# http-dial-attempts <int>
#
# The number of attempts to dial the network address.
#http-dial-attempts: 3
# http-dial-backoff <duration>
#
# The amount of time to wait between dial attempts.
#http-dial-backoff: 1s
# http-dial-timeout <duration>
#
# The maximum amount of time a dial will wait for a connect to complete. With or
# without a timeout, the operating system may impose its own earlier timeout.
# For instance, TCP timeouts are often around 3 minutes.
#http-dial-timeout: 25s
# http-idle-conn-timeout <duration>
#
# The maximum amount of time an idle (keep-alive) connection will remain idle
# before closing itself. Zero means no limit.
#http-idle-conn-timeout: 1m30s
# http-response-header-timeout <duration>
#
# The amount of time to wait for a server's response headers after fully writing
# the request (including its body, if any).This time does not include the time
# to read the response body. Zero means no limit.
#http-response-header-timeout: 0s
# http-tls-handshake-timeout <duration>
#
# The maximum amount of time waiting to wait for a TLS handshake. Zero means no
# limit.
#http-tls-handshake-timeout: 10s
# http-tls-keylog-file <path>
#
# File to log TLS master secrets in NSS key log format. By default, the value is
# taken from the SSLKEYLOGFILE environment variable. It can be used to allow
# external programs such as Wireshark to decrypt TLS connections.
#http-tls-keylog-file:
# insecure <value>
#
# Don't verify the server's certificate chain and host name. Enable to work with
# self-signed certificates.
#insecure: false
# --- API server options ---
# api-address <host:port>
#
# The server address to listen on. If the host is empty, the server will listen
# on all available interfaces.
#api-address: localhost:10000
# api-basic-auth <username[:password]>
#
# Basic authentication credentials to protect the server.
#api-basic-auth:
# api-idle-timeout <duration>
#
# The maximum amount of time to wait for the next request before closing
# connection.
#api-idle-timeout: 1h0m0s
# api-read-header-timeout <duration>
#
# The amount of time allowed to read request headers.
#api-read-header-timeout: 1m0s
# api-read-limit <bandwidth>
#
# Global read rate limit in bytes per second i.e. how many bytes per second you
# can receive from a proxy. Accepts binary format (e.g. 1.5Ki, 1Mi, 3.6Gi).
#api-read-limit: 0
# api-shutdown-timeout <duration>
#
# The maximum amount of time to wait for the server to drain connections before
# closing. Zero means no limit.
#api-shutdown-timeout: 30s
# api-write-limit <bandwidth>
#
# Global write rate limit in bytes per second i.e. how many bytes per second you
# can send to proxy. Accepts binary format (e.g. 1.5Ki, 1Mi, 3.6Gi).
#api-write-limit: 0
# --- Logging options ---
# log-file <path>
#
# Path to the log file, if empty, logs to stdout. The file is reopened on SIGHUP
# to allow log rotation using external tools.
#log-file:
# log-http [api|proxy:]<none|short-url|url|headers|body|errors>,...
#
# HTTP request and response logging mode.
#
# Modes:
# - none: no logging
# - short-url: logs [scheme://]host[/path] instead of the full URL
# - url: logs the full URL including query parameters
# - headers: logs request line and headers
# - body: logs request line, headers, and body
# - errors: logs request line and headers if status code is greater than or
# equal to 500
#
# Modes for different modules can be specified separated by commas. The
# following example specifies that the API module logs errors, the proxy module
# logs headers, and anything else logs full URL.
#
# --log-http=api:errors,proxy:headers,url
#log-http: errors
# log-http-request-id-header <name>
#
# If the header is present in the request, the proxy will associate the value
# with the request in the logs.
#log-http-request-id-header: X-Request-Id
# log-level <error|info|debug>
#
# Log level.
#log-level: info
forwarder pac eval #
# --- Proxy options ---
# pac <path or URL>
#
# Proxy Auto-Configuration file to use for upstream proxy selection.
#
# Syntax:
# - File: /path/to/file.pac
# - URL: http://example.com/proxy.pac
# - Embed: data:base64,<base64 encoded data>
# - Stdin: -
#pac: file://pac.js
# --- DNS options ---
# dns-round-robin <value>
#
# If more than one DNS server is specified with the --dns-server flag, passing
# this flag will enable round-robin selection.
#dns-round-robin: false
# dns-server <ip>[:<port>]
#
# DNS server(s) to use instead of system default. There are two execution
# policies, when more then one server is specified. Fallback: the first server
# in a list is used as primary, the rest are used as fallbacks. Round robin: the
# servers are used in a round-robin fashion. The port is optional, if not
# specified the default port is 53.
#dns-server:
# dns-timeout <duration>
#
# Timeout for dialing DNS servers. Only used if DNS servers are specified.
#dns-timeout: 5s
# --- HTTP client options ---
# cacert-file <path or base64>
#
# Add your own CA certificates to verify against. The system root certificates
# will be used in addition to any certificates in this list. Use this flag
# multiple times to specify multiple CA certificate files.
#
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#cacert-file:
# http-dial-attempts <int>
#
# The number of attempts to dial the network address.
#http-dial-attempts: 3
# http-dial-backoff <duration>
#
# The amount of time to wait between dial attempts.
#http-dial-backoff: 1s
# http-dial-timeout <duration>
#
# The maximum amount of time a dial will wait for a connect to complete. With or
# without a timeout, the operating system may impose its own earlier timeout.
# For instance, TCP timeouts are often around 3 minutes.
#http-dial-timeout: 25s
# http-idle-conn-timeout <duration>
#
# The maximum amount of time an idle (keep-alive) connection will remain idle
# before closing itself. Zero means no limit.
#http-idle-conn-timeout: 1m30s
# http-response-header-timeout <duration>
#
# The amount of time to wait for a server's response headers after fully writing
# the request (including its body, if any).This time does not include the time
# to read the response body. Zero means no limit.
#http-response-header-timeout: 0s
# http-tls-handshake-timeout <duration>
#
# The maximum amount of time waiting to wait for a TLS handshake. Zero means no
# limit.
#http-tls-handshake-timeout: 10s
# http-tls-keylog-file <path>
#
# File to log TLS master secrets in NSS key log format. By default, the value is
# taken from the SSLKEYLOGFILE environment variable. It can be used to allow
# external programs such as Wireshark to decrypt TLS connections.
#http-tls-keylog-file:
# insecure <value>
#
# Don't verify the server's certificate chain and host name. Enable to work with
# self-signed certificates.
#insecure: false
forwarder pac server #
# --- Server options ---
# address <host:port>
#
# The server address to listen on. If the host is empty, the server will listen
# on all available interfaces.
#address: :8080
# basic-auth <username[:password]>
#
# Basic authentication credentials to protect the server.
#basic-auth:
# idle-timeout <duration>
#
# The maximum amount of time to wait for the next request before closing
# connection.
#idle-timeout: 1h0m0s
# protocol <http|https|h2>
#
# The server protocol. For https and h2 protocols, if TLS certificate is not
# specified, the server will use a self-signed certificate.
#protocol: http
# read-header-timeout <duration>
#
# The amount of time allowed to read request headers.
#read-header-timeout: 1m0s
# read-limit <bandwidth>
#
# Global read rate limit in bytes per second i.e. how many bytes per second you
# can receive from a proxy. Accepts binary format (e.g. 1.5Ki, 1Mi, 3.6Gi).
#read-limit: 0
# shutdown-timeout <duration>
#
# The maximum amount of time to wait for the server to drain connections before
# closing. Zero means no limit.
#shutdown-timeout: 30s
# tls-cert-file <path or base64>
#
# TLS certificate to use if the server protocol is https or h2.
#
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#tls-cert-file:
# tls-handshake-timeout <duration>
#
# The maximum amount of time to wait for a TLS handshake before closing
# connection. Zero means no limit.
#tls-handshake-timeout: 0s
# tls-key-file <path or base64>
#
# TLS private key to use if the server protocol is https or h2.
#
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#tls-key-file:
# write-limit <bandwidth>
#
# Global write rate limit in bytes per second i.e. how many bytes per second you
# can send to proxy. Accepts binary format (e.g. 1.5Ki, 1Mi, 3.6Gi).
#write-limit: 0
# --- Proxy options ---
# pac <path or URL>
#
# Proxy Auto-Configuration file to use for upstream proxy selection.
#
# Syntax:
# - File: /path/to/file.pac
# - URL: http://example.com/proxy.pac
# - Embed: data:base64,<base64 encoded data>
# - Stdin: -
#pac: file://pac.js
# --- DNS options ---
# dns-round-robin <value>
#
# If more than one DNS server is specified with the --dns-server flag, passing
# this flag will enable round-robin selection.
#dns-round-robin: false
# dns-server <ip>[:<port>]
#
# DNS server(s) to use instead of system default. There are two execution
# policies, when more then one server is specified. Fallback: the first server
# in a list is used as primary, the rest are used as fallbacks. Round robin: the
# servers are used in a round-robin fashion. The port is optional, if not
# specified the default port is 53.
#dns-server:
# dns-timeout <duration>
#
# Timeout for dialing DNS servers. Only used if DNS servers are specified.
#dns-timeout: 5s
# --- HTTP client options ---
# cacert-file <path or base64>
#
# Add your own CA certificates to verify against. The system root certificates
# will be used in addition to any certificates in this list. Use this flag
# multiple times to specify multiple CA certificate files.
#
# Syntax:
# - File: /path/to/file.pac
# - Embed: data:base64,<base64 encoded data>
#cacert-file:
# http-dial-attempts <int>
#
# The number of attempts to dial the network address.
#http-dial-attempts: 3
# http-dial-backoff <duration>
#
# The amount of time to wait between dial attempts.
#http-dial-backoff: 1s
# http-dial-timeout <duration>
#
# The maximum amount of time a dial will wait for a connect to complete. With or
# without a timeout, the operating system may impose its own earlier timeout.
# For instance, TCP timeouts are often around 3 minutes.
#http-dial-timeout: 25s
# http-idle-conn-timeout <duration>
#
# The maximum amount of time an idle (keep-alive) connection will remain idle
# before closing itself. Zero means no limit.
#http-idle-conn-timeout: 1m30s
# http-response-header-timeout <duration>
#
# The amount of time to wait for a server's response headers after fully writing
# the request (including its body, if any).This time does not include the time
# to read the response body. Zero means no limit.
#http-response-header-timeout: 0s
# http-tls-handshake-timeout <duration>
#
# The maximum amount of time waiting to wait for a TLS handshake. Zero means no
# limit.
#http-tls-handshake-timeout: 10s
# http-tls-keylog-file <path>
#
# File to log TLS master secrets in NSS key log format. By default, the value is
# taken from the SSLKEYLOGFILE environment variable. It can be used to allow
# external programs such as Wireshark to decrypt TLS connections.
#http-tls-keylog-file:
# insecure <value>
#
# Don't verify the server's certificate chain and host name. Enable to work with
# self-signed certificates.
#insecure: false
# --- Logging options ---
# log-file <path>
#
# Path to the log file, if empty, logs to stdout. The file is reopened on SIGHUP
# to allow log rotation using external tools.
#log-file:
# log-http <none|short-url|url|headers|body|errors>,...
#
# HTTP request and response logging mode.
#
# Modes:
# - none: no logging
# - short-url: logs [scheme://]host[/path] instead of the full URL
# - url: logs the full URL including query parameters
# - headers: logs request line and headers
# - body: logs request line, headers, and body
# - errors: logs request line and headers if status code is greater than or
# equal to 500
#
# Modes for different modules can be specified separated by commas. The
# following example specifies that the API module logs errors, the proxy module
# logs headers, and anything else logs full URL.
#
# --log-http=api:errors,proxy:headers,url
#log-http: errors
# log-level <error|info|debug>
#
# Log level.
#log-level: info
forwarder ready #
# --- API server options ---
# api-address <host:port>
#
# The API server address.
#api-address: localhost:10000