-
Notifications
You must be signed in to change notification settings - Fork 13
/
example.conf.yaml
159 lines (143 loc) · 6.4 KB
/
example.conf.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
version: "2"
listen: "127.0.0.1:8999"
pid_file: "simplessl.pid"
enable_sds: true
sds_listen: "127.0.0.1:8998"
sds_ca_cert: "./secret-dir/ca.cert"
sds_server_cert: "./secret-dir/sds-server.cert"
sds_server_key: "./secret-dir/sds-server.key"
storage:
type: "dir_cache" # or redis
dir_cache: "./secret-dir"
redis:
# See https://pkg.go.dev/github.com/go-redis/redis/v8#ParseURL for detail format of addr.
addr: "redis://<user>:<password>@<host>:<port>/<db_number>"
prefix: ""
self_signed:
enable: false
check_domain_name: false
domains:
- "a.example.com"
- "a.example-1.com"
domain_regex:
- "[a-z]+\\.example\\.com"
- "a\\.example-1\\.com"
valid_days: 3650
organization: "SSL Cert Server Self-Signed"
managed:
reload_interval: "10m"
certificates:
- name: "abc.example.com"
domains:
- "abc.example.com"
domain_regex:
- "(abc|def)\\.example\\.com"
- "img-\\d+\\.example\\.com"
no_ocsp_stapling: false
- name: "_wildcard.example.com"
domains:
- "example.com"
- "*.example.com"
domain_regex:
- "(abc|def)\\.example\\.com"
- "biz-\\w+\\.example\\.com"
no_ocsp_stapling: false
acme:
directory_url: "https://acme-v02.api.letsencrypt.org/directory"
force_rsa: false
renew_before: 30 # days
default_account:
email: "acme@example.com"
accounts:
- email: "another@somedomain.com"
dns_credentials:
- name: example_alidns
provider: alidns
env:
ALICLOUD_ACCESS_KEY: "my_access_key_xxxx"
ALICLOUD_SECRET_KEY: "my_secret_key_xxxx"
- name: another_godaddy_1
provider: godaddy
env:
GODADDY_API_KEY: "my_api_key_xxxx"
GODADDY_API_SECRET: "my_api_secret_xxxx"
- name: another_cloudflare_1
provider: cloudflare
env:
CLOUDFLARE_EMAIL: "my_email_xxxx"
CLOUDFLARE_API_KEY: "my_api_key_xxxx"
on_demand:
domains:
- a.example-2.com
- b.example-2.com
domain_regex:
- "api-1-(\\w+)\\.example\\.com"
- "api-2-(\\w+)\\.example\\.com"
named:
certificates:
- name: "z_san_example_com"
account: "acme@example.com"
dns_credential: example_alidns
force_rsa: false
domains:
- "z1.example.com"
- "z2.example.com"
- "z3.example.com"
- name: "_wildcard.y.somedomain.com"
account: "another@somedomain.com"
dns_credential: another_cloudflare_1
force_rsa: false
domains:
- "y.somedomain.com"
- "*.y.somedomain.com"
# Explanations
# version: Format version of the configuration file. New since version 0.6.0.
# listen: The address simplessl server should listen, be sure DON'T open the server to the world.
# pid_file: The pid file path, it's used when doing graceful restarts.
# enable_sds: Enable Envoy SDS (secret discovery service) grpc service. Default false.
# sds_listen: Specifies the SDS service listen address. Require enable_sds to be true.
# sds_ca_cert: Path of the root certificate to verify SDS grpc client.
# sds_server_cert: Path of the server certificate for SDS grpc server.
# sds_server_key: Path of the private key for SDS grpc server.
# storage: Cache storage settings.
# storage.type: "dir_cache" or "redis"
# storage.dir_cache: If type is "dir_cache", which directory to store cached certificate files.
# storage.redis: If type is "redis", the settings of Redis.
# storage.redis.addr: The connection string of Redis. See https://pkg.go.dev/github.com/go-redis/redis/v8#ParseURL for detail format of addr.
# storage.redis.prefix: An optional string to use as prefix of certificate keys.
# self_signed: Self signed certificate settings.
# self_signed.enable: whether enable self-signed certificate (default false)
# self_signed.check_domain_name: whether check domain name for self-signed certificate (default false)
# self_signed.domains: allowed domain list to for self-signed certificate
# self_signed.domain_regex: allowed domains by regular expression for self-signed certificate
# self_signed.valid_days: how may days to set the certificate when generating self-signed certificate
# self_signed.organization: organization to set the certificate when generating self-signed certificate
# managed: Managed certificates settings.
# managed.reload_interval: interval to reload managed certificates from storage
# managed.certificates: configuration of managed certificates
# managed.certificates.name: name of a managed certificate
# managed.certificates.domains: domain name list for the certificate
# managed.certificates.domain_regex: domain names by regular expression for the certificate
# managed.certificates.no_ocsp_stapling: disable OCSP stapling for the certificate (default false)
# acme: ACME settings.
# acme.directory_url: the ACME directory url to use (default "https://acme-v02.api.letsencrypt.org/directory")
# acme.force_rsa: force to generate certificates with 2048-bit RSA keys (default force)
# acme.renew_before: renew certificates before how many days (default 30)
# acme.default_account: the default ACME account to use when not specified
# acme.default_account.email: email of the default ACME account
# acme.accounts: extra ACME accounts settings
# acme.accounts.email: email of the ACME account
# acme.dns_credentials: DNS credentials to use with dns-01 challenge for named certificates.
# acme.dns_credentials.name: name of a DNS credential config
# acme.dns_credentials.provider: the type of a DNS credential config, see https://go-acme.github.io/lego/dns/ for available DNS providers and the corresponding configurations
# acme.dns_credentials.env: environment variables required by the DNS provider
# acme.on_demand: On-demand ACME certificates.
# acme.on_demand.domains: allowed domain list to issue certificates on-demand
# acme.on_demand.domain_regex: allowed domains by regular expression to issue certificates on-demand
# acme.named: Named ACME certificates settings.
# acme.named.certificates: named certificates to issue from ACME server
# acme.named.certificates.name: name of the ACME certificate
# acme.named.certificates.account: the account (email) to use for this certificate
# acme.named.certificates.dns_credential: the DNS credential to use for this certificate
# acme.named.certificates.force_rsa: force to use 2048-bit RSA key for this certificate (default false)
# acme.named.certificates.domains: domain list to issue for the certificate, can be normal or wildcard domain name