1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# structured-proxy configuration.
#
# This is a TEMPLATE. The service ships disabled because the proxy needs a
# service-specific config before it can do anything useful: at minimum an
# upstream gRPC address and one proto descriptor set. Edit this file, then:
#
# sudo systemctl enable --now structured-proxy
#
# Read by /usr/lib/systemd/system/structured-proxy.service via:
# ExecStart=/usr/bin/structured-proxy --config /etc/structured-proxy/config.yaml
#
# Marked as a config file in the RPM/DEB package, so local edits survive
# upgrades. Full reference: https://github.com/structured-world/structured-proxy
#
# Any file path referenced below (descriptor sets, JWT/OIDC PEM keys, JWKS
# caches) must live somewhere the hardened unit can read. The service runs with
# ProtectHome=yes and ProtectSystem=strict, so /home, /root and /run/user are
# hidden and most of the filesystem is read-only — keep referenced files under
# /etc/structured-proxy (readable) rather than an operator home directory.
# HTTP listen address for the transcoded REST surface.
listen:
http: "0.0.0.0:8080"
# Upstream gRPC service this proxy transcodes to. REQUIRED — replace with your
# service address.
upstream:
default: "http://127.0.0.1:50051"
# Pre-compiled proto descriptor sources (one or more, merged into one pool).
# REQUIRED for any routes to be generated. Build one with:
# buf build -o my-service.descriptor.bin
# # or: protoc --descriptor_set_out=my-service.descriptor.bin --include_imports *.proto
descriptors:
# - file: "/etc/structured-proxy/my-service.descriptor.bin"
# Service identity (drives the /health response and metrics namespace).
service:
name: "structured-proxy"
# CORS: empty list = permissive (dev). List exact origins for production.
cors:
origins: