Deployment

Configuration

3min

Engine
The following environmental variables are used to configure the JumpWire engine container:
Name
Required
Default
Description
RELEASE_COOKIE
✔️
-
Shared secret used for distributed connectivity. Must be identical on all nodes in the cluster.
JUMPWIRE_AUDIT_LOG_PATH
﻿
audit.log
Path to a file for storing logs generated by audit policies.
JUMPWIRE_TOKEN
✔️
-
JWT used to authenticate with the web app.
JUMPWIRE_NODE
﻿
{IP address}
Override the autodetected node name. Must be an IP address or DNS name reachable by all nodes in the cluster.
JUMPWIRE_FRONTEND
✔️
-
DNS name or IP address of the web application.
Set to false to disable the web connection.
JUMPWIRE_CONFIG_PATH
﻿
-
Directory to load YAML config files from. See Local file configuration﻿ for details.
JUMPWIRE_DATABASE_MIGRATION_LIMIT
﻿
100
When migrating existing data (eg encrypting rows that existed before JumpWire), this limit specifies the maximum number of rows that will be updated at once.
VAULT_ADDR
﻿
http://localhost:8200
URL of a HashiCorp Vault server to use for key management.
VAULT_KV_VERSION
﻿
2
Whether to use version 1 or 2 of the Vault KV API.
VAULT_KV_PATH
﻿
secret/jumpwire
Path in Vault to a KV store. The provided token/role should have write access to this.
VAULT_DB_PATH
﻿
database
Mount point of database secrets in Vault. JumpWire will lookup databases and roles under this path for possible proxy credentials.
VAULT_APPROLE_ID
﻿
-
ID of an approle to authenticate with Vault. Either a token or an approle must be provided to enable Vault.
VAULT_APPROLE_SECRET
﻿
-
Secret of an approle to authenticate with Vault. Either a token or an approle must be provided to enable Vault.
VAULT_TOKEN
﻿
-
Token to use to authenticate with Vault. Either a token or an approle must be provided to enable Vault.
VAULT_NAMESPACE
﻿
-
Namespace to use with Vault Enterprise.
JUMPWIRE_AWS_KMS_ENABLE
﻿
-
When set to true AWS KMS will be used for generating encryption keys.
JUMPWIRE_AWS_KMS_KEY_NAME
﻿
jumpwire
A prefix to use for aliases when creating AWS KMS keys.
JUMPWIRE_TLS_CERT
﻿
-
Public cert to use for TLS on incoming proxy connections. Both JUMPWIRE_TLS_CERT and JUMPWIRE_TLS_KEY must be configured to enable TLS.
JUMPWIRE_TLS_KEY
﻿
-
Private key to use for TLS on incoming proxy connections.
JUMPWIRE_TLS_CA
﻿
﻿Mozilla's public cert bundle﻿
CA cert bundle to use for HTTPS connections.
JUMPWIRE_TLS_PROXY_CA
﻿
The value of JUMPWIRE_TLS_CA
CA cert bundle to use when verifying the certificate of proxied databases and APIs.
JUMPWIRE_DOMAIN
﻿
﻿
Domain used to connect to the engine. This will be shown in client setup instructions.
JUMPWIRE_POSTGRES_PROXY_PORT
﻿
6432
Port to listen on for incoming postgres clients.
JUMPWIRE_POSTGRES_PROXY_POOL_SIZE
﻿
4
Size of connection pool used when connecting to a PostgreSQL database.
JUMPWIRE_HTTP_PORT
﻿
4004
Port to listen on for incoming HTTP requests.
JUMPWIRE_HTTPS_PORT
﻿
4443
Port to listen on for incoming HTTPS requests.
JUMPWIRE_PROMETHEUS_PORT
﻿
9568
Port to serve Prometheus stats on, under the /metrics endpoint.
SENTRY_DSN
﻿
﻿
URL of a Sentry endpoint to send crash and error logs. By default crashes will be sent to a Sentry instance controlled by JumpWire.
JUMPWIRE_PARSE_REQUESTS
﻿
true
When true, requests being proxied through JumpWire will be inspected and access policies will be applied.
JUMPWIRE_PARSE_RESPONSES
﻿
true
When true, responses from requests proxied through JumpWire will be inspected and access policies will be applied.
Additional configuration is available for Observability﻿ data.
Web
The following environment variables are used to configure the JumpWire web container:
Name
Required
Default
Description
DATABASE_URL
✔️
-
Connection string for internal PostgreSQL instance.
JUMPWIRE_SECRET_KEY
✔️
-
Secret used for secure session handling and cookies.
PORT
﻿
4000
Port to listen on for inbound HTTP requests.
GOOGLE_CLIENT_ID
﻿
-
Client ID for authenticating users with Google OAuth.
GOOGLE_CLIENT_SECRET
﻿
-
Client secret for authenticating users with Google OAuth.
AUTH0_CLIENT_ID
﻿
-
Client ID for authenticating users with Auth0 OAuth. Auth0 will take precedence over Google if both are set.
AUTH0_DOMAIN
﻿
-
Domain for authenticating users with Auth0 OAuth
AUTH0_TOKEN_SECRET
﻿
-
Secret for authenticating users with Auth0 OAuth
JUMPWIRE_AUTH_DOMAINS
﻿
-
Comma-delimited list of email domains that are allowed to access the web UI. Only enforced for Google OAuth.
JUMPWIRE_ORG_TOKEN
✔️
-
JWT used to authenticate the engine to the frontend.
JUMPWIRE_ORG_NAME
﻿
-
Name of the organization using JumpWire.
JUMPWIRE_DOMAIN
✔️
-
User facing domain name for the web interface.
JUMPWIRE_ENGINE_HOST
﻿
localhost
Hostname of the JumpWire engine. Used to generate user facing URLs for connecting to the proxy. Can be overridden from the web interface.
﻿

Updated 16 Aug 2023

Did this page help you?

Vault Integration

Local file configuration

TABLE OF CONTENTS

Name	Required	Default	Description
RELEASE_COOKIE	✔️	-	Shared secret used for distributed connectivity. Must be identical on all nodes in the cluster.
JUMPWIRE_AUDIT_LOG_PATH		audit.log	Path to a file for storing logs generated by audit policies.
JUMPWIRE_TOKEN	✔️	-	JWT used to authenticate with the web app.
JUMPWIRE_NODE		{IP address}	Override the autodetected node name. Must be an IP address or DNS name reachable by all nodes in the cluster.
JUMPWIRE_FRONTEND	✔️	-	DNS name or IP address of the web application. Set to false to disable the web connection.
JUMPWIRE_CONFIG_PATH		-	Directory to load YAML config files from. See Local file configuration for details.
JUMPWIRE_DATABASE_MIGRATION_LIMIT		100	When migrating existing data (eg encrypting rows that existed before JumpWire), this limit specifies the maximum number of rows that will be updated at once.
VAULT_ADDR		http://localhost:8200	URL of a HashiCorp Vault server to use for key management.
VAULT_KV_VERSION		2	Whether to use version 1 or 2 of the Vault KV API.
VAULT_KV_PATH		secret/jumpwire	Path in Vault to a KV store. The provided token/role should have write access to this.
VAULT_DB_PATH		database	Mount point of database secrets in Vault. JumpWire will lookup databases and roles under this path for possible proxy credentials.
VAULT_APPROLE_ID		-	ID of an approle to authenticate with Vault. Either a token or an approle must be provided to enable Vault.
VAULT_APPROLE_SECRET		-	Secret of an approle to authenticate with Vault. Either a token or an approle must be provided to enable Vault.
VAULT_TOKEN		-	Token to use to authenticate with Vault. Either a token or an approle must be provided to enable Vault.
VAULT_NAMESPACE		-	Namespace to use with Vault Enterprise.
JUMPWIRE_AWS_KMS_ENABLE		-	When set to true AWS KMS will be used for generating encryption keys.
JUMPWIRE_AWS_KMS_KEY_NAME		jumpwire	A prefix to use for aliases when creating AWS KMS keys.
JUMPWIRE_TLS_CERT		-	Public cert to use for TLS on incoming proxy connections. Both JUMPWIRE_TLS_CERT and JUMPWIRE_TLS_KEY must be configured to enable TLS.
JUMPWIRE_TLS_KEY		-	Private key to use for TLS on incoming proxy connections.
JUMPWIRE_TLS_CA		Mozilla's public cert bundle	CA cert bundle to use for HTTPS connections.
JUMPWIRE_TLS_PROXY_CA		The value of JUMPWIRE_TLS_CA	CA cert bundle to use when verifying the certificate of proxied databases and APIs.
JUMPWIRE_DOMAIN			Domain used to connect to the engine. This will be shown in client setup instructions.
JUMPWIRE_POSTGRES_PROXY_PORT		6432	Port to listen on for incoming postgres clients.
JUMPWIRE_POSTGRES_PROXY_POOL_SIZE		4	Size of connection pool used when connecting to a PostgreSQL database.
JUMPWIRE_HTTP_PORT		4004	Port to listen on for incoming HTTP requests.
JUMPWIRE_HTTPS_PORT		4443	Port to listen on for incoming HTTPS requests.
JUMPWIRE_PROMETHEUS_PORT		9568	Port to serve Prometheus stats on, under the /metrics endpoint.
SENTRY_DSN			URL of a Sentry endpoint to send crash and error logs. By default crashes will be sent to a Sentry instance controlled by JumpWire.
JUMPWIRE_PARSE_REQUESTS		true	When true, requests being proxied through JumpWire will be inspected and access policies will be applied.
JUMPWIRE_PARSE_RESPONSES		true	When true, responses from requests proxied through JumpWire will be inspected and access policies will be applied.