Deployment

Configuration

Engine

The following environment variables are used to configure the JumpWire engine container:

| Name | Required | Default | Description |
| --- | --- | --- | --- |
| RELEASE_COOKIE | ✔️ | - | Shared secret used for distributed connectivity. Must be identical on all nodes in the cluster. |
| JUMPWIRE_AUDIT_LOG_PATH | | audit.log | Path to a file for storing logs generated by audit policies. |
| JUMPWIRE_TOKEN | ✔️ | - | JWT used to authenticate with the web app. |
| JUMPWIRE_NODE | | {IP address} | Override the autodetected node name. Must be an IP address or DNS name reachable by all nodes in the cluster. |
| JUMPWIRE_FRONTEND | ✔️ | - | DNS name or IP address of the web application. Set to false to disable the web connection. |
| JUMPWIRE_CONFIG_PATH | | - | Directory to load YAML config files from. See Local file configuration for details. |
| JUMPWIRE_DATABASE_MIGRATION_LIMIT | | 100 | When migrating existing data (e.g. encrypting rows that existed before JumpWire), this limit specifies the maximum number of rows that will be updated at once. |
| VAULT_ADDR | | http://localhost:8200 | URL of a HashiCorp Vault server to use for key management. |
| VAULT_KV_VERSION | | 2 | Whether to use version 1 or 2 of the Vault KV API. |
| VAULT_KV_PATH | | secret/jumpwire | Path in Vault to a KV store. The provided token/role should have write access to this. |
| VAULT_DB_PATH | | database | Mount point of database secrets in Vault. JumpWire will look up databases and roles under this path for possible proxy credentials. |
| VAULT_APPROLE_ID | | - | ID of an approle to authenticate with Vault. Either a token or an approle must be provided to enable Vault. |
| VAULT_APPROLE_SECRET | | - | Secret of an approle to authenticate with Vault. Either a token or an approle must be provided to enable Vault. |
| VAULT_TOKEN | | - | Token to use to authenticate with Vault. Either a token or an approle must be provided to enable Vault. |
| VAULT_NAMESPACE | | - | Namespace to use with Vault Enterprise. |
| JUMPWIRE_AWS_KMS_ENABLE | | - | When set to true, AWS KMS will be used for generating encryption keys. |
| JUMPWIRE_AWS_KMS_KEY_NAME | | jumpwire | A prefix to use for aliases when creating AWS KMS keys. |
| JUMPWIRE_TLS_CERT | | - | Public cert to use for TLS on incoming proxy connections. Both JUMPWIRE_TLS_CERT and JUMPWIRE_TLS_KEY must be configured to enable TLS. |
| JUMPWIRE_TLS_KEY | | - | Private key to use for TLS on incoming proxy connections. |
| JUMPWIRE_TLS_CA | | | CA cert bundle to use for HTTPS connections. |
| JUMPWIRE_TLS_PROXY_CA | | The value of JUMPWIRE_TLS_CA | CA cert bundle to use when verifying the certificate of proxied databases and APIs. |
| JUMPWIRE_DOMAIN | | | Domain used to connect to the engine. This will be shown in client setup instructions. |
| JUMPWIRE_POSTGRES_PROXY_PORT | | 6432 | Port to listen on for incoming PostgreSQL clients. |
| JUMPWIRE_POSTGRES_PROXY_POOL_SIZE | | 4 | Size of connection pool used when connecting to a PostgreSQL database. |
| JUMPWIRE_HTTP_PORT | | 4004 | Port to listen on for incoming HTTP requests. |
| JUMPWIRE_HTTPS_PORT | | 4443 | Port to listen on for incoming HTTPS requests. |
| JUMPWIRE_PROMETHEUS_PORT | | 9568 | Port to serve Prometheus stats on, under the /metrics endpoint. |
| SENTRY_DSN | | | URL of a Sentry endpoint to send crash and error logs. By default crashes will be sent to a Sentry instance controlled by JumpWire. |
| JUMPWIRE_PARSE_REQUESTS | | true | When true, requests being proxied through JumpWire will be inspected and access policies will be applied. |
| JUMPWIRE_PARSE_RESPONSES | | true | When true, responses from requests proxied through JumpWire will be inspected and access policies will be applied. |

Additional configuration is available for Observability data.
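
A pre-flight check for the engine variables, as an added example that is not part of the JumpWire documentation or code base: it enforces the required variables, the cert/key pairing, the Vault token-or-approle rule and the KV version from the table before the container starts. The names `check_engine_env` and `SAMPLE_ENV` and all sample values are constructed, and the port-collision check is an assumption added beyond what the table states.

```python
import os
import sys

# Rules come from the engine table; all names defined here are hypothetical.
REQUIRED = ("RELEASE_COOKIE", "JUMPWIRE_TOKEN", "JUMPWIRE_FRONTEND")
PORT_DEFAULTS = {
    "JUMPWIRE_POSTGRES_PROXY_PORT": "6432",
    "JUMPWIRE_HTTP_PORT": "4004",
    "JUMPWIRE_HTTPS_PORT": "4443",
    "JUMPWIRE_PROMETHEUS_PORT": "9568",
}
# Constructed sample: key without cert, half an approle, two listeners on one port.
SAMPLE_ENV = {
    "RELEASE_COOKIE": "constructed-cookie",
    "JUMPWIRE_FRONTEND": "false",
    "JUMPWIRE_TLS_KEY": "constructed-key-value",
    "VAULT_APPROLE_ID": "constructed-role-id",
    "JUMPWIRE_HTTPS_PORT": "4004",
}


def check_engine_env(env):
    """Return a list of problems found in an engine environment mapping."""
    problems = [f"{n} is required but not set" for n in REQUIRED if not env.get(n)]
    # TLS on incoming proxy connections needs the cert and the key together.
    if bool(env.get("JUMPWIRE_TLS_CERT")) != bool(env.get("JUMPWIRE_TLS_KEY")):
        problems.append("JUMPWIRE_TLS_CERT and JUMPWIRE_TLS_KEY must both be set")
    # Vault needs a token or a complete approle (ID plus secret).
    half_role = bool(env.get("VAULT_APPROLE_ID")) != bool(env.get("VAULT_APPROLE_SECRET"))
    if half_role and not env.get("VAULT_TOKEN"):
        problems.append("Vault approle is incomplete and VAULT_TOKEN is not set")
    if env.get("VAULT_KV_VERSION", "2") not in ("1", "2"):
        problems.append("VAULT_KV_VERSION must be 1 or 2")
    # Each listener needs a valid TCP port that no other listener uses.
    used = {}
    for name, default in PORT_DEFAULTS.items():
        value = env.get(name, default)
        if not (value.isascii() and value.isdigit() and 0 < int(value) < 65536):
            problems.append(f"{name}={value!r} is not a valid TCP port")
        elif int(value) in used:
            problems.append(f"{name} and {used[int(value)]} both use port {value}")
        else:
            used[int(value)] = name
    return problems


if __name__ == "__main__":
    # Pass --sample to check the constructed sample instead of the real environment.
    found = check_engine_env(SAMPLE_ENV if "--sample" in sys.argv else os.environ)
    print("\n".join(found) or "engine environment looks consistent")
    sys.exit(1 if found else 0)
```

Run as a container entrypoint step, the non-zero exit status stops a misconfigured engine from starting without TLS or key management that the operator believed was enabled.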

Web

The following environment variables are used to configure the JumpWire web container:

| Name | Required | Default | Description |
| --- | --- | --- | --- |
| DATABASE_URL | ✔️ | - | Connection string for internal PostgreSQL instance. |
| JUMPWIRE_SECRET_KEY | ✔️ | - | Secret used for secure session handling and cookies. |
| PORT | | 4000 | Port to listen on for inbound HTTP requests. |
| GOOGLE_CLIENT_ID | | - | Client ID for authenticating users with Google OAuth. |
| GOOGLE_CLIENT_SECRET | | - | Client secret for authenticating users with Google OAuth. |
| AUTH0_CLIENT_ID | | - | Client ID for authenticating users with Auth0 OAuth. Auth0 will take precedence over Google if both are set. |
| AUTH0_DOMAIN | | - | Domain for authenticating users with Auth0 OAuth. |
| AUTH0_TOKEN_SECRET | | - | Secret for authenticating users with Auth0 OAuth. |
| JUMPWIRE_AUTH_DOMAINS | | - | Comma-delimited list of email domains that are allowed to access the web UI. Only enforced for Google OAuth. |
| JUMPWIRE_ORG_TOKEN | ✔️ | - | JWT used to authenticate the engine to the frontend. |
| JUMPWIRE_ORG_NAME | | - | Name of the organization using JumpWire. |
| JUMPWIRE_DOMAIN | ✔️ | - | User-facing domain name for the web interface. |
| JUMPWIRE_ENGINE_HOST | | localhost | Hostname of the JumpWire engine. Used to generate user-facing URLs for connecting to the proxy. Can be overridden from the web interface. |