Proxy Configuration | Docs | TitaniumGuard

Proxy Configuration

Proxy Configuration Reference

// Annotated reference example of the proxy configuration: each key is preceded by
// its REQUIRED / TYPE / DEFAULT annotations.
// NOTE(review): the // annotations are not valid in strict JSON; confirm whether the
// proxy's config loader accepts comments or whether they must be stripped first.
{
  // REQUIRED: no
  // TYPE: string
  // DEFAULT: "0.0.0.0"
  // Address to bind on. "0.0.0.0" accepts connections on every IPv4 interface, so the
  // default exposes the enabled listeners on all attached networks; set a specific
  // interface address to narrow that.
  // NOTE(review): presumably applies to every enabled listener (http/https/socks5) — confirm.
  "bind_address": "0.0.0.0",

  // REQUIRED: no
  // TYPE: string
  // DEFAULT: null
  // Path to policy JSON document used by the rule engine.
  // Per the validation notes on this page, allow/deny decisions are configured only
  // through this policy, so write access to the file is write access to the policy.
  // NOTE(review): behaviour when this is left null (no policy) is not stated here — confirm.
  "policy_file_path": "/etc/titaniumguard/proxy-policy.json",

  // REQUIRED: no
  // TYPE: object
  // DEFAULT: x-tg-org/x-tg-team/x-tg-user/x-tg-groups
  // Trusted headers that provide org/team/user/group identity for selector matching.
  // "Trusted" means the values are taken as the caller's identity. This page does not
  // say whether the proxy strips or overwrites copies sent by the client itself.
  // NOTE(review): confirm that, and make sure only the authenticating hop in front of
  // the proxy can set these headers.
  "identity_headers": {
    "org": "x-tg-org",
    "team": "x-tg-team",
    "user": "x-tg-user",
    "groups": "x-tg-groups"
  },

  // REQUIRED: no
  // TYPE: object
  // DEFAULT: { "max_trace_facts": 64, "enable_explain_logs": true }
  // NOTE(review): explain logs are on by default and their contents are not described
  // here; check whether identity header values or request details are written before
  // forwarding these logs to shared storage.
  "rule_engine": {
    "max_trace_facts": 64,
    "enable_explain_logs": true
  },

  // REQUIRED: no
  // TYPE: CacheBackend
  // DEFAULT: { "type": "memory", "capacity": 10000 }
  "cache": {
    // REQUIRED: yes (if cache object provided)
    // TYPE: enum
    // ALLOWED: "memory", "redis"
    "type": "memory",

    // REQUIRED: no (memory only)
    // TYPE: u64
    // DEFAULT: 10000
    "capacity": 10000

    // REQUIRED: yes (redis only)
    // TYPE: string
    // The sample URL uses the plaintext redis:// scheme against loopback.
    // NOTE(review): for a Redis instance on another host, confirm whether TLS
    // (rediss://) and credentials in the URL are supported.
    // "url": "redis://127.0.0.1/"
  },

  // REQUIRED: no
  // TYPE: PartialListenerConfig
  // DEFAULT: { "enabled": true, "port": 8080 }
  // Plaintext listener, enabled by default. The only auth block documented on this
  // page sits under "https", so as shown this listener has no authentication setting.
  // NOTE(review): confirm, and disable it ("enabled": false) where unauthenticated
  // cleartext access is not intended.
  "http": {
    "enabled": true,
    "port": 8080
  },

  // REQUIRED: no
  // TYPE: PartialHttpsConfig
  // DEFAULT: enabled=false, port=8443, tls=null, auth disabled
  // This example deviates from the defaults: it turns the listener and auth on.
  // Per the validation notes, "tls" is mandatory once enabled=true, and auth needs at
  // least one of the two credential files.
  "https": {
    "enabled": true,
    "port": 8443,
    "tls": {
      "cert_path": "/etc/titaniumguard/tls.crt",
      // Private key: keep it readable only by the account the proxy runs as.
      "key_path": "/etc/titaniumguard/tls.key"
    },
    "auth": {
      "enabled": true,
      // Credential stores in CSV form.
      // NOTE(review): the column layout and whether secrets are stored hashed or in
      // clear text are not documented here — confirm, and restrict read access to
      // both files to the proxy's service account.
      "basic_credentials_file": "/etc/titaniumguard/basic_auth.csv",
      "bearer_tokens_file": "/etc/titaniumguard/bearer_tokens.csv",
      "realm": "proxy"
    }
  },

  // REQUIRED: no
  // TYPE: PartialListenerConfig
  // DEFAULT: { "enabled": false, "port": 1080 }
  // NOTE(review): no auth settings are shown for this listener; confirm how callers
  // are identified before enabling it.
  "socks5": {
    "enabled": false,
    "port": 1080
  },

  // LEGACY OPTIONS (still accepted)
  // NOTE(review): this example sets the legacy port/protocol/tls next to the
  // http/https/socks5 objects above; the page does not state which takes precedence
  // when both forms are present — confirm before mixing them in one file.

  "port": 8080,
  "protocol": "http",
  "tls": {
    "cert_path": "/etc/titaniumguard/tls.crt",
    "key_path": "/etc/titaniumguard/tls.key"
  }
}

Validation rules

{
  "notes": [
    "At least one mode must be enabled: http, https, or socks5.",
    "If https.enabled=true, https.tls is mandatory.",
    "If https.auth.enabled=true, https must also be enabled.",
    "If https.auth.enabled=true, set at least one of basic_credentials_file or bearer_tokens_file.",
    "Traffic flow allow/deny decisions are only configured through the rule engine policy."
  ]
}

Rule Engine

The canonical policy spec lives in products/proxy/proxy_rule_engine_policy_spec.json and an example docs page is available at /docs/proxy/rule-engine-policy.