Container Options
List of all available environment variables for the container:
Environment Variable | Possible Values | Default | Description |
---|---|---|---|
NULLAFI_PROXY_URL | a valid Proxy URL | none | Sets the Proxy URL for auto-generated PAC files. Must include the protocol and port. Example: https://proxy.hostname:1328 |
NULLAFI_USERNAME | any string of characters | none | Sets the username for full administrative privileges to the Web Management Console |
NULLAFI_PASSWORD | any string of characters | none | Sets the password for full administrative privileges to the Web Management Console |
NULLAFI_API_KEY | any string of characters | none | Sets an API Key to be used by clients on Nullafi Shield API Requests |
NULLAFI_SHOWBUILD | [true \| false] | true | Determines whether the software build number is displayed in the Web Management Console |
NULLAFI_SHOWDATE | [true \| false] | true | Determines whether the software build date is displayed in the Web Management Console |
NULLAFI_SERVERMODE | [icap \| web \| both] | both | Sets which services run on the instance: just the ICAP server, just the Web Management Console, or both. |
NULLAFI_ACTIVITY_DATABASE_URL | a valid Elasticsearch URL | | Sets the Activity Database location, including the protocol, credentials, hostname, and path for an Elasticsearch database accessible by the Web Management Console and all ICAP enforcement nodes. |
NULLAFI_ELASTIC_CERTIFICATE_FINGERPRINT | a valid SHA256 hex fingerprint given by Elasticsearch on first launch | none | https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-stack-security.html |
NULLAFI_PROXY_CERT_FILE | a valid path to a file | | Allows the Web Management Console to distribute the public key used by the Proxy to sign SSL certificates. End user devices can download the certificate for importing into their own trust store from the Web Management Console without authentication. |
NULLAFI_LOG_FILE_DIR | a valid path to a folder | ./log | Sets the path to the log file |
NULLAFI_LOG_TO_FILE | [true \| false] | false | By default (false), log information is sent to stdout. |
NULLAFI_LICENSE_KEY_FILE | a valid path to a file | none | Passes the Nullafi Shield license information by reference to a file on the filesystem. Mutually exclusive with NULLAFI_LICENSE_KEY_VALUE. Nullafi Shield requires one of NULLAFI_LICENSE_KEY_FILE or NULLAFI_LICENSE_KEY_VALUE to exist but will only use one at a time. |
NULLAFI_LICENSE_KEY_VALUE | any string of characters | none | Passes the Nullafi Shield license information by directly invoking the license key string. Mutually exclusive with NULLAFI_LICENSE_KEY_FILE. Nullafi Shield requires one of NULLAFI_LICENSE_KEY_FILE or NULLAFI_LICENSE_KEY_VALUE to exist but will only use one at a time. |
NULLAFI_ICAP_PORT | [0-65535] | 1344 | Sets the TCP port for the ICAP protocol. This is the container’s listening port, and might be mapped through the host’s network stack in several ways. |
NULLAFI_ICAPS_ENABLED | [true \| false] | false | Sets the ICAP protocol to run on TLS |
NULLAFI_ICAPS_PORT | [0-65535] | 11344 | Sets the TCP port for the ICAP protocol with TLS. This is the container’s listening port, and might be mapped through the host’s network stack in several ways. |
NULLAFI_HTTP_PORT | [0-65535] | 8080 | Sets the listening port for plain text (HTTP) access to the Web Management Console. This is the container’s listening port, and might be mapped through the host’s network stack in several ways. By default, browsers use port 80 for HTTP and so it is common to map the host’s port 80 to the container’s 8080 |
NULLAFI_HTTPS_ENABLED | [true \| false] | false | Controls whether the Web Management Console will be offered with SSL encryption (via HTTPS). |
NULLAFI_HTTPS_PORT | [0-65535] | 8081 | Sets the listening port for SSL encrypted (HTTPS) access to the Web Management Console. This is the container’s listening port, and might be mapped through the host’s network stack in several ways. By default, browsers use port 443 for HTTPS and so it is common to map the host’s port 443 to the container’s 8081 |
NULLAFI_HTTPS_CERT_DIR | a valid path to a folder | ./certs | Sets the path to the certificates folder |
NULLAFI_HTTPS_ENABLE_ACME | [true \| false] | false | Determines whether Nullafi Shield obtains a certificate for the Web Management Console using the ACME protocol. See RFC 8555 for details. |
NULLAFI_HTTPS_ACME_SERVER_URL | a valid URL | none | ACME directory URL for signed HTTP certificates. |
NULLAFI_HTTPS_TLS_CERT_FILE | a path to the TLS key file (.pem) | | Sets the certificate to be used for secure HTTPS connections to the Web Management Console. If not using the ACME protocol, Nullafi Shield can be configured to use specific certificates manually managed by the administrator. Ordinarily, these would be signed by the organization's private Certificate Authority. |
NULLAFI_HTTPS_TLS_KEY_FILE | a path to the TLS certificate file (.crt) | | Sets the private key to be used for secure HTTPS connections to the Web Management Console. If not using the ACME protocol, Nullafi Shield can be configured to use specific certificates manually managed by the administrator. Ordinarily, these would be signed by the organization's private Certificate Authority. |
NULLAFI_VERBOSE_LOG | [true \| false] | true | Sets the product to print all information |
NULLAFI_HTTP_CUSTOM_DOMAIN | any valid hostname | localhost | Sets the custom domain for the Web Management Console |
NULLAFI_TLS_KEY_FILE | a path to the TLS key file (.pem) | nullafi.pem | Sets the path to the key file for ICAPS protocol (ICAP with SSL). |
NULLAFI_TLS_CERT_FILE | a path to the TLS certificate file (.crt) | nullafi.crt | Sets the path to the certificate file for ICAPS protocol (ICAP with SSL). |
NULLAFI_MUTUAL_TLS_CLIENT_FILE | a path to the TLS certificate file | none | Sets the ICAP client and server to use signed certificates to authenticate each other. |
NULLAFI_SYSLOG_ACTIVITY_ENABLE | [true \| false] | false | Sets the log information to be sent to a SYSLOG service. |
NULLAFI_SYSLOG_ACTIVITY_FACILITY | [kernel \| user-level \| mail \| system \| security/authorization \| syslogd \| line printer \| network news \| UUCP \| clock \| security/authorization \| FTP \| NTP \| log audit \| log alert \| local0 \| local1 \| local2 \| local3 \| local4 \| local5 \| local6 \| local7] | local0 | Labels for facility levels defined in RFC3164 |
NULLAFI_HTTPS_ACME_DNS01_PROVIDER | a valid DNS name | googledomains | The DNS provider used by the ACME DNS-01 challenge automation process. See the available options: https://go-acme.github.io/lego/dns/ |
NULLAFI_ICAP_NAME | any string of characters | nullafi shield | When the Shield instance is configured as an ICAP server (NULLAFI_SERVERMODE is set to either "icap" or "both"), sets the name of the Shield instance to appear in the Web Management Console and Activity Log. |
NULLAFI_TRACER_ENDPOINT | a valid URL | none | The URL of a compatible OpenTelemetry tool (vendors: Splunk, Grafana, SolarWinds, FluentBit, etc.) |
NULLAFI_REDIS_URI | a valid Redis URI | | Sets the Web Management Console's configuration database location, including the protocol, credentials, hostname, and path for a Redis database accessible by the Web Management Console and all ICAP enforcement nodes. |
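
A pre-flight check for the constraints stated in the table (one license variable only, proxy URL with protocol and port, port ranges, server mode, and the TLS switches that default to false). This is an added example, not Nullafi code: the function name `check_shield_env` is hypothetical, and it assumes values are matched as the exact lowercase strings listed above.

```python
from urllib.parse import urlparse

PORT_VARS = ("NULLAFI_ICAP_PORT", "NULLAFI_ICAPS_PORT",
             "NULLAFI_HTTP_PORT", "NULLAFI_HTTPS_PORT")
LICENSE_VARS = ("NULLAFI_LICENSE_KEY_FILE", "NULLAFI_LICENSE_KEY_VALUE")


def check_shield_env(env):
    """Return (errors, warnings) for a dict of NULLAFI_* settings."""
    errors, warnings = [], []
    # Exactly one of the two license variables must be set.
    if sum(1 for k in LICENSE_VARS if env.get(k)) != 1:
        errors.append("set exactly one of " + " / ".join(LICENSE_VARS))
    # The proxy URL must include both the protocol and the port.
    proxy = env.get("NULLAFI_PROXY_URL")
    if proxy:
        try:
            u = urlparse(proxy)
            complete = bool(u.scheme and u.hostname and u.port)
        except ValueError:  # malformed or out-of-range port
            complete = False
        if not complete:
            errors.append("NULLAFI_PROXY_URL must include protocol and port")
    for k in PORT_VARS:
        v = env.get(k)
        if v is not None and not (v.isdecimal() and int(v) <= 65535):
            errors.append(k + " must be in 0-65535")
    mode = env.get("NULLAFI_SERVERMODE", "both")
    if mode not in ("icap", "web", "both"):
        errors.append("NULLAFI_SERVERMODE must be icap, web or both")
    # Both TLS switches default to false, so an unset variable means no TLS.
    tls = {k: env.get(k, "false")
           for k in ("NULLAFI_HTTPS_ENABLED", "NULLAFI_ICAPS_ENABLED")}
    for k, v in tls.items():
        if v not in ("true", "false"):
            errors.append(k + " must be true or false")
    if mode in ("web", "both") and tls["NULLAFI_HTTPS_ENABLED"] != "true":
        warnings.append("console is not offered over HTTPS")
    if mode in ("icap", "both") and tls["NULLAFI_ICAPS_ENABLED"] != "true":
        warnings.append("ICAP does not run on TLS")
    return errors, warnings


# Constructed sample: every value below is made up for this example.
SAMPLE = {
    "NULLAFI_PROXY_URL": "https://proxy.hostname",  # port missing
    "NULLAFI_LICENSE_KEY_FILE": "/run/secrets/license",
    "NULLAFI_LICENSE_KEY_VALUE": "constructed-license-string",
    "NULLAFI_HTTPS_PORT": "70000", "NULLAFI_ICAPS_ENABLED": "true",
}
```

Calling `check_shield_env(SAMPLE)` reports three errors (both license variables set, proxy URL without a port, port out of range) and one warning for the console not being offered over HTTPS.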