Container Options
List of all available environment variables for the container:
| Environment Variable | Possible Values | Default | Description |
|---|---|---|---|
| NULLAFI_API_KEY | any string of characters | none | Sets an API Key to be used by clients on Nullafi Shield API Requests |
| NULLAFI_SERVERMODE | [icap | api | web | alert | all] |
all |
Sets which services will run on the Shield container. ICAP server, API server, Web Management Console (which includes API), Alert server, or all at once (all is convenient for testing but not recommended for production). |
| NULLAFI_ACTIVITY_DATABASE_URL | a valid Elasticsearch URL | none | Sets the Activity Database location, including the protocol, credentials, hostname, and path for an Elasticsearch database accessible by the Web Management Console and all ICAP enforcement nodes. |
| NULLAFI_ELASTIC_CERTIFICATE_FINGERPRINT | a valid SHA256 hex fingerprint given by Elasticsearch on first launch | none | see https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-stack-security.html |
| NULLAFI_REDIS_URI | a valid Redis URI | none | Sets the Web Management Console's configuration database location, including the protocol, credentials, hostname, and path for a Redis database accessible by the Web Management Console and all ICAP enforcement nodes. |
| NULLAFI_LOG_FILE_DIR | a valid path to a folder | ./log |
Sets the path to the log file |
| NULLAFI_LOG_TO_FILE | [true | false] |
FALSE |
By default sends the log information to the stdout. |
| NULLAFI_LICENSE_KEY_FILE | a valid path to a file | none | Passes the Nullafi Shield license information by reference to a file on the filesystem. Mutually exclusive with NULLAFI_LICENSE_KEY_VALUE. Nullafi Shield requires one of NULLAFI_LICENSE_KEY_FILE or NULLAFI_LICENSE_KEY_VALUE to exist but will only use one at a time. |
| NULLAFI_LICENSE_KEY_VALUE | any string of characters | none | Passes the Nullafi Shield license information by directly invoking the license key string. Mutually exclusive with NULLAFI_LICENSE_KEY_FILE. Nullafi Shield requires one of NULLAFI_LICENSE_KEY_FILE or NULLAFI_LICENSE_KEY_VALUE to exist but will only use one at a time. |
| NULLAFI_HTTP_CUSTOM_DOMAIN | any valid hostname | localhost |
Sets the custom domain for the web Web Management Console |
| NULLAFI_SHOWBUILD | [true | false] |
TRUE |
Determines whether the software build number is displayed in the Web Management Console |
| NULLAFI_SHOWDATE | [true | false] |
FALSE |
Determines whether the software build date is displayed in the Web Management Console |
| NULLAFI_HTTP_PORT | [0-65535] |
8080 |
Sets the listening port for plain text (HTTP) access to the Web Management Console. This is the container’s listening port, and might be mapped through the host’s network stack in several ways. By default, browsers use port 80 for HTTP and so it is common to map the host’s port 80 to the container’s 8080 |
| NULLAFI_HTTPS_ENABLED | [true | false] |
FALSE |
Controls whether the Web Management Console will be offered with SSL encryption (via HTTPS). |
| NULLAFI_HTTPS_PORT | [0-65535] |
8081 |
Sets the listening port for SSL encrypted (HTTPS) access to the Web Management Console. This is the container’s listening port, and might be mapped through the host’s network stack in several ways. By default, browsers use port 443 for HTTPS and so it is common to map the host’s port 443 to the container’s 8081 |
| NULLAFI_HTTPS_TLS_CERT_FILE | a path to the TLS certificate file (.crt) | none | Sets the certificate to be used for secure HTTPS connections to the Web Management Console. If not using the ACME protocol, Nullafi Shield can be configured to use specific certificates manually managed by the administrator. Ordinarily, these would be signed by the organization's private Certificate Authority. |
| NULLAFI_HTTPS_TLS_KEY_FILE | a path to the TLS key file (.pem) | none | Sets the private key to be used for secure HTTPS connections to the Web Management Console. If not using the ACME protocol, Nullafi Shield can be configured to use specific certificates manually managed by the administrator. Ordinarily, these would be signed by the organization's private Certificate Authority. |
| NULLAFI_HTTPS_ENABLE_ACME | [true | false] |
FALSE |
Sets if Nullafi Shield will obtain a certificate for the Web Management Console using the ACME protocol service. See more in RFC8555 |
| NULLAFI_HTTPS_CERT_DIR | a valid path to a folder | ./certs |
Sets the path where ACME SSL certificates will be stored. This should be mounted to persistent storage to avoid excessive certificate generation attempts from container restarts. |
| NULLAFI_HTTPS_ACME_SERVER_URL | a valid URL | none | ACME directory URL for signed HTTP certificates. |
| NULLAFI_HTTPS_ACME_DNS01_PROVIDER | a valid DNS provider name | none | The DNS Provider used by the Acme DNS-01 challenge automation process, see the options: https://go-acme.github.io/lego/dns/ |
| NULLAFI_PROXY_CERT_FILE | a valid path to a file | none | Allows the Web Management Console to distribute the public key used by the Proxy to sign SSL certificates. End user devices can download the certificate for importing into their own trust store from the Web Management Console without authentication. |
| NULLAFI_PROXY_URL | a valid hostname or IP address and port combination, separated by a colon (e.g. 192.168.0.254:8080, proxy.example.com:3128) |
none | Allows the Web Management Console to distribute a custom PAC file. End user devices can download the PAC file or point their automatic proxy settings to the PAC file download URL inside the Web Management Console. |
| NULLAFI_GOOGLE_LOGOUT_URL | a valid URL | https://accounts.google.com/logout |
Allows Shield to recognize when a user has logged out from the identity provider so it can invalidate the user's SAML session. |
| NULLAFI_NODE_NAME | any string of characters | nullafi shield |
When the Shield instance is configured as an ICAP server (NULLAFI_SERVERMODE is set to either "icap" or "both"), sets the name of the Shield instance to appear in the Web Management Console and Activity Log. |
| NULLAFI_ICAP_PORT | [0-65535] |
1344 |
Sets the TCP port for the ICAP protocol. This is the container’s listening port, and might be mapped through the host’s network stack in several ways. |
| NULLAFI_ICAPS_ENABLED | [true | false] |
FALSE |
Sets the ICAP protocol to run on TLS |
| NULLAFI_ICAPS_PORT | [0-65535] |
11344 |
Sets the TCP port for the ICAP protocol with TLS. This is the container’s listening port, and might be mapped through the host’s network stack in several ways. |
| NULLAFI_ICAP_TLS_KEY_FILE | a path to the TLS key file (.pem) | none | Sets the path to the key file for ICAPS protocol (ICAP with SSL). |
| NULLAFI_ICAP_TLS_CERT_FILE | a path to the TLS certificate file (.crt) | none | Sets the path to the certificate file for ICAPS protocol (ICAP with SSL). |
| NULLAFI_ICAP_MUTUAL_TLS_CLIENT_FILE | a path to the TLS certificate file | none | Sets client and server ICAP to use signed certificate to authenticate each other. |
| NULLAFI_SYSLOG_ACTIVITY_ENABLE | [true | false] |
FALSE |
Sets the log information to be sent to a SYSLOG service. |
| NULLAFI_SYSLOG_ACTIVITY_FACILITY | [ KERN | USER | MAIL | DAEMON | AUTH | SYSLOG | LPR | NEWS | UUCP | CRON | AUTHPRIV | FTP | LOCAL0 | LOCAL1 | LOCAL2 | LOCAL3 | LOCAL4 | LOCAL5 | LOCAL6 | LOCAL7 ] |
LOCAL0 |
Labels for facility levels defined in RFC5424 |
| NULLAFI_SYSLOG_ACTIVITY_NETWORK | [tcp | udp] |
none | Sets the network protocol to be used by syslog |
| NULLAFI_SYSLOG_ACTIVITY_REMOTE_ADDRESS | a valid hostname or IP address and port combination, separated by a colon (e.g. 192.168.1.1:514, syslog.example.com:601) |
none | Sets the syslog destination server and port |
| NULLAFI_TRACER_ENDPOINT | a valid URL | none | A compatible OpenTelemetry tool URL (vendors: Splunk, Grafana, SolarWind, FluentBit, etc) |