Name | Required | Type | Default Value | Description |
UPSTREAM | TRUE | string | | The network address of the POP server that this node works with |
UPSTREAM_SNI | TRUE | string | | The service name of the POP server; this corresponds to the SNI environment variable on the POP server |
CERT | TRUE | string | | The path to the certificate (in PEM format) that this node uses to authenticate with other nodes and with users |
KEY | TRUE | string | | The path to the private key (in PEM format) that corresponds with the certificate |
INSECURE | FALSE | boolean | | Whether to validate certificates of external components (Edges, other App Gateways, and so on) |
DB_PATH | TRUE | string | /dbdata/idac.db | The path to the database file |
EXTERNAL_MFA_TIMEOUT | TRUE | duration | 5m | The timeout of multifactor authentication tokens sent via SMS messages |
ALLOW_CORS | FALSE | boolean | | Whether Cross-Origin-Resource-Sharing is allowed on the App Gateway API |
LOG_REQUESTS | FALSE | boolean | | Whether to log HTTP requests to the App Gateway API |
LICENSE_PATH | TRUE | string | | The path to the license file |
BLOB_PATH | TRUE | string | /<host>/blobs | The path where blobs are stored |
EXTERNAL_SERVICES_URL | TRUE | string | https://services.cyolo.io | The URL of the external services server (used for SMS, and so on) |
RECERTER_RUN | FALSE | boolean | TRUE | Whether to use the internal automatic certificate renewal service (only for cyolo.io certificates) |
RECERTER_WATCH_DAYS | FALSE | int | 10 | The number of days before expiry at which a certificate gets renewed |
RECERTER_WATCH_INTERVAL | FALSE | duration | 36h | The interval at which the internal certificate renewal service checks whether the certificate needs to be renewed |
RECORDING_PATH | TRUE | string | /<host>/tmp/recordings | The location at which recordings are stored prior to being moved to the blob store |
USE_EDGE_PROXY | FALSE | boolean | | Whether to proxy network access towards external services via POP servers |
NATIVE_SSH_UPSTREAM | FALSE | string | ssh.tcp.ztna.safous.com:443 | The network address of the native-ssh gateway that this node works with |
NATIVE_SSH_UPSTREAM_SNI | FALSE | string | ssh.ztna.safous.com | The service name of the native-ssh gateway; this corresponds to the NATIVE_SSH_SNI environment variable on the gateway |
NATIVE_SSH_SECRET | FALSE | string | | Whether to use a static secret with the native-ssh gateway (otherwise, authorization is performed using the license) |
SYSLOG_ADDRESSES | FALSE | []string | | A comma-delimited list of syslog servers to forward App Gateway logs to |
RAFT_PATH | TRUE | string | /dbdata/raft | The path that stores the Raft cluster metadata |
RAFT_VOTER | FALSE | string | | Whether the App Gateway can participate in the Raft (or is a READONLY instance) |
SITE | TRUE | string | default | The site name that corresponds with App Gateway |
ID_FILE | TRUE | string | /config/idfile | The file in which the App Gateway ID is persisted |
LOGS_DB_PATH | TRUE | string | /config/logs.db | The path for the activity log database |
RDP_KEYBOARD_LAYOUT | FALSE | string | en-us-querty | The RDP server keyboard layout |
HTTP_PROXY | FALSE | string | | Set proxy <host or IP address>:<port> for all HTTP web applications. |
HTTPS_PROXY | FALSE | string | | Set proxy <host or IP address>:<port> for all HTTPS web applications. |
COOKIE_SAME_SITE_MODE | FALSE | string | lax | Change the SameSite attribute of the Set-Cookie response header (SameSite=none/lax/strict). |
COOKIE_DOMAIN | FALSE | string | certificate CN | Change the default domain of the cookie (the certificate CN of safous) to allow cookies to be sent in cross-origin requests under the same domain. For example, if CN=safous.example.com, set example.com to allow cookies under all example.com subdomains. |
DISABLE_AUTO_UPDATE | FALSE |