By default the server will start an HTTP server on port 3592 and a gRPC server on 3593 that will listen on all available interfaces.

    # Listen on all available interfaces (default)
    server:
      httpListenAddr: ":3592"
      grpcListenAddr: ":3593"

    # Listen on a specific interface
    server:
      httpListenAddr: "192.168.0.17:3592"
      grpcListenAddr: "192.168.0.17:3593"

    # Listen on Unix domain sockets
    server:
      httpListenAddr: "unix:/var/sock/cerbos.http"
      grpcListenAddr: "unix:/var/sock/cerbos.grpc"

By default, Prometheus metrics are available to scrape from the /_cerbos/metrics HTTP endpoint. If you want to disable metrics reporting, set server.metricsEnabled to false:

    server:
      metricsEnabled: false

For debugging or auditing purposes, you can enable request and response payload logging for each request.
Enabling this setting affects server performance and could expose potentially sensitive data contained in the requests to anyone with access to the server logs.

    server:
      logRequestPayloads: true

Transport layer security (TLS)
You can enable transport layer security (TLS) by defining the paths to the certificate and key file in the tls section of the server configuration:

    server:
      tls:
        cert: /path/to/certificate
        key: /path/to/private_key

For production use cases that require automatic certificate reloading, workload identities and other advanced features, we recommend running a proxy server such as Envoy, Ghostunnel or Traefik in front of the Cerbos server.
By default, CORS is enabled on the HTTP service with all origins allowed. You can disable CORS by setting server.cors.disabled to true. You can also restrict the list of allowed origins and headers by setting server.cors.allowedOrigins and server.cors.allowedHeaders:

    server:
      cors:
        allowedOrigins:
          - example.com
          - example.org
        allowedHeaders:
          - X-CUSTOM

Enable Admin API
The Cerbos Admin API provides administration functions such as adding or updating policies (if the underlying storage engine supports it) to the running Cerbos instance. It is disabled by default.
Authentication is mandatory for the Admin API. See Cerbos Admin API documentation for more details.
TLS should be enabled to ensure that credentials are transmitted securely over the network. We also highly recommend changing the default username and password when deploying Cerbos.

    server:
      adminAPI:
        enabled: true
        adminCredentials:
          username: cerbos
          # Base64-encoded bcrypt hash of the password
          passwordHash: JDJ5JDEwJE5HYnk4cTY3VTE1bFV1NlR2bmp3ME9QOXdXQXFROGtBb2lWREdEY2xXbzR6WnoxYWtSNWNDCgo=
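
The settings described on this page can be checked before deployment. The following Python function is an added example, not part of the Cerbos documentation or code base: it reviews an already-parsed configuration (for instance the dictionary a YAML loader returns) for the defaults and warnings called out above. The function names, finding strings and both sample dictionaries are constructed for illustration; the `disabled` key under `cors` and the treatment of an unset password hash as the default are assumptions.

```python
# Password hash copied from the sample adminCredentials on this page.
SAMPLE_HASH = "JDJ5JDEwJE5HYnk4cTY3VTE1bFV1NlR2bmp3ME9QOXdXQXFROGtBb2lWREdEY2xXbzR6WnoxYWtSNWNDCgo="

def binds_all_interfaces(addr):
    """True when a TCP listen address has an empty or wildcard host (':3592')."""
    if addr.startswith("unix:"):
        return False
    return addr.rsplit(":", 1)[0] in ("", "0.0.0.0", "[::]")

def audit(config):
    """Return findings for the `server` block of a parsed Cerbos configuration."""
    server = config.get("server") or {}
    findings = []
    for key, default in (("httpListenAddr", ":3592"), ("grpcListenAddr", ":3593")):
        if binds_all_interfaces(server.get(key, default)):
            findings.append(f"{key}: listens on all interfaces")
    tls = server.get("tls") or {}
    tls_on = bool(tls.get("cert") and tls.get("key"))
    if not tls_on:
        findings.append("tls: not configured on the server itself")
    if server.get("logRequestPayloads"):
        findings.append("logRequestPayloads: request data is written to logs")
    cors = server.get("cors") or {}
    # `disabled` is an assumed key name; no allowedOrigins means all origins.
    if not cors.get("disabled") and not cors.get("allowedOrigins"):
        findings.append("cors: all origins allowed")
    admin = server.get("adminAPI") or {}
    if admin.get("enabled"):
        creds = admin.get("adminCredentials") or {}
        # Assumption: an unset hash means the default credentials apply.
        if creds.get("passwordHash") in (None, SAMPLE_HASH):
            findings.append("adminAPI: default or sample password hash in use")
        if not tls_on:
            findings.append("adminAPI: enabled without server TLS")
    return findings

# Constructed sample inputs (not real deployments).
WEAK = {"server": {"logRequestPayloads": True, "adminAPI": {
    "enabled": True,
    "adminCredentials": {"username": "cerbos", "passwordHash": SAMPLE_HASH}}}}
HARDENED = {"server": {
    "httpListenAddr": "192.168.0.17:3592",
    "grpcListenAddr": "unix:/var/sock/cerbos.grpc",
    "tls": {"cert": "/path/to/certificate", "key": "/path/to/private_key"},
    "cors": {"allowedOrigins": ["example.com"]},
    "adminAPI": {"enabled": True, "adminCredentials": {
        "username": "ops", "passwordHash": "PLACEHOLDER_BASE64_BCRYPT_HASH"}}}}
```

When Cerbos sits behind a TLS-terminating proxy as recommended above, the two TLS findings are expected and can be acknowledged rather than fixed in the server configuration.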