Configuration

If no configuration is provided via the --conf.path flag, Synapse starts on port 3594 and attempts to load Cerbos policies from a directory named policies in the current path. While the --conf.set flag can be used to override configuration values from the command line, it is recommended to use a configuration file for better readability.

The pdp.inProcess block embeds a full Cerbos PDP. It accepts every option the standalone Cerbos PDP accepts — storage drivers, audit backends, schema enforcement, server hardening, and so on. For the authoritative reference on what goes inside pdp.inProcess, see the Cerbos PDP configuration documentation. The reference below covers only the Synapse-specific keys that wrap it.

Example configuration

The following snippet illustrates a typical configuration for Synapse.

server:
  listenAddress: ":3594"
  tls:
    cert: /certs/tls.crt
    key: /certs/tls.key

pdp:
  inProcess:
    storage:
      driver: "disk"
      disk:
        directory: /policies
    schema:
      enforcement: warn
    audit:
      enabled: true
      backend: file
      file:
        path: stderr

extensions:
  dataDir: /tmp/data
  cacheDir: /tmp/cache

  dataSources:
    litestreamds:
      extension:
        extensionURL: system://sqldb
        configuration:
          litestream:
            replicationURL:  s3://bucket/mydb.db

  envoyExternalAuthz:
    enabled: true
    extension:
      extensionURL: /extensions/envoy.wasm

  proxyExtensions:
    importantExtension:
      extensionURL: /extensions/important.wasm?checksum=sha256:dcbbdeaf3d6ddd64ca8ec1026e7addb877a420fbc1be9a73d246839df8935b4a
      priority: 1
      required: true
      configuration:
        environment: staging
      dataMount: /data

  routeExtensions:
    caddy:
      extension:
        extensionURL: /extensions/caddy.wasm
      routes:
        "/caddy/auth": ["POST"]

Reference

The following section enumerates all possible configuration options for Synapse. Please note that some configuration sections are mutually exclusive with each other.

---
audit:
  instanceAnnotations: {"instance": "eu-west-002"} # InstanceAnnotations are key-value pairs of static information about this instance that should be added to the Cerbos requests for audit purposes.
cache:
  backend: "inmem" # Backend sets the cache implementation to use. Valid values are "inmem" or "redis".
  inmem: # InMem configures the in-memory cache.
    maxSize: 1024
  redis: # Redis configures a Redis-backed cache.
    connectionURL: redis://localhost:6379/0?dial_timeout=3&read_timeout=6s&max_retries=2
extensions:
  cacheDir: ${XDG_CACHE_DIR} # CacheDir sets the directory to use for caching downloaded extensions and other artifacts.
  dataDir: ${XDG_DATA_DIR} # DataDir sets the global directory under which the extensions can store their custom data.
  dataSources:
    example:
      extension:
        extensionURL: system://sqldb # DataSources are common functions usable by other extensions.
  envoyExternalAuthz: # EnvoyExternalAuthz configures the Envoy external authorization endpoint.
    enabled: false # Enabled sets whether the Envoy endpoint is enabled or not.
    extension: # Extension defines a pluggable extension to use for handling Envoy requests. Mutually exclusive with mapping.
      configuration: {} # Configuration holds any custom configuration values needed by the extension.
      dataMount: /data # DataMount defines the virtual file system root for the extension.
      disabled: false # Disabled prevents the extension from being loaded.
      extensionURL: ${PWD}/extensions/ext.wasm?checksum=sha256:dcbbdeaf3d6ddd64ca8ec1026e7addb877a420fbc1be9a73d246839df8935b4a # Required. ExtensionURL defines the URL to obtain the extension from.
    mapping: # Mapping uses declarative configuration to handle Envoy requests. Mutually exclusive with extension.
      request: # Required. Request configures handling of requests sent to the adapter.
        action: "request.method.lowerAscii()" # Required. Action is a CEL expression to extract the action from the incoming request.
        auxData: # AuxData configures how to extract the auxiliary data from the incoming request.
          jwt: # JWT configures how to extract the JWT from the incoming request.
            keySetID: "'gateway'" # KeySetID is a CEL expression to extract the ID of the keyset to be used to verify the JWT from the incoming request.
            token: "request.header['Authorization'].replace('Bearer ', '', 1)" # Required. Token is a CEL expression to extract the JWT from the incoming request.
        principal: # Required. Principal configures how to extract the principal from the incoming request.
          attr: "{'ip': request.header['X-Forwarded-For'].split(', ', 2)[0]}" # Attr is a CEL expression or map of CEL expressions to extract the principal's attributes from the incoming request.
          id: "request.header['X-User-Id']" # Required. ID is a CEL expression to extract the principal's ID from the incoming request.
          policyVersion: "'default'" # PolicyVersion is a CEL expression to extract the principal's policy version from the incoming request.
          roles: "['anonymous']" # Required. Roles is a CEL expression or list of CEL expressions to extract the principal's roles from the incoming request.
          scope: "request.header['X-Tenant-Id']" # Scope is a CEL expression to extract the principal's scope from the incoming request.
        requestID: "request.header['X-Request-Id']" # RequestID is a CEL expression to extract the request ID from the incoming request.
        resource: # Required. Resource configures how to extract the resource from the incoming request.
          attr: "request.body.json" # Attr is a CEL expression or map of CEL expressions to extract the resource's attributes from the incoming request.
          id: "request.body.json.id" # Required. ID is a CEL expression to extract the resource's ID from the incoming request.
          kind: "'route'" # Required. Kind is a CEL expression to extract the resource's kind from the incoming request.
          policyVersion: "'default'" # PolicyVersion is a CEL expression to extract the resource's policy version from the incoming request.
          scope: "request.header['X-Tenant-Id']" # Scope is a CEL expression to extract the resource's scope from the incoming request.
      response: "{'status': {'code': check.allow ? google.rpc.Code.OK : google.rpc.Code.PERMISSION_DENIED}}" # Response is a CEL expression returning a envoy.service.auth.v3.CheckResponse
  proxyExtensions:
    example:
      extensionURL: /extensions/foo.wasm # ProxyExtensions configure interceptor chains for Cerbos Check/Plan requests.
  routeExtensions:
    example:
      extensionURL: /extensions/foo.wasm # RouteExtensions configure arbitrary HTTP handlers for providing external authorization capabilities via Cerbos policies.
  workDir: ${TMPDIR} # WorkDir sets the directory for creating sockets and other temporary files.
pdp:
  external: # External configures the server to connect to PDP(s) running elsewhere.
    grpcAddress: cerbos:3593
    httpAddress: cerbos:3592
    tls:
      authority: cerbos.example.com # Authority overrides the TLS authority for the connection.
      caCert: /path/to/ca.crt # CACert sets the path to a CA certificate file to use for validating the certificates.
      disabled: false # Disabled switches off TLS and attempts to connect to the PDP using a plaintext connection. Not recommended for production use.
      insecure: false # Insecure switches off verification of issuer and host of TLS certificates. Not recommended for production use.
    timeout: 5s
  inProcess:
    storage:
      driver: disk # InProcess configures a Cerbos PDP that runs on the same process as this server.
  workDir: /tmp/tainaron # WorkDir is the directory to use for creating sockets and other files required to run the PDP.
server:
  cors:
    allowedHeaders: ['content-type'] # AllowedHeaders is the contents of the allowed-headers header.
    allowedOrigins: ['*'] # AllowedOrigins is the contents of the allowed-origins header.
    disabled: false # Disabled sets whether CORS is disabled.
    maxAge: 10s # MaxAge is the max age of the CORS preflight check.
  debugAddress: 127.0.0.1:6666
  disableDocs: false
  listenAddress: :3594
  tls:
    caCert: /path/to/ca.crt # CACert is the path to the optional CA certificate for verifying client requests.
    cert: /path/to/tls.crt # Cert is the path to the TLS certificate file.
    key: /path/to/tls.key # Key is the path to the TLS private key file.
  tailscale:
    authKey: ${TS_AUTHKEY} # AuthKey to use to register the service. Defaults to environment variable TS_AUTHKEY.
    disabled: false # Disabled prevents the Tailscale service from being launched even if TS_AUTHKEY is defined in the environment.
    hostName: cerbos-001 # HostName overrides the host name of this instance on the tailnet. Defaults to system host name.
    serviceName: svc:cerbos-synapse # ServiceName sets the name of the Tailscale service. Defaults to cerbos-synapse.
    servicePort: 443 # ServicePort sets the port of the Tailscale service. Defaults to 443.
  timeouts:
    idle: 300s # Idle sets the server idle timeout.
    read: 60s # Read sets server read timeout.
    readHeader: 30s # ReadHeader sets server read header timeout.
    shutdown: 30s # Shutdown sets the time to wait for the server to gracefully shutdown.
    write: 30s # Write sets server write timeout.
  udsFileMode: 0o766