Configuration file | Mender documentation

Server integration Mender Gateway Configuration file

Mender Gateway uses a JSON file for configuring the proxy and mTLS settings. The configuration is loaded from the file /var/lib/mender/mender-gateway.conf by default, unless otherwise by the --config command line argument. This section provides a reference for the configuration variables.

{
    "Features": {
        "ArtifactsProxy": {
            "Enabled": true,
            "GatewayURL": "https://gateway.mender.io",
            "DomainWhitelist": ["s3.amazonaws.com", "s3.my-min.io"],
            "ArtifactsCache": {
                "Enabled": true,
                "Path": "/var/cache/mender-gateway"
            }
        }
        "mTLS": {
            "Enabled": true,
            "CACertificate": "/var/lib/mender/ca-cert.pem",
            "MenderUsername": "gateway@mender.io",
            "MenderPassword": "password123",
            "BlacklistPath": "/var/lib/mender/mtls-blacklist.txt"
        },
    },
    "HTTP": {
      "Enabled": false,
      "Listen": ":80"
    },
    "HTTPS": {
        "Enabled": true,
        "Listen": ":443",
        "ServerCertificate": "/var/lib/mender/server-cert.pem",
        "ServerKey": "/var/lib/mender/server-pkey.pem"
    },
    "UpstreamServer": {
        "URL": "https://hosted.mender.io",
        "InsecureSkipVerify": false
    },
    "DebugLog": false
}

Features

ArtifactsProxy

Enabled: Enable the Local Artifact Proxy.
GatewayURL: The self-URL to the gateway.
DomainWhitelist: List of whitelisted domains to proxy Artifacts from.
ArtifactsCache: Configuration for the Artifact Cache, see below.

ArtifactsCache

Enabled: Enable the Artifact Cache (depends on [ArtifactsProxy](#artifactsproxy)).
Path: Path where to store the cached Artifacts.

mTLS

Enabled: Enable forwarding of mutual TLS (mTLS) authentication requests.
CACertificate: Path to Certificate Authority (CA) Certificate used to sign authorized client certificates.
BlacklistPath: Path to file listing blacklisted client certificate serial numbers. The file is a new-line separated list of hexadecimal serial numbers.
MenderUsername: Username (email) for the user representing the API Gateway. This user will preauthorize devices with authorization to the gateway.
MenderPassword: Password credential to the MenderUsername.

Mender Enterprise Only: Using RBAC you can create a new user with a dedicated role to the user access scope to the preauthorization API endpoint for the gateway user.

HTTP

Enabled: Enable proxy of plain HTTP requests.
Listen: TCP network address to listen for incomming connections.

Do not enable HTTP on public or untrusted networks - always use HTTPS whenever possible.

HTTPS

Enabled: Enable proxy of TLS-terminated HTTP requests.
Listen: TCP network address to listen for incomming connections.
ServerCertificate: Path to the public server certificate representing the server.
ServerKey: Path to certificate key file.

UpstreamServer

URL: The upstream server URL for proxying device HTTP requests.
InsecureSkipVerify: Skip verification of certificate claims.

We welcome contributions to improve this documentation. To submit a change, use the Edit link at the top of the page or email us at .