Configuration file

reference

Mender Gateway uses a JSON file for configuring the proxy and mTLS settings. The configuration is loaded from the file /var/lib/mender/mender-gateway.conf by default, unless otherwise by the --config command line argument. This section provides a reference for the configuration variables.

{
    "Features": {
        "ArtifactsProxy": {
            "Enabled": true,
            "GatewayURL": "https://gateway.mender.io",
            "DomainWhitelist": ["s3.amazonaws.com", "s3.my-min.io"],
            "ArtifactsCache": {
                "Enabled": true,
                "Path": "/var/cache/mender-gateway"
            }
        },
        "mTLS": {
            "Enabled": true,
            "CACertificate": "/var/lib/mender/ca-cert.pem",
            "MenderUsername": "gateway@mender.io",
            "MenderPassword": "password123",
            "BlacklistPath": "/var/lib/mender/mtls-blacklist.txt"
        },
    },
    "HTTP": {
      "Enabled": false,
      "Listen": ":80"
    },
    "HTTPS": {
        "Enabled": true,
        "Listen": ":443",
        "ServerCertificate": "/var/lib/mender/server-cert.pem",
        "ServerKey": "/var/lib/mender/server-pkey.pem"
    },
    "UpstreamServer": {
        "URL": "https://hosted.mender.io",
        "InsecureSkipVerify": false
    },
    "DebugLog": false
}

Features

ArtifactsProxy

Enabled
Enable the Local Artifact Proxy.
GatewayURL
The self-URL to the gateway.
DomainWhitelist
List of whitelisted domains to proxy Artifacts from.
ArtifactsCache
Configuration for the Artifact Cache, see below.

ArtifactsCache

Enabled
Enable the Artifact Cache (depends on [ArtifactsProxy](#artifactsproxy)).
Path
Path where to store the cached Artifacts.

mTLS

Enabled
Enable forwarding of mutual TLS (mTLS) authentication requests.
CACertificate
Path to Certificate Authority (CA) Certificate used to sign authorized client certificates.
BlacklistPath
Path to file listing blacklisted client certificate serial numbers. The file is a new-line separated list of hexadecimal serial numbers.
MenderUsername
Username (email) for the user representing the API Gateway. This user will preauthorize devices with authorization to the gateway.
MenderPassword
Password credential to the MenderUsername.

Mender Enterprise Only: Using RBAC you can create a new user with a dedicated role to the user access scope to the preauthorization API endpoint for the gateway user.

HTTP

Enabled
Enable proxy of plain HTTP requests.
Listen
TCP network address to listen for incomming connections.

Do not enable HTTP on public or untrusted networks - always use HTTPS whenever possible.

HTTPS

Enabled
Enable proxy of TLS-terminated HTTP requests.
Listen
TCP network address to listen for incomming connections.
ServerCertificate
Path to the public server certificate representing the server.
ServerKey
Path to certificate key file.

UpstreamServer

URL
The upstream server URL for proxying device HTTP requests.
InsecureSkipVerify
Skip verification of certificate claims.

We welcome contributions to improve this documentation. To submit a change, use the Edit link at the top of the page or email us at .