Advanced Configuration

SSL/TLS Certificate

HUMAN Callout Enforcer spawns gRPC server to listen for incoming messages from Envoy. gRPC server uses HTTP/2 protocol, it is required to have a SSL/TLS certificate to be present on Docker container.
By default perimeterx/px-callout-enforcer Docker image has a self-signed certificate located in /etc/cert folder.
We advice to generate your own certificate (ideally signed by CA) and mount certificate files to /etc/cert/ files.
Two certificate files are required:

PEM EC private key (named server.key)
PEM certificate (named server.crt)

To mount certificate files to /etc/cert folder, the following docker run parameters could be used:

1 docker run \
2  ...
3 --mount type=bind,source="$(pwd)"/server.key,target=/etc/cert/server.key,readonly \
4 --mount type=bind,source="$(pwd)"/server.crt,target=/etc/cert/server.crt,readonly \
5 ...
6 perimeterx/px-callout-enforcer:latest

Logging

By default all logs are printed to stdout.
TBD

Debugging

Enforcer debug logging could be enabled by enabling px_debug:

1 "px_debug": true

TBD

1	docker run \
2	...
3	--mount type=bind,source="$(pwd)"/server.key,target=/etc/cert/server.key,readonly \
4	--mount type=bind,source="$(pwd)"/server.crt,target=/etc/cert/server.crt,readonly \
5	...
6	perimeterx/px-callout-enforcer:latest