Teleport 설정 레퍼런스
요약
Teleport는 설정에 YAML 파일 형식을 사용합니다. 기본적으로 Teleport는 /etc/teleport.yaml에서 설정을 읽습니다. 이 예제 설정을 프로덕션에 사용하지 마십시오. 설정 파일을 환경 요구 사항에 맞게 편집해야 합니다.
Teleport는 설정에 YAML 파일 형식을 사용합니다. 아래에 전체 설정 레퍼런스 파일이 나와 있습니다. 이는 teleport.yaml에 대한 주석과 모든 사용 가능한 옵션을 제공합니다.
기본적으로 Teleport는 /etc/teleport.yaml에서 설정을 읽습니다.
이 레퍼런스를 사용하기 전에#
Warning
이 예제 설정을 프로덕션에 사용하지 마십시오.
설정 파일을 환경 요구 사항에 맞게 편집해야 합니다. 레퍼런스 설정을 복사해서 사용하면 의도치 않은 효과가 발생합니다. 시작점으로 사용할 수 있는 설정 파일을 생성하려면 다음 명령을 실행하십시오:
$ teleport configure -o file
SSH 서비스와 데이터베이스 서비스에 대한 configure 명령도 있습니다. Teleport CLI 레퍼런스의 teleport node configure 및 teleport db configure에 대한 문서를 참조하십시오.
Warning
변경하기 전에 설정 파일을 백업해야 합니다. 이렇게 하면 필요한 경우 이전 설정으로 롤백할 수 있습니다.
Teleport 서비스 활성화#
teleport 프로세스는 여러 서비스를 실행할 수 있습니다.
일부 서비스의 경우, 시작하려면 Teleport 설정 내에서 서비스를 활성화해야 합니다. 다른 서비스는 기본적으로 활성화되어 있습니다.
서비스를 활성화하거나 비활성화하려면, Teleport 설정에 다음을 포함하고 service_name을 서비스 이름으로 바꾸십시오(서비스 이름은 아래에 나열되어 있습니다):
service_name:
enabled: false
Teleport는 다음 서비스를 지원합니다:
| 서비스 | 설정 섹션 | 기본 활성화 |
|---|---|---|
| Application Service | app_service |
❌ |
| Auth Service | auth_service |
✅ |
| Database Service | db_service |
❌ |
| Discovery Service | discovery_service |
❌ |
| Kubernetes Service | kubernetes_service |
❌ |
| Proxy Service | proxy_service |
✅ |
| SSH Service | ssh_service |
✅ |
| Desktop Service | windows_desktop_service |
❌ |
| Jamf Service | jamf_service |
❌ |
| Relay Service | relay_service |
❌ |
| Debug Service | debug_service |
✅ |
Teleport Cloud는 Auth Service와 Proxy Service를 자동으로 관리합니다. Teleport 서비스 인스턴스(예: Application Service 및 Database Service)는 의도치 않은 효과를 방지하기 위해 다음 설정 옵션을 포함해야 합니다:
auth_service:
enabled: false
proxy_service:
enabled: false
레퍼런스 설정#
이 예제 설정에는 올바른 들여쓰기 사용을 보여주기 위한 모든 가능한 설정 옵션이 YAML 형식으로 포함되어 있습니다.
Teleport 서비스를 선택하여 애플리케이션 설정 옵션을 확인하십시오:
인스턴스 전체 설정#
이 설정은 모든 teleport 인스턴스에 적용됩니다:
<!-- INCLUDE:ENGLISH:docs/pages/includes/config-reference/instance-wide.yaml -->
# By default, this file should be stored in /etc/teleport.yaml
# Configuration file version. The current version is "v3".
version: v3
# This section of the configuration file applies to all teleport
# services.
teleport:
# nodename allows one to assign an alternative name this node can be
# reached by. By default it's equal to hostname.
nodename: graviton
# Data directory where Teleport daemon keeps its data.
data_dir: /var/lib/teleport
# PID file for Teleport process
#pid_file: /var/run/teleport.pid
# The invitation token or an absolute path to a file containing the token used
# to join a cluster. It is not used on subsequent starts.
# If using a file, it only needs to exist when teleport is first ran.
#
# File path example:
# auth_token: /var/lib/teleport/tokenjoin
#
# This is the same as setting join_params.method to "token", and join_params.token_name
# to the value of auth_token.
# You should only use either auth_token or join_params.
auth_token: xxxx-token-xxxx
# join_params are parameters to set when joining a cluster via
# EC2, IAM or a token.
join_params:
# When `method` is set to "token", it is the equivalent to using `auth_token` above.
# You should only use either auth_token or join_params.
method: "token"|"ec2"|"iam"|"github"|"circleci"|"kubernetes"
# If method is not "token", token_name will be will be the name of
# the joining token resource, e.g., "ec2-token" or "iam-token" as created
# in the Joining Nodes via EC2 or IAM guides.
# If method is "token", token_name will be the invitation token
# or an absolute path to a file containing the token used to join a cluster.
# It is not used on subsequent starts.
# If using a file, it only needs to exist when teleport is first ran.
#
# File path example:
# token_name: /var/lib/teleport/tokenjoin
token_name: "token-name"
# Optional CA pin of the Auth Service. Specifying a CA pin enables new
# agents to trust a Teleport cluster when joining via the Auth Service
# directly. You can assign the ca_pin field to the literal value of the CA
# pin or an absolute path to a file. If you specify a file, the file should
# only contain the CA pin.
#
# You can also specify the value of the ca_pin key as a YAML list of CA pins
# or file paths, e.g.:
#
# ca_pin:
# - /var/lib/teleport/pin1
# - /var/lib/teleport/pin2
ca_pin:
"sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1"
# When running in multi-homed or NATed environments Teleport Nodes need
# to know which IP it will be reachable at by other Nodes.
#
# This value can be specified as FQDN e.g. host.example.com
advertise_ip: 10.1.0.5
# Teleport provides HTTP endpoints for monitoring purposes. They are
# disabled by default but you can enable them using the diagnosis address.
diag_addr: "127.0.0.1:3000"
# Only use one of auth_server or proxy_server.
#
# When you have either the application service or database service enabled,
# only tunneling through the proxy is supported, so you should specify proxy_server.
# All other services support both tunneling through the proxy and directly connecting
# to the auth server, so you can specify either auth_server or proxy_server.
# Auth Server address and port to connect to. If you enable the Teleport
# Auth Server to run in High Availability configuration, the address should
# point to a Load Balancer.
# If adding a node located behind NAT, use the Proxy URL (e.g. teleport-proxy.example.com:443)
# and set `proxy_server` instead.
auth_server: 10.1.0.5:3025
# Proxy Server address and port to connect to. If you enable the Teleport
# Proxy Server to run in High Availability configuration, the address should
# point to a Load Balancer.
proxy_server: teleport-proxy.example.com:443
# Relay tunnel address and port to connect to, if set. Used by some services
# to open additional tunnels to a Relay group if Teleport is configured to
# connect to a Proxy Server. If a Relay group consists of more than one
# Relay Service instance, the address should point to a Load Balancer.
# Used in Teleport v18.3.0 and later for the SSH service.
relay_server: teleport-relay.example.com:3042
# cache:
# # The cache is enabled by default, it can be disabled with this flag
# enabled: true
# The duration (in string form) of the delay between receiving a termination
# signal and the beginning of the shutdown procedures. It can be used to
# give time to load balancers to stop routing connections to the Teleport
# instance while the instance is still capable of handling them. If unset or
# negative, no delay is applied.
#shutdown_delay: "0s"
# Teleport can limit the number of connections coming from each client
# IP address to avoid abuse. Note that these limits are enforced separately
# for each service (SSH, Kubernetes, etc.)
connection_limits:
max_connections: 1000
# Auth Service connection configuration.
# These settings can be tweaked to control how aggresively the Proxy or Agent instances will retry to connect. In addition
# each instance will apply jitter.
# auth_connection_config:
# upper_limit_between_retries: "90s" # Cannot be lower than 10s
# initial_connection_delay: "9s" # When unset upper_limit_between_retries / 10
# backoff_step_duration: "18s" # When unset upper_limit_between_retries / 5
# Logging configuration. Possible output values to disk via
# '/var/lib/teleport/teleport.log',
# 'stdout', 'stderr' and 'syslog'. Possible severity values are DEBUG, INFO (default), WARN,
# and ERROR.
log:
output: /var/lib/teleport/teleport.log
severity: INFO
# Log format configuration
# Possible output values are 'json' and 'text' (default).
# Possible extra_fields values include: timestamp, component, caller,
# and level.
# All extra fields are included by default.
format:
output: text
extra_fields: [level, timestamp, component, caller]
<!-- /INCLUDE:ENGLISH -->
추가 읽기:
- 클러스터에 서비스 합류하기:
join_params를 설정하는 데 도움이 되는 사용 가능한 합류 방법. - CA 핀 사용하기:
ca_pin에 값을 할당할 시기. - Teleport 메트릭 레퍼런스:
diag_addr를 사용하여 수집할 데이터.
Proxy Service#
이 설정은 Teleport Proxy Service에 적용됩니다:
Tip
Teleport Enterprise Cloud는 Proxy Service를 자동으로 관리하므로 이 설정을 지정할 필요가 없습니다.
<!-- INCLUDE:ENGLISH:docs/pages/includes/config-reference/proxy-service.yaml -->
# This section configures the 'proxy service'
proxy_service:
# Turns 'proxy' role on. Default is true
enabled: true
# proxy_protocol controls support for HAProxy PROXY protocol.
# Unspecified by default, possible values:
# 'on' - PROXY protocol is enabled and required.
# 'off' - PROXY protocol is disabled and forbidden.
#
# If unspecified, PROXY protocol is allowed, but not required. This is
# suitable for test environments, but not recommended for production use.
# Teleport's IP pinning functionality will not work if this field is left
# unspecified and PROXY headers are received.
# Set to `on` if Proxy service runs behind a L4 load balancer that sends PROXY
# headers, otherwise set to `off`.
proxy_protocol: on
# proxy_protocol_allow_downgrade controls support for automatic downgrading of
# PROXY header source addresses from IPv6 to pseudo IPv4.
# Defaults to 'off', possible values:
# 'on' - Downgrade PROXY header source IPv6 addresses to pseudo IPv4 addresses.
# 'off' - Do not modify PROXY header source addresses.
#
# Because the PROXY protocol spec does not support source and destination addresses
# with mixed TCP versions, this allows for environments where Teleport is proxying
# between IPv6 networks into IPv4 networks. Downgrading to IPv4 comes with the
# posibility of collisions, which means IP pinning functionality will not work for
# downgraded connections.
proxy_protocol_allow_downgrade: on
# SSH forwarding/proxy address. Command line (CLI) clients always begin
# their SSH sessions by connecting to this port
#
# If not set, behavior depends on the config file version:
#
# v2 and above: listener is not created, SSH is multiplexed on web_listen_addr
# v1: defaults to 0.0.0.0:3023
listen_addr: 0.0.0.0:3023
# Reverse tunnel listening address. An auth server (CA) can establish an
# outbound (from behind the firewall) connection to this address.
# This will allow users of the outside CA to connect to
# behind-the-firewall nodes.
#
# If not set, behavior depends on the config file version:
#
# v2 and above: listener is not created, reverse tunnel traffic is multiplexed on web_listen_addr
# v1: defaults to 0.0.0.0:3024
tunnel_listen_addr: 0.0.0.0:3024
# Proxy Peering listening address. Teleport Proxy Services will bind to this address
# to listen for incoming connections from dialing agents in Proxy Peering mode.
peer_listen_addr: 0.0.0.0:3021
# Proxy Peering public address. Teleport Proxy Services will advertise this address
# for dialing agents in Proxy Peering mode.
# NOTE: This address should be unique to each proxy and should not point to a load balancer.
# Using a load balancer address here will lead to unpredictable results and connection delays.
peer_public_addr: teleport-proxy-host-1.example.com:3021
# The HTTPS listen address to serve the Web UI and authenticate users.
# Handles the PostgreSQL proxy if the Database Service is enabled.
web_listen_addr: 0.0.0.0:3080
# The DNS name of the proxy HTTPS endpoint as accessible by cluster users.
# Defaults to the proxy's hostname if not specified. If running multiple
# proxies behind a load balancer, this name must point to the load balancer
# If application access is enabled, public_addr is used to write correct
# redirects
# If database access is enabled, Database clients will connect to the Proxy
# over this hostname
public_addr: proxy.example.com:3080
# The DNS name of the proxy SSH endpoint as accessible by cluster clients.
# Defaults to the proxy's hostname if not specified. If running multiple
# proxies behind a load balancer, this name must point to the load
# balancer.
# Use a TCP load balancer because this port uses SSH protocol.
ssh_public_addr: proxy.example.com:3023
# The DNS name of the tunnel SSH endpoint as accessible by trusted clusters
# and nodes joining the cluster via Teleport IoT/node tunneling.
# Defaults to the proxy's hostname if not specified. If running multiple
# proxies behind a load balancer, this name must point to the load
# balancer. Use a TCP load balancer because this port uses SSH protocol.
tunnel_public_addr: proxy.example.com:3024
# TLS certificate for the HTTPS connection. Configuring these properly is
# critical for Teleport security.
https_keypairs:
- key_file: /var/lib/teleport/webproxy_key.pem
cert_file: /var/lib/teleport/webproxy_cert.pem
- key_file: /etc/letsencrypt/live/*.teleport.example.com/privkey.pem
cert_file: /etc/letsencrypt/live/*.teleport.example.com/fullchain.pem
# Interval between attempts to reload the certificate key pairs.
# If one of the key pairs fails to load, then no key pair is reloaded.
# If set to 0 (the default), then periodic reloading is disabled.
# To use this feature correctly, certificate files should be updated atomically.
https_keypairs_reload_interval: 1h
# Kubernetes proxy listen address.
#
# If not set, behavior depends on the config file version:
#
# v2 and above: listener is not created, Kubernetes traffic is multiplexed on web_listen_addr
# v1: defaults to 0.0.0.0:3026
kube_listen_addr: 0.0.0.0:3026
# optional: set a different public address for kubernetes access
kube_public_addr: kube.example.com:3026
# MySQL proxy listen address.
#
# If not set, behavior depends on the config file version:
#
# v2 and above: listener is not created, MySQL traffic is multiplexed on web_listen_addr
# v1: defaults to 0.0.0.0:3036
mysql_listen_addr: "0.0.0.0:3036"
# Postgres Proxy listener address. If provided, proxy will use a separate
# listener
# instead of multiplexing Postgres protocol on web_listener_addr.
# postgres_listen_addr: "0.0.0.0:5432"
# Mongo Proxy listener address. If provided, proxy will use a separate
# listener instead of multiplexing Mongo protocol on web_listener_addr.
# mongo_listen_addr: "0.0.0.0:27017"
# Address advertised to MySQL clients. If not set, public_addr is used.
mysql_public_addr: "mysql.teleport.example.com:3306"
# Address advertised to PostgreSQL clients. If not set, public_addr is
# used.
postgres_public_addr: "postgres.teleport.example.com:443"
# Address advertised to Mongo clients. If not set, public_addr is used.
mongo_public_addr: "mongo.teleport.example.com:443"
# Get an automatic certificate from Letsencrypt.org using ACME via
# TLS_ALPN-01 challenge.
# When using ACME, the 'proxy_service' must be publicly accessible over
# port 443.
# Also set using the CLI command:
# 'teleport configure --acme --acme-email=email@example.com \
# --cluster-name=tele.example.com -o file'
# This should NOT be enabled in a highly available Teleport deployment
# Using in HA can lead to too many failed authorizations and a lock-up
# of the ACME process (https://letsencrypt.org/docs/failed-validation-limit/)
#acme:
# enabled: yes
# email: user@example.com
# Identity provider configuration. Provides detailed configuration for
# Teleport's identity providers. At present, only SAML is supported.
idp:
# SAML identity provider configuration.
saml:
# Turns the SAML identity provider on. Defaults is 'yes'.
enabled: yes
# Configuration options for the Web UI served by the Proxy Service.
ui:
# The amount of scrollback in the terminal. Scrollback is the amount of
# rows that are retained when lines are scrolled beyond the initial
# viewport. Does not apply to session recording view.
scrollback_lines: 1000
# Which resources should be shown in the web UI resources page; resources the user
# has access to, and resources the user can request access to. By default, both types
# are included. If you wish for users to only see resources they have access to, set
# this to "accessible_only".
show_resources: 'requestable'
# Enables the Proxy service to take client source IPs from the
# "X-Forwarded-For" headers for web APIs.
#
# In order to prevent IP spoofing, it is important to ensure that the Proxy
# service is placed behind a layer 7 load balancer or reverse proxy that
# sets client IPs in the "X-Forwarded-For" headers. Requests with more than
# one IPs will be rejected.
trust_x_forwarded_for: false
# Configuration for the built-in version server for agent automatic updates.
# If you leave this configuration unset, a default channel is created and
# serves the Teleport version run by the Proxy Service.
automatic_upgrades_channels:
# Override the default version channel
default:
static_version: v14.2.1
# Define a new version channel with a static version
additional/channel/static:
static_version: v14.2.0
critical: true
# Define a new version channel forwarding requests to an upstream version server
additional/channel/remote:
forward_url: https://updates.releases.teleport.dev/v1/stable/cloud
<!-- /INCLUDE:ENGLISH -->
Auth Service#
이 설정은 Teleport Auth Service에 적용됩니다:
Tip
Teleport Enterprise Cloud는 Auth Service를 자동으로 관리하므로 이 설정을 지정할 필요가 없습니다.
<!-- INCLUDE:ENGLISH:docs/pages/includes/config-reference/auth-service.yaml -->
teleport:
# Configuration for the storage back-end used for the cluster state and the
# audit log. Several back-end types are supported.
storage:
# By default teleport uses a SQLite database in the `data_dir`
# directory on a local filesystem
type: sqlite
# List of locations where the audit log events will be stored. By
# default, they are stored in `/var/lib/teleport/log`.
#
# When specifying multiple destinations like this, make sure that
# highly-available storage methods (like DynamoDB or Firestore) are
# specified first, as this is what the Teleport Web UI uses as its
# source of events to display.
audit_events_uri:
- "dynamodb://events_table_name"
- "firestore://events_table_name"
- "postgresql://user_name@database-address/events_table_name"
- "file:///var/lib/teleport/log"
- "stdout://"
# Use this setting to configure teleport to store the recorded sessions
# in an AWS S3 bucket or use GCP Storage with 'gs://'.
audit_sessions_uri: "s3://example.com/path/to/bucket?region=us-east-1"
# SQLite-specific section:
# The default path is the `backend` directory in the `data_dir`
path: /var/lib/teleport/backend/
# SQLite's `synchronous` pragma, can be set to `"OFF"` for improved
# write performance in exchange for reliability against system crashes
# (see https://www.sqlite.org/pragma.html#pragma_synchronous).
sync: FULL
# SQLite's `journal_mode` pragma, by default it doesn't change the mode from
# the SQLite default (DELETE unless the database file is using WAL mode).
# For improved performance without sacrificing reliability it's possible to
# set `journal` to `WAL` and `sync` to `NORMAL`, but only when using a filesystem
# that supports locks (see https://www.sqlite.org/pragma.html#pragma_journal_mode).
#journal: DELETE
# DynamoDB-specific section:
# continuous_backups is used to enable continuous backups.
# default: false
continuous_backups: true
# auto_scaling is used to enable (and define settings for) auto
# scaling.
# default: false
auto_scaling: true
# By default, Teleport stores stores audit events with an AWS TTL of 1 year.
# This value can be configured as shown below. If set to 0 seconds, TTL is disabled.
#
# NOTE: Only the DynamoDB events backend respects the retention_period. All other event backends
# consume the retention period via a query parameter in the audit_events_uri. See the examples below
# for how to configure the retention period for other backends.
# Firestore: firestore://events_table_name?eventRetentionPeriod=10d
# Postgres: postgresql://user_name@database-address/teleport_audit?sslmode=verify-full#retention_period=240h
retention_period: 365d
# minimum/maximum read capacity in units
read_min_capacity: int
read_max_capacity: int
read_target_value: float
# minimum/maximum write capacity in units
write_min_capacity: int
write_max_capacity: int
write_target_value: float
# Default cipher algorithms for SSH. This section only needs to be set if
# you want to override the defaults.
ciphers:
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-gcm@openssh.com
- aes256-gcm@openssh.com
- chacha20-poly1305@openssh.com
# Default key exchange algorithms (KEX) for SSH. This section only needs to
# be set if you want to override the defaults.
kex_algos:
- curve25519-sha256
- curve25519-sha256@libssh.org
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
- diffie-hellman-group14-sha256
# Default message authentication code (MAC) algorithms for SSH. This
# section only needs to be set if you want to override the defaults.
mac_algos:
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-256
- hmac-sha2-512
# Default ciphersuites for TLS. If this section is not specified, only the
# default ciphersuites are enabled.
ciphersuites:
- tls-ecdhe-rsa-with-aes-128-gcm-sha256
- tls-ecdhe-ecdsa-with-aes-128-gcm-sha256
- tls-ecdhe-rsa-with-aes-256-gcm-sha384
- tls-ecdhe-ecdsa-with-aes-256-gcm-sha384
- tls-ecdhe-rsa-with-chacha20-poly1305
- tls-ecdhe-ecdsa-with-chacha20-poly1305
# This section configures the 'auth service':
auth_service:
# Turns 'auth' role on. Default is true
enabled: true
# cluster_name is the name used to initiate a new cluster.
# A cluster name is used as part of a signature in certificates
# generated by this CA.
#
# We strongly recommend explicitly setting it to something meaningful as it
# becomes important when configuring trust between multiple clusters.
#
# By default an automatically generated name is used (not recommended)
#
# IMPORTANT: changes to this field won't have an effect on an already created cluster.
# To change the name of an existing cluster, you can use
# the 'POST /v2/configuration/name' endpoint, but it will invalidate all generated
# certificates and keys (may need to wipe out /var/lib/teleport directory)
cluster_name: "main"
# proxy_protocol controls support for HAProxy PROXY protocol.
# Unspecified by default, possible values:
# 'on' - PROXY protocol is enabled and required.
# 'off' - PROXY protocol is disabled and forbidden.
#
# If unspecified, PROXY protocol is allowed, but not required. This is
# suitable for test environments, but not recommended for production use.
# Teleport's IP pinning functionality will not work if this field is left
# unspecified and PROXY headers are received.
# Set to `on` if Auth service runs behind a L4 load balancer that sends PROXY
# headers, otherwise set to `off`.
proxy_protocol: on
authentication:
# default authentication type. possible values are 'local' and 'github'
# for Teleport Community Edition, plus 'oidc' and 'saml' for Enterprise.
# Only local authentication (Teleport's own user DB) & GitHub is
# supported in the open source version
type: local
# Sets whether local auth is enabled alongside any other authentication
# type. Default is true. local_auth must be 'false' for FedRAMP / FIPS.
#local_auth: true
# Enforce per-session MFA or PIV-hardware key restrictions on user login sessions.
# Defaults to false. Possible values:
# - "false" to disable per-session MFA
# - "true" to require MFA of any type on each session
# - "hardware_key" to require MFA of any type on each session AND hardware-key-backed private keys
# - "hardware_key_touch" to require a hardware key touch on each session
# - "hardware_key_pin" to require entering a hardware key PIN on each session
# - "hardware_key_touch_and_pin" to require a hardware key touch and PIN on each session
require_session_mfa: false
# second_factors is the list of allowed second factors for the cluster.
# Possible values: "otp", "webauthn", and "sso". Order does not matter.
# Defaults to ["otp"].
second_factors: ["webauthn", "otp"]
# second_factor can be 'on', 'otp' or 'webauthn'.
# - 'on' requires either otp or webauthn second factor.
# - 'otp' and 'webauthn' require the corresponding second factor.
#
# Prefer setting second_factors instead.
#second_factor: otp
# Sets whether passwordless authentication is allowed.
# Passwordless requires WebAuthn.
# Defaults to "true".
#passwordless: true
# Sets whether headless authentication is allowed.
# Headless authentication requires WebAuthn.
# Defaults to "true".
#headless: true
# Sets the default authentication connector for the cluster:
# - 'local' for local authentication (password, WebAuthn, etc.)
# - 'passwordless' for passwordless authentication
# - 'headless' for headless authentication
# - A specific SSO connector name
# Defaults to "local".
#connector_name: local
# this section is used if second_factor is set to 'on', 'optional' or
# 'webauthn'.
webauthn:
# public domain of the Teleport proxy, *excluding* protocol
# (`https://`) and port number.
#
# IMPORTANT: rp_id must never change in the lifetime of the cluster,
# because it's recorded in the registration data on the second factor
# authenticator. If the rp_id changes, all existing authenticator
# registrations will become invalid and all users who use WebAuthn as
# the second factor will need to re-register.
rp_id: "localhost"
# optional allow list of certificate authorities (as local file paths
# or in-line PEM certificate string) for [device verification](
# https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Attestation.html).
# This field allows you to restrict which device models and vendors
# you trust.
# Devices outside of the list will be rejected during registration.
# By default all devices are allowed.
# If you must use attestation, consider using
# `attestation_denied_cas` to forbid troublesome devices instead.
attestation_allowed_cas:
- /path/to/allowed_ca.pem
- |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
# optional deny list of certificate authorities (as local file paths
# or in-line PEM certificate string) for [device verification](
# https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Attestation.html).
# This field allows you to forbid specific device models and vendors,
# while allowing all others (provided they clear
# `attestation_allowed_cas` as well).
# Devices within this list will be rejected during registration. By
# default no devices are forbidden.
attestation_denied_cas:
- /path/to/denied_ca.pem
- |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
# if set to true, disables WebAuthn. Allows a fallback to U2F for
# second factor modes 'on' and 'optional'.
disabled: false
# the U2F section is kept for legacy purposes and to support existing
# U2F registrations.
u2f:
# app ID used by U2F registrations.
# Keep it in your config to avoid having to re-register U2F devices.
app_id: https://localhost:3080
# Locking mode determines how to apply lock views locally available to
# a Teleport component; can be strict or best_effort.
locking_mode: best_effort
# Device Trust configures Teleport's behavior in regards to trusted
# devices.
# Device Trust is a Teleport Enterprise feature.
device_trust:
# 'mode' is the cluster-wide device trust mode.
# The following values are supported:
# - 'off' - disables device trust. Device authentication is not
# performed and device-aware audit logs are absent.
# - 'optional' - enables device authentication and device-aware audit,
# but doesn't require a trusted device to access resources.
# - 'required' - enables device authentication and device-aware audit.
# Additionally, it requires a trusted device for all SSH, Database
# and Kubernetes connections.
# - 'required-for-humans' - enables device authentication and device-aware
# audit. Additionally, it requires a trusted device for all SSH, Database
# and Kubernetes connections, for human users only (bots are exempt).
mode: optional # always "off" for Teleport Community Edition
# Determines the default time to live for user certificates
# issued by this auth server, defaults to 12 hours. Examples:
# "14h30m", "1h" etc.
default_session_ttl: 12h
stable_unix_user_config:
# If set to true, SSH instances will use the same UID for each given
# username when automatically creating users. Defaults to false.
enabled: false
# The range of UIDs (including both ends) used for automatic UID
# assignment. Ignored if enabled is set to false.
#first_uid: 90000
#last_uid: 95000
# Sets the cryptographic signature algorithm used to sign each kind of
# certificate issued by Teleport.
# The following values are supported:
# 'legacy' : For clusters created prior to v17.0.0 with
# signatures based on 2048-bit RSA keys.
# 'balanced-v1' : (default) For self-hosted clusters created v17.0.0+.
# Ed25519 is used for all SSH certificates and ECDSA with
# the NIST P-256 curve is used for all TLS certificates.
# RSA is still used where for compatibility when non-RSA
# algorithms are unsupported.
# 'fips-v1' : Used by default for FIPS mode clusters created v17.0.0+.
# Based on 'balanced-v1' and replaces all uses of Ed25519
# with ECDSA. HSM or KMS configuration is fully supported.
# 'hsm-v1' : Default suite for new clusters created after version 17.0.0
# that have an HSM or KMS configured. 'hsm-v1' suite is based
# on the 'balanced-v1' suite but uses ECDSA in place of Ed25519
# for all Certificate Authority keys. User and host SSH keys
# still use Ed25519.
signature_algorithm_suite: "balanced-v1"
# IP and the port to bind to. Other Teleport Nodes will be connecting to
# this port (AKA "Auth API" or "Cluster API") to validate client
# certificates
listen_addr: 0.0.0.0:3025
# The optional DNS name for the auth server if located behind a load
# balancer.
public_addr: auth.example.com:3025
# Pre-defined tokens for adding new nodes to a cluster. Each token specifies
# the role a new node will be allowed to assume. The more secure way to
# add nodes is to use `tctl nodes add --ttl` command to generate auto-expiring
# tokens.
#
# We recommend to use tools like `pwgen` to generate sufficiently random
# tokens of 32+ byte length.
tokens:
- 'proxy,node:xxxxx'
- 'auth:yyyy'
# Optional configuration for session recording.
session_recording_config:
# Recording mode that should be use for session recordings. Possible
# values are:
# "node" : (default) sessions will be recorded on the node
# and periodically cleaned up after they are uploaded
# to the storage service.
# "node-sync" : session recordings will be streamed from
# node -> auth -> storage service without being stored on
# disk at all.
# "proxy" : sessions will be recorded on the Teleport Proxy Service
# and periodically cleaned up after they are uploaded to
# the storage service.
# "proxy-sync : session recordings will be streamed from
# proxy -> auth -> storage service without being stored on
# disk at all.
# "off" : session recording is turned off
#
mode: 'node'
# This setting determines if a Teleport Proxy Service instance performs
# strict host key checks.
# Only applicable if session_recording=proxy
proxy_checks_host_keys: yes
# Optional configuration for encrypting session recordings.
encryption:
# Determines whether or not session recordings should be encrypted at
# rest. By default, all encryption keys required will be provisioned
# using the key storage backend defined in ca_key_params.
enabled: yes
# Optional configuration allowing for manually managing encryption keys
# instead of relying on automatic key provisioning and management.
manual_key_management:
# Determine whether or not manual key management should be used.
enabled: yes
# The list of key labels that should be used to find active encryption
# keys. These support encrypting new session recordings and are each a
# pair of key backend type and label value to use during key lookup.
# Possible values for 'type' match the possible keys in ca_key_params,
# which are:
# "pkcs11" : PKCS#11 compliant HSM
# "aws_kms" : AWS KMS
# "gcp_kms" : Google Cloud KMS
#
# Label values are used to identify the key(s) within the key backend.
# For "pkcs11" keys these are expected to map directly to labels within
# the HSM. For 'aws_kms' keys, both ARN or ID values are valid. For
# 'gcp_kms' the full key version name is expected.
active_keys:
- type: pkcs11
label: "session_recording"
# The list of key labels that should be used to find rotated encryption
# keys. These allow for replaying historical session recordings
# encrypted with keys that are no longer active. Individual list
# elements share the format described above for "active_keys".
rotated_keys:
- type: pkcs11
label: "rotated_session_recording"
# Determines if sessions to cluster resources are forcefully terminated after
# no activity from a client (idle client).
# Examples: "30m", "1h" or "1h30m"
client_idle_timeout: never
# Send a custom message to the client when they are disconnected due to
# inactivity. The empty string indicates that no message will be sent.
# (Currently only supported for Server Access connections)
client_idle_timeout_message: ""
# Sets an idle timeout for the Web UI. The default is 10m.
web_idle_timeout: 10m
# Determines if the clients will be forcefully disconnected when their
# certificates expire in the middle of an active session. (default is 'no')
disconnect_expired_cert: no
# keep_alive_interval determines the interval at which Teleport will
# send keep-alive messages for client and reverse tunnel connections.
# The default is set to 5 minutes (300 seconds) to stay lower than the
# common load balancer timeout of 350 seconds.
# keep_alive_count_max is the number of missed keep-alive messages before
# the Teleport cluster tears down the connection to the client or service.
keep_alive_interval: 5m
keep_alive_count_max: 3
# Specifies the cluster wide dial timeout used for establishing SSH connections
# via tsh ssh and the Web UI. The default value of 30 seconds should suffice for
# most use cases. However, if there are multiple network hops to reach the target
# host causing dial timeout failures, this value can be increased as needed.
ssh_dial_timeout: 30s
# Determines the internal session control timeout cluster-wide. This value
# will be used with enterprise max_connections and max_sessions. It's
# unlikely that you'll need to change this.
# session_control_timeout: 2m
# Determines the routing strategy used to connect to nodes when connecting via
# node name. Can be 'unambiguous_match' (default), or 'most_recent'.
routing_strategy: unambiguous_match
# License file to start auth server with. Note that this setting is ignored
# in the Teleport Community Edition and is required only for Teleport Enterprise.
#
# The path can be either absolute or relative to the configured `data_dir`
# and should point to the license file obtained from Teleport Download
# Portal.
#
# If not set, by default Teleport will look for the `license.pem` file in
# the configured `data_dir` .
license_file: /var/lib/teleport/license.pem
# Configures a banner message to be displayed to a user logging into the
# cluster, which must be acknowledged before the user is allowed to log in.
# Note that will be shown *before* login, so should not contain any
# confidential information.
# Defaults to the empty string, implying no message or acknowledgment is
# required.
message_of_the_day: ""
# Indicates to the clients whether the cluster is running in TLS routing
# mode with all protocols multiplexed on the proxy's web_listen_addr.
#
# Possible values are:
#
# "multiplex": clients will be connecting to Teleport proxy's web listener
# in TLS routing mode.
# "separate": clients will be connecting to Teleport proxy's individual
# listeners: tunnel_listen_addr, mysql_listen_addr, etc.
#
# See "TLS Routing" in Architecture section for additional information.
proxy_listener_mode: multiplex
# Determines the strategy that the cluster uses for connecting clients to
# agents through the Teleport Proxy Service.
tunnel_strategy:
# Possible tunnel strategy types are:
#
# "agent_mesh": The default behavior, where agents will connect to every
# Teleport Proxy Service instance.
# "proxy_peering": Agents will connect to a subset of Proxy Service instances
# and clients will be routed between Proxy Service instances
# for end-to-end connectivity.
type: proxy_peering
# The number of reverse tunnel connections agents will attempt to create.
# This field is only available when using the "proxy_peering" tunnel
# strategy type. For high availability we recommend setting this value to
# 2 or more.
agent_connection_count: 1
# Tells tsh to load the CAs of all clusters when trying to ssh into a Teleport Node,
# instead of just the CA for the current cluster. This may be useful for
# users that want to log in to a root cluster and then "tsh ssh" into a node
# in a leaf cluster. Defaults to false.
load_all_cas: false
# Enables case-insensitivity for ssh dial requests. Setting this to true will allow
# 'tsh ssh myserver' to route to host 'MyServer'. Dialing with an uppercase hostname
# will still require an exact match. Openssh always lowercases hostnames, so setting
# this to true is necessary if you want to use openssh to access nodes with uppercase
# characters in their hostnames.
case_insensitive_routing: false
# AccessMonitoring is a set of options related to the Access Monitoring feature.
access_monitoring:
# Turn on Access Monitoring. Default is 'no'.
enabled: yes
# AWS role ARN that Teleport will assume to execute Athena SQL queries.
# The Teleport role should be configured with a trust relationship and should be able to assume this role.
role_arn: arn:aws:iam::123456789012:role/AccessMonitoringRole
# S3 bucket where Access Monitoring reports will be stored.
report_results: s3://audit-long-term/report_results
# (Optional) Athena workgroup used by access monitoring queries (if not set, the default primary workgroup will be used).
workgroup: access_monitoring_workgroup
# Enables storing CAs in an external Hardware Security Module(HSM) or Key Management Service(KMS)
# Only one of the options can be enbabled at a given time.
ca_key_params:
# Persist CAs to Google Cloud KMS.
gcp_kms:
# The fully qualified path to the GCP key ring where CAs are to be stored.
keyring: "projects/<your-gcp-project>/locations/<location>/keyRings/<your-teleport-keyring>"
# The protection level of the keys. Must be either SOFTWARE or HSM.
protection_level: "SOFTWARE"
# Persist CAs to AWS KMS.
aws_kms:
# The AWS account where keys should be stored.
account: "123456789012"
# The AWS region where keys will be stored.
region: "us-west-2"
# Persist CAs to a PKCS#11 compliant HSM.
pkcs11:
# this is the default install location of the PKCS#11 module for the HSM.
module_path: /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
# slot_number is the PKCS#11 slot number to use for HSM connections.
slot_number: 0
# token_label is the label of the PKCS#11 token to use for HSM connections.
token_label: "hsm1"
# max_sessions configures the maximum number of open sessions for the HSM.
# If not set, it will default to the minimum of 1024 or the MaxRWSessionCount
# reported by the PKCS#11 module for the token. If set, must be greater than 1.
max_sessions: 10
# pin is the PKCS#11 pin to use for HSM connections.
pin: "0001password"
# pin_path can optionally be used to read the pin from a file
# pin_path: /path/to/pin_file
<!-- /INCLUDE:ENGLISH -->
추가 읽기:
- 스토리지 백엔드 레퍼런스: DynamoDB, S3, etcd 및 기타 고가용성 백엔드 설정 지침.
- 패스워드리스:
passwordless인증 옵션에 대한 추가 정보. - 헤드리스 WebAuthn:
headless인증 옵션. - Single Sign-On: SSO 설정으로 Teleport가 특정 SSO 인증 커넥터를 사용하도록 구성.
- 잠금:
locking_mode옵션 설정. - Device Trust:
device_trust섹션 설정. - 녹화 프록시 모드: 녹화 프록시 모드를 구성하는 경우
proxy_checks_host_keys활성화 고려.
SSH Service#
이 설정은 Teleport SSH Service에 적용됩니다:
<!-- INCLUDE:ENGLISH:docs/pages/includes/config-reference/ssh-service.yaml -->
ssh_service:
# Turns 'ssh' role on. Default is true
enabled: true
# IP and the port for SSH service to bind to.
listen_addr: 0.0.0.0:3022
# The optional public address the SSH service. This is useful if
# administrators want to allow users to connect to nodes directly,
# bypassing a Teleport proxy.
public_addr: node.example.com:3022
labels:
role: leader
type: postgres
# List of the commands to periodically execute. Their output will be used
# as node labels.
commands:
# this command will add a label 'arch=x86_64' to a node
- name: arch
command: ['/bin/uname', '-p']
period: 1h0m0s
# Enables reading ~/.tsh/environment on the server before creating a session.
# Disabled by default. Can be enabled here or via the `--permit-user-env` flag.
permit_user_env: false
# Disables automatic creation of host users on this SSH node.
# Set to false by default.
disable_create_host_user: true
# Enables listening on the configured listen_addr when connected
# to the cluster via a reverse tunnel. If no listen_addr is
# configured, the default address is used.
#
# This allows the service to be connectable by users with direct network access.
# All connections still require a valid user certificate to be presented and will
# not permit any additional access. This is intended to provide an optional connection
# path to reduce latency if the Proxy is not co-located with the user and service.
#
# Set to false by default.
force_listen: false
# Enhanced Session Recording
enhanced_recording:
# Enable or disable enhanced auditing for this node. Default value:
# false.
enabled: false
# command_buffer_size is optional with a default value of 8 pages.
command_buffer_size: 8
# disk_buffer_size is optional with default value of 128 pages.
disk_buffer_size: 128
# network_buffer_size is optional with default value of 8 pages.
network_buffer_size: 8
# Controls where cgroupv2 hierarchy is mounted. Default value:
# /cgroup2.
cgroup_path: /cgroup2
# Optional: Controls the path inside cgroupv2 hierarchy where Teleport
# cgroups will be placed. Default value: /teleport
root_path: /teleport
# Configures the PAM integration.
pam:
# "no" by default
enabled: yes
# use /etc/pam.d/sshd configuration (the default)
service_name: 'sshd'
# use the "auth" modules in the PAM config
# "false" by default
use_pam_auth: true
# Enables/disables TCP forwarding. Default is 'true'
port_forwarding: true
# When x11.enabled is set to yes, users with the "permit_x11_forwarding"
# role option will be able to request X11 forwarding sessions with
# "tsh ssh -X".
#
# X11 forwarding will only work if the server has the "xauth" binary
# installed and the Teleport Node can open Unix sockets.
# e.g. "$TEMP/.X11-unix/X[display_number]."
x11:
# no by default
enabled: yes
# display_offset can be used to specify the start of the range of X11
# displays the server will use when granting X11 forwarding sessions
# 10 by default
display_offset: 10
# max_display can be set to specify the end of the range of X11 displays
# to use when granting X11 forwarding sessions
# display_offset + 1000 by default
max_display: 1010
# Enables/disables remote file operations via SCP/SFTP for this Node. Default
# value: true
ssh_file_copy: true
<!-- /INCLUDE:ENGLISH -->
추가 읽기:
Kubernetes Service#
이 설정은 Teleport Kubernetes Service에 적용됩니다:
<!-- INCLUDE:ENGLISH:docs/pages/includes/config-reference/kubernetes-config.yaml -->
kubernetes_service:
enabled: true
# Optional Public & Listen Addr: Set these if you are connecting to
# Teleport running inside a Kubernetes cluster instead of using a
# reverse tunnel.
#
# Optional Public Addr
public_addr: [k8s.example.com:3026]
# Optional Listen Addr
listen_addr: 0.0.0.0:3026
# Optional kubeconfig_file and kube_cluster_name. Exactly one of these must
# be set.
#
# When running teleport outside of the Kubernetes cluster, use
# kubeconfig_file to provide teleport with cluster credentials.
#
# When running teleport inside of the Kubernetes cluster pod, use
# kube_cluster_name to provide a user-visible name. Teleport uses the pod
# service account credentials to authenticate to its local kubernetes API.
kubeconfig_file: /secrets/kubeconfig
kube_cluster_name:
# Matchers for dynamic kubernetes cluster resources created with "tctl create" command or by Kubernetes auto-discovery.
# When resources were created by 'discovery_service', ' kubernetes_service' must have the required permissions.
resources:
- labels:
"*": "*"
# Optional AWS role that the Teleport Kubernetes Service will assume to access
# EKS clusters.
aws:
assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name"
external_id: "example-external-id"
# Optional labels: These can be used in combination with RBAC rules
# to limit access to applications.
# When using kubeconfig_file above, these labels apply to all kubernetes
# clusters specified in the kubeconfig.
labels:
env: "prod"
# Optional Dynamic Labels
commands:
- name: "os"
command: ["/usr/bin/uname"]
period: "5s"
# Get cluster name on GKE.
- name: cluster-name
command:
- 'curl'
- 'http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-name'
- '-H'
- 'Metadata-Flavor: Google'
period: 1m0s
<!-- /INCLUDE:ENGLISH -->
Application Service#
이 설정은 Teleport Application Service에 적용됩니다:
<!-- INCLUDE:ENGLISH:docs/pages/includes/config-reference/app-service.yaml -->
app_service:
# Turns 'app' role on. Default is false
enabled: true
# Teleport contains a small debug app that can be used to make sure the
# Application Service is working correctly. The app outputs JWTs so it can
# be useful when extending your application.
debug_app: true
# Enables the builtin Teleport demo MCP server that shows current user and
# session information. To access it, this MCP server uses the app label
# "teleport.internal/resource-type" with the value "demo".
mcp_demo_server: true
# Matchers for dynamic application resources
#
# All application resources have a predefined "teleport.dev/origin" label with
# one of the following values:
# "dynamic": application resources created via an Auth Service API
# client like `tctl` or the Teleport Terraform provider
# "config": application resources defined in the "apps" array below
resources:
- labels:
"*": "*"
apps:
- name: "kubernetes-dashboard"
# Optional: For access to cloud provider APIs, specify the cloud
# provider. Allowed values are "AWS", "Azure", and "GCP".
cloud: ""
# Optional: Free-form description of the application.
description: "Kubernetes Dashboard to development cluster"
# URI of Application. For TCP applications
# use tcp, ex: tcp://localhost:5432.
uri: "http://10.0.1.27:8000"
# Optionally skip TLS verification. default false
# insecure_skip_verify: true
# Optional Public Addr
public_addr: "example.com"
# Optional Label: These can be used in combination with RBAC rules
# to limit access to applications
labels:
env: "prod"
# # Optional list of Teleport application names that require a session for this app to function correctly.
# # When launching this app, any app listed here will also be launched, and a session will be created.
# # These sessions follow their respective RBAC policies.
# required_apps:
# - "my-api"
# - "prod-database"
# # Add more required app names as needed
# # Optional CORS policy is used for preflight requests only. It does not overwrite the contained
# # app's CORS policy per route but is used by Teleport to respond to unauthenticated OPTION requests.
# # Important Notes:
# # - Each field in the CORS spec is optional.
# # - The allowed_headers field accepts wildcard entries. However, in requests with "allow_credentials: true",
# # a wildcard is treated as the literal header name "*" without special semantics.
# # - The Authorization header can't be set with a wildcard and always needs to be listed explicitly.
# cors:
# # Specifies which origins are allowed to make cross-origin requests.
# allowed_origins:
# - "https://example.com"
# - "https://app.example.com"
# # HTTP methods that are allowed when accessing the resource.
# allowed_methods:
# - "GET"
# - "POST"
# - "PUT"
# - "DELETE"
# - "OPTIONS"
# # HTTP headers that can be used during the actual request.
# allowed_headers:
# - "Content-Type"
# - "Authorization"
# - "X-Custom-Header"
# # Headers that browsers are allowed to access.
# exposed_headers:
# - "Content-Type"
# - "X-Custom-Response-Header"
# # Indicates whether the request can include credentials.
# allow_credentials: true
# # Indicates how long (in seconds) the results of a preflight request can be cached.
# max_age: 3600
# Optional Dynamic Labels
commands:
- name: "os"
command: ["/usr/bin/uname"]
period: "5s"
## Optional list of rewrite rules to apply to requests and responses
# rewrite:
## Optional simple rewriting of Location header
## Rewrite the "Location" header on redirect responses replacing the
## host with the public address of this application.
# redirect:
# - "localhost"
# - "jenkins.internal.dev"
## Optional list of extra headers to inject in to requests.
# headers:
# For example:
# - "Host: jenkins.example.com"
## Optional rewrite to remove parts of the JWT token.
## Can be one of three options:
## - roles-and-traits: include both roles and traits in the JWT token
## - roles: include only roles in the JWT token
## - traits: include only traits in the JWT token
## - none: include neither roles nor traits in the JWT token
## Default: roles-and-traits
# jwt_claims: roles-and-traits
# Contains MCP server-related configurations.
mcp:
# Command to launch stdio-based MCP servers.
command: "docker"
# Args to execute with the command.
args: ["run", "-i", "--rm", "mcp/everything"]
# Name of the host user account under which the command will be
# executed. Required for stdio-based MCP servers.
run_as_host_user: "docker"
<!-- /INCLUDE:ENGLISH -->
Database Service#
이 설정은 Teleport Database Service에 적용됩니다:
<!-- INCLUDE:ENGLISH:docs/pages/includes/config-reference/database-config.yaml -->
db_service:
# Enables the Database Service.
enabled: true
# Matchers for database resources created with "tctl create" command or by the
# discovery service.
resources:
# Resource labels to match.
#
# Use specific label selectors so each Database Service instance only
# matches databases it can actually reach.
- labels:
"env": "staging"
# Optional AWS role that the Database Service will assume to access the
# databases.
aws:
assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name"
external_id: "example-external-id"
# Matchers for registering AWS-hosted databases by performing auto-discovery
# on the Database Service.
#
# NOTE: for most deployments, it is recommended to use the Discovery Service
# to register AWS databases instead of Database Service–based discovery.
aws:
# Database types. Valid options are:
# 'rds' - discovers and registers Amazon RDS and Aurora databases.
# 'rdsproxy' - discovers and registers Amazon RDS Proxy databases.
# 'redshift' - discovers and registers Amazon Redshift databases.
# 'redshift-serverless' - discovers and registers Amazon Redshift Serverless databases.
# 'elasticache' - discovers and registers Amazon ElastiCache Redis and Valkey databases.
# 'elasticache-serverless' - Amazon ElastiCache Serverless Redis or Valkey databases.
# 'memorydb' - discovers and registers Amazon MemoryDB databases.
# 'opensearch' - discovers and registers Amazon OpenSearch databases.
# 'docdb' - discovers and registers Amazon DocumentDB databases.
- types: ["rds", "rdsproxy","redshift", "redshift-serverless", "elasticache", "elasticache-serverless", "memorydb", "opensearch", "docdb"]
# AWS regions to register databases from.
regions: ["us-west-1", "us-east-2"]
# Optional AWS role that the Database Service will assume to discover
# and register AWS-hosted databases.
# Discovered databases are also accessed by the Database Service via
# this role.
assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name"
# Optional AWS external ID that the Database Service will use to assume
# a role in an external AWS account.
external_id: "example-external-id"
# AWS resource tags to match when registering databases.
#
# Use specific tag selectors so each Database Service instance only matches
# databases it can actually reach.
tags:
"env": "staging"
# Matchers for registering Azure-hosted databases by performing auto-discovery
# on the Database Service.
#
# NOTE: for most deployments, it is recommended to use the Discovery Service
# to register AWS databases instead of Database Service–based discovery.
azure:
# Database types. Valid options are:
# 'mysql' - discovers and registers Azure MySQL databases.
# 'postgres' - discovers and registers Azure PostgreSQL databases.
# 'redis' - discovers and registers Azure Cache for Redis databases.
# 'sqlserver' - discovers and registers Azure SQL Server databases.
- types: ["mysql", "postgres", "redis", "sqlserver"]
# Azure regions to register databases from. Valid options are:
# '*' - discovers databases in all regions (default).
# Any valid Azure region name. List all valid regions using the Azure "az" cli: `az account list-locations -o table`
regions: ["eastus", "westus"]
# Azure subscription IDs to register databases from. Valid options are:
# '*' - discovers databases in all subscriptions (default).
subscriptions: ["11111111-2222-3333-4444-555555555555"]
# Azure resource groups to register databases from. Valid options are:
# '*' - discovers databases in all resource groups within configured subscription(s) (default).
resource_groups: ["group1", "group2"]
# Azure resource tags to match when registering databases.
#
# Use specific tag selectors so each Database Service instance only matches
# databases it can actually reach.
tags:
"env": "staging"
# Lists statically registered databases proxied by this agent.
databases:
# Name of the database proxy instance, used to reference in CLI.
- name: "prod"
# Free-form description of the database proxy instance.
description: "Production database"
# Database protocol. Valid options are:
# "cassandra"
# "clickhouse"
# "clickhouse-http"
# "cockroachdb"
# "dynamodb"
# "elasticsearch"
# "mongodb"
# "mysql"
# "oracle"
# "postgres"
# "redis"
# "snowflake"
# "spanner"
# "sqlserver"
protocol: "postgres"
# Database connection endpoint. Must be reachable from Database Service.
uri: "postgres.example.com:5432"
# Optional TLS configuration.
tls:
# TLS verification mode. Valid options are:
# 'verify-full' - performs full certificate validation (default).
# 'verify-ca' - the same as `verify-full`, but skips the server name validation.
# 'insecure' - accepts any certificate provided by database (not recommended).
mode: verify-full
# Optional database DNS server name. It allows to override the DNS name on
# a client certificate when connecting to a database.
# Use only with 'verify-full' mode.
server_name: db.example.com
# Optional path to the CA used to validate the database certificate.
ca_cert_file: /path/to/pem
# Optional configuration that allows Teleport to trust certificate
# authorities available on the host system. If not set (by default),
# Teleport only trusts self-signed databases with TLS certificates signed
# by Teleport's Database Server CA or the ca_cert_file specified in this
# TLS setting. For cloud-hosted databases, Teleport downloads the
# corresponding required CAs for validation.
trust_system_cert_pool: false
# MySQL only options.
mysql:
# The default MySQL server version reported by Teleport Proxy.
# When this option is set the Database Agent doesn't try to check the MySQL server version.
server_version: 8.0.28
# Oracle only options.
oracle:
# Randomize host order per connection attempt to spread load. Optional.
shuffle_hostnames: true
# Retries per host on network errors only; non-network errors stop (default: 2). Optional.
retry_count: 5
# Optional admin user configuration for Automatic User Provisioning.
admin_user:
# Name of the admin user.
name: "teleport-admin"
# Optional default database the admin user logs into. See individual
# guides for default value.
default_database: "teleport"
# Optional AWS configuration for AWS hosted databases. AWS region- and
# service-specific configurations can usually be auto-detected from the
# endpoint.
aws:
# Region the database is deployed in.
region: "us-east-1"
# Optional AWS role that the Database Service will assume to access
# this database.
assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name"
# Optional AWS external ID that the Database Service will use to assume
# a role in an external AWS account.
external_id: "example-external-id"
# Redshift-specific configuration.
redshift:
# Redshift cluster identifier.
cluster_id: "redshift-cluster-1"
# RDS-specific configuration.
rds:
# RDS instance identifier.
instance_id: "rds-instance-1"
# RDS Aurora cluster identifier.
cluster_id: "aurora-cluster-1"
# ElastiCache-specific configuration.
elasticache:
# ElastiCache replication group identifier.
replication_group_id: "elasticache-replication-group-1"
# MemoryDB-specific configuration.
memorydb:
# MemoryDB cluster name.
cluster_name: "memorydb-cluster-1"
# Optional AWS Secrets Manager configuration for managing ElastiCache
# or MemoryDB users.
#
# IMPORTANT: please make sure databases sharing the same Teleport-managed
# users have the same secret_store configuration. The configuration
# should also be consistent across all Database Services in High
# Availability (HA) mode.
secret_store:
# Prefix to all secrets created by the service. Defaults to 'teleport/'.
key_prefix: "teleport/"
# KMS Key ID used for secret encryption and description. If not
# specified, Secrets Manager uses AWS managed key 'aws/secretsmanager'
# by default.
kms_key_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# Optional session tags used when assuming IAM roles for DynamoDB access.
session_tags:
dynamodb_table_name: "table-a"
# GCP specific configuration for Cloud SQL and Spanner databases.
gcp:
# GCP project ID.
project_id: "xxx-1234"
# Cloud SQL instance ID.
instance_id: "example"
# AlloyDB-specific configuration.
alloydb:
# Endpoint type. Valid types: "private" (default), "public", "PSC".
endpoint_type: "private"
# Endpoint override. IP address or hostname to be used instead of automatically resolved endpoint.
endpoint_override: "11.22.33.44"
# Settings specific to Active Directory authentication e.g. for SQL Server.
ad:
# Path to Kerberos keytab file.
keytab_file: /path/to/keytab
# Active Directory domain name.
domain: EXAMPLE.COM
# Service Principal Name to obtain Kerberos tickets for.
spn: MSSQLSvc/ec2amaz-4kn05du.dbadir.teleportdemo.net:1433
# Optional path to Kerberos configuration file. Defaults to /etc/krb5.conf.
krb5_file: /etc/krb5.conf
# Name of the service account Teleport uses to perform LDAP queries for retrieving user SIDs.
ldap_service_account_name: "svc-teleport"
# SID of the above service account. Teleport uses this to authenticate LDAP queries.
# Also required for PKINIT if the user SID must be included in the certificate.
ldap_service_account_sid: "S-1-5-21-1111111111-2222222222-3333333333-4444"
# Optional configuration for Azure hosted databases.
azure:
# Set is_flexi_server to true when using an Azure flexible server.
is_flexi_server: false
# Resource ID for the database in Azure. This field is required for Azure Cache for Redis databases.
resource_id: "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/example-group/providers/Microsoft.Cache/Redis/example-db-name"
# Static labels to assign to the database. Used in RBAC.
static_labels:
env: "prod"
# Dynamic labels ("commands"). Used in RBAC.
dynamic_labels:
- name: "hostname"
command: ["hostname"]
period: 1m0s
<!-- /INCLUDE:ENGLISH -->
Discovery Service#
Discovery Service는 클라우드 환경을 감시하고 지원되는 리소스를 자동으로 Teleport에 등록합니다.
클라우드 매처(즉, discovery_service.aws, discovery_service.gcp 및 discovery_service.azure)를 사용하여 등록할 리소스를 지정하는 대신,
tctl 또는 Terraform을 통해 Discovery Configs를 생성할 수 있습니다.
Discovery Service는 동일한 discovery_group을 가진 모든 Discovery Configs를 로드합니다.
이 설정은 Teleport Discovery Service에 적용됩니다:
<!-- INCLUDE:ENGLISH:docs/pages/includes/discovery/discovery-config.yaml -->
discovery_service:
enabled: true
# discovery_group is used to group discovered resources into different
# sets. This is required when you have multiple Teleport Discovery services
# running. It prevents discovered services from colliding in Teleport when
# managing discovered resources.
# If two Discovery Services match the same resources, they must be in the
# same discovery group.
# If two Discovery Services match different resources, they must be in
# different discovery groups.
#
# It is also used to watch DiscoveryConfig resources.
# The Discovery Configs that have a matching discovery_group will be added to
# this Discovery Service matchers.
discovery_group: "disc-group"
# poll_interval is the cadence at which the discovery server will run each of its
# discovery cycles. The default is 5m.
poll_interval: 5m
# Matchers for discovering AWS-hosted resources.
aws:
# AWS resource types to discover and register with your Teleport cluster.
# Valid options are:
# 'ec2' - Amazon EC2 instances.
# 'eks' - Amazon EKS clusters.
# 'rds' - Amazon RDS and Aurora databases.
# 'rdsproxy' - Amazon RDS Proxy databases.
# 'redshift' - Amazon Redshift databases.
# 'redshift-serverless' - Amazon Redshift Serverless databases.
# 'elasticache' - Amazon ElastiCache Redis and Valkey databases.
# 'elasticache-serverless' - Amazon ElastiCache Serverless Redis or Valkey databases.
# 'memorydb' - Amazon MemoryDB databases.
# 'opensearch' - Amazon OpenSearch Redis databases.
# 'docdb' - Amazon DocumentDB databases.
- types: ["ec2"]
# AWS regions to search for resources from
regions: ["us-east-1","us-west-1"]
# Optional AWS resource tags to match when registering resources
# Defaults to a wildcard selector that matches any resource: "*":"*"
tags:
"*": "*"
# Optional AWS role that the Discovery Service will assume to discover
# and register AWS-hosted databases and EKS clusters.
assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name"
# Optional AWS external ID that the Discovery Service will use to assume
# a role in an external AWS account.
external_id: "example-external-id"
# Organization sections enables AWS organization account discovery.
# Only applicable for EC2 discovery.
organization:
# Organization ID used for discovering accounts in the AWS organization.
organization_id: "o-exampleorgid"
# Filters for matching on AWS Organizational Units (OUs).
organizational_units:
# Include is a list of AWS Organizational Unit IDs and children OUs to include.
# Accounts that belong to these OUs, and their children, will be included.
# Only exact matches or wildcard (*) are supported.
# Required.
include_ous: ["*"]
# Exclude is a list of AWS Organizational Unit IDs and children OUs to exclude.
# Accounts that belong to these OUs, and their children, will be excluded, even if they were included.
# Only exact matches are supported.
# Optional. If empty, no OUs are excluded.
exclude_ous: []
# AWS role name that the Discovery Service will assume to discover resources in other accounts
# Only required when using discovering accounts under an organization.
assume_role_name: "example-role-name"
# Optional section: install is used to provide parameters to the installer script.
# Only applicable for EC2 discovery.
install:
# enroll_mode is used to identify the method used to enroll the ec2 instance into Teleport.
# Only the value "script" is supported, which uses a script to install and enroll the instance into Teleport.
# Only applicable for EC2 discovery.
enroll_mode: script
# Whether to install teleport on the EC2 instance.
# If false, it will enroll the EC2 instance as an agentless node.
# When using agentless, change the script_name to "default-agentless-installer" or create a custom script.
install_teleport: true
join_params:
# token_name is the name of the Teleport invite token to use.
# Optional, defaults to: "aws-discovery-iam-token".
token_name: "aws-discovery-iam-token"
# script_name is the name of the Teleport install script to use.
# Optional, defaults to: "default-installer".
script_name: "default-installer"
# Optional: adds a suffix to teleport installation, allowing for multiple agent installations.
# Requires managed updates to be enabled.
# Supported characters are alphanumeric characters and `-`.
suffix: "<suffix>"
# Optional: when using managed updates, set the update group of the installation.
# Supported characters are alphanumeric characters and `-`.
update_group: "<update-group>"
# Optional: proxy settings for the install script.
# Sets the http_proxy, HTTP_PROXY, https_proxy, HTTPS_PROXY, no_proxy, and NO_PROXY
# environment variables for the install script.
http_proxy_settings:
https_proxy: http://172.31.5.130:3128
http_proxy: http://172.31.5.130:3128
no_proxy: my-local-domain
# Optional section: ssm is used to configure which AWS SSM document to use
# If the ssm section isnt provided the below defaults are used.
ssm:
# document_name is the name of the SSM document that should be
# executed when installing teleport on matching nodes
# Can be set to "AWS-RunShellScript" which is a pre-defined SSM Document,
# removing the need to create a custom SSM Document in each region.
# Optional, defaults to: "TeleportDiscoveryInstaller".
document_name: "AWS-RunShellScript"
# Optional role for which the Discovery Service should create the EKS access entry.
# If not set, the Discovery Service will attempt to create the access
# entry using its own identity.
# If used, the role must match the role configured for a Teleport Kubernetes Service.
setup_access_for_arn: arn:aws:iam::123456789012:role/kube-service-role
# Matchers for discovering Azure-hosted resources.
azure:
# Azure resource types. Valid options are:
# 'aks' - discovers and registers Azure AKS Kubernetes Clusters.
# 'vm' - discovers and registers Azure virtual machines.
# 'mysql' - discovers and registers Azure MySQL databases.
# 'postgres' - discovers and registers Azure PostgreSQL databases.
# 'redis' - discovers and registers Azure Cache for Redis databases.
# 'sqlserver' - discovers and registers Azure SQL Server databases.
- types: ["aks"]
# Azure regions to search for resources from. Valid options are:
# '*' - discovers resources in all regions (default).
# Any valid Azure region name. List all valid regions using the Azure "az" cli: `az account list-locations -o table`
regions: ["eastus", "westus"]
# Azure subscription IDs to search resources from. Valid options are:
# '*' - discovers resources in all subscriptions (default).
# Any subscription_id: `az account subscription list -o table`
subscriptions: ["11111111-2222-3333-4444-555555555555"]
# Azure resource groups to search resources from. Valid options are:
# '*' - discovers resources in all resource groups within configured subscription(s) (default).
# Any resource_groups: `az group list -o table`
resource_groups: ["group1", "group2"]
# Optional section: install is used to provide parameters to the Teleport installation in Azure VMs.
# Only applicable for VM discovery.
install:
join_params:
# token_name is the name of the Teleport invite token to use.
# Optional, defaults to: "azure-discovery-token".
token_name: "azure-discovery-token"
# script_name is the name of the Teleport install script to use.
# Optional, defaults to: "default-installer".
script_name: "default-installer"
# Optional: adds a suffix to teleport installation, allowing for multiple agent installations.
# Requires managed updates to be enabled.
# Supported characters are alphanumeric characters and `-`.
suffix: "<suffix>"
# Optional: when using managed updates, set the update group of the installation.
# Supported characters are alphanumeric characters and `-`.
update_group: "<update-group>"
# Optional proxy settings for the install script.
# Sets the http_proxy, HTTP_PROXY, https_proxy, HTTPS_PROXY, no_proxy, and NO_PROXY
# environment variables for the install script.
http_proxy_settings:
https_proxy: http://172.31.5.130:3128
http_proxy: http://172.31.5.130:3128
no_proxy: my-local-domain
# Azure resource tag filters used to match resources.
tags:
"*": "*"
# Matchers for discovering GCP-hosted resources.
gcp:
# GCP resource types. Valid options are:
# 'gke' - discovers and registers GKE Kubernetes clusters.
# 'gce' - discovers and registers GCP compute instances.
- types: ["gce"]
# IDs of GCP projects to search for resources from.
project_ids: ["project-id"]
# GCP locations to search for resources from. Valid options are:
# '*' - discovers resources in all locations.
# Any valid GCP region (e.g. "us-west1").
# Any valid GCP zone (e.g. "us-west1-b").
locations: ["us-east2", "us-west1-b"]
# Email addresses of service accounts that instances can join with.
# If empty, any service account is allowed.
service_accounts: []
# Optional section: install is used to provide parameters to the Teleport installation in Google Cloud VMs.
# Only applicable for VM discovery.
install:
join_params:
# token_name is the name of the Teleport invite token to use.
# Optional, defaults to: "gcp-discovery-token".
token_name: "gcp-discovery-token"
# script_name is the name of the Teleport install script to use.
# Optional, defaults to: "default-installer".
script_name: "default-installer"
# Optional: adds a suffix to teleport installation, allowing for multiple agent installations.
# Requires managed updates to be enabled.
# Supported characters are alphanumeric characters and `-`.
suffix: "<suffix>"
# Optional: when using managed updates, set the update group of the installation.
# Supported characters are alphanumeric characters and `-`.
update_group: "<update-group>"
# Optional proxy settings for the install script.
# Sets the http_proxy, HTTP_PROXY, https_proxy, HTTPS_PROXY, no_proxy, and NO_PROXY
# environment variables for the install script.
http_proxy_settings:
https_proxy: http://172.31.5.130:3128
http_proxy: http://172.31.5.130:3128
no_proxy: my-local-domain
# GCP resource label filters used to match resources.
labels:
"*": "*"
# Matchers for discovering services inside Kubernetes clusters and exposing them as Teleport apps
# When the `kubernetes` value is set, the `discovery_group` parameter is mandatory and should be set to
# the name of Kubernetes cluster where the discovery service is running.
kubernetes:
# Type of services to discover. Currently, only "app" is supported. Default value is `["app"]`
- types: ["app"]
# List of namespaces of the Kubernetes cluster to search in. Default value is `*` to search all namespaces.
namespaces: ["test", "staging"]
# List of Kubernetes labels to match when the Discovery service queries Kubernetes cluster services.
# Default value is `*`: `*` to match any labels.
labels:
"purpose": "monitoring"
"department": "security"
<!-- /INCLUDE:ENGLISH -->
Windows Desktop Service#
이 설정은 Windows Desktop Service에 적용됩니다:
<!-- INCLUDE:ENGLISH:docs/pages/includes/config-reference/desktop-config.yaml -->
windows_desktop_service:
enabled: true
# This is the address that windows_desktop_service will listen on.
listen_addr: "0.0.0.0:3028"
# (optional) This is the address that windows_desktop_service will advertise
# to the rest of Teleport for incoming connections. Only proxy_service should
# connect to windows_desktop_service, users connect to the proxy's web UI
# instead.
public_addr: "desktop-access.example.com:3028"
# (optional) Determines whether desktop sessions will show a user-selected wallpaper
# vs a system-default, single-color wallpaper. For improved visual performance,
# set this to false (its default value).
show_desktop_wallpaper: false
# (optional) ldap contains configuration keys used when connecting Teleport
# to an Active Directory domain.
ldap:
# Address of the LDAP server for secure LDAP connections.
# Usually, this address will use port 636, like: ldap.example.com:636.
# For best results, this address should point to a highly-available
# endpoint rather than a single domain controller.
addr: "$LDAP_SERVER_ADDRESS"
# locate_server gets a list of available LDAP servers from the AD
# domain's SRV records. When enabled, addr is ignored.
locate_server:
enabled: true
# Optional: Site is the logical AD site that locate_server should return.
# Ignored if locate_server is false.
site: "$LDAP_SITE_NAME"
# Optional: the server name to use when validating the LDAP server's
# certificate. Useful in cases where addr is an IP but the server
# presents a cert with some other hostname.
server_name: "$LDAP_SERVER_NAME"
# You can skip LDAPS certificate verification by setting
# this to true. It is recommended that this be set to false
# and the certificate added your system's trusted repository,
# or provided as a PEM encoded certificate using ldap_ca_cert variable.
# You can provide a filepath with der_ca_file, but this behavior is deprecated.
insecure_skip_verify: false
# PEM encoded LDAP CA certificate.
ldap_ca_cert: |
-----BEGIN CERTIFICATE-----
*certificate data*
-----END CERTIFICATE-----
# DER encoded LDAP CA certificate.
# deprecated: prefer ldap_ca_cert instead
der_ca_file: /path/to/cert
# Active Directory domain name you are connecting to.
domain: "$LDAP_DOMAIN_NAME"
# LDAP username for authentication. This username must include the domain
# NetBIOS name. The use of single quotes here is intentional in order to
# avoid the need to escape the backslash (\) character.
#
# For example, if your domain is "example.com", the NetBIOS name for it is
# likely "EXAMPLE". When connecting as the "svc-teleport" user, you should
# use the format: "EXAMPLE\svc-teleport".
username: "$LDAP_USERNAME"
# The security identifier of the service account specified by the username
# field above. This looks like a string starting with "S-".
#
# Any AD user with permission to read user objects can obtain this value
# by opening a PowerShell and running
# ```
# Get-AdUser -Identity $LDAP_USERNAME | Select SID
# ```
#
# The value can be obtained over LDAP by constructing a query with the
# filter = (&(objectCategory=person)(objectClass=user)(sAMAccountName=$LDAP_USERNAME))
# and requesting the attribute = objectSid
sid: "$LDAP_USER_SID"
# (optional) When AD support is used, this field allows you to override
# the domain that Teleport uses for PKI operations. If empty, the domain
# from the ldap section is used. This can be useful for cases where PKI
# is configured in a root domain but Teleport is used to provide access
# to users and computers in a child domain.
pki_domain: root.example.com
# (optional) Configures the address of the Kerberos Key Distribution Center,
# which is used to support RDP Network Level Authentication (NLA). When set,
# this field takes priority over locate_server. If empty and locate_server
# is disabled, the LDAP address will be used instead.
#
# example: kdc.example.com:88.
# The port is optional and defaults to port 88 if unspecified.
#
# Note: NLA is only supported in Active Directory environments - this field has
# no effect when connecting to desktops as local Windows users.
kdc_address: "$KDC_SERVER_ADDRESS"
# (optional) static_hosts is a list of hosts to register as WindowsDesktop
# objects in Teleport. You can define host name and labels directly.
static_hosts:
- name: example1
ad: false
addr: win1.dev.example.com
labels:
datacenter: dc1
- ad: true
addr: win2.dev.example.com # name will be generated based on address
labels:
controller: all
# (optional) settings for enabling automatic desktop discovery via LDAP.
# To disable automatic discovery, omit this section.
discovery_configs:
- base_dn: "OU=prod,DC=example,DC=com"
# (optional) LDAP filters for further customizing the LDAP search.
# See https://ldap.com/ldap-filters for details on LDAP filter syntax.
filters:
- "(location=Oakland)"
- "(!(primaryGroupID=516))" # exclude domain controllers
# (optional) LDAP attributes to convert into Teleport labels.
# The key of the label will be "ldap/" + the value of the attribute.
label_attributes:
- location
# (optional) static labels to apply to all hosts discovered via this policy
labels:
env: prod
# (optional) The port to use for RDP.
# Defaults to 3389 if unspecified.
rdp_port: 3389
# (optional) interval at which to run desktop discovery
discovery_interval: 10m
# (optional) interval at which to publish CRLs
# Defaults to 5m if unspecified
publish_crl_interval: 10m
# (optional) configure a set of label selectors for dynamic registration.
# If specified, this service will monitor the cluster for dynamic_windows_desktop
# and automatically proxy connections for desktops with matching labels.
resources:
- labels:
"env": "dev"
# (optional) rules for applying labels to Windows hosts based on regular expressions
# matched against the host name. If multiple rules match, the desktop will
# get the union of all matching labels.
host_labels:
- match: '^.*\.dev\.example\.com'
labels:
environment: dev
- match: '^.*\.prod\.example\.com'
labels:
environment: prod
- match: "^EC2AMAZ-"
labels:
environment: discovered-in-aws
# Labels to attach to the Windows Desktop Service. This is used internally, so
# any custom labels added won't affect the Windows hosts.
labels:
teleport.internal/resource-id: "resource-id"
<!-- /INCLUDE:ENGLISH -->
Jamf Service#
이 설정은 Jamf Service에 적용됩니다:
<!-- INCLUDE:ENGLISH:docs/pages/includes/config-reference/jamf-service.yaml -->
# This section configures the Jamf service.
jamf_service:
# Enables the Jamf service. Default is false
enabled: true
# Name of the sync source corresponding to the service.
# Jamf service sources with the same name manage the same devices, which is
# particularly relevant during device removal.
# If you have multiple Jamf sources, make sure to give them distinct,
# descriptive names.
# Default is 'jamf'.
name: jamf
# API endpoint for the Jamf Pro API.
# Required.
api_endpoint: (=jamf.api_endpoint=)
# Username for the Jamf Pro API.
# Prefer using client_id and client_secret_file.
# If both username+password and client_id+client_secret are set the service
# will use the latter.
username: teleport
# Path to a file containing the password for the Jamf Pro API.
# It is recommended to set the permissions for the file as restrictively as
# possible.
# Prefer using client_id and client_secret_file.
# If both username+password and client_id+client_secret are set the service
# will use the latter.
password_file: /var/lib/teleport/jamf_password.txt
# Client ID for the Jamf Pro API.
# See https://developer.jamf.com/jamf-pro/docs/client-credentials.
client_id: (=jamf.client_id=)
# Path to a file containing the client secret for the Jamf Pro API.
# It is recommended to set the permissions for the file as restrictively as
# possible.
# See https://developer.jamf.com/jamf-pro/docs/client-credentials.
client_secret_file: /var/lib/teleport/jamf_client_secret.txt
# Delay for initial syncs.
# Set to zero for syncs to start after a short random delay (a couple minutes
# max).
# Set to -1 for immediate syncs on startup.
# Default is '0'.
sync_delay: 0
# If `true` the Teleport process runs all Jamf syncs immediately and exits as
# soon as they are done. Implies `sync_delay=-1`.
# Useful for cron-like executions of Jamf syncs.
# Default is `false`.
exit_on_sync: false
# Inventory sync entries.
# Each entry corresponds to its own sync schedule and may have different
# filters and intervals.
# If the inventory section is absent a preset sync configuration is used.
inventory:
# Sync period for partial syncs.
# A partial sync attempts to fetch new and modified devices, but won't scan
# the entire Jamf inventory.
# Set to zero or -1 to disable partial syncs.
- sync_period_partial: 6h
# Sync period for full syncs.
# A full sync scans the entire Jamf inventory, processing new/modified
# devices and removals from Jamf.
# Set to zero or -1 to disable partial syncs.
sync_period_full: 24h
# Action to take against devices missing from Jamf but present in Teleport.
# Valid options are:
# 'DELETE' - devices removed from Jamf are removed from Teleport.
# (Requires a full sync.)
# 'NOOP' - devices removed from Jamf are left in Teleport.
# Default is 'NOOP'.
on_missing: NOOP
# Device filters forwarded to the Jamf Pro API queries.
# Refer to https://developer.jamf.com/jamf-pro/reference/get_v1-computers-inventory
# for the possible filter values.
# Default is ''
filter_rsql: ''
# Custom page size for inventory queries.
# Useful if Jamf reads are failing due to the page length, but otherwise
# better left alone.
# If absent, zeroed or negative a server default is used.
page_size: 0
<!-- /INCLUDE:ENGLISH -->
Relay Service#
Relay Service는 Teleport v18.3.0 이상에서 사용 가능합니다.
이 설정은 Relay Service에 적용됩니다:
<!-- INCLUDE:ENGLISH:docs/pages/includes/config-reference/relay-service.yaml -->
relay_service:
# Enables the Relay Service, defaults to false.
enabled: true
# The name of the Relay group. All Relay Service instances that are accessible
# behind the same Load Balancer must use the same name, and other Relay
# Service instances in the same Teleport cluster must use a different name.
relay_group: groupname
# The amount of distinct tunnels that other Teleport agents will open when
# using this Relay group. The target connection count should be no bigger than
# the amount of distinct Relay Service instances behind the Load Balancer.
target_connection_count: 2
# A list of hostnames or IP addresses that agents and clients can use to
# connect to the Relay group. Most setups will only need one.
public_hostnames:
- relay-group.example.com
# The listen address and port for the transport server of the Relay Service,
# used by clients to access resources through the Relay.
transport_listen_addr: 0.0.0.0:3040
# Whether or not the transport server should expect a PROXY protocol v2 header
# for incoming connections. If set, anything with the ability to connect
# directly to the transport listener will be able to spoof the source of
# network connections. Defaults to false.
#transport_proxy_protocol: true
# The listen address and port for the peer server of the Relay Service, used
# by other Relay Service instances of the same Relay group to forward
# connections between instances.
peer_listen_addr: 0.0.0.0:3041
# The address and port that other Relay Service instances of the same group should use
# to connect to the peer server. Defaults to the first available private IP
# address found in the system's network interfaces.
#peer_public_addr: 1.2.3.4:3041
# The listen address and port for the tunnel server of the Relay Service, used
# by agents to discover the Relay group configuration and open tunnels to the
# Relay.
tunnel_listen_addr: 0.0.0.0:3042
# Whether or not the tunnel server should expect a PROXY protocol v2 header
# for incoming connections. If set, anything with the ability to connect
# directly to the tunnel listener will be able to spoof the source of network
# connections. Defaults to false.
#tunnel_proxy_protocol: true
<!-- /INCLUDE:ENGLISH -->
Debug Service#
이 설정은 Debug Service에 적용됩니다
<!-- INCLUDE:ENGLISH:docs/pages/includes/config-reference/debug-service.yaml -->
# These settings apply to the Debug service:
debug_service:
enabled: true
<!-- /INCLUDE:ENGLISH -->
설정 버전#
기존 설정이 손상되지 않도록 Teleport의 설정은 버전이 지정됩니다. 최신 설정 버전은 v3입니다. 설정 파일에 version이 지정되지 않으면 v1로 가정합니다.
일부 새로운 Teleport 기능은 사용자가 설정을 더 새로운 버전으로 명시적으로 업그레이드하여 옵트인해야 합니다.
Config v1#
v1은 Teleport 파일 설정의 원래 버전입니다. 현재도 지원되지만, 대부분의 새 사용자는 최신 설정 버전으로 시작해야 합니다.
Config v2#
설정 버전 v2는 Teleport의 TLS 라우팅 기능의 일환으로 Teleport 8에서 도입되었습니다. TLS 라우팅을 사용하면 Teleport의 프록시가 단일 포트에서 수신하고 ALPN 및 SNI를 사용하여 들어오는 트래픽을 여러 프로토콜별 포트에서 수신하는 대신 올바른 Teleport 서비스로 라우팅합니다.
하위 호환성을 위해, 설정 버전 v1은 항상 이러한 프로토콜별 포트에서 수신합니다. Teleport가 설정 버전 v2를 사용할 때, 개별 프로토콜별 포트는 명시적으로 설정하지 않는 한 열리지 않습니다.
Config v3#
설정 버전 v3은 Teleport 11과 함께 도입되었습니다. 버전 3에서는 auth_servers 필드가 더 이상 지원되지 않으며, 에이전트는 Teleport 클러스터에 합류하기 위해 사용할 엔드포인트를 나타내기 위해 auth_server 또는 proxy_server 중 하나를 지정해야 합니다.
이전 버전의 Teleport에서는 auth_servers가 Auth 서버 또는 Proxy 서버를 가리킬 수 있었습니다. 결과적으로 Teleport는 여러 가지 다른 모드에서 연결을 시도했고, 이로 인해 혼란스러운 오류 메시지가 발생했습니다. 설정 버전 3에서는 Teleport가 단일 모드에서만 연결을 시도하므로 더 효율적이고 문제 해결이 더 쉽습니다.
예를 들어, v2 설정에서 이 발췌문은 다음 변경으로 v3로 변환할 수 있습니다.
-version: v2
+version: v3
teleport:
- auth_servers: [ teleport.example.com:443 ]
+ proxy_server: teleport.example.com:443