Configuration
For the latest and most up to date description of the Envoy configuration, ask Envoy directly! You can do this using the Envoy docker image as follows:
$ docker run trisa/envoy:latest envoy config
This will print out a table of the configuration options, default values, and descriptions. If you’d prefer it in list form, run:
$ docker run trisa/envoy:latest envoy config --list
Configuration Values
Envoy is configured via the environment and for local development, also supports using .env
files in the working directory for loading environment variables. We recommend configuring Envoy using the deployment mechanism of your choice. For example, if you’re running the binary using systemd
, then the environment should be defined in your .service
using Environment
or an EnvironmentFile
. If you’re using Kubernetes or Docker, then the environment variables should be added to the manifest of your deployment.
A list of the primary environment variables and their configuration are as follows:
EnvVar | Type | Default | Description |
---|---|---|---|
TRISA_MAINTENANCE | bool | false | If true, the node will start in maintenance mode and will respond Unavailable to requests |
TRISA_ORGANIZATION | string | Envoy | Specify the display name of the organization using the Envoy node for the web UI and interactive docs |
TRISA_MODE | string | release | Specify the mode of the API/UI server (release, debug, or testing) |
TRISA_LOG_LEVEL | string | info | Specify the verbosity of logging (trace, debug, info, warn, error, fatal, panic) |
TRISA_CONSOLE_LOG | bool | false | If true, logs colorized human readable output instead of json |
TRISA_DATABASE_URL | string | sqlite3:///trisa.db | DSN containing the backend database configuration |
TRISA_SEARCH_THRESHOLD | float | 0.0 | Specify a threshold for fuzzy search from 0.0 (any match) to 1.0 (exact matches only) |
TRISA_ENDPOINT | string | The endpoint of the TRISA node as defined by the mTLS certificates (to create travel addresses) | |
TRISA_TRP_ENDPOINT | string | If enabled, the endpoint of the TRP node as assigned by the mTLS certificates (to create travel addresses) |
Web UI/API Configuration
These configuration values influence the behavior of the internal web UI and API.
EnvVar | Type | Default | Description |
---|---|---|---|
TRISA_WEB_ENABLED | bool | true | If false, both the web UI and API are disabled |
TRISA_WEB_API_ENABLED | bool | true | If false, the API will return unavailable when accessed |
TRISA_WEB_UI_ENABLED | bool | true | If false, the web UI will return unavailable when accessed |
TRISA_WEB_BIND_ADDR | string | :8000 | The IP address and port to bind the web server on |
TRISA_WEB_ORIGIN | string | http://localhost:8000 | The origin (url) of the web UI for creating API endpoints |
TRISA_WEB_DOCS_NAME | string | The display name for the API docs server in the Swagger app (by default the organization name) | |
TRISA_WEB_AUTH_KEYS | map | Optional static RSA key configuration for signing access and refresh tokens. Should be a comma separated map of keyID:path. | |
TRISA_WEB_AUTH_AUDIENCE | string | http://localhost:8000 | The value for the aud (audience) claim in JWT tokens issued by the API |
TRISA_WEB_AUTH_ISSUER | string | http://localhost:8000 | The value for the iss (issuer) claim in JWT tokens issued by the API |
TRISA_WEB_AUTH_COOKIE_DOMAIN | string | localhost | Limit cookies for the UI to the specified domain (exclude any port information) |
TRISA_WEB_AUTH_ACCESS_TOKEN_TTL | duration | 1h | The amount of time before an access token expires |
TRISA_WEB_AUTH_REFRESH_TOKEN_TTL | duration | 2h | The amount of time before refresh tokens expire |
TRISA_WEB_AUTH_TOKEN_OVERLAP | duration | -15m | The amount of overlap between the access and refresh tokens, the more negative the duration the more the overlap |
TRISA Node Configuration
Configuration values for the public facing TRISA node.
EnvVar | Type | Default | Description |
---|---|---|---|
TRISA_NODE_ENABLED | bool | true | If false, the TRISA node server will not be run |
TRISA_NODE_BIND_ADDR | string | :8100 | The ip address and port to bind the TRISA node server on |
TRISA_NODE_POOL | path | The path to TRISA x509 certificate pool; this allows you to define what certificate authorities you’re willing to accept using mTLS (optional) | |
TRISA_NODE_CERTS | path | The path to your TRISA identify certificates and private key for establishing mTLS connections to TRISA peer counterparties | |
TRISA_NODE_KEY_EXCHANGE_CACHE_TTL | duration | 24h | The duration to cache public keys exchanged with remote TRISA nodes before performing another key exchange |
Webhook Configuration
If you would like to configure the Envoy node to send incoming travel rule requests to a webhook, you can configure those details below. For more information on the webhook and authentication, please see the “webhook guide”
EnvVar | Type | Default | Description |
---|---|---|---|
TRISA_WEBHOOK_URL | string | Specify a callback webhook that incoming travel rule messages will be posted to | |
TRISA_WEBHOOK_AUTH_KEY_ID | string | Used to identify the shared secret for HMAC authorization headers (required if secret is set) | |
TRISA_WEBHOOK_AUTH_KEY_SECRET | string | Specify a hexadecimal encoded 32 byte shared secret for HMAC authorization (required if key id is set) | |
TRISA_WEBHOOK_REQUIRE_SERVER_AUTH | bool | false | If true, the client will expect the webhook server to send a Server-Authorization header with HMAC token |
TRISA Directory Configuration
The following configuration influences how the Envoy node connects to the TRISA Global Directory Service.
If you’re running a TestNet node, then ensure the values point to testnet.directory
(e.g. api.testnet.directory:443
), if you’re running a MainNet node, then ensure the values point to trisa.directory
(the default values).
EnvVar | Type | Default | Description |
---|---|---|---|
TRISA_NODE_DIRECTORY_INSECURE | bool | false | If true, do not connect to the directory using TLS (only useful for local development) |
TRISA_NODE_DIRECTORY_ENDPOINT | string | api.trisa.directory:443 | The endpoint of the public GDS service |
TRISA_NODE_DIRECTORY_MEMBERS_ENDPOINT | string | members.trisa.directory:443 | The endpoint of the private members GDS service |
TRISA_DIRECTORY_SYNC_ENABLED | bool | true | If false, then the background directory sync service will not run |
TRISA_DIRECTORY_SYNC_INTERVAL | duration | 6h | The interval that the node will synchronize counterparties with the GDS |
Sunrise Configuration
To enable the Sunrise protocol use the following configuration and ensure that you also update the email configuration for the node to send outgoing emails.
EnvVar | Type | Default | Description |
---|---|---|---|
TRISA_SUNRISE_ENABLED | bool | true | Used to disable sunrise access which will cause external sunrise pages to return a 404; both this and email need to be enabled for Sunrise |
TRISA_SUNRISE_TRISA_WEB_ORIGIN | string | The URL to send sunrise requests to (by default the same as TRISA_WEB_ORIGIN) | |
TRISA_SUNRISE_INVITE_ENDPOINT | string | /sunrise/verify | The endpoint to verify an incoming Sunrise request |
TRISA_SUNRISE_REQUIRE_OTP | true | If true, Sunrise verification will require an additional OTP step to access PII data |
TRP Node Configuration
Configuration values for the publically facing TRP server.
EnvVar | Type | Default | Description |
---|---|---|---|
TRISA_TRP_ENABLED | bool | true | If false, the TRP node server will not be run |
TRISA_TRP_BIND_ADDR | string | :8200 | The ip address and port to bind the TRISA node server on |
TRISA_TRP_IDENTITY_VASP_NAME | string | Specify the name of your VASP for TRP identity requests | |
TRISA_TRP_IDENTITY_LEI | string | Specify the LEI of your VASP to respond to a TRP identity request | |
TRISA_TRP_USE_MTLS | bool | true | If true, the TRP server will require mTLS authentication |
TRISA_TRP_POOL | path | The path to TRP x509 certificate pool; this allows you to define what certificate authorities you’re willing to accept using mTLS (optional) | |
TRISA_TRP_CERTS | path | The path to your TRP identify certificates and private key for establishing mTLS connections to TRISA peer counterparties |
Email Configuration
Configure either SMTP or SendGrid so that the Envoy node can send emails for Sunrise messages, forgot password resets, etc. If email is not enabled, the Sunrise protocol will be disabled.
EnvVar | Type | Default | Description |
---|---|---|---|
TRISA_EMAIL_SENDER | string | The email address that messages are sent from by the Envoy node (e.g. compliance@envoy.local) | |
TRISA_EMAIL_SENDER_NAME | string | The name of the sender, usually the name of the VASP or compliance team | |
TRISA_EMAIL_SUPPORT_EMAIL | string | An email address to refer support requests to, will appear on error pages | |
TRISA_EMAIL_COMPLIANCE_EMAIL | string | An email address to refer compliance requests to in case an originator counterparty does not use TRISA | |
TRISA_EMAIL_TESTING | bool | false | Sets the emailer to testing mode and ensures no live emails are sent |
TRISA_EMAIL_SMTP_HOST | string | If configuring SMTP, the host without the port (e.g. smtp.example.com) | |
TRISA_EMAIL_SMTP_PORT | int | 587 | The port to access the SMTP on |
TRISA_EMAIL_SMTP_USERNAME | string | A username to authenticate to the SMTP server with | |
TRISA_EMAIL_SMTP_PASSWORD | string | A password to authenticate to the SMTP server with | |
TRISA_EMAIL_SMTP_USE_CRAM_MD5 | bool | false | Enables CRAM-MD5 auth to your SMTP server as defined in RFC 2195 instead of simple authentication |
TRISA_EMAIL_SMTP_POOL_SIZE | int | 2 | The SMTP connection pool size for concurrent email sending |
TRISA_EMAIL_SENDGRID_API_KEY | string | If configuring SendGrid, add the your API key to access the SendGrid API |
Region Info
Envoy nodes support some provenance features when deployed in a geographically replicated fashion. If you would like to configure your node with hosting information (even just for debugging using the about page on the node), you may set the following environment variables:
EnvVar | Type | Default | Description |
---|---|---|---|
REGION_INFO_ID | int32 | the 7 digit region identifier code | |
REGION_INFO_NAME | string | the name of the region | |
REGION_INFO_COUNTRY | string | the alpha-2 country code of the region | |
REGION_INFO_CLOUD | string | the cloud service provider | |
REGION_INFO_CLUSTER | string | the name of the cluster the node is hosted in |