server.example.toml
# Tunnel Server Configuration
#
# Example file: copy it to the real config location and edit the values.
# Several keys below (cert, key, ca_cert, api_token) accept secret material
# inline via "base64://" — base64 is an encoding, not encryption, so a config
# written that way IS the secret. Keep the file readable only by the service
# account that runs the server, whichever source form you pick.

# Port for control plane (mTLS client connections)
# Clients must present a certificate chaining to ca_cert below; this port is
# the authentication boundary for who may open tunnels.
control_port = 4443

# Port for HTTP data plane (traffic from Cloudflare)
# Nothing in this file restricts which source addresses may reach this port;
# if the host is directly reachable, restrict it to Cloudflare's ranges at the
# firewall — TODO confirm whether the server enforces this itself.
http_port = 80

# Base domain for tunnels (e.g., "tunnel.example.com")
# Clients will get subdomains like "myapp.tunnel.example.com"
# Every tunnel subdomain and the Origin CA certificate (see auto_origin_ca)
# hang off this value, so changing it later affects DNS records and certs.
base_domain = "tunnel.example.com"

# TLS Certificates and Keys
# Supported formats:
# - File path: "/etc/tunnel/server.crt" or "file:///etc/tunnel/server.crt"
# - Base64: "base64://LS0tLS1CRUdJTi..." (useful for CI/CD, K8s secrets)
#   (puts the decoded secret in this file — see the note at the top)
# - OS Keychain: "keychain://tunnel-server/cert" (macOS Keychain, Windows Credential Manager, Linux Secret Service)
# - 1Password CLI: "op://vault/item/field" (requires 'op' CLI installed and authenticated)
# - Environment variable: "env://TUNNEL_SERVER_CERT"

# Server certificate (PEM format)
cert = "/etc/tunnel/server.crt"

# Server private key (PEM format)
# When using a file path, the key file should be owned by the service account
# with no group/other read access. The keychain/op forms keep it off disk.
key = "/etc/tunnel/server.key"
# Or use keychain: key = "keychain://tunnel-server/private-key"
# Or use 1Password: key = "op://Infrastructure/tunnel-server/private-key"

# CA certificate for client verification (PEM format)
# Any client certificate issued by this CA is accepted on control_port
# (assumption from the description above — confirm against the control-plane
# TLS setup). Use a CA dedicated to tunnel clients rather than a general one,
# and keep the CA's signing key off this host.
ca_cert = "/etc/tunnel/ca.crt"

# TCP port range for TCP tunnels (optional)
# NOTE(review): whether both ends are inclusive is not stated here — confirm.
# Ports in this range are exposed to whatever can reach the host, so the same
# firewall consideration as http_port applies.
tcp_port_range = [30000, 40000]

# HTTP plane TLS (optional - enables HTTPS for Cloudflare Full Strict mode)
# If not set, HTTP plane accepts plain HTTP (suitable for Cloudflare Flexible/Full mode)
# NOTE(review): Cloudflare's "Full" mode connects to the origin over HTTPS, so
# a plain-HTTP origin covers Flexible only — confirm and adjust this comment.
# In Flexible mode the Cloudflare-to-origin hop is unencrypted.
#
# Option 1: Manual certificates
# http_cert = "/etc/tunnel/origin.crt"
# http_key = "/etc/tunnel/origin.key"
#
# Option 2: Automatic Origin CA (recommended - set auto_origin_ca in [cloudflare] section)
# The server will automatically generate a Cloudflare Origin CA certificate on startup.
# No manual certificate management needed!

[cloudflare]
# API token with required permissions
# Create at: https://dash.cloudflare.com/profile/api-tokens
# Required permissions:
# - Zone:DNS:Edit (for creating tunnel DNS records)
# - SSL and Certificates:Edit (only if using auto_origin_ca)
# Scope the token to only the zone(s) this server manages; the two permissions
# above are the minimum, so do not reuse an account-wide token here.
#
# Recommended: Store securely using one of:
# - 1Password: "op://Private/Cloudflare/tunnel-api-token"
# - OS Keychain: "keychain://tunnel-server/cloudflare-token"
# - Environment: "env://CLOUDFLARE_API_TOKEN"
# Avoid a literal token value: the three forms above keep it out of this file.
api_token = "env://CLOUDFLARE_API_TOKEN"

# Zone ID for the domain
# Found in the Cloudflare dashboard under your domain's Overview page
# Placeholder — replace with the real zone ID. It is an identifier, not a
# secret, but it must match the zone the api_token is scoped to.
zone_id = "your-zone-id"

# DNS target for tunnel subdomains (optional - auto-detects IP if neither is set)
# Use server_ip for VPS with static IP (creates A records):
# server_ip = "1.2.3.4"
#
# Use server_cname for platforms like Railway/Render/Fly.io (creates CNAME records):
# server_cname = "myapp.up.railway.app"
# NOTE(review): how auto-detection determines the IP is not described here —
# confirm it yields the public address Cloudflare should reach, not a private
# or container address, before relying on it.

# Automatic Origin CA certificate generation (recommended for Cloudflare Full Strict mode)
# When enabled, the server automatically:
# 1. Generates a private key and CSR
# 2. Requests a certificate from Cloudflare's Origin CA
# 3. Uses the certificate for HTTPS on the HTTP plane
# This eliminates the need to manually configure http_cert/http_key
# The certificate is valid for *.base_domain and base_domain
# NOTE(review): where the generated private key is stored and how it is
# rotated is not stated here — confirm and protect that location like `key`.
auto_origin_ca = true