Advanced Configuration

SSL/TLS Certificate

HUMAN Callout Enforcer spawns gRPC server to listen for incoming messages from Envoy. gRPC server uses HTTP/2 protocol, it is required to have a SSL/TLS certificate to be present on Docker container.
By default perimeterx/px-callout-enforcer Docker image has a self-signed certificate located in /etc/cert folder.
We advice to generate your own certificate (ideally signed by CA) and mount certificate files to /etc/cert/ files.
Two certificate files are required:

• PEM EC private key (named server.key)
• PEM certificate (named server.crt)

To mount certificate files to /etc/cert folder, the following docker run parameters could be used:

docker run \
 ...
--mount type=bind,source="$(pwd)"/server.key,target=/etc/cert/server.key,readonly \
--mount type=bind,source="$(pwd)"/server.crt,target=/etc/cert/server.crt,readonly \
...
perimeterx/px-callout-enforcer:latest

Logging

By default all logs are printed to stdout.
TBD

Debugging

Enforcer debug logging could be enabled by enabling px_debug:

"px_debug": true

TBD