
Configuration

After installation, EnforceGate vX is configured at two layers: per-component runtime configuration (engine + connector + sidecars) and operator-defined policies that drive what the engine actually permits, denies, warns, or escalates.

  • Engine — engine.conf defaults, license credentials, connector declarations, captive portal and SSL inspection knobs.
  • Squid connector — squid-connector.conf defaults and the remote-engine deployment shape.
  • Policies — define the rules the engine enforces (permit / deny / warn / AUP) using eghost policy ... or by editing .policy files directly.
  • Policy rollback — snapshots, retention, and how to revert a bad rule reload.
  • Policy audit and history — optional per-commit audit trail and per-rule blame for policy edits.

Where defaults live

The standalone image carries its complete /etc/enforcegate/ default tree under /opt/enforcegate/skel/. On every container boot the seed-defaults boot one-shot copies any missing files from skel into the enforcegate-config volume (file-level no-clobber) and section-merges any new config sections that don't yet exist in the live file (per-section no-clobber).

This means:

  • The first boot creates a fully-populated /etc/enforcegate/ from skel.
  • Subsequent boots leave operator-modified files alone.
  • Image upgrades that add a new default file or a new config section apply on the next boot without clobbering operator overrides.
  • Image upgrades that change a value inside an existing populated section do not propagate. Use the .env override path for runtime-tunable engine.conf keys.
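The following is an added example, not EnforceGate's own seed-defaults code: a small re-implementation of the two no-clobber rules described above (file-level for missing files, per-section for existing ones), with a constructed first-boot / operator-edit / image-upgrade walk-through. It assumes INI-style files with [section] headers; the section and key names in the sample contents (engine, log_level, captive_portal, enabled) are constructed for illustration, and only the [connectors.<name>] pattern follows the documented layout.

```python
"""Added example (not EnforceGate's own seed-defaults code): a no-clobber seeding
of a skel tree into a live config directory, reproducing the two rules the docs
describe, file-level no-clobber and per-section no-clobber.  Assumes INI-style
files with [section] headers; key names in the samples are constructed."""
import os
import re
import tempfile

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def split_sections(text):
    """Split INI-style text into an ordered list of (section_name, raw_lines).
    Anything before the first [header] is returned under the name None."""
    sections, name, lines = [], None, []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((name, lines))
            name, lines = m.group(1), [line]
        else:
            lines.append(line)
    sections.append((name, lines))
    return sections


def merge_sections(live_text, skel_text):
    """Per-section no-clobber: append sections that exist in skel but not in live.
    A section already present in live is left byte-for-byte unchanged, so a changed
    default inside it never propagates (exactly the caveat the docs give)."""
    live = split_sections(live_text)
    present = {name for name, _ in live if name is not None}
    out = [line for _, lines in live for line in lines]
    added = []
    for name, lines in split_sections(skel_text):
        if name is None or name in present:
            continue
        if out and out[-1].strip():
            out.append("")  # blank line between sections
        out.extend(lines)
        added.append(name)
    return "\n".join(out) + "\n", added


def seed_defaults(skel_dir, live_dir):
    """File-level no-clobber copy for missing files; section merge for existing ones.
    Returns a report of what was copied and which sections were appended where."""
    report = {"copied": [], "merged": {}}
    for root, _, files in os.walk(skel_dir):
        for fn in files:
            src = os.path.join(root, fn)
            rel = os.path.relpath(src, skel_dir)
            dst = os.path.join(live_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            with open(src) as f:
                skel_text = f.read()
            if not os.path.exists(dst):
                with open(dst, "w") as f:
                    f.write(skel_text)
                report["copied"].append(rel)
                continue
            with open(dst) as f:
                live_text = f.read()
            merged, added = merge_sections(live_text, skel_text)
            if added:
                with open(dst, "w") as f:
                    f.write(merged)
                report["merged"][rel] = added
    return report


def demo():
    """Constructed walk-through: first boot, operator edit, image upgrade, second boot.
    Returns (first_report, second_report, final_engine_conf_text)."""
    with tempfile.TemporaryDirectory() as tmp:
        skel, live = os.path.join(tmp, "skel"), os.path.join(tmp, "live")
        os.makedirs(skel)
        os.makedirs(live)
        path = os.path.join(skel, "engine.conf")
        with open(path, "w") as f:  # image v1 defaults (constructed sample)
            f.write("[engine]\nlog_level = info\n\n[connectors.proxy1]\nkey = CHANGEME\n")
        first = seed_defaults(skel, live)
        with open(os.path.join(live, "engine.conf"), "w") as f:  # operator overrides
            f.write("[engine]\nlog_level = debug\n\n[connectors.proxy1]\nkey = OPERATORSETKEY\n")
        with open(path, "w") as f:  # image v2: changed a default AND added a section
            f.write("[engine]\nlog_level = warn\n\n[connectors.proxy1]\nkey = CHANGEME\n\n"
                    "[captive_portal]\nenabled = false\n")
        second = seed_defaults(skel, live)
        with open(os.path.join(live, "engine.conf")) as f:
            return first, second, f.read()
```

Running demo() shows the asymmetry the list above warns about: the new [captive_portal] section from the upgraded image is appended, but the changed log_level default stays at the operator's value, which is why a changed default in an existing section has to go through the .env override path instead.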

See persistence for the full skel-copy model.

Peer authentication

The engine and the connector mutually authenticate every session using a shared key. The authentication key must match exactly (case-sensitive) in both locations:

  • The engine's [connectors.<name>].key in engine.conf (see Engine).
  • The connector's [engine.<name>].key in squid-connector.conf (see Squid connector).

Any discrepancy prevents authentication. The standalone image's first-boot generate-engine-key one-shot writes the same random 32-character key to both files, so for the default deployment shape no operator action is required.

Peer authentication is mandatory

EnforceGate vX enforces mutual peer authentication between the engine and the connectors. The key attribute is mandatory and must be explicitly configured on both sides. The engine does not error if a connector's key is omitted from engine.conf — the absence silently prevents the connector from establishing a session. Always confirm the key is present on both sides.

Configuration file permissions

Ensure that configuration files are not readable by unauthorised users. By default they are readable only by the root user and members of the enforcegate group. Enforce filesystem permissions of 0640 or stricter and verify that no world permissions are granted.
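As an added pre-flight check covering both the peer-authentication section and the file-permission rule above (example code, not EnforceGate's own tooling), the script below confirms that the key is present in [connectors.<name>] of engine.conf and in [engine.<name>] of squid-connector.conf, that the two values match exactly and case-sensitively, and that neither file grants permission bits beyond 0640. It assumes INI-style files with unquoted key values; the function names and every sample key are constructed for the example.

```python
"""Added example (not EnforceGate's own tooling): a pre-flight check that the
shared peer key is present on both sides and identical, and that config files
carry no permission bits beyond 0640.  Assumes INI-style files with the
[connectors.<name>] / [engine.<name>] sections the docs describe and an unquoted
key value; all sample keys below are constructed."""
import configparser
import os
import stat
import tempfile


def load_ini(path):
    """Parse one config file without value interpolation, keeping option case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    with open(path) as f:
        cp.read_file(f)
    return cp


def check_peer_keys(engine_conf, connector_conf, name):
    """Return findings (empty list = OK) for the engine/connector pair `name`.
    The comparison is case-sensitive and exact, as the docs require."""
    findings = []
    eng_sec, con_sec = f"connectors.{name}", f"engine.{name}"
    eng_key = load_ini(engine_conf).get(eng_sec, "key", fallback=None)
    con_key = load_ini(connector_conf).get(con_sec, "key", fallback=None)
    if not eng_key or not eng_key.strip():
        # The engine does not report this; the connector just never gets a session.
        findings.append(f"{engine_conf}: no key in [{eng_sec}]")
    if not con_key or not con_key.strip():
        findings.append(f"{connector_conf}: no key in [{con_sec}]")
    if eng_key and con_key and eng_key != con_key:
        findings.append(f"key mismatch for peer {name} between engine.conf and squid-connector.conf")
    return findings


def check_mode(path, max_mode=0o640):
    """Flag any permission bit on `path` that `max_mode` does not grant
    (0640 or stricter passes; group-write or any world bit fails)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    extra = mode & ~max_mode
    if extra:
        return [f"{path}: mode {mode:04o} grants bits beyond {max_mode:04o}"]
    return []


def demo():
    """Constructed scenarios in a temp dir; returns findings per scenario."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        eng = os.path.join(tmp, "engine.conf")
        con = os.path.join(tmp, "squid-connector.conf")

        def write(path, text, mode):
            with open(path, "w") as f:
                f.write(text)
            os.chmod(path, mode)

        def run():
            return check_peer_keys(eng, con, "proxy1") + check_mode(eng) + check_mode(con)

        # 1. identical 32-char keys, strict modes -> clean
        write(eng, "[connectors.proxy1]\nkey = A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6\n", 0o640)
        write(con, "[engine.proxy1]\nkey = A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6\n", 0o600)
        results["ok"] = run()
        # 2. keys differ only in case, connector file world-readable -> two findings
        write(eng, "[connectors.proxy1]\nkey = A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6\n", 0o640)
        write(con, "[engine.proxy1]\nkey = a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6\n", 0o644)
        results["case_and_mode"] = run()
        # 3. engine side omits the key entirely -> the silent failure is caught here
        write(eng, "[connectors.proxy1]\n# key intentionally omitted\n", 0o640)
        write(con, "[engine.proxy1]\nkey = A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6\n", 0o640)
        results["omitted"] = run()
    return results
```

Pointing check_peer_keys and check_mode at the live /etc/enforcegate/engine.conf and squid-connector.conf (with the connector name from your own [connectors.<name>] section) gives an explicit failure for the omitted-key case that the engine itself never logs, and for the case-only mismatch that is easy to miss by eye.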