Engine — engine.conf

The engine reads /etc/enforcegate/engine.conf. The default file ships with these sections:

/etc/enforcegate/engine.conf (defaults)
[connectors.local]
net = "tcp"
ip = "127.0.0.1"
key = "pleasechangethiskey"          # (1)!

[captive_portal]
secret_file = "/etc/enforcegate-shared/captive-portal-secret"
base_url    = "https://localhost"    # (2)!

[control]
ip = "0.0.0.0"                       # (3)!

[license]
serial   = "EGDEV-BEEF-BABE-COFE"    # (4)!
username = "exosys-dev"
password = "thispasswordsuckhard"

diagnostic_file = "/var/lib/enforcegate/apm-last-error.json"
  1. Replaced with a random 32-character key by the generate-engine-key boot one-shot on first boot. The same value is written to squid-connector.conf so the pair is always in sync. To pin a specific key (e.g. for an HA pair sharing a control-plane secret), bind-mount this file: -v /path/to/engine.conf:/etc/enforcegate/engine.conf:ro.
  2. Public URL at which clients reach the captive portal. Override in .env with ENFORCEGATE_CAPTIVE_BASE_URL; the matching ENFORCEGATE_* environment variable takes precedence over the persisted conf at every boot.
  3. The Control API listener (port 11225) binds to 0.0.0.0 inside the container so the captive-portal sidecar can reach it over the compose network. The shipped docker-compose.yml does not publish 11225 to the host. Override with ENGINE_CONTROL_API_IP=127.0.0.1 for deployments without a portal sidecar.
  4. Dev-tier credentials baked into the image so the IR smoke flow boots without operator action. Not valid for production: override every field for test/prod tiers via .env's ENGINE_LICENSE_SERIAL / _USERNAME / _PASSWORD.

For the complete configuration-attribute schema (every TOML key, default, and type), see the engine reference.

Adding connectors

Each connector that the engine accepts must be declared as a sub-table of [connectors]. The shipped default has one local connector. Adding a remote connector:

[connectors.remote]
net = "tcp"
ip  = "172.16.1.1"
key = "abcdef1234567890"

The ip parameter is the source IP the connector establishes the session from. The key is a shared authentication secret that must match the corresponding entry in the connector's own squid-connector.conf (case-sensitive, up to 128 characters; longer keys are truncated). See Squid connector configuration for the connector side of the pairing.

Captive portal, TLS terminator, and SSL inspection

The captive portal and the TLS terminator are configured via environment variables forwarded from the bundle's .env to the sidecar containers — see bundles/standalone/.env.example for the complete list. The SSL inspection mode is a single env var with significant operational consequences; it has its own dedicated page: SSL inspection.