User Site

User-site configuration lets you attach overrides to a subset of destinations for one user.

Each site block says what should match, whether site-level metrics should be emitted, and which per-site overrides should apply once it matches.

id

required, type: metric node name

Each site must have an ID. If site metrics are enabled, this ID is used in the metric name.

alias: name

exact_match

optional, type: host | seq

Exact domain or target IP address to match in the user request.

Both a single host value and a sequence of hosts are accepted.

Note

the value should be different within all sites config of the current user.

suffix_match

optional, type: domain | seq, alias: child_match

Parent domain to match. Any child domain under it also matches.

Both a single domain value and a sequence of domains are accepted.

Note

the value should be different within all sites config of the current user.

Changed in version renamed: to suffix_match since version 1.13.3

subnet_match

optional, type: ip network str | seq

Network to match when the user request target is an IP address.

Both a single network value and a sequence of networks are accepted.

Note

the value should be different within all sites config of the current user.

emit_stats

optional, type: bool

Controls whether site-level metrics are emitted for this site.

See user site metrics for the definition of metrics.

default: false, alias: emit_metrics

duration_stats

optional, type: histogram metrics

Histogram-metric configuration for site-level duration statistics.

default: set with default value, alias: duration_metrics

Added in version 1.7.32.

resolve_strategy

optional, type: resolve strategy

Custom resolve strategy at the user-site level. It overrides the user-level strategy, but must still remain within the limits allowed by the escaper. Not all escapers support this, see the documentation for each escaper for more info.

default: no custom resolve strategy is set

Added in version 1.7.10.

tls_client

optional, type: tls client

TLS client configuration used for the upstream-side handshake during TLS interception.

This will overwrite:

  • auditor tls_interception_client <conf_auditor_tls_interception_client> if tls interception is enabled

  • http_proxy server tls_client <conf_server_http_proxy_tls_client> if https forward is enabled

default: not set

Added in version 1.9.0.

Example:

- id: office-sites
  exact_match:
    - www.example.com
    - 203.0.113.10
  suffix_match: example.net
  subnet_match:
    - 192.0.2.0/24
    - 2001:db8::/32
  emit_metrics: true
  resolve_strategy: ipv4_only
  http_rsp_header_recv_timeout: 8s

http_rsp_header_recv_timeout

optional, type: humanize duration

Custom HTTP response-header receive timeout for this site.

This will set and overwrite:

default: not set

Added in version 1.9.0.