# Configuration Reference
Conductor configuration is managed through three layers: the node configuration file, environment variables, and NATS KV buckets for runtime settings.
## Node Configuration File

Path: `/witfoo/configs/node.json`

This file is generated by the `wfa configure` wizard and contains the primary node configuration. It is mounted read-only into all containers at `/configs/node.json`.

### Key Fields
| Field | Type | Description |
|---|---|---|
| node_role | integer | Node role (12 = Conductor) |
| node_hostname | string | System hostname |
| node_ip | string | Primary IP address |
| appliance_id | UUID | Unique appliance identifier |
| org_id | string | Organization identifier (DNS-valid, lowercase) |
| org_name | string | Organization display name |
| broker_client_port | integer | NATS client port (default: 4223) |
| broker_leaf_port | integer | NATS leaf/cluster port (default: 4443) |
| broker_max_data_mb | integer | Maximum NATS data size (default: 1024 MB) |
| local_metrics | boolean | Enable local Prometheus/Grafana stack |
| export_metrics | boolean | Enable metrics export to Grafana Cloud |
| offline_mode | boolean | Disable external network access |
| auto_update | boolean | Enable automatic WFA package updates |
| registry_fqdn | string | Container image registry hostname |
| registry_namespace | string | Container image registry namespace |
| branch | string | Image tag/branch to pull |
| license | string | WitFoo license key |
| console_fqdn | string | WitFoo Console hostname (optional) |
| ca_path | string | Custom CA certificate path |
| cert_path | string | Custom server certificate path |
| key_path | string | Custom server key path |
| client_cert_path | string | Custom client certificate path |
| client_key_path | string | Custom client key path |
> **Warning:** The `node.json` file is written with permissions 0600 and contains sensitive information including the license key and broker credentials. Do not share this file or commit it to version control.
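Because every container reads `node.json`, it is worth auditing the file before (or after) a deployment: confirm the 0600 mode and sanity-check the fields in the table above. The script below is an added example, not part of the WitFoo documentation or of the `wfa` tool; the set of required fields, the single-label form assumed for a DNS-valid `org_id`, the cross-check between `offline_mode` and `export_metrics`, and the sample configuration are all assumptions made for illustration.

```python
import json, os, re, stat, tempfile

CONDUCTOR_ROLE = 12  # node_role value that marks a Conductor node
# Assumed form of a DNS-valid, lowercase org_id: one RFC 1123 label, 1-63 chars
ORG_ID_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
REQUIRED = {"node_role": int, "node_hostname": str, "node_ip": str,
            "appliance_id": str, "org_id": str, "license": str}

def validate_node_config(cfg):
    """Return a list of problems in a parsed node.json (empty list means OK)."""
    problems = []
    for name, typ in REQUIRED.items():
        if name not in cfg:
            problems.append(f"missing field: {name}")
        elif isinstance(cfg[name], bool) or not isinstance(cfg[name], typ):
            problems.append(f"{name}: expected {typ.__name__}")
    if cfg.get("node_role") != CONDUCTOR_ROLE:
        problems.append(f"node_role: expected {CONDUCTOR_ROLE} (Conductor)")
    if isinstance(cfg.get("org_id"), str) and not ORG_ID_RE.match(cfg["org_id"]):
        problems.append("org_id: must be a DNS-valid lowercase label")
    for key in ("broker_client_port", "broker_leaf_port"):
        port = cfg.get(key)
        if port is not None and not (isinstance(port, int) and 0 < port < 65536):
            problems.append(f"{key}: not a valid TCP port")
    if cfg.get("offline_mode") and cfg.get("export_metrics"):
        problems.append("export_metrics is enabled although offline_mode is set")
    return problems

def audit(path=None):
    """Check permissions and contents of the file named by WF_NODE_CONFIG_FILE."""
    path = path or os.environ.get("WF_NODE_CONFIG_FILE", "/configs/node.json")
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other bit is too open
        problems.append(f"{path}: mode {mode:04o}, expected 0600")
    with open(path) as fh:
        problems.extend(validate_node_config(json.load(fh)))
    return problems

# Constructed sample, not a real deployment; appliance_id and license are placeholders.
SAMPLE = {"node_role": 12, "node_hostname": "cond-01", "node_ip": "10.0.0.5",
          "appliance_id": "00000000-0000-0000-0000-000000000000", "org_id": "acme",
          "broker_client_port": 4223, "broker_leaf_port": 4443, "license": "PLACEHOLDER"}

def write_sample(mode=0o600, cfg=SAMPLE):
    # Write cfg to a temp file with the given permission bits and return its path
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh)
    os.chmod(path, mode)
    return path
```

Run `audit()` inside a container (where `WF_NODE_CONFIG_FILE` is set) or `audit("/witfoo/configs/node.json")` on the host; an empty list means the file passed every check.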
## Environment Variables

Each container receives configuration via environment variables set by WFA:

| Variable | Description |
|---|---|
| WF_NODE_CONFIG_FILE | Path to node.json inside the container (`/configs/node.json`) |
| NATS_URL | NATS broker connection URL (`nats://broker-edge:4223`) |
| SECRET_KEY | Session cookie encryption key (conductor-ui only) |
| PORT | HTTP listen port (conductor-ui, default: 8000) |
| REVERSE_PROXY_MODE | Enable reverse proxy headers (conductor-ui) |
| DISABLE_TLS | Disable TLS on the UI server (TLS is then handled by the reverse proxy) |
## NATS KV Bucket Configuration

Runtime configuration for pipeline services is stored in NATS JetStream KV buckets. These are the primary mechanism for dynamic configuration changes without container restarts.

| Bucket | Service | Content |
|---|---|---|
| SERVERS | signal-server | Listener enable/disable, masquerading options |
| INTEGRATIONS | signal-client | API credentials, polling intervals, enable/disable |
| PARSERS | signal-parser | Per-parser enable/disable state |
| FILTERS | artifact-filter | Deduplication settings, predicate rules, STIX config |
| EXPORTERS | artifact-exporter | Destination URLs, credentials, batch settings |
## Network Configuration

### Ports
| Port | Service | Protocol | Direction |
|---|---|---|---|
| 443 | conductor-ui | HTTPS | Inbound (management) |
| 514 | signal-server | TCP/UDP | Inbound (syslog) |
| 4223 | broker-edge | NATS | Internal |
| 4443 | broker-edge | NATS | Inbound (leaf/cluster) |
| 5044–5045 | signal-server | TCP | Inbound (Beats) |
| 6514 | signal-server | TCP+TLS | Inbound (secure syslog) |
| 7514 | signal-server | HTTP | Inbound (HTTP ingestion) |
| 8223 | broker-edge | HTTP | Internal (monitoring) |
### TLS Certificates

Certificates are stored in `/witfoo/certs/` and mounted into all containers at `/certs/`:

| File | Purpose |
|---|---|
| ca.crt | Customer CA certificate (if provided) |
| witfoo_ca.crt | WitFoo embedded CA |
| ca-bundle.crt | Combined CA bundle (auto-generated) |
| server.crt / server.key | Server certificate and key |
| client.crt / client.key | Client certificate and key |