Cordon is configured via a cordon.yaml file in your project directory. The cordon setup command generates a starter config, or you can create one manually.

Minimal example

listen: "127.0.0.1:6790"

tls:
  enabled: true
  ca_cert_path: "./ca-cert.pem"
  ca_key_path: "./ca-key.pem"

routes:
  - name: stripe
    match:
      host: api.stripe.com
    auth:
      type: bearer
      secret:
        source: 1password
        vault: Engineering
        item: Stripe API Key
        field: secret_key

Top-level fields

| Field | Type | Required | Description |
|---|---|---|---|
| listen | string | Yes | Bind address. Must be 127.0.0.1:<port>. Non-loopback addresses are rejected. |
| tls | object | No | TLS interception settings. Required for HTTPS routes. |
| routes | array | Yes | List of route definitions. At least one route is required. |
| services | array | No | TCP service definitions (requires pg feature flag). |

TLS settings

| Field | Type | Required | Description |
|---|---|---|---|
| tls.enabled | boolean | Yes | Enable HTTPS interception via TLS MITM. |
| tls.ca_cert_path | string | Yes | Path to the CA certificate file. Created by cordon setup. |
| tls.ca_key_path | string | Yes | Path to the CA private key file. Created by cordon setup. |

When TLS is enabled, cordon performs MITM on HTTPS connections for matched routes. It generates per-host certificates signed by the local CA. See TLS for details.
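
A pre-flight lint for the constraints documented in the field tables above, as an added example that is not part of cordon. The names `lint_cordon_config` and `SAMPLE` and the finding messages are hypothetical, the config is passed in already parsed, and the CA key permission check is an extra hardening assumption (POSIX file modes), not documented cordon behaviour.

```python
import os
import stat

# Constructed sample: the page's minimal config as a parsed mapping
# (load the real cordon.yaml with a YAML parser of your choice).
SAMPLE = {
    "listen": "127.0.0.1:6790",
    "tls": {"enabled": True, "ca_cert_path": "./ca-cert.pem",
            "ca_key_path": "./ca-key.pem"},
    "routes": [{"name": "stripe", "match": {"host": "api.stripe.com"}}],
}

def lint_cordon_config(cfg, base_dir="."):
    """Return a list of findings for a parsed cordon.yaml (hypothetical helper)."""
    findings = []
    # listen: documented as 127.0.0.1:<port>; non-loopback addresses are rejected.
    # The 1-65535 port range is this lint's own assumption.
    host, _, port = str(cfg.get("listen", "")).rpartition(":")
    port_ok = port.isascii() and port.isdigit() and 0 < int(port) < 65536
    if host != "127.0.0.1" or not port_ok:
        findings.append("listen: must be 127.0.0.1:<port>")
    # routes: documented as required, with at least one entry.
    if not cfg.get("routes"):
        findings.append("routes: at least one route is required")
    # tls: optional block, but its three fields are required when it is present.
    tls = cfg.get("tls")
    if isinstance(tls, dict):
        for key in ("enabled", "ca_cert_path", "ca_key_path"):
            if key not in tls:
                findings.append(f"tls.{key}: required field is missing")
        # Added hardening check (assumption, not cordon behaviour): the local CA
        # key signs the per-host certificates, so only its owner should read it.
        key_path = tls.get("ca_key_path")
        if key_path:
            full = os.path.join(base_dir, key_path)
            if os.path.isfile(full) and stat.S_IMODE(os.stat(full).st_mode) & 0o077:
                findings.append("tls.ca_key_path: key file is accessible to group/other")
    return findings

if __name__ == "__main__":
    for finding in lint_cordon_config(SAMPLE) or ["no findings"]:
        print(finding)
```
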

Full example

listen: "127.0.0.1:6790"

tls:
  enabled: true
  ca_cert_path: "./ca-cert.pem"
  ca_key_path: "./ca-key.pem"

routes:
  - name: stripe
    match:
      host: api.stripe.com
    auth:
      type: bearer
      secret:
        source: 1password
        vault: Engineering
        item: Stripe API Key
        field: secret_key

  - name: openai
    match:
      host: api.openai.com
    auth:
      type: bearer
      secret:
        source: 1password
        vault: Engineering
        item: OpenAI API Key
        field: credential

  - name: custom-service
    match:
      host: api.example.com
    auth:
      type: api_key
      header_name: X-Api-Key
      secret:
        source: keyring
        service: cordon
        account: example-api-key

Config file location

By default, cordon looks for cordon.yaml in the current directory. Override this with the --config flag:
cordon start --config /path/to/cordon.yaml
cordon.yaml typically contains project-specific secret references and should be gitignored. The repo can include a cordon.yaml.example as a reference for contributors.