Synadia Protect

Setting up a standalone gateway

Prerequisites

Install the following tools:

  • protect - the Synadia Protect binary (server + CLI + UI)
  • nats - the NATS CLI for testing and managing NATS contexts
  • nats-server - a local NATS server to use as the backend (optional, recommended). An existing NATS server such as demo.nats.io can also be used; the setup and commands would need to include whatever authentication that server requires.

For simplicity, the examples use backend NATS servers without authentication unless the example specifically demonstrates an authentication-related feature.

The backend

The gateway proxies connections to a NATS server. The gateway refers to these servers as a backend. This guide uses demo.nats.io — a public NATS server run by the nats-io organization.

To use a local server instead, create a backend.conf:

listen: 127.0.0.1:14222

Start it with nats-server -c backend.conf and use nats://127.0.0.1:14222 as the backend URL in the setup below.

Generating the configuration

The protect setup command generates a starter configuration file along with the necessary security keys. It takes a target directory as an argument:

$ protect setup my_gateway

The command prompts for client/leafnode ports, backend URLs, monitoring, management API, and audit settings. For this guide, accept all the defaults except:

Prompt                        Value
name                          my_gateway
backend urls                  nats://demo.nats.io:4222 (or your own backend URL; the port is required, e.g. nats://localhost:14222)
configure leafnode port       No
configure TLS (all prompts)   No
data_dir                      data
log_file_dir                  logs
client_trace_dir              traces

After the setup completes, the target directory will contain:

my_gateway/
├── config.yaml       # gateway configuration
├── admin.nk          # NKey for admin API access
├── system.nk         # NKey for system access
└── bundle-signer.nk  # NKey for signing rule bundles

The generated configuration

The generated configuration sets up:

  • a single client port proxying to one backend
  • Prometheus metrics
  • the admin access credentials and port
  • basic audit logging to a file

The Configuration Reference covers additional options including:

  • multiple ports (client and leafnode, or multiples of the same kind)
  • TLS on any port, backend, monitoring, or management connection
  • connection limits per port
  • per-subject traffic tracking in Prometheus
  • multiple audit processors that output to files, stdout, or NATS in text, JSON, or CEF format
  • per-port rule direction and unmatched action overrides

Generated files

The NKey files are used for authentication: admin.nk for protect admin commands, system.nk for system access, and bundle-signer.nk for signing rule bundles.
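One way to check the generated key files after setup, as an added example that is not part of the Synadia documentation. It assumes the .nk files hold private key material that only the account running protect needs to read; check_keys and harden_keys are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit the NKey files that `protect setup` writes into
# the target directory (admin.nk, system.nk, bundle-signer.nk).
# Assumption: each .nk file holds private key material, so group and
# other users should have no access to it.
# Usage: check_keys my_gateway || harden_keys my_gateway

KEY_FILES="admin.nk system.nk bundle-signer.nk"

# check_keys DIR: prints one finding per line and returns the number
# of findings (0 means all three files exist and are owner-only).
check_keys() {
    dir=$1
    findings=0
    for name in $KEY_FILES; do
        path="$dir/$name"
        if [ -L "$path" ]; then
            # A symlink could point the gateway at a key stored elsewhere.
            echo "SYMLINK  $path"
            findings=$((findings + 1))
        elif [ ! -f "$path" ]; then
            echo "MISSING  $path"
            findings=$((findings + 1))
        else
            # Characters 5-10 of the ls mode string are the group and
            # other permission bits; all six must be "-".
            bits=$(ls -ld "$path" | cut -c5-10)
            if [ "$bits" != "------" ]; then
                echo "EXPOSED  $path (group/other: $bits)"
                findings=$((findings + 1))
            fi
        fi
    done
    return "$findings"
}

# harden_keys DIR: restrict each existing, non-symlink key file to its owner.
harden_keys() {
    dir=$1
    for name in $KEY_FILES; do
        [ -f "$dir/$name" ] && [ ! -L "$dir/$name" ] && chmod 600 "$dir/$name"
    done
    return 0
}
```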
