Proxy
Properties
Enables the admin servlets (/ping, /version, /healthcheck, /threaddump) on this process. Resolved from CLI → ADMIN_ENABLED env var → <role>.admin.enabled config (default false).
Listen port for this process's admin servlets. -1 means "fall back to ADMIN_PORT env var, then <role>.admin.port config (Proxy default 8092, Agent default 8093)".
Filesystem path to the TLS certificate chain (PEM). Must be paired with privateKeyFilePath; supplying one without the other is rejected by validateTlsConfig. Empty disables TLS on this side and exposes plaintext gRPC. See also isTlsEnabled.
Enables the /debug admin servlet on this process — exposes recent activity / scrape-request introspection. Distinct from DEBUG (the servlet path constant). Resolved from CLI → DEBUG_ENABLED env var → <role>.admin.debugEnabled config (default false).
Dynamic HOCON property overrides accepted as -Dkey=value (multiple -D flags allowed). Each pair is merged into the resolved config with highest precedence over the loaded config file, and any surrounding double-quotes on the value are stripped. Useful for one-off overrides that don't have a dedicated flag.
gRPC handshake timeout for the Proxy server, in seconds. -1L means "use the gRPC default (120s)".
gRPC keepalive ping timeout, in seconds — how long this side waits for a keepalive ack before considering the connection dead. -1L means "fall back to KEEPALIVE_TIMEOUT_SECS env var, then <role>.grpc.keepAliveTimeoutSecs config; -1L after resolution leaves the gRPC default in place".
gRPC keepalive ping interval, in seconds — how often this side sends a keepalive ping on an idle channel. -1L means "fall back to KEEPALIVE_TIME_SECS env var, then <role>.grpc.keepAliveTimeSecs config; -1L after resolution leaves the gRPC default in place".
Logback log level for this process: one of all, trace, debug, info, warn, error, off. Empty falls back to the role-specific env var (io.prometheus.common.EnvVars.PROXY_LOG_LEVEL or io.prometheus.common.EnvVars.AGENT_LOG_LEVEL) and then <role>.logLevel config; if still empty, the level configured in logback.xml is used.
Grace period, in seconds, after maxConnectionAgeSecs is reached before the Proxy forcibly closes the connection. Allows in-flight RPCs to complete cleanly. -1L means "use the gRPC default (INT_MAX)".
gRPC server MAX_CONNECTION_AGE in seconds — connections older than this are gracefully closed, forcing reconnect (useful for load-balancer rebalancing). -1L means "use the gRPC default (INT_MAX, effectively no age limit)".
gRPC server MAX_CONNECTION_IDLE in seconds — connections idle longer than this are closed. -1L means "use the gRPC default (INT_MAX, effectively no idle timeout)".
Enables this process's Prometheus metrics endpoint. Resolved from CLI → METRICS_ENABLED env var → <role>.metrics.enabled config (default false).
Listen port for this process's Prometheus metrics endpoint. -1 means "fall back to METRICS_PORT env var, then <role>.metrics.port config (Proxy default 8082, Agent default 8083)".
Minimum interval, in seconds, that the Proxy will accept gRPC keepalive pings from agents. Pings arriving more frequently than this are treated as a protocol violation by gRPC. -1L means "use the gRPC default (300s)".
If true, the Proxy permits gRPC keepalive pings from agents even when no RPCs are in-flight. Pair with permitKeepAliveTimeSecs to control the minimum allowed ping interval.
Filesystem path to the TLS private key (PEM) matching certChainFilePath. Must be paired with the cert file; supplying one without the other is rejected by validateTlsConfig. Empty disables TLS on this side.
TCP port the Proxy listens on for incoming gRPC connections from agents. -1 means "fall back to AGENT_PORT env var, then proxy.agent.port from config (default 50051)".
TCP port the Proxy serves proxied scrape requests on (the port Prometheus connects to). -1 means "fall back to PROXY_PORT env var, then proxy.http.port from config (default 8080)".
Disables the gRPC server reflection service on the Proxy.
Enables the Prometheus HTTP service-discovery endpoint on the Proxy. When true, the Proxy serves a discovery document listing currently registered agent paths at sdPath. Resolved from CLI → SD_ENABLED env var → proxy.service.discovery.enabled config.
Base URL used to build per-target entries in the service-discovery document (e.g. http://proxy.example.com:8080/). Required and validated to be non-empty when sdEnabled is true.
Disables the gRPC transport filter that records remote-peer information per call. Set when running behind an L7 reverse proxy (e.g. nginx) that already strips this information.
Filesystem path to the trust-store certificate collection (PEM) used to validate the peer's certificate. Required for mTLS; for one-way TLS the JDK default trust store is used when this is empty.