Environment Variables Reference

This is the complete reference for all environment variables you can configure on a Broch server deployment.
Core Configuration

Required — The application will not start without these.

| Variable | Description | Default | Secret |
|---|---|---|---|
| ASPNETCORE_ENVIRONMENT | ASP.NET Core environment name | Production | No |
| ASPNETCORE_URLS | HTTP listener binding (TLS terminated at ingress) | http://+:8080 | No |
| BROCH_LICENSE | License key issued by Broch | — | Yes |
| Broch__AdminEmail | Administrator email address | — | No |
| API__WILDCARDHOSTNAME | Wildcard hostname for tunnel subdomains (e.g., tunnels.company.com) | — | No |
Database

Required — The application will not start without a database connection.

| Variable | Description | Default | Secret |
|---|---|---|---|
| DATABASE__PROVIDER | Database provider (only PostgreSQL is supported) | PostgreSQL | No |
| ConnectionStrings__DefaultConnection | PostgreSQL connection string | — | Yes |

Example: Host=localhost;Database=broch;Username=postgres;Password=secret
Authentication

Required — The application will not start without authentication configuration.

| Variable | Description | Default | Secret |
|---|---|---|---|
| AUTHENTICATION__PROVIDER | Identity provider type: AzureAd, EntraExternalId, Auth0, Okta | — | No |
| AUTHENTICATION__CLIENTID | OAuth client ID from your IdP | — | No |
| AUTHENTICATION__CLIENTSECRET | OAuth client secret from your IdP | — | Yes |
| AUTHENTICATION__ADMINROLES | Comma-separated role names that grant admin access | — | No |
Provider-Specific Variables

Azure Entra ID:

| Variable | Description | Default |
|---|---|---|
| AUTHENTICATION__TENANTID | Azure tenant ID | — |
| AUTHENTICATION__INSTANCE | Azure login endpoint | https://login.microsoftonline.com/ |

Auth0:

| Variable | Description | Default |
|---|---|---|
| AUTHENTICATION__DOMAIN | Auth0 domain (e.g., contoso.auth0.com) | — |
| AUTHENTICATION__AUDIENCE | OAuth audience identifier | Falls back to Client ID |
| AUTHENTICATION__SCOPES | OAuth scopes (e.g., openid,profile,email) | — |

Okta:

| Variable | Description | Default |
|---|---|---|
| AUTHENTICATION__DOMAIN | Okta organization domain (e.g., contoso.okta.com) | — |
| AUTHENTICATION__AUDIENCE | OAuth audience identifier | Falls back to Client ID |
| AUTHENTICATION__SCOPES | OAuth scopes (e.g., openid,profile,email) | — |
API & Networking

| Variable | Description | Default | Required |
|---|---|---|---|
| API__URLSEPARATOR | Separator between tunnel name and hostname: . (dot) or - (hyphen) | . | No |
| SSH__PORT | SSH server port for tunnel connections | 2222 | No |
| SSH__HOSTKEYPATH | Directory path for SSH host keys | /app/ssh_keys | No |
Licensing & Central Server

| Variable | Description | Default | Required |
|---|---|---|---|
| CENTRALSERVER__ENABLELICENSEVALIDATION | Enable license validation against central server | true | No |
| CENTRALSERVER__VALIDATIONTIMEOUTSECONDS | Timeout for license validation requests (seconds) | 10 | No |
| BROCH_LICENSE_FILE | Path to pre-generated license file (air-gapped mode) | — | Conditional |
| BROCH_LICENSE_PUBLIC_KEY_FILE | Path to RSA public key PEM file (air-gapped mode) | — | Conditional |

Air-gapped mode: If your deployment cannot reach Broch’s central server, provide BROCH_LICENSE_FILE and BROCH_LICENSE_PUBLIC_KEY_FILE to validate licenses locally. Contact Broch for the public key.
Telemetry (Optional)

Application Performance Monitoring (APM) and distributed tracing.

| Variable | Description | Default | Required |
|---|---|---|---|
| BROCHTELEMETRY__PROVIDER | Telemetry provider: (empty = disabled), ApplicationInsights, DataDog | — (disabled) | No |
| BROCHTELEMETRY__APPLICATIONINSIGHTSCONNECTIONSTRING | Application Insights connection string | — | Conditional |
| OTEL_SERVICE_NAME | OpenTelemetry service name for tracing | broch-api | No |
Logging (Optional)

Structured log routing to external services.

| Variable | Description | Default | Required |
|---|---|---|---|
| BROCHLOGGING__PROVIDER | Logging provider: (empty = console only), DataDog, Seq | — (console only) | No |
| BROCHLOGGING__MINIMUMLEVEL | Minimum log level: Verbose, Debug, Information, Warning, Error, Fatal | Information | No |
| BROCHLOGGING__ENABLECONSOLELOGGING | Enable console logging alongside external provider | false | No |

DataDog Logging

| Variable | Description | Default |
|---|---|---|
| BROCHLOGGING__DATADOG__APIKEY | DataDog API key | — |
| BROCHLOGGING__DATADOG__SERVICENAME | DataDog service name tag | broch-server |
| BROCHLOGGING__DATADOG__ENVIRONMENT | DataDog environment tag | production |
| BROCHLOGGING__DATADOG__SITE | DataDog site: datadoghq.com (US) or datadoghq.eu (EU) | datadoghq.com |

Seq Logging

| Variable | Description | Default |
|---|---|---|
| BROCHLOGGING__SEQ__SERVERURL | Seq server URL | http://localhost:5341 |
Health Check Endpoints

Use these endpoints to monitor server health and readiness in your deployment:

| Endpoint | Purpose | Returns |
|---|---|---|
| GET /healthz | Liveness probe — is the process running? | Always 200 if running |
| GET /health/ready | Readiness probe — is the server ready to accept traffic? | 200 when auth + license are valid, 503 otherwise |
| GET /api/configuration | Client version policy (for CLI/app version compatibility) | JSON with version requirements |

Use /health/ready for load balancer health checks. The server delays accepting traffic until authentication configuration has loaded from the central server.
Common Configuration Examples

Minimal Docker Compose (Embedded Database)

```ini
ASPNETCORE_ENVIRONMENT=Production
ASPNETCORE_URLS=http://+:8080
BROCH_LICENSE=<your-license-key>
API__WILDCARDHOSTNAME=tunnels.company.com
DATABASE__PROVIDER=PostgreSQL
ConnectionStrings__DefaultConnection=Host=postgres;Database=broch;Username=postgres;Password=<secure-password>
AUTHENTICATION__PROVIDER=AzureAd
AUTHENTICATION__CLIENTID=<your-client-id>
AUTHENTICATION__CLIENTSECRET=<your-client-secret>
AUTHENTICATION__TENANTID=<your-tenant-id>
AUTHENTICATION__INSTANCE=https://login.microsoftonline.com/
AUTHENTICATION__ADMINROLES=Admin
```

Production with Logging & Monitoring

```ini
# Core
ASPNETCORE_ENVIRONMENT=Production
ASPNETCORE_URLS=http://+:8080
BROCH_LICENSE=<your-license-key>
API__WILDCARDHOSTNAME=tunnels.company.com

# Database (Managed)
DATABASE__PROVIDER=PostgreSQL
ConnectionStrings__DefaultConnection=postgres://user:pass@rds-endpoint:5432/broch

# Auth
AUTHENTICATION__PROVIDER=Okta
AUTHENTICATION__DOMAIN=company.okta.com
AUTHENTICATION__CLIENTID=<your-client-id>
AUTHENTICATION__CLIENTSECRET=<your-client-secret>
AUTHENTICATION__ADMINROLES=broch_admin

# Logging
BROCHLOGGING__PROVIDER=DataDog
BROCHLOGGING__DATADOG__APIKEY=<your-api-key>
BROCHLOGGING__DATADOG__SERVICENAME=broch-prod
BROCHLOGGING__DATADOG__ENVIRONMENT=production

# Telemetry
BROCHTELEMETRY__PROVIDER=DataDog
```

Secrets Management

Never commit secrets (license keys, client secrets, connection strings, API keys) to version control. Use your platform’s secure secret storage:
- Docker: Docker secrets or environment files excluded from git
- Kubernetes: Kubernetes secrets
- Azure: Azure Key Vault
- AWS: AWS Secrets Manager
- DigitalOcean: App Platform encrypted environment variables
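An added example, not Broch's own tooling, that lints a Broch env file before it is committed or deployed: it encodes the Required, Conditional and Secret columns of the tables above, so it reports missing required variables, the extra variable each identity provider needs, a lone air-gapped variable, and any Secret-marked variable holding a literal value instead of a placeholder. The sample env file is constructed for the example; the ${NAME} secret-store placeholder convention is an assumption, not something the page specifies.

```python
import re
# Variables the page marks as required for every deployment.
REQUIRED = ["ASPNETCORE_URLS", "BROCH_LICENSE", "Broch__AdminEmail", "API__WILDCARDHOSTNAME",
            "ConnectionStrings__DefaultConnection", "AUTHENTICATION__PROVIDER",
            "AUTHENTICATION__CLIENTID", "AUTHENTICATION__CLIENTSECRET", "AUTHENTICATION__ADMINROLES"]
# Per-provider extras from the provider tables; the page lists none for EntraExternalId.
PROVIDER_REQUIRED = {"AzureAd": ["AUTHENTICATION__TENANTID"], "EntraExternalId": [],
                     "Auth0": ["AUTHENTICATION__DOMAIN"], "Okta": ["AUTHENTICATION__DOMAIN"]}
# Variables the page marks Secret: a literal value in a committed env file is a finding.
SECRETS = ["BROCH_LICENSE", "ConnectionStrings__DefaultConnection", "AUTHENTICATION__CLIENTSECRET",
           "BROCHLOGGING__DATADOG__APIKEY", "BROCHTELEMETRY__APPLICATIONINSIGHTSCONNECTIONSTRING"]
PLACEHOLDER = re.compile(r"^(<[^<>]+>|\$\{[^}]+\})$")  # <your-key> as on the page, or ${NAME} (assumed)

def parse_env(text):
    # KEY=VALUE lines into a dict; blanks and # comments are skipped, later keys override earlier.
    lines = (l.strip() for l in text.splitlines())
    return dict(l.partition("=")[::2] for l in lines if l and not l.startswith("#") and "=" in l)

def has_literal_secret(key, value):
    if key == "ConnectionStrings__DefaultConnection":
        # Both forms the page shows: 'Password=...' in a key/value string or 'user:pass@' in a URL.
        m = re.search(r"Password=([^;]*)|://[^:/@]+:([^@]*)@", value, re.I)
        return bool(m) and not PLACEHOLDER.match(m.group(1) if m.group(1) is not None else m.group(2))
    return not PLACEHOLDER.match(value)

def check_env(text):
    # Findings for a Broch env file; an empty list means every check passed.
    env = parse_env(text)
    findings = [f"missing required variable {v}" for v in REQUIRED if not env.get(v)]
    provider = env.get("AUTHENTICATION__PROVIDER", "")
    findings += [f"{provider} requires {v}" for v in PROVIDER_REQUIRED.get(provider, []) if not env.get(v)]
    if bool(env.get("BROCH_LICENSE_FILE")) != bool(env.get("BROCH_LICENSE_PUBLIC_KEY_FILE")):
        findings.append("air-gapped mode needs both BROCH_LICENSE_FILE and BROCH_LICENSE_PUBLIC_KEY_FILE")
    findings += [f"literal secret value for {k}; load it from a secret store instead"
                 for k in SECRETS if env.get(k) and has_literal_secret(k, env[k])]
    return findings

# Constructed sample (not from the page): AzureAd without a tenant, one air-gapped file, literal DB password.
SAMPLE_ENV = """
ASPNETCORE_URLS=http://+:8080
BROCH_LICENSE=<your-license-key>
Broch__AdminEmail=admin@example.com
API__WILDCARDHOSTNAME=tunnels.example.com
ConnectionStrings__DefaultConnection=postgres://user:pass@db:5432/broch
AUTHENTICATION__PROVIDER=AzureAd
AUTHENTICATION__CLIENTID=<your-client-id>
AUTHENTICATION__CLIENTSECRET=<your-client-secret>
AUTHENTICATION__ADMINROLES=Admin
BROCH_LICENSE_FILE=/etc/broch/license.dat
"""
```

Running check_env(SAMPLE_ENV) yields three findings (missing tenant ID, unpaired air-gapped variable, literal database password); a clean file returns an empty list.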
Questions?

Contact Broch at [email protected] for configuration questions or deployment guidance.
Copyright (c) 2026 Broch. All rights reserved.