management

The management clause configures the built‑in management interface. Its primary purpose is to expose operational and configuration management capabilities (e.g. status, statistics, backends, policies) over an HTTP or HTTPS endpoint protected by static user credentials.

Keep the management interface restricted (bind to 127.0.0.1 or a dedicated administrative network segment, and use TLS in production).

Please use the radiator web templating to generate a proper management clause for your needs. The example below is mainly for educational purposes or emergency uses as it has clear text passwords.

Example

management {
    http {
        listen {
            protocol tls;
            port 9443;
            ip 127.0.0.1;
        }

        credentials {
            user "admin" {
                password "StrongChangeMe!";
                privilege write;
            }
            user "monitor" {
                password "ReadOnly123";
                privilege read;
            }
        }

        tls {
            certificate "MGMT_CERT";
            certificate_key "MGMT_KEY";
        }
    }
}

Blocks

Block	Purpose
`http { ... }`	Enables and configures the management HTTP(S) service.
`listen { ... }`	Network binding (protocol, port, IP).
`credentials { ... }`	Static credential store with one or more `user` blocks.
`user "NAME" { ... }`	Defines a management account.
`tls { ... }`	HTTPS certificate/key references (only if `protocol tls`).

Listener Configuration

Directive	Values	Description
`protocol`	`tcp`, `tls`	Use `tls` for encrypted management.
`port`	Integer (1–65535)	Default examples use 9443 (unprivileged HTTPS).
`ip`	IPv4 / IPv6 address	Bind address. Use `127.0.0.1` for local-only.

For dual-stack support, declare separate listeners if needed (if the runtime requires explicit IPv6 binding).

Credentials

Each user requires:

password – Plain text in config (plan a secrets strategy; do not commit production secrets to VCS).
privilege – read grants read-only access; write grants mutating operations (e.g. reloading, altering configs where supported).

TLS

To serve HTTPS:

Define certificate/key in the global certificates clause.
Reference them inside the tls block (certificate, certificate_key).
Switch listen.protocol to tls.

Privilege Model (High-Level)

Privilege	Capabilities (indicative)
`read`	View status, statistics, health info.
`write`	All read capabilities plus configuration or runtime modification endpoints (where implemented).

If an endpoint requires higher privilege than provided, the request should be rejected.