Documentation

Management interface configuration for HTTP/HTTPS API access and web UI

management

The management clause configures the built‑in management interface. Its primary purpose is to expose operational and configuration management capabilities (e.g. status, statistics, backends, policies) over an HTTP or HTTPS endpoint protected by static user credentials.

Keep the management interface restricted (bind to 127.0.0.1 or a dedicated administrative network segment, and use TLS in production).

Please use the radiator web templating to generate a proper management clause for your needs. The example below is mainly for educational purposes or emergency uses as it has clear text passwords.

Example

management {
    http {
        listen {
            protocol tls;
            port 9443;
            ip 127.0.0.1;
        }

        credentials {
            user "admin" {
                password "StrongChangeMe!";
                privilege write;
            }
            user "monitor" {
                password "ReadOnly123";
                privilege read;
            }
        }

        tls {
            certificate "MGMT_CERT";
            certificate_key "MGMT_KEY";
        }
    }
}

Blocks

BlockPurpose
http { ... }Enables and configures the management HTTP(S) service.
listen { ... }Network binding (protocol, port, IP).
credentials { ... }Static credential store with one or more user blocks.
user "NAME" { ... }Defines a management account.
tls { ... }HTTPS certificate/key references (only if protocol tls).

Listener Configuration

DirectiveValuesDescription
protocoltcp, tlsUse tls for encrypted management.
portInteger (1–65535)Default examples use 9443 (unprivileged HTTPS).
ipIPv4 / IPv6 addressBind address. Use 127.0.0.1 for local-only.

For dual-stack support, declare separate listeners if needed (if the runtime requires explicit IPv6 binding).

Credentials

Each user requires:

  • password – Plain text in config (plan a secrets strategy; do not commit production secrets to VCS).
  • privilegeread grants read-only access; write grants mutating operations (e.g. reloading, altering configs where supported).

TLS

To serve HTTPS:

  1. Define certificate/key in the global certificates clause.
  2. Reference them inside the tls block (certificate, certificate_key).
  3. Switch listen.protocol to tls.

Privilege Model (High-Level)

PrivilegeCapabilities (indicative)
readView status, statistics, health info.
writeAll read capabilities plus configuration or runtime modification endpoints (where implemented).

If an endpoint requires higher privilege than provided, the request should be rejected.