EthSigner command line¶
This reference describes the syntax of the EthSigner Command Line Interface (CLI) options.
Specifying options¶
EthSigner options can be specified:
- On the command line
- As an environment variable
- In a TOML configuration file.
If you specify an option in more than one place, the order of priority is command line, environment variable, configuration file.
Environment variables¶
For each command line option, the equivalent environment variable is:
- Upper-case
_
replaces-
- Has an
ETHSIGNER_
prefix
For example, set --data-path
using the ETHSIGNER_DATA_PATH
environment variable.
You can include subcommand options as environment variables as well, for example set multikey-signer --directory
using the ETHSIGNER_MULTIKEY_SIGNER_DIRECTORY
environment variable.
Options¶
config-file¶
The path to the TOML configuration file. The default is none
.
--config-file=<FILE>
--config-file=/home/me/me_node/config.toml
ETHSIGNER_CONFIG_FILE=/home/me/me_node/config.toml
chain-id
¶
Chain ID of the network to receive the signed transactions.
--chain-id=<chainId>
--chain-id=2017
ETHSIGNER_CHAIN_ID=2017
chain-id=2017
data-path
¶
Directory in which to store temporary files.
--data-path=<PATH>
--data-path=/Users/me/my_node/data
ETHSIGNER_DATA_PATH=/Users/me/my_node/data
data-path="/Users/me/my_node/data"
downstream-http-host
¶
Host to which received requests are forwarded. Default is localhost
.
--downstream-http-host=<downstreamHttpHost>
--downstream-http-host=192.168.05.14
ETHSIGNER_DOWNSTREAM_HTTP_HOST=192.168.05.14
downstream-http-host="192.168.05.14"
downstream-http-path
¶
Path to which received requests are forwarded. Default is /
.
Might be required if connecting to a cloud-based Ethereum client such as Infura.
--downstream-http-path=<downstreamHttpPath>
--downstream-http-path=/v3/d0e63ca5bb1e4eef2284422efbc51a56
ETHSIGNER_DOWNSTREAM_HTTP_PATH=/v3/d0e63ca5bb1e4eef2284422efbc51a56
downstream-http-path="/v3/d0e63ca5bb1e4eef2284422efbc51a56"
downstream-http-port
¶
Port to which received requests are forwarded.
--downstream-http-port=<downstreamHttpPort>
--downstream-http-port=6174
ETHSIGNER_DOWNSTREAM_HTTP_PORT=6174
downstream-http-port=6174
downstream-http-request-timeout
¶
Timeout period (in milliseconds) for downstream requests. Default is 5000.
--downstream-http-request-timeout=<downstreamHttpRequestTimeout>
--downstream-http-request-timeout=3000
ETHSIGNER_DOWNSTREAM_HTTP_REQUEST_TIMEOUT=3000
downstream-http-request-timeout=3000
downstream-http-tls-enabled
¶
Enable or disable TLS for server connections. Defaults to false
.
--downstream-http-tls-enabled[=<true|false>]
--downstream-http-tls-enabled
ETHSIGNER_DOWNSTREAM_HTTP_TLS_ENABLED
downstream-http-tls-enabled
downstream-http-tls-ca-auth-enabled
¶
Allow connections to servers with trusted CAs.
Defaults to true
.
--downstream-http-tls-ca-auth-enabled[=<true|false>]
--downstream-http-tls-ca-auth-enabled=false
ETHSIGNER_DOWNSTREAM_HTTP_TLS_CA_AUTH_ENABLED=false
downstream-http-tls-ca-auth-enabled=false
downstream-http-tls-keystore-file
¶
Keystore file (in PKCS #12 format) that contains the private key and certificate presented to the server during authentication.
--downstream-http-tls-keystore-file=<keystoreFile>
--downstream-http-tls-keystore-file=/Users/me/my_node/keystore.pfx
ETHSIGNER_DOWNSTREAM_HTTP_TLS_KEYSTORE_FILE=/Users/me/my_node/keystore.pfx
downstream-http-tls-keystore-file="/Users/me/my_node/keystore.pfx"
downstream-http-tls-keystore-password-file
¶
Password file used to decrypt the keystore.
--downstream-http-tls-keystore-password-file=<passwordFile>
--downstream-http-tls-keystore-password-file=/Users/me/my_node/password.txt
ETHSIGNER_DOWNSTREAM_HTTP_TLS_KEYSTORE_PASSWORD_FILE=/Users/me/my_node/password.txt
downstream-http-tls-keystore-password-file=/Users/me/my_node/password.txt
downstream-http-tls-known-servers-file
¶
File containing the hostnames, ports, and SHA256 certificate fingerprints of trusted servers.
--downstream-http-tls-known-servers-file=<serversFile>
--downstream-http-tls-known-servers-file=/Users/me/my_node/knownServers
ETHSIGNER_DOWNSTREAM_HTTP_TLS_KNOWN_SERVERS_FILE=/Users/me/my_node/knownServers
downstream-http-tls-known-servers-file="/Users/me/my_node/knownServers"
http-cors-origins
¶
A list of domain URLs for CORS validation. You must enclose the URLs in double quotes and separate them with commas.
Listed domains can access the node using JSON-RPC. If your client interacts with EthSigner using a browser app (such as Remix or a block explorer), you must allow the client domains.
The default value is none
. If you do not allow any domains, browser apps cannot interact with your EthSigner node.
Tip
For testing and development purposes, use "all"
or "*"
to accept requests from any domain. We don’t recommend accepting requests from any domain for production environments.
--http-cors-origins=<httpListenHost>
--http-cors-origins="http://remix.ethereum.org","http://medomain.com"
ETHSIGNER_HTTP_CORS_ORIGINS="http://remix.ethereum.org","http://medomain.com"
http-cors-origins=["http://remix.ethereum.org","https://meotherdomain.com"]
http-listen-host
¶
Host on which JSON-RPC HTTP listens. Default is localhost
.
--http-listen-host=<httpListenHost>
--http-listen-host=10.100.111.1
ETHSIGNER_HTTP_LISTEN_HOST=10.100.111.1
http-listen-host="10.100.111.1"
http-listen-port
¶
Port on which JSON-RPC HTTP listens. Default is 8545.
--http-listen-port=<httpListenPort>
--http-listen-port=6174
ETHSIGNER_HTTP_LISTEN_PORT=6174
http-listen-port=6174
logging
¶
Logging verbosity levels. Options are: OFF
, FATAL
, WARN
, INFO
, DEBUG
, TRACE
, ALL
. Default is INFO
.
-l, --logging=<LOG VERBOSITY LEVEL>
--logging=DEBUG
ETHSIGNER_LOGGING=DEBUG
logging="DEBUG"
metrics-enabled
¶
Enables the metrics exporter. The default is false
.
--metrics-enabled[=<true|false>]
ETHSIGNER_METRICS_ENABLED=true
metrics-enabled=true
metrics-category
¶
Categories for which to track metrics. Options are HTTP
, SIGNING
, JVM
, and PROCESS
. All categories are enabled by default.
Note
There are currently no metrics available for the HTTP
and SIGNING
categories.
--metrics-category=<metrics-category>[,metrics-category...]...
--metrics-category=HTTP,SIGNING
ETHSIGNER_METRICS_CATEGORY=HTTP,SIGNING
metrics-category=["HTTP","SIGNING"]
metrics-host
¶
The host on which Prometheus accesses EthSigner metrics. The default is 127.0.0.1
.
--metrics-host=<HOST>
--metrics-host=127.0.0.1
ETHSIGNER_METRICS_HOST=127.0.0.1
metrics-host="127.0.0.1"
metrics-host-allowlist
¶
A comma-separated list of hostnames to allow access to the EthSigner metrics. By default, EthSigner accepts access from localhost
and 127.0.0.1
.
Tip
To allow all hostnames, use “*”. We don’t recommend allowing all hostnames for production environments.
--metrics-host-allowlist=<hostname>[,<hostname>...]... or "*"
--metrics-host-allowlist=medomain.com,meotherdomain.com
ETHSIGNER_METRICS_HOST_ALLOWLIST=medomain.com,meotherdomain.com
metrics-host-allowlist=["medomain.com", "meotherdomain.com"]
metrics-port
¶
The port (TCP) on which Prometheus accesses EthSigner metrics. The default is 9546
.
--metrics-port=<PORT>
--metrics-port=6174
ETHSIGNER_METRICS_PORT=6174
metrics-port=6174
tls-allow-any-client
¶
Allows any client to connect.
Important
Cannot be used with --tls-allow-ca-clients
and --tls-known-clients-file
--tls-allow-any-client
ETHSIGNER_TLS_ALLOW_ANY_CLIENT
tls-allow-any-client
tls-allow-ca-clients
¶
Allows clients signed with trusted CA certificates to connect.
--tls-allow-ca-clients
ETHSIGNER_TLS_ALLOW_CA_CLIENTS
tls-allow-ca-clients
tls-keystore-file
¶
PKCS #12 formatted keystore. Used to enable TLS for client connections.
--tls-keystore-file=<keystoreFile>
--tls-keystore-file=/Users/me/my_node/certificate.pfx
ETHSIGNER_TLS_KEYSTORE_FILE=/Users/me/my_node/certificate.pfx
tls-keystore-file="/Users/me/my_node/certificate.pfx"
tls-keystore-password-file
¶
Password file used to decrypt the keystore.
--tls-keystore-password-file=<passwordFile>
--tls-keystore-password-file=/Users/me/my_node/password.txt
ETHSIGNER_TLS_KEYSTORE_PASSWORD_FILE=/Users/me/my_node/password.txt
tls-keystore-password-file=/Users/me/my_node/password.txt
tls-known-clients-file
¶
File containing the SHA-256 fingerprints of authorized clients.
--tls-known-clients-file=<clientsFile>
--tls-known-clients-file=/Users/me/my_node/knownClients
ETHSIGNER_TLS_KNOWN_CLIENTS_FILE=/Users/me/my_node/knownClients
tls-known-clients-file="/Users/me/my_node/knownClients"
help
¶
Displays the help and exits.
-h, --help
version
¶
Displays the version and exits.
-V, --version