CLI & Environment Reference
Overview
SecBeat uses environment variables for runtime configuration. There are no command-line flags.
Mitigation Node
Basic Usage

```bash
# Run with default config detection
./mitigation-node

# Run with specific config
SECBEAT_CONFIG=config.prod ./mitigation-node
```

Environment Variables
| Variable | Description | Default |
|---|---|---|
| `SECBEAT_CONFIG` | Config file name (without `.toml` extension) | Auto-detect |
| `MITIGATION_CONFIG` | Legacy config name (fallback) | `DEPLOYMENT_ENV` detection |
| `DEPLOYMENT_ENV` | Environment (`production` or `development`) | Auto-detect |
| `RUST_LOG` | Log level filter | `info` |
| `SYN_COOKIE_SECRET` | Secret for SYN cookie generation | Required in production |
| `MANAGEMENT_API_KEY` | API authentication key | Required in production |
| `SECBEAT_AUTO_GENERATE_CERTS` | Auto-generate TLS certs (dev only) | `false` |
| `SECBEAT_HOSTNAME` | Hostname for generated certs | `localhost` |
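
The table marks `SYN_COOKIE_SECRET` and `MANAGEMENT_API_KEY` as required in production and certificate auto-generation as dev only. The pre-flight check below is an added example, not part of SecBeat; the function names, the 64-hex-character secret format and the 32-character minimum key length are assumptions.

```shell
#!/bin/sh
# Added example (not SecBeat code): pre-flight check before a production start.
# Assumed policy: 64 hex chars for the SYN cookie secret, API key >= 32 chars.

# Placeholder values from this page's examples; never valid in production.
PLACEHOLDERS="your-secret your-api-key your-32-byte-hex-secret"

is_placeholder() {
    for p in $PLACEHOLDERS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

fail() { echo "FAIL: $1" >&2; failures=$((failures + 1)); }

secbeat_preflight() {
    failures=0
    # Both secrets are documented as "Required in production".
    for name in SYN_COOKIE_SECRET MANAGEMENT_API_KEY; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            fail "$name is not set"
        elif is_placeholder "$value"; then
            fail "$name still holds a documentation placeholder"
        fi
    done
    # Assumed format: 32 random bytes, hex-encoded.
    if [ -n "${SYN_COOKIE_SECRET:-}" ] &&
       ! printf '%s' "$SYN_COOKIE_SECRET" | grep -Eq '^[0-9a-fA-F]{64}$'; then
        fail "SYN_COOKIE_SECRET is not 64 hex characters"
    fi
    # Assumed minimum length for the management API key.
    if [ -n "${MANAGEMENT_API_KEY:-}" ] && [ "${#MANAGEMENT_API_KEY}" -lt 32 ]; then
        fail "MANAGEMENT_API_KEY is shorter than 32 characters"
    fi
    # Certificate auto-generation is documented as dev only.
    if [ "${SECBEAT_AUTO_GENERATE_CERTS:-false}" = "true" ]; then
        fail "SECBEAT_AUTO_GENERATE_CERTS=true in a production environment"
    fi
    return "$failures"   # 0 means every check passed
}

# Runs the check only when invoked as: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then secbeat_preflight; exit $?; fi
```

The check reports only which rule failed and never prints the secret values themselves.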
Configuration File Resolution
The mitigation node searches for config files in this order:

1. `{SECBEAT_CONFIG}.toml` (root directory)
2. `mitigation-node/config/{SECBEAT_CONFIG}.toml`
3. `mitigation-node/config/default.toml` (final fallback)
Operation Modes
Set via `[platform].mode` or `[mitigation].operation_mode` in config:

| Mode | Description | Requirements |
|---|---|---|
| `tcp` | Basic TCP proxy | None |
| `syn` | SYN flood protection | Linux, `CAP_NET_RAW` |
| `l7` | Full HTTP/TLS/WAF | None |
| `auto` | Auto-detect from features | None |
Examples
```bash
# Development
SECBEAT_CONFIG=config.dev RUST_LOG=debug ./mitigation-node

# Production
SECBEAT_CONFIG=config.prod \
  SYN_COOKIE_SECRET=$(cat /etc/secbeat/secrets/syn-cookie) \
  MANAGEMENT_API_KEY=$(cat /etc/secbeat/secrets/api-key) \
  RUST_LOG=info \
  ./mitigation-node

# Docker
docker run -d \
  -e SECBEAT_CONFIG=config.prod \
  -e SYN_COOKIE_SECRET=your-secret \
  -e RUST_LOG=info \
  secbeat/mitigation-node:latest
```

Orchestrator

Basic Usage

```bash
./orchestrator-node
```

Configuration

The orchestrator currently uses hardcoded defaults. Configuration via environment variables or files is planned for a future release.
| Setting | Default Value |
|---|---|
| API bind address | 127.0.0.1:3030 |
| Metrics address | 127.0.0.1:9091 |
| NATS URL | nats://127.0.0.1:4222 |
| Heartbeat timeout | 30 seconds |
| Min fleet size | 1 |
| Scale up CPU threshold | 80% |
| Scale down CPU threshold | 30% |
Environment Variables
| Variable | Description |
|---|---|
| `RUST_LOG` | Log level filter |

:::caution Work in Progress
The orchestrator is under active development. External configuration support will be added in a future release.
:::
Logging Configuration
RUST_LOG Syntax

```bash
# Global level
RUST_LOG=debug

# Module-specific
RUST_LOG=mitigation_node=debug,hyper=warn

# Trace specific components
RUST_LOG=mitigation_node::syn_proxy=trace,mitigation_node::waf=debug
```

Log Levels

| Level | Description |
|---|---|
| `error` | Critical errors only |
| `warn` | Warnings and errors |
| `info` | Standard operational logs |
| `debug` | Detailed debugging info |
| `trace` | Very verbose tracing |
Systemd Service
Service File

```ini
[Unit]
Description=SecBeat Mitigation Node
After=network.target nats.service

[Service]
Type=simple
User=secbeat
Group=secbeat
WorkingDirectory=/opt/secbeat
ExecStart=/usr/local/bin/mitigation-node

# Environment
Environment="SECBEAT_CONFIG=config.prod"
Environment="RUST_LOG=info"
EnvironmentFile=/etc/secbeat/secrets.env

# Security
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths=/var/log/secbeat

Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
```

Secrets File
Create `/etc/secbeat/secrets.env`:

```bash
SYN_COOKIE_SECRET=your-32-byte-hex-secret
MANAGEMENT_API_KEY=your-api-key
ORCHESTRATOR_API_KEY=your-orchestrator-key
```

Service Management
```bash
# Start service
sudo systemctl start secbeat-mitigation

# Enable on boot
sudo systemctl enable secbeat-mitigation

# Check status
sudo systemctl status secbeat-mitigation

# View logs
sudo journalctl -u secbeat-mitigation -f
```

Docker Commands
Build Image

```bash
docker build -t secbeat/mitigation-node:latest .
```

Run Container

```bash
docker run -d \
  --name secbeat \
  -p 8443:8443 \
  -p 9090:9090 \
  -p 9191:9191 \
  -p 9999:9999 \
  -v /path/to/config.prod.toml:/app/config.prod.toml:ro \
  -v /path/to/certs:/app/certs:ro \
  -e SECBEAT_CONFIG=config.prod \
  -e RUST_LOG=info \
  -e SYN_COOKIE_SECRET=your-secret \
  secbeat/mitigation-node:latest
```

Docker Compose

```bash
# Start all services
docker-compose up -d

# View logs
docker-compose logs -f mitigation-node

# Stop services
docker-compose down
```

Troubleshooting
Check Listening Ports

```bash
sudo lsof -i :8443
sudo netstat -tlnp | grep mitigation-node
```

Verify Capabilities

```bash
# Check capabilities
getcap /usr/local/bin/mitigation-node

# Set capabilities for SYN proxy
sudo setcap cap_net_raw,cap_net_admin+ep /usr/local/bin/mitigation-node
```

Test Endpoints

```bash
# Health check
curl http://localhost:9999/api/v1/status

# Metrics
curl http://localhost:9191/metrics

# HTTPS proxy
curl -k https://localhost:8443/
```

Debug Logging

```bash
# Maximum verbosity
RUST_LOG=trace SECBEAT_CONFIG=config.dev ./mitigation-node 2>&1 | tee debug.log
```

Next Steps
- Configuration Reference - TOML configuration options
- API Reference - REST API endpoints
- Quick Start - Getting started guide