EthSigner command line
This reference describes the syntax of the EthSigner Command Line Interface (CLI) options.
Specifying options
EthSigner options can be specified:
- On the command line
- As an environment variable
- In a TOML configuration file.
If you specify an option in more than one place, the order of priority is command line, environment variable, configuration file.
Environment variables
For each command line option, the equivalent environment variable is:
- Upper-case
- _ replaces -
- Has an ETHSIGNER_ prefix
For example, set --data-path using the ETHSIGNER_DATA_PATH environment variable.
You can include subcommand options as environment variables as well, for example set multikey-signer --directory using the ETHSIGNER_MULTIKEY_SIGNER_DIRECTORY environment variable.
Options
config-file
The path to the TOML configuration file.
The default is none.
--config-file=<FILE>
--config-file=/home/me/me_node/config.toml
ETHSIGNER_CONFIG_FILE=/home/me/me_node/config.toml
chain-id
Chain ID of the network to receive the signed transactions.
--chain-id=<chainId>
--chain-id=2017
ETHSIGNER_CHAIN_ID=2017
chain-id=2017
data-path
Directory in which to store temporary files.
--data-path=<PATH>
--data-path=/Users/me/my_node/data
ETHSIGNER_DATA_PATH=/Users/me/my_node/data
data-path="/Users/me/my_node/data"
downstream-http-host
Host to which received requests are forwarded. Default is localhost.
--downstream-http-host=<downstreamHttpHost>
--downstream-http-host=192.168.05.14
ETHSIGNER_DOWNSTREAM_HTTP_HOST=192.168.05.14
downstream-http-host="192.168.05.14"
downstream-http-path
Path to which received requests are forwarded. Default is /.
Might be required if connecting to a cloud-based Ethereum client such as Infura.
--downstream-http-path=<downstreamHttpPath>
--downstream-http-path=/v3/d0e63ca5bb1e4eef2284422efbc51a56
ETHSIGNER_DOWNSTREAM_HTTP_PATH=/v3/d0e63ca5bb1e4eef2284422efbc51a56
downstream-http-path="/v3/d0e63ca5bb1e4eef2284422efbc51a56"
downstream-http-port
Port to which received requests are forwarded.
--downstream-http-port=<downstreamHttpPort>
--downstream-http-port=6174
ETHSIGNER_DOWNSTREAM_HTTP_PORT=6174
downstream-http-port=6174
downstream-http-request-timeout
Timeout period (in milliseconds) for downstream requests. Default is 5000.
--downstream-http-request-timeout=<downstreamHttpRequestTimeout>
--downstream-http-request-timeout=3000
ETHSIGNER_DOWNSTREAM_HTTP_REQUEST_TIMEOUT=3000
downstream-http-request-timeout=3000
downstream-http-tls-enabled
Enable or disable TLS for server connections.
Defaults to false.
--downstream-http-tls-enabled[=<true|false>]
--downstream-http-tls-enabled
ETHSIGNER_DOWNSTREAM_HTTP_TLS_ENABLED=true
downstream-http-tls-enabled=true
downstream-http-tls-ca-auth-enabled
Allow connections to servers with trusted CAs.
Defaults to true.
--downstream-http-tls-ca-auth-enabled[=<true|false>]
--downstream-http-tls-ca-auth-enabled=false
ETHSIGNER_DOWNSTREAM_HTTP_TLS_CA_AUTH_ENABLED=false
downstream-http-tls-ca-auth-enabled=false
downstream-http-tls-keystore-file
Keystore file (in PKCS #12 format) that contains the private key and certificate presented to the server during authentication.
--downstream-http-tls-keystore-file=<keystoreFile>
--downstream-http-tls-keystore-file=/Users/me/my_node/keystore.pfx
ETHSIGNER_DOWNSTREAM_HTTP_TLS_KEYSTORE_FILE=/Users/me/my_node/keystore.pfx
downstream-http-tls-keystore-file="/Users/me/my_node/keystore.pfx"
downstream-http-tls-keystore-password-file
Password file used to decrypt the keystore.
--downstream-http-tls-keystore-password-file=<passwordFile>
--downstream-http-tls-keystore-password-file=/Users/me/my_node/password.txt
ETHSIGNER_DOWNSTREAM_HTTP_TLS_KEYSTORE_PASSWORD_FILE=/Users/me/my_node/password.txt
downstream-http-tls-keystore-password-file="/Users/me/my_node/password.txt"
downstream-http-tls-known-servers-file
File containing the hostnames, ports, and SHA256 certificate fingerprints of trusted servers.
--downstream-http-tls-known-servers-file=<serversFile>
--downstream-http-tls-known-servers-file=/Users/me/my_node/knownServers
ETHSIGNER_DOWNSTREAM_HTTP_TLS_KNOWN_SERVERS_FILE=/Users/me/my_node/knownServers
downstream-http-tls-known-servers-file="/Users/me/my_node/knownServers"
http-cors-origins
A list of domain URLs for CORS validation. You must enclose the URLs in double quotes and separate them with commas.
Listed domains can access the node using JSON-RPC. If your client interacts with EthSigner using a browser app (such as Remix or a block explorer), you must allow the client domains.
The default value is none. If you do not allow any domains, browser apps cannot interact with your EthSigner node.
Tip
For testing and development purposes, use "all" or "*" to accept requests from any domain.
We don’t recommend accepting requests from any domain for production environments.
--http-cors-origins=<httpListenHost>
--http-cors-origins="http://remix.ethereum.org","http://medomain.com"
ETHSIGNER_HTTP_CORS_ORIGINS="http://remix.ethereum.org","http://medomain.com"
http-cors-origins=["http://remix.ethereum.org","https://meotherdomain.com"]
http-listen-host
Host on which JSON-RPC HTTP listens. Default is localhost.
--http-listen-host=<httpListenHost>
--http-listen-host=10.100.111.1
ETHSIGNER_HTTP_LISTEN_HOST=10.100.111.1
http-listen-host="10.100.111.1"
http-listen-port
Port on which JSON-RPC HTTP listens. Default is 8545.
--http-listen-port=<httpListenPort>
--http-listen-port=6174
ETHSIGNER_HTTP_LISTEN_PORT=6174
http-listen-port=6174
logging
Logging verbosity levels. Options are: OFF, FATAL, WARN, INFO, DEBUG, TRACE, ALL.
Default is INFO.
-l, --logging=<LOG VERBOSITY LEVEL>
--logging=DEBUG
ETHSIGNER_LOGGING=DEBUG
logging="DEBUG"
metrics-enabled
Enables the metrics exporter. The default is false.
--metrics-enabled[=<true|false>]
ETHSIGNER_METRICS_ENABLED=true
metrics-enabled=true
metrics-category
Categories for which to track metrics. Options are HTTP, SIGNING, JVM, and PROCESS. All categories are enabled by default.
Note
There are currently no metrics available for the HTTP and SIGNING categories.
--metrics-category=<metrics-category>[,metrics-category...]...
--metrics-category=HTTP,SIGNING
ETHSIGNER_METRICS_CATEGORY=HTTP,SIGNING
metrics-category=["HTTP","SIGNING"]
metrics-host
The host on which Prometheus accesses EthSigner metrics. The default is 127.0.0.1.
--metrics-host=<HOST>
--metrics-host=127.0.0.1
ETHSIGNER_METRICS_HOST=127.0.0.1
metrics-host="127.0.0.1"
metrics-host-allowlist
A comma-separated list of hostnames to allow access to the EthSigner metrics. By default, EthSigner accepts access from localhost and 127.0.0.1.
Tip
To allow all hostnames, use "*". We don’t recommend allowing all hostnames for production environments.
--metrics-host-allowlist=<hostname>[,<hostname>...]... or "*"
--metrics-host-allowlist=medomain.com,meotherdomain.com
ETHSIGNER_METRICS_HOST_ALLOWLIST=medomain.com,meotherdomain.com
metrics-host-allowlist=["medomain.com", "meotherdomain.com"]
metrics-port
The port (TCP) on which Prometheus accesses EthSigner metrics. The default is 8546.
--metrics-port=<PORT>
--metrics-port=6174
ETHSIGNER_METRICS_PORT=6174
metrics-port=6174
tls-allow-any-client
Allows any client to connect.
Important
Cannot be used with --tls-allow-ca-clients and --tls-known-clients-file.
--tls-allow-any-client
ETHSIGNER_TLS_ALLOW_ANY_CLIENT=true
tls-allow-any-client=true
tls-allow-ca-clients
Allows clients signed with trusted CA certificates to connect.
--tls-allow-ca-clients
ETHSIGNER_TLS_ALLOW_CA_CLIENTS=true
tls-allow-ca-clients=true
tls-keystore-file
PKCS #12 formatted keystore. Used to enable TLS for client connections.
--tls-keystore-file=<keystoreFile>
--tls-keystore-file=/Users/me/my_node/certificate.pfx
ETHSIGNER_TLS_KEYSTORE_FILE=/Users/me/my_node/certificate.pfx
tls-keystore-file="/Users/me/my_node/certificate.pfx"
tls-keystore-password-file
Password file used to decrypt the keystore.
--tls-keystore-password-file=<passwordFile>
--tls-keystore-password-file=/Users/me/my_node/password.txt
ETHSIGNER_TLS_KEYSTORE_PASSWORD_FILE=/Users/me/my_node/password.txt
tls-keystore-password-file="/Users/me/my_node/password.txt"
tls-known-clients-file
File containing the SHA-256 fingerprints of authorized clients.
--tls-known-clients-file=<clientsFile>
--tls-known-clients-file=/Users/me/my_node/knownClients
ETHSIGNER_TLS_KNOWN_CLIENTS_FILE=/Users/me/my_node/knownClients
tls-known-clients-file="/Users/me/my_node/knownClients"
help
Displays the help and exits.
-h, --help
version
Displays the version and exits.
-V, --version