Extensible Service Proxy startup options

The Extensible Service Proxy (ESP) is an NGINX-based proxy that enables Cloud Endpoints to provide API management features. You configure ESP by specifying options when you start the ESP Docker container. When the ESP container starts, it runs a script called start_esp, which writes the NGINX configuration file by using the options that you specified and launches ESP.

You specify ESP startup options in the docker run command, for example:

sudo docker run \
    --detach \
    gcr.io/endpoints-release/endpoints-runtime:1 \
    --service=SERVICE_NAME \
    --rollout_strategy=managed \

If you are deploying ESP to Kubernetes, you specify the startup options in your deployment manifest file in the args field, for example:

- name: esp
  image: gcr.io/endpoints-release/endpoints-runtime:1
  args: [

The following table describes ESP's startup options.

Short option Long option Description
-s SERVICE_NAME --service SERVICE_NAME Sets the name of the Endpoints service.

Available in ESP version 1.7.0 and later. Specify either managed or fixed. The --rollout_strategy=managed option configures ESP to use the latest deployed service configuration. When you specify this option, up to 5 minutes after you deploy a new service configuration, ESP detects the change and automatically begins using it. We recommend that you specify this option instead of a specific configuration ID for ESP to use. You don't need to specify the --version option when you set --rollout_strategy to managed.

-v CONFIG_ID --version CONFIG_ID Sets the service configuration ID to be used by ESP. See Getting the service name and configuration ID for the information you need to set this option. When you specify --rollout_strategy=fixed or when you don't include the --rollout_strategy option, you must include the --version option and specify a configuration ID. In this case, every time you deploy a new Endpoints configuration, you must restart ESP with the new configuration ID.
-p HTTP1_PORT --http_port HTTP1_PORT Sets the ports that ESP exposes for HTTP/1.x connections.1
-P HTTP2_PORT --http2_port HTTP2_PORT Sets the ports that ESP exposes for HTTP/2 connections.1
-S SSL_PORT --ssl_port SSL_PORT Sets the ports that ESP exposes for HTTPS connections.1
-a BACKEND --backend BACKEND Sets the address for the HTTP/1.x application backend server. The default value for the backend address is
You can specify a protocol prefix, for example:
If you don't specify a protocol prefix, the default is http.
If your backend server is running on Compute Engine in a container, you can specify the container name and the port, for example:
To specify that the backend accepts gRPC traffic, add the prefix grpc://. For example;
If your backend server is running on Compute Engine in a container, and it accepts gRPC traffic, you can specify the container name and the port, for example:
-N STATUS_PORT --status_port STATUS_PORT Sets the status port (default: 8090).
none --disable_cloud_trace_auto_sampling By default, ESP samples 1 request out of every 1000 or 1 request out of every 10 seconds is enabled with Cloud Trace. Set this flag to disable such auto sampling. Cloud Trace can still be enabled from request HTTP headers with trace context regardless of this flag value. See Tracing your API for more information.
-n NGINX_CONFIG --nginx_config NGINX_CONFIG Sets the location for the custom NGINX configuration file. If you specify this option, ESP fetches the specified configuration file and then immediately launches NGINX with the provided custom configuration file. See Using a custom nginx config for GKE for more information.
-k SERVICE_ACCOUNT_KEY --service_account_key SERVICE_ACCOUNT_KEY Sets the service account credentials JSON file. If provided, ESP uses the service account to generate an access token to call Service Infrastructure APIs. The only time you need to specify this option is when ESP is running on platforms other than Google Cloud, such as your local desktop, Kubernetes, or another cloud provider. See Creating a service account for more information.
-z HEALTHZ_PATH --healthz HEALTHZ_PATH Define a health checking endpoint on the same ports as the application backend. For example, -z healthz makes ESP return code 200 for location /healthz, instead of forwarding the request to the backend. Default: not used.
none --dns DNS_RESOLVER Specify a dns resolver. For example, --dns uses the GCP Metadata server as the DNS resolver. If not specified, default is

1 These ports are optional and must be distinct from each other. If you don't specify any port option, ESP accepts HTTP/1.x connections on port 8080. For HTTPS connections, ESP expects the TLS secrets to be located at /etc/nginx/ssl/nginx.crt and /etc/nginx/ssl/nginx.key.

Sample command-line invocations

The following examples show how to use some of the command-line arguments:

To start ESP to handle requests coming in at HTTP/1.x port 80 and HTTPS port 443 and send the requests to your API backend at

sudo docker run \
    --detach \
     --service=echo-api.endpoints.example-project-12345.cloud.goog \
        --rollout_strategy=managed \
        --http_port=80 \
        --ssl_port=443 \

To start ESP with a custom NGINX configuration by using the service account credentials file to fetch the service config and connect to the service control:

sudo docker run \
    --detach \
    --volume=$HOME/Downloads:/esp \
    gcr.io/endpoints-release/endpoints-runtime:1 \
    --service=echo-api.endpoints.example-project-12345.cloud.goog \
    --rollout_strategy=managed \
    --service_account_key=/esp/serviceaccount.json \

Note that you must use the Docker flags --volume or --mount to mount the JSON file containing the private key for the service account and the custom NGINX config file as volumes inside ESP's Docker container. The preceding example maps the $HOME/Downloads directory on the local computer to the esp directory in the container. When you save the private key file for the service account, it is typically downloaded to the Downloads directory. You can copy the private key file to another directory if you want to. See Manage data in Docker for more information.

Adding CORS support to ESP

Please refer to Support CORS for a description of available CORS support options. This section describes using ESP startup flags to support CORS.

To enable CORS support in ESP, include the --cors_preset option and set it to either basic or cors_with_regex. When you include --cors_preset=basic or --cors_preset=cors_with_regex, ESP:

  • Assumes all location paths have the same CORS policy.
  • Responds to both simple requests and preflight HTTP OPTIONS requests.
  • Caches the result of the preflight OPTIONS request for up to 20 days (1728000 seconds).
  • Sets the response headers to the following values:

    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization
    Access-Control-Expose-Headers: Content-Length,Content-Range

To override the default value of Access-Control-Allow-Origin, specify one of the following options:

Option Description
--cors_allow_origin Use with --cors_preset=basic to set Access-Control-Allow-Origin to a specific origin.
--cors_allow_origin_regex Use with --cors_preset=cors_with_regex. Allows you to use a regular expression to set Access-Control-Allow-Origin.

The regular expression in the preceding example allows an origin with either http or https and any subdomain of example.com.

After setting --cors_preset=basic or --cors_preset=cors_with_regex to enable CORS, you can override the default values of the other response headers by specifying one or more of the following options:

Option Description
--cors_allow_methods Sets Access-Control-Allow-Methods to the specified HTTP methods. Specify the HTTP methods as a string with each HTTP method separated by a comma.
--cors_allow_headers Sets Access-Control-Allow-Headers to the specified HTTP headers. Specify the HTTP headers as a string with each HTTP header separated by a comma.
--cors_allow_credentials Includes the Access-Control-Allow-Credentials header with the value true in responses. By default, the Access-Control-Allow-Credentials header isn't included in responses.
--cors_expose_headers Sets Access-Control-Expose-Headers to the specified headers. Specify which headers can be exposed as part of the response as a string with each header separated by a comma.

If the ESP CORS startup options don't suit the needs of your application, you can create a custom nginx.conf file with the CORS support that your application requires. For more information, see Creating a custom nginx.conf to support CORS.

What's next

Learn about: