#====================================================================================================================== # vim: softtabstop=2 shiftwidth=2 expandtab fenc=utf-8 spell spelllang=en cc=120 #====================================================================================================================== # # FILE: rportd.example.config # # DESCRIPTION: Configuration file for the rport server # # BUGS: https://github.com/cloudradar-monitoring/rport/issues # # HELP: https://github.com/cloudradar-monitoring/rport/blob/master/README.md # # COPYRIGHT: (c) 2020 by the CloudRadar Team, # # LICENSE: MIT # ORGANIZATION: cloudradar GmbH, Potsdam, Germany (cloudradar.io) # CREATED: 10/10/2020 #====================================================================================================================== [server] ## Defines the IP address and port the HTTP server listens on. ## This is where the rport clients connect to. ## Defaults: "0.0.0.0:8080" address = "0.0.0.0:__CLIENT_PORT__" ## Optionally defines full client connect URL(s). ## Defaults to http://{address} ## This setting is only used to return via an API call where rportd is listening for client connections. ## The pairing script generates a ready-to-use client configuration based on this {url}. ## Also useful, if you run the rportd behind a reverse proxy or a port forwarding ## and the external URL differs from the internal address and port. ## Accepts a single string like 'url = "http://rport.example.com"' ## or a list like 'url = ["http://rport.example.com", "http://192.168.1.1:8000"] url = "http://__DOMAIN__:__CLIENT_PORT__" ## Optionally defines the hostname or IP address used to generate links pointing to running tunnels. ## By default, all links are relative to the URL of the API or UI. ## If you run the API/UI behind a reverse proxy that is incapable of forwarding raw TCP/UDP packets, ## you can specify a separated tunnel_host to access tunnels, bypassing the reverse proxy. #tunnel_host = "tunnels.rport.example.com" ## Optionally defines a custom pairing service URL. ## Defaults to https://pairing.rport.io ## To run your own pairing service refer to https://github.com/cloudradar-monitoring/rport-pairing ## Accepts a single string like #pairing_url = "https://pairing.example.com" ## An optional string to seed the generation of a ECDSA public and private key pair. ## Highly recommended. Not using it is a big security risk. ## Use "openssl rand -hex 18" to generate a secure key seed. key_seed = "__KEY_SEED__" ## An optional string representing a single client auth credentials, in the form of :. ## This is equivalent to creating an {auth_file} with '{"":""}'. ## Use either {auth_file}/{auth_table} or {auth}. Not both. ## If multiple auth options are enabled, rportd exits with an error. #auth = "clientAuth1:1234" ## An optional path to a json file with client credentials. ## This is for authentication of the rport tunnel clients. ## The file should contain a map with clients credentials defined like: ## { ## "": "", ## "": "" ## } ## Use either {auth_file}/{auth_table} or {auth}. Not both. ## If multiple auth options are enabled, rportd exits with an error. #auth_file = "/var/lib/rport/client-auth.json" ## An optional name of a database table for client authentication. ## Requires a global database connection. See below. ## The table must be created manually. ## Learn how to create them https://oss.rport.io/docs/no03-client-auth.html#using-a-database-table auth_table = "clients_auth" ## When using an {auth_file} or a database table creating separate credentials for each client is recommended. ## It increases security because you can lock out clients individually. ## If {auth_multiuse_creds} is false a client is rejected if another client with the same id is connected ## or has been connected within the {keep_lost_clients} interval. ## Defaults: true #auth_multiuse_creds = true ## Having set {auth_multiuse_creds} = false, you can omit specifying a client-id. ## You can use the client-auth-id as client-id to slim down the client configuration. ## Defaults: false #equate_clientauthid_clientid = false ## If you want to delegate the creation and maintenance to an external tool ## you should turn {auth_write} off. ## The API will reject all writing access to the client auth with HTTP 403. ## Applies only to {auth_file} and {auth_table}. ## Default: true #auth_write = true ## Specifies another HTTP server to proxy requests to when rportd receives a normal HTTP request. #proxy = "http://intranet.lan:8080/" ## Defines a list of port numbers or ranges of server ports, ## that would be used for automatic and manual port assignment. ## Creating reverse tunnels will fail if the requested server port is not listed here. ## Defaults to ['20000-30000']. ## Example: ## used_ports = [ '1024-2000', '9000', '9090' ] used_ports = ['__USED_START_PORT__-__USED_END_PORT__'] ## Defines a list of port numbers or ranges of server ports, ## that would not be used for automatic and manual port assignment. ## Values that are not included in the {used_ports} are ignored. ## Defaults to ['1-1024']. ## If no ports should be excluded then set it to "[]". #excluded_ports = ['1-1024'] ## An optional param to define a local directory path to store internal data. ## By default, "/var/lib/rport" is used. ## If the directory doesn't exist, it will be created. ## On Linux you must create this directory because an unprivileged user ## don't have the right to create a directory in /var/lib. ## Ideally this directory is the homedir of the rport user and has been created along with the user. ## Example: useradd -r -d /var/lib/rport -m -s /bin/false -U -c "System user for rport client and server" rport data_dir = "__DATADIR__" ## By default all Sqlite3 databases are opened with WAL enabled. ## This is a performance enhancement. Do not turn off, unless you have good reasons. #sqlite_wal = true ## An optional param to define whether disconnected clients get cleaned up. ## By default the clients are cleaned up. #cleanup_lost_clients = true ## An optional param to define a duration to keep info (clients, tunnels, etc) about active and disconnected clients. ## By default is "1h". To disable it set it to "0". Disconnected clients are purged immediately. ## When cleanup_lost_clients = false, this has no effect. ## It can contain "h"(hours), "m"(minutes), "s"(seconds). ## Maximum allowed: 168h (=7days) keep_lost_clients = "168h" ## An optional param to define an interval to clean up internal storage from obsolete ## disconnected clients. It can contain "h"(hours), "m"(minutes), "s"(seconds). ## By default, 1 minute is used. #cleanup-clients-interval = "1m" ## An optional param to define a limit for data that can be sent by API requests. ## By default is set to 10240(10Kb). #max_request_bytes = 10240 ## An optional param to define a limit for data that can be sent by rport clients. ## By default is set to 524288(512Kb). #max_request_bytes_client = 524288 ## The maximum upload size of a file in bytes. ## If exceeded, an error is returned. Please note that max_request_bytes is not affecting the file upload API ## https://oss.rport.io/docs/no18-file-upload.html ## Defaults: 10485760 bytes (ca 10,5 MB). #max_filepush_size = 10485760 ## An optional param to define a timeout in seconds to observe the remote command execution. ## Defaults: 60. #run_remote_cmd_timeout_sec = 60 ## An optional param to define a timeout to check whether a remote destination of a requested new tunnel is available, ## i.e. whether a given remote port is open on a client machine. By default, "2s" is used. #check_port_timeout = "1s" ## There is no technical requirement to run the rport server under the root user. ## Running it as root is an unnecessary security risk. ## You don't even need root-rights to run rport on tcp ports below 1024. ## Use "setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/rportd" to allow the usage of any tcp ports. ## Hint: setcap must be applied after each update of the binary. ## Consider integrating it into the systemd service file as an ExecStartPre option. ## Rport exits with an error if started as root unless you explicitly allow it. ## Defaults to false #allow_root = false ## Protect your server against password guessing. ## Force clients to wait N seconds (float) between unsuccessful login attempts. ## This is per client auth id. ## A message like ## 'client-listener: Failed login attempt for client auth id "abc", forcing to wait for {client_login_wait}s ({ip})' ## is logged to the info log. ## Consider changing the log_level to 'info' to trace failed login attempts. ## Learn more https://oss.rport.io/docs/no10-securing-the-server.html ## Defaults: 2.0 #client_login_wait = 2.0 ## After {max_failed_login} consecutive failed login-in attempts ban the source IP address for {ban_time} seconds. ## HTTP Status 423 is returned. ## A message like ## 'Maximum of {max_failed_login} login attempts reached. Visitor ({remote-ip}) banned. Ban expiry: 2021-04-16T11:22:26+00:00' ## is logged to the info log. ## Banning happens on HTTP level. ## Consider banning on network level using fail2ban. ## Learn more https://oss.rport.io/docs/no10-securing-the-server.html ## Defaults: max_failed_login = 5, ban_time = 3600 #max_failed_login = 5 #ban_time = 3600 ## To enable testing endpoints (/test/commands/ui and /test/scripts/ui) for ws endpoints (/ws/commands and /ws/scripts) provide ## true for `enable_ws_test_endpoints` ## Defaults: enable_ws_test_endpoints = false #enable_ws_test_endpoints = false ## Enable the creation of tunnel proxies with giving certificate- and key-file ## Defaults: not enabled tunnel_proxy_cert_file = "/etc/yunohost/certs/__DOMAIN__/crt.pem" tunnel_proxy_key_file = "/etc/yunohost/certs/__DOMAIN__/key.pem" ## If specified, rportd will serve novnc javascript app from this directory. novnc_root = "__FINALPATH__/noVNC" ## Host and port where guacd daemon is listening. ## If specified, rportd will serve remote desktop connections in browser through Apache Guacamole. guacd_address = "127.0.0.1:__GUACD_PORT__" ## Maximum number of results to keep for commands, scripts and schedules execution #jobs_max_results = 10000 [logging] ## Specifies log file path for global logging ## Not setting {log_file} turns logging off. log_file = "/var/log/__APP__/__APP__.log" ## Specify log level. Values: 'error', 'info', 'debug'. ## Defaults to 'info' log_level = "info" [api] ## Defines the IP address and port the API server listens on. ## Specify non-empty {address} to enable API support. address = "127.0.0.1:__API_PORT__" ## Defines : authentication pair for accessing the API. Enables access for a single user. ## Learn more about api auth options and get examples https://oss.rport.io/docs/no02-api-auth.html ## Use either {auth_file}/{auth_user_table} or {auth}. Not both. ## If multiple auth options are enabled, rportd exits with an error. #auth = "admin:foobaz" ## Use a json file containing users, passwords and groups. ## Passwords are expected to be bcrypt encoded. ## Learn more about api auth options and get examples https://oss.rport.io/docs/no02-api-auth.html ## Use either {auth_file}/{auth_user_table} or {auth}. Not both. ## If multiple auth options are enabled, rportd exits with an error. #auth_file = "/var/lib/rport/api-auth.json" ## An optional name of two database tables for api user authentication. ## Requires a global database connection. See below. ## Tables must be created manually. ## Learn how to create them https://oss.rport.io/docs/no02-api-auth.html#database auth_user_table = "users" auth_group_table = "groups" ## The rport server can treat all requests as pre-authenticated by a reverse proxy based on a http header. ## This option is enabled if auth_header is set. ## If the header exists, the request is considered valid and a session is created. ## Inside the same or a different header, the username must be submitted. #auth_header = "Authentication-IsAuthenticated" #user_header = "Authentication-User" ## If the user doesn't exist yet, it can be created on-the-fly. ## Disabled by default #create_missing_users = true ## If users are created on-the-fly to which user group do they belong? #default_user_group = "Administrators" ## Use two-factor authentication to generate auth tokens. ## Learn more on https://oss.rport.io/docs/no02-api-auth.html#two-factor-auth ## Using 2FA will disable HTTP basic authentication on all API endpoints except '/login'. It triggers sending 2FA ## verification code to a user using a chosen delivery method. This code can be further verified using '/verify-2fa' endpoint. ## Two-factor authentication requires either a valid SMTP or Pushover setup. ## Your user-password store (json files or DB table) needs an additional field 'two_fa_send_to'. ## 2FA is not available if you use a single static user-password pair set directly in the rportd.conf. ## Use either 'smtp', 'pushover' or a path to an executable binary or script. ## Executables must read recipients details from the environment. Check our examples from the link above. ## Sending the token has a default timeout of 10 seconds. ## 2FA is disabled by default. ## Token sent via the specified delivery method has a default lifetime of 600 seconds. #two_fa_token_delivery = 'smtp' #two_fa_token_ttl_seconds = 600 #two_fa_send_timeout = 10s ## When using an executable for token delivery, you can optionally specify how the two_fa_send_to is validated on changes. ## Ignored when using SMTP or Pushover for token delivery. ## Use two_fa_send_to_type = 'email' to accept only valid email address. ## Or use a regular expression, for example ## two_fa_send_to_type = 'regex' ## two_fa_send_to_regex = '[a-z0-9]{10}' #two_fa_send_to_type = 'none' ## To enable time-based onetime tokens generated by apps likes Google or Microsoft Authenticator, ## set 'totp_enabled = true'. ## Your user-password store (json files or DB table) needs an additional text field 'totp_secret'. #totp_enabled = false ## Learn more on https://oss.rport.io/docs/no02-api-auth.html#two-factor-auth ## Before sending the token generated by the authenticator app, ## users should do a login attempt. Otherwise thye can request tokens directly without login. ## 'totp_login_session_ttl' sets the timeout after which totp codes won't be accepted #totp_login_session_ttl = '600s' ## If you run multiple RPort servers, you should give them different totp account names ## to differentiate them on your authenticator app. totp_account_name = '__DOMAIN__' ## Defines JWT secret used to generate new tokens. ## If not set, it will be generated by server. jwt_secret = "__JWT_SECRET__" ## If specified, rportd will serve static files from this directory on the same API address. ## This is the place where the frontend files (html/js) go. ## Learn how to install the frontend https://oss.rport.io/docs/no07-frontend.html doc_root = "__FINALPATH__/frontend" ## If both cert_file and key_file are specified, then rportd will use them to serve the API with https. ## Intermediate certificates should be included in cert_file if required. #cert_file = "/etc/yunohost/certs/__DOMAIN__/crt.pem" #key_file = "/etc/yunohost/certs/__DOMAIN__/key.pem" ## Specifies file for API access logs. Logs will be written in Combined Log Format. ## If this is not set the API access logs are disabled. access_log_file = "/var/log/__APP__/api-access.log" ## Protect your API server against password guessing. ## Force users to wait N seconds (float) between unsuccessful login attempts. ## This is per username. ## Defaults: 2.0 #user_login_wait = 2.0 ## After X failed login-in attempts ban the source IP address for Z seconds. #max_failed_login = 5 #ban_time = 3600 ## Each action is logged and stored in a database to follow up who did what when. ## The audit log is enabled by default. The data is stored in {data_dir}.audit_log.db #enable_audit_log = true ## Storing the full remote IP address of the API users might violate privacy protection regulations. ## Using obfuscation stores only the first three segments of the IP address (IPv4 only). ## Turned off by default. #use_ip_obfuscation = false ## Depending on the number of actions your rport server performs, the audit log can grow fast. ## By default, the audit_log database file is changed every month. ## Consider changing to a faster rotation. #audit_log_rotation = 'monthly' , possible values: yearly, monthly, weekly, daily [database] ## Global configuration of a database connection. ## The database and the initial schema must be created manually. ## Learn how to use a database: ## for api auth: https://oss.rport.io/docs/no02-api-auth.html#database ## for clients auth: https://oss.rport.io/docs/no03-client-auth.html#using-a-database-table ## Supported: MySQL/MariaDB and Sqlite3 ## For MySQL or MariaDB. db_type = "mysql" ## For Sqlite3. #db_type = "sqlite" ## Only for MySQL/Mariadb, ignored for Sqlite. db_host = "127.0.0.1:3306" #db_host = "socket:/var/run/mysqld/mysqld.sock" ## Credentials, only for MySQL/Mariadb, ignored for Sqlite. db_user = "__DB_USER__" db_password = "__DB_PWD__" ## For MySQL/MariaDB name of the database. db_name = "__DB_NAME__" ## For Sqlite full path to the sqlite3 file. #db_name = "/var/lib/rport/database.sqlite3" [pushover] ## Pushover settings for sending push messages via Pushover.net. Currently used only for sending two-factor auth tokens. ## Learn more on https://oss.rport.io/docs/no15-messaging.html#pushover ## Required (only if pushover is specified as {api.two_fa_token_delivery}): pushover API token and user key #api_token = 'abc123' #user_key = 'user123' [smtp] ## SMTP settings for sending email. Currently used only for sending two-factor auth tokens. ## Learn more on https://oss.rport.io/docs/no15-messaging.html#smtp ## Required (only if smtp is specified as {api.two_fa_token_delivery}): ## smtp server and port separated by a colon. e.g. server = 'smtp.gmail.com:2525' ## sender email - an email that is used to send 2FA tokens ## Optional: ## auth_username, specify a username for authentication ## auth_password, specify a password for the username. ## secure = true|false, enable if Implicit(Forced) TLS must be used. server = 'localhost:25' sender_email = '__APP__@__DOMAIN__' #auth_username = 'john.doe' #auth_password = 'secret' secure = false [monitoring] ## The rport server stores monitoring data of the clients for N days. ## https://oss.rport.io/docs/no17-monitoring.html ## Older data is purged automatically. ## Default: 30 days data_storage_days = 30