mirror of
https://github.com/YunoHost-Apps/rportd_ynh.git
synced 2024-09-03 20:16:15 +02:00
398 lines
19 KiB
Text
398 lines
19 KiB
Text
#======================================================================================================================
|
|
# vim: softtabstop=2 shiftwidth=2 expandtab fenc=utf-8 spell spelllang=en cc=120
|
|
#======================================================================================================================
|
|
#
|
|
# FILE: rportd.example.config
|
|
#
|
|
# DESCRIPTION: Configuration file for the rport server
|
|
#
|
|
# BUGS: https://github.com/cloudradar-monitoring/rport/issues
|
|
#
|
|
# HELP: https://github.com/cloudradar-monitoring/rport/blob/master/README.md
|
|
#
|
|
# COPYRIGHT: (c) 2020 by the CloudRadar Team,
|
|
#
|
|
# LICENSE: MIT
|
|
# ORGANIZATION: cloudradar GmbH, Potsdam, Germany (cloudradar.io)
|
|
# CREATED: 10/10/2020
|
|
#======================================================================================================================
|
|
|
|
[server]
|
|
## Defines the IP address and port the HTTP server listens on.
|
|
## This is where the rport clients connect to.
|
|
## Defaults: "0.0.0.0:8080"
|
|
address = "0.0.0.0:__CLIENT_PORT__"
|
|
|
|
## Optionally defines full client connect URL(s).
|
|
## Defaults to http://{address}
|
|
## This setting is only used to return via an API call where rportd is listening for client connections.
|
|
## The pairing script generates a ready-to-use client configuration based on this {url}.
|
|
## Also useful, if you run the rportd behind a reverse proxy or a port forwarding
|
|
## and the external URL differs from the internal address and port.
|
|
## Accepts a single string like 'url = "http://rport.example.com"'
|
|
## or a list like 'url = ["http://rport.example.com", "http://192.168.1.1:8000"]
|
|
url = "http://__DOMAIN__:__CLIENT_PORT__"
|
|
|
|
## Optionally defines the hostname or IP address used to generate links pointing to running tunnels.
|
|
## By default, all links are relative to the URL of the API or UI.
|
|
## If you run the API/UI behind a reverse proxy that is incapable of forwarding raw TCP/UDP packets,
|
|
## you can specify a separated tunnel_host to access tunnels, bypassing the reverse proxy.
|
|
#tunnel_host = "tunnels.rport.example.com"
|
|
|
|
## Optionally defines a custom pairing service URL.
|
|
## Defaults to https://pairing.rport.io
|
|
## To run your own pairing service refer to https://github.com/cloudradar-monitoring/rport-pairing
|
|
## Accepts a single string like
|
|
#pairing_url = "https://pairing.example.com"
|
|
|
|
## An optional string to seed the generation of a ECDSA public and private key pair.
|
|
## Highly recommended. Not using it is a big security risk.
|
|
## Use "openssl rand -hex 18" to generate a secure key seed.
|
|
key_seed = "__KEY_SEED__"
|
|
|
|
## An optional string representing a single client auth credentials, in the form of <client-auth-id>:<password>.
|
|
## This is equivalent to creating an {auth_file} with '{"<client-auth-id>":"<password>"}'.
|
|
## Use either {auth_file}/{auth_table} or {auth}. Not both.
|
|
## If multiple auth options are enabled, rportd exits with an error.
|
|
#auth = "clientAuth1:1234"
|
|
|
|
## An optional path to a json file with client credentials.
|
|
## This is for authentication of the rport tunnel clients.
|
|
## The file should contain a map with clients credentials defined like:
|
|
## {
|
|
## "<client-auth-id1>": "<password1>",
|
|
## "<client-auth-id2>": "<password2>"
|
|
## }
|
|
## Use either {auth_file}/{auth_table} or {auth}. Not both.
|
|
## If multiple auth options are enabled, rportd exits with an error.
|
|
#auth_file = "/var/lib/rport/client-auth.json"
|
|
|
|
## An optional name of a database table for client authentication.
|
|
## Requires a global database connection. See below.
|
|
## The table must be created manually.
|
|
## Learn how to create them https://oss.rport.io/docs/no03-client-auth.html#using-a-database-table
|
|
auth_table = "clients_auth"
|
|
|
|
## When using an {auth_file} or a database table creating separate credentials for each client is recommended.
|
|
## It increases security because you can lock out clients individually.
|
|
## If {auth_multiuse_creds} is false a client is rejected if another client with the same id is connected
|
|
## or has been connected within the {keep_lost_clients} interval.
|
|
## Defaults: true
|
|
#auth_multiuse_creds = true
|
|
|
|
## Having set {auth_multiuse_creds} = false, you can omit specifying a client-id.
|
|
## You can use the client-auth-id as client-id to slim down the client configuration.
|
|
## Defaults: false
|
|
#equate_clientauthid_clientid = false
|
|
|
|
## If you want to delegate the creation and maintenance to an external tool
|
|
## you should turn {auth_write} off.
|
|
## The API will reject all writing access to the client auth with HTTP 403.
|
|
## Applies only to {auth_file} and {auth_table}.
|
|
## Default: true
|
|
#auth_write = true
|
|
|
|
## Specifies another HTTP server to proxy requests to when rportd receives a normal HTTP request.
|
|
#proxy = "http://intranet.lan:8080/"
|
|
|
|
## Defines a list of port numbers or ranges of server ports,
|
|
## that would be used for automatic and manual port assignment.
|
|
## Creating reverse tunnels will fail if the requested server port is not listed here.
|
|
## Defaults to ['20000-30000'].
|
|
## Example:
|
|
## used_ports = [ '1024-2000', '9000', '9090' ]
|
|
used_ports = ['__USED_START_PORT__-__USED_END_PORT__']
|
|
|
|
## Defines a list of port numbers or ranges of server ports,
|
|
## that would not be used for automatic and manual port assignment.
|
|
## Values that are not included in the {used_ports} are ignored.
|
|
## Defaults to ['1-1024'].
|
|
## If no ports should be excluded then set it to "[]".
|
|
#excluded_ports = ['1-1024']
|
|
|
|
## An optional param to define a local directory path to store internal data.
|
|
## By default, "/var/lib/rport" is used.
|
|
## If the directory doesn't exist, it will be created.
|
|
## On Linux you must create this directory because an unprivileged user
|
|
## don't have the right to create a directory in /var/lib.
|
|
## Ideally this directory is the homedir of the rport user and has been created along with the user.
|
|
## Example: useradd -r -d /var/lib/rport -m -s /bin/false -U -c "System user for rport client and server" rport
|
|
data_dir = "__DATADIR__"
|
|
|
|
## By default all Sqlite3 databases are opened with WAL enabled.
|
|
## This is a performance enhancement. Do not turn off, unless you have good reasons.
|
|
#sqlite_wal = true
|
|
|
|
## An optional param to define whether disconnected clients get cleaned up.
|
|
## By default the clients are cleaned up.
|
|
#cleanup_lost_clients = true
|
|
|
|
## An optional param to define a duration to keep info (clients, tunnels, etc) about active and disconnected clients.
|
|
## By default is "1h". To disable it set it to "0". Disconnected clients are purged immediately.
|
|
## When cleanup_lost_clients = false, this has no effect.
|
|
## It can contain "h"(hours), "m"(minutes), "s"(seconds).
|
|
## Maximum allowed: 168h (=7days)
|
|
keep_lost_clients = "168h"
|
|
|
|
## An optional param to define an interval to clean up internal storage from obsolete
|
|
## disconnected clients. It can contain "h"(hours), "m"(minutes), "s"(seconds).
|
|
## By default, 1 minute is used.
|
|
#cleanup-clients-interval = "1m"
|
|
|
|
## An optional param to define a limit for data that can be sent by API requests.
|
|
## By default is set to 10240(10Kb).
|
|
#max_request_bytes = 10240
|
|
|
|
## An optional param to define a limit for data that can be sent by rport clients.
|
|
## By default is set to 524288(512Kb).
|
|
#max_request_bytes_client = 524288
|
|
|
|
## The maximum upload size of a file in bytes.
|
|
## If exceeded, an error is returned. Please note that max_request_bytes is not affecting the file upload API
|
|
## https://oss.rport.io/docs/no18-file-upload.html
|
|
## Defaults: 10485760 bytes (ca 10,5 MB).
|
|
#max_filepush_size = 10485760
|
|
|
|
## An optional param to define a timeout in seconds to observe the remote command execution.
|
|
## Defaults: 60.
|
|
#run_remote_cmd_timeout_sec = 60
|
|
|
|
## An optional param to define a timeout to check whether a remote destination of a requested new tunnel is available,
|
|
## i.e. whether a given remote port is open on a client machine. By default, "2s" is used.
|
|
#check_port_timeout = "1s"
|
|
|
|
## There is no technical requirement to run the rport server under the root user.
|
|
## Running it as root is an unnecessary security risk.
|
|
## You don't even need root-rights to run rport on tcp ports below 1024.
|
|
## Use "setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/rportd" to allow the usage of any tcp ports.
|
|
## Hint: setcap must be applied after each update of the binary.
|
|
## Consider integrating it into the systemd service file as an ExecStartPre option.
|
|
## Rport exits with an error if started as root unless you explicitly allow it.
|
|
## Defaults to false
|
|
#allow_root = false
|
|
|
|
## Protect your server against password guessing.
|
|
## Force clients to wait N seconds (float) between unsuccessful login attempts.
|
|
## This is per client auth id.
|
|
## A message like
|
|
## 'client-listener: Failed login attempt for client auth id "abc", forcing to wait for {client_login_wait}s ({ip})'
|
|
## is logged to the info log.
|
|
## Consider changing the log_level to 'info' to trace failed login attempts.
|
|
## Learn more https://oss.rport.io/docs/no10-securing-the-server.html
|
|
## Defaults: 2.0
|
|
#client_login_wait = 2.0
|
|
|
|
## After {max_failed_login} consecutive failed login-in attempts ban the source IP address for {ban_time} seconds.
|
|
## HTTP Status 423 is returned.
|
|
## A message like
|
|
## 'Maximum of {max_failed_login} login attempts reached. Visitor ({remote-ip}) banned. Ban expiry: 2021-04-16T11:22:26+00:00'
|
|
## is logged to the info log.
|
|
## Banning happens on HTTP level.
|
|
## Consider banning on network level using fail2ban.
|
|
## Learn more https://oss.rport.io/docs/no10-securing-the-server.html
|
|
## Defaults: max_failed_login = 5, ban_time = 3600
|
|
#max_failed_login = 5
|
|
#ban_time = 3600
|
|
|
|
## To enable testing endpoints (/test/commands/ui and /test/scripts/ui) for ws endpoints (/ws/commands and /ws/scripts) provide
|
|
## true for `enable_ws_test_endpoints`
|
|
## Defaults: enable_ws_test_endpoints = false
|
|
#enable_ws_test_endpoints = false
|
|
|
|
## Enable the creation of tunnel proxies with giving certificate- and key-file
|
|
## Defaults: not enabled
|
|
tunnel_proxy_cert_file = "/etc/yunohost/certs/__DOMAIN__/crt.pem"
|
|
tunnel_proxy_key_file = "/etc/yunohost/certs/__DOMAIN__/key.pem"
|
|
|
|
## If specified, rportd will serve novnc javascript app from this directory.
|
|
novnc_root = "__FINALPATH__/noVNC"
|
|
|
|
## Host and port where guacd daemon is listening.
|
|
## If specified, rportd will serve remote desktop connections in browser through Apache Guacamole.
|
|
guacd_address = "127.0.0.1:__GUACD_PORT__"
|
|
|
|
## Maximum number of results to keep for commands, scripts and schedules execution
|
|
#jobs_max_results = 10000
|
|
|
|
[logging]
|
|
## Specifies log file path for global logging
|
|
## Not setting {log_file} turns logging off.
|
|
log_file = "/var/log/__APP__/__APP__.log"
|
|
|
|
## Specify log level. Values: 'error', 'info', 'debug'.
|
|
## Defaults to 'info'
|
|
log_level = "info"
|
|
|
|
[api]
|
|
## Defines the IP address and port the API server listens on.
|
|
## Specify non-empty {address} to enable API support.
|
|
address = "127.0.0.1:__API_PORT__"
|
|
|
|
## Defines <user>:<password> authentication pair for accessing the API. Enables access for a single user.
|
|
## Learn more about api auth options and get examples https://oss.rport.io/docs/no02-api-auth.html
|
|
## Use either {auth_file}/{auth_user_table} or {auth}. Not both.
|
|
## If multiple auth options are enabled, rportd exits with an error.
|
|
#auth = "admin:foobaz"
|
|
|
|
## Use a json file containing users, passwords and groups.
|
|
## Passwords are expected to be bcrypt encoded.
|
|
## Learn more about api auth options and get examples https://oss.rport.io/docs/no02-api-auth.html
|
|
## Use either {auth_file}/{auth_user_table} or {auth}. Not both.
|
|
## If multiple auth options are enabled, rportd exits with an error.
|
|
#auth_file = "/var/lib/rport/api-auth.json"
|
|
|
|
## An optional name of two database tables for api user authentication.
|
|
## Requires a global database connection. See below.
|
|
## Tables must be created manually.
|
|
## Learn how to create them https://oss.rport.io/docs/no02-api-auth.html#database
|
|
auth_user_table = "users"
|
|
auth_group_table = "groups"
|
|
|
|
## The rport server can treat all requests as pre-authenticated by a reverse proxy based on a http header.
|
|
## This option is enabled if auth_header is set.
|
|
## If the header exists, the request is considered valid and a session is created.
|
|
## Inside the same or a different header, the username must be submitted.
|
|
#auth_header = "Authentication-IsAuthenticated"
|
|
#user_header = "Authentication-User"
|
|
## If the user doesn't exist yet, it can be created on-the-fly.
|
|
## Disabled by default
|
|
#create_missing_users = true
|
|
## If users are created on-the-fly to which user group do they belong?
|
|
#default_user_group = "Administrators"
|
|
|
|
## Use two-factor authentication to generate auth tokens.
|
|
## Learn more on https://oss.rport.io/docs/no02-api-auth.html#two-factor-auth
|
|
## Using 2FA will disable HTTP basic authentication on all API endpoints except '/login'. It triggers sending 2FA
|
|
## verification code to a user using a chosen delivery method. This code can be further verified using '/verify-2fa' endpoint.
|
|
## Two-factor authentication requires either a valid SMTP or Pushover setup.
|
|
## Your user-password store (json files or DB table) needs an additional field 'two_fa_send_to'.
|
|
## 2FA is not available if you use a single static user-password pair set directly in the rportd.conf.
|
|
## Use either 'smtp', 'pushover' or a path to an executable binary or script.
|
|
## Executables must read recipients details from the environment. Check our examples from the link above.
|
|
## Sending the token has a default timeout of 10 seconds.
|
|
## 2FA is disabled by default.
|
|
## Token sent via the specified delivery method has a default lifetime of 600 seconds.
|
|
#two_fa_token_delivery = 'smtp'
|
|
#two_fa_token_ttl_seconds = 600
|
|
#two_fa_send_timeout = 10s
|
|
## When using an executable for token delivery, you can optionally specify how the two_fa_send_to is validated on changes.
|
|
## Ignored when using SMTP or Pushover for token delivery.
|
|
## Use two_fa_send_to_type = 'email' to accept only valid email address.
|
|
## Or use a regular expression, for example
|
|
## two_fa_send_to_type = 'regex'
|
|
## two_fa_send_to_regex = '[a-z0-9]{10}'
|
|
#two_fa_send_to_type = 'none'
|
|
|
|
## To enable time-based onetime tokens generated by apps likes Google or Microsoft Authenticator,
|
|
## set 'totp_enabled = true'.
|
|
## Your user-password store (json files or DB table) needs an additional text field 'totp_secret'.
|
|
#totp_enabled = false
|
|
## Learn more on https://oss.rport.io/docs/no02-api-auth.html#two-factor-auth
|
|
## Before sending the token generated by the authenticator app,
|
|
## users should do a login attempt. Otherwise thye can request tokens directly without login.
|
|
## 'totp_login_session_ttl' sets the timeout after which totp codes won't be accepted
|
|
#totp_login_session_ttl = '600s'
|
|
|
|
## If you run multiple RPort servers, you should give them different totp account names
|
|
## to differentiate them on your authenticator app.
|
|
totp_account_name = '__DOMAIN__'
|
|
|
|
## Defines JWT secret used to generate new tokens.
|
|
## If not set, it will be generated by server.
|
|
jwt_secret = "__JWT_SECRET__"
|
|
|
|
## If specified, rportd will serve static files from this directory on the same API address.
|
|
## This is the place where the frontend files (html/js) go.
|
|
## Learn how to install the frontend https://oss.rport.io/docs/no07-frontend.html
|
|
doc_root = "__FINALPATH__/frontend"
|
|
|
|
## If both cert_file and key_file are specified, then rportd will use them to serve the API with https.
|
|
## Intermediate certificates should be included in cert_file if required.
|
|
#cert_file = "/etc/yunohost/certs/__DOMAIN__/crt.pem"
|
|
#key_file = "/etc/yunohost/certs/__DOMAIN__/key.pem"
|
|
|
|
## Specifies file for API access logs. Logs will be written in Combined Log Format.
|
|
## If this is not set the API access logs are disabled.
|
|
access_log_file = "/var/log/__APP__/api-access.log"
|
|
|
|
## Protect your API server against password guessing.
|
|
## Force users to wait N seconds (float) between unsuccessful login attempts.
|
|
## This is per username.
|
|
## Defaults: 2.0
|
|
#user_login_wait = 2.0
|
|
|
|
## After X failed login-in attempts ban the source IP address for Z seconds.
|
|
#max_failed_login = 5
|
|
#ban_time = 3600
|
|
|
|
## Each action is logged and stored in a database to follow up who did what when.
|
|
## The audit log is enabled by default. The data is stored in {data_dir}.audit_log.db
|
|
#enable_audit_log = true
|
|
|
|
## Storing the full remote IP address of the API users might violate privacy protection regulations.
|
|
## Using obfuscation stores only the first three segments of the IP address (IPv4 only).
|
|
## Turned off by default.
|
|
#use_ip_obfuscation = false
|
|
|
|
## Depending on the number of actions your rport server performs, the audit log can grow fast.
|
|
## By default, the audit_log database file is changed every month.
|
|
## Consider changing to a faster rotation.
|
|
#audit_log_rotation = 'monthly' , possible values: yearly, monthly, weekly, daily
|
|
|
|
[database]
|
|
## Global configuration of a database connection.
|
|
## The database and the initial schema must be created manually.
|
|
## Learn how to use a database:
|
|
## for api auth: https://oss.rport.io/docs/no02-api-auth.html#database
|
|
## for clients auth: https://oss.rport.io/docs/no03-client-auth.html#using-a-database-table
|
|
## Supported: MySQL/MariaDB and Sqlite3
|
|
|
|
## For MySQL or MariaDB.
|
|
db_type = "mysql"
|
|
|
|
## For Sqlite3.
|
|
#db_type = "sqlite"
|
|
|
|
## Only for MySQL/Mariadb, ignored for Sqlite.
|
|
db_host = "127.0.0.1:3306"
|
|
#db_host = "socket:/var/run/mysqld/mysqld.sock"
|
|
|
|
## Credentials, only for MySQL/Mariadb, ignored for Sqlite.
|
|
db_user = "__DB_USER__"
|
|
db_password = "__DB_PWD__"
|
|
|
|
## For MySQL/MariaDB name of the database.
|
|
db_name = "__DB_NAME__"
|
|
|
|
## For Sqlite full path to the sqlite3 file.
|
|
#db_name = "/var/lib/rport/database.sqlite3"
|
|
|
|
[pushover]
|
|
## Pushover settings for sending push messages via Pushover.net. Currently used only for sending two-factor auth tokens.
|
|
## Learn more on https://oss.rport.io/docs/no15-messaging.html#pushover
|
|
## Required (only if pushover is specified as {api.two_fa_token_delivery}): pushover API token and user key
|
|
#api_token = 'abc123'
|
|
#user_key = 'user123'
|
|
|
|
[smtp]
|
|
## SMTP settings for sending email. Currently used only for sending two-factor auth tokens.
|
|
## Learn more on https://oss.rport.io/docs/no15-messaging.html#smtp
|
|
## Required (only if smtp is specified as {api.two_fa_token_delivery}):
|
|
## smtp server and port separated by a colon. e.g. server = 'smtp.gmail.com:2525'
|
|
## sender email - an email that is used to send 2FA tokens
|
|
## Optional:
|
|
## auth_username, specify a username for authentication
|
|
## auth_password, specify a password for the username.
|
|
## secure = true|false, enable if Implicit(Forced) TLS must be used.
|
|
server = 'localhost:25'
|
|
sender_email = '__APP__@__DOMAIN__'
|
|
#auth_username = 'john.doe'
|
|
#auth_password = 'secret'
|
|
secure = false
|
|
|
|
[monitoring]
|
|
## The rport server stores monitoring data of the clients for N days.
|
|
## https://oss.rport.io/docs/no17-monitoring.html
|
|
## Older data is purged automatically.
|
|
## Default: 30 days
|
|
data_storage_days = 30
|