-
Notifications
You must be signed in to change notification settings - Fork 51
/
.env.sample
405 lines (384 loc) · 11.9 KB
/
.env.sample
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
#
# APPLICATION
#
APP_NAME=app-name
APP_SCHEMA=http
APP_HOST=localhost
APP_PORT=8999
# serverenv = development OR production
APP_ENV=development
RELEASE_VERSION_OR_COMMIT_NUMBER=
#
# Get real IP of the client
#
# when using Cloudflare's CDN:
# TRUSTED_PLATFORM=cf
#
# when running on Google App Engine:
# TRUSTED_PLATFORM=google
#
# when using apache or nginx reverse proxy without
# Cloudflare's CDN or Google App Engine:
# [Default value]
TRUSTED_PLATFORM=X-Real-Ip
#
# config for nginx:
# =================
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Sentry.io
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_SENTRY=no
SentryDSN=https://[email protected]/xyz
# Performance tracing
# By default, it is disabled
# Activate by setting it to yes
SENTRY_ENABLE_TRACING=no
# Set sample rate to 1.0 to capture 100%
# of transactions for performance monitoring.
# We recommend adjusting this value in production.
SENTRY_TRACES_SAMPLE_RATE=0.0
#
# User password minimum length
#
MIN_PASS_LENGTH=6
#
# Basic Auth
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_BASIC_AUTH=yes
USERNAME=your_username
PASSWORD=secret_password
#
# JWT
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_JWT=yes
# Accepted algorithms: HS256, HS384, HS512, ES256, ES384, ES512, RS256, RS384, RS512
JWT_ALG=HS256
ACCESS_KEY=Use_a_strong_and_long_random_key
REFRESH_KEY=Use_another_strong_and_long_random_key
# expires tokens in minutes
ACCESS_KEY_TTL=5
REFRESH_KEY_TTL=60
PRIV_KEY_FILE_PATH=./private-key.pem
PUB_KEY_FILE_PATH=./public-key.pem
AUDIENCE=
ISSUER=gorest
# NotBefore for ACCESS_KEY in seconds
NOT_BEFORE_ACC=0
# NotBefore for REFRESH_KEY in seconds
NOT_BEFORE_REF=0
SUBJECT=
#
# When user logs off, invalidate the tokens
# A Redis database is required for this feature
# By default, it is disabled
# Activate by setting it to yes
INVALIDATE_JWT=
#
# Auth cookie
#
# By default, it is disabled
# Activate by setting it to yes
AUTH_COOKIE_ACTIVATE=no
AUTH_COOKIE_PATH=/
AUTH_COOKIE_DOMAIN=your-domain.com
# Activate by setting it to yes
AUTH_COOKIE_SECURE=yes
# Activate by setting it to yes
AUTH_COOKIE_HttpOnly=yes
# Accepted values: strict, lax, none, or keep it empty
AUTH_COOKIE_SameSite=strict
# Disable by setting it to no, it is enabled by default
SERVE_JWT_AS_RESPONSE_BODY=
#
# HashPass config
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_HASHING=yes
# The amount of memory used by the Argon2 algorithm (in kibibytes)
# HASHPASSMEMORY * 1024
HASHPASSMEMORY=64
# The number of iterations (or passes) over the memory
HASHPASSITERATIONS=2
# The number of threads (or lanes) used by the algorithm
# Changing the value of the Parallelism parameter changes the hash output
HASHPASSPARALLELISM=2
# Length of the random salt. 16 bytes is recommended for password hashing
HASHPASSSALTLENGTH=16
# Length of the generated key (or password hash). 16 bytes or more is recommended
HASHPASSKEYLENGTH=32
# NIST 800-63B recommends using a secret value of at least 112 bits
# When this field is empty, no secret will be used for hashing
HASH_SECRET=
#
# Save user email in encrypted form at rest
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_CIPHER=
CIPHER_KEY=
#
# For blake2b hashing with optional secret
#
BLAKE2B_SECRET=
#
# Email verification and password recovery
#
# By default, these are disabled
# Activate by setting them to yes
VERIFY_EMAIL=no
RECOVER_PASSWORD=no
#
# Two-Factor Authentication
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_2FA=no
TWO_FA_ISSUER=gorest
# SHA1 = 1, SHA256 = 256, SHA512 = 512
# FreeOTP supports SHA1, SHA256 SHA512
# Authy, Google Authenticator, Microsoft Authenticator, Okta
# support only SHA1
# So, better to use only SHA1 for now
TWO_FA_CRYPTO=1
# TWO_FA_DIGITS = 6, 7 or 8
TWO_FA_DIGITS=6
TWO_FA_VERIFIED=verified
TWO_FA_ON=on
TWO_FA_OFF=off
TWO_FA_INVALID=invalid
# Must be a local directory with relative path
# where the main application is hosted
TWO_FA_QR_PATH=tmp
# By default, sha2-256 hash of user's password is used to encrypt
# 2-FA secret. To harden the security with blake2b (with optional
# secret), set TWO_FA_DOUBLE_HASH=yes
TWO_FA_DOUBLE_HASH=
#
# App Firewall
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_FIREWALL=yes
# Allow all IP [LISTTYPE=whitelist | IP=*]
# Block all IP [LISTTYPE=blacklist | IP=*]
# Allow one or several IPs [LISTTYPE=whitelist | IP=x.x.x.x]
# Block one or several IPs [LISTTYPE=blacklist | IP=x.x.x.x]
LISTTYPE=whitelist
# LISTTYPE=blacklist
# IP - comma-separated list, IPv4, IPv6, CIDR
# IP=192.168.0.1,10.0.0.1,172.16.0.0/12,2400:cb00::/32
IP=*
#
# CORS
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_CORS=yes
#
# Access-Control-Allow-Origin
# Indicates whether the response can be shared with requesting code from the given origin
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
CORS_ORIGIN=*
#
# Access-Control-Allow-Credentials
# Indicates whether or not the actual request can be made using credentials
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
CORS_CREDENTIALS=true
#
# Access-Control-Allow-Headers
# Indicate which HTTP headers can be used during the actual request
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
CORS_HEADERS=Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, Accept, Origin, Cache-Control, X-Requested-With
#
# Access-Control-Expose-Headers
# Which response headers should be made available to scripts running in the browser
# in response to a cross-origin request
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
CORS_EXPOSE_HEADERS=Content-Length
#
# Access-Control-Allow-Methods
# Specifies one or more allowed methods
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
CORS_METHODS=GET, POST, PUT, PATCH, DELETE, OPTIONS
#
# Access-Control-Max-Age
# Indicates how long the results of a preflight request can be cached
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
CORS_MAXAGE=3600
#
# X-Content-Type-Options
# Prevent some browsers from MIME-sniffing the response
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
CORS_X_CONTENT_TYPE=nosniff
#
# X-Frame-Options
# Protect website against clickjacking
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# https://tools.ietf.org/html/rfc7034#section-2.1
# X-Frame-Options: DENY, SAMEORIGIN
CORS_X_FRAME=DENY
#
# Referrer-Policy
# Set a strict Referrer Policy to mitigate information leakage
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
CORS_REFERRER=strict-origin-when-cross-origin
#
# Content-Security-Policy
# Mitigate the risk of cross-site scripting and other content-injection attacks
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://content-security-policy.com/
# https://developers.google.com/web/fundamentals/security/csp
CORS_CONTENT_SECURITY=default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'
#
# Timing-Allow-Origin
# Allow cross-origin access to the timing information for all resources
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
CORS_TIMING_ALLOW_ORIGIN=*
#
# Strict-Transport-Security
# HTTP Strict Transport Security (HSTS)
# https://tools.ietf.org/html/rfc6797#section-6.1
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# Strict-Transport-Security: max-age=63072000; includeSubDomains
# To enable HSTS preload inclusion: https://hstspreload.org/#deployment-recommendations
# Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
CORS_HSTS=
# Origin Validation
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_ORIGIN_VALIDATION=no
# IP-Based Rate Limiter
# "S": second, "M": minute, "H": hour, "D": day
# Example: RATE_LIMIT=100-M (100 requests per minute), RATE_LIMIT=100-H (100 requests per hour)
# Keep it empty to disable rate limiter
RATE_LIMIT=100-M
#
# HTML Templates
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_VIEW=no
# Must be a local directory with relative path
# where the main application is hosted
TEMPLATE_DIR=templates
#
# RDBMS
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_RDBMS=no
# Supported dbDriver: mysql, postgres, sqlite3
DBDRIVER=dbDriver
DBUSER=dbUser
DBPASS=dbPass
DBNAME=dbName
DBHOST=localhost
DBPORT=dbport
# To enable TLS, set DBSSLMODE from 'disable' to 'require' or 'verify-ca' or 'verify-full'
# require: use host machine's root CAs to verify
# verify-ca or verify-full: perform comprehensive SSL/TLS certificate validation using
# certificate signed by a recognized CA or by a self-signed certificate
DBSSLMODE=disable
# Set minimum supported TLS version
DBSSL_TLS_MIN=1.2
# If DBSSL_ROOT_CA is set, it will be used in TLS
# Otherwise, DBSSL_SERVER_CERT will be used
DBSSL_ROOT_CA=/path/to/ca.pem
DBSSL_SERVER_CERT=/path/to/server-cert.pem
# For authentication of the client to the server, both DBSSL_CLIENT_CERT & DBSSL_CLIENT_KEY are required
DBSSL_CLIENT_CERT=/path/to/client-cert.pem
DBSSL_CLIENT_KEY=/path/to/client-key.pem
DBTIMEZONE=Europe/Berlin
#
# Max number of connections in the idle connection pool
DBMAXIDLECONNS=10
#
# Max number of open connections in the database
DBMAXOPENCONNS=100
#
# Max amount of time a connection may be reused
# Example:
# 1h
# 10m
# 20s
# 2h30m
# 2h30m45s
DBCONNMAXLIFETIME=1h
#
# Silent level = 1
# Error level = 2
# Warn level = 3
# Info level = 4
DBLOGLEVEL=1
#
# REDIS
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_REDIS=no
REDISHOST=127.0.0.1
REDISPORT=6379
POOLSIZE=10
# Context deadline in second
CONNTTL=5
#
# MONGO
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_MONGO=no
# Manual: https://docs.mongodb.com/manual/reference/connection-string/
# For MongoDB Atlas
# MONGO_URI=mongodb+srv://<username>:<password>@<cluster>.<subdomain>.mongodb.net/<cluster>?retryWrites=true&w=majority
# For standard connection on the local machine with auth
MONGO_URI=mongodb://<username>:<password>@<IP>:<PORT>/?retryWrites=true&w=majority
# For standard connection on the local machine without auth
# MONGO_URI=mongodb://<IP>:<PORT>/?retryWrites=true&w=majority
MONGO_APP=any_app_name
# Connection pool
MONGO_POOLSIZE=50
MONGO_MONITOR_POOL=yes
# MONGO_MONITOR_POOL=no
# Mongo client context deadline in second
MONGO_CONNTTL=10
#
# EMAIL SERVICE
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_EMAIL_SERVICE=no
# Supported providers: postmark
EMAIL_SERVICE_PROVIDER=postmark
# EMAIL_API_TOKEN: For postmark, it is the server token
EMAIL_API_TOKEN=
# Activate by setting it to yes
EMAIL_TRACK_OPENS=no
# EMAIL_TRACK_LINKS: Possible options -
# "None", "HtmlAndText", "HtmlOnly", "TextOnly"
EMAIL_TRACK_LINKS=None
# EMAIL_DELIVERY_TYPE: message stream ID
EMAIL_DELIVERY_TYPE=outbound
EMAIL_VERIFY_TEMPLATE_ID=0
EMAIL_PASS_RECOVER_TEMPLATE_ID=0
EMAIL_UPDATE_VERIFY_TEMPLATE_ID=0
# Default: EMAIL_VERIFY_USE_UUIDv4 = no, EMAIL_VERIFY_CODE_LENGTH is required
# If EMAIL_VERIFY_USE_UUIDv4 = yes, EMAIL_VERIFY_CODE_LENGTH is ignored
EMAIL_VERIFY_USE_UUIDv4=no
EMAIL_VERIFY_CODE_LENGTH=8
# Default: EMAIL_PASS_RECOVER_USE_UUIDv4 = no, EMAIL_PASS_RECOVER_CODE_LENGTH is required
# If EMAIL_PASS_RECOVER_USE_UUIDv4 = yes, EMAIL_PASS_RECOVER_CODE_LENGTH is ignored
EMAIL_PASS_RECOVER_USE_UUIDv4=no
EMAIL_PASS_RECOVER_CODE_LENGTH=12
EMAIL_VERIFY_TAG=emailVerification
EMAIL_PASS_RECOVER_TAG=passwordRecover
EMAIL_HTML_MODEL=product_url:https://github.com/pilinux/gorest;product_name:gorest;company_name:pilinux;company_address:Country
EMAIL_VERIFY_VALIDITY_PERIOD=86400
EMAIL_PASS_RECOVER_VALIDITY_PERIOD=1800