.env.example
# CrowdSieve Configuration
#
# This is a template. Copy it to .env and put real values there; keep .env out
# of version control. Several variables below are secrets (database password,
# OIDC client secret, session secret, dashboard API key) and must never be
# committed with real values.
# =============================================================================
# Proxy Settings
# =============================================================================
# TCP port the proxy listens on
PROXY_PORT=8080
# CrowdSec Central API endpoint. Keep the https scheme so traffic to CAPI is
# encrypted and the server is authenticated.
CAPI_URL=https://api.crowdsec.net
# Upstream request timeout in milliseconds
PROXY_TIMEOUT_MS=30000
# Whether requests are forwarded upstream (presumably to CAPI_URL — confirm in the proxy code)
FORWARD_ENABLED=true
# =============================================================================
# Storage
# =============================================================================
# Storage type: sqlite (default) or postgres
STORAGE_TYPE=sqlite
# SQLite settings (used when STORAGE_TYPE=sqlite)
# Path is relative to the working directory. Restrict the file's permissions to
# the service user; it holds everything the proxy stores.
DATABASE_PATH=./data/crowdsieve.db
# PostgreSQL settings (used when STORAGE_TYPE=postgres)
# POSTGRES_HOST=localhost
# POSTGRES_PORT=5432
# POSTGRES_DATABASE=crowdsieve
# POSTGRES_USER=crowdsieve
# Placeholder only — the real password belongs in .env, never in this file
# POSTGRES_PASSWORD=your-secure-password
# Enable TLS to PostgreSQL whenever the database is not on the same host
# POSTGRES_SSL=false
# POSTGRES_SSL_REJECT_UNAUTHORIZED=true # Set to false only for self-signed certificates
# NOTE: REJECT_UNAUTHORIZED=false disables server certificate verification, so
# the connection is encrypted but the peer is not authenticated. Prefer keeping
# it true and trusting the self-signed certificate on the client side instead
# (the exact mechanism depends on the PostgreSQL client in use).
# POSTGRES_POOL_SIZE=10
# Data retention
# Days of stored data to keep; older records are expected to be purged
RETENTION_DAYS=30
# =============================================================================
# Logging
# =============================================================================
# Log level. More verbose levels may include request details, so avoid
# debug-level logging in production.
LOG_LEVEL=info
# Log output format
LOG_FORMAT=json
# =============================================================================
# GeoIP
# =============================================================================
# Path to the MaxMind-style city database used for GeoIP lookups
GEOIP_DB_PATH=./data/geoip-city.mmdb
# =============================================================================
# Security
# =============================================================================
# CORS origin (leave empty to reject all cross-origin requests; set to a specific origin to allow it)
# Example: http://localhost:3000 or https://dashboard.example.com
# Use the exact scheme://host[:port] of the dashboard. Keep it empty unless a
# browser client on another origin genuinely needs to call the API.
CORS_ORIGIN=
# Dashboard API authentication key (leave empty for development/no auth)
# Generate with: openssl rand -hex 32
# An empty value leaves the dashboard API unauthenticated. Set it (or configure
# OIDC below) before exposing the service beyond localhost.
DASHBOARD_API_KEY=
# Rate limiting (requests per time window)
# RATE_LIMIT_MAX requests allowed per RATE_LIMIT_WINDOW
# (window presumably in milliseconds, 60000 = 1 minute — confirm)
RATE_LIMIT_MAX=100
RATE_LIMIT_WINDOW=60000
# =============================================================================
# Dashboard OIDC Authentication (Optional)
# =============================================================================
# When configured, users must authenticate via OpenID Connect to access the dashboard.
# If not configured, the dashboard is accessible without authentication.
# OIDC Provider URL (e.g., Keycloak realm, Auth0 tenant, Okta issuer)
# OIDC_ISSUER=https://auth.example.com/realms/myrealm
# OAuth2 Client credentials
# OIDC_CLIENT_ID=crowdsieve-dashboard
# Secret — do not commit. Not used when JWS_ENABLED=true (private_key_jwt
# replaces the client secret, see below).
# OIDC_CLIENT_SECRET=your-client-secret
# Session encryption secret (minimum 32 characters)
# Generate with: openssl rand -hex 32
# Do not reuse DASHBOARD_API_KEY here. Changing this value presumably
# invalidates all existing dashboard sessions.
# SESSION_SECRET=your-random-session-secret-at-least-32-chars
# Force secure cookies (HTTPS only). Auto-detected in production.
# Set to 'true' when behind a reverse proxy terminating TLS.
# Without it the app may not detect that TLS was terminated upstream and could
# issue session cookies that browsers also send over plain HTTP.
# SESSION_COOKIE_SECURE=true
# Base URL for callbacks (auto-detected if not set)
# Set it explicitly in production so the OIDC callback URL does not depend on
# auto-detection.
# NEXTAUTH_URL=https://dashboard.example.com
# =============================================================================
# JWE Token Decryption (Optional)
# =============================================================================
# Enable decryption of encrypted tokens (JWE) from the OIDC provider.
# Supports both ID tokens and back-channel logout tokens.
# When enabled, CrowdSieve publishes its public encryption key at /api/jwks
# so the OIDC provider can encrypt tokens for CrowdSieve.
# Enable JWE decryption (default: false)
# JWE_ENABLED=true
# Path to store encryption keys (recommended for production)
# If not set, keys are regenerated on each restart
# The file holds the private decryption key: keep it out of version control
# and readable only by the service user. With keys regenerated on restart,
# tokens encrypted to the previous key can presumably no longer be decrypted.
# JWE_KEYS_PATH=./data/jwks.json
# Key encryption algorithm (default: RSA-OAEP-256)
# JWE_KEY_ALG=RSA-OAEP-256
# Supported content encryption algorithms (comma-separated, default: A256GCM,A128GCM)
# JWE_CONTENT_ALGS=A256GCM,A128GCM
# Number of days before automatically rotating keys (disabled if not set)
# Rotation only works sensibly with JWE_KEYS_PATH set, since otherwise keys
# already change on every restart.
# JWE_KEY_ROTATION_DAYS=30
# =============================================================================
# JWS Client Authentication (Optional)
# =============================================================================
# Enable private_key_jwt authentication (RFC 7523) instead of client_secret.
# When enabled, CrowdSieve authenticates to the OIDC provider using a signed
# JWT assertion instead of a client secret. The public keys are published
# at /api/jwks for the provider to verify the assertions.
#
# Benefits:
# - No shared secret to manage
# - Stronger authentication (asymmetric keys)
# - Required by some high-security OIDC providers
# Enable private_key_jwt authentication (default: false)
# The signing private key is as sensitive as a client secret — confirm where it
# is persisted (JWE_KEYS_PATH or elsewhere) and protect that file accordingly.
# JWS_ENABLED=true
# Key signing algorithm (default: RS256)
# JWS_KEY_ALG=RS256
# =============================================================================
# Client Validation
# =============================================================================
# Enable validation of CrowdSec clients against CAPI (default: false)
# While disabled, clients reaching the proxy are not checked against CAPI.
CLIENT_VALIDATION_ENABLED=false
# Cache TTL for validated clients in seconds (default: 604800 = 1 week)
# A longer TTL means a client revoked at CAPI may keep being accepted for up to this long.
CLIENT_VALIDATION_CACHE_TTL=604800
# Cache TTL when CAPI is unreachable in seconds (default: 3600 = 1 hour)
CLIENT_VALIDATION_CACHE_TTL_ERROR=3600
# Timeout for CAPI validation requests in milliseconds (default: 5000)
CLIENT_VALIDATION_TIMEOUT_MS=5000
# Maximum number of entries in memory LRU cache (default: 1000)
CLIENT_VALIDATION_MAX_MEMORY_ENTRIES=1000
# Fail-closed mode: reject requests when CAPI is unavailable (default: false)
# Set to true for security-sensitive deployments
# With the default (false) the proxy fails open: while CAPI is unreachable,
# clients that could not be validated are accepted, and that outcome is
# presumably cached for CLIENT_VALIDATION_CACHE_TTL_ERROR seconds.
CLIENT_VALIDATION_FAIL_CLOSED=false