-
Notifications
You must be signed in to change notification settings - Fork 136
/
rportd.example.conf
242 lines (203 loc) · 11.2 KB
/
rportd.example.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
#======================================================================================================================
# vim: softtabstop=2 shiftwidth=2 expandtab fenc=utf-8 spell spelllang=en cc=120
#======================================================================================================================
#
# FILE: rportd.example.config
#
# DESCRIPTION: Configuration file for the rport server
#
# BUGS: https://github.com/cloudradar-monitoring/rport/issues
#
# HELP: https://github.com/cloudradar-monitoring/rport/blob/master/README.md
#
# COPYRIGHT: (c) 2020 by the CloudRadar Team,
#
# LICENSE: MIT
# ORGANIZATION: cloudradar GmbH, Potsdam, Germany (cloudradar.io)
# CREATED: 10/10/2020
#======================================================================================================================
[server]
## Defines the IP address and port the HTTP server listens on.
## This is where the rport clients connect to.
## Defaults: "0.0.0.0:8080"
#address = "0.0.0.0:8080"
## Optionally defines full client connect URL.
## Defaults to http://{address}
## This setting is only used to return via an API call where rportd is listening for connections.
## Useful, if you run the rportd behind a reverse proxy and the external URL differs from the internal address and port.
#url = "http://example.com"
## An optional string to seed the generation of a ECDSA public and private key pair.
## Highly recommended. Not using it is a big security risk.
## Use "openssl rand -hex 18" to generate a secure key seed.
key_seed = "5448e69530b4b97fb510f96ff1550500b093"
## An optional string representing a single client auth credentials, in the form of <client-auth-id>:<password>.
## This is equivalent to creating an {auth_file} with '{"<client-auth-id>":"<password>"}'.
## Use either {auth_file}/{auth_table} or {auth}. Not both.
## If multiple auth options are enabled, rportd exits with an error.
auth = "clientAuth1:1234"
## An optional path to a json file with client credentials.
## This is for authentication of the rport tunnel clients.
## The file should contain a map with clients credentials defined like:
## {
## "<client-auth-id1>": "<password1>",
## "<client-auth-id2>": "<password2>"
## }
## Use either {auth_file}/{auth_table} or {auth}. Not both.
## If multiple auth options are enabled, rportd exits with an error.
#auth_file = "/var/lib/rport/client-auth.json"
## An optional name of a database table for client authentication.
## Requires a global database connection. See below.
## The table must be created manually.
## Learn how to create them https://github.com/cloudradar-monitoring/rport/blob/master/docs/client-auth.md#using-a-database-table
#auth_table = "clients_auth"
## When using an {auth_file} or a database table creating separate credentials for each client is recommended.
## It increases security because you can lock out clients individually.
## If {auth_multiuse_creds} is false a client is rejected if another client with the same id is connected
## or has been connected within the {keep_lost_clients} interval.
## Defaults: true
#auth_multiuse_creds = true
## Having set {auth_multiuse_creds} = false, you can omit specifying a client-id.
## You can use the client-auth-id as client-id to slim down the client configuration.
## Defaults: false
#equate_clientauthid_clientid = false
## If you want to delegate the creation and maintenance to an external tool
## you should turn {auth_write} off.
## The API will reject all writing access to the client auth with HTTP 403.
## Applies only to {auth_file} and {auth_table}.
## Default: true
#auth_write = true
## Specifies another HTTP server to proxy requests to when rportd receives a normal HTTP request.
#proxy = "http://intranet.lan:8080/"
## Defines a list of port numbers or ranges of server ports,
## that would not be used for automatic port assignment.
## Defaults to ['1-1024'].
## If all ports should be used then set to "[]".
excluded_ports = [
'1-1024',
'8888',
'8080'
]
## An optional param to define a local directory path to store internal data.
## By default, "/var/lib/rport" is used.
## If the directory doesn't exist, it will be created.
## On Linux you must create this directory because an unprivileged user
## don't have the right to create a directory in /var/lib.
## Ideally this directory is the homedir of the rport user and has been created along with the user.
## Example: useradd -r -d /var/lib/rport -m -s /bin/false -U -c "System user for rport client and server" rport
data_dir = "/var/lib/rport"
## An optional param to define a duration to keep info (clients, tunnels, etc) about active and disconnected clients.
## By default is "1h". To disable it set it to "0". It can contain "h"(hours), "m"(minutes), "s"(seconds).
#keep_lost_clients = "1h"
## An optional param to define an interval to flush info (clients, tunnels, etc) about active
## and disconnected clients to disk. It can contain "h"(hours), "m"(minutes), "s"(seconds).
## By default, 1 second is used.
#save_clients_interval = "5s"
## An optional param to define an interval to clean up internal storage from obsolete
## disconnected clients. It can contain "h"(hours), "m"(minutes), "s"(seconds).
## By default, 3 seconds is used.
#cleanup-clients-interval = "5s"
## An optional param to define a limit for data that can be sent by rport clients and API requests.
## By default is set to 2048(2Kb).
#max_request_bytes = 2048
## An optional param to define a timeout in seconds to observe the remote command execution.
## Defaults: 60.
#run_remote_cmd_timeout_sec = 60
## An optional param to define a timeout to check whether a remote destination of a requested new tunnel is available,
## i.e. whether a given remote port is open on a client machine. By default, "2s" is used.
#check_port_timeout = "1s"
## There is no technical requirement to run the rport server under the root user.
## Running it as root is an unnecessary security risk.
## You don't even need root-rights to run rport on tcp ports below 1024.
## Use "setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/rportd" to allow the usage of any tcp ports.
## Hint: setcap must be applied after each update of the binary.
## Consider integrating it into the systemd service file as an ExecStartPre option.
## Rport exits with an error if started as root unless you explicitly allow it.
## Defaults to false
#allow_root = false
## NOTE: THIS OPTION IS NOT AVAILABLE YET
## Multi-tenancy
## Rport server can isolate clients and users from different tenants.
## Visit https://github.com/cloudradar-monitoring/rport/blob/master/docs/multi-tenancy.md
## Requires auth_table, auth_user_table, auth_group_table.
## Defaults to false.
#multi_tenancy = false
[logging]
## Specifies log file path for global logging
## Not setting {log_file} turns logging off.
log_file = "/var/log/rport/rportd.log"
## Specify log level. Values: 'error', 'info', 'debug'.
## Defaults to 'error'
log_level = "error"
## NOTE: THIS OPTION IS NOT AVAILABLE YET
## Specifies a log file path or database table for audit logging
## The audit log contains sensitive data about all users and their actions.
## Who has created a tunnel or executed a command when on which system(s)?
## It is your duty, to keep the file tidy, for example by using logrotate.
## Not setting {audit_log_file} or {audit_log_table} turns audit logging off.
## On conflicting settings rportd exits with an error.
#audit_log_file = "/var/log/rport/rportd-audit.log"
## NOTE: THIS OPTION IS NOT AVAILABLE YET
## An optional name of a database table to store the audit log.
## Requires a global database connection. See below.
## It is your duty, to keep the table tidy, for example by creating a cron.
## An example can be found here https://github.com/cloudradar-monitoring/rport/blob/master/docs/logging.md#database
## Not setting {audit_log_file} or {audit_log_table} turns audit logging off.
#audit_log_table = "audit_log"
[api]
## Defines the IP address and port the API server listens on.
## Specify non-empty {address} to enable API support.
address = "127.0.0.1:3000"
## Defines <user>:<password> authentication pair for accessing the API. Enables access for a single user.
## Learn more about api auth options and get examples
## https://github.com/cloudradar-monitoring/rport/blob/master/docs/api-auth.md
## Use either {auth_file}/{auth_user_table} or {auth}. Not both.
## If multiple auth options are enabled, rportd exits with an error.
auth = "admin:foobaz"
## Use a json file containing users, passwords and groups.
## Passwords are expected to be bcrypt encoded.
## Learn more about api auth options and get examples
## https://github.com/cloudradar-monitoring/rport/blob/master/docs/api-auth.md
## Use either {auth_file}/{auth_user_table} or {auth}. Not both.
## If multiple auth options are enabled, rportd exits with an error.
#auth_file = "/var/lib/rport/api-auth.json"
## An optional name of two database tables for api user authentication.
## Requires a global database connection. See below.
## Tables must be created manually.
## Learn how to create them https://github.com/cloudradar-monitoring/rport/blob/master/docs/api-auth.md#database
#auth_user_table = "users"
#auth_group_table = "groups"
## Defines JWT secret used to generate new tokens.
## If not set, it will be generated by server.
jwt_secret = "quei1too2Jae3xootu"
## If specified, rportd will serve static files from this directory on the same API address.
## This is the place where the frontend files (html/js) go.
## Learn how to install the frontend https://github.com/cloudradar-monitoring/rport/blob/master/docs/frontend.md
#doc_root = "/var/lib/rport/docroot"
## If both cert_file and key_file are specified, then rportd will use them to serve the API with https.
## Intermediate certificates should be included in cert_file if required.
#cert_file = "/var/lib/rport/server.crt"
#key_file = "/var/lib/rport/server.key"
## Specifies file for API access logs. Logs will be written in Combined Log Format.
## If this is not set the API access logs are disabled.
#access_log_file = "/var/log/rport/api-access.log"
[database]
## Global configuration of a database connection.
## The database and the initial schema must be created manually.
## Learn how to use a database:
## for api auth: https://github.com/cloudradar-monitoring/rport/blob/master/docs/api-auth.md#database
## for clients auth: https://github.com/cloudradar-monitoring/rport/blob/master/docs/client-auth.md#using-a-database-table
## Supported: MySQL/MariaDB and Sqlite3
## For MySQL or MariaDB.
#db_type = "mysql"
## For Sqlite3.
#db_type = "sqlite"
## Only for MySQL/Mariadb, ignored for Sqlite.
#db_host = "127.0.0.1:3306"
#db_host = "socket:/var/run/mysqld/mysqld.sock"
## Credentials, only for MySQL/Mariadb, ignored for Sqlite.
#db_user = "rport"
#db_password = "password"
## For MySQL/MariaDB name of the database.
#db_name = "rport"
## For Sqlite full path to the sqlite3 file.
#db_name = "/var/lib/rport/database.sqlite3"