forked from pilinux/gorest
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path.env.sample
315 lines (300 loc) · 8.8 KB
/
.env.sample
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
#
# APPLICATION
#
APP_NAME=app-name
APP_SCHEMA=http
APP_HOST=localhost
APP_PORT=8999
# serverenv = development OR production
APP_ENV=development
#
# Get real IP of the client
#
# when using Cloudflare's CDN:
# TRUSTED_PLATFORM=cf
#
# when running on Google App Engine:
# TRUSTED_PLATFORM=google
#
# when using apache or nginx reverse proxy without
# Cloudflare's CDN or Google App Engine:
# [Default value]
TRUSTED_PLATFORM=X-Real-Ip
#
# config for nginx:
# =================
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Sentry.io
# Activate by setting it to yes
# Deactivate by setting it to no
ACTIVATE_SENTRY=no
SentryDSN=https://[email protected]/xyz
#
# User password minimum length
#
MIN_PASS_LENGTH=6
#
# Basic Auth
#
# Activate by setting it to yes
# Deactivate by setting it to no
ACTIVATE_BASIC_AUTH=yes
USERNAME=your_username
PASSWORD=secret_password
#
# JWT
#
# Activate by setting it to yes
# Deactivate by setting it to no
ACTIVATE_JWT=yes
ACCESS_KEY=Use_a_strong_and_long_random_key
REFRESH_KEY=Use_another_strong_and_long_random_key
# expires tokens in minutes
ACCESS_KEY_TTL=5
REFRESH_KEY_TTL=60
AUDIENCE=
ISSUER=gorest
# NotBefore for ACCESS_KEY in seconds
NOT_BEFORE_ACC=0
# NotBefore for REFRESH_KEY in seconds
NOT_BEFORE_REF=0
SUBJECT=
#
# HashPass config
#
# Activate by setting it to yes
# Deactivate by setting it to no
ACTIVATE_HASHING=yes
# The amount of memory used by the Argon2 algorithm (in kibibytes)
# HASHPASSMEMORY * 1024
HASHPASSMEMORY=64
# The number of iterations (or passes) over the memory
HASHPASSITERATIONS=2
# The number of threads (or lanes) used by the algorithm
# Changing the value of the Parallelism parameter changes the hash output
HASHPASSPARALLELISM=2
# Length of the random salt. 16 bytes is recommended for password hashing
HASHPASSSALTLENGTH=16
# Length of the generated key (or password hash). 16 bytes or more is recommended
HASHPASSKEYLENGTH=32
#
# Email verification and password recovery
#
VERIFY_EMAIL=no
RECOVER_PASSWORD=no
#
# Two-Factor Authentication
#
# Activate by setting it to yes
# Deactivate by setting it to no
ACTIVATE_2FA=no
TWO_FA_ISSUER=gorest
# SHA1 = 1, SHA256 = 256, SHA512 = 512
# FreeOTP supports SHA1, SHA256 SHA512
# Authy, Google Authenticator, Microsoft Authenticator, Okta
# support only SHA1
# So, better to use only SHA1 for now
TWO_FA_CRYPTO=1
# TWO_FA_DIGITS = 6, 7 or 8
TWO_FA_DIGITS=6
TWO_FA_VERIFIED=verified
TWO_FA_ON=on
TWO_FA_OFF=off
TWO_FA_INVALID=invalid
# Must be a local directory with relative path
# where the main application is hosted
TWO_FA_QR_PATH=tmp
#
# App Firewall
#
# Activate by setting it to yes
# Deactivate by setting it to no
ACTIVATE_FIREWALL=yes
# Allow all IP [LISTTYPE=whitelist | IP=*]
# Block all IP [LISTTYPE=blacklist | IP=*]
# Allow one or several IPs [LISTTYPE=whitelist | IP=x.x.x.x]
# Block one or several IPs [LISTTYPE=blacklist | IP=x.x.x.x]
LISTTYPE=whitelist
# LISTTYPE=blacklist
# IP - comma-separated list
# IP=192.168.0.1,10.0.0.1
IP=*
#
# CORS
#
# Activate by setting it to yes
# Deactivate by setting it to no
ACTIVATE_CORS=yes
#
# Access-Control-Allow-Origin
# Indicates whether the response can be shared with requesting code from the given origin
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
CORS_ORIGIN=*
#
# Access-Control-Allow-Credentials
# Indicates whether or not the actual request can be made using credentials
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
CORS_CREDENTIALS=true
#
# Access-Control-Allow-Headers
# Indicate which HTTP headers can be used during the actual request
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
CORS_HEADERS=Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, Accept, Origin, Cache-Control, X-Requested-With
#
# Access-Control-Expose-Headers
# Which response headers should be made available to scripts running in the browser
# in response to a cross-origin request
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
CORS_EXPOSE_HEADERS=Content-Length
#
# Access-Control-Allow-Methods
# Specifies one or more allowed methods
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
CORS_METHODS=GET, POST, PUT, PATCH, DELETE
#
# Access-Control-Max-Age
# Indicates how long the results of a preflight request can be cached
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
CORS_MAXAGE=3600
#
# X-Content-Type-Options
# Prevent some browsers from MIME-sniffing the response
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
CORS_X_CONTENT_TYPE=nosniff
#
# X-Frame-Options
# Protect website against clickjacking
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# https://tools.ietf.org/html/rfc7034#section-2.1
# X-Frame-Options: DENY, SAMEORIGIN
CORS_X_FRAME=DENY
#
# Referrer-Policy
# Set a strict Referrer Policy to mitigate information leakage
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
CORS_REFERRER=strict-origin-when-cross-origin
#
# Content-Security-Policy
# Mitigate the risk of cross-site scripting and other content-injection attacks
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://content-security-policy.com/
# https://developers.google.com/web/fundamentals/security/csp
CORS_CONTENT_SECURITY=default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'
#
# Timing-Allow-Origin
# Allow cross-origin access to the timing information for all resources
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
CORS_TIMING_ALLOW_ORIGIN=*
#
# Strict-Transport-Security
# HTTP Strict Transport Security (HSTS)
# https://tools.ietf.org/html/rfc6797#section-6.1
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# Strict-Transport-Security: max-age=63072000; includeSubDomains
# To enable HSTS preload inclusion: https://hstspreload.org/#deployment-recommendations
# Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
CORS_HSTS=
#
# HTML Templates
#
# Activate by setting it to yes
# Deactivate by setting it to no
ACTIVATE_VIEW=no
# Must be a local directory with relative path
# where the main application is hosted
TEMPLATE_DIR=templates
#
# RDBMS
#
# Activate by setting it to yes
# Deactivate by setting it to no
ACTIVATE_RDBMS=no
# Supported dbDriver: mysql, postgres, sqlite3
DBDRIVER=dbDriver
DBUSER=dbUser
DBPASS=dbPass
DBNAME=dbName
DBHOST=localhost
DBPORT=dbport
DBSSLMODE=disable
DBTIMEZONE=Europe/Berlin
#
# Max number of connections in the idle connection pool
DBMAXIDLECONNS=10
#
# Max number of open connections in the database
DBMAXOPENCONNS=100
#
# Max amount of time a connection may be reused
# Example:
# 1h
# 10m
# 20s
# 2h30m
# 2h30m45s
DBCONNMAXLIFETIME=1h
#
# Silent level = 1
# Error level = 2
# Warn level = 3
# Info level = 4
DBLOGLEVEL=1
#
# REDIS
#
# Activate by setting it to yes
# Deactivate by setting it to no
ACTIVATE_REDIS=no
REDISHOST=127.0.0.1
REDISPORT=6379
POOLSIZE=10
# Context deadline in second
CONNTTL=5
#
# MONGO
#
# Activate by setting it to yes
# Deactivate by setting it to no
ACTIVATE_MONGO=no
# Manual: https://docs.mongodb.com/manual/reference/connection-string/
# For MongoDB Atlas
# MONGO_URI=mongodb+srv://<username>:<password>@<cluster>.<subdomain>.mongodb.net/<cluster>?retryWrites=true&w=majority
# For standard connection on the local machine with auth
MONGO_URI=mongodb://<username>:<password>@<IP>:<PORT>/?retryWrites=true&w=majority
# For standard connection on the local machine without auth
# MONGO_URI=mongodb://<IP>:<PORT>/?retryWrites=true&w=majority
MONGO_APP=any_app_name
# Connection pool
MONGO_POOLSIZE=50
MONGO_MONITOR_POOL=yes
# MONGO_MONITOR_POOL=no
# Mongo client context deadline in second
MONGO_CONNTTL=10
#
# EMAIL SERVICE
#
# Activate by setting it to yes
# Deactivate by setting it to no
ACTIVATE_EMAIL_SERVICE=no
# Supported providers: postmark
EMAIL_SERVICE_PROVIDER=postmark
# EMAIL_API_TOKEN: For postmark, it is the server token
EMAIL_API_TOKEN=
# Activate by setting it to yes
EMAIL_TRACK_OPENS=no
# EMAIL_TRACK_LINKS: Possible options -
# "None", "HtmlAndText", "HtmlOnly", "TextOnly"
EMAIL_TRACK_LINKS=None
# EMAIL_DELIVERY_TYPE: message stream ID
EMAIL_DELIVERY_TYPE=outbound
EMAIL_VERIFY_TEMPLATE_ID=0
EMAIL_PASS_RECOVER_TEMPLATE_ID=0
EMAIL_VERIFY_CODE_LENGTH=8
EMAIL_PASS_RECOVER_CODE_LENGTH=12
EMAIL_VERIFY_TAG=emailVerification
EMAIL_PASS_RECOVER_TAG=passwordRecover
EMAIL_HTML_MODEL=product_url:https://github.com/pilinux/gorest;product_name:gorest;company_name:pilinux;company_address:Country
EMAIL_VERIFY_VALIDITY_PERIOD=86400
EMAIL_PASS_RECOVER_VALIDITY_PERIOD=1800