From 3c7d82bb96789a66cf07dbf63a944c519c052c44 Mon Sep 17 00:00:00 2001 From: community Date: Mon, 19 Jun 2023 09:12:11 +0000 Subject: [PATCH] GITBOOK-17: Add DEFGUARD_SECRET_KEY variable --- .../setting-up-your-instance/docker-compose.md | 17 +++++++---------- .../environmental-variables-configuration.md | 1 + 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/features/setting-up-your-instance/docker-compose.md b/features/setting-up-your-instance/docker-compose.md index 25d4ee6..5ea9750 100644 --- a/features/setting-up-your-instance/docker-compose.md +++ b/features/setting-up-your-instance/docker-compose.md @@ -1,4 +1,4 @@ -# Deploy Defguard with docker compose +# Docker Compose We prepared a [git repository](https://github.com/DefGuard/deployment) with docker-compose configuration, clone it: 
@@ -16,23 +16,22 @@ cp .env.template .env And then edit the values in `.env` file to setup your secrets. Those should be kept... well, secret. {% hint style="info" %} -You can generate random strings for secrets with e.g.: `openssl rand -base64 30` +You can generate random strings for secrets with e.g.: `openssl rand -base64 48` {% endhint %} ## SSL setup {% hint style="warning" %} -It's crytically important to ensure SSL encryption between Defguard and Gateway services. -You should only skip this step if you plan to have a reverse proxy in between that adds encryption itself. +It's crytically important to ensure SSL encryption between Defguard and Gateway services. You should only skip this step if you plan to have a reverse proxy in between that adds encryption itself. {% endhint %} You'll need a valid: + * CA certificate (defguard-ca.pem) - used by Gateway for Defguard identity verification & encryption * Certificate for Defguard signed by CA (defguard.crt) - used by Defguard to serve gateway gRPC * Private key for Defguard (defguard.key) - used by Defguard for encryption -[Here](https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/) is a good tutorial on how to -generate a self-signed certificate. +[Here](https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/) is a good tutorial on how to generate a self-signed certificate. Put the certificates in .volumes/ssl directory. 
@@ -50,8 +49,7 @@ That's it, Defguard should be running on port 80 of your server ([http://localho ## OpenID RSA setup -By default Defguard uses [HMAC](https://en.wikipedia.org/wiki/HMAC) algorithm for OIDC token validation. -If you want to use [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)), you'll have to: +By default Defguard uses [HMAC](https://en.wikipedia.org/wiki/HMAC) algorithm for OIDC token validation. If you want to use [RSA](https://en.wikipedia.org/wiki/RSA\_\(cryptosystem\)), you'll have to: 1. Create volume directory: @@ -80,5 +78,4 @@ core: ## LDAP -To setup LDAP integration, you'll have to configure environment variables for core service. -You'll find more info on how to do this [here](../ldap-synchronization-setup.md). +To setup LDAP integration, you'll have to configure environment variables for core service. You'll find more info on how to do this [here](../ldap-synchronization-setup.md). diff --git a/in-depth/environmental-variables-configuration.md b/in-depth/environmental-variables-configuration.md index a3a558e..465debb 100644 --- a/in-depth/environmental-variables-configuration.md +++ b/in-depth/environmental-variables-configuration.md 
@@ -32,6 +32,7 @@ Environment variables that are **not already set** are loaded from .env files by * `DEFGUARD_AUTH_SECRET` : JWT secret key for encrypting user tokens, default: `DEFGUARD_AUTH_SECRET` * `DEFGUARD_YUBIBRIDGE_SECRET` : JWT secret key for encrypting YubiBridge tokens, default: `DEFGUARD_YUBIBRIDGE_SECRET` * `DEFGUARD_GATEWAY_SECRET` : JWT secret key for encrypting Gateway tokens, default: `DEFGUARD_GATEWAY_SECRET` +* DEFGUARD\_SECRET\_KEY: JWT secret key for encrypting private cookies; must be at least 64 characters long * `DEFGUARD_WG_SERVICE_URL` : WireGuard service instance to connect to, default: `http://wireguard:50051` * `DEFGUARD_URL` : URL of your server instance, default `localhost:8000`, Needed for OpenID discovery endpoint to work correctly. * `DEFGUARD_WEBAUTHN_RP_ID` (optional): Relying on party ID and relying on party origin for WebAuthn used for MFA. By default, it's generated by using a base domain of `DEFGUARD_URL` (for example https://defguard.example.com is converted to defguard.example.com).
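Review bot: In the docker-compose.md `@@ -16,23 +16,22 @@` hunk, the typo "crytically" survives on both the removed and the added line of the SSL warning; since the line is being rewritten anyway, change it to "critically". The same hunk changes the suggested command from `openssl rand -base64 30` to `openssl rand -base64 48` without saying why; 48 random bytes base64-encode to 64 characters, which is exactly the minimum this patch introduces for `DEFGUARD_SECRET_KEY`, so a half-sentence in the hint ("48 bytes gives a 64-character string, the minimum for `DEFGUARD_SECRET_KEY`") would stop readers from trimming the value or reverting to the shorter length.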
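Review bot: In the environmental-variables-configuration.md `@@ -32,6 +32,7 @@` hunk, the new entry `* DEFGUARD\_SECRET\_KEY: JWT secret key for encrypting private cookies; must be at least 64 characters long` does not follow the format of the surrounding entries: the neighbouring variables are wrapped in backticks (`` `DEFGUARD_GATEWAY_SECRET` : ... ``) and each states a default, whereas this one uses escaped underscores, no backticks, and no default. Either add `default: ...` or state explicitly that the variable is required and that the service refuses to start when it is missing or shorter than 64 characters, so operators know the failure mode. The description also calls it a "JWT secret key" while saying it encrypts private cookies; if the key is used for cookie encryption rather than token signing, drop "JWT" to avoid suggesting it can be shared with the other `*_SECRET` values.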