forked from ntv-one/rport
-
Notifications
You must be signed in to change notification settings - Fork 0
/
rportd.example.conf
506 lines (428 loc) · 24.7 KB
/
rportd.example.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
#======================================================================================================================
# vim: softtabstop=2 shiftwidth=2 expandtab fenc=utf-8 spell spelllang=en cc=120
#======================================================================================================================
#
# FILE: rportd.example.config
#
# DESCRIPTION: Configuration file for the rport server
#
# BUGS: https://github.com/cloudradar-monitoring/rport/issues
#
# HELP: https://github.com/cloudradar-monitoring/rport/blob/master/README.md
#
# COPYRIGHT: (c) 2020 by the CloudRadar Team,
#
# LICENSE: MIT
# ORGANIZATION: cloudradar GmbH, Potsdam, Germany (cloudradar.io)
# CREATED: 10/10/2020
#======================================================================================================================
[server]
## Defines the IP address and port the HTTP server listens on.
## This is where the rport clients connect to.
## Defaults: "0.0.0.0:8080"
#address = "0.0.0.0:8080"
## Optionally defines full client connect URL(s).
## Defaults to http://{address}
## This setting is only used to return via an API call where rportd is listening for client connections.
## The pairing script generates a ready-to-use client configuration based on this {url}.
## Also useful, if you run the rportd behind a reverse proxy or a port forwarding
## and the external URL differs from the internal address and port.
## Accepts a single string like 'url = "http://rport.example.com"'
## or a list like 'url = ["http://rport.example.com", "http://192.168.1.1:8000"]
#url = "http://rport.example.com"
## Optionally defines the hostname or IP address used to generate links pointing to running tunnels.
## By default, all links are relative to the URL of the API or UI.
## If you run the API/UI behind a reverse proxy that is incapable of forwarding raw TCP/UDP packets,
## you can specify a separated tunnel_host to access tunnels, bypassing the reverse proxy.
#tunnel_host = "tunnels.rport.example.com"
## Optionally defines a custom pairing service URL.
## Defaults to https://pairing.rport.io
## To run your own pairing service, refer to https://github.com/cloudradar-monitoring/rport-pairing
## Accepts a single string like
#pairing_url = "https://pairing.example.com"
## An optional string to seed the generation of a ECDSA public and private key pair.
## Highly recommended. Not using it is a big security risk.
## Use "openssl rand -hex 18" to generate a secure key seed.
key_seed = "<YOUR_SEED>"
## An optional string representing a single client auth credentials, in the form of <client-auth-id>:<password>.
## This is equivalent to creating an {auth_file} with '{"<client-auth-id>":"<password>"}'.
## Use either {auth_file}/{auth_table} or {auth}. Not both.
## If multiple auth options are enabled, rportd exits with an error.
auth = "clientAuth1:1234"
## An optional path to a json file with client credentials.
## This is for authentication of the rport tunnel clients.
## The file should contain a map with clients credentials defined like:
## {
## "<client-auth-id1>": "<password1>",
## "<client-auth-id2>": "<password2>"
## }
## Use either {auth_file}/{auth_table} or {auth}. Not both.
## If multiple auth options are enabled, rportd exits with an error.
#auth_file = "/var/lib/rport/client-auth.json"
## An optional name of a database table for client authentication.
## Requires a global database connection. See below.
## The table must be created manually.
## Learn how to create them https://oss.rport.io/get-started/client-authentication/#using-a-database-table
#auth_table = "clients_auth"
## When using an {auth_file} or a database table, creating separate credentials for each client is recommended.
## It increases security because you can lock out clients individually.
## If {auth_multiuse_creds} is false, a client is rejected if another client with the same id is connected
## or has been connected within the {keep_disconnected_clients} interval.
## Defaults: true
#auth_multiuse_creds = true
## Having set {auth_multiuse_creds} = false, you can omit specifying a client-id.
## You can use the client-auth-id as client-id to slim down the client configuration.
## Defaults: false
#equate_clientauthid_clientid = false
## If you want to delegate the creation and maintenance to an external tool
## you should turn {auth_write} off.
## The API will reject all writing access to the client auth with HTTP 403.
## Applies only to {auth_file} and {auth_table}.
## Default: true
#auth_write = true
## Specifies another HTTP server to proxy requests to when rportd receives a normal HTTP request.
#proxy = "http://intranet.lan:8080/"
## Defines a list of port numbers or ranges of server ports,
## that would be used for automatic and manual port assignment.
## Creating reverse tunnels will fail if the requested server port is not listed here.
## Defaults to ['20000-30000'].
## Example:
## used_ports = [ '1024-2000', '9000', '9090' ]
#used_ports = ['20000-30000']
## Defines a list of port numbers or ranges of server ports,
## that would not be used for automatic and manual port assignment.
## Values that are not included in the {used_ports} are ignored.
## Defaults to ['1-1024'].
## If no ports should be excluded, then set it to "[]".
#excluded_ports = ['1-1024']
## An optional param to define a local directory path to store internal data.
## By default, "/var/lib/rport" is used.
## If the directory doesn't exist, it will be created.
## On Linux, you must create this directory because an unprivileged user
## don't have the right to create a directory in /var/lib.
## Ideally, this directory is the homedir of the rport user and has been created along with the user.
## Example: useradd -r -d /var/lib/rport -m -s /bin/false -U -c "System user for rport client and server" rport
data_dir = "/var/lib/rport"
## By default all Sqlite3 databases are opened with WAL enabled.
## This is a performance enhancement. Do not turn off, unless you have good reasons.
#sqlite_wal = true
## An optional parameter to define whether disconnected clients get purged from the database.
## By default, disconnected clients are NOT purged.
#purge_disconnected_clients = false
## An optional parameter to define a duration to keep info (clients, tunnels, etc) about disconnected clients.
## By default is "1h". A value of "0" means disconnected clients are purged immediately.
## Requires 'purge_disconnected_clients = true', otherwise ignored.
## Value can contain suffixes "h"(hours), "m"(minutes), "s"(seconds); Maximum allowed: 168h (=7days)
#keep_disconnected_clients = "1h"
## An optional parameter to define an interval to purge disconnected clients from storage.
## Requires 'purge_disconnected_clients = true', otherwise ignored
## Value can contain suffixes "h"(hours), "m"(minutes), "s"(seconds).
## By default, 1 minute is used.
#purge_disconnected_clients_interval = "1m"
## A background task will continuously check the client connection status by sending pings at the specified interval.
## Value can contain suffixes "h"(hours), "m"(minutes), "s"(seconds).
## Enabled by default with a '5m' interval. This task cannot be switched off. Fastest interval allowed = '2m'
#check_clients_connection_interval = "5m"
## Timeout per client for the above clients' connection check.
## If client does not respond within timeout, it's considered disconnected.
## Value can contain suffixes "h"(hours), "m"(minutes), "s"(seconds).
## By default, 30 seconds are used.
#check_clients_connection_timeout = "30s"
## An optional parameter to define a limit for data that can be sent by API requests.
## By default is set to 10240(10Kb).
#max_request_bytes = 10240
## An optional parameter to define a limit for data that can be sent by rport clients.
## By default is set to 524288(512Kb).
#max_request_bytes_client = 524288
## The maximum upload size of a file in bytes.
## If exceeded, an error is returned. Please note that max_request_bytes is not affecting the file upload API
## https://oss.rport.io/advanced/file-reception/
## Defaults: 10485760 bytes (~ 10.5 MB).
#max_filepush_size = 10485760
## An optional parameter to define a timeout in seconds to observe the remote command execution.
## Defaults: 60.
#run_remote_cmd_timeout_sec = 60
## An optional parameter to define a timeout to check whether a remote destination of a requested new tunnel is available,
## i.e. whether a given remote port is open on a client machine. By default, "2s" is used.
#check_port_timeout = "1s"
## There is no technical requirement to run the rport server under the root user.
## Running it as root is an unnecessary security risk.
## You don't even need root-rights to run rport on tcp ports below 1024.
## Use "setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/rportd" to allow the usage of any tcp ports.
## Hint: setcap must be applied after each update of the binary.
## Consider integrating it into the systemd service file as an ExecStartPre option.
## Rport exits with an error if started as root, unless you explicitly allow it.
## Defaults to false
#allow_root = false
## Protect your server against password guessing.
## Force clients to wait N seconds (float) between unsuccessful login attempts.
## This is per client auth id.
## A message like
## 'client-listener: Failed login attempt for client auth id "abc", forcing to wait for {client_login_wait}s ({ip})'
## is logged to the info log.
## Consider changing the log_level to 'info' to trace failed login attempts.
## Learn more https://oss.rport.io/advanced/securing-the-rport-server/
## Defaults: 2.0
#client_login_wait = 2.0
## After {max_failed_login} consecutive failed login-in attempts, ban the source IP address for {ban_time} seconds.
## HTTP Status 423 is returned.
## A message like
## 'Maximum of {max_failed_login} login attempts reached. Visitor ({remote-ip}) banned. Ban expiry: 2021-04-16T11:22:26+00:00'
## is logged to the info log.
## Banning happens on HTTP level.
## Consider banning on network level using fail2ban.
## Learn more https://oss.rport.io/advanced/securing-the-rport-server/
## Defaults: max_failed_login = 5, ban_time = 3600
#max_failed_login = 5
#ban_time = 3600
## To enable testing endpoints (/test/commands/ui and /test/scripts/ui) for ws endpoints (/ws/commands and /ws/scripts) provide
## true for `enable_ws_test_endpoints`
## Defaults: enable_ws_test_endpoints = false
#enable_ws_test_endpoints = false
## Enable the creation of tunnel proxies with giving certificate- and key-file
## Defaults: not enabled
#tunnel_proxy_cert_file = "/var/lib/rport/server.crt"
#tunnel_proxy_key_file = "/var/lib/rport/server.key"
## If specified, rportd will serve novnc javascript app from this directory.
#novnc_root = "/var/lib/rport/novncroot"
## Host and port where guacd daemon is listening.
## If specified, rportd will serve remote desktop connections in browser through Apache Guacamole.
#guacd_address = "127.0.0.1:4822"
## Maximum number of results to keep for commands, scripts and schedules execution
#jobs_max_results = 10000
[logging]
## Specifies log file path for global logging
## Not setting {log_file} turns logging off.
log_file = "/var/log/rport/rportd.log"
## Specify log level. Values: 'error', 'info', 'debug'.
## Defaults to 'info'
log_level = "info"
[api]
## Defines the IP address and port the API server listens on.
## Specify non-empty {address} to enable API support.
address = "0.0.0.0:3000"
## Defines <user>:<password> authentication pair for accessing the API. Enables access for a single user.
## Learn more about api auth options and get examples https://oss.rport.io/get-started/api-authentication/
## Use either {auth_file}/{auth_user_table} or {auth}. Not both.
## If multiple auth options are enabled, rportd exits with an error.
auth = "admin:foobaz"
## Use a json file containing users, passwords and groups.
## Passwords are expected to be bcrypt encoded.
## Learn more about api auth options and get examples https://oss.rport.io/get-started/api-authentication/
## Use either {auth_file}/{auth_user_table} or {auth}. Not both.
## If multiple auth options are enabled, rportd exits with an error.
#auth_file = "/var/lib/rport/api-auth.json"
## An optional name of database tables for api user authentication.
## Requires a global database connection. See below.
## Tables must be created manually.
## Learn how to create them https://oss.rport.io/get-started/api-authentication/#database
#auth_user_table = "users"
#auth_group_table = "groups"
#auth_group_details_table = "group_details"
## The rport server can treat all requests as pre-authenticated by a reverse proxy based on a http header.
## This option is enabled if auth_header is set.
## If the header exists, the request is considered valid and a session is created.
## Inside the same or a different header, the username must be submitted.
#auth_header = "Authentication-IsAuthenticated"
#user_header = "Authentication-User"
## If the user doesn't exist yet, it can be created on-the-fly.
## Disabled by default
#create_missing_users = true
## If users are created on-the-fly to which user group do they belong?
## Applies also to all users created by an OAuth authentication (Rport Plus only)
#default_user_group = "Administrators"
## Use two-factor authentication to generate auth tokens.
## Learn more on https://oss.rport.io/get-started/api-authentication/#two-factor-auth
## Using 2FA will disable HTTP basic authentication on all API endpoints except '/login'. It triggers sending 2FA
## verification code to a user using a chosen delivery method. This code can be further verified using '/verify-2fa' endpoint.
## Two-factor authentication requires either a valid SMTP or Pushover setup.
## Your user-password store (json files or DB table) needs an additional field 'two_fa_send_to'.
## 2FA is not available if you use a single static user-password pair set directly in the rportd.conf.
## Use either 'smtp', 'pushover' or a path to an executable binary or script.
## Executables must read recipients details from the environment. Check our examples from the link above.
## Sending the token has a default timeout of 10 seconds.
## 2FA is disabled by default.
## Token sent via the specified delivery method has a default lifetime of 600 seconds.
#two_fa_token_delivery = 'smtp'
#two_fa_token_ttl_seconds = 600
#two_fa_send_timeout = 10s
## When using an executable for token delivery, you can optionally specify how the two_fa_send_to is validated on changes.
## Ignored when using SMTP or Pushover for token delivery.
## Use two_fa_send_to_type = 'email' to accept only valid email address.
## Or use a regular expression, for example
## two_fa_send_to_type = 'regex'
## two_fa_send_to_regex = '[a-z0-9]{10}'
#two_fa_send_to_type = 'none'
## To enable time-based onetime tokens generated by apps likes Google or Microsoft Authenticator,
## set 'totp_enabled = true'.
## Your user-password store (json files or DB table) needs an additional text field 'totp_secret'.
#totp_enabled = false
## Learn more on https://oss.rport.io/get-started/api-authentication/#two-factor-auth
## Before sending the token generated by the authenticator app,
## users should do a login attempt. Otherwise, they can request tokens directly without login.
## 'totp_login_session_ttl' sets the timeout after which totp codes won't be accepted
#totp_login_session_ttl = '600s'
## If you run multiple RPort servers, you should give them different totp account names
## to differentiate them on your authenticator app.
#totp_account_name = 'RPort'
## Defines JWT secret used to generate new tokens.
## If not set, it will be generated by server. (This causes all users to be logged out on server restart)
## Use 'pwgen 18 1' or 'openssl rand -hex 9' to generate a secure secret.
jwt_secret = "<YOUR_SECRET>"
## If specified, rportd will serve static files from this directory on the same API address.
## This is the place where the frontend files (html/js) go.
## Learn how to install the frontend https://oss.rport.io/get-started/rport-frontend/
#doc_root = "/var/lib/rport/docroot"
## If both cert_file and key_file are specified, then rportd will use them to serve the API with https.
## Intermediate certificates should be included in cert_file if required.
#cert_file = "/var/lib/rport/server.crt"
#key_file = "/var/lib/rport/server.key"
## Specifies file for API access logs. Logs will be written in Combined Log Format.
## If this is not set, the API access logs are disabled.
#access_log_file = "/var/log/rport/api-access.log"
## Protect your API server against password guessing.
## Force users to wait N seconds (float) between unsuccessful login attempts.
## This is per username.
## Defaults: 2.0
#user_login_wait = 2.0
## After X failed login-in attempts, ban the source IP address for Z seconds.
#max_failed_login = 5
#ban_time = 3600
## Each action is logged and stored in a database to follow up who did what when.
## The audit log is enabled by default. The data is stored in {data_dir}.audit_log.db
#enable_audit_log = true
## Storing the full remote IP address of the API users might violate privacy protection regulations.
## Using obfuscation stores only the first three segments of the IP address (IPv4 only).
## Turned off by default.
#use_ip_obfuscation = false
## Depending on the number of actions your rport server performs, the audit log can grow fast.
## By default, the audit_log database file is changed every month.
## Consider changing to a faster rotation.
#audit_log_rotation = 'monthly', possible values: yearly, monthly, weekly, daily
[database]
## Global configuration of a database connection.
## The database and the initial schema must be created manually.
## Learn how to use a database:
## for api auth: https://oss.rport.io/get-started/api-authentication/#database
## for clients auth: https://oss.rport.io/get-started/client-authentication/#using-a-database-table
## Supported: MySQL/MariaDB and Sqlite3
## For MySQL or MariaDB.
#db_type = "mysql"
## For Sqlite3.
#db_type = "sqlite"
## Only for MySQL/Mariadb, ignored for Sqlite.
#db_host = "127.0.0.1:3306"
#db_host = "socket:/var/run/mysqld/mysqld.sock"
## Credentials, only for MySQL/Mariadb, ignored for Sqlite.
#db_user = "rport"
#db_password = "password"
## For MySQL/MariaDB name of the database.
#db_name = "rport"
## For Sqlite full path to the sqlite3 file.
#db_name = "/var/lib/rport/database.sqlite3"
[pushover]
## Pushover settings for sending push messages via Pushover.net. Currently, used only for sending two-factor auth tokens.
## Learn more on https://oss.rport.io/get-started/2fa-messaging/#pushover
## Required (only if pushover is specified as {api.two_fa_token_delivery}): pushover API token and user key
#api_token = 'abc123'
#user_key = 'user123'
[smtp]
## SMTP settings for sending email. Currently, used only for sending two-factor auth tokens.
## Learn more on https://oss.rport.io/get-started/2fa-messaging/#smtp
## Required (only if smtp is specified as {api.two_fa_token_delivery}):
## smtp server and port separated by a colon. e.g. server = 'smtp.gmail.com:2525'
## sender email - an email that is used to send 2FA tokens
## Optional:
## auth_username, specify a username for authentication
## auth_password, specify a password for the username.
## secure = true|false, enable if Implicit(Forced) TLS must be used.
#server = 'smtp.example.com:2525'
#sender_email = '[email protected]'
#auth_username = 'john.doe'
#auth_password = 'secret'
#secure = false
[monitoring]
## The rport server stores monitoring data of the clients for N days.
## https://oss.rport.io/advanced/monitoring/
## Older data is purged automatically.
## Default: 30 days
#data_storage_days = 30
[plus-plugin]
## Rport Plus is a paid for binary extension to Rport.
## Learn more at https://plus.rport.io/
## When using Rport Plus, the plugin path must be specified
# plugin_path = "/usr/local/lib/rport/rport-plus.so"
[plus-oauth]
## The Rport Plus OAuth capability support SSO/OAuth based user sign-in via
## a number of OAuth identity providers.
## Learn more at https://plus.rport.io/auth/oauth-introduction/
## provider - indicates which OAuth provider is to be used. Currently
## must be one of "github", "microsoft" or "google". Required.
# provider = "github"
## authorize_url - OAuth provider base url used for handling the user's
## authorization. Required - if using the web app style flow.
# authorize_url = "https://github.com/login/oauth/authorize"
## device_authorize_url - All the OAuth providers use a different url from
## the authorize_url for the device flow. Required - if using the device
## style flow.
# device_authorize_url = "https://github.com/login/device/code"
## token_url - OAuth provider base url where rportd will get an OAuth
## access token for looking up the user and organization/group info.
## Required.
# token_url = "https://github.com/login/oauth/access_token"
## client_id - identifier assigned to the Rport 'app' configured as part of
## the OAuth provider setup. Required - if not using the google device style
## flow.
# client_id = "<your client id>"
## client_secret - a secret provided by the OAuth provider to be used when
## exchanging an authorization code for OAuth provider tokens. This secret
## must be kept private and should NOT be included in any source code repo
## check-ins, unencrypted cloud backups, etc. Required - if not using the
## google device style flow.
# client_secret = "<your client secret>"
## device_client_id - identifier assigned to the Rport 'app' configured as
## part of the google device flow setup. Required - if using the google device
## style flow, otherwise not used.
# device_client_id = "<your google device client id>"
## device_client_secret - a secret provided by the google device flow setup
## that is used when getting OAuth access tokens.
## This secret must be kept private and should NOT be included in any source
## code repo check-ins, unencrypted cloud backups, etc. Required - if using the
## google device style flow, otherwise not used.
# device_client_secret = "<your google device client secret>"
## The redirect_uri setting is the OAuth provider base url where the OAuth
## provider will redirect (with an authorization code - when using the web app
## style flow) after completing the user’s authorization. If using the RPort
## UI then this setting must be set to http://localhost/oauth/callback.
## Required - if using the web app style flow.
# redirect_uri = "http://localhost:3000/oauth/callback"
## required_organization - GitHub only. Specifies a GitHub organization
## who's users have permission to access the Rport server. The required_organization
## must match the organization name as displayed in the GitHub URL for the
## organization or as under the list of organizations for which the user is a
## member. **Optional** if permitted_user_list or permitted_user_match (see
## below) are being used.
# required_organization = ""
## required_group_id - Microsoft and Google only. Specifies a Microsoft or Google
## group id who's members have permission to access the RPort server. Users who
## are not members of the group will be denied access. Note that not used when
## using the device style flow with google. **Optional**.
# required_group_id = ""
## permitted_user_list - whether Rport OAuth will only allow users configured
## via the existing Rport 'api auth' mechanism. This can be used with the
## required_organization or required_group_id settings to limit users to a
## permitted set in the organization or group. If permitted_user_list is set
## to false then all users in an OAuth provider organization will be allowed
## access, subject to the permitted user config settings.
## If GitHub then one of either required_organization, permitted_user_list or
## permitted_user_match must be set. The options can be combined. Setting
## permitted_user_list or permitted_user_match to false and
## not setting required_organization is not allowed. If Microsoft or Google
## then permitted_user_list is always **Optional**.
# permitted_user_list = true
## permitted_user_match - provides further control of the permitted users via
## a regex value.
## e.g. permitted_user_match="sample-org.com$"
## will match usernames ending in "sample-org.com$".
## Cannot be used at the same time as permitted_user_list.
# permitted_user_match = ""