diff --git a/.env.example b/.env.example
new file mode 100644
index 00000000..fee6d8bf
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,73 @@
+# Caddy Proxy Manager Environment Configuration
+# Copy this file to .env and update with your secure values
+# IMPORTANT: chmod 600 .env after creating it
+
+# =============================================================================
+# REQUIRED SECURITY SETTINGS (PRODUCTION)
+# =============================================================================
+
+# Session Secret (REQUIRED)
+# Generate with: openssl rand -base64 32
+# Must be at least 32 characters in production
+SESSION_SECRET=your-secure-session-secret-here-min-32-chars
+
+# Admin Credentials (REQUIRED)
+# USERNAME: Any username (e.g., "admin" is fine)
+# PASSWORD: Must be 12+ characters with:
+# - Uppercase letters (A-Z)
+# - Lowercase letters (a-z)
+# - Numbers (0-9)
+# - Special characters (!@#$%^&* etc.)
+ADMIN_USERNAME=admin
+ADMIN_PASSWORD=Your-Secure-P@ssw0rd-Here!
+
+# =============================================================================
+# APPLICATION CONFIGURATION
+# =============================================================================
+
+# Public base URL for the application
+BASE_URL=http://localhost:3000
+
+# =============================================================================
+# OPTIONAL: ADVANCED CONFIGURATION
+# =============================================================================
+
+# Database configuration (usually no need to change)
+# DATABASE_URL=file:./data/caddy-proxy-manager.db
+
+# Caddy Admin API endpoint (usually no need to change)
+# CADDY_API_URL=http://caddy:2019
+
+# Certificate storage directory (usually no need to change)
+# CERTS_DIRECTORY=./data/certs
+
+# Login rate limiting (optional, for custom rate limit settings)
+# LOGIN_MAX_ATTEMPTS=5
+# LOGIN_WINDOW_MS=300000
+# LOGIN_BLOCK_MS=900000
+
+# =============================================================================
+# SECURITY NOTES
+# =============================================================================
+#
+# Production Security (Strictly Enforced):
+# - Application will refuse to start without proper credentials
+# - Default values (admin/admin) are automatically rejected
+# - All requirements are validated at startup
+#
+# Quick Setup for Production:
+# export SESSION_SECRET=$(openssl rand -base64 32)
+# export ADMIN_USERNAME="admin"
+# export ADMIN_PASSWORD="YourStr0ng-P@ssw0rd!"
+#
+# Development Mode:
+# export NODE_ENV=development
+# # Default credentials (admin/admin) work in development
+#
+# Security Best Practices:
+# 1. Never commit your .env file to version control
+# 2. Generate unique secrets for each deployment
+# 3. Use strong passwords with mixed case, numbers, and special characters
+# 4. Rotate secrets regularly in production
+# 5. Keep file permissions restricted (chmod 600 .env)
+# 6. Never share credentials via insecure channels
diff --git a/.gitignore b/.gitignore
index 0d70147e..8e974863 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@ dist
 data
 *.log
 .env*
+!.env.example
 /.idea
 tsconfig.tsbuildinfo
 /caddy-data
diff --git a/README.md b/README.md
index ff0b9e0f..c2041aef 100644
--- a/README.md
+++ b/README.md
@@ -142,9 +142,12 @@ Visit `http://localhost:3000/login` and sign in with your credentials.
 | `ADMIN_USERNAME` | Admin login username | `admin` | **Yes** |
 | `ADMIN_PASSWORD` | Admin password (see requirements below) | `admin` (dev only) | **Yes** |
 | `BASE_URL` | Public URL of the dashboard | `http://localhost:3000` | No |
-| `CADDY_API_URL` | Caddy Admin API endpoint | `http://caddy:2019` | No |
-| `DATABASE_PATH` | SQLite file path | `/app/data/caddy-proxy-manager.db` | No |
-| `PRIMARY_DOMAIN` | Default domain for Caddy config | `caddyproxymanager.com` | No |
+| `CADDY_API_URL` | Caddy Admin API endpoint | `http://caddy:2019` (prod)
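Review bot: The placeholder values for `SESSION_SECRET` and `ADMIN_PASSWORD` in the new .env.example themselves satisfy the rules the comments describe: the secret placeholder is longer than 32 characters, and the password has 12+ characters with upper case, lower case, a digit and specials. A file copied to .env and left unedited would therefore presumably pass startup validation with credentials that are public in the repository; the same holds for the literal `export ADMIN_PASSWORD="YourStr0ng-P@ssw0rd!"` in the Quick Setup comment. The notes only say that admin/admin is rejected, and whether the validator also rejects these sample strings is not visible in this hunk. I would ship the two values empty, `SESSION_SECRET=` and `ADMIN_PASSWORD=`, so an unedited copy fails closed, and have the startup check refuse the documented sample strings as well.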
`http://localhost:2019` (dev) | No |
+| `DATABASE_URL` | SQLite database URL | `file:./data/caddy-proxy-manager.db` | No |
+| `CERTS_DIRECTORY` | Certificate storage directory | `./data/certs` | No |
+| `LOGIN_MAX_ATTEMPTS` | Max login attempts before rate limit | `5` | No |
+| `LOGIN_WINDOW_MS` | Rate limit window in milliseconds | `300000` (5 min) | No |
+| `LOGIN_BLOCK_MS` | Rate limit block duration in milliseconds | `900000` (15 min) | No |
 **Production Security Requirements (Strictly Enforced):**