143 lines
5.4 KiB
Plaintext
143 lines
5.4 KiB
Plaintext
# Caddy Proxy Manager Environment Configuration
|
|
# Copy this file to .env and update with your secure values
|
|
# IMPORTANT: chmod 600 .env after creating it
|
|
|
|
# =============================================================================
|
|
# REQUIRED SECURITY SETTINGS (PRODUCTION)
|
|
# =============================================================================
|
|
|
|
# Session Secret (REQUIRED)
|
|
# Generate with: openssl rand -base64 32
|
|
# Must be at least 32 characters in production
|
|
SESSION_SECRET=your-secure-session-secret-here-min-32-chars
|
|
|
|
# Admin Credentials (REQUIRED)
|
|
# USERNAME: Any username (e.g., "admin" is fine)
|
|
# PASSWORD: Must be 12+ characters with:
|
|
# - Uppercase letters (A-Z)
|
|
# - Lowercase letters (a-z)
|
|
# - Numbers (0-9)
|
|
# - Special characters (!@#$%^&* etc.)
|
|
ADMIN_USERNAME=admin
|
|
ADMIN_PASSWORD=Your-Secure-P@ssw0rd-Here!
|
|
|
|
# =============================================================================
|
|
# APPLICATION CONFIGURATION
|
|
# =============================================================================
|
|
|
|
# Public base URL for the application (IMPORTANT!)
|
|
# This is the URL where users access your Caddy Proxy Manager interface.
|
|
#
|
|
# ** REQUIRED FOR OAUTH: If using OAuth2/OIDC authentication, this MUST match
|
|
# the redirect URI configured in your OAuth provider exactly.
|
|
# The redirect URI will be: {BASE_URL}/api/auth/callback/oauth2
|
|
#
|
|
# Examples:
|
|
# - Local development: http://localhost:3000
|
|
# - Production with domain: https://caddy-manager.example.com
|
|
# - Production with IP: http://192.168.1.100:3000
|
|
#
|
|
# IMPORTANT: Do not include a trailing slash
|
|
BASE_URL=http://localhost:3000
|
|
|
|
# =============================================================================
|
|
# ROOTLESS OPERATION (OPTIONAL)
|
|
# =============================================================================
|
|
|
|
# User and Group IDs for running containers as non-root
|
|
# Set these to match your host user to avoid permission issues with volumes
|
|
# Find your UID/GID with: id -u / id -g
|
|
#
|
|
# Defaults:
|
|
# - Web service: PUID=10001, PGID=10001
|
|
# - Caddy service: PUID=10000, PGID=10000
|
|
#
|
|
# For matching your host user (recommended for development):
|
|
# PUID=1000
|
|
# PGID=1000
|
|
|
|
# =============================================================================
|
|
# OAUTH2/OIDC AUTHENTICATION (OPTIONAL)
|
|
# =============================================================================
|
|
|
|
# OAuth2/OIDC Provider (works with Authentik, Authelia, Keycloak, etc.)
|
|
# Enable OAuth2 authentication with any OIDC-compliant provider
|
|
OAUTH_ENABLED=false
|
|
OAUTH_PROVIDER_NAME=OAuth2 # Display name (e.g., "Authentik", "Keycloak")
|
|
OAUTH_CLIENT_ID=
|
|
OAUTH_CLIENT_SECRET=
|
|
OAUTH_ISSUER= # OIDC discovery URL (e.g., https://auth.example.com/application/o/app/)
|
|
|
|
# Optional: Override auto-discovered URLs (only if OIDC discovery doesn't work)
|
|
# OAUTH_AUTHORIZATION_URL=
|
|
# OAUTH_TOKEN_URL=
|
|
# OAUTH_USERINFO_URL=
|
|
|
|
# OAuth Settings
|
|
OAUTH_ALLOW_AUTO_LINKING=false # Auto-link OAuth to accounts without passwords
|
|
|
|
# Example for Authentik:
|
|
# OAUTH_ENABLED=true
|
|
# OAUTH_PROVIDER_NAME=Authentik
|
|
# OAUTH_CLIENT_ID=your-client-id
|
|
# OAUTH_CLIENT_SECRET=your-client-secret
|
|
# OAUTH_ISSUER=https://auth.example.com/application/o/caddy-proxy/
|
|
#
|
|
# IMPORTANT: Configure the redirect URI in your OAuth provider:
|
|
# Redirect URI = {BASE_URL}/api/auth/callback/oauth2
|
|
# Example: http://localhost:3000/api/auth/callback/oauth2
|
|
# or: https://caddy-manager.example.com/api/auth/callback/oauth2
|
|
|
|
# =============================================================================
|
|
# OPTIONAL: ADVANCED CONFIGURATION
|
|
# =============================================================================
|
|
|
|
# Database configuration (usually no need to change)
|
|
# DATABASE_URL=file:/app/data/caddy-proxy-manager.db
|
|
|
|
# Caddy Admin API endpoint (usually no need to change)
|
|
# CADDY_API_URL=http://caddy:2019
|
|
|
|
# Certificate storage directory (usually no need to change)
|
|
# CERTS_DIRECTORY=./data/certs
|
|
|
|
# Login rate limiting (optional, for custom rate limit settings)
|
|
# LOGIN_MAX_ATTEMPTS=5
|
|
# LOGIN_WINDOW_MS=300000
|
|
# LOGIN_BLOCK_MS=900000
|
|
|
|
# =============================================================================
|
|
# SECURITY NOTES
|
|
# =============================================================================
|
|
#
|
|
# Production Security (Strictly Enforced):
|
|
# - Application will refuse to start without proper credentials
|
|
# - Default values (admin/admin) are automatically rejected
|
|
# - All requirements are validated at startup
|
|
#
|
|
# Quick Setup for Production:
|
|
# export SESSION_SECRET=$(openssl rand -base64 32)
|
|
# export ADMIN_USERNAME="admin"
|
|
# export ADMIN_PASSWORD="YourStr0ng-P@ssw0rd!"
|
|
#
|
|
# Development Mode:
|
|
# export NODE_ENV=development
|
|
# # Default credentials (admin/admin) work in development
|
|
#
|
|
# Security Best Practices:
|
|
# 1. Never commit your .env file to version control
|
|
# 2. Generate unique secrets for each deployment
|
|
# 3. Use strong passwords with mixed case, numbers, and special characters
|
|
# 4. Rotate secrets regularly in production
|
|
# 5. Keep file permissions restricted (chmod 600 .env)
|
|
# 6. Never share credentials via insecure channels
|
|
|
|
# =============================================================================
|
|
# GEOIP UPDATE (OPTIONAL)
|
|
# =============================================================================
|
|
|
|
# GeoIP Update (Optional - for geoblocking support)
|
|
# Get credentials at: https://www.maxmind.com/en/geolite2/signup
|
|
GEOIPUPDATE_ACCOUNT_ID=
|
|
GEOIPUPDATE_LICENSE_KEY=
|