caddy-proxy-manager/.env.example

# Caddy Proxy Manager Environment Configuration
# Copy this file to .env and update with your secure values
# IMPORTANT: chmod 600 .env after creating it

# =============================================================================
# REQUIRED SECURITY SETTINGS (PRODUCTION)
# =============================================================================

# Session Secret (REQUIRED)
# Generate with: openssl rand -base64 32
# Must be at least 32 characters in production
SESSION_SECRET=your-secure-session-secret-here-min-32-chars

# Admin Credentials (REQUIRED)
# USERNAME: Any username (e.g., "admin" is fine)
# PASSWORD: Must be 12+ characters with:
#   - Uppercase letters (A-Z)
#   - Lowercase letters (a-z)
#   - Numbers (0-9)
#   - Special characters (!@#$%^&* etc.)
ADMIN_USERNAME=admin
ADMIN_PASSWORD=Your-Secure-P@ssw0rd-Here!

# =============================================================================
# APPLICATION CONFIGURATION
# =============================================================================

# Public base URL for the application
BASE_URL=http://localhost:3000

# =============================================================================
# OAUTH2/OIDC AUTHENTICATION (OPTIONAL)
# =============================================================================

# OAuth2/OIDC Provider (works with Authentik, Authelia, Keycloak, etc.)
# Enable OAuth2 authentication with any OIDC-compliant provider
OAUTH_ENABLED=false
OAUTH_PROVIDER_NAME=OAuth2             # Display name (e.g., "Authentik", "Keycloak")
OAUTH_CLIENT_ID=
OAUTH_CLIENT_SECRET=
OAUTH_ISSUER=                          # OIDC discovery URL (e.g., https://auth.example.com/application/o/app/)

# Optional: Override auto-discovered URLs (only if OIDC discovery doesn't work)
# OAUTH_AUTHORIZATION_URL=
# OAUTH_TOKEN_URL=
# OAUTH_USERINFO_URL=

# OAuth Settings
OAUTH_ALLOW_AUTO_LINKING=false         # Auto-link OAuth to accounts without passwords

# Example for Authentik:
# OAUTH_ENABLED=true
# OAUTH_PROVIDER_NAME=Authentik
# OAUTH_CLIENT_ID=your-client-id
# OAUTH_CLIENT_SECRET=your-client-secret
# OAUTH_ISSUER=https://auth.example.com/application/o/caddy-proxy/
# Redirect URI: {BASE_URL}/api/auth/callback/oauth2

# =============================================================================
# OPTIONAL: ADVANCED CONFIGURATION
# =============================================================================

# Database configuration (usually no need to change)
# DATABASE_URL=file:/app/data/caddy-proxy-manager.db

# Caddy Admin API endpoint (usually no need to change)
# CADDY_API_URL=http://caddy:2019

# Certificate storage directory (usually no need to change)
# CERTS_DIRECTORY=./data/certs

# Login rate limiting (optional, for custom rate limit settings)
# LOGIN_MAX_ATTEMPTS=5
# LOGIN_WINDOW_MS=300000
# LOGIN_BLOCK_MS=900000

# =============================================================================
# SECURITY NOTES
# =============================================================================
#
# Production Security (Strictly Enforced):
# - Application will refuse to start without proper credentials
# - Default values (admin/admin) are automatically rejected
# - All requirements are validated at startup
#
# Quick Setup for Production:
#   export SESSION_SECRET=$(openssl rand -base64 32)
#   export ADMIN_USERNAME="admin"
#   export ADMIN_PASSWORD="YourStr0ng-P@ssw0rd!"
#
# Development Mode:
#   export NODE_ENV=development
#   # Default credentials (admin/admin) work in development
#
# Security Best Practices:
# 1. Never commit your .env file to version control
# 2. Generate unique secrets for each deployment
# 3. Use strong passwords with mixed case, numbers, and special characters
# 4. Rotate secrets regularly in production
# 5. Keep file permissions restricted (chmod 600 .env)
# 6. Never share credentials via insecure channels