-
Notifications
You must be signed in to change notification settings - Fork 60
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Updated documentation to include all of the existing envvars, re-orde…
…red them a bit, and included some more information like which have default values. Also already updated the wiki page. Signed-off-by: Amndeep Singh Mann <[email protected]>
- Loading branch information
Showing
2 changed files
with
63 additions
and
50 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,70 +1,84 @@ | ||
| # For more information on any of these variables, see https://github.com/mitre/heimdall2/wiki/Environment-Variables-Configuration#github | ||
|
|
||
| # If a variable does not have a value assigned, remove the variable. (e.g if you aren't using a custom DATABASE_NAME, remove the DATABASE_NAME line.) | ||
|
|
||
| # Services | ||
|
|
||
| ## Frontend | ||
| CLASSIFICATION_BANNER_TEXT=<If a sensitivity classification banner should be shown to users, for example FOUO (if nothing is provided, no banner is shown)> | ||
| CLASSIFICATION_BANNER_TEXT_COLOR=<The color of the text on the sensitivity classification banner, if enabled (defaults to white)> | ||
| CLASSIFICATION_BANNER_COLOR=<The color of the sensitivity classification banner, if enabled (defaults to red)> | ||
|
|
||
| ## Backend | ||
| NODE_ENV=<development, production, or test (no default, must be set)> | ||
| PORT=<Port that the app starts up on (if nothing is provided, defaults to 3000)> | ||
| EXTERNAL_URL=<The external URL for your Heimdall deployment, for example https://heimdall.mitre.org> | ||
| ADMIN_EMAIL=<email for default admin user (if nothing is provided, defaults to [email protected])> | ||
| ADMIN_USES_EXTERNAL_AUTH=<if the default admin user uses alternative/external authentication (if nothing is provided, defaults to false) | ||
| ADMIN_PASSWORD=<Password for admin user (if nothing is provided, defaults to a randomly generated password that will only be shown on initial setup)> | ||
| LOCAL_LOGIN_DISABLED=<If internal user login should be allowed, if not then only alternative authention providers can be used, (if nothing provided, defaults to false)> | ||
| REGISTRATION_DISABLED=<If public user registration should be allowed, if not then only the administrator user can create users (defaults to false)> | ||
| ONE_SESSION_PER_USER=<If users are only allowed to be logged in on one browser, (defaults to false)> | ||
| JWT_SECRET=<JSON Web Token Secret (no default, must be set)> | ||
| JWT_EXPIRE_TIME=<JSON Web Token Length of time before signature expires (if nothing is provided, defaults to 60s)> | ||
| API_KEY_SECRET=<API Key Token Secret (no default, API keys are disabled if this is not set)> | ||
| MAX_FILE_UPLOAD_SIZE=<Maximum size for evaluation uploads in megabytes (defaults to 50)> | ||
|
|
||
| ## Database | ||
| DATABASE_HOST=<Hostname where the database exists (if nothing is provided, defaults to 127.0.0.1)> | ||
| DATABASE_PORT=<Port to connect to the database (if nothing is provided, defaults to 5432)> | ||
| DATABASE_USERNAME=<Username to authenticate to the database (if nothing is provided, defaults to postgres)> | ||
| DATABASE_PASSWORD=<Password to authenticate to the database (if nothing is provided, defaults to no password)> | ||
| DATABASE_NAME=<Name of the database (if nothing is provided, defaults to heimdall-server-NODE_ENV)> | ||
| DATABASE_SSL=<Whether or not to use SSL certificate authentication (if nothing is provided, defaults to false)> | ||
| DATABASE_SSL_INSECURE=<Whether or not to ignore SSL issues (security risk if enabled, if nothing is provided, defaults to false)> | ||
| DATABASE_SSL_KEY=<Full path to SSL key OR the key itself (no default, must be set if using SSL)> | ||
| DATABASE_SSL_CERT=<Full path to SSL certificate OR the certificate itself (no default, must be set if using SSL)> | ||
| DATABASE_SSL_CA=<Full path to SSL certificate authority OR the certificate authority itself (no default, must be set if using SSL)> | ||
| DATABASE_NAME=<Name of the database (if nothing is provided, defaults to heimdall-server-NODE_ENV)> | ||
| JWT_SECRET=<JSON Web Token Secret (no default, must be set)> | ||
| JWT_EXPIRE_TIME=<JSON Web Token Length of time before signature expires (if nothing is provided, defaults to 60s)> | ||
| API_KEY_SECRET=<API Key Token Secret (no default, API keys are disabled if this is not set)> | ||
| NODE_ENV=<development, production, or test (no default, must be set)> | ||
| HEIMDALL_HEADLESS_TESTS=<run integration tests in a headless browser (if nothing is provided, defaults to true)> | ||
| ADMIN_EMAIL=<email for default admin user (if nothing is provided, defaults to [email protected])> | ||
| ADMIN_USES_EXTERNAL_AUTH=<if the default admin user uses alternative authentication (if nothing is provided, defaults to false) | ||
| ADMIN_PASSWORD=<Password for admin user (if nothing is provided, defaults to a randomly generated password)> | ||
| LOCAL_LOGIN_DISABLED=<If internal user login should be allowed, if not then only alternative authention providers can be used, (if nothing provided, defaults to false)> | ||
| REGISTRATION_DISABLED=<If public user registration should be allowed, if not then only the administrator user can create users (defaults to false)> | ||
| EXTERNAL_URL=<The external URL for your Heimdall deployment, for example https://heimdall.mitre.org> | ||
| ONE_SESSION_PER_USER=<If users are only allowed to be logged in on one browser, (defaults to false)> | ||
| CLASSIFICATION_BANNER_TEXT=<If a sensitivity classification banner should be shown to users, for example FOUO (if nothing is provided, no banner is shown)> | ||
| CLASSIFICATION_BANNER_TEXT_COLOR=<The color of the text on the sensitivity classification banner, if enabled (defaults to white)> | ||
| CLASSIFICATION_BANNER_COLOR=<The color of the sensitivity classification banner, if enabled (defaults to red)> | ||
| DATABASE_SSL_CA=<Full path to SSL certificate authority OR the certificate authority itself (no default, must be set if using SSL)> | ||
|
|
||
| ## Reverse proxy | ||
| NGINX_HOST=<Templated out as the 'server_name' for the NGINX configuration (no default, must be set if using the provided example NGINX configuration)> | ||
|
|
||
| # Authentication | ||
|
|
||
| # Oauth Client IDs and Secrets, If a variable does not have client id values assigned then the feature is disabled. | ||
| GITHUB_CLIENTID=<Github Application Client ID> | ||
| GITHUB_CLIENTSECRET=<Github Application Client Secret> | ||
| ## LDAP Configuration | ||
| LDAP_ENABLED=<If you want to enable LDAP login (defaults to false)> | ||
| LDAP_HOST=<Your LDAP target server (no default, must be set to use LDAP)> | ||
| LDAP_PORT=<Your LDAP target port (if nothing is provided, defaults to 389)> | ||
| LDAP_BINDDN=<The Dn of the user used for lookups (no default, must be set to use LDAP)> | ||
| LDAP_PASSWORD=<Your LDAP user's passwords used for lookups (no default, must be set to use LDAP)> | ||
| # Here you set your LDAP searchbase, for more info see https://docs.oracle.com/cd/E19693-01/819-0997/auto45/index.html | ||
| # If you're using Active Directory, you probably want "OU=Users, DC=<yourdomain>, DC=local" | ||
| LDAP_SEARCHBASE="<Your LDAP search base (no default, must be set to use LDAP)>" | ||
| # Here you set your LDAP search filter, for more info see https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html | ||
| # If you are using Active Directory Users, you probably want "sAMAccountName={{username}}" | ||
| LDAP_SEARCHFILTER="<Your LDAP search filter (defaults to (sAMAccountName={{username}})>" | ||
| LDAP_NAMEFIELD="<The field that contains the user's full name (defaults to name)>" | ||
| LDAP_MAILFIELD="<The field that contains the user's email (defaults to mail)>" | ||
|
|
||
| ## OAuth Client IDs and Secrets, If a variable does not have client id values assigned then the feature is disabled. | ||
| GOOGLE_CLIENTID=<Google Application Client ID (Usually in the shape of xxxxxx.apps.googleusercontent.com, no default, must be set to Google)> | ||
| GOOGLE_CLIENTSECRET="<Google Application Client Secret (no default, must be set to use Google)>" | ||
|
|
||
| GITHUB_CLIENTID=<Github Application Client ID (no default, must be set to use Github)> | ||
| GITHUB_CLIENTSECRET=<Github Application Client Secret (no default, must be set to use Github)> | ||
| GITHUB_ENTERPRISE_INSTANCE_BASE_URL=<Github Enterprise Instance Base URL (default=https://github.com/)> | ||
| GITHUB_ENTERPRISE_INSTANCE_API_URL=<Github Enterprise Instance API URL (default=https://api.github.com/)> | ||
|
|
||
| GITLAB_CLIENTID=<Gitlab Application Client ID> | ||
| GITLAB_CLIENTSECRET=<Gitlab Application Client Secret> | ||
| GITLAB_CLIENTID=<Gitlab Application Client ID (not default, must be set to use Gitlab)> | ||
| GITLAB_CLIENTSECRET=<Gitlab Application Client Secret (no default, must be set to use Gitlab)> | ||
| GITLAB_BASEURL=<Gitlab Base URL (default=https://gitlab.com)> | ||
|
|
||
| GOOGLE_CLIENTID=<Google Application Client ID (apps.googleusercontent.com)> | ||
| GOOGLE_CLIENTSECRET="<Google Application Client Secret>" | ||
|
|
||
| OKTA_DOMAIN="<yourdomain>.okta.com" | ||
| OKTA_CLIENTID=<Your Client ID> | ||
| OKTA_CLIENTSECRET=<Your Client Secret> | ||
|
|
||
| # Custom OIDC Service | ||
| OIDC_NAME=<What you want your authentication method to be named on the frontend> | ||
| OIDC_ISSUER=<Your OIDC Base URL, for example: https://sample.us.auth0.com> | ||
| OIDC_AUTHORIZATION_URL=<Your OIDC authorization endpoint, for example: https://sample.us.auth0.com/authorize> | ||
| OIDC_TOKEN_URL=<Your OIDC token endpoint, for example: https://sample.us.auth0.com/oauth/token> | ||
| OIDC_USER_INFO_URL=<Your OIDC user info endpoint, for example: https://sample.us.auth0.com/userinfo> | ||
| OIDC_CLIENTID=<Your OIDC Client ID> | ||
| OIDC_CLIENT_SECRET=<Your OIDC Client Secret> | ||
| ## Custom OIDC Service | ||
| OIDC_NAME=<What you want your authentication method to be named on the frontend (no default, must be set)> | ||
| OIDC_ISSUER=<Your OIDC Base URL, for example: https://sample.us.auth0.com (no default, must be set)> | ||
| OIDC_AUTHORIZATION_URL=<Your OIDC authorization endpoint, for example: https://sample.us.auth0.com/authorize (no default, must be set)> | ||
| OIDC_TOKEN_URL=<Your OIDC token endpoint, for example: https://sample.us.auth0.com/oauth/token (no default, must be set)> | ||
| OIDC_USER_INFO_URL=<Your OIDC user info endpoint, for example: https://sample.us.auth0.com/userinfo (no default, must be set)> | ||
| OIDC_CLIENTID=<Your OIDC Client ID (no default, must be set)> | ||
| OIDC_CLIENT_SECRET=<Your OIDC Client Secret (no default, must be set)> | ||
| OIDC_EXTERNAL_GROUPS=<Synchronize user groups from external OIDC provider; Groups are not created automatically, users are only mapped into existing groups - true or false (defaults to false if not provided)> | ||
|
|
||
| # LDAP Configuration | ||
| LDAP_ENABLED=<If you want to enable LDAP login (true/false)> | ||
| LDAP_HOST=<Your LDAP target server> | ||
| LDAP_PORT=<Your LDAP target port (if nothing is provided, defaults to 389)> | ||
| LDAP_BINDDN=<The Dn of the user used for lookups> | ||
| LDAP_PASSWORD=<Your LDAP user's passwords used for lookups> | ||
| # Here you set your LDAP searchbase, for more info see https://docs.oracle.com/cd/E19693-01/819-0997/auto45/index.html | ||
| # If you're using Active Directory, you probably want "OU=Users, DC=<yourdomain>, DC=local" | ||
| LDAP_SEARCHBASE="<Your LDAP search base>" | ||
| # Here you set your LDAP search filter, for more info see https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html | ||
| # If you are using Active Directory Users, you probably want "sAMAccountName={{username}}" | ||
| LDAP_SEARCHFILTER="<Your LDAP search filter (if nothing is provided, defaults to (sAMAccountName={{username}})>" | ||
| LDAP_NAMEFIELD="<The field that contains the user's full name (if nothing is provided, defaults to name)>" | ||
| LDAP_MAILFIELD="<The field that contains the user's email (if nothing is provided, defaults to mail)>" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters