Diffstat (limited to 'ci')
-rw-r--r--ci/config/Essentials.Accounts.json5
-rw-r--r--ci/config/SessionProvider.json8
-rw-r--r--ci/config/config.json81
-rw-r--r--ci/config/routes.xml14
-rw-r--r--ci/install.ps111
5 files changed, 62 insertions, 57 deletions
diff --git a/ci/config/Essentials.Accounts.json b/ci/config/Essentials.Accounts.json
index b28caf4..a5756b0 100644
--- a/ci/config/Essentials.Accounts.json
+++ b/ci/config/Essentials.Accounts.json
@@ -68,6 +68,9 @@
"otp_time_diff_sec": 30,
"otp_key_size": 64,
"pubkey_cookie_name": "client-id",
- "pubkey_signing_key_size": 32
+ "pubkey_signing_key_size": 32,
+ "strict_origin": false,
+ "strict_path": true, //Can be enabled if front-end is running on the same server
+ //"allowed_origins": [""]
}
} \ No newline at end of file
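Review bot: The comment on the `strict_path` line reads as advice for switching it on ("Can be enabled if…") even though the new value is `true`, so it will mislead whoever next reads this block. Rewording it to state the decision, `"strict_path": true, //Enabled because the front-end is served from this same server`, keeps comment and value in agreement. In the same hunk `strict_origin` is set to `false` while `allowed_origins` stays commented out; if that flag gates Origin checks for the account endpoints (inferred from the name), a one-line comment recording why origin checking is off in CI, or a populated `allowed_origins` with the flag on, would make the weaker posture deliberate rather than an oversight.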
diff --git a/ci/config/SessionProvider.json b/ci/config/SessionProvider.json
index a578b0d..5573a05 100644
--- a/ci/config/SessionProvider.json
+++ b/ci/config/SessionProvider.json
@@ -10,12 +10,16 @@
//Cache system key prefix
"cache_prefix": "websessions",
//The session cookie name
- "cookie_name": "VNSession",
+ "cookie_name": "cmnext-ses",
//Size in bytes for generated session ids
"cookie_size": 40,
//time (in seconds) a session is valid for
"valid_for_sec": 3600,
//The maxium number of connections waiting for the cache server responses
- "max_waiting_connections": 100
+ "max_waiting_connections": 100,
+ //Enforce strict cross-origin session checks
+ "strict_cors": true,
+ ///Enforces strict TLS to help prevent tls downgrades based on stored session variables (privacy note: this can be leaked through brute-forced if session id is stolen)
+ "strict_tls_protocol": true
}
} \ No newline at end of file
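Review bot: The new comment on `strict_tls_protocol` is ungrammatical ("can be leaked through brute-forced") and uses a `///` prefix where every neighbouring comment uses `//`, which looks like a doc-comment marker that this file does not use. A clearer version with the same meaning: `//Enforces strict TLS to help prevent TLS downgrades based on stored session variables (privacy note: the stored value could be recovered by brute force if a session id is stolen)`. The `strict_cors` comment above it is fine as written.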
diff --git a/ci/config/config.json b/ci/config/config.json
index b410399..29a0665 100644
--- a/ci/config/config.json
+++ b/ci/config/config.json
@@ -37,7 +37,13 @@
},
//Path to managed compressor library
- "compression_lib": null,
+ "compression_lib": "lib/vnlib.net.compression/VNLib.Net.Compression.dll",
+
+ //Setup the native lib
+ "vnlib.net.compression": {
+ "lib_path": "lib/vnlib_compress.dll",
+ "level": 1
+ },
//Maximum ammount of time a request is allowed to be processed (includes loading or waiting for sessions) before operations will be cancelled and a 503 returned
"max_execution_time_ms": 20000,
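Review bot: Enabling response compression (`compression_lib` now points at a real module) on a host that also serves over TLS makes compression side-channel considerations relevant for responses that echo request-controlled data next to secrets; nothing in this hunk says whether the module can be scoped to static content, so a comment recording that decision would help, e.g. `//Compression is enabled for all responses; TODO confirm dynamic/authenticated responses are excluded or accepted`. The two `.dll` paths and `"level": 1` are also undocumented: it is not visible here whether they resolve against the working directory or the server binary, nor what range `level` takes, so a short comment such as `//Paths are relative to the server working directory — TODO confirm` would save the next operator a guess. The enclosing object starts before this hunk.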
@@ -45,6 +51,9 @@
//Collection of objects to define hosts+interfaces to build server listeners from
"virtual_hosts": [
{
+ //Enable nginx-style connection tracing for this endpoint
+ "trace": false,
+
//The interface to bind to, you may not mix TLS and non-TLS connections on the same interface
"interface": {
"address": "0.0.0.0",
@@ -78,6 +87,7 @@
"X-Content-Type-Options": "nosniff",
"X-Xss-Protection": "1; mode=block",
"X-Frame-Options": "DENY",
+ "Server": "VNLib.Webserver",
"Content-Security-Policy": "default-src 'self' https://cdn.ckeditor.com 'unsafe-inline'; img-src 'self' blob: data:; frame-src 'none'; object-src 'none'; referrer no-referrer-when-downgrade; upgrade-insecure-requests; block-all-mixed-content;"
},
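Review bot: Adding `"Server": "VNLib.Webserver"` inside the hardening-headers block advertises the server implementation to every client, which works against the intent of the surrounding `X-Frame-Options`/`X-Content-Type-Options` entries. If the header is wanted for diagnostics, a non-identifying value, or at least a comment recording that it deliberately carries no version string, would make the trade-off explicit: `//Intentionally generic: no version or build information is disclosed`. The headers object begins before this hunk.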
@@ -88,30 +98,23 @@
//"cors_allowed_authority": [ "localhost:8080" ],
//Define a TLS certificate (enables TLS on the interface)
- "disabled ssl": {
+ "ssl": {
//Cert may be pem or pfx (include private key in pfx, or include private key in a pem file)
- "cert": "/path/to/cert.pfx|pem",
+ "cert": "ssl/cert.pem",
//A pem encoded private key, REQUIRED if using a PEM certificate, may be encrypted with a password
- "privkey": "/path/to/private_key.pem",
+ "privkey": "ssl/key.pem",
//An optional password for the ssl private key
- "password": "plain-text-password",
+ //"password": "plain-text-password",
//requires that any client connecting to this host present a valid certificate
"client_cert_required": false
},
//A list of error file objects, files are loaded into memory (and watched for changes) and returned when the specified error code occurs
- "error_files": [
- /*
- {
- "code": 404,
- "path": "404.html"
- },
- */
- ],
+ "error_files": [],
//The default
"cache_default_sec": 864000
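Review bot: The `ssl` block is now live with `privkey` at `ssl/key.pem` and `password` commented out, so the private key is expected to sit unencrypted on the CI host; the hunk gives no hint of where the pair comes from or how the directory is protected. A comment next to `privkey` would document that dependency for operators: `//Unencrypted key; the ssl/ directory must be readable by the service account only`. The change from `"disabled ssl"` to `"ssl"` also implies the `disabled ` prefix is how sections are switched off in this file, which is worth stating once near the top of the file since the same convention still applies to `app_log` later in the diff.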
@@ -125,59 +128,55 @@
"hot_reload": false,
"reload_delay_sec": 2,
"path": "plugins",
- "config_dir": "config"
+ "config_dir": "config",
+ "assets": "plugins/assets/"
},
- "disabled sys_log": {
- //"path": "path/to/syslog/file",
+ "sys_log": {
+ "path": "data/logs/syslog.txt",
//"template": "serilog template for writing to file",
- //"flush_sec": 5,
- //"retained_files": 31,
- //"file_size_limit": 10485760,
- //"interval": "infinite"
+ "flush_sec": 5,
+ "retained_files": 10,
+ "file_size_limit": 10485760,
+ "interval": "infinite"
},
"disabled app_log": {
- //"path": "path/to/applog/file",
+ "path": "data/logs/applog.txt",
//"template": "serilog template for writing to file",
- //"flush_sec": 5,
- //"retained_files": 31,
- //"file_size_limit": 10485760,
- //"interval": "infinite"
+ "flush_sec": 5,
+ "retained_files": 10,
+ "file_size_limit": 10485760,
+ "interval": "infinite"
},
//Sql for the users database
"sql": {
- "db_type": "sqlite", //mysql, mssql(default), sqlite
- "source": "cmnext.db" //For sqlite only
-
- //"hostname": "example.com",
- //"username": "cmnext",
- //"catalog": "cmnext",
- //"min_pool_size": 5,
- //"ms_security": false
+ "debug": false,
+ "provider": "VNLib.Plugins.Extensions.Sql.SQLite.dll",
+ "source": "data/cmnext.db" //For sqlite only
},
//caching should be setup globally after VNCache #78a47dd
- "cache":{
+ "cache": {
//Load the vncache dll
"assembly_name": "VNLib.Data.Caching.Providers.VNCache.dll",
//Defaulting to memory only for now
"memory_only": true,
//enable memory cache
"memory_cache": {
- "buckets": 20,
- "bucket_size": 5000,
- "max_age_sec": 600,
- "refresh_interval_sec": 60,
- "zero_all": false,
- "max_object_size": 8128
+ "buckets": 20,
+ "bucket_size": 5000,
+ "max_age_sec": 600,
+ "refresh_interval_sec": 60,
+ "zero_all": false,
+ "max_object_size": 8128
}
},
//Global secrets object, used by the host and pluings for a specialized secrets
"secrets": {
//"db_password": ""
- "passwords": "yourbase64passwordsecret"
+ "passwords": "file://secrets/password-pepper.json"
}
}
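Review bot: `"disabled app_log"` keeps its `disabled ` prefix while its body was filled in with a real path and rotation settings, whereas `sys_log` in the same hunk was renamed to `"sys_log"` to activate it. If the prefix is what turns a section off (as the `sys_log` rename suggests), the new `app_log` values are dead configuration; either rename the key to `"app_log"` or add `//Application log intentionally left disabled in CI; settings kept for reference` so the asymmetry is clearly deliberate. Moving `passwords` to `file://secrets/password-pepper.json` removes the inline secret, which is the right direction; a comment such as `//Secrets are file references, never inline values` would keep future edits on that path.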
diff --git a/ci/config/routes.xml b/ci/config/routes.xml
index 49d9553..85f9830 100644
--- a/ci/config/routes.xml
+++ b/ci/config/routes.xml
@@ -26,19 +26,21 @@
<path>/assets/*</path>
</route>
- <!--Overwrite all other requests to the index file (catch all) using the ServeOther routine (4)-->
+ <!--Show the index file when navigating to /-->
<route routine="4" privilege="0">
-
- <!--Wildcard hostname-->
<hostname>*</hostname>
+ <path>/</path>
+ <alternate>index.html</alternate>
+ </route>
- <!--Declares that all files after / will be matched by this rule-->
+ <!--Redirect all other pages back to the app (homepage)-->
+ <route routine="2" privilege="0">
+ <hostname>*</hostname>
<path>/*</path>
-
- <!--Return to the root path, lets the file processor handle extension searching-->
<alternate>/</alternate>
</route>
+
<!--All routes that do not match will be allowed, this is only / since it does not have a matching rule-->
</routes> \ No newline at end of file
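Review bot: The closing comment "this is only / since it does not have a matching rule" is now stale, because the first new route matches `<path>/</path>` explicitly and the second matches `/*`. Updating it keeps the routing description truthful: `<!--All routes that do not match will be allowed; / and /* now both have explicit rules above-->`. The new `/` route uses `routine="4"` with `index.html` as the alternate while the catch-all uses `routine="2"` redirecting to `/`; a one-word gloss of what each routine number means, as the removed comment had for routine 4, would help readers who do not have the routine table at hand.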
diff --git a/ci/install.ps1 b/ci/install.ps1
index 4c42c18..7a5c455 100644
--- a/ci/install.ps1
+++ b/ci/install.ps1
@@ -1,15 +1,12 @@
-param([String] $BaseUrl, [String] $ModuleName, [String] $ProjectName, [String]$FileName)
+param([String] $BaseUrl, [String] $ModuleName, [String] $ProjectName, [String]$FileName, [String]$Version)
-#get the latest file
-Invoke-WebRequest "$BaseUrl/$ModuleName/@latest" -OutFile latest.txt
-#read the file into a variable
-$latest = Get-Content latest.txt
+$_src = "$BaseUrl/$ModuleName/$Version/$ProjectName/$FileName"
#download the latest version
-Invoke-WebRequest "$BaseUrl/$ModuleName/$latest/$ProjectName/$FileName" -OutFile $FileName
+Invoke-WebRequest "$_src" -OutFile $FileName
#download latest sha256
-Invoke-WebRequest "$BaseUrl/$ModuleName/$latest/$ProjectName/$FileName.sha256" -OutFile "$FileName.sha256"
+Invoke-WebRequest "$_src.sha256" -OutFile "$FileName.sha256"
#verify the file
$hash = (Get-FileHash $FileName -Algorithm SHA256).Hash