-rw-r--r--ci/container/Dockerfile37
-rw-r--r--ci/container/config-templates/Essentials.Accounts-template.json2
-rw-r--r--ci/container/config-templates/PageRouter-template.json2
-rw-r--r--ci/container/config-templates/SessionProvider-template.json8
-rw-r--r--ci/container/config-templates/SimpleBookmark-template.json2
-rw-r--r--ci/container/docker-compose.yaml28
6 files changed, 50 insertions, 29 deletions
diff --git a/ci/container/Dockerfile b/ci/container/Dockerfile
index 4580e48..33de6f1 100644
--- a/ci/container/Dockerfile
+++ b/ci/container/Dockerfile
@@ -55,8 +55,8 @@ ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=0
ENV VNLIB_ARGON2_DLL_PATH=/app/lib/libargon2.so
#set default env variables
-ENV MAX_BOOKMARKS=5000
-ENV REG_TOKEN_DURATION_MIN=360
+ENV MAX_BOOKMARKS=5000 \
+ REG_TOKEN_DURATION_MIN=360
#SQL Config
ENV SQL_LIB_PATH=VNLib.Plugins.Extensions.Sql.SQLite.dll
@@ -66,29 +66,34 @@ ENV SQL_CONNECTION_STRING="Data Source=data/simple-bookmark.db;"
ENV MAX_LOGIN_ATTEMPS=10
#HC Vault
-ENV HC_VAULT_ADDR=""
-ENV HC_VAULT_TOKEN=""
-ENV HC_VAULT_TRUST_CERT=false
+ENV HC_VAULT_ADDR="" \
+ HC_VAULT_TOKEN="" \
+ HC_VAULT_TRUST_CERT=false
#VNCACHE (default to memory only)
-ENV CACHE_ASM_PATH=VNLib.Data.Caching.Providers.VNCache.dll
-ENV MEMCACHE_ONLY=true
-ENV REDIS_CONNECTION_STRING=""
-ENV VNCACHE_INITIAL_NODES=[]
+ENV CACHE_ASM_PATH=VNLib.Data.Caching.Providers.VNCache.dll \
+ MEMCACHE_ONLY=true \
+ REDIS_CONNECTION_STRING="" \
+ VNCACHE_INITIAL_NODES=[]
#SECRETS
-ENV PASSWORD_PEPPER=""
-ENV DATABASE_PASSWORD=""
-ENV REDIS_PASSWORD=""
-ENV VNCACHE_CLIENT_PRIVATE_KEY=""
-ENV VNCACHE_CACHE_PUBLIC_KEY=""
+ENV PASSWORD_PEPPER="" \
+ DATABASE_PASSWORD="" \
+ REDIS_PASSWORD="" \
+ VNCACHE_CLIENT_PRIVATE_KEY="" \
+ VNCACHE_CACHE_PUBLIC_KEY=""
+
#HTTP/PROXY Config
-ENV HTTP_DOWNSTREAM_SERVERS=[]
-ENV HTTP_TRACE_ON=false
+ENV HTTP_DOWNSTREAM_SERVERS=[] \
+ HTTP_TRACE_ON=false
+
#set default certificate files to the self signed ones created in the build container
ENV SSL_JSON='{"cert": "ssl/cert.pem", "privkey":"ssl/key.pem"}'
+#disable plugin debugging by default
+ENV DEBUG_PLUGINS=false
+
#run the init script within dumb-init
ENTRYPOINT ["dumb-init", "--"]
CMD ["ash", "./run.sh"]
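Review bot: The comment on the new `ENV DEBUG_PLUGINS=false` line does not say what form the value must take, yet the same commit substitutes it unquoted into the `"debug"` field of the plugin JSON templates, so anything other than a JSON boolean literal would render an unparseable config. Suggest `#disable plugin debugging by default; substituted verbatim into the plugin JSON templates, so the value must be the JSON literal true or false`. The consolidation of the other ENV lines into backslash-continued statements looks behaviour-neutral as far as the visible lines show.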
diff --git a/ci/container/config-templates/Essentials.Accounts-template.json b/ci/container/config-templates/Essentials.Accounts-template.json
index 6e36986..68568a9 100644
--- a/ci/container/config-templates/Essentials.Accounts-template.json
+++ b/ci/container/config-templates/Essentials.Accounts-template.json
@@ -1,5 +1,5 @@
{
- "debug": false,
+ "debug": ${DEBUG_PLUGINS},
//endpoints
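Review bot: `"debug": ${DEBUG_PLUGINS},` is substituted with no fallback, so an empty variable renders as `"debug": ,` and a value such as `False` or `0` renders a non-boolean, either of which presumably fails when the plugin loads its config; the Dockerfile default of `false` only covers the unset case inside the image, not a compose override like `DEBUG_PLUGINS: ""`. If the renderer invoked from run.sh supports shell-style defaults (not visible here), `"debug": ${DEBUG_PLUGINS:-false},` would close the gap; otherwise the renderer should reject anything but `true`/`false` before writing the config. The same pattern appears in the PageRouter, SessionProvider and SimpleBookmark templates in this commit.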
diff --git a/ci/container/config-templates/PageRouter-template.json b/ci/container/config-templates/PageRouter-template.json
index 7cfdf24..98dded3 100644
--- a/ci/container/config-templates/PageRouter-template.json
+++ b/ci/container/config-templates/PageRouter-template.json
@@ -1,5 +1,5 @@
{
- "debug": false,
+ "debug": ${DEBUG_PLUGINS},
"store": {
"route_file": "static/routes.xml"
}
diff --git a/ci/container/config-templates/SessionProvider-template.json b/ci/container/config-templates/SessionProvider-template.json
index e281edf..328f06f 100644
--- a/ci/container/config-templates/SessionProvider-template.json
+++ b/ci/container/config-templates/SessionProvider-template.json
@@ -1,6 +1,6 @@
{
- "debug": false,
+ "debug": ${DEBUG_PLUGINS},
//Provider assemblies to load
"provider_assemblies": [ "VNLib.Plugins.Sessions.VNCache.dll" ],
@@ -16,6 +16,10 @@
//time (in seconds) a session is valid for
"valid_for_sec": 3600,
//The maxium number of connections waiting for the cache server responses
- "max_waiting_connections": 100
+ "max_waiting_connections": 100,
+ //Enforce strict cross-origin session checks
+ "strict_cors": true,
+ ///Enforces strict TLS to help prevent tls downgrades based on stored session variables (privacy note: this can be leaked through brute-forced if session id is stolen)
+ "strict_tls_protocol": true
}
} \ No newline at end of file
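Review bot: The comment on `strict_tls_protocol` uses a `///` prefix unlike every other `//` comment in this file, and its wording is hard to follow, which matters because it carries a privacy caveat an operator has to weigh before enabling it. Suggest `//Bind the session to its TLS protocol to help prevent TLS downgrades (privacy note: the stored value could be inferred by brute force if the session id is stolen)`, keeping the two-slash style; confirm the exact semantics against the session provider, since only the option name is visible here. Defaulting `strict_cors` and `strict_tls_protocol` to `true` is the safer choice for a container template.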
diff --git a/ci/container/config-templates/SimpleBookmark-template.json b/ci/container/config-templates/SimpleBookmark-template.json
index 610673e..8736d8d 100644
--- a/ci/container/config-templates/SimpleBookmark-template.json
+++ b/ci/container/config-templates/SimpleBookmark-template.json
@@ -1,7 +1,7 @@
{
//Comments are allowed
- "debug": false, //Enables obnoxious debug logging
+ "debug": ${DEBUG_PLUGINS}, //Enables obnoxious debug logging
"bm_endpoint": {
diff --git a/ci/container/docker-compose.yaml b/ci/container/docker-compose.yaml
index 63de647..2840160 100644
--- a/ci/container/docker-compose.yaml
+++ b/ci/container/docker-compose.yaml
@@ -19,24 +19,33 @@ services:
environment:
MAX_BOOKMARKS: "5000"
REG_TOKEN_DURATION_MIN: "360" #6 hours
+
#SQL Config
SQL_LIB_PATH: "VNLib.Plugins.Extensions.Sql.SQLite.dll"
SQL_CONNECTION_STRING: "Data Source=data/simple-bookmark.db;"
- #HC Vault
- HC_VAULT_ADDR: ""
- HC_VAULT_TOKEN: ""
- HC_VAULT_TRUST_CERT: "false"
+
+ #HC Vault client config
+ #HC_VAULT_ADDR: ""
+ #HC_VAULT_TOKEN: ""
+ #HC_VAULT_TRUST_CERT: "false"
+
#VNCACHE (default to memory only)
CACHE_ASM_PATH: "VNLib.Data.Caching.Providers.VNCache.dll"
MEMCACHE_ONLY: "true"
REDIS_CONNECTION_STRING: ""
#at least one node required if MEMCACHE_ONLY is false
VNCACHE_INITIAL_NODES: "[]"
- #ACCOUNTS
+
+ #Accounts plugin config
MAX_LOGIN_ATTEMPS: "10"
#SECRETS
- PASSWORD_PEPPER: "" #A base64 encoded secret is required. raw string, vault://, file:// allowed
+ #All secrets may be a raw value, read from a file,
+ #an environment variable, or a vault path
+ # file://mysecret.txt reads the secret from a file (case sensitive)
+ # env://MY_SECRET reads the secret from an environment variable (case sensitive)
+ # vault://kv/data/secret?secret=value reads the value of the mysecret key in the secret/data path
+ PASSWORD_PEPPER: "" #Must be a base64 encoded value, of realtivley any size
DATABASE_PASSWORD: ""
REDIS_PASSWORD: ""
#if MEMCACHE_ONLY is false, then the following keys are required to connect to a VNCACHE cluster
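Review bot: The new secret-source comment block is internally inconsistent: the example `vault://kv/data/secret?secret=value` names the path `kv/data/secret` and the key `value`, but the prose describes "the mysecret key in the secret/data path", so an operator cannot tell which segment is the mount, which the secret name, and which the key. Make the example and its description agree, for instance `# vault://kv/data/mysecret?secret=value reads the "value" key of the secret stored at kv/data/mysecret`, checking the URI layout against the vault loader since it is not visible here. On the `PASSWORD_PEPPER` line, `realtivley` should read `relatively`. Commenting out the `HC_VAULT_*` entries leaves the empty Dockerfile defaults in force, which is fine, but a short comment saying so would save readers checking the Dockerfile.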
@@ -44,8 +53,11 @@ services:
VNCACHE_CACHE_PUBLIC_KEY: ""
#HTTP
- HTTP_DOWNSTREAM_SERVERS: '[]'
- HTTP_TRACE_ON: "false"
+ HTTP_DOWNSTREAM_SERVERS: '[]' #a comma separated list of downstream ip addresses
+ HTTP_TRACE_ON: "false" #enable http trace logging, requires --debug CLI flag
+
+ #Very Verbose plugin logging, required --debug CLI flag, prints literally everything to the logger
+ DEBUG_PLUGINS: "false"
SERVER_ARGS: "--setup" #remove the setup flag after you are done setting up the server