From a355e12201f50d8f52738d225c270042913030e2 Mon Sep 17 00:00:00 2001 From: vnugent Date: Mon, 24 Jun 2024 16:46:04 -0400 Subject: ci: Consolidate ci configuration --- .../Essentials.Accounts-template.json | 76 +++++++++ ci/config-templates/PageRouter-template.json | 7 + ci/config-templates/SessionProvider-template.json | 25 +++ ci/config-templates/SimpleBookmark-template.json | 35 +++++ ci/config-templates/config-template.json | 170 +++++++++++++++++++++ ci/config-templates/routes.xml | 46 ++++++ 6 files changed, 359 insertions(+) create mode 100644 ci/config-templates/Essentials.Accounts-template.json create mode 100644 ci/config-templates/PageRouter-template.json create mode 100644 ci/config-templates/SessionProvider-template.json create mode 100644 ci/config-templates/SimpleBookmark-template.json create mode 100644 ci/config-templates/config-template.json create mode 100644 ci/config-templates/routes.xml (limited to 'ci/config-templates') diff --git a/ci/config-templates/Essentials.Accounts-template.json b/ci/config-templates/Essentials.Accounts-template.json new file mode 100644 index 0000000..54e9b58 --- /dev/null +++ b/ci/config-templates/Essentials.Accounts-template.json @@ -0,0 +1,76 @@ +{ + "debug": ${DEBUG_PLUGINS}, + + //endpoints + + "login_endpoint": { + "path": "/api/account/login", + "max_login_attempts": ${MAX_LOGIN_ATTEMPS}, //10 failed attempts in 10 minutes + "failed_attempt_timeout_sec": 600 //10 minutes + }, + + "keepalive_endpoint": { + "path": "/api/account/keepalive", + //Regen token every 10 mins along with cookies + "token_refresh_sec": 600 //10 minutes + }, + + "profile_endpoint": { + "path": "/api/account/profile" + }, + + "password_endpoint": { + "path": "/api/account/reset" + }, + + "mfa_endpoint": { + "path": "/api/account/mfa" + }, + + "logout_endpoint": { + "path": "/api/account/logout" + }, + + "pki_auth_endpoint": { + "path": "/api/account/pki", + "jwt_time_dif_sec": 30, + "max_login_attempts": 10, + "failed_attempt_timeout_sec": 600, + //Configures the PATCH and DELETE methods to update the user's stored key when logged in + "enable_key_update": true + }, + + //If mfa is defined, configures mfa enpoints and enables mfa logins + "mfa": { + "upgrade_expires_secs": 180, + "nonce_size": 64, + + //Defines totp specific arguments + "totp": { + "digits": 6, + "issuer": "Simple-Bookmark", + "period_secs": 30, + "algorithm": "sha1", + "secret_size": 32, + "window_size": 2 + } + }, + + //Defines the included account provider + "account_security": { + //Time in seconds before a session is considered expired + "session_valid_for_sec": 3600, + //Path/domain for all security cookies + "cookie_domain": "", + "cookie_path": "/", + "status_cookie_name": "li", //front-end cookie name must match to detect login status + "otp_header_name": "X-Web-Token", //Front-end header name must match + "otp_time_diff_sec": 30, + "otp_key_size": 64, + "pubkey_cookie_name": "client-id", + "pubkey_signing_key_size": 32, + "strict_origin": false, + "strict_path": true, //Can be enabled if front-end is running on the same server + //"allowed_origins": [""] + } +} \ No newline at end of file diff --git a/ci/config-templates/PageRouter-template.json b/ci/config-templates/PageRouter-template.json new file mode 100644 index 0000000..86a51f8 --- /dev/null +++ b/ci/config-templates/PageRouter-template.json @@ -0,0 +1,7 @@ +{ + "debug": ${DEBUG_PLUGINS}, + "store": { + //All builds require the routes.xml file in the config directory even after variable substitution + "route_file": "config/routes.xml" + } +} \ No newline at end of file diff --git a/ci/config-templates/SessionProvider-template.json b/ci/config-templates/SessionProvider-template.json new file mode 100644 index 0000000..328f06f --- /dev/null +++ b/ci/config-templates/SessionProvider-template.json @@ -0,0 +1,25 @@ +{ + + "debug": ${DEBUG_PLUGINS}, + + //Provider assemblies to load + "provider_assemblies": [ "VNLib.Plugins.Sessions.VNCache.dll" ], + + //Web session provider, valid format for VNCache and also memory sessions + "web": { + //Cache system key prefix + "cache_prefix": "websessions", + //The session cookie name + "cookie_name": "sb-session", + //Size in bytes for generated session ids + "cookie_size": 40, + //time (in seconds) a session is valid for + "valid_for_sec": 3600, + //The maxium number of connections waiting for the cache server responses + "max_waiting_connections": 100, + //Enforce strict cross-origin session checks + "strict_cors": true, + ///Enforces strict TLS to help prevent tls downgrades based on stored session variables (privacy note: this can be leaked through brute-forced if session id is stolen) + "strict_tls_protocol": true + } +} \ No newline at end of file diff --git a/ci/config-templates/SimpleBookmark-template.json b/ci/config-templates/SimpleBookmark-template.json new file mode 100644 index 0000000..8736d8d --- /dev/null +++ b/ci/config-templates/SimpleBookmark-template.json @@ -0,0 +1,35 @@ +{ + + //Comments are allowed + "debug": ${DEBUG_PLUGINS}, //Enables obnoxious debug logging + + "bm_endpoint": { + + "path": "/api/bookmarks", //Path for the bookmarks endpoint + + "config": { + "max_limit": 100, //Max results per page + "default_limit": 20, //Default results per page + "user_quota": ${MAX_BOOKMARKS} //Max bookmarks per user + } + }, + + //System website lookup endpoint (aka curl) + "curl": { + "path": "/api/lookup", + "exe_path": "curl", //Path to the curl executable + "extra_args": [ + "--globoff", //Disables unsafe url globbing + "--no-keepalive", //Disables keepalive, uneeded for a single lookup request + "--max-filesize", "100K", //Max file size 100K + "--max-redirs", "5", //Max redirects 5 + "--location" //Follow redirects + ] + }, + + "registration": { + "path": "/api/register", //Path for the registration endpoint + "token_lifetime_mins": ${REG_TOKEN_DURATION_MIN}, //Token lifetime in minutes + "key_regen_interval_mins": ${REG_TOKEN_DURATION_MIN}0 //Signing key regeneration interval in minutes + } +} \ No newline at end of file diff --git a/ci/config-templates/config-template.json b/ci/config-templates/config-template.json new file mode 100644 index 0000000..7055678 --- /dev/null +++ b/ci/config-templates/config-template.json @@ -0,0 +1,170 @@ +{ + + //Host application config, config is loaded as a read-only DOM that is available + //to the host and loaded child plugins, all elements are available to plugins via the 'HostConfig' property + + "http": { + //The defaut HTTP version to being requests with (does not support http/2 yet) + "default_version": "HTTP/1.1", + //The maxium size (in bytes) of response messges that will be compressed + "compression_limit": 512000, + //Minium response size (in bytes) to compress + "compression_minimum": 2048, + //The size of the buffer to use when parsing multipart/form data uploads + "multipart_max_buf_size": 8192, + //The maxium ammount of data (in bytes) allows for mulitpart/form data file uploads + "multipart_max_size": 80240, + //Absolute maximum size (in bytes) of the request entity body (exludes headers) + "max_entity_size": ${MAX_CONTENT_LENGTH}, + //Keepalive ms for HTTP1.1 keepalive connections + "keepalive_ms": 1000000, + //The buffer size to use when parsing headers (also the maxium request header size allowed) + "header_buf_size": 8128, + //The maxium number of headers allowed in an HTTP request message + "max_request_header_count": 50, + //The maxium number of allowed network connections, before 503s will be issued automatically and connections closed + "max_connections": 5000, + //The size in bytes of the buffer to use when writing response messages + "response_buf_size": 65536, + //time (in ms) to wait for a response from an active connection in recv mode, before dropping it + "recv_timeout_ms": 5000, + //Time in ms to wait for the client to accept transport data before terminating the connection + "send_timeout_ms": 60000, + //The size (in bytes) of the buffer used to store all response header data + "response_header_buf_size": 16384, + //Max number of file uploads allowed per request + "max_uploads_per_request": 10 + }, + + //Compression is installed in the container at lib/ directory along with the native library supporting gzip and brotli + "compression_lib": "lib/vnlib.net.compression/VNLib.Net.Compression.dll", + + //Setup the native lib + "vnlib.net.compression": { + "lib_path": "${COMPRESSION_LIB_PATH}", + "level": 1 + }, + + + //Maxium ammount of time a request is allowed to be processed (includes loading or waiting for sessions) before operations will be cancelled and a 503 returned + "max_execution_time_ms": 20000, + + //Collection of objects to define hosts+interfaces to build server listeners from + "virtual_hosts": [ + { + + "trace": ${HTTP_TRACE_ON}, + + //The interface to bind to, you may not mix TLS and non-TLS connections on the same interface + "interface": { + "address": "0.0.0.0", + "port": 8080 + }, + + //Collection of "trusted" servers to allow proxy header support from + "downstream_servers": ${HTTP_DOWNSTREAM_SERVERS}, + + //The hostname to listen for, "*" as wildcard, and "[system]" as the default hostname for the current machine + "hostname": "*", + "path": "dist/", + + //A list of file extensions to deny access to, if a resource is requested and has one of the following extensions, a 404 is returned + "deny_extensions": [ ".ts", ".json", ".htaccess", ".php" ], + //The default file extensions to append to a resource that does not have a file extension + "default_files": [ "index.html" ], + + //A list of error file objects, files are loaded into memory (and watched for changes) and returned when the specified error code occurs + "error_files": [], + + //The default + "cache_default_sec": 864000, + + "ssl": ${SSL_JSON}, + } + ], + + + //Defines the directory where plugin's are to be loaded from + "plugins": { + //Hot-reload creates collectable assemblies that allow full re-load support in the host application, should only be used for development purposes! + "hot_reload": false, + "path": "plugins/", + "config_dir": "config/", + "assets": "plugins/assets/" + }, + + "sys_log": { + "path": "data/logs/sys-log.txt", + "flush_sec": 5, + "retained_files": 31, + "file_size_limit": 10485760, + "interval": "infinite" + }, + + "app_log": { + "path": "data/logs/app-log.txt", + "flush_sec": 5, + "retained_files": 31, + "file_size_limit": 10485760, + "interval": "infinite" + }, + + //HASHICORP VAULT + "hashicorp_vault": { + "url": "${HC_VAULT_ADDR}", + "token": "${HC_VAULT_TOKEN}", + "trust_certificate": ${HC_VAULT_TRUST_CERT}, + }, + + //SQL CONFIG + "sql": { + "provider": "${SQL_LIB_PATH}", + "connection_string": "${SQL_CONNECTION_STRING}" + }, + + //VNCACHE global config + //Enable vncache as the providers above rely on the object caching server + "cache": { + + "assembly_name": "${CACHE_ASM_PATH}", + "url": "${REDIS_CONNECTION_STRING}", + + //Max size (in bytes) of allowed data to be stored in each user's session object + "max_object_size": 8128, + + //Request timeout + "request_timeout_sec": 10, + + //Time delay between cluster node discovery + "discovery_interval_sec": 120, + + //Initial nodes to discover from + "initial_nodes": ${VNCACHE_INITIAL_NODES}, + + //Disable TLS + "use_tls": false, + + //Setting this value to true will cause the cache store to load a memory-only instance, without remote backing + "memory_only": ${MEMCACHE_ONLY}, + + //enable memory cache + "memory_cache": { + "buckets": 20, + "bucket_size": 5000, + "max_age_sec": 600, + "refresh_interval_sec": 60, + "zero_all": false, + "max_object_size": 8128 + } + }, + + "secrets": { + //Special key used by the loading library for access to the PasswordHashing library to pepper password hashes + "passwords": "${PASSWORD_PEPPER}", + "db_password": "${DATABASE_PASSWORD}", + "client_private_key": "${VNCACHE_CLIENT_PRIVATE_KEY}", + "cache_public_key": "${VNCACHE_CACHE_PUBLIC_KEY}", + "redis_password": "${REDIS_PASSWORD}" + } +} + diff --git a/ci/config-templates/routes.xml b/ci/config-templates/routes.xml new file mode 100644 index 0000000..85f9830 --- /dev/null +++ b/ci/config-templates/routes.xml @@ -0,0 +1,46 @@ + + + + + + + + + + + * + + + /assets/* + + + + + * + / + index.html + + + + + * + /* + / + + + + + + \ No newline at end of file -- cgit