# --- SERVER SECRETS ---
# Copy this file to .env and fill in real values there; keep .env out of version control.
# Random 32-character string used for AES encryption; `openssl rand -hex 16`
# produces one (16 random bytes, hex-encoded).
# REQUIRED: the service refuses to start if this is empty or shorter than 16 chars.
# The length check alone does NOT catch the placeholder below (it is longer than
# 16 chars), so make sure it is actually replaced before deployment.
SERVER_SECRET=your_random_32_character_secret_here
# --- LOGGING ---
# Log level: debug, info, warn, error
LOG_LEVEL=info
# --- INITIAL ADMIN USER ---
# Credentials for the initial admin account. Use a strong, unique password and
# never commit a real one to version control.
INITIAL_USER=admin
INITIAL_PASSWORD=your_secure_password_here
INITIAL_EMAIL=admin@example.com
# Optional: Pre-set a 2FA secret (Base32 format). Anyone who can read this value
# can generate valid codes, so treat it like a password, not like a setting.
INITIAL_2FA_SECRET=YOUR_BASE32_2FA_SECRET_HERE
# --- REDIS CONFIGURATION ---
REDIS_HOST=rauth-auth-redis
REDIS_PORT=6379
REDIS_PASSWORD=your_redis_password_here
# --- AUTHENTICATION SETTINGS ---
# Domain attribute of the auth cookie (e.g., .example.com). The cookie is sent to this
# domain and all of its subdomains, so use the narrowest domain all protected apps share.
COOKIE_DOMAIN=example.com
# Session token lifetime in minutes (2880 = 2 days). With rotation disabled below,
# a stolen token stays usable for this whole window.
TOKEN_VALIDITY_MINUTES=2880
# Interval in minutes for automatic session token rotation (0 = disabled)
# Rotating tokens periodically (e.g. every 30 mins) limits how long a stolen
# token stays usable. Requires the reverse proxy to pass the auth service's
# Set-Cookie response header through to the client; otherwise the browser never
# receives the rotated token.
TOKEN_ROTATION_MINUTES=0
# Allowlist of hosts that post-login redirects may target (comma separated).
# This is the open-redirect guard: only listed hosts are accepted as redirect
# targets, so list exactly the hosts of your protected applications. The
# defaults below only cover local testing.
ALLOWED_HOSTS=localhost,127.0.0.1
# List of allowed ISO 3166-1 alpha-2 country codes (comma separated, e.g. US,DE).
# Country lookups are based on the client IP derived under IP EXTRACTION below.
ALLOWED_COUNTRIES=
# How to handle a country change for an existing session:
# strict = log the user out immediately (default)
# lenient = log/audit the change but keep the session (good for roaming/VPN/CGNAT)
# The ALLOWED_COUNTRIES allowlist is always enforced regardless of this setting.
GEO_CHANGE_MODE=strict
# Optional: Manual list of allowed WebAuthn origins (comma separated).
# Each entry must match the browser's exact origin (scheme, host and port), which
# is why this is needed behind a proxy or on a non-standard port.
# Example: https://auth.example.com,http://localhost:5980
WEBAUTHN_ORIGINS=
# Public URL of the auth service, used to build links in emails. Use the https://
# URL users actually reach; the localhost default is for local testing only.
# Example: https://auth.example.com
PUBLIC_URL=http://localhost:5980
# Port to expose the auth service on the host
AUTH_PORT=5980
# --- IP EXTRACTION (Reverse Proxy Trust) ---
# RAuth includes "Smart IP Detection": it automatically trusts X-Forwarded-For
# and X-Real-IP when the connection comes from a private-network address (Docker/LAN).
# That means ANY peer on the private network can set these headers, so make sure
# only your reverse proxy can reach the auth service directly.
# Enable the flags below ONLY if your proxy sits on a public IP or you want explicit
# control. Trusting these headers from a source other than your proxy lets clients
# choose their own IP, which defeats the per-IP rate limits, the country checks and
# METRICS_ALLOWED_IPS further down.
TRUST_CLOUDFLARE_IP=false
TRUST_X_REAL_IP=false
TRUST_X_FORWARDED_FOR=false
# --- PASSWORD POLICY ---
PWD_MIN_LENGTH=8
PWD_REQUIRE_UPPER=true
PWD_REQUIRE_LOWER=true
PWD_REQUIRE_NUMBER=true
PWD_REQUIRE_SPECIAL=true
# Reject passwords found in the built-in common/breached blocklist
PWD_CHECK_COMMON=true
# bcrypt work factor (cost) for password hashing (4-31; default 12).
# Each +1 doubles hashing time for every login attempt; raise it only after
# measuring login latency on your hardware.
BCRYPT_COST=12
# --- OBSERVABILITY ---
# Comma-separated list of trusted IPs or CIDR ranges allowed to read /metrics.
# This check is only as reliable as the client IP the service derives, so review the
# IP EXTRACTION settings above before exposing the service. 100.64.0.0/10 is the
# CGNAT range (also used by some mesh VPNs); drop it if you do not rely on it.
METRICS_ALLOWED_IPS=127.0.0.1,::1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10
# --- RATE LIMITING ---
# Maximum login attempts before being blocked (per IP)
RATE_LIMIT_LOGIN_MAX=30
# Time window in seconds for login attempts to reset
RATE_LIMIT_LOGIN_DECAY=300
# Maximum registration attempts before being blocked (per IP)
RATE_LIMIT_REG_MAX=10
# Time window in seconds for registration attempts to reset
RATE_LIMIT_REG_DECAY=300
# Maximum token validation attempts before being blocked (per IP)
RATE_LIMIT_VALIDATE_MAX=1000
# Time window in seconds for validation attempts to reset
RATE_LIMIT_VALIDATE_DECAY=60
# --- ADVANCED RATE LIMITING (Brute Force Protection) ---
# Basic IP Throttling for ALL requests (GET/POST) to login page
RATE_LIMIT_LOGIN_ACCESS_MAX=300
RATE_LIMIT_LOGIN_ACCESS_DECAY=60
# Max failed login attempts for a specific account before lockout.
# This is the main defense against password guessing from many IPs, but a low
# value also makes it easy to lock a known user out deliberately; balance it
# against the decay window below.
RATE_LIMIT_LOGIN_FAIL_USER_MAX=10
# Time window in seconds for account lockout to reset
RATE_LIMIT_LOGIN_FAIL_USER_DECAY=300
# Max failed login attempts from an IP across all users (bot detection)
RATE_LIMIT_LOGIN_FAIL_IP_MAX=50
# Time window in seconds for global IP failure reset
RATE_LIMIT_LOGIN_FAIL_IP_DECAY=600
# --- GEO SERVICE CONFIGURATION ---
# Get your credentials at https://www.maxmind.com/
# The license key is a secret; keep it out of version control like the others above.
MAXMIND_ACCOUNT_ID=your_maxmind_account_id
MAXMIND_LICENSE_KEY=your_maxmind_license_key
MAXMIND_DB_PATH=/app/geoip/GeoLite2-Country.mmdb
GEOIP_EDITION_IDS=GeoLite2-Country
# --- SMTP / EMAIL CONFIGURATION ---
# The Gmail values below are only an example. Use an app-specific password rather
# than the account password, and treat SMTP_PASS as a secret.
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=your_email@gmail.com
SMTP_PASS=your_app_password
SMTP_FROM=your_email@gmail.com