# ============================================================================
# bWall - Firewall Management Dashboard
# Environment Configuration File
# ============================================================================
# Copy this file to .env and update with your actual values
# DO NOT commit .env to version control - it contains sensitive information
# ============================================================================
# ----------------------------------------------------------------------------
# Database Configuration
# ----------------------------------------------------------------------------
# MariaDB/MySQL database connection settings
DB_HOST=localhost
DB_USER=iptables_user
DB_PASSWORD=your_secure_password_here
DB_NAME=iptables_db
# ----------------------------------------------------------------------------
# Application Server Configuration
# ----------------------------------------------------------------------------
# Host to bind the application to
# Use 0.0.0.0 to listen on all interfaces, or a specific IP to listen on one interface
APP_HOST=0.0.0.0
# Port to run the application on
APP_PORT=5000
# Base URL for the application (used for OIDC redirects)
# Automatically generated from APP_HOST and APP_PORT if not set
# BASE_URL=http://localhost:5000
# Secret key for Flask sessions (generate a secure random key)
# Generate with: openssl rand -hex 32
SECRET_KEY=your_secret_key_here_generate_with_openssl_rand_hex_32
# ----------------------------------------------------------------------------
# Authentication Configuration
# ----------------------------------------------------------------------------
# Authentication types (comma-separated): ENV, OIDC, LOCAL
# ENV: Simple username/password from environment variables
# OIDC: OpenID Connect (PocketID, etc.)
# LOCAL: Database-backed user accounts
# Order matters - authentication is tried in the order specified
AUTH_TYPE=ENV,OIDC,LOCAL
# ENV Authentication (if ENV is in AUTH_TYPE)
# Default username and password for ENV authentication (change both before deployment)
ADMIN_USERNAME=bwall
ADMIN_PASSWORD=ReadGoodBooks&BadNetworks
# ----------------------------------------------------------------------------
# OIDC Authentication Configuration (if OIDC is in AUTH_TYPE)
# ----------------------------------------------------------------------------
# PocketID or other OIDC provider issuer URL
# OIDC_ISSUER=https://your-pocketid-instance.example.com
# OIDC client ID from your OIDC provider
# OIDC_CLIENT_ID=your_client_id_here
# OIDC client secret from your OIDC provider
# OIDC_CLIENT_SECRET=your_client_secret_here
# OIDC redirect URI (callback URL)
# Automatically generated from BASE_URL if not set
# OIDC_REDIRECT_URI=http://localhost:5000/oidc_callback
# OIDC post-logout redirect URI
# Automatically generated from BASE_URL if not set
# OIDC_POST_LOGOUT_REDIRECT_URI=http://localhost:5000/
# ----------------------------------------------------------------------------
# AbuseIPDB Configuration
# ----------------------------------------------------------------------------
# AbuseIPDB API key (get from https://www.abuseipdb.com/)
# Leave empty to disable AbuseIPDB integration
ABUSEIPDB_API_KEY=
# AbuseIPDB reporting mode:
# - log_only: Log events only, do not report
# - log_and_hold: Queue reports for review before submitting
# - automatic: Automatically report IPs when blocked
ABUSEIPDB_MODE=log_and_hold
# ----------------------------------------------------------------------------
# Proxy Configuration
# ----------------------------------------------------------------------------
# Enable proxy for external API calls (AbuseIPDB, URL list fetching, etc.)
# PROXY_ENABLED=false
# Proxy server(s) - one per line, format: http://proxy.example.com:8080
# PROXY_SERVERS=
# Proxy authentication (if required)
# PROXY_USERNAME=
# PROXY_PASSWORD=
# Comma-separated list of hosts/domains to bypass proxy
# PROXY_NO_PROXY=localhost,127.0.0.1,*.local
# ----------------------------------------------------------------------------
# CORS Configuration
# ----------------------------------------------------------------------------
# Comma-separated list of allowed origins for CORS
# Automatically generated from BASE_URL if not set
# CORS_ORIGINS=http://localhost:5000,http://127.0.0.1:5000
# ----------------------------------------------------------------------------
# Monitoring Configuration
# ----------------------------------------------------------------------------
# Enable active log monitoring for abusive network activity
# MONITORING_ENABLED=true
# Default threshold for blocking (number of events)
# MONITORING_DEFAULT_THRESHOLD=5
# Default duration window in minutes for threshold evaluation
# MONITORING_DEFAULT_DURATION=60
# History retention policy:
# - full: Keep all records (no pruning)
# - 30: Keep records for 30 days
# - 90: Keep records for 90 days
# - 365: Keep records for 1 year
# MONITORING_HISTORY_RETENTION=90
# Enable permanent ban system
# MONITORING_PERMABAN_ENABLED=true
# Abuse score threshold for permanent ban
# MONITORING_PERMABAN_THRESHOLD=100
# ============================================================================
# Notes:
# ============================================================================
# 1. After creating .env from this example, run:
#      chmod 600 .env
#    to restrict file permissions
#
# 2. Generate a secure SECRET_KEY:
#      openssl rand -hex 32
#
# 3. For production deployments:
#    - Use strong passwords for DB_PASSWORD and ADMIN_PASSWORD
#    - Set APP_HOST to a specific IP or use a reverse proxy
#    - Enable HTTPS and update BASE_URL accordingly
#    - Configure OIDC for enterprise authentication
#    - Set appropriate CORS_ORIGINS
#
# 4. The quickstart.sh script can help you set up most of these values
#    interactively during installation.
# ============================================================================
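
The checks in the Notes above, as an added shell example (not part of bWall or its quickstart.sh): `audit_env` reports a .env that still carries the example's placeholders, the default admin password, the all-interfaces bind or loose file permissions. The function names and the sample file are constructed here, and values are assumed to be unquoted.

```shell
#!/bin/sh
# Added example (not bWall code): audit a .env against the Notes in env.example.

# Last uncommented KEY=value line in FILE wins; assumes unquoted values.
env_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Print one finding per line; print nothing if the file passes every check.
audit_env() {
    f=$1
    # Note 1: chmod 600, so group/other permission bits must all be clear.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        echo "PERMS: $f is accessible to group/other; run chmod 600"
    # Note 2: SECRET_KEY should be the 64 hex chars from openssl rand -hex 32.
    key=$(env_get "$f" SECRET_KEY)
    case $key in
        *[!0-9a-f]*) echo "SECRET_KEY: placeholder or not hex" ;;
        *) [ "${#key}" -eq 64 ] || echo "SECRET_KEY: expected 64 hex chars" ;;
    esac
    # Note 3: placeholder or published default passwords must be replaced.
    [ "$(env_get "$f" DB_PASSWORD)" != "your_secure_password_here" ] ||
        echo "DB_PASSWORD: still the example placeholder"
    case ",$(env_get "$f" AUTH_TYPE)," in
        *,ENV,*)
            [ "$(env_get "$f" ADMIN_PASSWORD)" != 'ReadGoodBooks&BadNetworks' ] ||
                echo "ADMIN_PASSWORD: still the example default with ENV auth on" ;;
    esac

    # Note 3: bind to a specific IP unless a reverse proxy fronts the app.
    [ "$(env_get "$f" APP_HOST)" != "0.0.0.0" ] ||
        echo "APP_HOST: listening on all interfaces"
    return 0
}

# Constructed sample: the security-relevant defaults from env.example.
make_sample() {
    cat > "$1" <<'EOF'
DB_PASSWORD=your_secure_password_here
APP_HOST=0.0.0.0
SECRET_KEY=your_secret_key_here_generate_with_openssl_rand_hex_32
AUTH_TYPE=ENV,OIDC,LOCAL
ADMIN_PASSWORD=ReadGoodBooks&BadNetworks
EOF
    chmod 644 "$1"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/.env"
audit_env "$demo_dir/.env"
rm -rf "$demo_dir"
```

An APP_HOST finding is expected and acceptable when a reverse proxy on the same host is the only path to the application.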