-
Notifications
You must be signed in to change notification settings - Fork 39
/
Copy pathminum.config
248 lines (195 loc) · 8.69 KB
/
minum.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
###########################################################################
###########################################################################
#
# The Minum configuration file. All of these values have further
# detail, particularly in their assigned default values, in
# the Constants.java file.
#
###########################################################################
###########################################################################
### The port used for our plain, non-secure server
### Options: usually 1-1024 are reserved ports. See https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
SERVER_PORT=8080
### the port for our secure, TLS 1.3 server
### notes above for SERVER_PORT apply here as well
SSL_SERVER_PORT=8443
### the name of our host on the internet. Used by our
### system when it needs to build a self-referencing URL.
HOST_NAME=localhost
### database top-level directory. In other words, this is where
### the database is located.
DB_DIRECTORY=out/simple_db
### static files top-level directory. These are the files that are
### served as-is, without any further computation, such as image files.
STATIC_FILES_DIRECTORY=src/test/webapp/static/
### The log levels are:
###
### Related to the business purposes of the application. That is,
### the very highest-level, perhaps least-common logging messages.
### AUDIT
###
### Information useful for debugging.
### DEBUG
###
###
### Most often, indicates an error resulting from a bug in the program.
### These should be taken very seriously - fix them when found.
### ASYNC_ERROR
###
###
### Information marked as trace is pretty much entered for
### the same reason as DEBUG - i.e. so we can see important
### information about the running state of the program. The
### only difference is that trace information is very voluminous.
### That is, there's tons of it, and it could make it harder
### to find the important information amongst a lot of noise.
### For that reason, TRACE is usually turned off.
### TRACE
###
### list them here, separated by commas
### Options: DEBUG,TRACE,ASYNC_ERROR,AUDIT
LOG_LEVELS=DEBUG,ASYNC_ERROR,AUDIT
### --------------------------------------------------------------------
### --------------------------------------------------------------------
### Advanced configuration section
### following are more advanced configurations. Enjoy, but be careful.
### --------------------------------------------------------------------
### --------------------------------------------------------------------
###
### Certificates
###
### Information needed for the TLS certs.
### Search online for more information about keystore.
#KEYSTORE_PATH=/path/to/file
#KEYSTORE_PASSWORD=mypassword123
### This value is sent out for browsers to use.
### It is the length of time, in seconds, for static files to be cached,
### per the provisions of the Cache-Control header, e.g.
###
### "Cache-Control: max-age=" + STATIC_FILE_CACHE_TIME
###
#STATIC_FILE_CACHE_TIME=300
### TheBrig (TheBrig.java) manages a collection of identifiers
### for attackers of our system. Disabling it here will cause it
### to abdicate its job - mainly for testing purposes - probably
### performance testing. The value should be "true" or "false"
#IS_THE_BRIG_ENABLED=true
### This property lets the user add mappings between file suffixes
### and mime types. For example, "png" to "image/png" or whatever.
### See https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types
###
### Try to follow the syntax here.
EXTRA_MIME_MAPPINGS = \
png,image/png, \
wav,audio/wav, \
mp4,video/mp4
### These are error messages that arrive to the server code
### when an unusual request arrives, potentially signifying an attack.
### Do note that several of these are likely to show up if you
### are running testing tools against the app.
### also, understand that while our code may interpret
### a request as an attack, nothing else will happen unless TheBrig
### is enabled, in which case the offender will be added to a list
### and denied connection.
###
### If a request causes any of these exception messages, the ip address of that client will be barred from the
### system for the length of time in VULN_SEEKING_JAIL_DURATION, and each additional request
### during that time will extend the duration similarly.
SUSPICIOUS_ERRORS = \
Insufficient buffer remaining for AEAD cipher fragment,\
The client supported protocol versions,\
no cipher suites in common,\
Client requested protocol TLSv1.1 is not enabled or supported in server context,\
Received fatal alert\: unsupported_certificate,\
SSLv2Hello is not enabled,\
The ClientHello.legacy_version field is not TLS 1.2,\
Client requested protocol SSLv3 is not enabled or supported in server context,\
Received fatal alert\: bad_certificate\
### Similar to the property "suspiciousErrors", these endpoints
### are often associated with attackers, and will immediately
### result in being deemed as such.
###
### If a request contains any of these values, the ip address of that client will be barred from the
### system for the length of time in VULN_SEEKING_JAIL_DURATION, and each additional request
### during that time will extend the duration similarly.
SUSPICIOUS_PATHS = \
.env,\
.git/config,\
?XDEBUG_SESSION_START\=phpstorm,\
_ignition/health-check/,\
ab2g,\
ab2h,\
actuator/gateway/routes,\
config.json,\
dns-query,\
geoserver/web/,\
info.php,\
loginuser%27,\
mgmt/shared/authn/login,\
owa/auth/logon.aspx,\
public/_ignition/health-check/,\
remote/fgt_lang,\
server-status,\
sitemap.xml,\
sitemap.xml.gz,\
t4,\
telescope/requests,\
tmui/login.jsp,\
version,\
webtools/control/main,\
wp-includes/wlwmanifest.xml,\
wp-login.ph,\
### This describes the maximum length of bytes, total, Minum will read from a body.
### By default, set to 10 megabytes. Be aware that there is some subtlety here. The
### system will parse the data as it pulls from the socket. If your system is expected
### to handle large data uploads, it would be worthwhile to investigate the code in
### places like BodyProcessor.extractBodyFromBytes
###
### If a request exceeds this value, the ip address of that client will be barred from the
### system for the length of time in VULN_SEEKING_JAIL_DURATION, and each additional request
### during that time will extend the duration similarly.
#MAX_READ_SIZE_BYTES=10485760
### The maximum bytes allowed for a single line when the server is reading by line. This
### will affect the headers, including the request and status lines. It may be necessary
### to increase this value if your server requires larger headers, such as when using
### JWT's for authentication.
###
### If a request exceeds this value, the ip address of that client will be barred from the
### system for the length of time in VULN_SEEKING_JAIL_DURATION, and each additional request
### during that time will extend the duration similarly.
#MAX_READ_LINE_SIZE_BYTES=1024
### How long we will wait before closing a connection, if we are
### on a keep-alive connection. The default value is probably fine
### in most cases.
#KEEP_ALIVE_TIMEOUT_SECONDS=3
### A timeout, in milliseconds, for TCP sockets. If this value
### is a positive integer, the socket will block for that length
### of time. If zero, it is interpreted as an infinite timeout
### This is a good option to consider if you are doing debugging -
### it is much easier to debug without a timeout interrupting
### your work. That is to say, this might be set to zero for
### local debugging, and cleared or set to some positive value
### for production.
#SOCKET_TIMEOUT_MILLIS=7000
### Length of time, in milliseconds, bad actors will be prevented
### from connecting.
#VULN_SEEKING_JAIL_DURATION=10000
### Here is another option you might adjust to improve local
### debugging and feature development. The default is true,
### because it has nice performance to use a cache for all
### static files. But, if you set this to false in local
### development, it will not cache anything, meaning that
### every adjustment to a static file (e.g. css, js files)
### will be immediately sent from the server. Of course, you
### still need to consider any potential caching on the browser.
#USE_CACHE_FOR_STATIC_FILES=true
### This defines how many static files we will store in a LRU
### cache in our program. This means all static files like
### css or js files, and static images, will get stored in this
### cache, up to a maximum count as set here. This is a bit
### of a function of how many static files you expect to have
### in combination with how large those files are. The more
### in the cache, the more memory it takes. In many cases,
### there should not be too much concern, but here is a dial
### for it, just in case.
#MAX_ELEMENTS_LRU_CACHE_STATIC_FILES=1000