Configuration

################################################
#               Manager settings               #
################################################

# The 'manager' section defines some basic settings of the Mangement Portal.
[manager]

# The ip port to listen for requests on.
listen = "0.0.0.0:8443"

# If true, TLS will be enabled.
tls = true

# Paths for TLS certificate and key files, if 'manager.tls' is set to true.
certFile = "./server.crt"
keyFile = "./server.key"

# Configuration of Let's Encrypt certificates.
letsEncrypt = false
letsEncryptDomain = ""

################################################
#           Manager backend settings           #
################################################

# The 'manager.backend' section defines how to connect to Redis and InfluxDB.
# Multiple backends can be defines in order for one Management Portal to connect to
# several sets for workers.
[[manager.backend]]

# The name of the backend.
backendID = "default"

# Addresses of redis nodes
redisAddress = ["localhost:6379"]

# If Redis Sentinel is used, this sets the master name
redisMaster = ""

# Username for redis
redisUser = ""

# Password for redis
redisPassword = ""

# Whether to use TLS for redis connections
redisUseTLS = false

# If 'true', TLS certificate errors for Redis will be ignored.
redisIgnoreTLS = false

# Redis connect timeout specified in milliseconds. Defaults to 250 if not set.
redisConnectTimeout = 250

# Redis read timeout specified in milliseconds. Defaults to 250 if not set.
redisReadTimeout = 250

# Redis write timeout specified in milliseconds. Defaults to 250 if not set.
redisWriteTimeout = 250

# The InfluxDB configuration. These settings are optional.
influxAddress = ""
influxToken = ""
influxIgnoreTLS = false

# This is a default configuration file. It is possible to load environment variables at
# runtime with the syntax `${}'. ie:
# listen = "0.0.0.0:${PORT}"

################################################
#               Network settings               #
################################################

# The 'network' section defines the basic server configuration of the reverse proxy.
[network]

# The IP and port to listen for requests on.
listen = "0.0.0.0:443"

# If true, TLS will be enabled.
tls = true

# Sets the minimum TLS version the reverse proxy will use. Allowed values are:
# 'TLS1.0', 'TLS1.1', 'TLS1.2', 'TLS1.3'
# If this option is not set, TLS 1.2 is used as the default.
tlsMinVersion = ""

# Paths for TLS certificate and key files that are used if 'network.tls' is set to true.
# This certificate and key will be used as fallback when *no* certificate and key is
# specified for an endpoint.
certFile = "./server.crt"
keyFile = "./server.key"

# If 'true', this Worker will  be able to provision certificates via Let's Encrypt. Note
# that each endpoint where Let's Encrypt certificates are want must also have the
# 'endpoint.letsEncrypt' value set to 'true'.
letsEncrypt = false

# If 'true', TLS certificate errors from the backend server will be ignored.
# This is for example useful if self-signed or otherwise internal certificates are used.
ignoreTLS = false

# 'network.disallowPrivate' ensures that private IP addresses cannot be accessed by the
# proxy. 'network.disallowLocal' ensures that that only global unicast addresses can be
# accessed by the proxy, disallowing addresses such as loopback or multicast addresses
# (note that private addresses count as global). These options are useful to restrict
# Management Portal users from attempting to access local or private infrastructure.
disallowLocal = false
disallowPrivate = false

# The timeout, in seconds, before giving up on requests to the backend server.
remoteTimeout = 5

# If true, the Worker will assume that the last entry in the last `X-Forwarded-For`
# header is the actual client IP for use in logs and IP allow-lists for endpoints.
# Additionally the last field in X-Forwarded-Proto will be used to determine whether to
# set "Secure" on outgoing cookies.
# Incompatible with 'network.useProxyProtocol'.
behindProxy = false

# When true, PROXY protocol will be enabled on the listening socket. Both version 1
# (text based) and version 2 (binary based) are supported. Incompatible with
# 'network.behindProxy'.
useProxyProtocol = false


################################################
#             Bootloader settings              #
################################################

# The 'bootloader' section contains some basic configuration of the Bootloader.
[bootloader]

# Addresses of redis nodes
redisAddress = ["localhost:6379"]

# If Redis Sentinel is used, this sets the master name
redisMaster = ""

# Username for redis
redisUser = ""

# Password for redis
redisPassword = ""

# Whether to use TLS for redis connections
redisUseTLS = false

# The maximum number of Redis connections to pool. Note that this is per Worker
# instance, so keep this in mind if you are subject to connection limitations.
redisMaxConn = 100

# If 'true', TLS certificate errors for Redis will be ignored.
redisIgnoreTLS = false

# Redis connect timeout specified in milliseconds. Defaults to 250 if not set.
redisConnectTimeout = 250

# Redis read timeout specified in milliseconds. Defaults to 250 if not set.
redisReadTimeout = 250

# Redis write timeout specified in milliseconds. Defaults to 250 if not set.
redisWriteTimeout = 250

# The InfluxDB configuration. These settings are optional.
influxAddress = ""
influxIgnoreTLS = false
influxToken = ""

# Path to a configuration file for the Web Application Firewall. The file must contain a
# set of ModSecurity rules.
modSecurityConf = ""

# This option can be set to 'true' in order to run the Worker in "standalone" mode. Each
# endpoint can then be configured in this file (see the 'endpoint' section below), instead
# of configuring them through the Management Portal.
fsEndpoints = false

# Can be set to "redis" or "local". For "redis", state is shared amongst
# workers through the configured Redis instance. With "local", state is stored
# in memory in the worker. The "redis" instance is required for sharing
# sessions across multiple workers and for persistence across restarts. The
# recommended value is "redis".
sessionBackend = "redis"


################################################
#               Cache settings                 #
################################################

# The 'cache' settings controls some basic settings of the Worker's HTTP cache.
[cache]

# A path to folder where the cached files will be stored. The path must be absolute.
# Note that *all* contents of the folder will be deleted when the Worker starts.
folder = ""

# The maximum file size to cache, in bytes.
maxFileSize = 0

# The maximum total size of the cache, in bytes.
maxSize = 0


################################################
#              Endpoint settings               #
################################################

# When 'bootloader.fsEndpoints' is 'true' configuration of each endpoint will be read from
# this section. Otherwise, this section has no effect. The 'bootloader.fsEndpoints' option
# is *not* recommended for production deployments.
[[endpoint]]

################################################
#          Endpoint general settings           #
################################################

# Disables Codesealer protection for this endpoint. Traffic is still forwarded, but new
# requests will be unprotected.
disable = false

# This URL should match the hostname of the Codesealer instance. The reverse proxy will
# only process and protect requests that match the URL defined in this option - any
# other requests will result in a `404 Not Found` response. Allowed values are URLs of
# the form '<scheme>://<hostname or IP>[:port]' The scheme must be either `http` or
# `https`. The port is optional. A single leading `*` wildcard is allowed in the
# hostname.
remoteIn = "https://localhost:8443"

# This is the address where Codesealer will proxy requests to. Allowed values are URLs
# of the form '<scheme>://<hostname or IP>[:port]' The scheme must be either `http` or
# `https`. The port is optional.
#
# All requests matching the Incoming URL will be sent to this address instead. The
# request itself will not be altered - in particular, by default the `Hostname` header
# will not be modified.
remoteOut = "http://localhost:9000"

# This list of scripts will select which scripts are protected. Only scripts that occur
# in HTML '<script>' tags will be protected this way. The entries need to match the
# 'src' attribute in corresponding '<script>' tags exactly. When 'endpoint.scriptOptOut'
# is 'true', entries in this list can be prefixed with 'optout:' to remove protection
# from selected scripts.
scriptOptIn = []

# When 'true', all scripts that occur in HTML '<script>' tags are protected by
# Codesealer Enterprise automatically. Note that scripts inserted dynamically after page
# load are not protected by this option - see instead the 'endpoint.enableXhr' section.
scriptOptOut = true

# When 'true', Codesealer will ignore any TLS errors from the backend server. This is
# for example useful if self-signed or otherwise internal certificates are used. This
# also applies to WebSocket requests.
ignoreRemoteTLS = false

# This option will only take effect if 'network.letsEncrypt' is 'true'. By enabling this
# option, you agree to the at any time applicable TOS for Let's Encrypt. Note: The DNS
# Record for the URL specified in 'endpoint.remoteIn' must point to Codesealer.
letsEncrypt = false

# Paths for TLS certificate and key files that are used if 'network.tls' is set to true.
tlsCertPath = ""
tlsKeyPath = ""

################################################
#            Endpoint ANP settings             #
################################################

# When 'true', all XHR and fetch calls will be automatically replaced with corresponding
# ANP variants.
autoXhr = true

# This allows ANP XHR and fetch to be accessed on the window object. The
# 'endpoint.autoXhr' option must be 'true'.
exposeXhrWindow = true

# When 'true', scripts inserted dynamically on head and body elements will be
# intercepted and independently transferred through ANP.
protectDynamicContent = true

# When 'true', all WebSocket calls will be automatically replaced with corresponding ANP
# variants.
enableWebSocket = false

# This allows ANP WebSockets to be accessed on the window object. The
# 'endpoint.enableWebSocket' option must be 'true'.
exposeWebSocketWindow = false

# A list of allowed endpoints to protect for ANP requests. If the list is empty, all
# domains are allowed.
allowedDomains = []

# Session lifetime for Application Network Protection. If set to 0, the default will be
# used.
sessionLifetime = 0

################################################
#            Endpoint WAF settings             #
################################################

# When 'true', the Web Application Firewall is enabled. See 'bootloader.modSecurityConf'
# for how to configure the WAF.
enableWaf = false

# When 'true', the entire payload of requests, including response headers and body, will
# be passed through the WAF.
wafFullTransaction = false

# When 'true', no requests will be blocked by the WAF, and all interventions will merely
# be logged.
wafMonitorMode = false

################################################
#         Endpoint advanced settings           #
################################################

# This will set the Server Name Indication (SNI) on proxied TLS requests to the provided
# value instead of the requested host. This can be useful if the installed TLS
# certificate on the remote server is issued to a different domain.
SNIOverwrite = ""

# This will set the 'Hostname' header on proxied requests to the provided value instead
# of the requested host. This can be useful if the backend server uses virtual hosting.
HostnameOverwrite = ""

# This option must be 'true' if the backend serves HTML where '<script>' tags occur
# after the '</body>' or '</html>' tags.
invalidHTMLCompat = false

# When 'true', code in the '<body>' tag's 'onload' attribute will be correctly executed.
bodyOnloadCompat = false

# When 'true', window scope compatibility mode will be activated.
windowScopeCompat = false

# When 'true' Codesealer will only allow GET, HEAD and OPTIONS request methods from
# clients that do not have an active Codesealer session, blocking all other methods.
strictSession = false

# When 'true' requests will be redirected to a non-interactive validation page before
# being redirected to the requested URL. Once the session is validated, the validation
# page will not be shown again, unless the session hits a rate limit. This feature can
# reduce the effects of Layer 7 DDoS attacks.
appThrottling = false

# When app throttling is enabled this value will determine the maximum sustained number 
# of requests per second allowed for each client.
appThrottlingRate = 10

# When app throttling is enabled this value will determine the maximum burst of requests 
# allowed for each client.
appThrottlingBurst = 20

# When app throttling is enabled this value will determine the amount of iterations 
# performed in the PoW challenge.
appThrottlingIterations = 256

# When 'true' Codesealer will not set the 'X-Forwarded-For' and 'X-Forwarded-Host'
# headers.
#
# This option is meant for testing scenarios, where adding the headers may confuse
# existing infrastructure. This should not be used in production scenarios.
omitProxyHeaders = false

# When 'true', the 'Content-Security-Policy' HTTP Header will be stripped from all
# requests that have scripts protected. A better solution is to allow 'eval' by setting
# the header "Content-Security-Policy: script-src 'unsafe-eval'".
stripContentSecurity = false

# When 'true' Coesealer will fire a `DOMContentLoaded` and `load` event after loading
# all protected scripts. This will enable applications that rely on these events to
# function properly with Codesealer protection.
injectDOMContentLoaded = false

# Setting this to 'true' will ensure that absolute `Location` header redirects for the
# Outgoing URL are changed to relative URLs instead.
redirectCompat = false

# When 'true', extra cookies will not be attached to responses. This can cause some
# cookies to not be set on protected requests.
disableCSCookies = false

# When 'true', all requests to this endpoint will be terminated as early as possible. This can be used
# to mitigate smaller DoS attacks on multi-endpoint deployments.
killSwitch = false

# When 'true' protected script tags will not have their attributes removed. Note that
# some standard attributes are always removed.
scriptRetainAttributes = false

# The IP addresses listed here will bypass Codesealer protection. Please note that
# additional configuration is needed for Codesealer to see client IPs when using proxy
# servers or load balancing in front of Codesealer.
ipBypassList = []

# If 'true', the behavior of 'ipBypassList' is inverted. This means that only the IPs
# in the bypass list will be protected.
invertIPBypassList = false

# If non-empty, only traffic originating from IP addresses in this list will be allowed
# to access the endpoint.
ipAccessList = []

# The given JavaScript code will be injected into the beginning protected scripts. This
# can be used in debugging scenarios, where it is not feasible to modify certain aspects
# of a protected application.
scriptPreamble = ""

# The given JavaScript code will be injected at the end of all protected scripts. This
# can be used in debugging scenarios, where it is not feasible to modify certain aspects
# of a protected application.
scriptPostamble = ""

# ES6 modules are bundled into a single file by the worker. This option determines
# wheter the resulting bundle should also be minified.
minifyBundles = true

# When set to 'true' this option enables the HTTP cache feature for this endpoint. See
# the the 'cache' section for Worker specific settings and the 'endpoint.cacheRule'
# section for configuration of the cache rules.
cacheEnabled = false

# The 'endpoint.proxyPathFilter' section defines a set of rules for selectively blocking
# requests from being proxied. The rules are processed in order, such that firewall-like
# behavior can be achieved. The first rule to match will take effect. The path matching
# is case insensitive.
[[endpoint.proxyPathFilter]]
block = true
path = "/"

# The 'endpoint.protectionPathFilter' section defines a set of rules for selectively
# bypassing script protection. The rules are processed in order, such that firewall-like
# behavior can be achieved. The first rule to match will take effect. The path
# matching is case insensitive.
[[endpoint.protectionPathFilter]]
bypass = true
path = "/"

# The 'endpoint.scriptReplace' section defines a set of rules for simple search and
# replace in all scripts protected by Codesealer.
[[endpoint.scriptReplace]]
to = ""
from = ""

################################################
#           Endpoint cache settings            #
################################################

# The 'endpoint.cacheRule' section defines a set of rules for Codesealer's internal HTTP
# cache. See also the 'cache' section for Worker specific settings.
[[endpoint.cacheRule]]

# The value of the Content-Type header to match on. Both 'contentType' and 'path' has to
# match for the resource to be cached. The special wildcard value '*' can be used to
# match all content types.
contentType = ""

# The path of the request to match on. Both 'contentType' and 'path' has to match for
# the resource to be cached. The special wildcard value '*' can be used to match all
# paths.
path = ""

# If this value is not zero, the expiry of the cached resource will be overriden.
overrideMaxAge = 0

# When 'true', resources are cached despite 'no-store' directives.
ignoreNoStore = false

# When 'true', resources are cached despite 'no-cache' directives.
ignoreNoCache = false