From 5908b65b9e5935040b7de0800dcae433e9e00179 Mon Sep 17 00:00:00 2001
From: Timm Fitschen <t.fitschen@indiscale.com>
Date: Wed, 5 Feb 2020 22:56:10 +0100
Subject: [PATCH] DOC: resolved TODOs in server.conf
---
 conf/core/server.conf | 39 ++++++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 17 deletions(-)
diff --git a/conf/core/server.conf b/conf/core/server.conf
index c030c624..462a1690 100644
--- a/conf/core/server.conf
+++ b/conf/core/server.conf
@@ -1,8 +1,9 @@
 # Set the timezone of the server
-# TODO: add example
+# e.g. TIMEZONE=Europe/Berlin or TIMEZONE=UTC.
+# Leaving this empty means that the server assumes the timezone of the host.
 TIMEZONE=
 # Set the name of the server owner
-# TODO: add example
+# e.g: SERVER_OWNER=XY Department
 SERVER_OWNER=
 # Name of this CaosDB Server
 SERVER_NAME=CaosDB Server
@@ -40,7 +41,6 @@ TMP_FILES=./CaosDBFileSystem/TMP/
 # Shared folder
 # Additional folder for longer term storage of scripting API output.
 # In contrast to the script's working directory, these subdirectories are publicly accessible.
-# TODO: add more details
 SHARED_FOLDER=./CaosDBFileSystem/Shared/
 # Path to the chown script which is needed by the drop off box in order to change permissions of files.
@@ -48,8 +48,7 @@ CHOWN_SCRIPT=./misc/chown_script/caosdb_chown_dropoffbox
 # This file is responsible for setting individual user and group permissions.
 USER_SOURCES_INI_FILE=./conf/ext/usersources.ini
-# The default state of users that are not configured in the usersources file
-# TODO: add more details
+# The default state of users which are added to the internal user source.
 NEW_USER_DEFAULT_ACTIVITY=INACTIVE
 # If set to true, unauthenticated access to the database is possible with an anonymous user.
 AUTH_OPTIONAL=FALSE
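Review bot: The two new example comments in the first hunk use different punctuation, `# e.g. TIMEZONE=Europe/Berlin or TIMEZONE=UTC.` versus `# e.g: SERVER_OWNER=XY Department`; the file otherwise reads as one voice, so I would settle on `# e.g. SERVER_OWNER=XY Department` for the second one. This is wording only, no behaviour is affected.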
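Review bot: The new comment above `NEW_USER_DEFAULT_ACTIVITY` in the third hunk (`@@ -48,8 +48,7 @@`) drops the TODO but still names neither the other permitted value(s) nor what INACTIVE means for a freshly added user. The activation-token comment added later in this patch (hunk at line 113ff.) suggests that such a user stays unable to log in until activated, which would make INACTIVE the safe default worth stating explicitly — confirm against the internal user source code. I would extend the comment with `# Allowed values: INACTIVE, <list the other permitted value(s) here>` and one sentence saying that an INACTIVE account must be activated (see ACTIVATION_TIMEOUT_MS) before it can be used, if that is indeed the behaviour.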
@@ -82,22 +81,24 @@ SERVER_PORT_HTTPS=443
 # HTTP port of this server instance.
 SERVER_PORT_HTTP=80
-# TODO: description missing
+# Initial number of HTTPConnection objects in the pool.
 INITIAL_CONNECTIONS=1
-# TODO: description missing
+# Maximum number of parallel HTTPConnections of the server
 MAX_CONNECTIONS=10
 # --------------------------------------------------
 # HTTPS options
 # --------------------------------------------------
-# TODO: Descriptions missing
+# Allowed TLS versions
 HTTPS_ENABLED_PROTOCOLS=TLSv1.3 TLSv1.2
+# Forbidden TLS versions
 HTTPS_DISABLED_PROTOCOLS=SSLv3 SSLv2Hello TLSv1.1 TLSv1.0
+# Allowed cipher suites which are used for the encryption of the HTTP payload.
 HTTPS_ENABLED_CIPHER_SUITES=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+# Forbidden cipher suites which are used for the encryption of the HTTP payload.
HTTPS_DISABLED_CIPHER_SUITES=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDH_ECDSA_WITH_RC4_128_SHA TLS_ECDH_RSA_WITH_RC4_128_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHASSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
-# TODO: Please check
 # Password for the private key for the HTTPS server.
 CERTIFICATES_KEY_PASSWORD=
 # Path to the keystore which typically ends in jks.
@@ -113,11 +114,12 @@ CERTIFICATES_KEY_STORE_PASSWORD=
 # 10 min
 SESSION_TIMEOUT_MS=600000
-# TODO: Description missing
+# Time after which activation tokens for the activation of new users (internal
+# user sources) expire.
 # 7days
 ACTIVATION_TIMEOUT_MS=604800000
-# TODO: description missing
+# The value for the HTTP cache directive "max-age"
 WEBUI_HTTP_HEADER_CACHE_MAX_AGE=28800
 # --------------------------------------------------
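Review bot: In the `HTTPS_DISABLED_CIPHER_SUITES` value that the new "Forbidden cipher suites" comment describes, the names `TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA` and `SSL_RSA_WITH_RC4_128_MD5` are run together as `TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHASSL_RSA_WITH_RC4_128_MD5`; unless this is an artifact of how the page was rendered, the combined token matches no suite name, so neither of the two suites is actually matched by this entry and a separating space is needed. The `HTTPS_ENABLED_CIPHER_SUITES` list in the same hunk also carries `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` twice, harmless but worth cleaning up while the lists are being documented. The new comments on the enabled/disabled pairs should also say how the two lists are combined when a protocol or suite appears in both, for instance `# A suite listed here is never offered, even if it also appears in HTTPS_ENABLED_CIPHER_SUITES.` — I cannot tell from the hunk whether that is how the server applies them, so confirm before writing it. The removed `# TODO: Please check` above `CERTIFICATES_KEY_PASSWORD` is not replaced by anything; a line such as `# Leave empty if the key is not password protected.` would answer the question the TODO was asking, if that is the supported case.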
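Review bot: The new comment for `WEBUI_HTTP_HEADER_CACHE_MAX_AGE` names the directive but not its unit, whereas the neighbouring `*_MS` keys carry theirs in the key name; `max-age` is expressed in seconds, so I would write `# The value for the HTTP cache directive "max-age" (in seconds)` and, in the `# 10 min` / `# 7days` style used just above, add `# 8 hours` on its own line. The new `ACTIVATION_TIMEOUT_MS` description could also state what happens once a token has expired (presumably a new activation has to be requested) — confirm against the activation code before adding it.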
@@ -149,19 +151,22 @@ CACHE_DISABLE=false
 # The server is allowed to create symlinks to files and folders within this whitelist of directories.
 INSERT_FILES_IN_DIR_ALLOWED_DIRS=
-# TODO: please check
 # Sudo password of the system.
 # Needed by the drop off box to set file permissions.
 SUDO_PASSWORD=
-# If set to true ACL checks are circumvented during querying.
-# TODO: add more details
+# If set to false ACL checks are circumvented during querying. This may leak information but is a lot faster.
 QUERY_FILTER_ENTITIES_WITHOUT_RETRIEVE_PERMISSIONS=TRUE
-# TODO: add description and possible options
+# When checking the ACL of an entity roles which are unknown to the server
+# raise an error (when set to MUST) or a warning (when set to SHOULD).
+# Unknown roles occur when a user or group is removed or when entities are
+# loaded from other instances of the CaosDB Server where different users are
+# present.
+# CHECK_ENTITY_ACL_ROLES_MODE=[MUST,SHOULD]
 CHECK_ENTITY_ACL_ROLES_MODE=MUST
-# Location of the initial ACL file for entities.
-# TODO: add more details
+# Location of the global ACL file for entities. The global ACL is implicitly
+# part of any Entity ACL.
 GLOBAL_ENTITY_PERMISSIONS_FILE=./conf/core/global_entity_permissions.xml
--
GitLab
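Review bot: Dropping `# TODO: please check` above `SUDO_PASSWORD` leaves the comment without the information the TODO was asking for: whether the value may stay empty when the drop off box is not used, and that a non-empty value places a host-level credential in plain text in this file. I would add `# May be left empty if the drop off box is not used. If set, make sure only the server's user can read this file.` — the first half is an assumption about the drop off box that needs confirming. The new comment on `QUERY_FILTER_ENTITIES_WITHOUT_RETRIEVE_PERMISSIONS` is clearer if the consequence is bound to the value rather than to a bare "This", e.g. `# If set to false, ACL checks are circumvented during querying: this is a lot faster but may leak information about entities the user is not allowed to retrieve. TRUE is the safe setting.`. For `CHECK_ENTITY_ACL_ROLES_MODE` the new text says SHOULD raises a warning but not whether the unknown role is then ignored or treated as a denial, which is the detail an administrator needs to choose between the two modes.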