.env.example
# Caddy Proxy Manager Environment Configuration
# Copy this file to .env and replace every placeholder with your own secure values
# IMPORTANT: chmod 600 .env after creating it, and keep .env out of version control
# =============================================================================
# REQUIRED SECURITY SETTINGS (PRODUCTION)
# =============================================================================
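# Session Secret (REQUIRED)
# Generate with: openssl rand -base64 32
# Must be at least 32 characters in production
# NOTE: the placeholder below is longer than 32 characters, so a length check alone
# will not reject it, but it is published in this file. Always replace it.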
SESSION_SECRET=your-secure-session-secret-here-min-32-chars
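# Admin Credentials (REQUIRED)
# USERNAME: Any username (e.g., "admin" is fine)
# PASSWORD: Must be 12+ characters with:
# - Uppercase letters (A-Z)
# - Lowercase letters (a-z)
# - Numbers (0-9)
# - Special characters (!@#$%^&* etc.)
# NOTE: the example password below satisfies these rules but is published in this file.
# Never deploy with it; set a unique password.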
ADMIN_USERNAME=admin
ADMIN_PASSWORD=Your-Secure-P@ssw0rd-Here!
# =============================================================================
# APPLICATION CONFIGURATION
# =============================================================================
# Public base URL for the application (IMPORTANT!)
# This is the URL where users access your Caddy Proxy Manager interface.
#
# ** REQUIRED FOR OAUTH: If using OAuth2/OIDC authentication, this MUST match
# the redirect URI configured in your OAuth provider exactly.
# The redirect URI will be: {BASE_URL}/api/auth/callback/oauth2
#
# Examples:
# - Local development: http://localhost:3000
# - Production with domain: https://caddy-manager.example.com
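# - Production with IP: http://192.168.1.100:3000
#   (plain http:// sends the admin login and session cookie unencrypted;
#   prefer https:// whenever the interface is reachable outside a trusted network)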
#
# IMPORTANT: Do not include a trailing slash
BASE_URL=http://localhost:3000
# =============================================================================
# ROOTLESS OPERATION (OPTIONAL)
# =============================================================================
# User and Group IDs for running containers as non-root
# Set these to match your host user to avoid permission issues with volumes
# Find your UID/GID with: id -u / id -g
#
# Defaults:
# - Web service: PUID=10001, PGID=10001
# - Caddy service: PUID=10000, PGID=10000
#
# For matching your host user (recommended for development):
# PUID=1000
# PGID=1000
# =============================================================================
# OAUTH2/OIDC AUTHENTICATION (OPTIONAL)
# =============================================================================
# OAuth2/OIDC Provider (works with Authentik, Authelia, Keycloak, etc.)
# Enable OAuth2 authentication with any OIDC-compliant provider
OAUTH_ENABLED=false
OAUTH_PROVIDER_NAME=OAuth2 # Display name (e.g., "Authentik", "Keycloak")
OAUTH_CLIENT_ID=
OAUTH_CLIENT_SECRET=
OAUTH_ISSUER= # OIDC discovery URL (e.g., https://auth.example.com/application/o/app/)
# Optional: Override auto-discovered URLs (only if OIDC discovery doesn't work)
# OAUTH_AUTHORIZATION_URL=
# OAUTH_TOKEN_URL=
# OAUTH_USERINFO_URL=
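# OAuth Settings
# Keep auto-linking disabled unless the identity provider is fully trusted: once an OAuth
# identity is linked to an existing account, whoever controls that identity can sign in as it.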
OAUTH_ALLOW_AUTO_LINKING=false # Auto-link OAuth to accounts without passwords
# Example for Authentik:
# OAUTH_ENABLED=true
# OAUTH_PROVIDER_NAME=Authentik
# OAUTH_CLIENT_ID=your-client-id
# OAUTH_CLIENT_SECRET=your-client-secret
# OAUTH_ISSUER=https://auth.example.com/application/o/caddy-proxy/
#
# IMPORTANT: Configure the redirect URI in your OAuth provider:
# Redirect URI = {BASE_URL}/api/auth/callback/oauth2
# Example: http://localhost:3000/api/auth/callback/oauth2
# or: https://caddy-manager.example.com/api/auth/callback/oauth2
# =============================================================================
# OPTIONAL: ADVANCED CONFIGURATION
# =============================================================================
# Database configuration (usually no need to change)
# DATABASE_URL=file:/app/data/caddy-proxy-manager.db
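# Caddy Admin API endpoint (usually no need to change)
# The Caddy admin API can replace the entire proxy configuration and has no authentication
# by default; keep port 2019 reachable only from the web service, never published on the host.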
# CADDY_API_URL=http://caddy:2019
# Certificate storage directory (usually no need to change)
# CERTS_DIRECTORY=./data/certs
# Login rate limiting (optional, for custom rate limit settings)
# LOGIN_MAX_ATTEMPTS=5
# LOGIN_WINDOW_MS=300000
# LOGIN_BLOCK_MS=900000
# =============================================================================
# CLICKHOUSE ANALYTICS (OPTIONAL)
# =============================================================================
# ClickHouse is used for analytics data (traffic events, WAF events).
# Data is automatically retained for 90 days via ClickHouse TTL.
# CLICKHOUSE_PASSWORD is required — generate with: openssl rand -base64 32
CLICKHOUSE_PASSWORD=your-clickhouse-password-here
# CLICKHOUSE_URL=http://clickhouse:8123
# CLICKHOUSE_USER=cpm
# CLICKHOUSE_DB=analytics
# =============================================================================
# GEOIP UPDATE (OPTIONAL)
# =============================================================================
# GeoIP Update (Optional - for geoblocking support)
# To enable the geoipupdate container, set COMPOSE_PROFILES=geoipupdate
# Get credentials at: https://www.maxmind.com/en/geolite2/signup
COMPOSE_PROFILES=
GEOIPUPDATE_ACCOUNT_ID=
GEOIPUPDATE_LICENSE_KEY=