kore.conf.example (12025B)
1 # Example Kore configuration
2
3 # Below you will find all available configuration
4 # options for Kore. Options which have a default value
5 # and can be left out of the configuration are commented
6 # out with their default value specified.
7
8 # Maximum length to queue pending connections (see listen(2))
9 # MUST be set before any bind directive.
10 #socket_backlog 5000
11
12 # Server configuration.
13 server tls {
14 bind 127.0.0.1 443
15 #unix /var/run/kore.sock
16 }
17
18 #server notls {
19 # bind 127.0.0.1 80
20 # tls no
21 #}
22
23 # Kore can have multiple settings for each processes that run under it.
24 # There are 3 different type of processes:
25 #
26 # 1) A worker process, these handle the HTTP requests and your code
27 # runs inside of these.
28 # 2) A keymgr process, this handles your domain private keys
29 # and signing during the TLS handshakes. It also holds your
30 # ACME account-key and will sign ACME requests.
31 # 3) An acme process, this talks to the ACME servers.
32 #
33 # You can individually turn on/off chrooting and dropping user
34 # privileges per process. The -n and -r command-line options
35 # are a global override for skipping chroot or dropping user
36 # permissions on all processes.
37 #
38 # If no root/runas options are set in a process, it will inherit the
39 # default values from the worker processes.
40 #
41 # The worker processes will get the current working directory or
42 # current user if no options where specified for it.
43 #
44 # Configures the worker processes.
45 privsep worker {
46 # The user the workers will run as.
47 runas kore
48
49 # The root directory for the worker processes, if chroot isn't
50 # skipped, this is the directory it will chroot into.
51 #
52 # If not set, Kore will take the current working directory.
53 root /var/chroot/kore
54
55 # We could configure this process to not chroot and only
56 # chdir into its root directory.
57 #skip chroot
58 }
59
60 # Configures the keymgr process.
61 # If TLS is enabled you will need to specify paths to the domain
62 # certificate and key that Kore will load. This loading is done
63 # from the keymgr (separate process) and all paths must be relative
64 # to the keymgr process its root configuration option.
65 privsep keymgr {
66 # The user the keymgr will run as.
67 runas keymgr
68
69 # The root directory for the keymgr process. In this example
70 # we do not turn off chroot for this process so the keymgr
71 # will chroot into this directory.
72 root /etc/keymgr
73 }
74
75 # Configure Kore to log all worker output to a certain file.
76 #
77 # This forces all logs from the workers to be written to this file
78 # instead of stdout. Note that this is not the actual access log.
79 #
80 # Any message logged by your application with kore_log() will also
81 # appear under here.
82 #logfile /var/log/kore.log
83
84 # How many worker processes Kore will spawn. If the directive
85 # worker_set_affinity is set to 1 (the default) Kore will automatically
86 # pin these worker processes to different CPU cores in your system.
87 # NOTE: If you set this to the maximum number of cores you have
88 # in your system (or more) you might consider turning off affinity
89 # if you are running CPU heavy services on the same machine.
90 workers 4
91
92 # The number of active connections each worker can handle.
93 # You might have to tweak this number based on your hardware.
94 #worker_max_connections 512
95
96 # Disable accepting of normal connections on a given worker process.
97 #worker_no_accept 2
98
99 # Limit of maximum open files per worker.
100 #worker_rlimit_nofiles 768
101
102 # Limit the number of new connections a worker can accept
103 # in a single event loop. By default Kore will accept as
104 # many new connections it can up to worker_max_connections.
105 #
106 # NOTE: If you are running benchmark tools that throw all
107 # connections at Kore at the same time (when they are less
108 # then worker_max_connections) or you have an actual reason
109 # to not spend too much time in the accept loop this setting
110 # will make a HUGE positive difference.
111
112 # Number of accept() calls a worker will do at most in one go
113 # before releasing the lock to others.
114 #worker_accept_threshold 16
115
116 # What should the Kore parent process do if a worker
117 # process unexpectedly exits. The default policy is that
118 # the worker process is automatically restarted.
119 #
120 # If you want the kore server to exit if a worker dies
121 # you can swap the policy to "terminate".
122 #worker_death_policy restart
123
124 # Workers bind themselves to a single CPU by default.
125 # Turn this off by setting this option to 0
126 #worker_set_affinity 1
127
128 # Store the pid of the main process in this file.
129 #pidfile kore.pid
130
131 # If TLS is enabled you can specify a file where Kore will read
132 # initial entropy from and save entropy towards when exiting.
133 #
134 # Note that if you enable this you must provide the first iteration
135 # of this file by generating 1024 cryptographically safe random bytes
136 # and writing them to the file specified.
137 #
138 # Kore will refuse to start if the specified file does not exist,
139 # is of the wrong size or cannot be opened in anyway.
140 #
141 # NOTE: This file location must be inside your chrooted environment.
142 #rand_file random.data
143
144 # Filemap settings
145 # filemap_index Name of the file to be used as the directory
146 # index for a filemap.
147 #filemap_index index.html
148
149 # HTTP specific settings.
150 # http_header_max Maximum size of HTTP headers (in bytes).
151 #
152 # http_header_timeout Timeout in seconds for receiving the
153 # HTTP headers before the connection is closed.
154 #
155 # http_body_max Maximum size of an HTTP body (in bytes).
156 # If set to 0 disallows requests with a body
157 # all together.
158 #
159 # http_body_timeout Timeout in seconds for receiving the
160 # HTTP body in full before the connection
161 # is closed with an 408.
162 #
163 # http_body_disk_offload Number of bytes after which Kore will use
164 # a temporary file to hold the HTTP body
165 # instead of holding it in memory. If set to
166 # 0 no disk offloading will be done. This is
167 # turned off by default.
168 #
169 # http_body_disk_path Path where Kore will store any temporary
170 # HTTP body files.
171 #
172 # http_keepalive_time Maximum seconds an HTTP connection can be
173 # kept alive by the browser.
174 # (Set to 0 to disable keepalive completely).
175 #
176 # http_hsts_enable Send Strict Transport Security header in
177 # all responses. Parameter is the age.
178 # (Set to 0 to disable sending this header).
179 #
180 # http_request_limit Limit the number of HTTP requests workers
181 # can queue up.
182 #
183 # http_request_ms The number of milliseconds workers can max
184 # spend inside the HTTP processing loop.
185 #
186 # http_server_version Override the server version string.
187 #
188 #http_header_max 4096
189 #http_header_timeout 10
190 #http_body_max 1024000
191 #http_body_timeout 60
192 #http_keepalive_time 0
193 #http_hsts_enable 31536000
194 #http_request_limit 1000
195 #http_request_ms 10
196 #http_body_disk_offload 0
197 #http_body_disk_path tmp_files
198 #http_server_version kore
199
200 # Websocket specific settings.
201 # websocket_maxframe Specifies the maximum frame size we can receive
202 # websocket_timeout Specifies the time in seconds before a websocket
203 # connection would be closed due to inactivity.
204 #websocket_maxframe 16384
205 #websocket_timeout 120
206
207 # Configure the number of available threads for background tasks.
208 #task_threads 2
209
210 # Load modules (you can load multiple at the same time).
211 # An additional parameter can be specified as the "onload" function
212 # which Kore will call when the module is loaded/reloaded.
213 load contrib/examples/generic/example.module example_load
214
215 # Load a python file (if built with PYTHON=1)
216 #python_import src/index.py example_load
217
218 # Validators
219 # validator name type regex|function
220 #
221 validator v_example function v_example_func
222 validator v_regex regex ^/test/[a-z]*$
223 validator v_number regex ^[0-9]*$
224 validator v_session function v_session_validate
225
226 # Specify what TLS version to be used. Default is TLSv1.3 if available.
227 # Otherwise it will use TLS 1.2.
228 # Allowed values:
229 # 1.3 for TLSv1.3 (default, if available)
230 # 1.2 for TLSv1.2
231 # both for TLSv1.2 and TLSv1.3
232 #tls_version 1.3
233
234 # Specify the TLS ciphers that will be used.
235 #tls_cipher AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256:AEAD-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
236
237 # Required DH parameters for TLS if DHE ciphersuites are in-use.
238 # Defaults to SHARE_DIR/ffdhe4096.pem, can be overwritten.
239 #tls_dhparam /usr/local/share/kore/ffdhe4096.pem
240
241 # OpenBSD specific settings.
242 # Add more pledges if your application requires more privileges.
243 # All worker processes call pledge(2) after dropping privileges
244 # (even if -rn was specified).
245 # By default Kore will use the following promises: "stdio rpath inet error"
246 #pledge dns wpath
247
248 # seccomp specific settings.
249 # If set to "yes", Kore will trace its child processes and properly
250 # log seccomp violations while still allowing the syscalls.
251 #seccomp_tracing yes
252
253 # Authentication configuration
254 #
255 # Using authentication blocks you can define a standard way for
256 # Kore to validate your users. In the example below we create
257 # a authentication block called auth_example, which requires
258 # a cookie (session_id) to be set.
259 #
260 # If no cookie is present or the cookie is not valid according
261 # to the set validator, Kore will redirect the browser to the
262 # URI set in authentication_uri.
263 #
264 # Page handlers can be bound to authentication by specifying
265 # authentication block at the end of the page directive (see below).
266 authentication auth_example {
267 # The authentication type denotes the way the user should
268 # be authenticated.
269 #
270 # Allow values:
271 # - cookie (checks for the cookie presence + pass to validator)
272 # - header (checks for header presence + pass to validator)
273 # - request (passes the http_request to the validator)
274 #
275 # Use cases for request could for example be IP based ACLs or
276 # any other criteria that can be extracted from a http_request.
277 #
278 # The request type does not need an authentication_validator.
279 #
280 authentication_type cookie
281
282 # The name of whatever we are looking for.
283 authentication_value session_id
284
285 # The validator that will be called to verify the cookie.
286 # Note this is YOUR validator, Kore does not have built-in
287 # session support. You must add this manually using your
288 # preferred method (Storing it in postgres, redis, ...)
289 authentication_validator v_session
290
291 # The URI Kore will redirect to if a authentication fails.
292 # If this is not set, Kore will return a simple 403.
293 authentication_uri /private
294 }
295
296 # Domain configuration
297 #
298 # Each domain configuration starts with listing what domain
299 # the directives that follow are to be applied upon.
300 #
301 # Additionally you can specify the following in a domain configuration:
302 #
303 # accesslog
304 # - File where all requests are logged.
305 #
306 # NOTE: due to current limitations the client_verify CA path
307 # MUST be in the 'root' of the Kore workers, not the keymgr.
308 #
309 # client_verify [CA] [optional CRL]
310 # - Turns on client verification, requiring the client to
311 # send a certificate that will be verified by the given CA.
312 # client_verify_depth [depth]
313 # - Configure the depth for x509 chain validation.
314 # By default 1.
315 #
316 # Routes
317 #
318 # Routes can be a static path or a POSIX regular expression.
319 #
320 # route /path {
321 # handler myhandler
322 # methods get post
323 # ...
324 # }
325 #
326
327 # Example domain that responds to localhost.
328 domain localhost {
329 attach tls
330
331 certfile cert/server.crt
332 certkey cert/server.key
333 accesslog /var/log/kore_access.log
334
335 route / {
336 handler index_page
337 methods get
338 }
339
340 route /login {
341 handler login_do
342 methods post
343 validate post username v_username
344 validate post passphrase v_passphrase
345 }
346
347 route /mypages/ {
348 handler mypages_index
349 methods get
350 authenticate auth_example
351 }
352
353 # Allow access to files from the directory route_files via
354 # the /files/ URI.
355 #
356 # Note the directory given must be relative to the root configuration
357 # option.
358 filemap /files/ static_files [auth]
359 }
360
361 # Example redirect 80->443.
362 #domain localhost {
363 # attach notls
364 #
365 # # specific redirect with a capture group and arguments
366 # redirect ^/account/(.*)$ 301 https://localhost/account/$1
367 #
368 # # redirect the others back to root.
369 # redirect ^/.*$ 301 https://localhost
370 #}