.restheart-core.8.0.8.source-code.restheart-default-config-no-mongodb.yml Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of restheart-core Show documentation
Show all versions of restheart-core Show documentation
RESTHeart Core - Core services for RESTHeart
The newest version!
# RESTHeart Configuration File.
## See ## See https://restheart.org/docs/default-configuration
---
# HTTP Listener
# WARNING: Using the http listener is not secure.
http-listener:
enabled: true
host: localhost
port: 8080
# HTTPS Listener
https-listener:
enabled: false
host: localhost
port: 4443
# The https listener requires setting up a TLS certificate.
# See https://restheart.org/docs/security/tls/
keystore-path: null
keystore-password: null
certificate-password: null
# AJP Listener
ajp-listener:
enabled: false
host: localhost
port: 8009
# Auth Token Authentication
# The verified token is generated by the enabled token manager
# see https://restheart.org/docs/security/authentication#token-authentication
tokenBasicAuthMechanism:
enabled: true
# Basic Authentication
# see https://restheart.org/docs/security/authentication#basic-authentication
basicAuthMechanism:
enabled: true
authenticator: fileRealmAuthenticator
# JSON Web Token Authentication
# see https://restheart.org/docs/security/authentication#jwt-authentication
jwtAuthenticationMechanism:
enabled: false
algorithm: HS256
key: secret
base64Encoded: false
usernameClaim: sub
rolesClaim: roles
fixedRoles: []
issuer: restheart.org
audience: null
# Digest Authentication
# see https://restheart.org/docs/security/authentication#digest-authentication
digestAuthMechanism:
# digest authentication is disabled by default
# because it requires the passwords to be stored in plaintext
# and mongoRealmAuthenticator hashes the passwords by default (bcrypt-hashed-password: true)
enabled: false
realm: RESTHeart Realm
domain: localhost
authenticator: fileRealmAuthenticator
# For development purposes. Always authenticate the request with the given user
# see https://restheart.org/docs/security/authentication#identity-authentication
identityAuthMechanism:
enabled: false
username: admin
roles:
- admin
- user
# fileRealmAuthenticator defines users credentials and roles in a simple yml file.
# see https://restheart.org/docs/security/authentication#file-realm-authenticator
fileRealmAuthenticator:
enabled: true
#conf-file: ./users.yml
users:
- userid: admin
password: null
roles: [admin]
# mongoRealAuthenticator authenticates users defined in a MongoDB collection.
# see https://restheart.org/docs/security/authentication#mongo-realm-authenticator
mongoRealmAuthenticator:
enabled: false
users-db: restheart
users-collection: users
prop-id: _id
prop-password: password
json-path-roles: $.roles
bcrypt-hashed-password: true
bcrypt-complexity: 12
enforce-minimum-password-strength: false
# Integer from 0 to 4
# 0 Weak (guesses < 3^10)
# 1 Fair (guesses < 6^10)
# 2 Good (guesses < 8^10)
# 3 Strong (guesses < 10^10)
# 4 Very strong (guesses >= 10^10)
minimum-password-strength: 3
create-user: true
create-user-document: '{"_id": "admin", "password": "$2a$12$lZiMMNJ6pkyg4uq/I1cF5uxzUbU25aXHtg7W7sD2ED7DG1wzUoo6u", "roles": ["admin"]}'
# create-user-document.password must be hashed when bcrypt-hashed-password=true
# default password is 'secret'
# see https://bcrypt-generator.com but replace initial '$2y' with '$2a'
cache-enabled: false
cache-size: 1_000
cache-ttl: 60_000 # in msecs
cache-expire-policy: AFTER_WRITE
# Cookie Authentication
# see: https://restheart.org/docs/security/authentication#cookie-authentication
# Sets the auth cookie when the request has been successfully authenticated
# and the query parameter '?set-auth-cookie' is present
# The cookie is populated from the auth token generated by the currently enabled Token Manager.
# It is compatible with both rndTokenManager and jwtTokenManager
authCookieSetter:
enabled: false # Not enabled by default
name: rh_auth # The name of the cookie to be set
domain: localhost # The domain within which the cookie is valid.
path: / # The cookie path, applicable to the entire domain.
http-only: true # If true enhances security by making the cookie inaccessible to JavaScript.
same-site: true # Restricts the cookie to first-party contexts, preventing CSRF attacks.
same-site-mode: strict # Strictly prevents the cookie from being sent along with cross-site requests.
expires-ttl: 86_400 # Defines the duration (in seconds, default 1 day) for which the cookie is valid.
# Constructs the Authorization header using the auth cookie,
# It is compatible with both Basic and JWT authentication mechanisms.
# It reads the auth cookie (if present) and formats the value appropriately
# to create an Authorization header.
authCookieHandler:
enabled: false # Not enabled by default
# This service handles the clearing of the auth cookie in response to a POST /logout request.
# When this endpoint is called, it effectively wipes the auth cookie from the user's browser,
# effectively logging out the user.
authCookieRemover:
enabled: false # Not enabled by default
secure: false # If request to clean the cookie should be authenticated
defaultUri: /logout # The endpoint that triggers this service.
# fileAclAuthorizer authorizes requests according to the Access Control List defined in a YAML file.
# see https://restheart.org/docs/security/authorization#file-acl-authorizer
fileAclAuthorizer:
enabled: true
#conf-file: ./acl.yml
permissions:
- role: admin
predicate: path-prefix('/')
priority: 0
# mongoAclAuthorizer authorizes requests according to the Access Control List defined in a MongoDB collection.
# see https://restheart.org/docs/security/authorization#mongo-acl-authorizer
mongoAclAuthorizer:
enabled: false
acl-db: restheart
acl-collection: acl
# clients with root-role can execute any request
root-role: admin
cache-enabled: true
cache-size: 1_000
cache-ttl: 5_000 # in msecs
cache-expire-policy: AFTER_WRITE
# originVetoer protects from CSRF attacks by forbidding requests whose Origin header is not whitelisted
# see https://restheart.org/docs/security/authorization#originvetoer
originVetoer:
enabled: false
whitelist:
- https://restheart.org
- http://localhost
# optional list of paths for whose the Origin header
# is not checked. values can be absolute paths
# or patterns like /{var}/path/to/resource/*
# ignore-paths:
# - /{tenant}/bucket.files/{id}/binary
# - /coll/docid
# fullAuthorizer authorizes all requests
fullAuthorizer:
enabled: false
authentication-required: true
# Token Manager
# see https://restheart.org/docs/security/authentication#token-managers
# If a token-manager is configured, RESTHeart will use it to generate
# and verify auth tokens.
# If more than one token-manager are defined, the first one will be used
# The token is returned to the caller via auth-token header when the user
# autheticates successfully. The token can be used by Authentication Mechanisms.
# rndTokenService generates auth tokens using a random number generator.
rndTokenManager:
enabled: true
ttl: 15 # in minutes
srv-uri: /tokens
# jwtTokenManager generates JWT auth tokens.
# Use this in clustered deployments, since all nodes sharing the key
# can verify the token independently
jwtTokenManager:
enabled: false
key: secret
ttl: 15 # in minutes
srv-uri: /tokens
issuer: restheart.org
audience: null
# additional JWT claims from accounts properties
account-properties-claims:
# - foo # property name
# - /nested/property # xpath expr for nested properties
# Provider the MongoClient via @Inject('mclient')
mclient:
enabled: false
# see https://docs.mongodb.com/manual/reference/connection-string/
connection-string: mongodb://127.0.0.1
# MongoDB REST and Websocket API
# see https://restheart.org/docs/tutorial
mongo:
enabled: false
uri: /
# Use mongo-mounts to expose MongoDb resources binding them to API URIs.
#
# The parameter 'what' identifies the MongoDb resource to expose.
# The format is /db[/coll[/docid]]
# Use the wildcard '*' to expose all dbs.
#
# The parameter 'where' defines the URI to bind the resource to.
# It can be an absolute path (eg. /api) or path template (eg. /{foo}/bar/*).
# The values of the path templates properties are available:
# - in the 'what' property (e.g. what: /{foo}_db/coll)
# - programmatically from MongoRequest.getPathTemplateParamenters() method.
#
# It is not possible to mix absolute paths and path templates: 'where' URIs
# need to be either all absolute paths or all path templates.
#
# Examples:
# The following exposes all MongoDb resources.
# In this case the URI of a document is /db/coll/docid
#
# - what: "*"
# where: /
#
# The following binds the URI /database to the db 'db'
# In this case the URI of a document is /database/coll/docid
#
# - what: /db
# where: /database
#
# The following binds the URI /api to the collection 'db.coll'
# In this case the URI of a document is /api/docid
#
# - what: /db/coll
# where: /api
mongo-mounts:
- what: /restheart
where: /
# Default representation format https://restheart.org/docs/mongodb-rest/representation-format/#other-representation-formats
default-representation-format: STANDARD
# Default etag check policy https://restheart.org/docs/mongodb-rest/etag/#etag-policy
etag-check-policy:
db: REQUIRED_FOR_DELETE
coll: REQUIRED_FOR_DELETE
doc: OPTIONAL
# get collection cache speedups GET /coll?cache requests
get-collection-cache-enabled: true
get-collection-cache-size: 100
get-collection-cache-ttl: 10_000 # Time To Live, in msecs, default 10 seconds
get-collection-cache-docs: 1_000 # number of documents to cache for each request
# Check if aggregation variables use operators. https://restheart.org/docs/mongodb-rest/aggregations/#security-considerations
aggregation-check-operators: true
# default-pagesize is the number of documents returned when the pagesize query
# parameter is not specified
# see https://restheart.org/docs/read-docs#paging
default-pagesize: 100
# max-pagesize sets the maximum allowed value of the pagesize query parameter
# generally, the greater the pagesize, the more json serializan overhead occurs
# the rule of thumb is not exeeding 1000
max-pagesize: 1_000
# local-cache allows to cache the db and collection properties to drammatically
# improve performaces. Without caching, a GET on a document would requires
# two additional queries to retrieve the db and the collection properties.
# Pay attention to local caching only in case of multi-node deployments (horizontal scalability).
# In this case a change in a db or collection properties would reflect on other
# nodes at worst after TTL milliseconds (cache entries time to live).
# In most of the cases Dbs and collections properties only change at development time.
local-cache-enabled: true
# TTL in milliseconds; specify a value < 0 to never expire cached entries
local-cache-ttl: 60_000 # msecs
# cache for JSON Schemas
schema-cache-enabled: true
# TTL in milliseconds; specify a value < 0 to never expire cached entries
schema-cache-ttl: 60_000 # msecs
# The time limit in milliseconds for processing queries. Set to 0 for no time limit.
query-time-limit: 0
# The time limit in milliseconds for processing aggregations. Set to 0 for no time limit.
aggregation-time-limit: 0
changeStreamActivator:
enabled: false
txnsActivator:
enabled: false
graphAppDefinitionPatchChecker:
enabled: false
mongoClients:
enabled: false
# MongoDB GraphQL API
# see https://restheart.org/docs/mongodb-graphql/
graphql:
enabled: false
uri: /graphql
db: restheart
collection: gql-apps
# default-limit is used for queries that don't not specify a limit
default-limit: 100
# max-limit is the maximum value for a Query limit
max-limit: 1000
# The time limit in milliseconds for processing queries. Set to 0 for no time limit.
query-time-limit: 0
verbose: false
cacheInvalidator:
enabled: false
csvLoader:
enabled: false
# Proxied resources - expose exrernal API with RESTHeart acting as a reverese proxy
# see https://restheart.org/docs/proxy
# options:#
# - location (required) The location URI to bound to the HTTP proxied server.
# - proxy-pass (required) The URL of the HTTP proxied server. It can be an array of URLs for load balancing.
# - name (optional) The name of the proxy. It is required to identify 'restheart'.
# - rewrite-host-header (optional, default true) should the HOST header be rewritten to use the target host of the call.
# - connections-per-thread (optional, default 10) Controls the number of connections to create per thread.
# - soft-max-connections-per-thread (optional, default 5) Controls the number of connections to create per thread.
# - max-queue-size (optional, default 0) Controls the number of connections to create per thread.
# - connections-ttl (optional, default -1) Connections Time to Live in seconds.
# - problem-server-retry (optional, default 10) Time in seconds between retries for problem server.
proxies:
# - location: /anything
# proxy-pass: https://httpbin.org/anything
# name: anything
# Static Web Resources - serve static files with RESTHeart acting a web server
# see https://restheart.org/docs/static-resources
static-resources:
# - what: /path/to/resources
# where: /static
# welcome-file: index.html
# embedded: false
# Service to GET and DELETE (invalidate) the user auth token generated by the TokenManager
authTokenService:
uri: /tokens
# Simple ping service
ping:
enabled: true
msg: Greetings from RESTHeart!
# Returns the roles of the authenticated user
roles:
uri: /roles
# a global blacklist for mongodb operators in filter query parameter
filterOperatorsBlacklist:
blacklist: [ "$where" ]
enabled: true
# bruteForceAttackGuard defends from brute force password cracking attacks
# by returning `429 Too Many Requests` when more than
# `max-failed-attempts` requests with wrong credentials
# are received in last 10 seconds from the same ip
bruteForceAttackGuard:
enabled: false
# max number of failed attempts in 10 seconds sliding window
# before returning 429 Too Many Requests
max-failed-attempts: 5
# if true, the source ip is obtained from X-Forwarded-For header
# this requires that header beeing set by the proxy, dangerous otherwise
trust-x-forwarded-for: false
# when X-Forwarded-For has multiple values,
# take into account the n-th from last element
# e.g. with [x.x.x.x, y.y.y.y., z.z.z.z, k.k.k.k]
# 0 -> k.k.k.k
# 2 -> y.y.y.y
x-forwarded-for-value-from-last-element: 0
# Sets the X-Powered-By: restheart.org response header
xPoweredBy:
enabled: true
# Sets the Date response header
dateHeader:
enabled: true
# Logging
# see https://restheart.org/docs/logging
# Options:
# - log-level: to set the log level. Value can be OFF, ERROR, WARN, INFO, DEBUG, TRACE and ALL. (default value is INFO)
# - log-to-console: true => log messages to the console (default value: true)
# - ansi-console: use Ansi console for logging. Default to 'true' if parameter missing, for backward compatibility
# - log-to-file: true => log messages to a file (default value: false)
# - log-file-path: to specify the log file path (default value: restheart.log in system temporary directory)
# - packages: only messages form these packages are logged, e.g. [ "org.restheart", "com.restheart", "io.undertow", "org.mongodb" ]
# - full-stacktrace: true to log the full stacktrace of exceptions
# - requests-log-mode: 0 => no log, 1 => light log, 2 => detailed dump (use 2 only for development, it can log credentials)
# - tracing-headers (default, empty = no tracing): add tracing HTTP headers (Use with %X{header-name} in logback.xml); see https://restheart.org/docs/auditing
logging:
log-level: INFO
log-to-console: true
ansi-console: true
log-to-file: false
log-file-path: restheart.log
packages: [ "org.restheart", "com.restheart" ]
full-stacktrace: false
requests-log-mode: 1
tracing-headers:
# - x-b3-traceid # vv Zipkin headers, see https://github.com/openzipkin/b3-propagation
# - x-b3-spanid
# - x-b3-parentspanid
# - x-b3-sampled # ^^
# - uber-trace-id # jaeger header, see https://www.jaegertracing.io/docs/client-libraries/#trace-span-identity
# - traceparent # vv opencensus.io headers, see https://github.com/w3c/distributed-tracing/blob/master/trace_context/HTTP_HEADER_FORMAT.md
# - tracestate # ^^
# Metrics
# see https://restheart.org/docs/metrics
requestsMetricsCollector:
enabled: false
uri: /metrics
include: [ "/*" ]
exclude: [ "/metrics", "/metrics/*" ]
jvmMetricsCollector:
enabled: false
# base configuration for core module
core:
# The name of this instance. Displayed in log, also allows to implement instance specific custom code
name: default-no-mongodb
# The directory containing the plugins jars.
# The path is either absolute (starts with /) or relative to the restheart.jar file
# Just add the plugins jar to plugins-directory and they will be automatically
# added to the classpath and registered.
# Alsways add the package org.restheart to the list
plugins-directory: plugins
# Set to true for verbose logging of jar scanning for plugins
plugins-scanning-verbose: false
# Limit the scanning of classes annotated with @RegisterPlugin
# to the specified packages. It can speedup the boot time
# in case of huge plugin jars. It is usually not required.
# Use an empty array to not limit scanning.
plugins-packages: []
# Optionally define the base url of this instance
# Useful when RESTHeart is mediated by a reverse proxy or an API gateway to determine the instance's correct URL
base-url: null
# Number of I/O threads created for non-blocking tasks. Suggested value: core*8.
# if <= 0, use the number of cores.
io-threads: 0
# Initial number of platform carrier threads for executing worker virtual threads in blocking operations.
# Suggested value: 1.5*core.
# if <= 0, use 1.5 times the number of cores.
workers-scheduler-parallelism: 0
# Max number of platform carrier threads for executing worker virtual threads in blocking operations.
workers-scheduler-max-pool-size: 256
# set to true to pool buffers for io-threads. buffers pooling is always disabled for virtual worker threads.
buffers-pooling: true
# Use 16k buffers for best performance - as in linux 16k is generally the default amount of data that can be sent in a single write() call
# Setting to 1024 * 16 - 20; the 20 is to allow some space for getProtocol headers, see UNDERTOW-1209
buffer-size: 16364
# Specifies whether the buffer pool for I/O threads should use direct buffers.
# Direct buffers enable the JVM to leverage native I/O operations if supported by the system.
# Virtual working threads always use heap buffers because they are faster for their operations.
direct-buffers: true
# In order to save bandwitdth, force requests to support the giz encoding (if not, requests will be rejected)
force-gzip-encoding: false
# true to allow unescaped characters in URL
allow-unescaped-characters-in-url: true
# Connection Options
connection-options:
# Enable HTTP/2 support
# Note: HTTP2 as implemented by major browsers requires the use of TLS
# How to enable TLS https://restheart.org/docs/security/tls/
# How to check HTTP/2 protocol https://stackoverflow.com/a/54164719/4481670
ENABLE_HTTP2: true
# The maximum size of a HTTP header block, in bytes.
# If a client sends more data that this as part of the request header then the connection will be closed.
# Defaults to 1Mbyte.
MAX_HEADER_SIZE: 1048576
# The default maximum size of a request entity.
# Defaults to unlimited.
MAX_ENTITY_SIZE: -1
#The default maximum size of the HTTP entity body when using the mutiltipart parser.
# Generall this will be larger than MAX_ENTITY_SIZE
# If this is not specified it will be the same as MAX_ENTITY_SIZE
MULTIPART_MAX_ENTITY_SIZE: -1
# The idle timeout in milliseconds after which the channel will be closed.
# If the underlying channel already has a read or write timeout set
# the smaller of the two values will be used for read/write timeouts.
# Defaults to unlimited (-1).
IDLE_TIMEOUT: -1
# The maximum allowed time of reading HTTP request in milliseconds.
# -1 or missing value disables this functionality.
REQUEST_PARSE_TIMEOUT: -1
# The amount of time the connection can be idle with no current requests
# before it is closed;
# Defaults to unlimited (-1).
NO_REQUEST_TIMEOUT: -1
# The maximum number of query parameters that are permitted in a request.
# If a client sends more than this number the connection will be closed.
# This limit is necessary to protect against hash based denial of service attacks.
# Defaults to 1000.
MAX_PARAMETERS: 1000
# The maximum number of headers that are permitted in a request.
# If a client sends more than this number the connection will be closed.
# This limit is necessary to protect against hash based denial of service attacks.
# Defaults to 200.
MAX_HEADERS: 200
# The maximum number of cookies that are permitted in a request.
# If a client sends more than this number the connection will be closed.
# This limit is necessary to protect against hash based denial of service attacks.
# Defaults to 200.
MAX_COOKIES: 200
# The charset to use to decode the URL and query parameters.
# Defaults to UTF-8.
URL_CHARSET: UTF-8
# If this is true then a Connection: keep-alive header will be added to responses,
# even when it is not strictly required by the specification.
# Defaults to true
ALWAYS_SET_KEEP_ALIVE: true