
# RESTHeart Configuration File.
## See https://restheart.org/docs/setup/#configuration-files
---
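# HTTP Listener
# WARNING: Using the http listener is not secure.
# host: localhost binds the loopback interface only; a non-loopback host
# exposes the plaintext listener to the network.
http-listener:
  enabled: true
  host: localhost
  port: 8080

# HTTPS Listener
https-listener:
  enabled: false
  host: localhost
  port: 4443
  # The https listener requires setting up a TLS certificate.
  # See https://restheart.org/docs/security/tls/
  # keystore-path, keystore-password and certificate-password need values
  # before this listener can be enabled; keep the passwords out of
  # version control.
  keystore-path: null
  keystore-password: null
  certificate-password: null

# AJP Listener
ajp-listener:
  enabled: false
  host: localhost
  port: 8009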
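# Auth Token Authentication
# The verified token is generated by the enabled token manager
# see https://restheart.org/docs/security/authentication#token-authentication
tokenBasicAuthMechanism:
  enabled: true

# Basic Authentication
# see https://restheart.org/docs/security/authentication#basic-authentication
# Basic credentials are only base64-encoded on the wire; pair this
# mechanism with the https listener outside local development.
basicAuthMechanism:
  enabled: true
  authenticator: fileRealmAuthenticator

# JSON Web Token Authentication
# see https://restheart.org/docs/security/authentication#jwt-authentication
jwtAuthenticationMechanism:
  enabled: false
  algorithm: HS256
  # HS256 verifies signatures with this shared secret; 'secret' is a
  # placeholder to replace before the mechanism is enabled
  key: secret
  base64Encoded: false
  usernameClaim: sub
  rolesClaim: null
  # left empty (parses as null); uncomment entries to add fixed roles
  fixedRoles:
  # - jwt-role
  issuer: restheart.org
  audience: null

# Digest Authentication
# see https://restheart.org/docs/security/authentication#digest-authentication
digestAuthMechanism:
  # digest authentication is disabled by default
  # because it requires the passwords to be stored in plaintext
  # and mongoRealmAuthenticator hashes the passwords by default (bcrypt-hashed-password: true)
  enabled: false
  realm: RESTHeart Realm
  domain: localhost
  authenticator: fileRealmAuthenticator

# For development purposes. Always authenticate the request with the given user
# see https://restheart.org/docs/security/authentication#identity-authentication
# When enabled every request is treated as the configured user without
# any credential check, so keep it disabled outside local development.
identityAuthMechanism:
  enabled: false
  username: admin
  roles:
    - admin
    - user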
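# fileRealmAuthenticator defines users credentials and roles in a simple yml file.
# see https://restheart.org/docs/security/authentication#file-realm-authenticator
fileRealmAuthenticator:
  enabled: true
  #conf-file: ./users.yml
  # NOTE(review): the admin password is null in this default; confirm how
  # this version handles a null password at startup and set an explicit
  # value (or an external conf-file) before the instance is reachable by
  # anyone other than its operator.
  users:
    - userid: admin
      password: null
      roles: [admin]

# mongoRealmAuthenticator authenticates users defined in a MongoDB collection.
# see https://restheart.org/docs/security/authentication#mongo-realm-authenticator
mongoRealmAuthenticator:
  enabled: false
  users-db: restheart
  users-collection: users
  prop-id: _id
  prop-password: password
  json-path-roles: $.roles
  bcrypt-hashed-password: true
  bcrypt-complexity: 12
  enforce-minimum-password-strength: false
  # Integer from 0 to 4
  # 0 Weak (guesses < 3^10)
  # 1 Fair (guesses < 6^10)
  # 2 Good (guesses < 8^10)
  # 3 Strong (guesses < 10^10)
  # 4 Very strong (guesses >= 10^10)
  minimum-password-strength: 3
  create-user: true
  create-user-document: '{"_id": "admin", "password": "$2a$12$lZiMMNJ6pkyg4uq/I1cF5uxzUbU25aXHtg7W7sD2ED7DG1wzUoo6u", "roles": ["admin"]}'
  # create-user-document.password must be hashed when bcrypt-hashed-password=true
  # default password is 'secret'
  # see https://bcrypt-generator.com but replace initial '$2y' with '$2a'
  # This hash ships with every copy of this file, so the admin it creates
  # has a well-known password: replace it before enabling with create-user: true.
  cache-enabled: false
  cache-size: 1000
  cache-ttl: 60000
  cache-expire-policy: AFTER_WRITE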
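# fileAclAuthorizer authorizes requests according to the Access Control List defined in a YAML file.
# see https://restheart.org/docs/security/authorization#file-acl-authorizer
fileAclAuthorizer:
  enabled: true
  #conf-file: ./acl.yml
  # The only entry grants the admin role every path (path-prefix('/'));
  # add one permission per role that should be allowed through.
  permissions:
    - role: admin
      predicate: path-prefix('/')
      priority: 0

# mongoAclAuthorizer authorizes requests according to the Access Control List defined in a MongoDB collection.
# see https://restheart.org/docs/security/authorization#mongo-acl-authorizer
mongoAclAuthorizer:
  enabled: false
  acl-db: restheart
  acl-collection: acl
  # clients with root-role can execute any request
  root-role: admin
  cache-enabled: true
  cache-size: 1000
  cache-ttl: 5000
  cache-expire-policy: AFTER_WRITE

# originVetoer protects from CSRF attacks by forbidding requests whose Origin header is not whitelisted
# see https://restheart.org/docs/security/authorization#originvetoer
originVetoer:
  enabled: false
  whitelist:
    - https://restheart.org
    - http://localhost
  # optional list of paths for which the Origin header
  # is not checked. Values can be absolute paths
  # or patterns like /{var}/path/to/resource/*
  # ignore-paths:
  #   - /{tenant}/bucket.files/{id}/binary
  #   - /coll/docid

# fullAuthorizer authorizes all requests
fullAuthorizer:
  enabled: false
  authentication-required: true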
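# Token Manager
# see https://restheart.org/docs/security/authentication#token-managers
# If a token-manager is configured, RESTHeart will use it to generate
# and verify auth tokens.
# If more than one token-manager are defined, the first one will be used
# The token is returned to the caller via auth-token header when the user
# authenticates successfully. The token can be used by Authentication Mechanisms.

# rndTokenManager generates auth tokens using a random number generator.
rndTokenManager:
  enabled: true
  ttl: 15
  srv-uri: /tokens

# jwtTokenManager generates JWT auth tokens.
# Use this in clustered deployments, since all nodes sharing the key
# can verify the token independently
jwtTokenManager:
  enabled: false
  # the key both signs and verifies tokens; 'secret' is a placeholder to
  # replace before enabling, and the real value belongs outside this file
  key: secret
  ttl: 15
  srv-uri: /tokens
  issuer: restheart.org
  audience: null
  # additional JWT claims from accounts properties
  account-properties-claims:
  # - foo  # property name
  # - /nested/property  # xpath expr for nested properties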
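# Provides the MongoClient via @Inject('mclient') and @Inject('mclient-reactive')
mclient:
  enabled: false
  # see https://docs.mongodb.com/manual/reference/connection-string/
  # a connection string carrying credentials is a secret; prefer supplying
  # it from outside this file when that is the case
  connection-string: mongodb://127.0.0.1

# MongoDB REST and Websocket API
# see https://restheart.org/docs/tutorial
mongo:
  enabled: false
  uri: /
  # Use mongo-mounts to expose MongoDb resources binding them to API URIs.
  #
  # The parameter 'what' identifies the MongoDb resource to expose.
  # The format is /db[/coll[/docid]]
  # Use the wildcard '*' to expose all dbs.
  #
  # The parameter 'where' defines the URI to bind the resource to.
  # It can be an absolute path (eg. /api) or path template (eg. /{foo}/bar/*).
  # The values of the path templates properties are available:
  # - in the 'what' property (e.g. what: /{foo}_db/coll)
  # - programmatically from MongoRequest.getPathTemplateParamenters() method.
  #
  # It is not possible to mix absolute paths and path templates: 'where' URIs
  # need to be either all absolute paths or all path templates.
  #
  # Examples:
  # The following exposes all MongoDb resources.
  # In this case the URI of a document is /db/coll/docid
  #
  # - what: "*"
  #   where: /
  #
  # The following binds the URI /database to the db 'db'
  # In this case the URI of a document is /database/coll/docid
  #
  # - what: /db
  #   where: /database
  #
  # The following binds the URI /api to the collection 'db.coll'
  # In this case the URI of a document is /api/docid
  #
  # - what: /db/coll
  #   where: /api
  mongo-mounts:
    - what: /restheart
      where: /
  # Default representation format https://restheart.org/docs/mongodb-rest/representation-format/#other-representation-formats
  default-representation-format: STANDARD
  # Default etag check policy https://restheart.org/docs/mongodb-rest/etag/#etag-policy
  etag-check-policy:
    db: REQUIRED_FOR_DELETE
    coll: REQUIRED_FOR_DELETE
    doc: OPTIONAL
  # get collection cache speeds up GET /coll?cache requests
  get-collection-cache-enabled: true
  get-collection-cache-size: 100
  # underscore digit separators are YAML 1.1 syntax (SnakeYAML); 1.2-only
  # parsers read 10_000 as a string
  get-collection-cache-ttl: 10_000  # Time To Live, default 10 seconds
  get-collection-cache-docs: 1000  # number of documents to cache for each request
  # Check if aggregation variables use operators. https://restheart.org/docs/mongodb-rest/aggregations/#security-considerations
  # read the linked security considerations before turning this off
  aggregation-check-operators: true
  # default-pagesize is the number of documents returned when the pagesize query
  # parameter is not specified
  # see https://restheart.org/docs/read-docs#paging
  default-pagesize: 100
  # max-pagesize sets the maximum allowed value of the pagesize query parameter
  # generally, the greater the pagesize, the more json serialization overhead occurs
  # the rule of thumb is not exceeding 1000
  max-pagesize: 1000
  # local-cache allows to cache the db and collection properties to dramatically
  # improve performance. Without caching, a GET on a document would require
  # two additional queries to retrieve the db and the collection properties.
  # Pay attention to local caching only in case of multi-node deployments (horizontal scalability).
  # In this case a change in a db or collection properties would reflect on other
  # nodes at worst after TTL milliseconds (cache entries time to live).
  # In most of the cases Dbs and collections properties only change at development time.
  local-cache-enabled: true
  # TTL in milliseconds; specify a value < 0 to never expire cached entries
  local-cache-ttl: 60000
  # cache for JSON Schemas
  schema-cache-enabled: true
  # TTL in milliseconds; specify a value < 0 to never expire cached entries
  schema-cache-ttl: 60000
  # The time limit in milliseconds for processing queries. Set to 0 for no time limit.
  # 0 leaves client-supplied queries unbounded; set a limit where clients are untrusted.
  query-time-limit: 0
  # The time limit in milliseconds for processing aggregations. Set to 0 for no time limit.
  aggregation-time-limit: 0

changeStreamActivator:
  enabled: false

txnsActivator:
  enabled: false

graphAppDefinitionPatchChecker:
  enabled: false

mongoClients:
  enabled: false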
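# MongoDB GraphQL API
# see https://restheart.org/docs/mongodb-graphql/
graphql:
  enabled: false
  uri: /graphql
  db: restheart
  collection: gql-apps
  # app definitions are cached. this sets the time to live in msecs
  app-def-cache-ttl: 10_000
  # default-limit is used for queries that do not specify a limit
  default-limit: 100
  # max-limit is the maximum value for a Query limit
  max-limit: 1000
  # The time limit in milliseconds for processing queries. Set to 0 for no time limit.
  query-time-limit: 0
  verbose: false

cacheInvalidator:
  enabled: false

csvLoader:
  enabled: false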
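# Proxied resources - expose external API with RESTHeart acting as a reverse proxy
# see https://restheart.org/docs/proxy
# options:
# - location (required) The location URI to bound to the HTTP proxied server.
# - proxy-pass (required) The URL of the HTTP proxied server. It can be an array of URLs for load balancing.
# - name (optional) The name of the proxy. It is required to identify 'restheart'.
# - rewrite-host-header (optional, default true) should the HOST header be rewritten to use the target host of the call.
# - connections-per-thread (optional, default 10) Controls the number of connections to create per thread.
# - soft-max-connections-per-thread (optional, default 5) Controls the number of connections to create per thread.
# - max-queue-size (optional, default 0) Controls the number of connections to create per thread.
# - connections-ttl (optional, default -1) Connections Time to Live in seconds.
# - problem-server-retry (optional, default 10) Time in seconds between retries for problem server.
# left empty (parses as null) in this default
proxies:
# - location: /anything
#   proxy-pass: https://httpbin.org/anything
#   name: anything

# Static Web Resources - serve static files with RESTHeart acting as a web server
# see https://restheart.org/docs/static-resources
# left empty (parses as null) in this default
static-resources:
# - what: /path/to/resources
#   where: /static
#   welcome-file: index.html
#   embedded: false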
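# Service to GET and DELETE (invalidate) the user auth token generated by the TokenManager
authTokenService:
  uri: /tokens

# Simple ping service
ping:
  enabled: true
  msg: Greetings from RESTHeart!

# Returns the roles of the authenticated user
roles:
  uri: /roles

# a global blacklist for mongodb operators in filter query parameter
filterOperatorsBlacklist:
  blacklist: [ "$where" ]
  enabled: true

# bruteForceAttackGuard defends from brute force password cracking attacks
# by returning `429 Too Many Requests` when more than
# `max-failed-attempts` requests with wrong credentials
# are received in last 10 seconds from the same ip
bruteForceAttackGuard:
  # disabled in this default; enable it wherever the listener accepts
  # credentials from untrusted networks
  enabled: false
  # max number of failed attempts in 10 seconds sliding window
  # before returning 429 Too Many Requests
  max-failed-attempts: 5
  # if true, the source ip is obtained from X-Forwarded-For header
  # this requires that header being set by the proxy, dangerous otherwise
  # (with false, clients behind a shared proxy are all seen as the proxy's ip)
  trust-x-forwarded-for: false
  # when X-Forwarded-For has multiple values,
  # take into account the n-th from last element
  # e.g. with [x.x.x.x, y.y.y.y., z.z.z.z, k.k.k.k]
  # 0 -> k.k.k.k
  # 2 -> y.y.y.y
  x-forwarded-for-value-from-last-element: 0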
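# Logging
# see https://restheart.org/docs/logging
# Options:
# - log-level: to set the log level. Value can be OFF, ERROR, WARN, INFO, DEBUG, TRACE and ALL. (default value is INFO)
# - log-to-console: true => log messages to the console (default value: true)
# - ansi-console: use Ansi console for logging. Default to 'true' if parameter missing, for backward compatibility
# - log-to-file: true => log messages to a file (default value: false)
# - log-file-path: to specify the log file path (default value: restheart.log in system temporary directory)
# - packages: only messages from these packages are logged, e.g. [ "org.restheart", "com.restheart", "io.undertow", "org.mongodb" ]
# - full-stacktrace: true to log the full stacktrace of exceptions
# - requests-log-mode: 0 => no log, 1 => light log, 2 => detailed dump (use 2 only for development, it can log credentials)
# - tracing-headers (default, empty = no tracing): add tracing HTTP headers (Use with %X{header-name} in logback.xml); see https://restheart.org/docs/auditing
logging:
  log-level: INFO
  log-to-console: true
  ansi-console: true
  log-to-file: false
  log-file-path: restheart.log
  packages: [ "org.restheart", "com.restheart" ]
  full-stacktrace: false
  # keep at 1 outside development: mode 2 can write credentials to the log
  requests-log-mode: 1
  # left empty (parses as null): no tracing headers are propagated
  tracing-headers:
  # - x-b3-traceid  # vv Zipkin headers, see https://github.com/openzipkin/b3-propagation
  # - x-b3-spanid
  # - x-b3-parentspanid
  # - x-b3-sampled  # ^^
  # - uber-trace-id  # jaeger header, see https://www.jaegertracing.io/docs/client-libraries/#trace-span-identity
  # - traceparent  # vv opencensus.io headers, see https://github.com/w3c/distributed-tracing/blob/master/trace_context/HTTP_HEADER_FORMAT.md
  # - tracestate  # ^^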
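# Metrics
# see https://restheart.org/docs/metrics
requestsMetricsCollector:
  enabled: false
  uri: /metrics
  include: [ "/*" ]
  # the collector's own endpoint is excluded so it does not count itself
  exclude: [ "/metrics", "/metrics/*" ]

jvmMetricsCollector:
  enabled: false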
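# base configuration for core module
core:
  # The name of this instance. Displayed in log, also allows to implement instance specific custom code
  name: default-no-mongodb
  # The directory containing the plugins jars.
  # The path is either absolute (starts with /) or relative to the restheart.jar file
  # Just add the plugins jar to plugins-directory and they will be automatically
  # added to the classpath and registered.
  # Any jar dropped here is loaded with the server's privileges, so the
  # directory's write permissions deserve the same care as the jar itself.
  # Always add the package org.restheart to the list
  plugins-directory: plugins
  # Set to true for verbose logging of jar scanning for plugins
  plugins-scanning-verbose: false
  # Limit the scanning of classes annotated with @RegisterPlugin
  # to the specified packages. It can speedup the boot time
  # in case of huge plugin jars. It is usually not required.
  # Use an empty array to not limit scanning.
  plugins-packages: []
  # Optionally define the base url of this instance
  # Useful when RESTHeart is mediated by a reverse proxy or an API gateway to determine the instance's correct URL
  base-url: null
  # Number of I/O threads created for non-blocking tasks. Suggested value: core*8.
  # if <= 0, use the number of cores.
  io-threads: 0
  # Number of threads created for blocking tasks (such as ones involving db access). Suggested value: core*8
  # if < 0, use the number of cores * 8. With 0 working threads, blocking services won't work.
  worker-threads: -1
  # Use 16k buffers for best performance - as in linux 16k is generally the default amount of data that can be sent in a single write() call
  # Setting to 1024 * 16 - 20; the 20 is to allow some space for getProtocol headers, see UNDERTOW-1209
  buffer-size: 16364
  # Should the buffer pool use direct buffers, this instructs the JVM to use native (if possible) I/O operations on the buffers
  direct-buffers: true
  # In order to save bandwidth, force requests to support the gzip encoding (if not, requests will be rejected)
  force-gzip-encoding: false
  # true to allow unescaped characters in URL
  allow-unescaped-characters-in-url: true
  # Connection Options
  connection-options:
    # Enable HTTP/2 support
    # Note: HTTP2 as implemented by major browsers requires the use of TLS
    # How to enable TLS https://restheart.org/docs/security/tls/
    # How to check HTTP/2 protocol https://stackoverflow.com/a/54164719/4481670
    ENABLE_HTTP2: true
    # The maximum size of a HTTP header block, in bytes.
    # If a client sends more data than this as part of the request header then the connection will be closed.
    # Defaults to 1Mbyte.
    MAX_HEADER_SIZE: 1048576
    # The default maximum size of a request entity.
    # Defaults to unlimited.
    # -1 accepts request bodies of any size; size a limit to the largest
    # payload the deployed services actually need.
    MAX_ENTITY_SIZE: -1
    # The default maximum size of the HTTP entity body when using the multipart parser.
    # Generally this will be larger than MAX_ENTITY_SIZE
    # If this is not specified it will be the same as MAX_ENTITY_SIZE
    MULTIPART_MAX_ENTITY_SIZE: -1
    # The idle timeout in milliseconds after which the channel will be closed.
    # If the underlying channel already has a read or write timeout set
    # the smaller of the two values will be used for read/write timeouts.
    # Defaults to unlimited (-1).
    # With IDLE_TIMEOUT, REQUEST_PARSE_TIMEOUT and NO_REQUEST_TIMEOUT all -1
    # no connection is ever closed server-side for inactivity; set finite
    # values when the listener faces clients directly rather than a proxy.
    IDLE_TIMEOUT: -1
    # The maximum allowed time of reading HTTP request in milliseconds.
    # -1 or missing value disables this functionality.
    REQUEST_PARSE_TIMEOUT: -1
    # The amount of time the connection can be idle with no current requests
    # before it is closed;
    # Defaults to unlimited (-1).
    NO_REQUEST_TIMEOUT: -1
    # The maximum number of query parameters that are permitted in a request.
    # If a client sends more than this number the connection will be closed.
    # This limit is necessary to protect against hash based denial of service attacks.
    # Defaults to 1000.
    MAX_PARAMETERS: 1000
    # The maximum number of headers that are permitted in a request.
    # If a client sends more than this number the connection will be closed.
    # This limit is necessary to protect against hash based denial of service attacks.
    # Defaults to 200.
    MAX_HEADERS: 200
    # The maximum number of cookies that are permitted in a request.
    # If a client sends more than this number the connection will be closed.
    # This limit is necessary to protect against hash based denial of service attacks.
    # Defaults to 200.
    MAX_COOKIES: 200
    # The charset to use to decode the URL and query parameters.
    # Defaults to UTF-8.
    URL_CHARSET: UTF-8
    # If this is true then a Connection: keep-alive header will be added to responses,
    # even when it is not strictly required by the specification.
    # Defaults to true
    ALWAYS_SET_KEEP_ALIVE: true
    # If this is true then a Date header will be added to all responses.
    # The HTTP spec says this header should be added to all responses,
    # unless the server does not have an accurate clock.
    # Defaults to true
    ALWAYS_SET_DATE: true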