Kyle Isom
ec7c966ad2
- Trusted proxy config option for proxy-aware IP extraction used by rate limiting and audit logs; validates proxy IP before trusting X-Forwarded-For / X-Real-IP headers - TOTP replay protection via counter-based validation to reject reused codes within the same time step (±30s) - RateLimit middleware updated to extract client IP from proxy headers without IP spoofing risk - New tests for ClientIP proxy logic (spoofed headers, fallback) and extended rate-limit proxy coverage - HTMX error banner script integrated into web UI base - .gitignore updated for mciasdb build artifact Security: resolves CRIT-01 (TOTP replay attack) and DEF-03 (proxy-unaware rate limiting); gRPC TOTP enrollment aligned with REST via StorePendingTOTP Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
53 lines
1.7 KiB
Plaintext
53 lines
1.7 KiB
Plaintext
# mcias.conf.docker.example — Config template for container deployment
|
|
#
|
|
# Mount this file into the container at /etc/mcias/mcias.conf:
|
|
#
|
|
# docker run -d \
|
|
# --name mcias \
|
|
# -v /path/to/mcias.conf:/etc/mcias/mcias.conf:ro \
|
|
# -v /path/to/certs:/etc/mcias:ro \
|
|
# -v mcias-data:/data \
|
|
# -e MCIAS_MASTER_PASSPHRASE=your-passphrase \
|
|
# -p 8443:8443 \
|
|
# -p 9443:9443 \
|
|
# mcias:latest
|
|
#
|
|
# The container runs as uid 10001 (mcias). Ensure that:
|
|
# - /data volume is writable by uid 10001
|
|
# - TLS cert and key are readable by uid 10001
|
|
#
|
|
# TLS: The server performs TLS termination inside the container; there is no
|
|
# plain-text mode. Mount your certificate and key under /etc/mcias/.
|
|
# For Let's Encrypt certificates, mount the live/ directory read-only.
|
|
|
|
[server]
|
|
listen_addr = "0.0.0.0:8443"
|
|
grpc_addr = "0.0.0.0:9443"
|
|
tls_cert = "/etc/mcias/server.crt"
|
|
tls_key = "/etc/mcias/server.key"
|
|
# If a reverse proxy (nginx, Caddy, Traefik) sits in front of this container,
|
|
# set trusted_proxy to its container IP so real client IPs are used for rate
|
|
# limiting and audit logging. Leave commented out for direct exposure.
|
|
# trusted_proxy = "172.17.0.1"
|
|
|
|
[database]
|
|
# VOLUME /data is declared in the Dockerfile; map a named volume here.
|
|
path = "/data/mcias.db"
|
|
|
|
[tokens]
|
|
issuer = "https://auth.example.com"
|
|
default_expiry = "720h"
|
|
admin_expiry = "8h"
|
|
service_expiry = "8760h"
|
|
|
|
[argon2]
|
|
time = 3
|
|
memory = 65536
|
|
threads = 4
|
|
|
|
[master_key]
|
|
# Pass the passphrase via the MCIAS_MASTER_PASSPHRASE environment variable.
|
|
# Set it with: docker run -e MCIAS_MASTER_PASSPHRASE=your-passphrase ...
|
|
# or with a Docker secret / Kubernetes secret.
|
|
passphrase_env = "MCIAS_MASTER_PASSPHRASE"
|