hedgedoc/docs/configuration-config-file.md
Sheogorath a2522888b2
Remove PDF export
As we already declared in earlier versions, this patch removes PDF
export entirely. It's not an acceptable security risk for every CodiMD
instance.

The current implementation allowed extracting arbitrary files from the
CodiMD host and therefore leaking secrets, from `/etc/passwd` to
CodiMD's own config files and all secrets contained in them.

Thanks to Joona for finding this vulnerability in August last year,
which led to an emergency disabling of PDF exports in 1.5.0.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-26 15:05:54 +01:00


Configuration Using Config file

You can choose to configure CodiMD with either a config file or with environment variables. The config file is processed in lib/config/index.js, so that is the first place to look if anything is missing from, or not obvious in, this document. The default values are defined in lib/config/default.js, in case you wonder whether you even need to override a setting.

Environment variables take precedence over values from the config file. To get started, it is a good idea to copy config.json.example to config.json before filling in your own details.

Node.JS

| variables | example values | description |
| --- | --- | --- |
| `debug` | `true` or `false` | set debug mode, show more logs |

CodiMD basics

| variables | example values | description |
| --- | --- | --- |
| `db` | `{ "dialect": "sqlite", "storage": "./db.codimd.sqlite" }` | set the db configs, see more here |
| `dbURL` | `mysql://localhost:3306/database` | Set the db in URL style. If set, then the relevant db config entries will be overridden. |
| `forbiddenNoteIDs` | `['robots.txt']` | disallow creation of notes, even if `allowFreeURL` is `true` |
| `loglevel` | `info` | Defines what kind of logs are provided to stdout. Available options: `debug`, `verbose`, `info`, `warn`, `error` |
| `imageUploadType` | `imgur`, `s3`, `minio`, `azure`, `lutim` or `filesystem` (default) | Where to upload images. For S3, see our Image Upload Guides for S3 or MinIO |
| `sourceURL` | `https://github.com/codimd/server/tree/<current commit>` | Provides the link to the source code of CodiMD on the entry page (please make sure you change this when you run a modified version) |
| `staticCacheTime` | `1 * 24 * 60 * 60 * 1000` | static file cache time |
| `tooBusyLag` | `70` | CPU time for one event loop tick until node throttles connections (milliseconds) |
| `heartbeatInterval` | `5000` | socket.io heartbeat interval |
| `heartbeatTimeout` | `10000` | socket.io heartbeat timeout |
| `documentMaxLength` | `100000` | note max length |

CodiMD paths stuff

These are rarely used, for various reasons.

| variables | example values | description |
| --- | --- | --- |
| `defaultNotePath` | `./public/default.md` | default note file path¹, empty notes will be created with this template. |
| `dhParamPath` | `./cert/dhparam.pem` | SSL dhparam path¹ (only needed when you set `useSSL`) |
| `sslCAPath` | `['./cert/COMODORSAAddTrustCA.crt']` | SSL ca chain¹ (only needed when you set `useSSL`) |
| `sslCertPath` | `./cert/codimd_io.crt` | SSL cert path¹ (only needed when you set `useSSL`) |
| `sslKeyPath` | `./cert/client.key` | SSL key path¹ (only needed when you set `useSSL`) |
| `tmpPath` | `./tmp/` | temp directory path¹ |
| `docsPath` | `./public/docs` | docs directory path¹ |
| `viewPath` | `./public/views` | template directory path¹ |
| `uploadsPath` | `./public/uploads` | uploads directory¹ - needs to be persistent when you use `imageUploadType` `filesystem` |

CodiMD Location

| variables | example values | description |
| --- | --- | --- |
| `domain` | `localhost` | domain name |
| `urlPath` | `codimd` | sub URL path, like `www.example.com/<urlpath>` |
| `host` | `localhost` | interface/ip to listen on |
| `port` | `80` | port to listen on |
| `path` | `/var/run/codimd.sock` | path to UNIX domain socket to listen on (if specified, `host` and `port` are ignored) |
| `protocolUseSSL` | `true` or `false` | set to use SSL protocol for resources path (only applied when `domain` is set) |
| `useSSL` | `true` or `false` | set to use SSL server (if `true`, will auto turn on `protocolUseSSL`) |
| `urlAddPort` | `true` or `false` | set to add port on callback URL (ports 80 or 443 won't be applied) (only applied when `domain` is set) |
| `allowOrigin` | `['localhost']` | domain name whitelist |

CSP and HSTS

| variables | example values | description |
| --- | --- | --- |
| `hsts` | `{"enable": true, "maxAgeSeconds": 31536000, "includeSubdomains": true, "preload": true}` | HSTS options to use with HTTPS (default is the example value, max age is a year) |
| `csp` | `{"enable": true, "directives": {"scriptSrc": "trustworthy-scripts.example.com"}, "upgradeInsecureRequests": "auto", "addDefaults": true}` | Configures Content Security Policy. Directives are passed to Helmet - see their documentation for more information on the format. Some defaults are added to the configured values so that the application doesn't break. To disable this behaviour, set `addDefaults` to `false`. Further, if `useCDN` is on, some CDN locations are allowed too. By default (`auto`), insecure (HTTP) requests are upgraded to HTTPS via CSP if `useSSL` is on. To change this behaviour, set `upgradeInsecureRequests` to either `true` or `false`. |

Privacy and External Requests

| variables | example values | description |
| --- | --- | --- |
| `allowGravatar` | `true` or `false` | set to `false` to disable Libravatar as profile picture source on your instance. Libravatar is a federated open-source alternative to Gravatar. |
| `useCDN` | `true` or `false` | set to use CDN resources or not (default is `false`) |

Users and Privileges

| variables | example values | description |
| --- | --- | --- |
| `allowAnonymous` | `true` or `false` | Set to allow anonymous usage (default is `true`). |
| `allowAnonymousEdits` | `true` or `false` | If `allowAnonymous` is `true`: allow users to select the `freely` permission, allowing guests to edit existing notes (default is `false`). |
| `allowFreeURL` | `true` or `false` | Set to allow new note creation by accessing a nonexistent note URL. This is the behavior familiar from Etherpad. |
| `defaultPermission` | `freely`, `editable`, `limited`, `locked`, `protected` or `private` | Set notes' default permission (only applied to signed-in users). |
| `sessionName` | `connect.sid` | Cookie session name. |
| `sessionLife` | `14 * 24 * 60 * 60 * 1000` (14 days) | Cookie session life time in milliseconds. |
| `sessionSecret` | `secret` | Cookie session secret. If none is set, one will be randomly generated on each startup, meaning all your users will be logged out. |

Login methods

Email (local account)

| variables | example values | description |
| --- | --- | --- |
| `email` | `true` or `false` | Set to allow email sign-in. The default is `true`. |
| `allowEmailRegister` | `true` or `false` | Set to allow registration of new accounts using an email address. If set to `false`, you can still create accounts using the command line - see bin/manage_users for details (in production mode, remember to run it with `NODE_ENV` set to `production` in the environment). This setting has no effect if `email` is `false`. The default for `allowEmailRegister` is `true`. |

Dropbox Login

| variables | example values | description |
| --- | --- | --- |
| `dropbox` | `{clientID: ..., clientSecret: ...}` | An object containing the client ID and the client secret obtained from the Dropbox developer tools |

Facebook Login

| variables | example values | description |
| --- | --- | --- |
| `facebook` | `{clientID: ..., clientSecret: ...}` | An object containing the client ID and the client secret obtained from the Facebook app console |

GitHub Login

| variables | example values | description |
| --- | --- | --- |
| `github` | `{clientID: ..., clientSecret: ...}` | An object containing the client ID and the client secret obtained from the GitHub developer page. For more details have a look at the GitHub auth guide. |

GitLab Login

| variables | example values | description |
| --- | --- | --- |
| `gitlab` | `{baseURL: ..., scope: ..., version: ..., clientID: ..., clientSecret: ...}` | An object containing your GitLab application data. Refer to the GitLab guide for more details! |

Google Login

| variables | example values | description |
| --- | --- | --- |
| `google` | `{clientID: ..., clientSecret: ..., hostedDomain: ...}` | An object containing the client ID and the client secret obtained from the Google API console |

LDAP Login

| variables | example values | description |
| --- | --- | --- |
| `ldap` | `{providerName: ..., url: ..., bindDn: ..., bindCredentials: ..., searchBase: ..., searchFilter: ..., searchAttributes: ..., usernameField: ..., useridField: ..., tlsca: ...}` | An object detailing the LDAP connection. Refer to the LDAP-AD guide for more details! |

OAuth2 Login

| variables | example values | description |
| --- | --- | --- |
| `oauth2` | `{baseURL: ..., userProfileURL: ..., userProfileUsernameAttr: ..., userProfileDisplayNameAttr: ..., userProfileEmailAttr: ..., tokenURL: ..., authorizationURL: ..., clientID: ..., clientSecret: ...}` | An object detailing your OAuth2 provider. Refer to the Mattermost or Nextcloud examples for more details! |

SAML Login

| variables | example values | description |
| --- | --- | --- |
| `saml` | `{idpSsoUrl: ..., idpCert: ..., issuer: ..., identifierFormat: ..., disableRequestedAuthnContext: ..., groupAttribute: ..., externalGroups: [], requiredGroups: [], attribute: {id: ..., username: ..., email: ...}}` | An object detailing your SAML provider. Refer to the OneLogin and SAML guides for more details! |

Twitter Login

| variables | example values | description |
| --- | --- | --- |
| `twitter` | `{consumerKey: ..., consumerSecret: ...}` | An object containing the consumer key and secret obtained from the Twitter developer tools. For more details have a look at the Twitter auth guide. |

Upload Storage

Most of these have never been documented for config.json; feel free to expand this section.

Amazon S3

| variables | example values | description |
| --- | --- | --- |
| `s3` | `{ "accessKeyId": "YOUR_S3_ACCESS_KEY_ID", "secretAccessKey": "YOUR_S3_ACCESS_KEY", "region": "YOUR_S3_REGION" }` | When `imageUploadType` is set to `s3`, you also need to set up this key; check our S3 Image Upload Guide |
| `s3bucket` | `YOUR_S3_BUCKET_NAME` | bucket name when `imageUploadType` is set to `s3` or `minio` |

Azure Blob Storage

Imgur

MinIO

| variables | example values | description |
| --- | --- | --- |
| `minio` | `{ "accessKey": "YOUR_MINIO_ACCESS_KEY", "secretKey": "YOUR_MINIO_SECRET_KEY", "endpoint": "YOUR_MINIO_HOST", port: 9000, secure: true }` | When `imageUploadType` is set to `minio`, you need to set this key. Also check out our MinIO Image Upload Guide |

Lutim

| variables | example values | description |
| --- | --- | --- |
| `lutim` | `{"url": "YOUR_LUTIM_URL"}` | When `imageUploadType` is set to `lutim`, you can set up the Lutim URL here |

¹: relative paths are based on CodiMD's base directory