Sindbad~EG File Manager
--[[
This file contains a module with all the configuration. The configuration depends of the type of server being
deployed. It can be an openresty on a shared hosting or an openresty on a edge server like Ipxtender. There are
some small difference between those usages.
--]]
local _M = {}
--[[
Nginx Internal cache settings.
Multi-level layered cache stored directly in the Nginx shared memory, with a L1 cache on the worker too.
We can choose to activate the internal nginx cache or not.
--]]
_M.useInternalCache = true -- Set to true to use the Nginx internal cache, and not read everything from redis
_M.internalCacheErrTtl = 5 -- Nginx internal cache TTL for error (microcache of error to avoid lot a requests - slow/IO)
_M.internalCacheTtl = 1800 -- TTL for valid response. The SSL + ProxyPass stuff are cached to avoid lookup to the RedisDB
--[[
DDOS Mitigation confguration. 3 methods avaiables : Cookie challenge, JS challenge, Captcha
--]]
-- Cookie Challenge
_M.cookieSecret = 'b59d8d6c-0a07-4b14-99f6-75b3514004fd' -- Secret used for the Cookie challenge
-- JS Challenge
_M.jsSecret = '55c1c106-335a-4271-9843-eaeebe4a0ed4' -- Secret used on the JS Challenge
_M.minCost = 1 -- For the JS Mitigation, minimal cost for the PoW. The lower number to found will equal to this.
_M.maxCost = 2000 -- For the JS Mitigation, maximal cost for the PoW. The maximal number to found will be equal to this.
-- Captcha challenge
_M.captchaSecret = '78a3864a-dfd7-4ad8-8636-de7879bddb8f' -- Secret used for the Captcha challenge (used in the hashes)
_M.captchaProvider = 'hcaptcha' -- Possible values are 'recaptcha', 'hcaptcha', 'friendlycaptcha'
--_M.captchaSiteKey = '0add66af-e260-4ede-842c-51d7c392638a'
--_M.captchaSecretKey = '0xC954c245a1811164e399d3c713Ea13C861317B7E'
--_M.captchaSiteKey = 'FCMI0VA732LEGG1O' -- The site key (the public one)
--_M.captchaSecretKey = 'A1N5P30PQID9CQ4C3BK44OO60C2FNDCGMB6BK1ESGQVNUTD7AASFU6BFUA' -- The secret key (the private one)
_M.captchaSiteKey = '0add66af-e260-4ede-842c-51d7c392638a' -- Hcaptcha (or Recaptcha) site key
_M.captchaSecretKey = '0xC954c245a1811164e399d3c713Ea13C861317B7E' -- Hcaptcha (or Recaptcha) secret key
-- Global config
_M.reqCredit = 5000 -- (not used at the moment) Default number of requests credit given when a challenge is passed
_M.captchaMultiplier = 10 -- (not used at the moment) When a captcha is passed, the added requests credits are : reqCredit * captchaMultiplier
-- Auto-detection and mitigation configuration
_M.mitigationType = {
Cookie = 'cookie',
Js = 'js',
Captcha = 'captcha',
Drop = '444', -- Return a 444 error closing the connection
TmpBan = 'tmp-ban', -- Similar to 444 but more efficient. Put the IP in a temporary ban list, also drop on the SSL handshake directly.
}
_M.tmpBanTime = 3600 -- The temporary ban, in second.
_M.autoMitigationConfig = {
-- Counter type.
-- ['d'] for the count of request / domain / timeframe
-- ['i'] for the count of req / ip / timeframe (ip req on the whole search, not on a per domain basis)
['d'] = {
300, -- Timeframe in second. Also for each timeframe the max value is reseted to the value of the (first mitigation threshold - Leakage)
60, -- Leakage period in second. On each 'Leakage period' we decrease the requests counter by the 'Leackage amount'
5000, -- Leakage amount.
{
-- Should be ordered by mitigation severity (least to worst)
{
30000,
_M.mitigationType.Js
},
{
60000,
_M.mitigationType.Captcha
},
}
},
['i'] = {
300, 60, 100,
{
-- {2000, _M.mitigationType.Cookie },
{500, _M.mitigationType.Js },
{700, _M.mitigationType.Captcha },
{1000, _M.mitigationType.Drop },
{1200, _M.mitigationType.TmpBan },
}
}
}
--[[
SSL Related configuration
--]]
_M.fetchOcspLocally = true -- Set to true to allow Openresty to fetch the OCSP Response himself when the OCSP does not exists in Redis
_M.defaultSslCrt = '/var/cpanel/ssl/cpanel/mycpanel.pem' -- Note : not sure it's still used
_M.defaultSslKey = '/var/cpanel/ssl/cpanel/mycpanel.pem' -- Note : not sure it's still used
--[[
Server cache (Varnish, LSLB)
Informations about the cache server. It's used to detect if a request is for a cache server. If so, it will use
the correct backend from backends.conf. On the redis DB we just one 1 IP / 1 Port for the cache servers but in
reality we can have multiple cache server.
--]]
_M.varnish_ip = '109.234.163.160'
_M.varnish_port = '6081'
_M.lslb_ip = '109.234.163.160'
_M.lslb_port = '8081'
--[[
Miscellaneous config
--]]
_M.serverType = 'mutu' -- Define the type of server, mutu or edge.
_M.debugMode = 1 -- If set to 1 will log stuff to Nginx debug log
_M.redisRetryCount = 3 -- The number of tries when we can't retrieve something from Redis
_M.redisSleepBetweenTries = 0.01 -- Sleep, in second, between the tries
_M.redisTimeout = 1000 -- Timeout for Redis, in ms
-- @see https://github.com/openresty/lua-resty-redis#check-list-for-issues for tweaking the 2 values bellow
_M.redisKeepaliveTimeout = 60000 -- Keepalive time in the connection pool (value in ms !)
_M.redisKeepalivePoolSize = 100 -- Number of instance in the connection pool
_M.redisConfig = {
{ host = 'unix:/var/run/redis/o2redis.sock', port = nil, pass = '80b003e2-649c-4e32-88ae-c3db503ed774', master = true },
}
--[[
Configuration override if the server is the type of 'edge' (meaning ipxtender)
--]]
if _M.serverType == 'edge' then
_M.defaultSslCrt = '/etc/pki/nginx/nginx.crt'
_M.defaultSslKey = '/etc/pki/nginx/private/nginx.key'
_M.redisConfig = {
{ host = 'unix:/var/run/redis/redis.sock', port = nil, pass = nil, master = false },
{ host = '109.234.160.136', port = 6379, pass = '80b003e2-649c-4e32-88ae-c3db503ed774', master = true}
}
end
return _M
Sindbad File Manager Version 1.0, Coded By Sindbad EG ~ The Terrorists