221 lines
8.3 KiB
Django/Jinja
221 lines
8.3 KiB
Django/Jinja
# -*- coding: utf-8 -*-
|
|
|
|
# Application version suffix, e.g. 'beta1', 'dev'. Usually an empty string
|
|
# for GA releases.
|
|
APP_SUFFIX = ''
|
|
|
|
##########################################################################
|
|
# Server settings
|
|
##########################################################################
|
|
|
|
SERVER_MODE = True
|
|
|
|
# Enable X-Frame-Option protection.
|
|
# Set to one of "SAMEORIGIN", "ALLOW-FROM origin" or "" to disable.
|
|
# Note that "DENY" is NOT supported (and will be silently ignored).
|
|
# See https://tools.ietf.org/html/rfc7034 for more info.
|
|
X_FRAME_OPTIONS = "SAMEORIGIN"
|
|
|
|
# The Content-Security-Policy header allows you to restrict how resources
|
|
# such as JavaScript, CSS, or pretty much anything that the browser loads.
|
|
# see https://content-security-policy.com/#source_list for more info
|
|
# e.g. "default-src https: data: 'unsafe-inline' 'unsafe-eval';"
|
|
CONTENT_SECURITY_POLICY = "default-src http: data: blob: 'unsafe-inline' " \
|
|
"'unsafe-eval';"
|
|
|
|
# STRICT_TRANSPORT_SECURITY_ENABLED when set to True will set the
|
|
# Strict-Transport-Security header
|
|
STRICT_TRANSPORT_SECURITY_ENABLED = False
|
|
|
|
# The X-Content-Type-Options header forces the browser to honor the response
|
|
# content type instead of trying to detect it, which can be abused to
|
|
# generate a cross-site scripting (XSS) attack.
|
|
# e.g. nosniff
|
|
X_CONTENT_TYPE_OPTIONS = "nosniff"
|
|
|
|
# The browser will try to prevent reflected XSS attacks by not loading the
|
|
# page if the request contains something that looks like JavaScript and the
|
|
# response contains the same data. e.g. '1; mode=block'
|
|
X_XSS_PROTECTION = "1; mode=block"
|
|
|
|
# This param is used to validate ALLOWED_HOSTS for the application
|
|
# This will be used to avoid Host Header Injection attack
|
|
# ALLOWED_HOSTS = ['225.0.0.0/8', '226.0.0.0/7', '228.0.0.0/6']
|
|
# ALLOWED_HOSTS = ['127.0.0.1', '192.168.0.1']
|
|
# if ALLOWED_HOSTS= [] then it will accept all ips (and application will be
|
|
# vulnerable to Host Header Injection attack)
|
|
ALLOWED_HOSTS = []
|
|
|
|
SECURITY_PASSWORD_HASH = 'pbkdf2_sha512'
|
|
|
|
##########################################################################
|
|
# Log settings
|
|
##########################################################################
|
|
|
|
# Debug mode?
|
|
DEBUG = False
|
|
|
|
##########################################################################
|
|
# User account and settings storage
|
|
##########################################################################
|
|
|
|
# Allow database connection passwords to be saved if the user chooses.
|
|
# Set to False to disable password saving.
|
|
ALLOW_SAVE_PASSWORD = True
|
|
|
|
##########################################################################
|
|
# Session expiration support
|
|
##########################################################################
|
|
# SESSION_EXPIRATION_TIME is the interval in Days. Session will be
|
|
# expire after the specified number of *days*.
|
|
SESSION_EXPIRATION_TIME = 1
|
|
|
|
# CHECK_SESSION_FILES_INTERVAL is interval in Hours. Application will check
|
|
# the session files for cleanup after specified number of *hours*.
|
|
CHECK_SESSION_FILES_INTERVAL = 12
|
|
|
|
# USER_INACTIVITY_TIMEOUT is interval in Seconds. If the pgAdmin screen is left
|
|
# unattended for <USER_INACTIVITY_TIMEOUT> seconds then the user will
|
|
# be logged out. When set to 0, the timeout will be disabled.
|
|
# If pgAdmin doesn't detect any activity in the time specified (in seconds),
|
|
# the user will be forcibly logged out from pgAdmin. Set to zero to disable
|
|
# the timeout.
|
|
# Note: This is applicable only for SERVER_MODE=True.
|
|
USER_INACTIVITY_TIMEOUT = {{ open_asfa_pgadmin_inactivity_timeout }}
|
|
|
|
# OVERRIDE_USER_INACTIVITY_TIMEOUT when set to True will override
|
|
# USER_INACTIVITY_TIMEOUT when long running queries in the Query Tool
|
|
# or Debugger are running. When the queries complete, the inactivity timer
|
|
# will restart in this case. If set to False, user inactivity may cause
|
|
# transactions or in-process debugging sessions to be aborted.
|
|
OVERRIDE_USER_INACTIVITY_TIMEOUT = True
|
|
|
|
##########################################################################
|
|
|
|
# These settings are used when running in web server mode for confirming
|
|
# and resetting passwords etc.
|
|
# See: http://pythonhosted.org/Flask-Mail/ for more info
|
|
# MAIL_SERVER = 'localhost'
|
|
# MAIL_PORT = 25
|
|
# MAIL_USE_SSL = False
|
|
# MAIL_USE_TLS = False
|
|
# MAIL_USERNAME = ''
|
|
# MAIL_PASSWORD = ''
|
|
# MAIL_DEBUG = False
|
|
|
|
# Flask-Security overrides Flask-Mail's MAIL_DEFAULT_SENDER setting, so
|
|
# that should be set as such:
|
|
SECURITY_EMAIL_SENDER = '{{ open_asfa_pgadmin_email }}'
|
|
|
|
# Check for new versions of the application?
|
|
UPGRADE_CHECK_ENABLED = False
|
|
|
|
|
|
##########################################################################
|
|
# SSH Tunneling supports only for Python 2.7 and 3.4+
|
|
##########################################################################
|
|
SUPPORT_SSH_TUNNEL = False
|
|
|
|
##########################################################################
|
|
# Allows pgAdmin4 to create session cookies based on IP address, so even
|
|
# if a cookie is stolen, the attacker will not be able to connect to the
|
|
# server using that stolen cookie.
|
|
# Note: This can cause problems when the server is deployed in dynamic IP
|
|
# address hosting environments, such as Kubernetes or behind load
|
|
# balancers. In such cases, this option should be set to False.
|
|
##########################################################################
|
|
ENHANCED_COOKIE_PROTECTION = True
|
|
|
|
#
|
|
SESSION_COOKIE_SAMESITE = 'Lax'
|
|
SESSION_COOKIE_SECURE = False
|
|
SESSION_COOKIE_HTTPONLY = True
|
|
|
|
##########################################################################
|
|
# External Authentication Sources
|
|
##########################################################################
|
|
|
|
# Default setting is internal
|
|
# External Supported Sources: ldap, kerberos
|
|
# Multiple authentication can be achieved by setting this parameter to
|
|
# ['ldap', 'internal']. pgAdmin will authenticate the user with ldap first,
|
|
# in case of failure internal authentication will be done.
|
|
|
|
AUTHENTICATION_SOURCES = ['internal']
|
|
|
|
##########################################################################
|
|
# LDAP Configuration
|
|
##########################################################################
|
|
|
|
# After ldap authentication, user will be added into the SQLite database
|
|
# automatically, if set to True.
|
|
# Set it to False, if user should not be added automatically,
|
|
# in this case Admin has to add the user manually in the SQLite database.
|
|
LDAP_AUTO_CREATE_USER = True
|
|
|
|
# Connection timeout
|
|
LDAP_CONNECTION_TIMEOUT = 10
|
|
|
|
# Server connection details (REQUIRED)
|
|
# example: ldap://<ip-address>:<port> or ldap://<hostname>:<port>
|
|
LDAP_SERVER_URI = 'ldap://<ip-address>:<port>'
|
|
|
|
# The LDAP attribute containing user names. In OpenLDAP, this may be 'uid'
|
|
# whilst in AD, 'sAMAccountName' might be appropriate. (REQUIRED)
|
|
LDAP_USERNAME_ATTRIBUTE = '<User-id>'
|
|
|
|
##########################################################################
|
|
# 3 ways to configure LDAP as follows (Choose anyone):
|
|
|
|
# 1. Dedicated User binding
|
|
|
|
# LDAP Bind User DN Example: cn=username,dc=example,dc=com
|
|
# Set this parameter to allow the connection to bind using a dedicated user.
|
|
# After the connection is made, the pgadmin login user will be further
|
|
# authenticated by the username and password provided
|
|
# at the login screen.
|
|
LDAP_BIND_USER = None
|
|
|
|
# LDAP Bind User Password
|
|
LDAP_BIND_PASSWORD = None
|
|
|
|
# OR ####################
|
|
# 2. Anonymous Binding
|
|
|
|
# Set this parameter to allow the anonymous bind.
|
|
# After the connection is made, the pgadmin login user will be further
|
|
# authenticated by the username and password provided
|
|
|
|
LDAP_ANONYMOUS_BIND = False
|
|
|
|
# OR ####################
|
|
# 3. Bind as pgAdmin user
|
|
|
|
# BaseDN (REQUIRED)
|
|
# AD example:
|
|
# (&(objectClass=user)(memberof=CN=MYGROUP,CN=Users,dc=example,dc=com))
|
|
# OpenLDAP example: CN=Users,dc=example,dc=com
|
|
LDAP_BASE_DN = '<Base-DN>'
|
|
|
|
##########################################################################
|
|
|
|
# Search ldap for further authentication (REQUIRED)
|
|
# It can be optional while bind as pgAdmin user
|
|
LDAP_SEARCH_BASE_DN = '<Search-Base-DN>'
|
|
|
|
# Filter string for the user search.
|
|
# For OpenLDAP, '(cn=*)' may well be enough.
|
|
# For AD, you might use '(objectClass=user)' (REQUIRED)
|
|
LDAP_SEARCH_FILTER = '(objectclass=*)'
|
|
|
|
# Search scope for users (one of BASE, LEVEL or SUBTREE)
|
|
LDAP_SEARCH_SCOPE = 'SUBTREE'
|
|
|
|
# Use TLS? If the URI scheme is ldaps://, this is ignored.
|
|
LDAP_USE_STARTTLS = False
|
|
|
|
# TLS/SSL certificates. Specify if required, otherwise leave empty
|
|
LDAP_CA_CERT_FILE = ''
|
|
LDAP_CERT_FILE = ''
|
|
LDAP_KEY_FILE = ''
|