Initial commit: Upload Checkpoint project
This commit is contained in:
commit
c0e3781244
32 changed files with 6121 additions and 0 deletions
143
config/checkpoint.toml
Normal file
143
config/checkpoint.toml
Normal file
|
|
@ -0,0 +1,143 @@
|
|||
# =============================================================================
|
||||
# CHECKPOINT SECURITY CONFIGURATION
|
||||
# =============================================================================
|
||||
# This configuration controls the checkpoint security middleware that protects
|
||||
# your services with proof-of-work challenges and token-based authentication.
|
||||
# =============================================================================
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# CORE SETTINGS
|
||||
# -----------------------------------------------------------------------------
|
||||
[Core]
|
||||
# Enable or disable the checkpoint system entirely
|
||||
Enabled = true
|
||||
|
||||
# Cookie name for storing checkpoint tokens
|
||||
CookieName = "checkpoint_token"
|
||||
|
||||
# Cookie domain (empty = host-only cookie for localhost)
|
||||
# Set to ".yourdomain.com" for all subdomains
|
||||
CookieDomain = ""
|
||||
|
||||
# Enable URL path sanitization to prevent path traversal attacks
|
||||
SanitizeURLs = true
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# PROOF OF WORK SETTINGS
|
||||
# -----------------------------------------------------------------------------
|
||||
[ProofOfWork]
|
||||
# Number of leading zeros required in the SHA-256 hash
|
||||
Difficulty = 4
|
||||
|
||||
# Random salt length in bytes
|
||||
SaltLength = 16
|
||||
|
||||
# Time allowed to solve a challenge before it expires
|
||||
ChallengeExpiration = "3m"
|
||||
|
||||
# Maximum attempts per IP address per hour
|
||||
MaxAttemptsPerHour = 10
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# PROOF OF SPACE-TIME SETTINGS (Optional additional verification)
|
||||
# -----------------------------------------------------------------------------
|
||||
[ProofOfSpaceTime]
|
||||
# Enable consistency checks for PoS-Time verification
|
||||
Enabled = true
|
||||
|
||||
# Maximum allowed ratio between slowest and fastest PoS runs
|
||||
ConsistencyRatio = 1.35
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# TOKEN SETTINGS
|
||||
# -----------------------------------------------------------------------------
|
||||
[Token]
|
||||
# How long tokens remain valid
|
||||
Expiration = "24h"
|
||||
|
||||
# Maximum age for used nonces before cleanup
|
||||
MaxNonceAge = "24h"
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# STORAGE PATHS
|
||||
# -----------------------------------------------------------------------------
|
||||
[Storage]
|
||||
# HMAC secret storage location
|
||||
SecretPath = "./data/checkpoint_secret.json"
|
||||
|
||||
# Token database directory
|
||||
TokenDBPath = "./db/tokenstore"
|
||||
|
||||
# Interstitial page templates (in order of preference)
|
||||
InterstitialTemplates = [
|
||||
"/pages/interstitial/page.html",
|
||||
"/pages/ipfilter/default.html"
|
||||
]
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# EXCLUSION RULES
|
||||
# -----------------------------------------------------------------------------
|
||||
# Define which requests should bypass the checkpoint system.
|
||||
# Each rule can specify:
|
||||
# - Path (required): URL path or prefix to match
|
||||
# - Hosts (optional): Specific hostnames this rule applies to
|
||||
# - UserAgents (optional): User-Agent patterns to match
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
[[Exclusion]]
|
||||
# Skip checkpoint for all API endpoints (required for Immich and similar apps)
|
||||
Path = "/api"
|
||||
Hosts = ["gallery.caileb.com"] # Optional: only for specific hosts
|
||||
|
||||
[[Exclusion]]
|
||||
# Skip checkpoint for health checks
|
||||
Path = "/health"
|
||||
|
||||
[[Exclusion]]
|
||||
# Skip checkpoint for metrics endpoint
|
||||
Path = "/metrics"
|
||||
|
||||
# [[Exclusion]]
|
||||
# Example: Mobile app API with specific user agent
|
||||
# Path = "/mobile-api"
|
||||
# UserAgents = ["MyApp/", "Dart/"]
|
||||
|
||||
# [[Exclusion]]
|
||||
# Example: Host-specific exclusion
|
||||
# Path = "/admin"
|
||||
# Hosts = ["admin.internal.com"]
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# BYPASS KEYS
|
||||
# -----------------------------------------------------------------------------
|
||||
# Special keys that can bypass the checkpoint when provided
|
||||
|
||||
[[BypassKeys]]
|
||||
# Query parameter bypass
|
||||
Type = "query"
|
||||
Key = "bypass_key"
|
||||
Value = "your-secret-key-here"
|
||||
Hosts = ["music.caileb.com"] # Optional: restrict to specific hosts
|
||||
|
||||
[[BypassKeys]]
|
||||
# Header bypass
|
||||
Type = "header"
|
||||
Key = "X-Bypass-Token"
|
||||
Value = "another-secret-key"
|
||||
# Hosts = [] # If empty or omitted, applies to all hosts
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# FILE EXTENSION HANDLING
|
||||
# -----------------------------------------------------------------------------
|
||||
[Extensions]
|
||||
# Only apply checkpoint to these file extensions (for HTML content)
|
||||
# Empty = check all paths
|
||||
IncludeOnly = [".html", ".htm", ".shtml", ""]
|
||||
|
||||
# Never apply checkpoint to these file extensions
|
||||
# This takes precedence over IncludeOnly
|
||||
Exclude = [
|
||||
".js", ".css", ".png", ".jpg", ".jpeg", ".gif", ".svg",
|
||||
".ico", ".woff", ".woff2", ".ttf", ".eot", ".map",
|
||||
".json", ".xml", ".txt", ".webp", ".avif"
|
||||
]
|
||||
Loading…
Add table
Add a link
Reference in a new issue