# =============================================================================
# CHECKPOINT SECURITY CONFIGURATION
# =============================================================================
# This configuration controls the checkpoint security middleware that protects
# your services with proof-of-work challenges and token-based authentication.
#
# Note that this file carries secrets of its own (the [[BypassKeys]] values)
# and points at the HMAC secret and token store under [Storage]. Treat the
# file itself as sensitive: keep it out of public repositories and out of any
# directory the web server can serve.
# =============================================================================

# -----------------------------------------------------------------------------
# CORE SETTINGS
# -----------------------------------------------------------------------------
[Core]
# Master switch. When false the middleware is skipped entirely, so every
# exclusion, bypass key and extension rule below is moot.
Enabled = true

# Name of the cookie that carries the checkpoint token issued after a
# successful challenge.
CookieName = "checkpoint_token"

# Cookie Domain attribute. Empty presumably omits the attribute, giving a
# host-only cookie that is sent back only to the exact host that set it
# (correct for localhost and for any single-host deployment).
# Set to ".yourdomain.com" to share the token across all subdomains. Do this
# deliberately: every subdomain, including ones you do not fully control, can
# then read and overwrite the token.
CookieDomain = ""

# Normalise request paths before matching (defence against path traversal
# such as "/../" segments). Keep enabled: the exclusion and extension rules
# below are presumably matched against the sanitised path, so disabling this
# would also weaken them -- verify in the middleware before turning it off.
SanitizeURLs = true

# -----------------------------------------------------------------------------
# PROOF OF WORK SETTINGS
# -----------------------------------------------------------------------------
[ProofOfWork]
# Number of leading zeros required in the SHA-256 hash of a solution.
# Expected client cost grows exponentially with this value (x16 per extra hex
# digit, x2 per extra bit -- check which unit the implementation counts before
# raising it). 4 keeps browsers responsive but is cheap for a scripted client;
# treat PoW as a brake on abuse, not as authentication.
Difficulty = 4

# Length in bytes of the random salt mixed into each challenge (16 B = 128
# bits; presumably what stops a client reusing precomputed solutions).
SaltLength = 16

# Time allowed to solve a challenge before it expires. Must comfortably exceed
# the solve time of a slow device at the configured Difficulty, or legitimate
# users on old phones will never get through.
ChallengeExpiration = "3m"

# Maximum challenge attempts per client IP per hour.
# NOTE(review): only meaningful if the middleware sees the real client IP.
# Behind a reverse proxy or CDN, make sure the forwarded-for address is taken
# from a trusted hop only; otherwise every client shares the proxy's budget
# (or an attacker picks their own IP). Shared NATs (offices, mobile carriers)
# can legitimately exhaust 10/hour -- watch for lockouts.
MaxAttemptsPerHour = 10

# -----------------------------------------------------------------------------
# PROOF OF SPACE-TIME SETTINGS (Optional additional verification)
# -----------------------------------------------------------------------------
[ProofOfSpaceTime]
# Enable consistency checks for PoS-Time verification.
Enabled = true

# Maximum allowed ratio between the slowest and fastest PoS run; clients whose
# runs vary by more than this are presumably rejected. A value closer to 1.0
# is stricter but will false-positive on devices with noisy timing (thermal
# throttling, background load). Tune against observed client data rather than
# tightening blindly.
ConsistencyRatio = 1.35

# -----------------------------------------------------------------------------
# TOKEN SETTINGS
# -----------------------------------------------------------------------------
[Token]
# How long an issued token remains valid. A stolen token is usable for this
# whole window, so shorten it for sensitive services; 24h trades that exposure
# for fewer challenges shown to returning users.
Expiration = "24h"

# How long used nonces are retained before cleanup.
# NOTE(review): if these are the nonces embedded in tokens, keep this value
# >= Expiration (plus some clock skew) -- purging a nonce while its token is
# still valid would presumably allow that token to be replayed. Equal values,
# as here, are the minimum safe setting, not a margin.
MaxNonceAge = "24h"

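# -----------------------------------------------------------------------------
# STORAGE PATHS
# -----------------------------------------------------------------------------
[Storage]
# Location of the HMAC secret used for tokens. Anyone who can read this file
# can mint valid tokens; anyone who can write it can invalidate every session.
# Keep it outside any directory the web server serves, owned by the service
# user with mode 0600, and out of version control. A relative path is
# presumably resolved against the process working directory -- prefer an
# absolute path in production so a different launch directory cannot silently
# create a fresh, empty secret.
SecretPath = "./data/checkpoint_secret.json"

# Directory for the token database. Same ownership/permission rules as the
# secret apply; the same working-directory caveat too.
TokenDBPath = "./db/tokenstore"

# Interstitial (challenge) page templates, tried in order of preference --
# presumably the first one that exists is served. Whether these resolve
# against the filesystem root or an application asset root is not visible
# here; verify in the template loader.
InterstitialTemplates = [
  "/pages/interstitial/page.html",
  "/pages/ipfilter/default.html",
]
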
# -----------------------------------------------------------------------------
# EXCLUSION RULES
# -----------------------------------------------------------------------------
# Define which requests bypass the checkpoint entirely. Each rule can specify:
#   - Path (required): URL path or prefix to match
#   - Hosts (optional): restrict the rule to these hostnames
#   - UserAgents (optional): User-Agent patterns to match
#
# Security notes:
#   - If Path is a prefix match, "/api" also excludes "/api-docs", "/apiary"
#     and so on -- confirm the matching rule in the middleware and use a
#     trailing "/" where that is supported.
#   - Host and User-Agent are both supplied by the client. A Hosts restriction
#     is only as strong as the proxy's Host validation, and a UserAgents match
#     is a convenience for known clients, never a security boundary.
#   - An excluded path gets no checkpoint at all; it needs its own
#     authentication or a network-level restriction instead.
# -----------------------------------------------------------------------------

[[Exclusion]]
# Skip checkpoint for all API endpoints (required for Immich and similar apps
# whose native clients cannot solve a browser challenge). The API's own
# authentication carries the load here.
Path = "/api"
Hosts = ["gallery.caileb.com"]  # Optional: only for specific hosts

[[Exclusion]]
# Skip checkpoint for health checks. Reveals only liveness, but is reachable
# by anyone unless the proxy limits it.
Path = "/health"

[[Exclusion]]
# Skip checkpoint for the metrics endpoint.
# NOTE(review): metrics usually expose internal detail (route names, error
# rates, versions). Restrict this path to the scraper's source address at the
# proxy or firewall rather than leaving it open.
Path = "/metrics"

# [[Exclusion]]
# Example: mobile app API matched by user agent (spoofable -- see notes above)
# Path = "/mobile-api"
# UserAgents = ["MyApp/", "Dart/"]

# [[Exclusion]]
# Example: host-specific exclusion
# Path = "/admin"
# Hosts = ["admin.internal.com"]

# -----------------------------------------------------------------------------
# BYPASS KEYS
# -----------------------------------------------------------------------------
# Special keys that skip the checkpoint when presented with a request.
#
# SECURITY: a bypass key is equivalent to disabling the checkpoint for anyone
# who holds it. The values below are placeholders -- replace them with long
# random secrets (32+ bytes from a CSPRNG) before deploying, rotate them if
# they ever land in a log, ticket or chat, and never commit real values.
# Prefer the "header" type: query parameters end up in access logs, browser
# history, bookmarks and Referer headers. Restrict each key with Hosts
# wherever possible.

[[BypassKeys]]
# Query-parameter bypass, i.e. ?bypass_key=<Value>. Use only where the client
# cannot set headers (plain links, some media players) and accept that the
# key will leak into request logs along the way.
Type = "query"
Key = "bypass_key"
Value = "your-secret-key-here"  # PLACEHOLDER -- replace before deployment
Hosts = ["music.caileb.com"]  # Optional: restrict to specific hosts

[[BypassKeys]]
# Header bypass, i.e. "X-Bypass-Token: <Value>". With Hosts unset this applies
# to every host -- the broadest bypass in the file, so guard the secret
# accordingly or add a Hosts restriction.
Type = "header"
Key = "X-Bypass-Token"
Value = "another-secret-key"  # PLACEHOLDER -- replace before deployment
# Hosts = []  # If empty or omitted, applies to all hosts

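# -----------------------------------------------------------------------------
# FILE EXTENSION HANDLING
# -----------------------------------------------------------------------------
[Extensions]
# Only apply the checkpoint to requests whose path ends in one of these
# extensions. The empty-string entry "" covers paths with no extension at all
# ("/", "/login", "/api/..."), which is what puts most dynamic routes under
# the check -- do not remove it casually.
# Empty list = check all paths.
IncludeOnly = [".html", ".htm", ".shtml", ""]

# Never apply the checkpoint to these extensions (static assets a page needs
# before the challenge can even render). Takes precedence over IncludeOnly.
# NOTE(review): ".json", ".xml" and ".txt" are data formats, not only assets;
# any endpoint reachable through such a suffix is unprotected, so make sure
# nothing sensitive is routed that way. Also confirm the suffix is taken from
# the sanitised path rather than the raw request, so a client cannot append a
# harmless-looking extension to an otherwise protected route.
Exclude = [
  ".js", ".css", ".png", ".jpg", ".jpeg", ".gif", ".svg",
  ".ico", ".woff", ".woff2", ".ttf", ".eot", ".map",
  ".json", ".xml", ".txt", ".webp", ".avif",
]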