kore/conf/kore.conf.example

# Example Kore configuration

# Below you will find all available configuration
# options for Kore. Options which have a default value
# and can be left out of the configuration are commented
# out with their default value specified.

# Maximum length to queue pending connections (see listen(2))
# MUST be set before any bind directive.
#socket_backlog			5000

# Server configuration.
bind		127.0.0.1 443
#bind_unix	/var/run/kore.sock

# The worker process root directory. If chrooting was not disabled
# at startup the worker processes will chroot into this directory.
#
# If this configuration option is not set, Kore will take the current
# working directory as the root.
root		/home/joris/src/kore

# Worker processes will run as the specified user. If this option is
# missing Kore will run as the current user.
runas		joris

# How many worker processes Kore will spawn. If the directive
# worker_set_affinity is set to 1 (the default) Kore will automatically
# pin these worker processes to different CPU cores in your system.
# NOTE: If you set this to the maximum number of cores you have
# in your system (or more) you might consider turning off affinity
# if you are running CPU heavy services on the same machine.
workers		4

# The number of active connections each worker can handle.
# You might have to tweak this number based on your hardware.
#worker_max_connections		512

# Limit of maximum open files per worker.
#worker_rlimit_nofiles		768

# Limit the number of new connections a worker can accept
# in a single event loop. By default Kore will accept as
# many new connections it can up to worker_max_connections.
#
# NOTE: If you are running benchmark tools that throw all
# connections at Kore at the same time (when they are less
# then worker_max_connections) or you have an actual reason
# to not spend too much time in the accept loop this setting
# will make a HUGE positive difference.

# Number of accept() calls a worker will do at most in one go
# before releasing the lock to others.
#worker_accept_threshold		16

# What should the Kore parent process do if a worker
# process unexpectedly exits. The default policy is that
# the worker process is automatically restarted.
#
# If you want the kore server to exit if a worker dies
# you can swap the policy to "terminate".
#worker_death_policy		restart

# Workers bind themselves to a single CPU by default.
# Turn this off by setting this option to 0
#worker_set_affinity		1

# Store the pid of the main process in this file.
#pidfile	kore.pid

# If TLS is enabled you can specify a file where Kore will read
# initial entropy from and save entropy towards when exiting.
#
# Note that if you enable this you must provide the first iteration
# of this file by generating 1024 cryptographically safe random bytes
# and writing them to the file specified.
#
# Kore will refuse to start if the specified file does not exist,
# is of the wrong size or cannot be opened in anyway.
#
# NOTE: This file location must be inside your chrooted environment.
#rand_file	random.data

# Key manager specific options.
#	If TLS is enabled you will need to specify paths to the domain
#	certificate and key that Kore will load. This loading is done
#	from the keymgr (separate process) and all paths must be relative
#	to the keymgr_root configuration option.
#
#	keymgr_root	The root path the keymgr will chdir into.
#				If chroot was not disable at startup time
#				the keymgr process will chroot into here.
#
#	keymgr_runas	The user to run the keymgr as.
#
#	If privsep and chrooting is enabled at startup time but these
#	configuration options were not set, they will take over the
#	values from the 'root' and 'runas' configuration options.
#
#keymgr_root
#keymgr_runas

# Filemap settings
#	filemap_index	Name of the file to be used as the directory
#				index for a filemap.
#filemap_index index.html

# HTTP specific settings.
#	http_header_max		Maximum size of HTTP headers (in bytes).
#
#	http_header_timeout	Timeout in seconds for receiving the
#				HTTP headers before the connection is closed.
#
#	http_body_max		Maximum size of an HTTP body (in bytes).
#				If set to 0 disallows requests with a body
#				all together.
#
#	http_body_timeout	Timeout in seconds for receiving the
#				HTTP body in full before the connection
#				is closed with an 408.
#
#	http_body_disk_offload	Number of bytes after which Kore will use
#				a temporary file to hold the HTTP body
#				instead of holding it in memory. If set to
#				0 no disk offloading will be done. This is
#				turned off by default.
#
#	http_body_disk_path	Path where Kore will store any temporary
#				HTTP body files.
#
#	http_keepalive_time	Maximum seconds an HTTP connection can be
#				kept alive by the browser.
#				(Set to 0 to disable keepalive completely).
#
#	http_hsts_enable	Send Strict Transport Security header in
#				all responses. Parameter is the age.
#				(Set to 0 to disable sending this header).
#
#	http_request_limit	Limit the number of HTTP requests workers
#				can queue up.
#
#	http_request_ms		The number of milliseconds workers can max
#				spend inside the HTTP processing loop.
#
#http_header_max	4096
#http_header_timeout	10
#http_body_max		1024000
#http_body_timeout	60
#http_keepalive_time	0
#http_hsts_enable	31536000
#http_request_limit	1000
#http_request_ms	10
#http_body_disk_offload	0
#http_body_disk_path	tmp_files

# Websocket specific settings.
#	websocket_maxframe	Specifies the maximum frame size we can receive
#	websocket_timeout	Specifies the time in seconds before a websocket
#				connection would be closed due to inactivity.
#websocket_maxframe	16384
#websocket_timeout	120

# Configure the number of available threads for background tasks.
#task_threads		2

# Load modules (you can load multiple at the same time).
# An additional parameter can be specified as the "onload" function
# which Kore will call when the module is loaded/reloaded.
load contrib/examples/generic/example.module	example_load

# Load a python file (if built with PYTHON=1)
#python_import src/index.py example_load

# Validators
#	validator	name	type	regex|function
#
validator	v_example	function	v_example_func
validator	v_regex		regex		^/test/[a-z]*$
validator	v_number	regex		^[0-9]*$
validator	v_session	function	v_session_validate

# Specify what TLS version to be used. Default is TLSv1.2
# Allowed values:
#	1.2 for TLSv1.2 (default)
#	1.0 for TLSv1.0
#	both for TLSv1.0 and TLSv1.2
#tls_version	1.2

# Specify the TLS ciphers that will be used.
#tls_cipher	ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!kRSA:!kDSA

# Required DH parameters for TLS.
#tls_dhparam	dh2048.pem

# OpenBSD specific settings.
# Add more pledges if your application requires more privileges.
# All worker processes call pledge(2) after dropping privileges
# (even if -rn was specified).
# By default Kore will use the following promises: "stdio rpath inet error"
#pledge dns wpath

# Authentication configuration
#
# Using authentication blocks you can define a standard way for
# Kore to validate your users. In the example below we create
# a authentication block called auth_example, which requires
# a cookie (session_id) to be set.
#
# If no cookie is present or the cookie is not valid according
# to the set validator, Kore will redirect the browser to the
# URI set in authentication_uri.
#
# Page handlers can be bound to authentication by specifying
# authentication block at the end of the page directive (see below).
authentication auth_example {
	# The authentication type denotes the way the user should
	# be authenticated.
	#
	# Allow values:
	#	- cookie (checks for the cookie presence + pass to validator)
	#	- header (checks for header presence + pass to validator)
	#	- request (passes the http_request to the validator)
	#
	# Use cases for request could for example be IP based ACLs or
	# any other criteria that can be extracted from a http_request.
	#
	# The request type does not need an authentication_validator.
	#
	authentication_type		cookie

	# The name of whatever we are looking for.
	authentication_value		session_id

	# The validator that will be called to verify the cookie.
	# Note this is YOUR validator, Kore does not have built-in
	# session support. You must add this manually using your
	# preferred method (Storing it in postgres, redis, ...)
	authentication_validator	v_session

	# The URI Kore will redirect to if a authentication fails.
	# If this is not set, Kore will return a simple 403.
	authentication_uri		/private
}

# Domain configuration
#
# Each domain configuration starts with listing what domain
# the directives that follow are to be applied upon.
#
# Additionally you can specify the following in a domain configuration:
#
#	accesslog
#		- File where all requests are logged.
#
#	NOTE: due to current limitations the client_verify CA path
#	MUST be in the 'root' of the Kore workers, not the keymgr.
#
#	client_verify [CA] [optional CRL]
#		- Turns on client verification, requiring the client to
#		  send a certificate that will be verified by the given CA.
#	client_verify_depth [depth]
#		- Configure the depth for x509 chain validation.
#		  By default 1.
#
# Handlers
#
# Handlers are either static (for fixed paths) or dynamic.
# Dynamic handlers take a POSIX regular expression as its path.
#
# Syntax:
#	handler		path		module_callback		[auth block]
#
# Note that the auth block is optional and if set will force Kore to
# authenticate the user according to the authentication block its settings
# before allowing access to the page.

# Example domain that responds to localhost.
domain localhost {
	certfile	cert/server.crt
	certkey		cert/server.key
	accesslog	/var/log/kore_access.log

	# Page handlers with no authentication required.
	static		/css/style.css		serve_style_css
	static		/			serve_index
	static		/intro.jpg		serve_intro
	static		/b64test		serve_b64test
	static		/upload			serve_file_upload
	static		/lock-test		serve_lock_test
	static		/validator		serve_validator
	static		/params-test		serve_params_test
	static		/private		serve_private

	# Restrict some URIs to certain methods
	restrict /private post
	restrict /validator post get head

	# Page handlers with authentication.
	static		/private/test	serve_private_test	auth_example

	# Allow access to files from the directory static_files via
	# the /files/ URI.
	#
	# Note the directory given must be relative to the root configuration
	# option.
	filemap		/files/			static_files

	# Configure /params-test POST to only accept the following parameters.
	# They are automatically tested against the validator listed.
	# If the validator would fail Kore will automatically remove the
	# failing parameter, indicating something was wrong with it.
	# Any parameters not present in the params block are also filtered out.
	params post /params-test {
		validate	test1		v_example
		validate	test2		v_regex
	}

	# Configure a GET parameter that /params-test can received. As before
	# this is validated against the validator and removed if validation
	# fails. All extra parameters in the GET query are filtered out.
	params get /params-test {
		validate	arg1		v_example
		validate	id		v_number
	}

	# Configure a params block for allowed parameters in the
	# querystring when performing a POST against /params-test.
	# You do this by prefixing the method with the qs: marker.
	# In the param blocks below we allow the parameter "post_id"
	# in the querystring validated by v_number when a POST is
	# done against the supplied URL.
	params qs:post /params-test {
		validate	post_id		v_number
	}
}

#domain domain.com {
#	certfile		cert/other/server.crt
#	certkey			cert/other/server.key
#	accesslog		/var/log/other_kore_access.log
#	client_verify		/other/ca.crt
#	client_verify_depth	1

#	static		/css/style.css		serve_style_css
#	static		/			serve_index
#	dynamic		^/[a-z0-9_]*$		serve_profile
#}