# Configuration Reference

# Properties

# acme_use_auto_tls

  • type: bool
  • default: no

Enable automatic certificates from https://letsencrypt.org. acme_hostname must also be set.

# acme_hostname

  • type: string

The hostname for which you want a certificate issued. This hostname must resolve to the server's public IP address.

# acme_cache_dir

  • type: string

Path to the directory containing the Let's Encrypt account id and any requested TLS certificates.

# audit_retention_days

  • type: int
  • default: 7

Number of days to retain entries in the audit log.

# authentication_log

Generate detailed logs of all authentication events.

Events:

LOGIN_SUCCESS: user provided valid credentials
LOGIN_FAILED: user provided invalid credentials
LOGIN_BLOCKED: login attempt from blocked IP address
IP_BANNED: IP address banned after too many failed login attempts
BAN_EXPIRED: IP address ban expired

Sample Configuration:

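authentication_log:
  # Booleans are written as true/false: `yes` is a boolean only under YAML 1.1
  # and a plain string under YAML 1.2, so it is ambiguous across parsers.
  enabled: true
  path: /var/log/filemage/auth.log
  format: logfmt
  # Rotate at 10 MB, keep 3 rotated files for at most 28 days, compressed.
  max_size_mb: 10
  max_backups: 3
  max_age_days: 28
  compress: true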

Sample Output:

time=2020-04-04T01:12:03.8093335Z remote=172.18.0.1 user=bob event=LOGIN_FAILED
time=2020-04-04T01:12:08.7606184Z remote=172.18.0.1 user=bob event=LOGIN_SUCCESS
time=2020-04-04T01:12:12.5485004Z remote=172.18.0.1 event=IP_BANNED
time=2020-04-04T01:12:12.5485566Z remote=172.18.0.1 user=bob event=LOGIN_FAILED
time=2020-04-04T01:12:30.9450762Z remote=172.18.0.1 user=bob event=LOGIN_BLOCKED

# azure_active_directory

  • type: map

    • # client_id

      • type: string

      Azure Active Directory Application (client) ID.

    • # tenant_id

      • type: string

      Azure Active Directory Directory (tenant) ID.

Configure Azure Active Directory as a login provider.

# azure_upload_buffer_size

  • type: int
  • default: 10485760

Size in bytes of each block used when uploading to Azure Blob Storage.

# tls_certificate

  • type: string
  • default: /opt/filemage/cert.pem

Path to a file containing a TLS certificate in PEM format.

# tls_certificate_key

  • type: string
  • default: /opt/filemage/key.pem

Path to a file containing the private key for the TLS certificate. Restrict read access to this file to the service account.

# tls_min_version

  • type: string
  • default: 1.0

Lowest TLS protocol version the server will negotiate. TLS 1.0 and 1.1 are deprecated (RFC 8996); raise this to 1.2 unless legacy clients must be supported.

# tls_max_version

  • type: string
  • default: 1.2

Highest TLS protocol version the server will negotiate.

# tls_ciphers

  • type: list
  • default:
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • supported:
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256

# tls_prefer_server_ciphers

  • type: bool
  • default: no

Use the server's cipher suite order, rather than the client's preference, when negotiating a TLS connection.

# http_address

  • type: string
  • default: 0.0.0.0

The bind address of the HTTP and HTTPS listener.

# http_cors_origins

  • type: list

List of origins allowed to make cross-origin (CORS) requests.

# http_session_age

  • type: int
  • default: 604800

Maximum age in seconds of the browser session cookie.

# http_healthcheck_path

  • type: string
  • default: /healthz

Path of the health check endpoint.

# http_port

  • type: int
  • default: 80

The port used by the HTTP listener.

# https_port

  • type: int
  • default: 443

The port used by the HTTPS listener. Set to -1 to disable.

# pg_host

  • type: string
  • default: /var/run/postgresql/

Database hostname or Unix socket path.

# pg_port

  • type: int
  • default: 5432

Database port.

# pg_user

  • type: string
  • default: filemage

Database user.

# pg_password

  • type: string

Database user password.

# pg_database

  • type: string
  • default: filemage

Database name.

# pg_ssl_mode

  • type: string

SSL/TLS mode for the database connection.

# ftp_address

  • type: string
  • default: 0.0.0.0

Bind address of the FTP listener.

# ftp_port

  • type: int
  • default: 21

The port used by the FTP listener.

# ftp_public_address

  • type: string

The IP address presented to clients for passive-mode connections. You may instead provide a hostname, which is resolved at startup.

# ftp_data_port_start

  • type: int
  • default: 32768

Start value of passive mode FTP port range.

# ftp_data_port_end

  • type: int
  • default: 65535

End value of passive mode FTP port range.

Note

When deploying from Azure Marketplace, this range (ftp_data_port_start to ftp_data_port_end) is preset to 6000-6005.

# ftp_idle_timeout

  • type: int
  • default: 900

Seconds to wait before terminating idle FTP command connections. Set to 0 to disable.

# ftp_require_tls

  • type: bool
  • default: no

Require FTP connections to use TLS after connecting when in implicit mode.

# ftp_tls_mode

  • type: string
  • default: implicit

Use 'implicit' or 'explicit' TLS when TLS is enabled for FTP.

# ftp_proxy_protocol

  • type: bool
  • default: no

Enable support for the PROXY protocol (v1 and v2) on the FTP listener. Enable this only when the listener is reached through a proxy that sends the PROXY header, since the header is trusted as the client's source address.

# ftp_pasv_promiscuous

  • type: bool
  • default: no

Do not require the remote IP of a passive-mode data connection to match the remote IP of the command connection.

# ftp_log

  • type: log_config

    • # path

      • type: string
      • default: /var/log/filemage/ftp.log

Generate detailed logs of all received FTP commands.

Sample Configuration:

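ftp_log:
  # Booleans are written as true/false: `yes` is a boolean only under YAML 1.1
  # and a plain string under YAML 1.2, so it is ambiguous across parsers.
  enabled: true
  path: /var/log/filemage/ftp.log
  format: logfmt
  # Rotate at 10 MB, keep 3 rotated files for at most 28 days, compressed.
  max_size_mb: 10
  max_backups: 3
  max_age_days: 28
  compress: true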

Sample Output:

time=2019-07-04T02:53:37.9396798Z client=172.20.0.3:21 remote=172.20.0.1:38556 command=AUTH param=TLS session=5e70633e15067daf007031a8151ac249
time=2019-07-04T02:53:37.9611056Z client=172.20.0.3:21 remote=172.20.0.1:38556 command=USER param=filemage session=5e70633e15067daf007031a8151ac249
time=2019-07-04T02:53:37.9620737Z client=172.20.0.3:21 remote=172.20.0.1:38556 command=PASS username=filemage session=5e70633e15067daf007031a8151ac249
time=2019-07-04T02:53:38.0968158Z client=172.20.0.3:21 remote=172.20.0.1:38556 command=OPTS param="UTF8 ON" username=filemage session=5e70633e15067daf007031a8151ac249

# sftp_address

  • type: string
  • default: 0.0.0.0

The bind address of the SFTP listener.

# sftp_port

  • type: int
  • default: 2222

The port used by the SFTP listener.

# sftp_host_keys

  • type: string
  • default:
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_rsa_key

The paths to the host key files to use.

# sftp_ciphers

  • type: list
  • default:
aes128-gcm@openssh.com
chacha20-poly1305@openssh.com
aes128-ctr
aes192-ctr
aes256-ctr
  • supported:
3des-cbc
aes128-cbc
aes128-ctr
aes128-gcm@openssh.com
aes192-ctr
aes256-ctr
arcfour
arcfour128
arcfour256
chacha20-poly1305@openssh.com

The list of cipher algorithms that are presented to the client, in the specified order, during the SSH key exchange.

# sftp_key_exchanges

  • type: list
  • default:
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1

The list of SSH key exchange algorithms to use.

# sftp_digests

  • type: list
  • default:
hmac-sha2-256-etm@openssh.com
hmac-sha2-256
hmac-sha1
hmac-sha1-96

The list of SSH MAC (message authentication) algorithms to use.

# sftp_log

  • type: log_config

    • # path

      • type: string
      • default: /var/log/filemage/sftp.log

Generate detailed logs of all received SFTP commands.

Sample Configuration:

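sftp_log:
  # Booleans are written as true/false: `yes` is a boolean only under YAML 1.1
  # and a plain string under YAML 1.2, so it is ambiguous across parsers.
  enabled: true
  path: /var/log/filemage/sftp.log
  format: logfmt
  # Rotate at 10 MB, keep 3 rotated files for at most 28 days, compressed.
  max_size_mb: 10
  max_backups: 3
  max_age_days: 28
  compress: true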

# sftp_disable_passwords

  • type: bool
  • default: no

Disable password authentication for all users when connecting with SFTP.

# sftp_trusted_user_ca_keys

  • type: list

List of file paths of trusted certificate authority public keys for SSH certificate authentication.

# sftp_idle_timeout

  • type: int
  • default: 0

Seconds to wait before terminating idle SFTP command connections. Set to 0 to disable.

# rename_allow_overwrite

  • type: bool
  • default: no

Allow files to be overwritten when issuing rename commands.

# password_min_length

  • type: int

Minimum length of user passwords.

# password_requirements

  • type: list

Require that passwords contain at least one character from each of the indicated character types.

  • supported:
upper_case
lower_case
digits
special_characters

# connection_log

  • type: log_config

    • # path

      • type: string
      • default: /var/log/filemage/connections.log

Generate detailed logs of all FTP and SFTP connections established to the server.

Sample Configuration:

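connection_log:
  # Booleans are written as true/false: `yes` is a boolean only under YAML 1.1
  # and a plain string under YAML 1.2, so it is ambiguous across parsers.
  enabled: true
  path: /var/log/filemage/connections.log
  format: json
  # Rotate at 10 MB, keep 3 rotated files for at most 28 days, compressed.
  max_size_mb: 10
  max_backups: 3
  max_age_days: 28
  compress: true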

Sample Output:

time=2019-07-04T02:53:32.4361712Z client=172.20.0.3:2222 remote=172.20.0.1:57768 msg="open sftp connection"
time=2019-07-04T02:53:37.9370762Z client=172.20.0.3:21 remote=172.20.0.1:38556 msg="open ftp control connection"
time=2019-07-04T02:53:42.2099408Z client=172.20.0.3:6001 remote=172.20.0.1:38624 msg="open ftp passive data connection"

# lockout

  • type: map
    • # enabled

      • type: bool
      • default: no
    • # max_attempts

      • type: int
      • default: 10

      Number of allowed failed login attempts before blocking further login attempts.

    • # interval

      • type: string
      • default: 60
      • unit: seconds

      Interval in seconds during which failed login attempts are evaluated.

    • # ban_duration

      • type: int
      • default: 60
      • unit: seconds

      Duration in seconds during which further login attempts will be blocked.

Block repeated failed login attempts from the same remote IP. Applies to both SFTP and FTP listeners.

Sample Configuration:

lockout:
  # Lockout is off by default; turn it on explicitly.
  enabled: true
  # Evaluate failed logins over a 15 s window, allow 5 before blocking,
  # then block further attempts from that remote IP for 120 s.
  ban_duration: 120
  interval: 15
  max_attempts: 5

# metrics

  • type: map
    • # service

      • type: string

      The metrics service to send metrics data to. Currently only azure is supported.

    • # azure_insights_instrumentation_key

      • type: string

      The instrumentation key for the Azure Insights workspace to use.

# Complex Types

# log_config

  • type: map
    • # enabled

      • type: bool
      • default: no
    • # path

      • type: string
    • # format

      • type: string
      • default: logfmt

      Can be either json or logfmt.

    • # max_size_mb

      • type: int
      • default: 100

Maximum file size in MB before the log is rotated.

    • # max_backups

      • type: int
      • default: 5

      Max number of rotated files to keep. Set to 0 to retain all files.

    • # max_age_days

      • type: int
      • default: 0

      Number of days to keep rotated log files. Set to 0 to disable deletion based on age.

    • # compress

      • type: bool
      • default: no

      Compress rotated log files.