Configuration
app.env
(located in deploy
directory) controls the behaviour of your SysReptor installation.
After making changes, go to sysreptor/deploy
and restart the containers:
1 |
|
Cloud ยท We take care of all configurations. If you want to change anything, please contact us.
Avaliable Options
Self-Hosted
Django Secret Key
Django server secret key (see https://docs.djangoproject.com/en/4.1/ref/settings/#std-setting-SECRET_KEY). Make sure this key remains secret.
Generate random secret key: | |
---|---|
1 |
|
Example (regenerate this value!): | |
---|---|
1 |
|
Data Encryption at Rest
Encrypt data at rest by configuring an encryption key. This will encrypt sensitive data in your database and files uploaded in your notes (except images, images are also encrypted).
Database and file storage administrators cannot access encrypted data. The key is held in the web application. Data encryption at rest does not help against malicious actors with access to the web server.
You have to define one DEFAULT_ENCRYPTION_KEY_ID
which will be used for data encryption. However, you can rotate your keys by defining multiple keys in ENCRYPTION_KEYS
.
All specified keys are used for decrypting stored data.
Note that the DEFAULT_ENCRYPTION_KEY_ID
must be part of ENCRYPTION_KEYS
.
Generate random encryption keys: | |
---|---|
1 |
|
Example (regenerate these values!): | |
---|---|
1 2 |
|
Debug mode
Debug mode enables Django's debug toolbar and stack traces. Do not use debug mode in production environments.
Example: | |
---|---|
1 |
|
Allowed Hosts
Comma-separated allowed hostnames/domain names for this installation.
Example: | |
---|---|
1 |
|
FIDO2/WebAuthn
If you want to use FIDO2/WebAuthn for MFA, you have to define the hostname (WebAuthn Relying Party ID) of your installation.
Example: | |
---|---|
1 |
|
License Key
Pro only
License key for SysReptor Professional.
Example: | |
---|---|
1 |
|
Single Sign-On (SSO)
Pro only
Configuration for SSO via OIDC. Find detailed instructions at https://docs.sysreptor.com/setup/oidc-setup/.
OIDC example: | |
---|---|
1 2 3 4 5 6 |
|
If your reverse proxy enforces authentication and provides the username via a HTTP-Header, use following settings to enable SSO.
Remote-User example | |
---|---|
1 2 |
|
By default users can decide whether they want to log in via SSO or username/password. It is possible to disable login via username/password. Make sure all users have SSO identities configured before enabling this option. Else they will not be able to log in anymore.
Disable username/password authentication example | |
---|---|
1 |
|
Configuration of the default authentication provider when multiple authentication providers are enabled (e.g. OIDC via Azure AD and username/password). This setting will redirect users to the default authentication provider, skipping the selection. Other authentication providers can still be used if login via the default provider fails.
Possible values: azure
, google
, remoteuser
, local
(username/password authentication)
Default authentication provider example | |
---|---|
1 2 |
|
Spell Check
Pro only
You can add words to the spell check dictionary in the markdown editor (see https://docs.sysreptor.com/reporting/spell-check/).
Words are added to a global spell check dictionary by default, which is available to all users. If words should be added to user's personal spell check dictionaries, set this setting to true
.
Using both global and personal dictionaries at the same time is not possible. Words of personal dictionaries are not shared between users. If one user adds an unknown word to their personal dictionary, the spell checker will still detect an error for other users, even when they are working in the same project or finding.
Spell check dictionary configuration | |
---|---|
1 |
|
The picky mode enables additional spell check rules.
It is also possible to selectively enable and disable rules or rule-categories by passing a LanguageTool configuration as JSON.
See https://languagetool.org/http-api/ for available options on the /check
request.
See https://community.languagetool.org/rule/list for available rules (note: rule IDs might differ for languages).
Spell check rule configuration | |
---|---|
1 2 |
|
Languages
Configure which languages are available in the language selection. By default all languages are shown. When this setting is configured, only selected languages are shown. All other languages are hidden.
This setting also defines the order of languages in the selection. The first language is used as default.
Example: | |
---|---|
1 |
|
Archiving
Pro only
Archived projects require at least ARCHIVING_THRESHOLD
number of users to restore the archive (see https://docs.sysreptor.com/reporting/archiving/).
By default two users are required, enforcing a 4-eye principle.
If ARCHIVING_THRESHOLD=1
every user is able to restore archived projects on their own, disabling the 4-eye principle.
Changing this setting does not affect previously archived projects.
Example: | |
---|---|
1 |
|
The process of archiving finished projects and deleting old archives can be automated by following settings. The values are time spans in days.
Example: | |
---|---|
1 2 3 4 |
|
Private Designs
Users without Designer permission can create and edit private designs that cannot be read or used by other users. If a pentest project is created using a private design, a copy of the private design becomes accessible by project members. Use this setting to enable private designs.
Example: | |
---|---|
1 |
|
Guest Users
Restrict capabilities of guest users.
Example: | |
---|---|
1 2 3 4 5 6 |
|
S3 Storage
Uploaded files and images can be stored in an S3 bucket. Files are stored on the filesystem in a docker volume by default. If data at rest encryption is configured files are encrypted (except images, images are also encrypted).
DEFAULT_S3_*
settings to apply to all file storages. It is possible to configure different settings per storage.
Global storage configuration: store everything in S3 bucket | |
---|---|
1 2 3 4 5 6 |
|
Uploaded file storage configuration | |
---|---|
1 2 3 4 5 6 7 |
|
Uploaded image storage configuration | |
---|---|
1 2 3 4 5 6 7 |
|
Uploaded asset storage configuration | |
---|---|
1 2 3 4 5 6 7 |
|
Archived project files can also be uploaded to an S3 bucket. Archives are stored on the filesystem in a docker volume by default.
Archived file storage configuratio | |
---|---|
1 2 3 4 5 6 7 |
|
Backup Key
Pro only
API key used for creating backups via REST API. The key should be random and must have 20 or more characters. Find more information at https://docs.sysreptor.com/backups/.
Make sure this key remains secret.
Generate random backup key: | |
---|---|
1 |
|
Example (do not use this value!): | |
---|---|
1 |
|
Compress Images
Uploaded images are compressed to reduce file size, but to retain quality suitable for PDF files. Disable image compression using this setting.
Example: | |
---|---|
1 |
|
PDF Rendering
PDFs are compressed via ghostscript
when generating the final report (not in previews).
PDF compression reduces the file size, but can lead to quality loss of images and differences between the preview and the final PDF.
PDF compression is enabled by default. Disable PDF compression using this setting.
Example: | |
---|---|
1 |
|
SysReptor limits the rendering time a PDF can take. If the rendering time exceeds the limit, the PDF render task is aborted. The default limit is 300 seconds (5 minutes). If you experience slow PDF rendering, try to optimize your design before increasing the limit.
Example: | |
---|---|
1 |
|
Reverse Proxy
Interpret X-Forwarded-*
headers when SysReptor is behind a reverse proxy.
See also https://docs.djangoproject.com/en/stable/ref/settings/#use-x-forwarded-host
1 2 |
|
When SysReptor is accessible via HTTPS (recommended), use following setting to redirect all HTTP requests to HTTPS.
This flag also enables setting the Secure
flag for cookies.
1 |
|
Proxy Server
Set the proxy variables HTTP_PROXY
and HTTPS_PROXY
to allow outbound connections using a proxy server.
Example: | |
---|---|
1 2 |
|
The proxy server must be reachable from container
Make sure that the proxy server is reachable from inside your docker container.
Loopback addresses (e. g. 127.0.0.1
) or localhost
will not work.
Custom CA Certificates
If your SysReptor is behind a proxy with a custom certificate, you can use this setting to specify your custom CA certificates.
1 |
|
WebSockets
Disable WebSockets and always use HTTP fallback for collaborative editing. This is not recommended because some features are only available with WebSockets and HTTP fallback has higher latency. This setting sould only be activated if WebSockets are blocked by a firewall or not supported by a reverse proxy.
Example: | |
---|---|
1 |
|
Plugins
Extend the functionality of SysReptor by enabling plugins. Plugins are disabled by default and need to be explicitly enabled.
ENABLED_PLUGINS
is a comma separated list of plugin names or plugin IDs.
Example: | |
---|---|
1 |
|
Some plugins require additional configuration. These plugin settings are configured as separate entries in app.env
.
Please refer to the plugin documentation for more information on available plugin setting.