.env.example
158 lines (132 loc) · 8.68 KB
# InfraGuard Environment Variables
# Copy this file to .env and fill in your values.
# The .env file is loaded automatically when InfraGuard reads its config.
# ── Domain ────────────────────────────────────────────────────────────
# Primary domain(s) for the redirector. Used for TLS cert generation
# and config.yaml references.
INFRAGUARD_DOMAIN=cdn.example.com
INFRAGUARD_DOMAIN_EMAIL=operator@example.com
# ── TLS Certificates ─────────────────────────────────────────────────
# Option 1: Let's Encrypt (set INFRAGUARD_LETSENCRYPT=true)
# Certbot runs automatically and places certs at the paths below.
# Requires port 80 open and INFRAGUARD_DOMAIN resolving to this host.
INFRAGUARD_LETSENCRYPT=false
# Option 2: Bring your own certs (set paths manually)
# If INFRAGUARD_LETSENCRYPT=false, InfraGuard uses these paths.
# If neither the cert nor the key file exists, a self-signed cert is generated automatically.
INFRAGUARD_TLS_CERT=/app/certs/live/${INFRAGUARD_DOMAIN}/fullchain.pem
INFRAGUARD_TLS_KEY=/app/certs/live/${INFRAGUARD_DOMAIN}/privkey.pem
# ── Dashboard API ─────────────────────────────────────────────────────
# Bearer token required for all /api/* endpoints.
# Generate one with: python3 -c "import secrets; print(secrets.token_urlsafe(32))"
INFRAGUARD_API_TOKEN=
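# The following is an added illustration, not InfraGuard's own loader: it shows how a
# .env file of this shape is parsed (including the ${INFRAGUARD_DOMAIN} references
# used by the TLS paths), and how the documented precedence and requirements are
# checked: Let's Encrypt, then bring-your-own cert/key, then self-signed; a non-empty
# INFRAGUARD_API_TOKEN; and, in Docker, a database path under /app/data/. The parser,
# the function names and the sample .env text are assumptions made for this example.

```python
"""Added example: parse a .env file and validate it against the rules that
.env.example documents. Not InfraGuard's own code; names are hypothetical."""
import os
import re
from typing import Callable, Dict, List, Tuple

_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample input mirroring the layout above (not a real deployment).
SAMPLE_ENV = """
# comment lines and blanks are ignored
INFRAGUARD_DOMAIN=cdn.example.com
INFRAGUARD_LETSENCRYPT=false
INFRAGUARD_TLS_CERT=/app/certs/live/${INFRAGUARD_DOMAIN}/fullchain.pem
INFRAGUARD_TLS_KEY=/app/certs/live/${INFRAGUARD_DOMAIN}/privkey.pem
INFRAGUARD_API_TOKEN=
INFRAGUARD_DB_PATH=/app/data/infraguard.db
INFRAGUARD_FILTER_MODE=scoring
"""


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines. ${VAR} references are expanded from keys defined
    earlier in the same file, then from the process environment, else ''."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not an assignment, skip
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip matching quotes
        value = _REF.sub(
            lambda m: env.get(m.group(1), os.environ.get(m.group(1), "")), value
        )
        env[key.strip()] = value
    return env


def tls_mode(env: Dict[str, str], file_exists: Callable[[str], bool] = os.path.isfile) -> str:
    """Documented precedence: Let's Encrypt, then bring-your-own files, then self-signed."""
    if env.get("INFRAGUARD_LETSENCRYPT", "").lower() == "true":
        return "letsencrypt"
    cert, key = env.get("INFRAGUARD_TLS_CERT", ""), env.get("INFRAGUARD_TLS_KEY", "")
    if cert and key and file_exists(cert) and file_exists(key):
        return "byo"
    return "self-signed"


def validate(env: Dict[str, str], in_docker: bool = True,
             file_exists: Callable[[str], bool] = os.path.isfile) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors are settings the comments mark as required."""
    errors: List[str] = []
    warnings: List[str] = []
    if not env.get("INFRAGUARD_API_TOKEN"):
        errors.append("INFRAGUARD_API_TOKEN is empty; /api/* requires a bearer token")
    if not env.get("INFRAGUARD_DOMAIN"):
        errors.append("INFRAGUARD_DOMAIN is required for TLS and config.yaml references")
    if in_docker and not env.get("INFRAGUARD_DB_PATH", "").startswith("/app/data/"):
        errors.append("INFRAGUARD_DB_PATH must be under /app/data/ so proxy and dashboard share it")
    if env.get("INFRAGUARD_FILTER_MODE", "scoring") not in ("scoring", "hard"):
        errors.append("INFRAGUARD_FILTER_MODE must be 'scoring' or 'hard'")
    if tls_mode(env, file_exists) == "self-signed":
        warnings.append("no usable cert/key found; a self-signed certificate will be generated")
    return errors, warnings


if __name__ == "__main__":
    cfg = parse_dotenv(SAMPLE_ENV)
    # file_exists stub so the example runs without real certificate files
    errs, warns = validate(cfg, in_docker=True, file_exists=lambda p: False)
    print("TLS cert path:", cfg["INFRAGUARD_TLS_CERT"])
    print("errors:", errs)
    print("warnings:", warns)
```

Passing `file_exists` as a parameter keeps the precedence logic testable without touching the filesystem; a real loader would use `os.path.isfile` directly.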
# ── Command Post (multi-instance aggregator) ─────────────────────────
# Tokens for each InfraGuard instance the command post connects to.
# These are referenced in config/command-post.yaml.
# IG_PROD_MYTHIC_TOKEN=
# IG_STAGING_TOKEN=
COMMAND_POST_TOKEN=
# ── Upstream Teamservers ──────────────────────────────────────────────
# Address of your C2 teamserver(s). Referenced in config.yaml via
# ${INFRAGUARD_CS_UPSTREAM} etc. Add only the ones you use.
INFRAGUARD_CS_UPSTREAM=https://10.0.0.5:8443
INFRAGUARD_MYTHIC_UPSTREAM=https://10.0.0.6:443
INFRAGUARD_BRC4_UPSTREAM=https://10.0.0.7:8443
INFRAGUARD_SLIVER_UPSTREAM=https://10.0.0.8:31337
INFRAGUARD_HAVOC_UPSTREAM=https://10.0.0.9:40056
INFRAGUARD_NIGHTHAWK_UPSTREAM=https://10.0.0.10:443
INFRAGUARD_POSHC2_UPSTREAM=https://10.0.0.11:4443
# ── GeoIP ─────────────────────────────────────────────────────────────
# Paths to MaxMind GeoLite2 databases (all optional).
# Download from: https://github.com/P3TERX/GeoLite.mmdb
# Docker auto-download: docker compose --profile geoip up geoip-update
# - GeoLite2-City.mmdb -- country, city, continent (most detailed)
# - GeoLite2-ASN.mmdb -- autonomous system number + organization
# - GeoLite2-Country.mmdb -- country only (lighter alternative to City)
# If City is provided, Country is not needed. ASN is always separate.
# Whitelisted CIDRs are auto-enriched with ASN/geo data on startup.
INFRAGUARD_GEOIP_DB=/app/geoip/GeoLite2-City.mmdb
INFRAGUARD_GEOIP_ASN_DB=/app/geoip/GeoLite2-ASN.mmdb
INFRAGUARD_GEOIP_COUNTRY_DB=/app/geoip/GeoLite2-Country.mmdb
# ── Filter Mode ───────────────────────────────────────────────────────
# "scoring" = filters accumulate scores, block when threshold exceeded (default)
# "hard" = any single filter returning BLOCK immediately rejects the request
INFRAGUARD_FILTER_MODE=scoring
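# Added example of the two filter modes described above; it is not InfraGuard's own
# filter code. The three filters, their scores, the threshold of 60 and the sample
# requests are assumptions chosen to show the difference: in "scoring" mode several
# SUSPECT results can add up to a block, while in "hard" mode only a filter that
# returns BLOCK outright rejects the request.

```python
"""Added example: request filter chain in "scoring" vs "hard" mode.
Hypothetical filters and scores; not the project's own implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

ALLOW, SUSPECT, BLOCK = "ALLOW", "SUSPECT", "BLOCK"


@dataclass
class Request:
    src_ip: str
    path: str
    user_agent: str


# A filter returns (verdict, score). The verdict drives "hard" mode,
# the score drives "scoring" mode.
Filter = Callable[[Request], Tuple[str, int]]

# Constructed blocklist (TEST-NET-3), standing in for rules/banned_ips.txt.
BANNED = [ip_network(c) for c in ("203.0.113.0/24",)]


def blocklist_filter(req: Request) -> Tuple[str, int]:
    """Listed source address: definitive BLOCK with a score that alone exceeds the threshold."""
    ip = ip_address(req.src_ip)
    return (BLOCK, 100) if any(ip in net for net in BANNED) else (ALLOW, 0)


def user_agent_filter(req: Request) -> Tuple[str, int]:
    """A missing User-Agent is only mildly suspicious on its own."""
    return (SUSPECT, 30) if not req.user_agent else (ALLOW, 0)


def path_filter(req: Request) -> Tuple[str, int]:
    """Probing for repository metadata is suspicious but not conclusive by itself."""
    return (SUSPECT, 40) if req.path.startswith("/.git") else (ALLOW, 0)


FILTERS: List[Filter] = [blocklist_filter, user_agent_filter, path_filter]


def evaluate(req: Request, filters: List[Filter], mode: str = "scoring",
             threshold: int = 60) -> Tuple[str, int]:
    """Return (decision, total_score).

    hard:    the first filter returning BLOCK rejects immediately; SUSPECT never blocks.
    scoring: every filter runs, scores accumulate, block only when total > threshold.
    """
    if mode not in ("scoring", "hard"):
        raise ValueError("INFRAGUARD_FILTER_MODE must be 'scoring' or 'hard'")
    total = 0
    for flt in filters:
        verdict, score = flt(req)
        total += score
        if mode == "hard" and verdict == BLOCK:
            return BLOCK, total
    if mode == "scoring" and total > threshold:
        return BLOCK, total
    return ALLOW, total


if __name__ == "__main__":
    # Two weak signals: blocked in scoring mode (30 + 40 > 60), allowed in hard mode.
    probe = Request("198.51.100.7", "/.git/config", "")
    print("scoring:", evaluate(probe, FILTERS, "scoring"))
    print("hard:   ", evaluate(probe, FILTERS, "hard"))
    # Listed address: blocked in both modes.
    print("banned: ", evaluate(Request("203.0.113.9", "/", "Mozilla/5.0"), FILTERS, "hard"))
```

In scoring mode the order of filters does not matter because all of them run; in hard mode it does, since the first BLOCK short-circuits, so cheap definitive checks (such as the blocklist) are best placed first.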
# ── Database ──────────────────────────────────────────────────────────
# Path to the SQLite tracking database.
# IMPORTANT: In Docker, this MUST be under /app/data/ so the proxy and
# dashboard containers share the same database via the mounted volume.
# Docker: /app/data/infraguard.db | Local: infraguard.db
INFRAGUARD_DB_PATH=/app/data/infraguard.db
# ── OPSEC ─────────────────────────────────────────────────────────────
# Custom health check endpoint path. Change this to avoid fingerprinting.
# Referenced in config.yaml via ${INFRAGUARD_HEALTH_PATH}.
# Examples: "status", "api/ping", ".well-known/health", "favicon.ico"
INFRAGUARD_HEALTH_PATH=health
# ── Decoy Pages ───────────────────────────────────────────────────────
# Directory containing SPA folders for the "decoy" drop action.
# Each subfolder is a complete site (index.html + assets).
# Docker: /app/pages | Local: pages
IG_DECOY_PAGES_DIR=/app/pages
# Which site folder to serve (e.g., "InfraGuardBlog", "TestBlog")
IG_DECOY_SITE=
# ── Rules / Blocklists ────────────────────────────────────────────────
# Directory containing .htaccess and robots.txt rule files.
# Any files found here are automatically ingested on proxy startup.
# Docker: /app/rules | Local: rules
INFRAGUARD_RULES_DIR=/app/rules
# Path to ingested IP blocklist file (legacy - rules_dir is preferred).
# Generate manually with: infraguard ingest rules/.htaccess --format blocklist -o rules/banned_ips.txt
# Docker: /app/rules/banned_ips.txt | Local: rules/banned_ips.txt
INFRAGUARD_BANNED_IP_FILE=/app/rules/banned_ips.txt
# ── Content Delivery (PwnDrop) ────────────────────────────────────────
# PwnDrop API token for authenticated payload delivery.
# Get this from PwnDrop's admin UI after setup.
# Docker internal URL: http://pwndrop:80
PWNDROP_TOKEN=
# ── Content Delivery (Mythic file staging) ────────────────────────────
# Used with backend type: mythic_file in content_routes.
# MYTHIC_URL: base URL of the Mythic teamserver (default port 7443).
# MYTHIC_STAGE2_FILE_ID: UUID of the file in Mythic's file store.
# Find it in Mythic UI → Payload Management → File Browser, or via:
# mythic-cli shell -> psql -> SELECT agent_file_id FROM filemeta;
# Multiple stages: add one var per payload (MYTHIC_STAGE3_FILE_ID, etc.)
MYTHIC_URL=https://10.0.0.6:7443
MYTHIC_STAGE2_FILE_ID=
# ── Phishing Campaign Tokens ──────────────────────────────────────────
# Static tokens embedded in phishing email links (?t=<value>).
# Analysts who find the URL via CT logs / threat feeds cannot load the
# page without the campaign token from the actual email.
# Generate: python3 -c "import secrets; print(secrets.token_urlsafe(32))"
CAMPAIGN_TOKEN_Q1=
CAMPAIGN_TOKEN_Q2=
# HMAC-signed token alternative (mutually exclusive with static tokens).
# Tokens are self-validating: payload:timestamp:hmac_hex (7-day TTL).
# Generate secret: python3 -c "import secrets; print(secrets.token_hex(32))"
CAMPAIGN_HMAC_SECRET=
# ── Burn Detection / Reputation Monitor ───────────────────────────────
# Google Safe Browsing API key (optional - free tier, 10k queries/day).
# Required only if check_google_safebrowsing: true in config.yaml.
# Get key: https://console.cloud.google.com → Safe Browsing API
GOOGLE_SAFEBROWSING_API_KEY=
# ── SIEM Plugins ──────────────────────────────────────────────────────
# Set these if you enable the corresponding plugin in config.yaml.
# Elasticsearch
ELASTICSEARCH_URL=
ELASTICSEARCH_API_KEY=
# ELASTICSEARCH_PASSWORD=
# Wazuh
WAZUH_API_URL=
WAZUH_INDEXER_URL=
WAZUH_PASSWORD=
# ── Webhook Plugins ───────────────────────────────────────────────────
# Set these if you enable the corresponding plugin in config.yaml.
# Discord
DISCORD_WEBHOOK_URL=
# Slack
SLACK_WEBHOOK_URL=
# Generic Webhook (Rocket.Chat, Mattermost, Teams, custom)
WEBHOOK_URL=
WEBHOOK_TOKEN=
# ── Logging ───────────────────────────────────────────────────────────
INFRAGUARD_LOG_LEVEL=INFO