# User serviceable configuration of luci
#
# This configuration file uses a rather uncommon structure because it is
# intended to be parseable by both the shell and Python's ConfigParser.  If you
# want to change any configuration item listed (i.e. to explicitly redefine
# luci's default for this item), uncomment the particular line and set your
# value.  Each configurable item is preceded by a descriptive comment.
#
# Please be aware that changing anything else may render this file defective,
# as unexpected content found here will confuse either of the two parsers!
#
# Remember to restart the luci service for the changes to take effect.


# ===========================================================================
# INITSCRIPT CONFIGURATION
# Shell syntax (i.e. FOO=bar, BAZ="white-spaced string")
# ===========================================================================
[ INITSCRIPT ]

# Change this to set the log file; this file either must not exist (so it is
# initially created under the ownership of the user running the initscript,
# presumably root, and then luci becomes its owner) or must be writable for
# luci directly; note that some setup tasks may still log to /var/log/luci/luci.log
#LOG_FILE="path_to/log_file"

# Uncomment this to override the default behaviour of removing run-time data
# (files maintained by the middleware handling cache and sessions) every time
# the luci service is stopped (and also on service start)
#KEEP_RUNTIME_DATA=1

# Change this to a positive integer specifying a period that serves both as
# how long the initscript waits before checking that the PID file has been
# created (assuming the process lasts that long) and as how long it waits
# before declaring the start unsuccessful, even though luci may still be
# initializing (due to the arrangement of the startup sequence, including the
# possibility of a configuration error being discovered only after both the
# initial fork and the PID file creation have occurred in the deployed server).
# You are strongly advised to change this value if you observe the
# "Start not finished yet" message upon starting luci with the initscript;
# it arises from a self-check tied to the former period (which then serves
# as a good heuristic also for the latter, more subtle one).
#PID_FILE_WAIT=2


INIT_CONFIG=`cat -E <<"#END#"

#
# From this point, everything is in Python's ConfigParser syntax
# (i.e. no quoted strings and the syntax is generally more relaxed)
#

# ===========================================================================
# GLOBAL SSL/TLS CONFIGURATION
# These options are, by default, propagated to both server (HTTPS
# connections initiated by the web browsers) and application (SSL/TLS
# connections against ricci instances) sections below if the contained
# items are uncommented and configured per the user's requirements.
# Note that the propagation to a particular section is suppressed if either:
# - the option in that section which, per its comment, originally refers to
#   "%(ssl.*)s" (the mechanism allowing for this sort of propagation) is set
#   to an explicit value, in which case this new value is effectively used in
#   that context instead, or
# - such an option is commented out, in which case the respective default
#   as intended by luci's authors is used
# ===========================================================================
[DEFAULT]

# Change this to force luci to use a custom SSL certificate (given as the path
# of a PEM file containing both the certificate itself and the respective
# private key; because it holds the private key, keep that file readable only
# by the user luci runs as), otherwise the self-signed certificate managed
# automatically by the luci service is used instead.
#ssl.pem = path_to/ssl_cert_pem_file

# Change this to pass a custom cipher list to the underlying OpenSSL library
# for the SSL/TLS context.  The RC4 cipher is implicitly filtered out from the
# OpenSSL defaults, but can be, with caution, re-enabled with "" or DEFAULT.
#ssl.cipher_list = ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4

# The SSLv2 and SSLv3 versions of the protocol are disabled by default (both
# are considered insecure, hence the option's name), but can be, with caution,
# re-enabled with the option below.
#ssl.allow_insecure = true

# ===========================================================================
# SERVER CONFIGURATION
# ===========================================================================
[server:main]

# Change this to set the IPv4 address (and, in turn, the respective network
# interface) a running luci binds to; this is particularly useful when it
# should be bound only to a specific interface according to its IP address
# (0.0.0.0 => any interface)
#host = 127.0.0.1

# Change this to set the port a running luci binds to; please note that you
# cannot use privileged ports (i.e. <1024) because luci runs as a non-root user
#port = 4443

# Web browser/HTTPS specific equivalent of ssl.pem option above.
# Keep uncommented and set to "%(ssl.pem)s" to prefer that one.
# Note: If this configuration item is active and no such file can be read,
#       starting luci service will fail
ssl_pem = %(ssl.pem)s

# Web browser/HTTPS specific equivalent of ssl.cipher_list option above.
# Keep uncommented and set to "%(ssl.cipher_list)s" to prefer that one.
ssl_cipher_list = %(ssl.cipher_list)s

# Web browser/HTTPS specific equivalent of ssl.allow_insecure option above.
# Keep uncommented and set to "%(ssl.allow_insecure)s" to prefer that one.
ssl_allow_insecure = %(ssl.allow_insecure)s

use=config:%(base_config)s

# ===========================================================================
# APPLICATION CONFIGURATION
# ===========================================================================
[app:main]

# Change this to override the default number of seconds of inactivity after
# which an authenticated luci session times out
# (requires repoze.who >= 1.0.14)
#who.auth_tkt_timeout = 600

# ricci daemon/SSL specific equivalent of ssl.pem option above.
# Keep uncommented and set to "%(ssl.pem)s" to prefer that one.
# Note: If this configuration item is active and no such file can be read,
#       connecting to ricci daemons will fail
ricci.cert_pem = %(ssl.pem)s

# ricci daemon/SSL specific equivalent of ssl.cipher_list option above.
# Keep uncommented and set to "%(ssl.cipher_list)s" to prefer that one.
ricci.cipher_list = %(ssl.cipher_list)s

# ricci daemon/SSL specific equivalent of ssl.allow_insecure option above.
# Keep uncommented and set to "%(ssl.allow_insecure)s" to prefer that one.
ricci.allow_insecure = %(ssl.allow_insecure)s

# Specify custom static HTTP headers (if not colliding with the system ones)
# or suppress the implicit ones preconfigured for higher security
# (X-Frame-Options, Content-Security-Policy, Strict-Transport-Security)
# by setting them to the empty value "".
#
# The following demonstrates that a single ';' preceded by whitespace starts a comment:
#header.Foo-Header = UnlikeHeaderNameThisIsCaseSensitive  ; this is comment
#
# The following header option may need to be used if a properly anchored
# certificate is NOT specified via 'ssl_pem' and one wants to suppress
# noisy complaints about STS in the debugging console of some web browsers...
#header.Strict-Transport-Security = ""
#
# ... while the following value may need to be used temporarily when downgrading
# from a properly anchored certificate to a self-signed one, so as to prevent
# locking out browser(s) that have already observed/noted that the associated
# host requires Strict Transport Security (the default when a properly anchored
# certificate is used and STS is not overridden in this user configuration)
# -- as an intermediate step, while this option is on, visit luci with the
# affected browsers, then downgrade to the self-signed cert without worries.
#header.Strict-Transport-Security = max-age=0
#
# The following header can also provide an additional level of security when
# a static, custom, properly rooted certificate is used; RFC 7469 Appendix A
# (https://tools.ietf.org/html/rfc7469#appendix-A) details how to generate the
# FP and FP-BACKUP values below: just substitute the 'ssl_pem' value above and
# a (required) backup certificate path for 'certificate.pem' respectively.
# The backup pin is required because a browser that has cached the pins refuses
# the host for the whole max-age if the presented certificate matches neither
# pin, so changing the certificate without a valid backup pin locks it out.
# Note that major browsers have since dropped support for this header.
#header.Public-Key-Pins = max-age=604800; pin-sha256="FP"; pin-sha256="FP-BACKUP"

use=config:%(base_config)s

#END#`
