.\" Hey, EMACS: -*- nroff -*- .\" (C) Copyright 2014-2017 WPIA Software Team , .\" .TH GIGI.PROPERTIES 5 "March 21, 2017" WPIA .\" Please adjust this date whenever revising the manpage. .SH NAME gigi.properties \- Gigi configuration file .SH SYNOPSIS .I /etc/gigi.properties .SH DESCRIPTION The file .I gigi.properties contains the configuration for the WPIA .BR gigi (1) system. It is a Java properties file with \fIname=value\fR assignments and \fI# comment lines\fR. The following options can be set: .TP .B appName The name of the main application, for example \fISomeCA\fR. .TP .B appIdentifier The .B \%appName in a format suitable for inclusion in Internet domain names and HTTP URLs, used in challenges to verify Internet domain name ownership via DNS or HTTP. This identifier should be limited to lowercase ASCII letters, numbers and perhaps hyphens. .TP .B name.suffix The main Internet domain name suffix of the application. Used for administrative email addresses (e.g., \fIsupport@\fBname.suffix\fR) and for all other domain names that are not explicitly specified (see \fBname.*\fR below). Defaults to \fIwpia.local\fR. .TP .B host The IP address that Gigi listens on, for example 127.0.0.1. .TP .B http.port The port on which Gigi is reachable from outside via HTTP (that is, the port it uses to refer to itself in hyperlinks), and also the port on which Gigi listens unless .B \%http.bindPort is specified. Usually 80. .TP .B https.port The port on which Gigi is reachable from outside via HTTPS (that is, the port it uses to refer to itself in hyperlinks), and also the port on which Gigi listens unless .B \%https.bindPort is specified. Usually 443. .TP .B http.bindPort The port on which Gigi listens for HTTP requests, or .IR stdin to specify that Gigi has received a socket on file descriptor 0 (standard input) which it should use for HTTP (for example, via .BR \%systemd.socket (5) or .BR inetd (1)). .TP .B https.bindPort The port on which Gigi listens for HTTPS requests, or .IR stdin to specify that Gigi has received a socket on file descriptor 0 (standard input) which it should use for HTTPS (for example, via .BR \%systemd.socket (5) or .BR inetd (1)). Not used if .B \%proxy is .IR true . .TP .B proxy If .IR true , Gigi expects to sit behind a proxy server that handles HTTPS, for example .BR \%apache2 (8) or .BR \%nginx (1). The real client IP, real protocol and (if present) real client certificate are expected to be transferred in the \fI\%X-Real-IP\fR, \fI\%X-Real-Proto\fR and \fI\%X-Client-Cert\fR HTTP headers. .B \%https.bindPort is not used. .TP .B sql.driver The JDBC driver used for connecting to the database. As PostgreSQL is currently the only supported database, the only value that really makes sense is \fI\%org.postgresql.Driver\fR. .TP .B sql.url The database URL that Gigi connects to, for example \fI\%jdbc:postgresql://localhost/gigi\fR. .TP .B sql.user The user name that Gigi uses to connect to the database. .TP .B sql.password The password that Gigi uses to connect to the database. .TP .B emailProvider The fully-qualified name of a Java class that Gigi uses to send emails. The only value available in production is \fIclub.wpia.gigi.email.Sendmail\fR. .TP .B emailProvider.smtpHost The host to which the .B \%emailProvider should try to connect. Defaults to \fI\%localhost\fR. .TP .B emailProvider.smtpPort The port to which the .B \%emailProvider should try to connect. Defaults to \fI25\fR. .TP .B highFinancialValue A path to a plain text file of Internet domain names, one per line, which Gigi should refuse to issue certificates to. .TP .B knownPasswordHashes A path to a file of SHA-1 hashes of known passwords. The file should contain the hashes in binary format, without any separators, and should be sorted. Gigi will refuse user passwords with hashes that are found in this file. If this option is specified, Gigi will refuse startup if the file cannot be opened, otherwise it will attempt to use the file .I /usr/share/pwned-passwords/pwned-passwords.bin (provided by the \fBpwned-passwords-bin\fR package) but continue startup if the file cannot be opened. .TP .B time.testValidMonths The maximum time, in months, for which a passed agent quiz is considered recent. Defaults to \fI12\fR. .TP .B time.reverificationDays The minimum time, in days, that needs to pass before a name can be verified by the same agent again. Defaults to \fI90\fR. .TP .B time.verificationMaxAgeMonths The maximum time, in months, for which a verification is considered recent. Defaults to \fI24\fR. .TP .B time.verificationFreshMonths The maximum time period, in months, in which a verification can be entered into the system after it took place. Defaults to \fI39\fR. .TP .B time.emailPingMonths The maximum time period, in months, in which an email address can be used to create client certificates before it must be verified again. Defaults to \fI6\fR. .TP .B gigi.uid Gigi will try to change to this user ID (see .BR \%setuid (2)) after opening its communication sockets. This allows Gigi to bind to privileged ports as the superuser and then drop privileges and run as a normal user. This should rarely be necessary: it is much safer to not start Gigi as superuser in the first place and instead only run it with the \fBCAP_NET_BIND_SERVICE\fR capability (see .BR \%capabilities (7)), or to have a privileged parent process (for example .BR \%systemd (1)) create the socket and pass it to Gigi (see .BR \%http.bindPort ). If .B \%gigi.uid and .B \%gigi.gid are both \fI-1\fR, this mechanism is disabled. Defaults to \fI65534\fR, the user ID of the \fInobody\fR user on Debian GNU/Linux systems. .TP .B gigi.gid Analogous to .BR \%gigi.uid : Gigi will try to change to this group ID (see .BR \%setgid (2)) after opening its communication sockets. Defaults to \fI65534\fR. .TP .B scrypt.params The parameters to the scrypt password hashing function. Defaults to \fI14;8;1\fR. .TP .B name.www The Internet domain name for the main application, served both via HTTP and HTTPS. Defaults to \fI\%www.\fBname.suffix\fR. .TP .B name.secure The Internet domain name for the forced-secure version of the application. Gigi only serves this domain via HTTPS, and requires authentication via a client certificate. Defaults to \fI\%secure.\fBname.suffix\fR. .TP .B name.static The Internet domain name for static resources, like CSS style sheets and JS resources. Defaults to \fI\%static.\fBname.suffix\fR. .TP .B name.api The Internet domain name for the Gigi API, which is used to issue certificates and receive quiz results. Defaults to \fI\%api.\fBname.suffix\fR. .TP .B name.link The Internet domain name of a link redirector service. Gigi does not provide this service itself, but links to it as a place for external documentation. Defaults to \fI\%link.\fBname.suffix\fR. .TP .B name.g2.crt The Internet domain name of a server that hosts a certificate repository containing the certificates generated during the NRE procedure. This service is also not provided by Gigi. Defaults to \fI\%g2.crt.\fBname.suffix\fR. .SH SEE ALSO .BR gigi (1)