Server configuration

Connection to data store backend

DB_DSN

Type

string

Default

"sqlite3://file::memory:?cache=shared&mode=memory"

Description

Database connection string.

HTTP Client

HTTP_CLIENT_TLS_INSECURE

Type

bool

Default

false

Description

Allow insecure (invalid, expired TLS/SSL certificates) connections.

We strongly recommend keeping this value set to false except for local development or demos.

HTTP_CLIENT_TIMEOUT

Type

time.Duration

Default

30 * time.Second

Description

Default timeout for clients.

HTTP Server

HTTP_ADDR

Type

string

Default

":80"

Description

IP and port for the HTTP server.

HTTP_LOG_REQUEST

Type

bool

Default

false

Description

Log HTTP requests.

HTTP_LOG_RESPONSE

Type

bool

Default

false

Description

Log HTTP responses.

HTTP_ERROR_TRACING

Type

bool

Default

false

HTTP_ENABLE_HEALTHCHECK_ROUTE

Type

bool

Default

true

HTTP_ENABLE_VERSION_ROUTE

Type

bool

Default

true

Description

Enable /version route.

HTTP_ENABLE_DEBUG_ROUTE

Type

bool

Default

false

Description

Enable /debug route.

HTTP_METRICS

Type

bool

Default

false

Description

Enable (prometheus) metrics.

HTTP_METRICS_NAME

Type

string

Default

"corteza"

Description

Name for metrics endpoint.

HTTP_METRICS_USERNAME

Type

string

Default

"metrics"

Description

Username for the metrics endpoint.

HTTP_METRICS_PASSWORD

Type

string

Default

string(rand.Bytes(5))

Description

Password for the metrics endpoint.

HTTP_REPORT_PANIC

Type

bool

Default

true

Description

Report HTTP panic to Sentry.

HTTP_BASE_URL

Type

string

Default

"/"

Description

Base URL (prefix) for all routes (<baseUrl>/auth, <baseUrl>/api, …​)

HTTP_API_ENABLED

Type

bool

Default

true

HTTP_API_BASE_URL

Type

string

Default

"/"

Description

When webapps are enabled (HTTP_WEBAPP_ENABLED) this is moved to '/api' if not explicitly set otherwise. API base URL is internaly prefixed with baseUrl

HTTP_WEBAPP_ENABLED

Type

bool

Default

false

HTTP_WEBAPP_BASE_URL

Type

string

Default

"/"

Description

Webapp base URL is internaly prefixed with baseUrl

HTTP_WEBAPP_BASE_DIR

Type

string

Default

"./webapp/public"

HTTP_WEBAPP_LIST

Type

string

Default

"admin,compose,workflow,reporter"

HTTP_SSL_TERMINATED

Type

bool

Default

isSecure()

Description

Is SSL termination enabled in ingres, proxy or load balancer that is in front of Corteza? By default, Corteza checks for presence of LETSENCRYPT_HOST environmental variable. This DOES NOT enable SSL termination in Cortreza!

RBAC options

RBAC_LOG

Type

bool

Description

Log RBAC related events and actions

RBAC_SERVICE_USER

Type

string

RBAC_BYPASS_ROLES

Type

string

Default

"super-admin"

Description

Space delimited list of role handles. These roles causes short-circuiting access control check and allowing all operations. System will refuse to start if check-bypassing roles are also listed as authenticated or anonymous auto-assigned roles.

RBAC_AUTHENTICATED_ROLES

Type

string

Default

"authenticated"

Description

Space delimited list of role handles. These roles are automatically assigned to authenticated user. Memberships can not be managed for these roles. System will refuse to start if roles listed here are also listed under anonymous roles

RBAC_ANONYMOUS_ROLES

Type

string

Default

"anonymous"

Description

Space delimited list of role handles. These roles are automatically assigned to anonymous user. Memberships can not be managed for these roles.

SCIM Server

SCIM_ENABLED

Type

bool

Description

Enable SCIM subsystem

SCIM_BASE_URL

Type

string

Default

"/scim"

Description

Prefix for SCIM API endpoints

SCIM_SECRET

Type

string

Description

Secret to use to validate requests on SCIM API endpoints

SCIM_EXTERNAL_ID_AS_PRIMARY

Type

bool

Description

Use external IDs in SCIM API endpoints

SCIM_EXTERNAL_ID_VALIDATION

Type

string

Default

"^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$"

Description

Validates format of external IDs. Defaults to UUID

Email sending

Configure your local SMTP server or use one of the available providers

SMTP_HOST

Type

string

Default

"localhost"

Description

The SMTP server hostname.

SMTP_PORT

Type

int

Default

25

Description

The SMTP post.

SMTP_USER

Type

string

Description

The SMTP username.

SMTP_PASS

Type

string

Description

The SMTP password.

SMTP_FROM

Type

string

Description

The SMTP from email parameter

SMTP_TLS_INSECURE

Type

bool

Default

false

Description

Allow insecure (invalid, expired TLS certificates) connections.

SMTP_TLS_SERVER_NAME

Type

string

Actionlog

ACTIONLOG_ENABLED

Type

bool

Default

true

ACTIONLOG_DEBUG

Type

bool

Default

false

API Gateway

APIGW_ENABLED

Type

bool

Default

true

Description

Enable API Gateway

APIGW_DEBUG

Type

bool

Default

false

Description

Enable API Gateway debugging info

APIGW_LOG_ENABLED

Type

bool

Default

false

Description

Enable extra logging

APIGW_LOG_REQUEST_BODY

Type

bool

Default

false

Description

Enable incoming request body output in logs

APIGW_PROXY_ENABLE_DEBUG_LOG

Type

bool

Default

false

Description

Enable full debug log on requests / responses - warning, includes sensitive data

APIGW_PROXY_FOLLOW_REDIRECTS

Type

bool

Default

true

Description

Follow redirects on proxy requests

APIGW_PROXY_OUTBOUND_TIMEOUT

Type

time.Duration

Default

time.Second * 30

Description

Outbound request timeout

Authentication

AUTH_LOG_ENABLED

Type

bool

Description

Enable extra logging for authentication flows

AUTH_JWT_SECRET

Type

string

Default

getSecretFromEnv("jwt secret")

Description

Secret used for signing JWT tokens.

If secret is not set, system auto-generates one from DB_DSN and HOSTNAME environment variables. Generated secret will change if you change any of these variables.

AUTH_JWT_EXPIRY

Type

time.Duration

Default

time.Hour * 24 * 30

Description

Experation time for the auth JWT tokens.

AUTH_EXTERNAL_REDIRECT_URL

Type

string

Default

fullURL("/auth/external/{provider}/callback")

Description

Redirect URL to be sent with OAuth2 authentication request to provider

provider placeholder is replaced with the actual value when used.

Type

string

Default

getSecretFromEnv("external cookie secret")

Description

Secret used for securing cookies

If secret is not set, system auto-generates one from DB_DSN and HOSTNAME environment variables. Generated secret will change if you change any of these variables.

AUTH_BASE_URL

Type

string

Default

fullURL("/auth")

Description

Frontend base URL. Must be an absolute URL, with the domain. This is used for some redirects and links in auth emails.

Type

string

Default

"session"

Description

Session cookie name

Type

string

Default

pathPrefix("/auth")

Description

Session cookie path

Type

string

Default

guessHostname()

Description

Session cookie domain

Type

bool

Default

isSecure()

Description

Defaults to true when HTTPS is used. Corteza will try to guess the this setting by

AUTH_SESSION_LIFETIME

Type

time.Duration

Default

24 * time.Hour

Description

How long do we keep the temporary session

AUTH_SESSION_PERM_LIFETIME

Type

time.Duration

Default

360 * 24 * time.Hour

Description

How long do we keep the permanent session

AUTH_GARBAGE_COLLECTOR_INTERVAL

Type

time.Duration

Default

15 * time.Minute

Description

How often are expired sessions and tokens purged from the database

AUTH_REQUEST_RATE_LIMIT

Type

int

Default

60

Description

How many requests from a cerain IP address are allowed in a time window. Set to zero to disable

AUTH_REQUEST_RATE_WINDOW_LENGTH

Type

time.Duration

Default

time.Minute

Description

How many requests from a cerain IP address are allowed in a time window

AUTH_CSRF_SECRET

Type

string

Default

getSecretFromEnv("csrf secret")

Description

Secret used for securing CSRF protection

If secret is not set, system auto-generates one from DB_DSN and HOSTNAME environment variables. Generated secret will change if you change any of these variables.

AUTH_CSRF_ENABLED

Type

bool

Default

true

Description

Enable CSRF protection

AUTH_CSRF_FIELD_NAME

Type

string

Default

"same-site-authenticity-token"

Description

Form field name used for CSRF protection

Type

string

Default

"same-site-authenticity-token"

Description

Cookie name used for CSRF protection

AUTH_DEFAULT_CLIENT

Type

string

Default

"corteza-webapp"

Description

Handle for OAuth2 client used for automatic redirect from /auth/oauth2/go endpoint.

This simplifies configuration for OAuth2 flow for Corteza Web applications as it removes the need to suply redirection URL and client ID (oauth2/go endpoint does that internally)

AUTH_ASSETS_PATH

Type

string

Default

""

Description

Path to js, css, images and template source files

When corteza starts, if path exists it tries to load template files from it. If not it uses statically embedded files.

When empty path is set (default value), embedded files are used.

AUTH_DEVELOPMENT_MODE

Type

bool

Description

When enabled, corteza reloads template before every execution. Enable this for debugging or when developing auth templates.

Should be disabled in production where templates do not change between server restarts.

Connection to Corredor

CORREDOR_ENABLED

Type

bool

Default

false

Description

Enable/disable Corredor integration

CORREDOR_ADDR

Type

string

Default

"localhost:50051"

Description

Hostname and port of the Corredor gRPC server.

CORREDOR_MAX_BACKOFF_DELAY

Type

time.Duration

Default

time.Minute

Description

Max delay for backoff on connection.

CORREDOR_MAX_RECEIVE_MESSAGE_SIZE

Type

int

Default

2 << 23

Description

Max message size that can be recived.

CORREDOR_DEFAULT_EXEC_TIMEOUT

Type

time.Duration

Default

time.Minute

CORREDOR_LIST_TIMEOUT

Type

time.Duration

Default

time.Second * 2

CORREDOR_LIST_REFRESH

Type

time.Duration

Default

time.Second * 5

CORREDOR_RUN_AS_ENABLED

Type

bool

Default

true

CORREDOR_CLIENT_CERTIFICATES_ENABLED

Type

bool

Default

false

CORREDOR_CLIENT_CERTIFICATES_PATH

Type

string

Default

"/certs/corredor/client"

CORREDOR_CLIENT_CERTIFICATES_CA

Type

string

Default

"ca.crt"

CORREDOR_CLIENT_CERTIFICATES_PRIVATE

Type

string

Default

"private.key"

CORREDOR_CLIENT_CERTIFICATES_PUBLIC

Type

string

Default

"public.crt"

CORREDOR_CLIENT_CERTIFICATES_SERVER_NAME

Type

string

Environment

ENVIRONMENT

Type

string

Default

"production"

Events and scheduler

EVENTBUS_SCHEDULER_ENABLED

Type

bool

Default

true

Description

Enable eventbus sheduler.

EVENTBUS_SCHEDULER_INTERVAL

Type

time.Duration

Default

time.Minute

Description

Set time interval for eventbus scheduler.

federation

FEDERATION_ENABLED

Type

bool

Default

false

Description

Federation enabled on system, it toggles rest API endpoints, possibility to map modules in Compose and sync itself

FEDERATION_LABEL

Type

string

Default

"Federation label"

Description

Federation label

FEDERATION_HOST

Type

string

Default

"local.cortezaproject.org"

Description

Host that is used during node pairing, also included in invitation

FEDERATION_SYNC_STRUCTURE_MONITOR_INTERVAL

Type

time.Duration

Default

time.Minute * 2

Description

Delay in seconds for structure sync

FEDERATION_SYNC_STRUCTURE_PAGE_SIZE

Type

int

Default

1

Description

Bulk size in fetching for structure sync

FEDERATION_SYNC_DATA_MONITOR_INTERVAL

Type

time.Duration

Default

time.Second * 60

Description

Delay in seconds for data sync

FEDERATION_SYNC_DATA_PAGE_SIZE

Type

int

Default

100

Description

Bulk size in fetching for data sync

Limits

LIMIT_SYSTEM_USERS

Type

int

Description

Maximum number of valid (not deleted, not suspended) users

locale

LOCALE_LANGUAGES

Type

string

Default

"en"

Description

List of compa delimited languages (language tags) to enable. In case when an enabled language can not be loaded, error is logged.

When loading language configurations (config.xml) from the configured path(s).

LOCALE_PATH

Type

string

Description

One or more paths to locale config and translation files, separated by colon

LOCALE_QUERY_STRING_PARAM

Type

string

Default

"lng"

Description

Name of the query string parameter used to pass the language tag (it overrides Accept-Language header). Set it to empty string to disable detection from the query string. This parameter is ignored if only one language is enabled

LOCALE_RESOURCE_TRANSLATIONS_ENABLED

Type

bool

Description

When enabled, Corteza all

LOCALE_LOG

Type

bool

Description

Log locale related events and actions

LOCALE_DEVELOPMENT_MODE

Type

bool

Description

When enabled, Corteza reloads language files on every request Enable this for debugging or developing.

log

LOG_DEBUG

Type

bool

Description

Disables JSON format for logging and enables more human-readable output with colors.

Disable for production.

LOG_LEVEL

Type

string

Default

"warn"

Description

Minimum logging level. If set to "warn", Levels warn, error, dpanic panic and fatal will be logged.

Recommended value for production: warn

Possible values: debug, info, warn, error, dpanic, panic, fatal

LOG_FILTER

Type

string

Description

Log filtering rules by level and name (log-level:log-namespace). Please note that level (LOG_LEVEL) is applied before filter and it affects the final output!

Leave unset for production.

Example: warn+:* :auth,workflow. Log warnings, errors, panic, fatals. Everything from auth and workflow is logged.

See more examples and documentation here: https://github.com/moul/zapfilter

LOG_INCLUDE_CALLER

Type

bool

Default

false

Description

Set to true to see where the logging was called from.

Disable for production.

LOG_STACKTRACE_LEVEL

Type

string

Default

"dpanic"

Description

Include stack-trace when logging at a specified level or below. Disable for production.

Possible values: debug, info, warn, error, dpanic, panic, fatal

Messaging queue

MESSAGEBUS_ENABLED

Type

bool

Default

true

Description

Enable messagebus

MESSAGEBUS_LOG_ENABLED

Type

bool

Default

false

Description

Enable extra logging for messagebus watchers

Monitoring

MONITOR_INTERVAL

Type

time.Duration

Default

300 * time.Second

Description

Output (log) interval for monitoring.

Object (file) storage

The MinIO integration allows you to replace local storage with cloud storage. When configured, STORAGE_PATH is not needed.

STORAGE_PATH

Type

string

Default

"var/store"

Description

Location where uploaded files are stored.

MINIO_ENDPOINT

Type

string

MINIO_SECURE

Type

bool

Default

true

MINIO_ACCESS_KEY

Type

string

MINIO_SECRET_KEY

Type

string

MINIO_SSEC_KEY

Type

string

MINIO_BUCKET

Type

string

MINIO_BUCKET_SEP

Type

string

Default

"/"

Description

Used between MINIO_BUCKET and the service name (e.g system). Ignored if MINIO_BUCKET is not set. Required in latest versions of min.io since "/" is not accepted anymore in bucket names.

MINIO_STRICT

Type

bool

Default

false

Provisioning

Provisioning allows you to configure a Corteza instance when deployed. It occurs automatically after the Corteza server starts.

We recommend you to keep provisioning enabled as it simplifies version updates by updating the database and updating settings.

If you’re doing local development or some debugging, you can disable this.

PROVISION_ALWAYS

Type

bool

Default

true

Description

Controls if provision should run when the server starts.

PROVISION_PATH

Type

string

Default

"provision/*"

Description

Colon seperated paths to config files for provisioning.

Seeder

SEEDER_LOG_ENABLED

Type

bool

Description

Enable extra logging // fixme add some more description

Sentry monitoring

These parameters help in the development and testing process. When you are deploying to production, these should be disabled to improve performance and reduce storage usage.

You should configure external services such as Sentry or ELK to keep track of logs and error reports.

SENTRY_DSN

Type

string

Description

Set to enable Sentry client.

SENTRY_DEBUG

Type

bool

Description

Print out debugging information.

SENTRY_ATTACH_STACKTRACE

Type

bool

Default

true

Description

Attach stacktraces

SENTRY_SAMPLE_RATE

Type

float32

Description

Sample rate for event submission (0.0 - 1.0. defaults to 1.0)

SENTRY_MAX_BREADCRUMBS

Type

int

Default

0

Description

Maximum number of bredcrumbs.

SENTRY_SERVERNAME

Type

string

Description

Set reported Server name.

SENTRY_RELEASE

Type

string

Default

version.Version

Description

Set reported Release.

SENTRY_DIST

Type

string

Description

Set reported distribution.

SENTRY_ENVIRONMENT

Type

string

Description

Set reported environment.

Rendering engine

TEMPLATE_RENDERER_GOTENBERG_ADDRESS

Type

string

Default

""

Description

Gotenberg rendering container address.

TEMPLATE_RENDERER_GOTENBERG_ENABLED

Type

bool

Default

false

Description

Is Gotenberg rendering container enabled.

Data store (database) upgrade

UPGRADE_DEBUG

Type

bool

Default

false

Description

Enable/disable debug logging. To enable debug logging set UPGRADE_DEBUG=true.

UPGRADE_ALWAYS

Type

bool

Default

true

Description

Controls if the upgradable systems should be upgraded when the server starts.

Delay system startup

You can configure these options to defer API execution until another external (HTTP) service is up and running.

[ TIP ]

Delaying API execution can come in handy in complex setups where execution order is important.

WAIT_FOR

Type

time.Duration

Default

0

Description

Delays API startup for the amount of time specified (10s, 2m…​). This delay happens before service (WAIT_FOR_SERVICES) probing.

WAIT_FOR_STATUS_PAGE

Type

bool

Default

true

Description

Show temporary status web page.

WAIT_FOR_SERVICES

Type

string

Description

Space delimited list of hosts and/or URLs to probe. Host format: host or host:443 (port will default to 80).

Services are probed in parallel.

WAIT_FOR_SERVICES_TIMEOUT

Type

time.Duration

Default

time.Minute

Description

Max time for each service probe.

WAIT_FOR_SERVICES_PROBE_TIMEOUT

Type

time.Duration

Default

time.Second * 30

Description

Timeout for each service probe.

WAIT_FOR_SERVICES_PROBE_INTERVAL

Type

time.Duration

Default

time.Second * 5

Description

Interval between service probes.

Websocket server

WEBSOCKET_LOG_ENABLED

Type

bool

Description

Enable extra logging for authentication flows

WEBSOCKET_TIMEOUT

Type

time.Duration

Default

15 * time.Second

Description

Time before WsServer gets timed out.

WEBSOCKET_PING_TIMEOUT

Type

time.Duration

Default

120 * time.Second

WEBSOCKET_PING_PERIOD

Type

time.Duration

Default

((120 * time.Second) * 9) / 10

Workflow

WORKFLOW_REGISTER

Type

bool

Default

true

Description

Registers enabled and valid workflows and executes them when triggered

WORKFLOW_EXEC_DEBUG

Type

bool

Default

false

Description

Enables verbose logging for workflow execution

WORKFLOW_CALL_STACK_SIZE

Type

int

Default

16

Description

Defines the maximum call stack size between workflows