forked from ntv-one/rport
-
Notifications
You must be signed in to change notification settings - Fork 0
/
rport.example.conf
280 lines (241 loc) · 12.5 KB
/
rport.example.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
#======================================================================================================================
# vim: softtabstop=2 shiftwidth=2 expandtab fenc=utf-8 spell spelllang=en cc=120
#======================================================================================================================
#
# FILE: rport.example.config
#
# DESCRIPTION: Configuration file for the rport client
#
# BUGS: https://github.com/cloudradar-monitoring/rport/issues
#
# HELP: https://github.com/cloudradar-monitoring/rport/blob/master/README.md
#
# COPYRIGHT: (c) 2020 by the CloudRadar Team,
#
# LICENSE: MIT
# ORGANIZATION: cloudradar GmbH, Potsdam, Germany (cloudradar.io)
# CREATED: 10/10/2020
#======================================================================================================================
[client]
## rportd server address.
## Mandatory IP address and port divided by a colon.
server = "0.0.0.0:8080"
## list of fallback rportd servers to which the clients tries to connect
## if the above "main" server is not reachable.
#fallback_servers = ["fallback-a.example.com:9090","fallback-b.example.com:80"]
## if connected to a fallback server, try every interval to switch back to the main server.
#server_switchback_interval = '2m'
## fingerprint string to perform host-key validation against the server's public key.
## Highly recommended. Not using it is a big security risk.
## Alternatively, can also be specified via the environment variable RPORT_FINGERPRINT.
#fingerprint = "36:98:56:12:f3:dc:e5:8d:ac:96:48:23:b6:f0:42:15"
## Required client authentication credentials in the form: "<client-auth-id>:<password>".
## Alternatively, can also be specified via the environment variable RPORT_AUTH.
auth = "clientAuth1:1234"
## An optional HTTP CONNECT or SOCKS5 proxy which will be used to reach the rport server.
## Authentication can be specified inside the URL.
#proxy = "http://admin:password@my-server.com:8081"
## By default rport reads /etc/machine-id (Linux) or the ComputerSystemProduct UUID (Windows)
## to get a unique id for the client identification.
## NOTE: all history for a client is stored based on this id.
use_system_id = true
## An optional hard-coded client ID to better identify the client.
## If not set, a random id will be created that changes on every client start.
## That's why it's highly recommended to set it with a value that was generated on the first
## start or just set it on the very beginning. So on client restart all his history will be preserved.
## The server rejects connections on duplicated ids.
#id = "5616a70e-81a0-4eec-bab3-0861e3c88334"
## By default rport reads the local hostname to identify the system in a human-readable way.
use_hostname = true
## Optionally you can set a hard-coded name for the client.
## Useful if you use numeric ids to make client identification easier.
#name = "my_win_vm_1"
## An optional list of tags to give your clients attributes.
## Used for filtering clients on the server.
#tags = ['win', 'server', 'vm']
## Optional remote connections tunneled through the server, each of which come in the form:
## <local-port>
## or
## <remote-port>:<local-port>
## or
## <remote-port>:<local-interface>:<local-port>
## Examples:
## 1) remotes = ['22']
## Makes the local port 22 available on a random port of the rport server.
## 2) remotes = ['2222:127.0.0.1:22'] or shorthand
## remotes = ['2222:22']
## Makes the local SSH port 22 available on port 2222 of the rport server.
## 3) remotes = ['9999:192.168.1.1:80']
## Makes the Port 80 of 192.168.1.1 available on port 9999 of the rport server.
## sharing <remote-host>:<remote-port> from the client to the server's <local-interface>:<local-port>.
## If not set, client connects without active tunnel(s) waiting for tunnels to be initialized by the server.
## Multiple remotes must be comma separated. Using linebreaks after the comma is possible.
#remotes = [
# '3389:3389',
# '5050'
#]
## By default the rport client can create tunnels to any network address.
## This way the so-called "service forwarding" can give access to entire networks.
## You can turn service forwarding off so tunnels must end on the local machine.
#tunnel_allowed = ['127.0.0.0/8']
## Alternatively to the above, you can explicitly allow which targets a tunnel is allowed to reach.
## By default, no limits are applied
## List items can be a single IP or CIDR specification allowing to reach all ports on the target
## or an IP address or a CIDR specification and a port separated by a colon.
## Using ':<PORT>' without IP address or CIDR is a shorthand for '127.0.0.0/8:<PORT>'
## Examples:
## Only RDP on localhost can be accessed
#tunnel_allowed = ['127.0.0.0/8:3389']
## Only SSH on localhost and SSH on 192.168.1.1 can be accessed.
#tunnel_allowed = [':22','192.168.1.1:22']
## Only HTTP on localhost, and RDP to any host on the 192.168.1.0/24 network, and all ports on 192.168.1.100 can be accessed.
#tunnel_allowed = [':80','192.168.1.0/24:3389','192.168.1.100']
## There is no technical requirement to run the rport client under the root user.
## Running it as root is an unnecessary security risk.
## Rport exits with an error if started as root unless you explicitly allow it.
## Defaults to false, ignored on Windows.
#allow_root = false
## Supervision and reporting of the pending updates (patch level)
## Rport can constantly summarize pending updates and
## make that summary available on the rport server.
## On Debian/Ubuntu and SuSE Linux sudo rules are needed.
## https://oss.rport.io/docs/no16-update-status.html
## How often after the rport client has started pending updates are summarized
## Set 0 to disable.
## Supported time units: h (hours), m (minutes)
## Default: updates_interval = '4h'
#updates_interval = '4h'
## An optional param to define a local directory path to store internal data.
## By default, "/var/lib/rport" is used on Linux or 'C:\Program Files\rport' on Windows.
## On Linux you must create this directory because an unprivileged user
## don't have the right to create a directory in /var/lib.
## Ideally this directory is the homedir of the rport user and has been created along with the user.
## Example: useradd -r -d /var/lib/rport -m -s /bin/false -U -c "System user for rport client and server" rport
#data_dir = "/var/lib/rport"
## An optional param specifying the local interface to be used for connecting to the server.
#bind_interface = "eth0"
[connection]
## An optional keepalive interval. You must specify a time with a unit, for example '30s' or '2m'.
## Defaults to '0s' (disabled)
keep_alive = '30s'
## Maximum number of times to retry before exiting. Defaults to unlimited (-1)
#max_retry_count = 10
## Maximum wait time before retrying after a disconnection. Defaults to 5 minutes
max_retry_interval = '5m'
## Optionally set the 'Host' header. Defaults to the host found in the server url
#hostname = "myvm1.lan"
## Other custom headers in the form "HeaderName: HeaderContent"
#headers = ['User-Agent: test1', 'Authorization: Basic XXXXXX']
[logging]
## Specifies log file path for global logging.
## Not setting "log_file" turns logging off.
#log_file = 'C:\Program Files\rport\rport.log'
log_file = "/var/log/rport/rport.log"
## Specify log level. Values: 'error', 'info', 'debug'.
## Defaults to 'error'
log_level = "error"
[remote-commands]
## Enable or disable execution of remote commands sent by server.
## Defaults: true
#enabled = true
## Limit the maximum length of the command or script output that is sent back to server.
## Applies to the stdout and stderr separately.
## If exceeded {send_back_limit} bytes are sent.
## Defaults: 4M
#send_back_limit = 4194304
## Allow commands matching the following regular expressions.
## The filter is applied to the command sent. Full path must be used.
## See {order} parameter for more details how it's applied together with {deny}.
## Defaults: ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
#allow = ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
## Deny commands matching one of the following regular expressions.
## The filter is applied to the command sent. Full path must be used.
## See {order} parameter for more details how it's applied together with {allow}.
## With the below default filter only single commands are allowed.
## Defaults: ['(\||<|>|;|,|\n|&)']
#deny = ['(\||<|>|;|,|\n|&)']
## Order: ['allow','deny'] or ['deny','allow']. Order of which filter is applied first.
## Defaults: ['allow','deny']
##
## order: ['allow','deny']
## First, all allow directives are evaluated; at least one must match, or the command is rejected.
## Next, all deny directives are evaluated. If any matches, the command is rejected.
## Last, any commands which do not match an allow or a deny directive are denied by default.
## Example:
## allow: ['^/usr/bin/.*']
## deny: ['^/usr/bin/zip']
## All commands in /usr/bin except '/usr/bin/zip' can be executed. Full path must be used.
##
## order: ['deny','allow']
## First, all deny directives are evaluated; if any match,
## the command is denied UNLESS it also matches an allow directive.
## Any command which do not match any allow or deny directives are permitted.
## Example:
## deny: ['.*']
## allow: ['zip$']
## All commands are denied except those ending in zip.
##
#order = ['allow','deny']
[remote-scripts]
## Enable or disable execution of remote scripts sent by server.
## Defaults: false
#enabled = false
[monitoring]
## The rport client can collect and report performance data of the operating system.
## https://oss.rport.io/docs/no17-monitoring.html
## Monitoring is enabled by default
enabled = true
## How often (seconds) monitoring data should be collected.
## A value below 60 seconds will be overwritten by the hard-coded default of 60 seconds.
#interval = 60
## RPort monitors the fill level of almost all volumes or mount points.
## Change the below defaults to include or exclude volumes or mount points from the monitoring.
#fs_type_include = ['ext3','ext4','xfs','jfs','ntfs','btrfs','hfs','apfs','exfat','smbfs','nfs']
## List of excluded mount points or device letters
## Example:
# fs_path_exclude = ['/mnt/*','h:']
#fs_path_exclude = []
## Having fs_path_exclude_recurse = false the specified path
## must match a mountpoint or it will be ignored
## Having fs_path_exclude_recurse = true the specified path
## can be any folder and all mountpoints underneath will be excluded
#fs_path_exclude_recurse = false
## To avoid monitoring of so-called mount binds,
## mount points are identified by the path and device name.
## Mountpoints pointing to the same device are ignored.
## What appears first in /proc/self/mountinfo is considered as the original.
## Applies only to Linux
#fs_identify_mountpoints_by_device = true
## RPort monitors all running processes
## Process monitoring is enabled by default
pm_enabled = true
## Monitor kernel tasks identified by process group 0
#pm_enable_kerneltask_monitoring = true
## The process list is sorted by PID descending. Only the top N processes are monitored.
#pm_max_number_monitored_processes = 500
## Monitor the bandwidth usage of the following maximum two network cards:
## 'net_lan' and 'net_wan'.
## You must specify the device name and the maximum speed in Megabits.
## On Windows use 'Get-Netadapter' to discover adapter names.
## Examples:
## net_lan = [ 'eth0' , '1000' ]
## net_wan = ['Ethernet0', '1000']
#net_lan = ['', '1000']
#net_wan = ['', '1000']
[interpreter-aliases]
## For fast and unified script execution with different interpreters and shells,
## you can specify aliases. Instead of providing the full path to the shell,
## sending the alias is sufficient.
## Examples:
# pwsh7 = 'C:\Program Files\PowerShell\7\pwsh.exe'
# bash = 'C:\Program Files\Git\bin\bash.exe'
[file-reception]
## Receive files pushed by the server, enabled by default
# enabled = true
## The rport client will reject writing files to any of the following folders and its subfolders.
## https://oss.rport.io/docs/no18-file-upload.html
## Wildcards (glob) are supported.
## Linux defaults
# protected = ['/bin', '/sbin', '/boot', '/usr/bin', '/usr/sbin', '/dev', '/lib*', '/run']
## Windows defaults
# protected = ['C:\Windows\', 'C:\ProgramData']