##
# Build-time variables
##
CORE_TAG=v2.5.21
# CORE_FLAVOR=full
MODULES_TAG=v3.0.2
# MODULES_FLAVOR=full
GUARD_TAG=v1.2
PHP_VER=20220829
# PYPI_* vars take precedence over MISP's defaults
# PYPI_REDIS_VERSION="==5.0.*"
# PYPI_LIEF_VERSION=">=0.13.1"
# PYPI_PYDEEP2_VERSION="==0.5.*"
# PYPI_PYTHON_MAGIC_VERSION="==0.4.*"
# PYPI_MISP_LIB_STIX2_VERSION="==3.0.*"
# PYPI_MAEC_VERSION="==4.1.*"
# PYPI_MIXBOX_VERSION="==1.0.*"
# PYPI_CYBOX_VERSION="==2.1.*"
# PYPI_PYMISP_VERSION="==2.5.9"
# PYPI_MISP_STIX_VERSION="==2.4.194"
PYPI_SETUPTOOLS_VERSION="==80.3.1"
PYPI_SUPERVISOR_VERSION="==4.2.5"
# CORE_COMMIT takes precedence over CORE_TAG
# CORE_COMMIT=0bba3f5
# MODULES_COMMIT takes precedence over MODULES_TAG
# MODULES_COMMIT=de69ae3
# GUARD_COMMIT takes precedence over GUARD_TAG
# GUARD_COMMIT=370b043
##
# Run-time variables
##
# CORE_RUNNING_TAG=latest
# MODULES_RUNNING_TAG=latest
# GUARD_RUNNING_TAG=latest
# Email/username for user #1, defaults to MISP's default (admin@admin.test)
ADMIN_EMAIL=admin@admin.test
# Name of org #1, defaults to MISP's default (ORGNAME)
ADMIN_ORG=admin.test
# uuid of org #1, defaults to an automatically generated one
ADMIN_ORG_UUID=123e4567-e89b-12d3-a456-426614174000
# ⚠️ SECURITY: Generate your own secure admin key - DO NOT use this example
ADMIN_KEY=REPLACE_WITH_YOUR_SECURE_ADMIN_KEY_GENERATE_NEW_ONE
# ⚠️ SECURITY: Set a strong admin password - DO NOT use this example
ADMIN_PASSWORD=REPLACE_WITH_YOUR_SECURE_PASSWORD
# Prevent MISP initialization from printing ADMIN_KEY and ADMIN_PASSWORD in plaintext.
# Recommended: set to true in production or Kubernetes environments where container output is logged.
DISABLE_PRINTING_PLAINTEXT_CREDENTIALS=true
# ⚠️ SECURITY: Set a strong GPG passphrase - DO NOT use this example
GPG_PASSPHRASE=REPLACE_WITH_YOUR_SECURE_GPG_PASSPHRASE
# defaults to 1 (the admin user)
CRON_USER_ID=1
# defaults to 'https://localhost'
# note: if you expose MISP on a non-standard port (i.e. the port is part of the URL you use to reach it, e.g. https://192.168.0.1:4433), you must include the port in BASE_URL
BASE_URL=https://your-misp-instance.local
# defaults to 80 and 443; if you change them, update BASE_URL to match
# CORE_HTTP_PORT=
# CORE_HTTPS_PORT=
# Store settings in the DB, except those that must stay in config.php. true/false, defaults to false
ENABLE_DB_SETTINGS=true
# ⚠️ SECURITY: Generate your own 64-character encryption key - DO NOT use this example
ENCRYPTION_KEY=REPLACE_WITH_YOUR_64_CHARACTER_BASE64_ENCRYPTION_KEY_GENERATE_NEW
# enable background updates. defaults to false
ENABLE_BACKGROUND_UPDATES=true
# use a different attachments_dir. defaults to /var/www/MISP/app/files
ATTACHMENTS_DIR=/var/www/MISP/app/files
# By default, a daily synchronization is performed, but you can modify this by changing the push and pull frequency (in seconds).
# CRON_PULLALL="86400"
# CRON_PUSHALL="86400"
# defines the FQDN of the mail sub-system (defaults to 'mail')
# SMTP_FQDN=
# optional and used by the mail sub-system
SMARTHOST_ADDRESS=
SMARTHOST_PORT=
SMARTHOST_USER=
SMARTHOST_PASSWORD=
SMARTHOST_ALIASES=
# optional comma separated list of IDs of syncservers (e.g. SYNCSERVERS=1)
# For this to work ADMIN_KEY must be set, or AUTOGEN_ADMIN_KEY must be true (default)
SYNCSERVERS=
# note: if you have more than one syncserver, you need to update docker-compose.yml
SYNCSERVERS_1_URL=
SYNCSERVERS_1_NAME=
SYNCSERVERS_1_UUID=
SYNCSERVERS_1_KEY=
# pull rules are JSON encoded (and escaped) dictionaries
# Example: only pull events where the analysis is complete
# SYNCSERVERS_1_PULL_RULES='{\"tags\":{\"OR\":[],\"NOT\":[]},\"orgs\":{\"OR\":[],\"NOT\":[]},\"url_params\":\"{\\\"searchanalysis\\\": \\\"2\\\"}\"}'
SYNCSERVERS_1_PULL_RULES=
# optional and used to set mysql db and credentials
# MYSQL_HOST=
# MYSQL_PORT=
# MYSQL_USER=
# MYSQL_PASSWORD=
# MYSQL_ROOT_PASSWORD=
# MYSQL_DATABASE=
# optional and used to set redis
# REDIS_HOST=
# REDIS_PORT=
# remember to escape the special character '$', e.g., 'test1%<$1323>' becomes 'test1%<$$1323>'
# REDIS_PASSWORD=
# Enable passwordless Redis connection (defaults to false for security)
# ENABLE_REDIS_EMPTY_PASSWORD=false
# These variables allow overriding some MISP email values.
# They all default to ADMIN_EMAIL.
# MISP.email, used for notifications. Also used
# for GnuPG.email and GPG autogeneration.
# MISP_EMAIL=
# MISP.contact, the e-mail address that
# MISP should include as a contact address
# for the instance's support team.
# MISP_CONTACT=
# Enable GPG autogeneration (default true)
# AUTOCONF_GPG=true
# Enable admin (user #1) API key autogeneration
# if ADMIN_KEY is not set above (default true)
# AUTOGEN_ADMIN_KEY=true
# Disable IPv6 completely
# DISABLE_IPV6=true
# Disable SSL redirect
# DISABLE_SSL_REDIRECT=true
# Disable CA refresh
# DISABLE_CA_REFRESH=true
# Enable OIDC authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/OidcAuth/README.md
# OIDC_ENABLE=true
# OIDC_PROVIDER_URL=
# OIDC_CLIENT_ID=
# OIDC_CLIENT_SECRET=
# OIDC_ROLES_PROPERTY="roles"
# OIDC_ROLES_MAPPING="{\"admin\": 1}"
# OIDC_DEFAULT_ORG=
# OIDC_LOGOUT_URL=
# OIDC_SCOPES="[\"profile\", \"email\"]"
# OIDC_MIXEDAUTH=true
# OIDC_CODE_CHALLENGE_METHOD=S256
# Enable LDAP (using the ApacheSecureAuth component) authentication, according to https://github.com/MISP/MISP/issues/6189
# NOTE: once LDAP authentication with the ApacheSecureAuth component is enabled, MISP trusts the
# HTTP header configured in APACHESECUREAUTH_LDAP_APACHE_ENV (e.g. REMOTE_USER) as the authenticated
# identity, so users must not be able to set it: do not allow direct access to MISP, only access
# through the authenticating proxy.
# NOTE 2: You need to escape special characters twice, e.g., "pass\word" becomes "pass\\\\word".
# APACHESECUREAUTH_LDAP_ENABLE=true
# APACHESECUREAUTH_LDAP_APACHE_ENV="REMOTE_USER"
# APACHESECUREAUTH_LDAP_SERVER="ldap://your_domain_controller"
# APACHESECUREAUTH_LDAP_STARTTLS=true
# APACHESECUREAUTH_LDAP_READER_USER="CN=service_account_name,OU=Users,DC=domain,DC=net"
# APACHESECUREAUTH_LDAP_READER_PASSWORD="password"
# APACHESECUREAUTH_LDAP_DN="OU=Users,DC=domain,DC=net"
# APACHESECUREAUTH_LDAP_SEARCH_FILTER=""
# APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE="uid"
# APACHESECUREAUTH_LDAP_FILTER="[\"mail\", \"uid\", \"cn\" ]"
# APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID="3"
# APACHESECUREAUTH_LDAP_DEFAULT_ORG="1"
# APACHESECUREAUTH_LDAP_EMAIL_FIELD="[\"mail\"]"
# APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION="3"
# APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT="-1"
# APACHESECUREAUTH_LDAP_OPT_REFERRALS=false
# Enable LDAP authentication using MISP's native LdapAuth plugin, according to https://github.com/MISP/MISP/tree/2.5/app/Plugin/LdapAuth
# NOTE: you need to escape special characters twice, e.g., "pass\word" becomes "pass\\\\word".
# LDAPAUTH_ENABLE=true
# LDAPAUTH_LDAPSERVER="ldap://your_domain_controller"
# LDAPAUTH_LDAPDN="OU=Users,DC=domain,DC=net"
# LDAPAUTH_LDAPREADERUSER="CN=service_account_name,OU=Users,DC=domain,DC=net"
# LDAPAUTH_LDAPREADERPASSWORD="password"
# LDAPAUTH_LDAPSEARCHFILTER=""
# LDAPAUTH_LDAPSEARCHATTRIBUTE="mail"
# LDAPAUTH_LDAPEMAILFIELD="[\"mail\"]"
# LDAPAUTH_LDAPNETWORKTIMEOUT="-1"
# LDAPAUTH_LDAPPROTOCOL="3"
# LDAPAUTH_LDAPALLOWREFERRALS=true
# LDAPAUTH_STARTTLS=false
# LDAPAUTH_MIXEDAUTH=true
# LDAPAUTH_LDAPDEFAULTORGID="1"
# LDAPAUTH_LDAPDEFAULTROLEID="3"
# LDAPAUTH_UPDATEUSER=true
# LDAPAUTH_DEBUG=false
# LDAPAUTH_LDAPTLSREQUIRECERT="LDAP_OPT_X_TLS_ALLOW"
# LDAPAUTH_LDAPTLSCUSTOMCACERT=false
# LDAPAUTH_LDAPTLSCRLCHECK="LDAP_OPT_X_TLS_CRL_PEER"
# LDAPAUTH_LDAPTLSPROTOCOLMIN="LDAP_OPT_X_TLS_PROTOCOL_TLS1_2"
# Enable Azure AD (Entra) authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
# AAD_ENABLE=true
# AAD_CLIENT_ID=
# AAD_TENANT_ID=
# AAD_CLIENT_SECRET=
# AAD_REDIRECT_URI="https://misp.mydomain.com/users/login"
# AAD_PROVIDER="https://login.microsoftonline.com/"
# AAD_PROVIDER_USER="https://graph.microsoft.com/"
# AAD_MISP_USER="Misp Users"
# AAD_MISP_ORGADMIN="Misp Org Admins"
# AAD_MISP_SITEADMIN="Misp Site Admins"
# AAD_CHECK_GROUPS=false
# Enable the use of a Proxy server (MISP-Guard or external)
# PROXY_ENABLE=true
# PROXY_HOST=
# PROXY_PORT=
# PROXY_METHOD=
# PROXY_USER=
# PROXY_PASSWORD=
## MISP-Guard
# Configure rules in ./guard/config.json.
# Requires restart of misp-guard container after changes.
# Toggle to enable MISP-Guard container (optional)
# COMPOSE_PROFILES=misp-guard
# If you enable MISP-Guard, you must also configure MISP to use it as a proxy
# (PROXY_ENABLE / PROXY_HOST / PROXY_PORT above); PROXY_PORT must match GUARD_PORT
# MISP-Guard runtime flags (optional)
# GUARD_PORT=8888
# mitmdump misp-guard runtime arguments (space separated, no quotes).
# Note: --ssl-insecure disables verification of upstream TLS certificates; remove it once the upstream certificates are trusted.
# GUARD_ARGS=--ssl-insecure -v
# Enable debugging
# ALWAYS SET THIS TO 0 IN PRODUCTION
# 0 - Debug off (default)
# 1 - Debug on
# 2 - Debug on + SQL dump
# DEBUG=
# FastCGI configuration on nginx
# FASTCGI_READ_TIMEOUT=300s
# FASTCGI_SEND_TIMEOUT=300s
# FASTCGI_CONNECT_TIMEOUT=300s
# Where to listen for PHP-FPM status. Can be a port or an ip:port. If not set, the status page is not shown.
# Do not expose this page in public networks.
# FASTCGI_STATUS_LISTEN=""
# PHP FPM configuration
## Basic PHP settings
# Maximum memory a PHP script can use.
# PHP_MEMORY_LIMIT=2048M
# Maximum execution time for a PHP script in seconds.
# PHP_MAX_EXECUTION_TIME=300
# Maximum file upload size for PHP scripts.
# PHP_UPLOAD_MAX_FILESIZE=50M
# Maximum size for POST data sent to PHP.
# PHP_POST_MAX_SIZE=50M
# Maximum time PHP spends parsing input data in seconds.
# PHP_MAX_INPUT_TIME=300
# Maximum number of files to upload per request.
# PHP_MAX_FILE_UPLOADS=50
## PHP FPM pool setup
# Maximum number of php-fpm processes, limits the number of simultaneous requests.
# PHP_FCGI_CHILDREN=5
# Number of processes created on startup.
# PHP_FCGI_START_SERVERS=2
# The desired number of idle server processes.
# PHP_FCGI_SPARE_SERVERS=1
# The number of requests each process should execute before respawning. "0" means endless request processing.
# PHP_FCGI_MAX_REQUESTS=0
## Additional PHP settings
# Timeout (in minutes) for user session inactivity before it expires.
# PHP_SESSION_TIMEOUT=60
# Session cookie validity period in minutes.
# PHP_SESSION_COOKIE_TIMEOUT=10080
# Default PHP configurations.
# PHP_SESSION_DEFAULTS=php
# Automatically regenerate session ID on each request.
# PHP_SESSION_AUTO_REGENERATE=false
# Check user agent on each request for security.
# PHP_SESSION_CHECK_AGENT=false
# Only send session cookies over HTTPS.
# PHP_SESSION_COOKIE_SECURE=true
# Domain for session cookie validity (leave empty for current domain).
# PHP_SESSION_COOKIE_DOMAIN=
# SameSite policy for cookies ("Lax" allows top-level navigation).
# PHP_SESSION_COOKIE_SAMESITE=Lax
# MariaDB/MySQL (InnoDB) configuration
# INNODB_BUFFER_POOL_SIZE=2048M
# INNODB_CHANGE_BUFFERING=none
# INNODB_IO_CAPACITY=1000
# INNODB_IO_CAPACITY_MAX=2000
# INNODB_LOG_FILE_SIZE=600M
# INNODB_READ_IO_THREADS=16
# INNODB_STATS_PERSISTENT=ON
# INNODB_WRITE_IO_THREADS=4
# Whether to enable processing of the X-Forwarded-For header (defaults to false)
# NGINX_X_FORWARDED_FOR=true
# Comma separated list of trusted proxy IP addresses whose X-Forwarded-For header is honoured.
# List only your own reverse proxies: any address listed here can set the client IP that MISP sees.
# NGINX_SET_REAL_IP_FROM=127.0.0.1
# Security Settings
# max-age (in seconds) for HSTS (HTTP Strict Transport Security); tells browsers to use HTTPS only for that period.
# HSTS_MAX_AGE=
# X-Frame-Options policy: controls whether the site can be embedded in frames or iframes.
# Options: DENY, SAMEORIGIN, ALLOW-FROM <URL> (ALLOW-FROM is obsolete in current browsers; prefer the CSP frame-ancestors directive below). Default: SAMEORIGIN
# X_FRAME_OPTIONS=
# NGINX maximum allowed size of the client request body.
# NGINX_CLIENT_MAX_BODY_SIZE=50M
# Content-Security-Policy (CSP) configuration: restricts where the browser may load resources from, mitigating attacks such as XSS and clickjacking.
# Example: "frame-src 'self' https://*.example.com; frame-ancestors 'self' https://*.example.com; object-src 'none'; report-uri https://example.com/cspReport"
# CONTENT_SECURITY_POLICY=