mirror of
https://codeberg.org/yeentown/barkey.git
synced 2025-10-23 09:44:51 +00:00
25052164c0
* fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly. [GHSA-6w2c-vf6f-xf26](https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26) Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * Enhance: Add configuration option to disable all external redirects when responding to an ActivityPub lookup (config.disallowExternalApRedirect) Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * fixup! fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly. * docs & one edge case Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * apply suggestions Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * remove stale frontend reference to _responseInvalidIdHostNotMatch Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * apply suggestions Signed-off-by: eternal-flame-AD <yume@yumechi.jp> --------- Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
229 lines
7 KiB
YAML
229 lines
7 KiB
YAML
#━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
# Misskey configuration
|
|
#━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
|
|
# ┌────────────────────────┐
|
|
#───┘ Initial Setup Password └─────────────────────────────────────────────────────
|
|
|
|
# Password to initiate setting up admin account.
|
|
# It will not be used after the initial setup is complete.
|
|
#
|
|
# Be sure to change this when you set up Misskey via the Internet.
|
|
#
|
|
# The provider of the service who sets up Misskey on behalf of the customer should
|
|
# set this value to something unique when generating the Misskey config file,
|
|
# and provide it to the customer.
|
|
setupPassword: example_password_please_change_this_or_you_will_get_hacked
|
|
|
|
# ┌─────┐
|
|
#───┘ URL └─────────────────────────────────────────────────────
|
|
|
|
# Final accessible URL seen by a user.
|
|
url: 'http://misskey.local'
|
|
|
|
# ONCE YOU HAVE STARTED THE INSTANCE, DO NOT CHANGE THE
|
|
# URL SETTINGS AFTER THAT!
|
|
|
|
# ┌───────────────────────┐
|
|
#───┘ Port and TLS settings └───────────────────────────────────
|
|
|
|
#
|
|
# Misskey requires a reverse proxy to support HTTPS connections.
|
|
#
|
|
# +----- https://example.tld/ ------------+
|
|
# +------+ |+-------------+ +----------------+|
|
|
# | User | ---> || Proxy (443) | ---> | Misskey (3000) ||
|
|
# +------+ |+-------------+ +----------------+|
|
|
# +---------------------------------------+
|
|
#
|
|
# You need to set up a reverse proxy. (e.g. nginx)
|
|
# An encrypted connection with HTTPS is highly recommended
|
|
# because tokens may be transferred in GET requests.
|
|
|
|
# The port that your Misskey server should listen on.
|
|
port: 61812
|
|
|
|
# ┌──────────────────────────┐
|
|
#───┘ PostgreSQL configuration └────────────────────────────────
|
|
|
|
db:
|
|
host: db
|
|
port: 5432
|
|
|
|
# Database name
|
|
db: misskey
|
|
|
|
# Auth
|
|
user: postgres
|
|
pass: postgres
|
|
|
|
# Whether disable Caching queries
|
|
#disableCache: true
|
|
|
|
# Extra Connection options
|
|
#extra:
|
|
# ssl: true
|
|
|
|
dbReplications: false
|
|
|
|
# You can configure any number of replicas here
|
|
#dbSlaves:
|
|
# -
|
|
# host:
|
|
# port:
|
|
# db:
|
|
# user:
|
|
# pass:
|
|
# -
|
|
# host:
|
|
# port:
|
|
# db:
|
|
# user:
|
|
# pass:
|
|
|
|
# ┌─────────────────────┐
|
|
#───┘ Redis configuration └─────────────────────────────────────
|
|
|
|
redis:
|
|
host: redis
|
|
port: 6379
|
|
#family: 0 # 0=Both, 4=IPv4, 6=IPv6
|
|
#pass: example-pass
|
|
#prefix: example-prefix
|
|
#db: 1
|
|
|
|
#redisForPubsub:
|
|
# host: redis
|
|
# port: 6379
|
|
# #family: 0 # 0=Both, 4=IPv4, 6=IPv6
|
|
# #pass: example-pass
|
|
# #prefix: example-prefix
|
|
# #db: 1
|
|
|
|
#redisForJobQueue:
|
|
# host: redis
|
|
# port: 6379
|
|
# #family: 0 # 0=Both, 4=IPv4, 6=IPv6
|
|
# #pass: example-pass
|
|
# #prefix: example-prefix
|
|
# #db: 1
|
|
|
|
#redisForTimelines:
|
|
# host: redis
|
|
# port: 6379
|
|
# #family: 0 # 0=Both, 4=IPv4, 6=IPv6
|
|
# #pass: example-pass
|
|
# #prefix: example-prefix
|
|
# #db: 1
|
|
|
|
#redisForReactions:
|
|
# host: redis
|
|
# port: 6379
|
|
# #family: 0 # 0=Both, 4=IPv4, 6=IPv6
|
|
# #pass: example-pass
|
|
# #prefix: example-prefix
|
|
# #db: 1
|
|
|
|
# ┌───────────────────────────┐
|
|
#───┘ MeiliSearch configuration └─────────────────────────────
|
|
|
|
#meilisearch:
|
|
# host: meilisearch
|
|
# port: 7700
|
|
# apiKey: ''
|
|
# ssl: true
|
|
# index: ''
|
|
|
|
# ┌───────────────┐
|
|
#───┘ ID generation └───────────────────────────────────────────
|
|
|
|
# You can select the ID generation method.
|
|
# You don't usually need to change this setting, but you can
|
|
# change it according to your preferences.
|
|
|
|
# Available methods:
|
|
# aid ... Short, Millisecond accuracy
|
|
# aidx ... Millisecond accuracy
|
|
# meid ... Similar to ObjectID, Millisecond accuracy
|
|
# ulid ... Millisecond accuracy
|
|
# objectid ... This is left for backward compatibility
|
|
|
|
# ONCE YOU HAVE STARTED THE INSTANCE, DO NOT CHANGE THE
|
|
# ID SETTINGS AFTER THAT!
|
|
|
|
id: 'aidx'
|
|
|
|
# ┌────────────────┐
|
|
#───┘ Error tracking └──────────────────────────────────────────
|
|
|
|
# Sentry is available for error tracking.
|
|
# See the Sentry documentation for more details on options.
|
|
|
|
#sentryForBackend:
|
|
# enableNodeProfiling: true
|
|
# options:
|
|
# dsn: 'https://examplePublicKey@o0.ingest.sentry.io/0'
|
|
|
|
#sentryForFrontend:
|
|
# options:
|
|
# dsn: 'https://examplePublicKey@o0.ingest.sentry.io/0'
|
|
|
|
# ┌─────────────────────┐
|
|
#───┘ Other configuration └─────────────────────────────────────
|
|
|
|
# Whether disable HSTS
|
|
#disableHsts: true
|
|
|
|
# Number of worker processes
|
|
#clusterLimit: 1
|
|
|
|
# Job concurrency per worker
|
|
# deliverJobConcurrency: 128
|
|
# inboxJobConcurrency: 16
|
|
|
|
# Job rate limiter
|
|
# deliverJobPerSec: 128
|
|
# inboxJobPerSec: 32
|
|
|
|
# Job attempts
|
|
# deliverJobMaxAttempts: 12
|
|
# inboxJobMaxAttempts: 8
|
|
|
|
# IP address family used for outgoing request (ipv4, ipv6 or dual)
|
|
#outgoingAddressFamily: ipv4
|
|
|
|
# Proxy for HTTP/HTTPS
|
|
#proxy: http://127.0.0.1:3128
|
|
|
|
proxyBypassHosts:
|
|
- api.deepl.com
|
|
- api-free.deepl.com
|
|
- www.recaptcha.net
|
|
- hcaptcha.com
|
|
- challenges.cloudflare.com
|
|
|
|
# Proxy for SMTP/SMTPS
|
|
#proxySmtp: http://127.0.0.1:3128 # use HTTP/1.1 CONNECT
|
|
#proxySmtp: socks4://127.0.0.1:1080 # use SOCKS4
|
|
#proxySmtp: socks5://127.0.0.1:1080 # use SOCKS5
|
|
|
|
# Media Proxy
|
|
#mediaProxy: https://example.com/proxy
|
|
|
|
# Proxy remote files (default: true)
|
|
proxyRemoteFiles: true
|
|
|
|
# Sign to ActivityPub GET request (default: true)
|
|
signToActivityPubGet: true
|
|
|
|
allowedPrivateNetworks: [
|
|
'127.0.0.1/32'
|
|
]
|
|
|
|
# Disable automatic redirect for ActivityPub object lookup. (default: false)
|
|
# This is a strong defense against potential impersonation attacks if the viewer instance has inadequate validation.
|
|
# However it will make it impossible for other instances to lookup third-party user and notes through your URL.
|
|
#disallowExternalApRedirect: true
|
|
|
|
# Upload or download file size limits (bytes)
|
|
#maxFileSize: 262144000
|