Signatures are per-URL, so the whitelist should only support exact host matches. Remove the suffix/wildcard matching that allowed patterns like '.example.com' to bypass signature requirements for entire domain trees. Leading dots in existing config entries are now stripped, so '.example.com' becomes 'example.com' as an exact match (backwards-compatible normalisation).
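---
# Pixa Example Configuration

# Server settings
port: 8080
debug: false
maintenance_mode: false

# Data directory for SQLite database and cache files
state_dir: ./data

# Image proxy settings
# HMAC signing key for URL signatures (leave empty to require whitelist for all requests)
# Generate with: openssl rand -base64 32
# The value below is a public placeholder: anyone who knows the key can produce
# valid signatures, so replace it before deploying and keep the real key out of
# version control.
signing_key: "CHANGE_ME_generate_with_openssl_rand_base64_32"

# Hosts that don't require signatures (exact match only)
# No suffix or wildcard matching: each subdomain must be listed on its own.
# A leading dot is stripped, so '.example.com' is read as 'example.com'.
# Any URL on a listed host is fetched without a signature, so list only hosts
# whose content you trust; hosts that serve user-uploaded content deserve
# extra thought before they are added.
whitelist_hosts:
  - s3.sneak.cloud
  - static.sneak.cloud
  - sneak.berlin
  - github.com
  - user-images.githubusercontent.com

# Allow HTTP upstream (only for testing, always use HTTPS in production)
allow_http: false

# Maximum concurrent connections per upstream host (default: 20)
upstream_connections_per_host: 20

# Sentry error reporting (optional)
sentry_dsn: ""

# Metrics endpoint authentication (optional)
# The credentials shown are examples only; set a strong, unique password when
# enabling this block.
# metrics:
#   username: "admin"
#   password: "secret"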