Documentation
¶
Overview ¶
Package config loads the websec0 configuration from defaults, an optional YAML file, environment variables prefixed with WEBSEC0_, and CLI flags.
Precedence (lowest to highest): defaults < YAML < env < flags.
Env variables use double underscores to denote key nesting:
WEBSEC0_SERVER__LISTEN=":9090" // → server.listen WEBSEC0_SCANNER__PER_CHECK_TIMEOUT=5s // → scanner.per_check_timeout
Index ¶
Constants ¶
const EnvPrefix = "WEBSEC0_"
EnvPrefix is the env-var prefix used for configuration overrides.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Config ¶
type Config struct {
Server ServerConfig `koanf:"server"`
Scanner ScannerConfig `koanf:"scanner"`
Storage StorageConfig `koanf:"storage"`
RateLimit RateLimitConfig `koanf:"ratelimit"`
Security SecurityConfig `koanf:"security"`
Reports ReportsConfig `koanf:"reports"`
Logging LoggingConfig `koanf:"logging"`
Legal LegalConfig `koanf:"legal"`
}
Config is the typed configuration tree. It mirrors the YAML schema documented in SPECIFICATIONS.md §4.6.
func Load ¶
func Load(opts LoadOptions) (*Config, error)
Load assembles a *Config from defaults, file, env, and flags in order.
type LegalConfig ¶
type LegalConfig struct {
ContactEmail string `koanf:"contact_email"`
}
LegalConfig holds operator-facing contact info surfaced on the /about and /legal/* pages and via GET /api/v1/instance. Self-hosters override ContactEmail to point at their own privacy / abuse / security inbox.
type LoadOptions ¶
type LoadOptions struct {
// ConfigPath, if non-empty, points at a YAML file. A missing file is
// silently ignored so the binary works without config on a fresh install.
ConfigPath string
// Flags is an already-parsed pflag.FlagSet whose long-name keys (using
// dots, e.g. "server.listen") override env and YAML values. May be nil.
Flags *pflag.FlagSet
}
LoadOptions controls Load behaviour.
type LoggingConfig ¶
type PerIPLimit ¶
type PerTargetLimit ¶
type RateLimitConfig ¶
type RateLimitConfig struct {
PerIP PerIPLimit `koanf:"per_ip"`
PerTarget PerTargetLimit `koanf:"per_target"`
}
type RedisConfig ¶
type RedisConfig struct {
URL string `koanf:"url"`
}
type ReportsConfig ¶
type ScannerConfig ¶
type ScannerConfig struct {
MaxConcurrentScans int `koanf:"max_concurrent_scans"`
MaxConcurrentChecksPerScan int `koanf:"max_concurrent_checks_per_scan"`
PerCheckTimeout time.Duration `koanf:"per_check_timeout"`
PerScanTimeout time.Duration `koanf:"per_scan_timeout"`
UserAgent string `koanf:"user_agent"`
}
type SecurityConfig ¶
type SecurityConfig struct {
RefusePrivateRanges bool `koanf:"refuse_private_ranges"`
RefuseLoopback bool `koanf:"refuse_loopback"`
RefuseCGNAT bool `koanf:"refuse_cgnat"`
RefuseLinkLocal bool `koanf:"refuse_link_local"`
// RefuseMetadata is a separate hard-toggle from RefusePrivateRanges:
// disabling metadata blocking on a cloud host is essentially a
// pre-authorised IAM-credential heist, so we keep it default-true
// and log a WARN at startup if it's flipped off.
RefuseMetadata bool `koanf:"refuse_metadata"`
DomainBlocklist []string `koanf:"domain_blocklist"`
AllowedCIDRs []string `koanf:"allowed_cidrs"`
AllowedHosts []string `koanf:"allowed_hosts"`
}
type ServerConfig ¶
type StorageConfig ¶
type StorageConfig struct {
Backend string `koanf:"backend"` // memory | ristretto | redis
TTL time.Duration `koanf:"ttl"`
Redis RedisConfig `koanf:"redis"`
}
Source Files