-
Notifications
You must be signed in to change notification settings - Fork 11
/
config.cfg
133 lines (124 loc) · 4.22 KB
/
config.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
[general]
# DNS interface. Note that systemd-resolved may reserve port 53 on 127.0.0.53
# In this case certainly will error out and you will need to define the listening interface
# for example: ip = "127.0.0.1", instead of "0.0.0.0"
ip = "203.0.113.5"
debug = false
# Directory to store the certificate data
cert_dir = "certs"
# TLS Filters and upstream checks
# Checks upstream domain for existence of a subdomain before acquiring a certificate for it.
# Disabled by default to make sure we catch any flipped subdomains, set this to true for stealth.
tls_upstream_check = false
# Filtering regexes for subdomains that we certainly do not want to get certificates for.
# regex filter are used to remove noise or to only match on a certain domains ex ^(?!this\.is\.a\.subdomain)[a-zA-Z0-9.-]+\.(com)
#
# tls_filters = [
# "ns1|ns2|www|mail|owa|ssl|webmail|smtp|secure|wap|confluence|blah",
# ]
tls_filters = [
"first_regex",
"second_regex",
"third_regex"
]
[ns]
# Nameserver port
port = "53"
# Protocol, "both", "both4", "both6", "udp", "udp4", "udp6" or "tcp", "tcp4", "tcp6"
protocol = "both4"
# Default domain used for CNAME targets, SOA records etc.
default_domain = "example.com"
# List of domains that we answer for
domains = [
"somethingelse.tld",
"anotherone.tld",
]
# IP address to use in the DNS responses. Should point to the publicly accessible IP of the server
# Should often be the same as the IP in the general section
ns_response_ip = "203.0.113.5"
# Nameserver name used in SOA records
nsname = "ns.example.com"
# Admin email for SOA records, note that @ is replaced by a dot
nsadmin = "admin.example.com"
records = [
# Any static records go here in zone file format
"ns.example.com. A 203.0.113.5",
# You need to keep the NS records here as well as the A record it points to
"ns.example.com. NS ns.example.com.",
]
# TTL for the responses
ttl = 1
debug = false
# HTTPd configuration
[httpd]
# Port to listen fo plaintext HTTP
http_port = "80"
# Port to listen for HTTPS
https_port = "443"
# Directory path to store injection templates
injection_template_filepath = "/path/to/templates"
# Injection filter regexes for HTTP requests
injection_filters = [
"first_regex",
"second_regex",
"third_regex"
]
# Regexes for request uri elements that we want to inject, mapping to template files.
# when using template files, a keyword CERTAINLY_UPSTREAM will be replaced with the
# upstream response body content. Certainly also generates an unique id for each request
# and replaces keyword CERTAINLY_HASH with it. This is useful for tracking requests.
#
# Certainly has a custom endpoint /callback/ that should be used for any callback requests
# that should be answered with HTTP 204 instead of the default functionality of doing a
# 307 temporary redirect to the upstream server.
[httpd_injection_templates]
# Examples for matching JS and CSS in request URI and injecting templates
# ".js$" = "javascript.tmpl"
# ".css$" = "css.tmpl"
# Rewrite rules for HTTP requests, we don't want to brick the intertubes
[rewrites]
"example.com" = "realtarget.tld"
[notification]
# Enable slack integration
slack = true
# Slack bot token
slack_token = "xob...."
# List of slack channels to send notifications to
# everything gets sent to default channel unless overwritten by specific channel
slack_default_channel = "C01...."
slack_http_channel = ""
slack_dns_channel = ""
slack_smtp_channel = ""
slack_imap_channel = ""
# Enable notifications for HTTP
http = true
# Regex filters to apply on the raw HTTP requests, to filter out spammy requests like scanners
http_filters = [
"first_regex",
"second_regex",
"third_regex"
]
# Enable notifications for DNS
dns = false
# Regex filters to apply on the DNS questions
dns_filters = [
"first_regex",
"second_regex"
]
# Enable notifications for SMTP
smtp = true
# regex filters to apply on the SMTP questions
smtp_filters = []
# Enable notifications for IMAP
imap = true
# Regex filters to apply on the IMAP questions
imap_filters = []
[logconfig]
# logging level: "error", "warning", "info" or "debug"
loglevel = "info"
# possible values: stdout, file
logtype = "file"
# file path for logfile
logfile = "/path/to/install/certainly/certainly.log"
# format, either "json" or "text"
logformat = "json"