
Parameter Description

Attention

  • Before modifying the configuration file, make sure the JumpServer service is stopped.

1 Core parameter description

  • Update the parameters in config.txt:
vi /opt/jumpserver/config/config.txt
  • The Core component parameters are as follows:
| Parameter name | Default | Options | Description |
| --- | --- | --- | --- |
| SECRET_KEY | '' | - | Key used for encrypting and decrypting sensitive fields |
| BOOTSTRAP_TOKEN | '' | - | Token used by components to register with the Core component service |
| DEBUG | false | true, false | Debug mode; outputs more information when API errors occur during page requests |
| DEBUG_DEV | false | true, false | Development debug mode; when enabled, the running log displays additional information |
| LOG_LEVEL | DEBUG | DEBUG, INFO, WARNING, ERROR, CRITICAL | Logging level |
| LOG_DIR | /data/jumpserver/core/logs | - | Volume where logs are stored |
| DB_ENGINE | mysql | - | Database engine |
| DB_NAME | jumpserver | - | Name of the database |
| DB_HOST | 127.0.0.1 | - | IP address of the database |
| DB_PORT | 3306 | - | Service port of the database |
| DB_USER | root | - | Account used for database access |
| DB_PASSWORD | '' | - | Password for database access |
| DB_USE_SSL | false | true, false | Enable SSL for database access |
| REDIS_HOST | 127.0.0.1 | - | IP address of Redis |
| REDIS_PORT | 6379 | - | Service port of Redis |
| REDIS_PASSWORD | '' | - | Password for Redis access |
| REDIS_USE_SSL | false | true, false | Enable SSL for Redis access |
| REDIS_SSL_KEY | null | - | Redis SSL key |
| REDIS_SSL_CERT | null | - | Redis SSL certificate |
| REDIS_SSL_CA | null | - | Redis SSL CA certificate |
| REDIS_SSL_REQUIRED | 'none' | - | Whether a Redis SSL certificate is required |
| REDIS_SENTINEL_HOSTS | '' | - | IP addresses of the Redis sentinels; multiple addresses can be separated with ' |
| REDIS_SENTINEL_PASSWORD | '' | - | Password of the Redis sentinel |
| REDIS_SENTINEL_SOCKET_TIMEOUT | '' | - | Socket timeout for the Redis sentinel |
| REDIS_DB_CELERY | 3 | 0-15 | Redis database number used by Celery tasks |
| REDIS_DB_CACHE | 4 | 0-15 | Redis database number used by the cache |
| REDIS_DB_SESSION | 5 | 0-15 | Redis database number used by user sessions |
| REDIS_DB_WS | 6 | - | Redis database number used by WebSocket |
| TOKEN_EXPIRATION | 3600 * 24 (s) | - | Expiration period of user tokens created through the API. Note: if it is set to Null or 0, the default value is 3600 |
| DEFAULT_EXPIRED_YEARS | 70 (years) | - | Default expiration period of created resources, e.g. rule of authentication : Note: modification is not permitted |
| SESSION_COOKIE_DOMAIN | null | - | Domain of the user's Session Cookie, e.g. fit2cloud.com |
| CSRF_COOKIE_DOMAIN | null | - | Domain of the user's CSRF Cookie; defaults to the same value as SESSION_COOKIE_DOMAIN |
| SESSION_COOKIE_NAME_PREFIX | jms_ | - | Prefix of the user's Session Cookie. Note: if SESSION_COOKIE_DOMAIN is configured, the value before '.' is used as the default value, e.g. fit2cloud |
| SESSION_COOKIE_AGE | 3600 * 24 (s) | - | Validity period of the Session Cookie |
| SESSION_EXPIRE_AT_BROWSER_CLOSE | false | true, false | Validity of the Session after the browser is closed |
| CONNECTION_TOKEN_EXPIRATION | 5 * 60 | >= 5 * 60 | The connection token can only be used once within its validity period |
| CONNECTION_TOKEN_EXPIRATION_MAX | 3600 * 24 * 30 (s) | - | The connection token can be used repeatedly within its validity period |
| CONNECTION_TOKEN_REUSABLE | false | true, false | Whether the connection token can be used repeatedly |
| AUTH_CUSTOM | false | true, false | Enable user-defined authentication |
| AUTH_CUSTOM_FILE_MD5 | '' | - | MD5 hash value of the custom user authentication file |
| MFA_CUSTOM | false | true, false | Enable custom MFA authentication |
| MFA_CUSTOM_FILE_MD5 | '' | - | MD5 hash value of the custom MFA authentication file |
| AUTH_TEMP_TOKEN | false | true, false | Enable the temporary password function |
| LOGIN_REDIRECT_TO_BACKEND | '' | Directly redirecting to the internal login page; OpenID; CAS; SAML2; OAuth2 provider name (system setting) | After third-party authentication is enabled, skip the countdown and redirect directly to the authentication service page, e.g. OpenID |
| LOGIN_REDIRECT_MSG_ENABLED | true | true, false | Enable the countdown page for third-party redirection |
| SYSLOG_ADDR | '' | - | IP address of the Syslog service |
| SYSLOG_FACILITY | user | - | Syslog facility |
| SYSLOG_SOCKTYPE | 2 | - | Syslog socket type |
| PERM_EXPIRED_CHECK_PERIODIC | 60 * 60 (s) | - | Interval for checking expired asset authorization rules and expiring user authorization trees |
| LANGUAGE_CODE | zh | zh, en, ja | Language setting |
| TIME_ZONE | Asia/Shanghai | - | Time zone setting |
| SESSION_COOKIE_SECURE | false | true, false | Enable secure mode for the user Session Cookie; when enabled, the cookie is only sent over HTTPS |
| CSRF_COOKIE_SECURE | false | true, false | Secure mode for the user CSRF Token; when enabled, it is only sent over HTTPS |
| REFERER_CHECK_ENABLED | false | true, false | Enable REFERER verification |
| CSRF_TRUSTED_ORIGINS | - | - | CSRF trusted origins; multiple addresses are separated by ',' (comma) |
| SESSION_ENGINE | cache | - | Engine used for user Sessions |
| SESSION_SAVE_EVERY_REQUEST | true | true, false | Save the user's session on every request |
| SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE | false | true, false | Force session expiration when the browser is closed |
| SERVER_REPLAY_STORAGE | {} | - | Server-side replay storage, e.g. {'TYPE': 's3', 'BUCKET': '', 'ACCESS_KEY': '', 'SECRET_KEY': '', 'ENDPOINT': ''}. Note: the component uploads recordings to the Core service, which then automatically uploads them to the configured object storage service |
| CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED | true | true, false | Security mode for password change plans. When enabled, an account cannot change its own password; when disabled, it can (e.g. root changing the password for root) |
| SECURITY_VIEW_AUTH_NEED_MFA | true | true, false | MFA verification is required |
| SECURITY_DATA_CRYPTO_ALGO | aes (GMSSL_ENABLED=false); gm (GMSSL_ENABLED=true) | aes_ecb, aes_gcm, aes, gm_sm4_ecb, gm | Data encryption algorithm |
| GMSSL_ENABLED | false | true, false | Enable the National Cryptography Algorithm (data encryption algorithm). Note: if SECURITY_DATA_CRYPTO_ALGO and GMSSL_ENABLED are configured simultaneously, SECURITY_DATA_CRYPTO_ALGO takes priority |
| OPERATE_LOG_ELASTICSEARCH_CONFIG | {} | - | Configuration for storing "Field Changes" in operation logs using Elasticsearch, e.g. {"INDEX": "", "HOSTS": "", "OTHER": "", "IGNORE_VERIFY_CERTS": "", "INDEX_BY_DATE": "", "DOC_TYPE": ""} |
| MAGNUS_ORACLE_PORTS | 30000-30030 | - | Port number range used by Magnus for connecting to Oracle |
| APPLET_DOWNLOAD_HOST | '' | - | Address for downloading Applets and other software |
| FTP_FILE_MAX_STORE | 100 (M) | - | FTP files: the backup threshold for files uploaded and downloaded with FTP, in megabytes (MB). When the value is less than or equal to zero, no files will be backed up |
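
A check that can be run against the Core file after editing it, using only parameters from the table above. This is an added example, not JumpServer's own code; it assumes config.txt holds KEY=VALUE lines with # comments, and the HARDENED policy and the function names are this example's own choices.

```python
# Added example. Assumption: config.txt has one KEY=VALUE per line, '#' comments.
# Documented defaults (from the table) for the parameters this audit covers.
DEFAULTS = {
    "SECRET_KEY": "", "BOOTSTRAP_TOKEN": "", "DB_PASSWORD": "", "REDIS_PASSWORD": "",
    "DEBUG": "false", "DB_USE_SSL": "false", "REDIS_USE_SSL": "false",
    "SESSION_COOKIE_SECURE": "false", "CSRF_COOKIE_SECURE": "false",
    "CONNECTION_TOKEN_REUSABLE": "false", "SECURITY_VIEW_AUTH_NEED_MFA": "true",
}
# Values this example treats as hardened (a sample policy, not the project's).
HARDENED = {
    "DEBUG": "false", "DB_USE_SSL": "true", "REDIS_USE_SSL": "true",
    "SESSION_COOKIE_SECURE": "true", "CSRF_COOKIE_SECURE": "true",
    "CONNECTION_TOKEN_REUSABLE": "false", "SECURITY_VIEW_AUTH_NEED_MFA": "true",
}
MUST_BE_SET = ("SECRET_KEY", "BOOTSTRAP_TOKEN", "DB_PASSWORD", "REDIS_PASSWORD")

def parse_config(text):
    """Return {KEY: value} with whitespace and surrounding quotes stripped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values

def audit(text):
    """Return sorted (parameter, finding) pairs; unset keys use the default."""
    effective = {**DEFAULTS, **parse_config(text)}
    findings = [(k, "secret is empty") for k in MUST_BE_SET if not effective[k]]
    for key, wanted in HARDENED.items():
        got = effective[key].lower()
        if got != wanted:
            findings.append((key, f"is {got}, expected {wanted}"))
    return sorted(findings)

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
SECRET_KEY=constructed-sample-key
BOOTSTRAP_TOKEN=''
DB_PASSWORD=constructed-db-pass
REDIS_PASSWORD=constructed-redis-pass
DEBUG=True
SESSION_COOKIE_SECURE=true
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A parameter missing from the file is audited at its documented default, so a near-empty config.txt still reports the empty secrets and the disabled SSL and cookie flags.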

2 KoKo parameter description

  • The KoKo parameters are as follows:
| Parameter name | Default | Options | Description |
| --- | --- | --- | --- |
| NAME | hostname | - | Host name |
| CORE_HOST | http://127.0.0.1:8080 | - | URL of the JumpServer host; API registration requests use this setting |
| BOOTSTRAP_TOKEN | '' | - | Pre-shared secret key; it must be consistent with the JumpServer configuration file |
| BIND_HOST | 0.0.0.0 | - | IP address bound at system startup |
| SSHD_PORT | 2222 | - | Port number listened on for SSH |
| HTTPD_PORT | 5000 | - | Port number listened on for HTTP/WS |
| ACCESS_KEY | '' | - | The project's ACCESS KEY; it is registered automatically and saved to a file |
| ACCESS_KEY_FILE | data/keys/.access_key | - | Path where the ACCESS KEY is saved; after registration it is saved to this file by default |
| LOG_LEVEL | DEBUG | DEBUG, INFO, WARNING, ERROR, CRITICAL | Log level |
| SSH_TIMEOUT | 15 | - | Connection timeout for SSH (in seconds). Note: if the user's server has enabled the 'useDNS' parameter, login times might exceed 15 seconds and this parameter needs to be modified |
| LANGUAGE_CODE | zh | zh, en, ja | System language setting |
| UPLOAD_FAILED_REPLAY_ON_START | true | true, false | Whether video files that have not been uploaded are uploaded during startup |
| SFTP_SHOW_HIDDEN_FILE | false | true, false | Whether hidden files are displayed during SFTP operations |
| REUSE_CONNECTION | true | true, false | Whether the SSH connection is reused for the same user |
| ASSET_LOAD_POLICY | all | - | When set to 'all', the user asset cache enables local search pagination; by default, assets are loaded asynchronously and async search pagination is used |
| ZIP_MAX_SIZE | 1024M | - | Maximum size supported for ZIP when downloading files with Web SFTP (the unit is 'M') |
| ZIP_TMP_PATH | /tmp | - | Temporary path for zipped files when downloading files with Web SFTP |
| CLIENT_ALIVE_INTERVAL | 30 | 30, 0 | After the user logs into KoKo over SSH, KoKo sends a heartbeat to the SSH client at this interval. The default interval is 30; setting it to 0 means no heartbeat is sent, ensuring the user's login connection remains uninterrupted |
| RETRY_ALIVE_COUNT_MAX | 3 | - | After logging in to an asset, KoKo attempts to send heartbeat packets to the asset, with a default retry count of 3 in case of errors. Note: when the network is unstable, consider increasing the retry count |
| SHARE_ROOM_TYPE | local | local, redis | Method used for session monitoring and sharing |
| REDIS_HOST | 127.0.0.1 | - | Host IP of Redis |
| REDIS_PORT | 6379 | - | Port number of Redis |
| REDIS_PASSWORD | '' | - | Password of Redis |
| REDIS_DB_ROOM | 0 | - | Index of the Redis database to select |
| ENABLE_LOCAL_PORT_FORWARD | true | true, false | Whether local forwarding is enabled (currently only effective for VScode Remote SSH) |
| ENABLE_VSCODE_SUPPORT | true | true, false | Whether remote development support for VScode's Remote SSH is enabled. Precondition: ENABLE_LOCAL_PORT_FORWARD must be enabled |

3 Lion parameter description

  • The Lion parameters are as follows:
| Parameter name | Default | Options | Description |
| --- | --- | --- | --- |
| NAME | hostname | - | Host name |
| CORE_HOST | http://127.0.0.1:8080 | - | URL of the JumpServer host; API registration requests use this setting |
| BOOTSTRAP_TOKEN | '' | - | Pre-shared secret key; it must be consistent with the JumpServer configuration file |
| BIND_HOST | 0.0.0.0 | - | IP address bound at system startup |
| HTTPD_PORT | 8081 | - | Port number listened on for HTTPD |
| GUA_HOST | 127.0.0.1 | - | URL of the Guacd component |
| GUA_PORT | 4822 | - | Port number of the Guacd component |
| LOG_LEVEL | DEBUG | DEBUG, INFO, WARNING, ERROR, CRITICAL | Log level |
| SHARE_ROOM_TYPE | local | local, redis | Method used for session monitoring and sharing |
| REDIS_HOST | 127.0.0.1 | - | IP address of Redis |
| REDIS_PORT | 6379 | - | Port number of Redis |
| REDIS_PASSWORD | '' | - | Password for Redis access |
| REDIS_DB_ROOM | 0 | - | Index of the Redis database to select |
| JUMPSERVER_DISABLE_ALL_COPY_PASTE | false | true, false | Global setting to disable uploads and downloads |
| JUMPSERVER_DISABLE_ALL_UPLOAD_DOWNLOAD | false | true, false | Global setting to disable the clipboard for copy and paste |
| JUMPSERVER_REMOTE_APP_UPLOAD_DOWNLOAD_ENABLE | false | true, false | Enable upload and download for Remote App |
| JUMPSERVER_REMOTE_APP_COPY_PASTE_ENABLE | false | true, false | Enable the clipboard for copy and paste for Remote App |
| JUMPSERVER_COLOR_DEPTH | 32 | Low color 16-bit, True Color 24-bit, True Color 32-bit | Color depth |
| JUMPSERVER_DPI | 120 | 120, 160, 240 | Number of pixels per inch in the image |
| JUMPSERVER_DISABLE_AUDIO | false | true, false | Disable audio |
| JUMPSERVER_ENABLE_WALLPAPER | false | true, false | Enable wallpaper |
| JUMPSERVER_ENABLE_THEMING | false | true, false | Enable theme |
| JUMPSERVER_ENABLE_FONT_SMOOTHING | false | true, false | Enable font smoothing |
| JUMPSERVER_ENABLE_FULL_WINDOW_DRAG | false | true, false | Render all content when dragging windows |
| JUMPSERVER_ENABLE_DESKTOP_COMPOSITION | false | true, false | Enable transparent windows and graphical effects such as shadows |
| JUMPSERVER_ENABLE_MENU_ANIMATIONS | false | true, false | Enable menu toggle animation |
| JUMPSERVER_DISABLE_BITMAP_CACHING | true | true, false | Disable the built-in bitmap caching feature for RDP |
| JUMPSERVER_DISABLE_OFFSCREEN_CACHING | true | true, false | Disable caching of screen areas that are currently not visible in the client |
| JUMPSERVER_DISABLE_GLYPH_CACHING | true | true, false | Disable font caching in RDP sessions |
| JUMPSERVER_CLEAN_DRIVE_SCHEDULE_TIME | 1, 0 | - | Interval for scheduled cleaning of mounted disk files (in hours); if it is set to 0, the files will not be cleaned |