Parameter Description
Attention
- Before modifying the configuration file, make sure the JumpServer service is stopped.
1 Core parameter description
- Update the parameters in config.txt:
vi /opt/jumpserver/config/config.txt
- The Core component parameters are as follows:
Parameter name | Default | Option | Description |
---|---|---|---|
SECRET_KEY | '' | - | Key used for encrypting and decrypting sensitive fields |
BOOTSTRAP_TOKEN | '' | - | Token used by components for registering with the Core component service |
DEBUG | false | true false | Debug mode; outputs more information when API errors occur during page requests |
DEBUG_DEV | false | true false | Development debug mode; runtime logs display additional information |
LOG_LEVEL | DEBUG | DEBUG INFO WARNING ERROR CRITICAL | Logging level |
LOG_DIR | /data/jumpserver/core/logs | - | Volume (directory) for logs |
DB_ENGINE | mysql | - | Database engine |
DB_NAME | jumpserver | - | Name of the database |
DB_HOST | 127.0.0.1 | - | IP address of the database |
DB_PORT | 3306 | - | Service port of the database |
DB_USER | root | - | Account for database access |
DB_PASSWORD | '' | - | Password for database access |
DB_USE_SSL | false | true false | Enable SSL for database access |
REDIS_HOST | 127.0.0.1 | - | IP address of Redis |
REDIS_PORT | 6379 | - | Service port of Redis |
REDIS_PASSWORD | '' | - | Password for Redis access |
REDIS_USE_SSL | false | true false | Enable SSL for Redis access |
REDIS_SSL_KEY | null | - | Redis SSL key |
REDIS_SSL_CERT | null | - | Redis SSL certificate |
REDIS_SSL_CA | null | - | Redis SSL CA certificate |
REDIS_SSL_REQUIRED | 'none' | - | Whether a Redis SSL certificate is required |
REDIS_SENTINEL_HOSTS | '' | - | IP addresses of the Redis sentinels; multiple IPs can be separated with ' |
REDIS_SENTINEL_PASSWORD | '' | - | Password of the Redis sentinel |
REDIS_SENTINEL_SOCKET_TIMEOUT | '' | - | Socket timeout for the Redis sentinel |
REDIS_DB_CELERY | 3 | 0-15 | Redis database number used by Celery tasks |
REDIS_DB_CACHE | 4 | 0-15 | Redis database number used by the cache |
REDIS_DB_SESSION | 5 | 0-15 | Redis database number used by user sessions |
REDIS_DB_WS | 6 | - | Redis database number used by WebSocket |
TOKEN_EXPIRATION | 3600 * 24(s) | - | Expiration period of user tokens created through the API # If set to Null or 0, the default value is 3600 |
DEFAULT_EXPIRED_YEARS | 70(year) | - | Default expiration period of created resources, e.g. authentication rules # Modification is not permitted |
SESSION_COOKIE_DOMAIN | null | - | Domain of the user's session cookie, e.g. fit2cloud.com |
CSRF_COOKIE_DOMAIN | null | - | Domain of the user's CSRF cookie; it defaults to the same value as SESSION_COOKIE_DOMAIN |
SESSION_COOKIE_NAME_PREFIX | jms_ | - | Prefix of the user's session cookie # If SESSION_COOKIE_DOMAIN is configured, the value before '.' is used as the default value, e.g. fit2cloud |
SESSION_COOKIE_AGE | 3600 * 24(s) | - | Validity period of the session cookie |
SESSION_EXPIRE_AT_BROWSER_CLOSE | false | true false | Validity of the session after the browser is closed |
CONNECTION_TOKEN_EXPIRATION | 5 * 60 | >= 5 * 60 | The connection token can only be used once within its validity period |
CONNECTION_TOKEN_EXPIRATION_MAX | 3600 * 24 * 30(s) | - | The connection token can be used repeatedly within its validity period |
CONNECTION_TOKEN_REUSABLE | false | true false | Whether a connection token can be used repeatedly |
AUTH_CUSTOM | false | true false | Enable user-defined authentication |
AUTH_CUSTOM_FILE_MD5 | '' | - | MD5 hash value of the custom user authentication file |
MFA_CUSTOM | false | true false | Enable custom MFA authentication |
MFA_CUSTOM_FILE_MD5 | '' | - | MD5 hash value of the custom MFA authentication file |
AUTH_TEMP_TOKEN | false | true false | Enable the temporary password function |
LOGIN_REDIRECT_TO_BACKEND | '' | Directly redirecting to the internal login page OpenID CAS SAML2 OAuth2 provider name (system setting) | After enabling third-party authentication, skip the countdown and redirect directly to the authentication service page, e.g. OpenID |
LOGIN_REDIRECT_MSG_ENABLED | true | true false | Enable the countdown page for third-party redirection |
SYSLOG_ADDR | '' | - | IP address of the Syslog service |
SYSLOG_FACILITY | user | - | Syslog facility |
SYSLOG_SOCKTYPE | 2 | - | Syslog socket type |
PERM_EXPIRED_CHECK_PERIODIC | 60 * 60(s) | - | Interval for checking expired asset authorization rules and expiring user authorization trees |
LANGUAGE_CODE | zh | zh en ja | Language setting |
TIME_ZONE | Asia/Shanghai | - | Time zone setting |
SESSION_COOKIE_SECURE | false | true false | Enable secure mode for the user session cookie; once enabled, the cookie is only sent over HTTPS |
CSRF_COOKIE_SECURE | false | true false | Secure mode for the user CSRF token; once enabled, it is only sent over HTTPS |
REFERER_CHECK_ENABLED | false | true false | Enable REFERER verification |
CSRF_TRUSTED_ORIGINS | - | - | CSRF same-origin trust; multiple addresses are separated by ',' (comma) |
SESSION_ENGINE | cache | - | Engine for user sessions |
SESSION_SAVE_EVERY_REQUEST | true | true false | Save the user's session on every request |
SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE | false | true false | Force session expiration when the browser is closed |
SERVER_REPLAY_STORAGE | {} | - | Server-side replay storage, e.g. { 'TYPE': 's3', 'BUCKET': '', 'ACCESS_KEY': '', 'SECRET_KEY': '', 'ENDPOINT': '' } # The component uploads recordings to the Core service, which then automatically uploads them to the configured object storage service |
CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED | true | true false | Security mode for password change plans. When enabled, an account cannot change its own password; when disabled, it can, e.g. root changing the password for root |
SECURITY_VIEW_AUTH_NEED_MFA | true | true false | Whether an MFA check is required |
SECURITY_DATA_CRYPTO_ALGO | aes(GMSSL_ENABLED=false) gm(GMSSL_ENABLED=true) | aes_ecb aes_gcm aes gm_sm4_ecb gm | Data encryption algorithm |
GMSSL_ENABLED | false | true false | Enable the national cryptography algorithm (data encryption algorithm) # If SECURITY_DATA_CRYPTO_ALGO and GMSSL_ENABLED are both configured, SECURITY_DATA_CRYPTO_ALGO takes priority |
OPERATE_LOG_ELASTICSEARCH_CONFIG | {} | - | Configuration for storing "Field Changes" in operation logs using Elasticsearch, e.g. { "INDEX": "", "HOSTS": "", "OTHER": "", "IGNORE_VERIFY_CERTS": "", "INDEX_BY_DATE": "", "DOC_TYPE": "" } |
MAGNUS_ORACLE_PORTS | 30000-30030 | - | Port range used by Magnus for Oracle connections |
APPLET_DOWNLOAD_HOST | '' | - | Address for downloading Applets and other software |
FTP_FILE_MAX_STORE | 100(M) | - | Backup threshold for files uploaded and downloaded over FTP, in megabytes (MB). When the value is less than or equal to zero, no files are backed up |
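Several Core defaults in the table above are security-relevant (empty secrets, cookies not restricted to HTTPS, SSL off for the database and Redis, ECB options for data encryption). The following Python audit is an added example, not JumpServer code; it assumes config.txt holds one KEY=VALUE pair per line and that the deployment is served over HTTPS, and the rule list, function names and sample values are constructed for illustration.

```python
# Added example (not JumpServer code): review Core settings from config.txt.
# Assumption: one KEY=VALUE pair per line; lines starting with '#' are comments.
DEFAULTS = {  # defaults as listed in the Core parameter table on this page
    "SECRET_KEY": "", "BOOTSTRAP_TOKEN": "", "DEBUG": "false",
    "DB_HOST": "127.0.0.1", "DB_USE_SSL": "false",
    "REDIS_HOST": "127.0.0.1", "REDIS_USE_SSL": "false",
    "SESSION_COOKIE_SECURE": "false", "CSRF_COOKIE_SECURE": "false",
    "CONNECTION_TOKEN_REUSABLE": "false", "SECURITY_VIEW_AUTH_NEED_MFA": "true",
    "SECURITY_DATA_CRYPTO_ALGO": "aes",
}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
def on(cfg, key):
    return cfg[key].lower() == "true"

def remote_plaintext(cfg, host_key, ssl_key):
    # SSL matters once the backend is reached over the network, not on loopback.
    return cfg[host_key] not in LOOPBACK and not on(cfg, ssl_key)

# (key, predicate that is True when the setting deserves review, reason)
RULES = [
    ("SECRET_KEY", lambda c: not c["SECRET_KEY"], "empty encryption key"),
    ("BOOTSTRAP_TOKEN", lambda c: not c["BOOTSTRAP_TOKEN"], "empty registration token"),
    ("DEBUG", lambda c: on(c, "DEBUG"), "API errors output extra information"),
    ("DB_USE_SSL", lambda c: remote_plaintext(c, "DB_HOST", "DB_USE_SSL"), "remote database without SSL"),
    ("REDIS_USE_SSL", lambda c: remote_plaintext(c, "REDIS_HOST", "REDIS_USE_SSL"), "remote Redis without SSL"),
    ("SESSION_COOKIE_SECURE", lambda c: not on(c, "SESSION_COOKIE_SECURE"), "session cookie not limited to HTTPS"),
    ("CSRF_COOKIE_SECURE", lambda c: not on(c, "CSRF_COOKIE_SECURE"), "CSRF cookie not limited to HTTPS"),
    ("CONNECTION_TOKEN_REUSABLE", lambda c: on(c, "CONNECTION_TOKEN_REUSABLE"), "connection tokens reusable"),
    ("SECURITY_VIEW_AUTH_NEED_MFA", lambda c: not on(c, "SECURITY_VIEW_AUTH_NEED_MFA"), "MFA check disabled"),
    ("SECURITY_DATA_CRYPTO_ALGO", lambda c: c["SECURITY_DATA_CRYPTO_ALGO"].lower().endswith("_ecb"), "ECB mode selected"),
]

def parse_config(text):
    cfg = dict(DEFAULTS)  # keys absent from the file fall back to the defaults
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip("'\"")
    return cfg

def audit(text):
    cfg = parse_config(text)
    return sorted((key, why) for key, bad, why in RULES if bad(cfg))

# Constructed sample input, not taken from a real deployment.
SAMPLE = ("SECRET_KEY=\nBOOTSTRAP_TOKEN=placeholder-token\nDEBUG=true\n"
          "DB_HOST=10.0.0.12\nDB_USE_SSL=false\nSESSION_COOKIE_SECURE=true\n"
          "SECURITY_DATA_CRYPTO_ALGO=aes_ecb\n")
```

Calling `audit(open("/opt/jumpserver/config/config.txt").read())` returns the (key, reason) pairs to review; an empty file is audited purely against the documented defaults.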
2 KoKo parameter description
- The KoKo parameters are as follows:
Parameter name | Default | Option | Description |
---|---|---|---|
NAME | hostname | - | Host name |
CORE_HOST | http://127.0.0.1:8080 | - | URL of the JumpServer host; API registration requests use this setting |
BOOTSTRAP_TOKEN | '' | - | Pre-shared secret key; it must be consistent with the JumpServer configuration file |
BIND_HOST | 0.0.0.0 | - | IP address bound at system startup |
SSHD_PORT | 2222 | - | Port on which SSH listens |
HTTPD_PORT | 5000 | - | Port on which HTTP/WS listens |
ACCESS_KEY | '' | - | The project's ACCESS KEY; it is registered automatically and saved to a file |
ACCESS_KEY_FILE | data/keys/.access_key | - | Path where the ACCESS KEY is saved; after registration it is saved to this file by default |
LOG_LEVEL | DEBUG | DEBUG INFO WARNING ERROR CRITICAL | Log level |
SSH_TIMEOUT | 15 | - | SSH connection timeout, in seconds # If the user's server has the 'useDNS' parameter enabled, login may take longer than 15 seconds and this parameter needs to be modified |
LANGUAGE_CODE | zh | zh en ja | System language setting |
UPLOAD_FAILED_REPLAY_ON_START | true | true false | Whether video files that have not been uploaded are uploaded during startup |
SFTP_SHOW_HIDDEN_FILE | false | true false | Whether hidden files are displayed during SFTP operations |
REUSE_CONNECTION | true | true false | Whether the SSH connection is reused for the same user |
ASSET_LOAD_POLICY | all | - | When set to 'all', the user asset cache enables local search pagination; by default, assets are loaded asynchronously and async search pagination is used |
ZIP_MAX_SIZE | 1024M | - | Maximum size supported by ZIP for file downloads through Web SFTP, in 'M' |
ZIP_TMP_PATH | /tmp | - | Temporary path for zipped files when downloading through Web SFTP |
CLIENT_ALIVE_INTERVAL | 30 | 30 0 | Interval at which KoKo sends a heartbeat to the SSH client after the user logs in to KoKo over SSH. The default interval is 30; setting it to 0 means no heartbeat is sent, ensuring the user's login connection remains uninterrupted |
RETRY_ALIVE_COUNT_MAX | 3 | - | After logging in to an asset, KoKo sends heartbeat packets to the asset, with a default retry count of 3 in case of errors # When the network is unstable, consider increasing the retry count |
SHARE_ROOM_TYPE | local | local redis | Method used for session monitoring and sharing |
REDIS_HOST | 127.0.0.1 | - | Host IP of Redis |
REDIS_PORT | 6379 | - | Port number of Redis |
REDIS_PASSWORD | '' | - | Password of Redis |
REDIS_DB_ROOM | 0 | - | Index of the Redis database to select |
ENABLE_LOCAL_PORT_FORWARD | true | true false | Whether local forwarding is enabled (currently only effective for VSCode Remote SSH) |
ENABLE_VSCODE_SUPPORT | true | true false | Whether remote development support for VSCode's Remote SSH is enabled # Precondition: ENABLE_LOCAL_PORT_FORWARD must be enabled |
3 Lion parameter description
- The Lion parameters are as follows:
Parameter name | Default | Option | Description |
---|---|---|---|
NAME | hostname | - | Host name |
CORE_HOST | http://127.0.0.1:8080 | - | URL of the JumpServer host; API registration requests use this setting |
BOOTSTRAP_TOKEN | '' | - | Pre-shared secret key; it must be consistent with the JumpServer configuration file |
BIND_HOST | 0.0.0.0 | - | IP address bound at system startup |
HTTPD_PORT | 8081 | - | Port on which HTTPD listens |
GUA_HOST | 127.0.0.1 | - | URL of the Guacd component |
GUA_PORT | 4822 | - | Port number of the Guacd component |
LOG_LEVEL | DEBUG | DEBUG INFO WARNING ERROR CRITICAL | Log level |
SHARE_ROOM_TYPE | local | local redis | Method used for session monitoring and sharing |
REDIS_HOST | 127.0.0.1 | - | IP address of Redis |
REDIS_PORT | 6379 | - | Port number of Redis |
REDIS_PASSWORD | '' | - | Password for Redis access |
REDIS_DB_ROOM | 0 | - | Index of the Redis database to select |
JUMPSERVER_DISABLE_ALL_COPY_PASTE | false | true false | Global setting to disable uploads and downloads |
JUMPSERVER_DISABLE_ALL_UPLOAD_DOWNLOAD | false | true false | Global setting to disable the clipboard for copy and paste |
JUMPSERVER_REMOTE_APP_UPLOAD_DOWNLOAD_ENABLE | false | true false | Enable upload and download for Remote App |
JUMPSERVER_REMOTE_APP_COPY_PASTE_ENABLE | false | true false | Enable the clipboard for copy and paste for Remote App |
JUMPSERVER_COLOR_DEPTH | 32 | Low color 16-bit, True Color 24-bit, True Color 32-bit | Color depth |
JUMPSERVER_DPI | 120 | 120 160 240 | Number of pixels per inch in the image |
JUMPSERVER_DISABLE_AUDIO | false | true false | Disable audio |
JUMPSERVER_ENABLE_WALLPAPER | false | true false | Enable wallpaper |
JUMPSERVER_ENABLE_THEMING | false | true false | Enable theming |
JUMPSERVER_ENABLE_FONT_SMOOTHING | false | true false | Enable font smoothing |
JUMPSERVER_ENABLE_FULL_WINDOW_DRAG | false | true false | Render all content when dragging windows |
JUMPSERVER_ENABLE_DESKTOP_COMPOSITION | false | true false | Enable transparent windows and graphical effects such as shadows |
JUMPSERVER_ENABLE_MENU_ANIMATIONS | false | true false | Enable menu toggle animations |
JUMPSERVER_DISABLE_BITMAP_CACHING | true | true false | Disable the built-in bitmap caching feature for RDP |
JUMPSERVER_DISABLE_OFFSCREEN_CACHING | true | true false | Disable caching of screen areas that are currently not visible in the client |
JUMPSERVER_DISABLE_GLYPH_CACHING | true | true false | Disable font caching in RDP sessions |
JUMPSERVER_CLEAN_DRIVE_SCHEDULE_TIME | 1 0 | - | Interval for scheduled cleaning of mounted disk files, in hours; if set to 0, the files are not cleaned |