MeshCentral/meshcentral-config-schema.json
2020-09-28 13:28:08 -07:00

487 lines
30 KiB
JSON

{
"id": "http://info.meshcentral.com/download/meshcentral-config-schema.json",
"$schema": "http://json-schema.org/draft-04/schema#",
"description": "MeshCentral configuration file schema",
"type": "object",
"properties": {
"settings": {
"type": "object",
"properties": {
"cert": { "type": "string", "description": "Set this to the primary DNS name of this MeshCentral server." },
"mongoDb": { "type": "string" },
"mongoDbName": { "type": "string" },
"mongoDbChangeStream": { "type": "boolean" },
"mongoDumpPath": { "type": "string" },
"WANonly": { "type": "boolean", "default": false, "description": "When enabled, only MeshCentral WAN features are enabled and agents will connect to the server using a well known DNS name." },
"LANonly": { "type": "boolean", "default": false, "description": "When enabled, only MeshCentral LAN features are enabled and agents will find the server using multicast LAN packets." },
"sessionTime": { "type": "integer" },
"sessionKey": { "type": "string" },
"sessionSameSite": { "type": "string" },
"dbEncryptKey": { "type": "string" },
"dbRecordsEncryptKey": { "type": "string", "default": null },
"dbRecordsDecryptKey": { "type": "string", "default": null },
"dbExpire": {
"type": "object",
"properties": {
"events": { "type": "integer", "default": 1728000, "description": "Amount of time in seconds that events are kept in the database." },
"powerevents": { "type": "integer", "default": 864000, "description": "Amount of time in seconds that device power events are kept in the database." },
"statsevents": { "type": "integer", "default": 2592000, "description": "Amount of time in seconds that server statistics are kept in the database." }
}
},
"port": { "type": "integer", "minimum": 1, "maximum": 65535 },
"portBind": { "type": "string", "description": "When set, bind the HTTPS main port to a specific network address." },
"aliasPort": { "type": "integer", "minimum": 1, "maximum": 65535 },
"redirPort": { "type": "integer", "minimum": 1, "maximum": 65535 },
"redirPortBind": { "type": "string", "description": "When set, bind the HTTP redirection port to a specific network address." },
"redirAliasPort": { "type": "integer", "minimum": 1, "maximum": 65535 },
"agentPort": { "type": "integer", "minimum": 1, "maximum": 65535, "description": "When set, enabled a new HTTPS server port that only accepts agent connections." },
"agentPortBind": { "type": "string", "description": "When set, binds the agent port to a specific network interface." },
"agentAliasPort": { "type": "integer", "minimum": 1, "maximum": 65535, "description": "When set, indicates the actual publically visible agent-only port. If not set, the AgentPort value is used." },
"agentAliasDNS": { "type": "string", "format": "hostname", "description": "When set, specified the DNS name used by agents to connect to the agent-only port." },
"agentPortTls": { "type": "boolean", "default": true, "description": "Indicates if the agent-only port must perform TLS, this should be set to false if TLS is performed in front of this server." },
"agentCoreDump": { "type": "boolean", "default": false, "description": "Automatically activates and transfers any agent crash dump files to the server in meshcentral-data/coredumps." },
"agentCoreDumpUsers": { "type": "array", "description": "List of non-administrator users that have access to mesh agent crash dumps." },
"exactPorts": { "type": "boolean", "default": false },
"allowLoginToken": { "type": "boolean", "default": false },
"allowFraming": { "type": "boolean", "default": false, "description": "When enabled, the MeshCentral web site can be embedded within another website's iframe." },
"cookieIpCheck": { "type": "boolean" },
"cookieEncoding": { "type": "string", "enum": [ "hex", "base64" ], "default": "base64", "description": "Encoding format of cookies in the HTTP headers, this is typically Base64 but some reverse proxies will require HEX." },
"webRTC": { "type": "boolean", "default": false, "description": "When enabled, allows use of WebRTC to allow direct network traffic between the agent and browser." },
"nice404": { "type": "boolean", "default": true, "description": "By default, a nice looking 404 error page is displayed when needed. Set this to false to disable it." },
"clickOnce": { "type": "boolean", "default": true, "description": "By default Microsoft ClickOnce support is enabled allowing connection routing from the web site on IE browser and browsers with ClickOnce add-in." },
"selfUpdate": { "type": "boolean", "default": false, "description": "When true, this server will attempt to self-update everyday after midnight." },
"browserPing": { "type": "integer", "minimum": 1, "description": "When specified, sends data to the browser at x seconds interval and expects a response from the browser." },
"browserPong": { "type": "integer", "minimum": 1, "description": "When specified, sends data to the browser at x seconds interval." },
"agentsInRam": { "type": "boolean", "default": false, "description": "Loads all agent binaries in RAM for faster agent updates." },
"agentPing": { "type": "integer", "minimum": 1, "description": "When specified, sends data to the agent at x seconds interval and expects a response from the agent." },
"agentPong": { "type": "integer", "minimum": 1, "description": "When specified, sends data to the agent at x seconds interval." },
"orphanAgentUser": { "type": "string", "default": null, "description": "If an agent attempts to connect to a unknown device group, automatically create a new device group and grant access to the specified user. Example: admin" },
"agentIdleTimeout": { "type": "integer", "minimum": 1 },
"compression": { "type": "boolean", "default": true, "description": "Enables GZIP compression for web requests." },
"wscompression": { "type": "boolean", "default": false, "description": "Enables server-side, websocket per-message deflate compression." },
"agentwscompression": { "type": "boolean", "default": true, "description": "Enables agent-side, websocket per-message deflate compression. wscompression must also be true for this to work." },
"meshErrorLogPath": { "type": "string" },
"npmPath": { "type": "string" },
"npmProxy": { "type": "string", "format": "uri" },
"allowHighQualityDesktop": { "type": "boolean", "default": true },
"desktopMultiplex": { "type": "boolean", "default": false },
"userAllowedIP": { "type": [ "string", "array" ] },
"userBlockedIP": { "type": [ "string", "array" ] },
"agentAllowedIP": { "type": [ "string", "array" ] },
"agentBlockedIP": { "type": [ "string", "array" ] },
"authLog": { "type": "string", "default": null, "description": "File path and name of the authentication log to be created. This log can be parsed by Fail2ban." },
"manageAllDeviceGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"manageCrossDomain": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"localDiscovery": {
"type": "object",
"description": "When this server is in LAN mode, you may discover this server using a multicast discovery tool. When discovery happens, the name and info fields are sent back to the discovery tool.",
"additionalProperties": false,
"properties": {
"name": { "type": "string" },
"info": { "type": "string" },
"key": { "type": "string", "description": "When set, encrypts all LAN discovery traffic to agents and tools using this key. This is only useful in LAN/Hybrid mode when agents and tools user multicast to find the server." }
},
"required": [ "name", "info" ]
},
"tlsOffload": { "type": [ "string", "boolean" ], "default": false },
"trustedProxy": { "type": "string" },
"mpsPort": { "type": "integer", "minimum": 1, "maximum": 65535 },
"mpsPortBind": { "type": "string" },
"mpsAliasPort": { "type": "integer", "minimum": 1, "maximum": 65535 },
"mpsAliasHost": { "type": "string" },
"mpsTlsOffload": { "type": "boolean", "default": false },
"no2FactorAuth": { "type": "boolean" },
"log": { "type": "string" },
"syslog": { "type": "string" },
"syslogauth": { "type": "string" },
"syslogjson": { "type": "string" },
"webrtcConfig": {
"type": "object",
"properties": {
"iceServers": { "type": "array", "uniqueItems": true, "items": { "type": "object", "properties": { "urls": { "type": "string" } }, "required": [ "urls" ] } }
},
"required": [ "iceServers" ]
},
"autoBackup": {
"type": "object",
"properties": {
"backupIntervalHours": { "type": "integer" },
"keepLastDaysBackup": { "type": "integer" },
"zipPassword": { "type": "string" },
"backupPath": { "type": "string" },
"googleDrive": {
"type": "object",
"description": "Enabled automated upload of the server backups to a Google Drive account, once enabled you need to go in \"My Server\" tab as administrator to associate the account.",
"properties": {
"folderName": { "type": "integer", "default": "MeshCentral-Backups", "description": "The name of the folder to create in the Google Drive account." },
"maxFiles": { "type": "string", "default": null, "description": "The maximum number of files to keep in the Google Drive folder, older files will be removed if needed." }
}
},
"webDAV": {
"type": "object",
"description": "Enabled automated upload of the server backups to a WebDAV account.",
"properties": {
"url": { "type": "string", "description": "WebDAV account URL." },
"username": { "type": "string", "description": "WebDAV account username." },
"password": { "type": "string", "description": "WebDAV account password." },
"folderName": { "type": "integer", "default": "MeshCentral-Backups", "description": "The name of the folder to create in the WebDAV account." },
"maxFiles": { "type": "string", "default": null, "description": "The maximum number of files to keep in the WebDAV folder, older files will be removed if needed." }
}
}
}
},
"redirects": { "type": "object" },
"maxInvalidLogin": {
"type": "object",
"additionalProperties": false,
"properties": {
"time": { "type": "integer" },
"count": { "type": "integer" },
"coolofftime": { "type": "integer" }
}
},
"plugins": {
"type": "object",
"properties": { "enabled": { "type": "boolean" } },
"required": [ "enabled" ]
}
}
},
"domaindefaults": { "$ref": "#/properties/domains/items" },
"domains": {
"type": "object",
"items": {
"type": "object",
"properties": {
"siteStyle": { "type": "integer", "default": 1, "description": "Valid numbers are 1 and 2, changes the style of the login page and some secondary pages." },
"title": { "type": "string", "default": "MeshCentral", "description": "The title of this web site. All web pages will have this title." },
"title2": { "type": "string", "default": null, "description": "Secondary title text that is placed on the upper right on the title on many web pages." },
"titlePicture": { "type": "string", "default": null, "description": "Web site .png logo file that is 450x66 in size placed in meshcentral-data that is used on the top of many pages." },
"loginPicture": { "type": "string", "default": null, "description": "Web site .png logo file placed in meshcentral-data that used on the login page when sitestyle is 2." },
"userQuota": { "type": "integer" },
"meshQuota": { "type": "integer" },
"minify": { "type": "boolean", "default": false, "description": "When enabled, the server will send reduced sided web pages." },
"newAccounts": { "type": "boolean" },
"newAccountsUserGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"userNameIsEmail": { "type": "boolean", "default": false, "description": "When enabled, the username of each account is also the email address of the account." },
"newAccountEmailDomains": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"newAccountsRights": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"welcomeText": { "type": "string", "description": "Text that will be shown on the login screen." },
"welcomePicture": { "type": "string", "description": "Name of the PNG or JPEG file that will be shown on the login screen. Put this file in the meshcentral-data folder and place the file name here." },
"hide": { "type": "integer" },
"footer": { "type": "string" },
"certUrl": {
"type": "string",
"format": "uri",
"description": "https url when to get the TLS certificate that MeshAgent's will see when connecting to this server. This setting is used when a reverse proxy like NGINX is used in front of MeshCentral."
},
"myServer": {
"type": "object",
"additionalProperties": false,
"properties": {
"Backup": { "type": "boolean", "default": true, "description": "Allows administrators to backup the server from the My Server tab." },
"Restore": { "type": "boolean", "default": true, "description": "Allows administrators to restore the server from the My Server tab." },
"Upgrade": { "type": "boolean", "default": true, "description": "Allows administrators to update the server from the My Server tab." },
"ShowLog": { "type": "boolean", "default": true, "description": "Allows administrators to see the server crash log the server from the My Server tab." },
"Console": { "type": "boolean", "default": true, "description": "Allows administrators to access the server console from the My Server tab." },
"Trace": { "type": "boolean", "default": true, "description": "Allows administrators to access the server trace tab from from the My Server tab." }
}
},
"passwordRequirements": {
"type": "object",
"properties": {
"min": { "type": "integer", "description": "Minimum number of characters allowed for the account password." },
"max": { "type": "integer", "description": "Maximum number of characters allowed for the account password." },
"upper": { "type": "integer", "description": "Minimum number of upper case characters required in the password." },
"lower": { "type": "integer", "description": "Minimum number of lower case characters required in the password." },
"numeric": { "type": "integer", "description": "Minimum number of numeric characters required in the password." },
"nonalpha": { "type": "integer", "description": "Minimum number of non-alpha-numeric characters required in the password." },
"reset": { "type": "integer", "description": "Number of days after which the user is required to change the account password." },
"force2factor": { "type": "boolean", "description": "Requires that all accounts setup 2FA." },
"skip2factor": { "type": "string", "description": "IP addresses where 2FA login is skipped, for example: 127.0.0.1,192.168.2.0/24" },
"oldPasswordBan": { "type": "integer", "description": "Number of old passwords the server should remember and not allow the user to switch back to." },
"banCommonPasswords": { "type": "boolean", "description": "Uses WildLeek to block use of the 10000 most commonly used passwords." }
}
},
"auth": { "type": "string", "default": null, "enum": [null, "sspi", "ldap"], "description": "Type of user authentication to use, this can be SSPI on Windows or LDAP. If not set, username/password is used." },
"ldapUserKey": { "type": "string" },
"ldapUserName": { "type": "string" },
"ldapUserEmail": { "type": "string" },
"ldapUserRealName": { "type": "string" },
"ldapUserPhoneNumber": { "type": "string" },
"ldapOptions": { "type": "object", "description": "LDAP options passed to ldapauth-fork" },
"agentInviteCodes": { "type": "boolean", "default": false, "description": "Enabled a feature where you can set one or more invitation codes in a device group. You can then give a invitation link to users who can use it to download the agent." },
"agentNoProxy": { "type": "boolean", "default": false, "description": "When enabled, all newly installed MeshAgents will be instructed to no use a HTTP/HTTPS proxy even if one is configured on the remote system" },
"agentTag": {
"type": "object",
"description": "This section is used to indicate if parts of the meshagent.tag file should be used to set server-side device properties.",
"additionalProperties": false,
"properties": {
"ServerName": { "type": "integer", "default": 0, "description": "Action taken if one of the lines in meshagent.tag contains ~ServerName:name. 0=Ignore, 1=Set." },
"ServerDesc": { "type": "integer", "default": 0, "description": "Action taken if one of the lines in meshagent.tag contains ~ServerDesc:desc. 0=Ignore, 1=Set, 2=SetIfEmpty." },
"ServerTags": { "type": "integer", "default": 0, "description": "Action taken if one of the lines in meshagent.tag contains ~ServerTags:tag1,tag2,tag3. 0=Ignore, 1=Set, 2=SetIfEmpty, 3=Append." }
}
},
"geoLocation": { "type": "boolean", "default": false, "description": "Enables the geo-location feature and device location map in the user interface, this feature is not being worked on." },
"novnc": { "type": "boolean", "default": true, "description": "When enabled, activates the built-in web-based noVNC client." },
"mstsc": { "type": "boolean", "default": false, "description": "When enabled, activates the built-in web-based RDP client." },
"maxGuestSessionSharingTime": { "type": "integer", "default": 60, "minimum": 1, "maximum": 5760, "description": "Maximum amount of time in minutes that a remote desktop session can be shared with a guest." },
"webEmailsPath": { "type": "string", "description": "Path where to find custom email templates for this domain." },
"customUI": { "type": "object" },
"consentMessages": {
"type": "object",
"description": "This section is used to customize user consent prompts, these show up when asking if a remote session is allowed or not.",
"additionalProperties": false,
"properties": {
"Title": { "type": "string" },
"Desktop": { "type": "string" },
"Terminal": { "type": "string" },
"Files": { "type": "string" }
}
},
"notificationMessages": {
"type": "object",
"additionalProperties": false,
"description": "This section is user to customize user notifications when a remote desktop, terminal or file session is connected to a remote system.",
"properties": {
"Title": { "type": "string" },
"Desktop": { "type": "string" },
"Terminal": { "type": "string" },
"Files": { "type": "string" }
}
},
"userAllowedIP": { "type": "string" },
"userBlockedIP": { "type": "string" },
"agentAllowedIP": { "type": "string" },
"agentBlockedIP": { "type": "string" },
"userSessionIdleTimeout": { "type": "integer" },
"userConsentFlags": { "type": "integer" },
"urlSwitching": { "type": "boolean" },
"desktopPrivacyBarText": { "type": "string" },
"limits": {
"type": "object",
"additionalProperties": false,
"properties": {
"MaxDevices": { "type": "integer" },
"MaxUserAccounts": { "type": "integer" },
"MaxUserSessions": { "type": "integer" },
"MaxAgentSessions": { "type": "integer" },
"MaxSingleUserSessions": { "type": "integer" }
}
},
"amtAcmActivation": {
"type": "object",
"additionalProperties": false,
"properties": {
"log": { "type": "string" },
"certs": {
"type": "object",
"additionalProperties": {
"type": "object",
"additionalProperties": false,
"properties": {
"certfiles": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"keyfile": { "type": "string" }
},
"required": [ "certfiles", "keyfile" ]
}
}
},
"required": [ "certs" ]
},
"redirects": {
"type": "object",
"additionalProperties": { "type": "string" }
},
"yubikey": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": { "type": "string" },
"secret": { "type": "string" },
"proxy": { "type": "string", "format": "uri" }
},
"required": [ "id", "secret" ]
},
"httpHeaders": { "type": "object", "additionalProperties": { "type": "string" } },
"agentConfig": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"sessionRecording": {
"type": "object",
"additionalProperties": false,
"properties": {
"filepath": { "type": "string" },
"index": { "type": "boolean", "default": false },
"maxRecordings": { "type": "integer" },
"maxRecordingSizeMegabytes": { "type": "integer" },
"protocols": { "type": "array", "uniqueItems": true, "items": { "type": "integer" } }
},
"required": [ "protocols" ]
},
"authStrategies": {
"type": "object",
"additionalProperties": false,
"properties": {
"twitter": {
"type": "object",
"additionalProperties": false,
"properties": {
"callbackurl": { "type": "string", "format": "uri" },
"newAccounts": { "type": "boolean", "default": false },
"newAccountsUserGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"clientid": { "type": "string" },
"clientsecret": { "type": "string" }
},
"required": [ "clientid", "clientsecret" ]
},
"google": {
"type": "object",
"properties": {
"callbackurl": { "type": "string", "format": "uri" },
"newAccounts": { "type": "boolean", "default": false },
"newAccountsUserGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"clientid": { "type": "string" },
"clientsecret": { "type": "string" }
},
"required": [ "clientid", "clientsecret" ]
},
"github": {
"type": "object",
"properties": {
"callbackurl": { "type": "string", "format": "uri" },
"newAccounts": { "type": "boolean", "default": false },
"newAccountsUserGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"clientid": { "type": "string" },
"clientsecret": { "type": "string" }
},
"required": [ "clientid", "clientsecret" ]
},
"reddit": {
"type": "object",
"properties": {
"callbackurl": { "type": "string", "format": "uri" },
"newAccounts": { "type": "boolean", "default": false },
"newAccountsUserGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"clientid": { "type": "string" },
"clientsecret": { "type": "string" }
},
"required": [ "clientid", "clientsecret" ]
},
"azure": {
"type": "object",
"properties": {
"callbackurl": { "type": "string", "format": "uri" },
"newAccounts": { "type": "boolean", "default": false },
"newAccountsUserGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"clientid": { "type": "string" },
"clientsecret": { "type": "string" },
"tenantid": { "type": "string" }
},
"required": [ "clientid", "clientsecret", "tenantid" ]
},
"jumpcloud": {
"type": "object",
"properties": {
"callbackurl": { "type": "string", "format": "uri" },
"newAccounts": { "type": "boolean", "default": false },
"newAccountsUserGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"entityid": { "type": "string" },
"idpurl": { "type": "string", "format": "uri" },
"cert": { "type": "string" }
},
"required": [ "entityid", "idpurl", "cert" ]
},
"saml": {
"type": "object",
"properties": {
"callbackurl": { "type": "string", "format": "uri" },
"disableRequestedAuthnContext": { "type": "boolean" },
"newAccounts": { "type": "boolean", "default": false },
"newAccountsUserGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"newAccountsRights": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
"entityid": { "type": "string" },
"idpurl": { "type": "string", "format": "uri" },
"cert": { "type": "string" }
},
"required": [ "entityid", "idpurl", "cert" ]
}
}
}
}
}
},
"letsEncrypt": {
"title" : "Built-in Let's Encrypt support",
"description": "If your server has a proper DNS name and it public facing on the Internet with a public facing HTTP server on port 80, you can get a free TLS certificate.",
"type": "object",
"additionalProperties": false,
"properties": {
"email": { "type": "string", "format": "email", "description": "Email address of the administrator of this server. Make sure this is a valid email address otherwise the certificate request will fail." },
"names": { "type": "string" },
"production": { "type": "boolean", "default": false, "description": "By default a test certificate will be obtained from Let's Encrypt. Always start by getting a test certificate and make sure that works before setting this to true and obtaining a production certificaite. Making too many bad requests for a production certificate will get you banned for a long period of time." }
},
"required": [ "email", "names" ]
},
"peers": {
"title" : "Server peering",
"description": "Setup peer server for load-balancing between many servers.",
"type": "object",
"minProperties": 1,
"propertyNames": { "pattern": "^[A-Za-z_][A-Za-z0-9_]*$" },
"additionalProperties": false,
"properties": {
"serverId": { "type": "string" },
"servers": {
"type": "object",
"additionalProperties": {
"type": "object",
"properties": { "url": { "type": "string", "format": "uri" } },
"required": [ "url" ]
}
}
},
"required": [ "serverId", "servers" ]
},
"smtp": {
"title" : "Email server",
"description": "Connects MeshCentral to a email server, allows MeshCentral to send email messages for 2FA or user notification.",
"type": "object",
"properties": {
"host": { "type": "string", "format": "hostname" },
"port": { "type": "integer", "minimum": 1, "maximum": 65535 },
"from": { "type": "string", "format": "email" },
"tls": { "type": "boolean" },
"tlscertcheck": { "type": "boolean" },
"tlsstrict": { "type": "boolean" }
},
"required": [ "host", "port", "from", "tls" ]
},
"sms": {
"title" : "SMS provider",
"description": "Connects MeshCentral to a SMS text messaging provider, allows MeshCentral to send SMS messages for 2FA or user notification.",
"oneOf": [
{
"type": "object",
"properties": {
"provider": { "type": "string", "enum": [ "twilio" ] },
"sid": { "type": "string" },
"auth": { "type": "string" },
"from": { "type": "string" }
},
"required": [ "provider", "sid", "auth", "from" ]
},
{
"type": "object",
"properties": {
"provider": { "type": "string", "enum": [ "plivo" ] },
"id": { "type": "string" },
"token": { "type": "string" },
"from": { "type": "string" }
},
"required": [ "provider", "id", "token", "from" ]
}
]
}
},
"required": [ "settings", "domains" ]
}