
Configuration

This topic describes the configuration options in the config.txt file.

The default location of the file is: /opt/jumpserver/config/config.txt

Note

After changing any configuration, run jmsctl restart to apply the changes.

SECRET_KEY

Default: (A randomly generated 48-character string)

Used to encrypt sensitive information, such as asset account passwords.

Keep the SECRET_KEY same as the old environment during migration. Do not share it with anyone.

BOOTSTRAP_TOKEN

Default: (A randomly generated 24-character string)

Used for registration of components such as KoKo, Lion, Magnus, etc.

Keep the BOOTSTRAP_TOKEN same as the old environment during migration. Do not share it with anyone.

DEBUG

Default: false

Debug mode shows detailed error pages with full tracebacks and environment info when exceptions occur.

Do not leave DEBUG enabled in the production environment for an extended period.

DEBUG_DEV

Default: false

Debug Dev mode shows more detailed information in log files.

Do not leave DEBUG_DEV enabled in the production environment for an extended period.

DEBUG_ANSIBLE

Default: false

Debug Ansible mode shows more detailed information during task execution.

Do not leave DEBUG_ANSIBLE enabled in the production environment for an extended period.

LOG_LEVEL

Default: ERROR

Controls which log messages are recorded, by severity level.

  • DEBUG: Low-level system information for debugging purposes.
  • INFO: General system information.
  • WARNING: Information describing a minor problem that has occurred.
  • ERROR: Information describing a major problem that has occurred.
  • CRITICAL: Information describing a critical problem that has occurred.

DB_ENGINE

Default: postgresql

Specifies the backend database engine for JumpServer.

  • postgresql: Use PostgreSQL as the database.
  • mysql: Use MySQL or MariaDB as the database.
  • vastbase: Use Vastbase as the database.

DB_HOST

Default: postgresql

The hostname or IP address of the database server. Defaults to the built-in "jms_postgresql" container.

DB_PORT

Default: 5432

The port number of the database server.

DB_NAME

Default: jumpserver

The name of the database to use.

DB_USER

Default: postgres

The username used to connect to the database.

DB_PASSWORD

Default: (A randomly generated 26-character string)

The password used to connect to the database.

DB_USE_SSL

Default: false

Use SSL for the database connection. Supported only with the mysql database engine.

The SSL certificate should be placed at /data/jumpserver/core/data/certs/db_ca.pem.

REDIS_HOST

Default: redis

The hostname or IP address of the redis server. Defaults to the built-in "jms_redis" container.

REDIS_PORT

Default: 6379

The port number of the redis server.

REDIS_PASSWORD

Default: (A randomly generated 26-character string)

The password used to connect to the redis server.

REDIS_USE_SSL

Default: false

Use SSL for the Redis connection. If enabled, you need to prepare the following files in advance and place them at the following paths:

  • Redis SSL private key file:
    • /data/jumpserver/core/data/certs/redis_client.key
  • Redis SSL certificate file:
    • /data/jumpserver/core/data/certs/redis_client.crt
  • Redis SSL CA certificate file (prefer .crt format, .pem as an alternative):
    • /data/jumpserver/core/data/certs/redis_ca.crt
    • /data/jumpserver/core/data/certs/redis_ca.pem

REDIS_MAX_CONNECTIONS

Default: 100

The maximum number of connections to the redis server.

REDIS_SENTINEL_HOSTS

Default: (empty)

The Sentinel nodes for redis sentinel mode.

The format is: ServiceName/host1:port1,host2:port2,host3:port3
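As an added example (not JumpServer's own code), the following Python function parses a REDIS_SENTINEL_HOSTS value in the format documented above into a service name and a list of (host, port) pairs. It rejects malformed values up front so that a typo in config.txt is reported at startup rather than surfacing as an obscure connection error later; the sample value is constructed for illustration.

```python
# Added example, not JumpServer's own code: parse the documented
# REDIS_SENTINEL_HOSTS format "ServiceName/host1:port1,host2:port2,host3:port3".
from typing import List, Tuple


def parse_sentinel_hosts(value: str) -> Tuple[str, List[Tuple[str, int]]]:
    """Return (service_name, [(host, port), ...]) for a REDIS_SENTINEL_HOSTS string.

    Raises ValueError on an empty value, a missing service name, a node without
    a port, a non-numeric port, or a port outside 1-65535.
    """
    value = value.strip()
    if not value:
        raise ValueError("REDIS_SENTINEL_HOSTS is empty")
    if "/" not in value:
        raise ValueError("expected 'ServiceName/host:port,...' but found no '/'")
    service, _, hosts_part = value.partition("/")
    service = service.strip()
    if not service:
        raise ValueError("sentinel service name is empty")

    nodes: List[Tuple[str, int]] = []
    for item in hosts_part.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma
        # rpartition keeps a bracketed IPv6 literal such as [::1] intact as the host
        host, sep, port_text = item.rpartition(":")
        if not sep or not host:
            raise ValueError(f"sentinel node {item!r} must be host:port")
        if not port_text.isdigit():
            raise ValueError(f"sentinel node {item!r} has a non-numeric port")
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"sentinel node {item!r} has an out-of-range port")
        nodes.append((host, port))

    if not nodes:
        raise ValueError("no sentinel nodes listed after the service name")
    return service, nodes


if __name__ == "__main__":
    # Constructed sample value in the documented format (not a real deployment).
    print(parse_sentinel_hosts("mymaster/10.0.0.1:26379,10.0.0.2:26379,10.0.0.3:26379"))
```

Three sentinel nodes, as in the documented format, is the usual minimum for a quorum; the parser does not enforce that, it only guarantees that every node listed is syntactically usable.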

REDIS_SENTINEL_PASSWORD

Default: (empty)

The password used to connect to the redis sentinel nodes.

REDIS_SENTINEL_SOCKET_TIMEOUT

Default: None

Specifies the read timeout for redis sentinel connections, in seconds. The default, None, means no timeout.

REDIS_DB_CELERY

Default: 3

Redis database index used to store celery tasks.

REDIS_DB_CACHE

Default: 4

Redis database index used for caching.

REDIS_DB_SESSION

Default: 5

Redis database index used to store user sessions.

REDIS_DB_WS

Default: 6

Redis database index used for websocket connections.

X_FRAME_OPTIONS

Default: SAMEORIGIN

Used to prevent the page from being embedded in third-party sites and to protect users from clickjacking attacks.

  • SAMEORIGIN: Allows the page to be displayed in a frame on the same origin.
  • DENY: Prevents the page from being displayed in a frame, regardless of the site attempting to do so.

TOKEN_EXPIRATION

Default: 3600 (in seconds)

The validity period of the bearer token for creating a user through the API, in seconds.

USER_DEFAULT_EXPIRED_DAYS

Default: 25550 (in days)

Default expiration period (in days) for a user. When creating a user, the "Date expired" is automatically calculated based on this setting.

ASSET_PERMISSION_DEFAULT_EXPIRED_DAYS

Default: 25550 (in days)

Default expiration period (in days) for an authorization. When an authorization is created, the "Date expired" is automatically calculated based on this value.

SESSION_COOKIE_DOMAIN

Default: None

The domain to use for session cookies. Set this to a string such as "example.com" for cross-domain cookies, or use None for a standard domain cookie.

SESSION_COOKIE_AGE

Default: 86400 (in seconds)

The age of session cookies, in seconds. The default is 24 hours (86400 seconds).

CONNECTION_TOKEN_ONETIME_EXPIRATION

Default: 300 (in seconds)

The validity period of a one-time connection token, in seconds. The default is 5 minutes (300 seconds).

CONNECTION_TOKEN_REUSABLE

Default: false

Whether to enable reusable connection tokens. The default is false, meaning that each token can only be used once. If set to true, the token can be used multiple times within the validity period.

CONNECTION_TOKEN_REUSABLE_EXPIRATION

Default: 2592000 (in seconds)

The validity period of a reusable connection token, in seconds. The default is 30 days (2592000 seconds).

FACE_RECOGNITION_ENABLED

(Enterprise edition)

Default: false

Whether to enable face recognition for user authentication. The facial recognition feature supports the following scenarios:

  • MFA authentication during user login.
  • Secondary authentication when logging in to an asset.
  • Online facial recognition detection after logging in to an asset.

SECURITY_VIEW_AUTH_NEED_MFA

(Recommended)

Default: true

Whether MFA verification is required when an administrator views an asset account's secret. By default it is mandatory.

For more information about configuring the MFA verification validity period, see MFA verify TTL.
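The following Python script is an added example, not part of JumpServer or its documentation. It reads a config.txt in the KEY=VALUE form used at /opt/jumpserver/config/config.txt and reports settings that weaken the protections described on this page: the debug switches and LOG_LEVEL, DB_USE_SSL set with an engine other than mysql, an X_FRAME_OPTIONS value other than SAMEORIGIN or DENY, token and session lifetimes longer than the documented defaults, reusable connection tokens, and SECURITY_VIEW_AUTH_NEED_MFA turned off. The thresholds are the page's stated defaults; the sample config is constructed and the script changes nothing on the host.

```python
# Added example, not JumpServer's own tooling: audit a config.txt for settings
# that weaken the protections documented on this page. All thresholds are the
# page's documented defaults; nothing here reads or modifies a live system.
from typing import Dict, List


def parse_config(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored.

    Surrounding quotes are stripped so DEBUG="true" and DEBUG=true compare equal.
    """
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        config[key.strip()] = value.strip().strip("'\"")
    return config


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "1", "yes", "on")


def audit_config(config: Dict[str, str]) -> List[str]:
    """Return one finding per weak or inconsistent setting (empty list = clean)."""
    findings: List[str] = []

    def get(key: str, default: str = "") -> str:
        return config.get(key, default)

    # Secrets: the page documents 48- and 24-character generated defaults.
    if len(get("SECRET_KEY")) < 48:
        findings.append("SECRET_KEY missing or shorter than the 48-character generated default")
    if len(get("BOOTSTRAP_TOKEN")) < 24:
        findings.append("BOOTSTRAP_TOKEN missing or shorter than the 24-character generated default")

    # Debug switches expose tracebacks or verbose logs; not a production steady state.
    for key in ("DEBUG", "DEBUG_DEV", "DEBUG_ANSIBLE"):
        if _is_true(get(key, "false")):
            findings.append(f"{key}=true exposes tracebacks or verbose logs; disable in production")
    if get("LOG_LEVEL", "ERROR").upper() == "DEBUG":
        findings.append("LOG_LEVEL=DEBUG writes low-level detail to log files; use ERROR or WARNING")

    # DB_USE_SSL is documented as supported only with the mysql engine.
    engine = get("DB_ENGINE", "postgresql").lower()
    if _is_true(get("DB_USE_SSL", "false")) and engine != "mysql":
        findings.append(f"DB_USE_SSL=true has no effect with DB_ENGINE={engine}; only mysql is supported")

    # Clickjacking header: only the two documented values provide protection.
    xfo = get("X_FRAME_OPTIONS", "SAMEORIGIN").upper()
    if xfo not in ("SAMEORIGIN", "DENY"):
        findings.append(f"X_FRAME_OPTIONS={xfo!r} is not SAMEORIGIN or DENY; clickjacking protection is lost")

    # Lifetimes longer than the documented defaults widen the replay window.
    limits = {
        "TOKEN_EXPIRATION": 3600,
        "CONNECTION_TOKEN_ONETIME_EXPIRATION": 300,
        "CONNECTION_TOKEN_REUSABLE_EXPIRATION": 2592000,
        "SESSION_COOKIE_AGE": 86400,
    }
    for key, default in limits.items():
        raw = get(key, str(default))
        if not raw.isdigit():
            findings.append(f"{key}={raw!r} is not a whole number of seconds")
        elif int(raw) > default:
            findings.append(f"{key}={raw} exceeds the documented default of {default} seconds")
    if _is_true(get("CONNECTION_TOKEN_REUSABLE", "false")):
        findings.append("CONNECTION_TOKEN_REUSABLE=true lets a connection token be reused within its lifetime")

    # MFA gate on viewing account secrets (documented default: true).
    if not _is_true(get("SECURITY_VIEW_AUTH_NEED_MFA", "true")):
        findings.append("SECURITY_VIEW_AUTH_NEED_MFA=false removes MFA when viewing asset account secrets")
    return findings


# Constructed sample config.txt (not a real deployment) containing several weak settings.
SAMPLE_CONFIG = """
SECRET_KEY=short
BOOTSTRAP_TOKEN=abcdefghijklmnopqrstuvwx
DEBUG=true
LOG_LEVEL=ERROR
DB_ENGINE=postgresql
DB_USE_SSL=true
X_FRAME_OPTIONS=ALLOWALL
CONNECTION_TOKEN_REUSABLE=true
SESSION_COOKIE_AGE=604800
SECURITY_VIEW_AUTH_NEED_MFA=false
"""

if __name__ == "__main__":
    for finding in audit_config(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against a real file with `audit_config(parse_config(open("/opt/jumpserver/config/config.txt").read()))`; a lifetime longer than the default is reported as a finding rather than an error, since a longer value may be a deliberate choice, but it should be a recorded one.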