Mirrors/cobalt
1
0
Fork 0
mirror of https://github.com/wukko/cobalt.git synced 2024-11-15 12:50:01 +00:00
Code Issues Projects Releases Packages Wiki Activity

docs/protect-an-instance: add api keys configuration

Browse source
This commit is contained in:
wukko 2024-10-20 19:51:35 +06:00
parent a81a19de68
commit 9790179e29
No known key found for this signature in database
GPG key ID: 3E30B3F26C7B4AA2
1 changed files with 51 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
docs/protect-an-instance.md
View file

@ -13,7 +13,7 @@ all you need is a free cloudflare account to get started.
cloudflare dashboard interface might change over time, but basics should stay the same.
> [!CAUTION]
> [!WARNING]
> never share the turnstile secret key, always keep it private. if accidentally exposed, rotate it in widget settings.
1. open [the cloudflare dashboard](https://dash.cloudflare.com/) and log into your account
@ -97,3 +97,53 @@ environment:
TURNSTILE_SECRET: "2x0000000000000000000000000000000AA" # use your key
JWT_SECRET: "bgBmF4efNCKPirDqTc4FMmbX8P22I31oCj5R1zDiDi5sy8CWPnfLUct7rk5RlZUS" # create a new secret, NEVER use this one
```
4. restart the docker container.
## configure api keys
if you want to use your instance outside of web interface, you'll need an api key!
> [!NOTE]
> this tutorial assumes that you'll keep your keys file locally, on the instance server.
> if you wish to upload your file to a remote location,
> replace the value for `API_KEYS_URL` with a direct url to the file.
> [!WARNING]
> when storing keys file remotely, make sure that it's not publicly accessible
> and that link to it is either authenticated (via query) or impossible to guess.
>
> if api keys leak, you'll have to update/remove all UUIDs to revoke them.
1. create a `keys.json` file following [the schema and example here](/docs//run-an-instance.md#api-key-file-format).
2. expose the `keys.json` to the docker container:
```yml
volumes:
- ./keys.json:/keys.json:ro # ro - read-only
```
3. add a path to the keys file to container environment:
```yml
environment:
# ... other variables here ...
API_KEY_URL: "file:///keys.json"
```
4. restart the docker container.
## limit access to an instance with api keys but no turnstile
by default, api keys are additional, meaning that they're not *required*,
but work alongside with turnstile or no auth (regular ip hash rate limiting).
to always require auth (via keys or turnstile, if configured), set `API_AUTH_REQUIRED` to 1:
```yml
environment:
# ... other variables here ...
API_AUTH_REQUIRED: 1
```
- if both keys and turnstile are enabled, then nothing will change.
- if only keys are configured, then all requests without a valid api key will be refused.
### why not make keys exclusive by default?
keys may be useful for going around rate limiting,
while keeping the rest of api rate limited, with no turnstile in place.