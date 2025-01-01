
Environment Variables
The ALTCHA Sentinel application is configured using environment variables (ENV vars).
Configuring Environment Variables
Environment variables can be set either at runtime or through the application’s administrative interface.
Setting Variables via the Application UI
The application allows you to configure environment variables through its web interface. These settings are stored in the data/.env file.
Steps:
- Log in to the application.
- Navigate to Admin → ENV Variables.
- Add, edit, or remove variables as needed.
- Click Save to persist changes.
Setting Variables via Runtime Configuration
For deployments outside the UI (e.g., Docker, systemd, Kubernetes), you can configure environment variables directly through your runtime environment.
Refer to your deployment platform’s documentation for instructions on setting environment variables.
Secret Management Support
ALTCHA Sentinel supports secure handling of sensitive configuration values (like API keys or passwords) by reading values from mounted secret files. This is especially useful in containerized environments like Docker or Kubernetes.
To use a secret file, append _FILE to the environment variable name. The application reads the contents of the specified file and uses it as the variable’s value.
For example, instead of setting ALTCHA_HMAC_SECRET to the secret itself, set ALTCHA_HMAC_SECRET_FILE to the path of the mounted secret file, for example /run/secrets/ALTCHA_HMAC_SECRET. Ensure that the file at /run/secrets/ALTCHA_HMAC_SECRET contains only the raw secret value.
Default Required Variables
When Sentinel starts up, it checks whether the required environment variables — such as secrets — are set. If any are missing, Sentinel automatically generates random values for them and saves them to the /data/.env file on the persistent volume.
Although the auto-generated secrets are sufficient for most deployments, it’s recommended to configure them manually using secret management for better security and consistency. Alternatively, you can set the SECRET_SEED variable to cryptographically generate the required secrets from a fixed seed value.
Required variables:
ALTCHA_HMAC_SECRET
CODE_CHALLENGE_SECRET
CONTEXT_DATA_KEY
EXOTDB_HMAC_SECRET
HASHING_SALT
JWT_SECRET
NODE_ID
If auto-generated secrets already exist, you’ll need to remove them from the /data/.env file — this file overrides any globally defined environment variables. You can delete the secrets directly from the file or use the Application UI to manage them.
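A pre-flight check for the rules above (the _FILE convention, the /data/.env override, and the 24-character minimum on the secrets), written here as an added example rather than Sentinel’s own code. It assumes that a value in .env also takes precedence over a NAME_FILE variable, which the documentation does not state, and reports a secret file that holds more than the raw value as a warning.

```python
"""Pre-flight check for ALTCHA Sentinel secrets (added example, not Sentinel's code).
Documented rules mirrored: NAME_FILE points at a file whose raw contents become NAME,
data/.env overrides the process environment, and listed secrets need 24+ characters.
Assumption: a value in .env also wins over NAME_FILE (the documentation is silent)."""
import tempfile
from pathlib import Path

REQUIRED = ["ALTCHA_HMAC_SECRET", "CODE_CHALLENGE_SECRET", "CONTEXT_DATA_KEY",
            "EXOTDB_HMAC_SECRET", "HASHING_SALT", "JWT_SECRET", "NODE_ID"]
# Secrets the documentation gives a 24-character minimum (NODE_ID has none).
MIN_LEN_24 = {"ALTCHA_HMAC_SECRET", "CODE_CHALLENGE_SECRET", "JWT_SECRET",
              "EXOTDB_HMAC_SECRET"}

def parse_dotenv(text):
    """Minimal KEY=VALUE parser for data/.env; comments and blank lines are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"')
    return values

def resolve(name, env, dotenv):
    """Return (value, source, warnings); value is None when nothing sets the variable."""
    warnings = []
    if name in dotenv:  # data/.env overrides everything else
        return dotenv[name], "dotenv", warnings
    file_path = env.get(name + "_FILE")
    if file_path:
        raw = Path(file_path).read_text()
        if raw != raw.strip():  # the file must contain only the raw secret value
            warnings.append(f"{name}_FILE contains surrounding whitespace or a newline")
        return raw, "file", warnings
    if name in env:
        return env[name], "env", warnings
    return None, "missing", warnings

def check_required(env, dotenv):
    """Classify each required variable as ok, invalid (too short) or missing;
    missing ones are those Sentinel would auto-generate into /data/.env."""
    report = {}
    for name in REQUIRED:
        value, source, warnings = resolve(name, env, dotenv)
        if value is None:
            report[name] = ("missing", "will be auto-generated", warnings)
        elif name in MIN_LEN_24 and len(value.strip()) < 24:
            report[name] = ("invalid", f"{source}: shorter than 24 characters", warnings)
        else:
            report[name] = ("ok", source, warnings)
    return report

def demo():
    """Constructed scenario: one secret via _FILE (with the trailing newline an editor
    leaves behind), NODE_ID set both in .env and the process environment, a short JWT_SECRET."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = Path(tmp) / "ALTCHA_HMAC_SECRET"
        secret_file.write_text("constructed-example-secret-value-0123456789\n")
        env = {"ALTCHA_HMAC_SECRET_FILE": str(secret_file),
               "JWT_SECRET": "too-short", "NODE_ID": "node-from-process-env"}
        dotenv = parse_dotenv('# written by Sentinel on first start\nNODE_ID="node-from-dotenv"\n')
        return check_required(env, dotenv)
```

Run demo() against a real deployment by replacing its constructed env and .env text with os.environ and the contents of /data/.env.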
Supported Variables
Security & Authentication
ALTCHA_HMAC_SECRET
Secret key used for ALTCHA HMAC operations such as challenge signing. Must be at least 24 characters long.
Default: auto-generated
Required: yes
Constraints: minimum length of 24 characters
APP_IP_WHITELIST
Restricts access to the application and administrative endpoints to a comma-separated list of whitelisted IP addresses or network masks.
Default: "" (no restrictions)
Example: "127.0.0.1/32,::1/128,fd00::/8" to allow only localhost
CODE_CHALLENGE_SECRET
Secret key used for signing code challenges during authentication flows. Must be at least 24 characters long.
Default: auto-generated
Required: yes
Constraints: minimum length of 24 characters
JWT_ISSUER
Issuer identifier used when generating JWT tokens.
Default: "ALTCHA_SENTINEL"
Optional
JWT_SECRET
Secret key used to sign JWT tokens. Must be at least 24 characters long.
Default: auto-generated
Required: yes
Constraints: minimum length of 24 characters
JWT_TTL
Time-to-live (TTL) for generated JWT tokens. Expressed in a human-readable duration format.
Default: "24h"
Format: e.g., "1h", "30m", "7d"
PASSWORD_LOGIN_ENABLED
Whether password-based login is enabled.
Default: "1"
Values: "1" = enabled, "0" = disabled
PASSWORD_MIN_LENGTH
The minimum length of user-set passwords.
Default: "8"
Values: any integer
LICENSE_JSON
License file in JSON format (provide the file contents, not the file path). The JSON file is provided as an attachment in the license purchase email. Using this option disables the call-home mechanism. Note that this variable must be updated each time the license file is updated or renewed.
Default: empty string ("")
Optional
LICENSE_KEY
License key for the application.
Default: empty string ("")
Optional
SECRET_SEED
The secret seed value used to auto-generate the required secrets.
Default: empty string ("")
Optional
Networking & Access Control
ACCESS_LOG_ANONYMIZE_IP_ADDRESS
Whether to anonymize IP addresses in access logs.
Default: "1"
Values: "1" = yes, "0" = no
ACCESS_LOG_ENABLED
Whether access logging is enabled.
Default: "1"
Values: "1" = enabled, "0" = disabled
ALLOWED_HOSTS
Comma-separated list of allowed hostnames. Supports wildcards like *.example.com. If empty, all hosts are accepted.
Default: empty string ("")
Optional
X_FORWARDED_FOR_TRUSTED
Comma-separated list of trusted proxy IPs that are allowed to set the X-Forwarded-For header.
Default: empty string ("")
Optional
BASE_URL
Base URL used for generating absolute URLs within the application (e.g., for emails or redirects).
Default: empty string ("")
Optional
HTTP2_CERT
TLS certificate contents used to enable HTTP/2 support.
Default: empty string ("")
Optional
HTTP2_KEY
TLS certificate private key. Must be set together with HTTP2_CERT.
Default: empty string ("")
Optional
Caching
CACHE_DURATION_API_KEYS
How long to cache API keys before refreshing them.
Default: "10s"
Format: human-readable duration (e.g., "5m", "1h")
CACHE_DURATION_TRAINING_DATA
How long to cache training data before refreshing it.
Default: "1h"
Format: human-readable duration (e.g., "1d")
ClickHouse
CLICKHOUSE_URL
The full connection URL to your ClickHouse server. Supports additional configuration parameters.
Default: ""
Example: "http://user:password@localhost:8123/db_name"
Optional
CLICKHOUSE_BATCH_INTERVAL
The maximum time (in milliseconds) the client waits before flushing the batch buffer, even if it’s not full.
Default: "1000"
Optional
CLICKHOUSE_BATCH_MAX
The maximum number of entries allowed in the batch buffer before it is flushed.
Default: "100"
Optional
CLICKHOUSE_TLS_CA
The contents of the Certificate Authority (CA) file used to verify the server’s certificate during a TLS connection.
Default: ""
Optional
CLICKHOUSE_TLS_CERT
The contents of the client TLS certificate for mutual TLS authentication.
Default: ""
Optional
CLICKHOUSE_TLS_KEY
The contents of the private key associated with the TLS certificate.
Default: ""
Optional
Database & Snapshots
DATABASE_URL
Database connection URL.
Default: "http://root:root@localhost:4080?bootstrap=1"
Optional
EXOTDB_DATABASE_ADDR
Address the embedded database server binds to.
Default: ":::4080"
Optional
EXOTDB_DATABASE_LOCATION
File path where the embedded database is stored.
Default: "./db/altcha-sentinel.db"
Optional
EXOTDB_ENCRYPTION_KEY
Encryption key for the embedded database.
Using this option is generally not recommended, as it may create obstacles for recovery and debugging. Instead, use the standard volume encryption mechanism, and utilize SNAPSHOTS_ENCRYPTION_KEY for database snapshot encryption.
Default: empty string ("")
Optional
Constraints: minimum length of 24 characters
EXOTDB_HMAC_SECRET
HMAC secret for data signatures (mainly access-logs). Must be at least 24 characters long.
Default: empty string ("")
Optional
Constraints: minimum length of 24 characters
EXOTDB_REDIS_ADDR
Address the embedded Redis server binds to.
Default: ":::6389"
Optional
EXOTDB_REDIS_LOCATION
File path where the embedded Redis database is stored.
Default: "./db/redis.db"
Optional
EXOTDB_ROOT_PASSWORD
Root password for the embedded database.
Default: "root"
Optional
SNAPSHOTS_CRON_SCHEDULE
Cron schedule for automatic database snapshots. If empty, snapshotting is disabled.
Default: empty string ("")
Optional
Format: standard cron syntax (e.g., "0 2 * * *")
SNAPSHOTS_DB_PREFIX
Prefix path for storing database snapshots in storage.
Default: "altcha-sentinel-backups/db:${iso_date()}"
Optional
Note: ${iso_date()} will be replaced with the current date in ISO format.
SNAPSHOTS_ENCRYPTION_KEY
Optional encryption key for database snapshots.
Default: ""
Optional
SNAPSHOTS_STORAGE_PROVIDER
Storage provider to use for snapshots.
Default: "local"
Values: "local", "azure", "s3"
SNAPSHOTS_STORAGE_LOCAL_DIR
Local directory where snapshots should be stored.
Default: "backups"
Optional
SNAPSHOTS_STORAGE_AZURE_CONTAINER
Azure container name for storing snapshots.
Default: empty string ("")
Optional
SNAPSHOTS_STORAGE_AZURE_CONNECTION_STRING
Azure connection string for snapshot storage.
Default: empty string ("")
Optional
SNAPSHOTS_STORAGE_S3_BUCKET
AWS S3 bucket name for storing snapshots.
Default: empty string ("")
Optional
SNAPSHOTS_STORAGE_S3_ACCESS_KEY_ID
AWS access key ID for S3 snapshot storage.
Default: empty string ("")
Optional
SNAPSHOTS_STORAGE_S3_SECRET_ACCESS_KEY
AWS secret access key for S3 snapshot storage.
Default: empty string ("")
Optional
SNAPSHOTS_STORAGE_S3_REGION
AWS region for S3 snapshot storage.
Default: empty string ("")
Optional
SNAPSHOTS_STORAGE_S3_ENDPOINT
Custom endpoint URL for S3-compatible storage (e.g., MinIO).
Default: empty string ("")
Optional
PostgreSQL
POSTGRES_URL
PostgreSQL connection URL. To enable TLS/SSL, add ?sslmode=require, or ?sslmode=no-verify to skip CA verification.
Default: empty string ("")
Example: "postgresql://user:password@localhost:5432/altcha_sentinel"
Optional
POSTGRES_CONNECT_TIMEOUT
Timeout for PostgreSQL connections in milliseconds.
Default: "3000"
Optional
POSTGRES_IDLE_TIMEOUT
Close connections after the idle timeout in milliseconds. Set to 0 to disable auto-disconnection.
Default: "10000"
Optional
POSTGRES_MAX_CONNECTIONS
Maximum number of open connections in the pool.
Default: "10"
Optional
POSTGRES_MIN_CONNECTIONS
Minimum number of open connections in the pool.
Default: "0"
Optional
POSTGRES_SSL_CA
CA certificate contents for the TLS/SSL connection.
Default: empty string ("")
Optional
POSTGRES_SSL_CERT
Client certificate contents for the TLS/SSL connection.
Default: empty string ("")
Optional
POSTGRES_SSL_KEY
Private key contents for the TLS/SSL connection.
Default: empty string ("")
Optional
Redis
When connecting to Redis or other Redis-compatible caches, choose one of the following options. Do not combine them:
- REDIS_URL for single-instance Redis or serverless deployments — the most common choice.
- REDIS_CLUSTER_URL for Redis Cluster deployments.
- REDIS_SENTINEL_HOSTS for Redis Sentinel deployments.
REDIS_URL
Redis connection URL.
Default: "redis://root:root@localhost:6389"
Optional
REDIS_CLUSTER_URL
Redis Cluster only — comma-separated list of connection URLs for configuration endpoints or cluster nodes (e.g. redis://...).
Default: empty string ("")
Optional
REDIS_COMMAND_TIMEOUT
Timeout for Redis commands, in milliseconds.
Default: "1000"
Optional
REDIS_CONNECT_TIMEOUT
Timeout for establishing Redis connections, in milliseconds.
Default: "3000"
Optional
REDIS_MAX_RETRIES
Maximum number of retry attempts for Redis operations.
Default: "2"
Optional
REDIS_KEY_PREFIX
Prefix applied to all Redis keys.
Default: empty string ("")
Optional
REDIS_SENTINEL_HOSTS
Redis Sentinel — comma-separated list of Sentinel endpoints in host:port format.
Default: empty string ("")
Optional
REDIS_SENTINEL_MASTER_NAME
Redis Sentinel — name of the monitored master.
Default: empty string ("")
Optional
REDIS_SENTINEL_AUTH
Redis Sentinel — authentication credentials for connecting to the Sentinel endpoints.
Default: empty string ("")
Optional
REDIS_SENTINEL_REDIS_AUTH
Redis Sentinel — authentication credentials for connecting to Redis nodes via Sentinel.
Default: empty string ("")
Optional
REDIS_SENTINEL_TLS
Redis Sentinel — whether to use TLS for connections to the Sentinel endpoints.
Default: "0"
Values: "1" = enabled, "0" = disabled
REDIS_SENTINEL_REDIS_TLS
Redis Sentinel — whether to use TLS for connections to the Redis nodes reached via Sentinel.
Default: "0"
Values: "1" = enabled, "0" = disabled
Rate Limiting & Protection
FLOOD_RATE_LIMIT
Rate limit for flood protection, expressed as requests per duration (e.g., "100/1m").
Default: "100/1m"
Format: "requests/duration" (e.g., "50/30s")
FLOOD_RATE_LIMIT_KEY
Key used for rate limiting. Typically "ip".
Default: "ip"
Optional
Geolocation & Risk Detection
CLOUDFLARE_IP_COUNTRY_ENABLED
If set to a truthy value, Cloudflare’s CF-IPCountry HTTP header will be used for IP geolocation.
Default: empty string ("")
Optional
HIGH_RISK_COUNTRIES_EXCLUDE
Comma-separated list of country codes to exclude from high-risk classification. Refer to the Data Sources documentation for more details.
Default: empty string ("")
Optional
Example: "us,ru,il"
IP_API_COM_TOKEN
API token for the ip-api.com service, used for geolocation lookups.
Default: empty string ("")
Optional
IPINFO_IO_TOKEN
API token for the ipinfo.io service, used for geolocation lookups.
Default: empty string ("")
Optional
IPINFO_IO_LITE_ENABLED
If set to a truthy value, the Lite API endpoint (https://api.ipinfo.io/lite) will be used.
Default: empty string ("")
Optional
IPINFO_IO_MMDB_DOWNLOAD_SCHEDULE
Specifies the CRON-style schedule for automatically downloading the ipinfo.io MMDB database. Set this value to an empty string to disable automatic downloads.
Default: "0 0 * * *"
Optional
IPINFO_IO_MMDB_DOWNLOAD_URL
URL to download the MMDB database (e.g., https://ipinfo.io/data/ipinfo_lite.mmdb.gz?token=...). Required for local mode.
Default: empty string ("")
Optional
IPSTACK_COM_TOKEN
API token for the ipstack.com service, used for geolocation lookups.
Default: empty string ("")
Optional
IP_HEADERS_SECRET
Secret used to validate incoming IP headers.
Default: empty string ("")
Optional
EMAIL_LIST_DISPOSABLE_SCHEDULE
Specifies the CRON-style schedule for automatically downloading the list of disposable email domains. Set this value to an empty string to disable automatic downloads.
Default: "0 0 * * *"
Optional
EMAIL_LIST_DISPOSABLE
URL to a TXT file containing a list of disposable email domains.
Default: "https://raw.githubusercontent.com/disposable/disposable-email-domains/master/domains.txt"
Optional
MAXMIND_ACCOUNT_ID
Your MaxMind Account ID.
Default: empty string ("")
Optional
MAXMIND_LICENSE_KEY
Your MaxMind License Key.
Default: empty string ("")
Optional
MAXMIND_DOWNLOAD_URL
Download URL for the binary database in .tar.gz format.
Default: "https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"
Optional
MAXMIND_DOWNLOAD_SCHEDULE
MaxMind MMDB database update cron schedule.
Default: "0 0 * * *"
Optional
PHISHING_LIST_SCHEDULE
Specifies the CRON-style schedule for automatically downloading the list of phishing URLs. Set this value to an empty string to disable automatic downloads.
Default: "0 */12 * * *"
Optional
PHISHING_LIST_URL
URL to a CSV (TXT) file containing a list of phishing URLs.
Default: "https://data.phishtank.com/data/online-valid.csv"
Optional
Spam Handling
DELETE_SPAM_SUBMISSIONS_IN
Duration after which spam submissions are automatically deleted.
Default: "14d"
Format: human-readable duration (e.g., "7d", "24h")
Application Configuration
DATA_DIR
Directory where application data is stored.
Default: /data
Optional
DEFAULT_ACCOUNT_NAME
Name of the default account created on initial setup.
Default: "Default Account"
Optional
DEFAULT_ROOT_PASSWORD
Default root password for initial setup.
Default: "root"
Optional
NODE_ID
Unique identifier for this node in a cluster.
Default: auto-generated
Optional
NODE_NAME
Descriptive name for this node in a cluster.
Default: empty string ("")
Optional
PORT
Port the application listens on.
Default: "8080"
Optional
USER_AGENT
The User-Agent header used for external HTTP requests.
Default: "altcha-sentinel/{version}"
Optional
TZ
Application timezone. Defaults to the system timezone.
Default: system timezone
Optional
Logging
LOG_LEVEL
Application log level.
Default: "info"
Values: "debug", "fatal", "error", "info", "silent", "trace", "warn"
LOG_FORMAT
Log output format.
Default: "json"
Values: "json" or "plain"
REQUEST_LOGS_TTL
Time-to-live for request logs.
Default: "72h"
Format: human-readable duration (e.g., "24h")
Monitoring
MONITORING_HTTP_CREDENTIALS
HTTP basic auth credentials for monitoring endpoints.
Default: empty string ("")
Optional
MONITORING_IP_WHITELIST
Comma-separated list of IP ranges allowed to access monitoring endpoints.
Default: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.1/32,::1/128,fd00::/8,100.64.0.0/10"
Optional
OpenTelemetry
Enable OpenTelemetry by configuring the OTEL_EXPORTER_OTLP_ENDPOINT variable.
OTEL_EXPORTER_OTLP_ENDPOINT
The URL of the OpenTelemetry collector (e.g., https://localhost:4318).
Default: empty string ("")
Optional
OTEL_EXPORTER_OTLP_HEADERS
Custom headers to include in OTLP requests (e.g., api-key=key,other-config-value=value).
Default: empty string ("")
Optional
OTEL_EXPORTER_OTLP_TIMEOUT
The timeout value for all outgoing data in milliseconds.
Default: "10000"
Optional
OTEL_SERVICE_NAME
The logical name of the service that will appear in traces and logs (defaults to altcha-sentinel).
Default: "altcha-sentinel"
Optional
Single Sign-On (SSO)
These variables accept configuration strings for their respective identity providers. The format depends on the provider.
SSO_AZURE
Azure OIDC SSO configuration.
Default: empty string ("")
Optional
SSO_GOOGLE
Google OIDC SSO configuration.
Default: empty string ("")
Optional
SSO_KEYCLOAK
Keycloak OIDC SSO configuration.
Default: empty string ("")
Optional
SSO_LDAP
LDAP SSO configuration.
Default: empty string ("")
Optional
SSO_OKTA
Okta OIDC SSO configuration.
Default: empty string ("")
Optional
SMTP / Email
EML_BODY_LIMIT
The maximum body size limit for the POST /v1/eml endpoint.
Default: "5MB"
SMTP_URL
URL for the SMTP server used to send outgoing emails.
Default: empty string ("")
Optional
File Storage
STORAGE_PROVIDER
Storage provider to use for file storage.
Default: "local"
Values: "local", "azure", "s3"
STORAGE_LOCAL_DIR
Local directory where uploaded files are stored.
Default: "uploads"
Optional
STORAGE_AZURE_CONTAINER
Azure container name for file storage.
Default: empty string ("")
Optional
STORAGE_AZURE_CONNECTION_STRING
Azure connection string for file storage.
Default: empty string ("")
Optional
STORAGE_S3_BUCKET
AWS S3 bucket name for file storage.
Default: empty string ("")
Optional
STORAGE_S3_ACCESS_KEY_ID
AWS access key ID for S3 file storage.
Default: empty string ("")
Optional
STORAGE_S3_SECRET_ACCESS_KEY
AWS secret access key for S3 file storage.
Default: empty string ("")
Optional
STORAGE_S3_REGION
AWS region for S3 file storage.
Default: empty string ("")
Optional
STORAGE_S3_ENDPOINT
Custom endpoint URL for S3-compatible file storage (e.g., MinIO).
Default: empty string ("")
Optional
AI Providers
AI_PROVIDER
The name of the AI provider.
Default: empty string ("")
Values: "anthropic", "azure", "google", "mistral", "ollama", "openai"
Optional
AI_PROVIDER_MODEL
The name of the model to use.
Default: empty string ("")
Optional
AI_PROVIDER_OPTIONS
Extra configuration options for the AI provider, encoded as JSON.
Default: empty string ("")
Optional
AI_PROVIDER_REQUEST_OPTIONS
Extra parameters to be sent in the API request, encoded as JSON.
Default: empty string ("")
Optional
Threat Intelligence
THREATS_ENABLED
Whether threat intelligence is enabled.
Default: "1"
Values: "1" = enabled, "0" = disabled
THREATS_BOT_LIMIT
Rate limit for threats of kind bot, optionally with an expire parameter.
Default: empty string ("")
Optional
THREATS_MALICIOUS_LIMIT
Rate limit for threats of kind malicious, optionally with an expire parameter.
Default: "10/5m(expire=48h)"
Optional
THREATS_PROBE_LIMIT
Rate limit for threats of kind probe, optionally with an expire parameter.
Default: "2/5m(expire=48h)"
Optional
THREATS_PROXY_LIMIT
Rate limit for threats of kind proxy, optionally with an expire parameter.
Default: empty string ("")
Optional
THREATS_TOR_LIMIT
Rate limit for threats of kind tor, optionally with an expire parameter.
Default: empty string ("")
Optional
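The "requests/duration" format used by FLOOD_RATE_LIMIT and the "(expire=...)" suffix of the THREATS_*_LIMIT variables, parsed and applied in an added example that is not Sentinel’s own code. It assumes the duration units s, m, h and d seen in the page’s examples, and a trailing-window counting rule in evaluate() that the documentation does not specify.

```python
"""Parser and evaluator for the rate-limit strings documented for FLOOD_RATE_LIMIT
("requests/duration", e.g. "100/1m") and the THREATS_*_LIMIT variables, which add an
optional "(expire=...)" suffix, e.g. "10/5m(expire=48h)". Added example, not Sentinel's
own code; the units s/m/h/d are those used in the page's examples, and the enforcement
semantics in evaluate() are an assumption."""
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
DURATION_RE = re.compile(r"^(\d+)([smhd])$")
LIMIT_RE = re.compile(r"^(\d+)/(\d+[smhd])(?:\(expire=(\d+[smhd])\))?$")

def parse_duration(text):
    """'30m' -> 1800 seconds; anything outside <number><s|m|h|d> is rejected."""
    m = DURATION_RE.match(text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def parse_limit(text):
    """Return {'requests', 'window_seconds', 'expire_seconds'}; an empty string
    (the default of several THREATS_* variables) is returned as None, i.e. unset."""
    if text == "":
        return None
    m = LIMIT_RE.match(text)
    if not m:
        raise ValueError(f"bad rate limit: {text!r}")
    requests = int(m.group(1))
    if requests == 0:
        raise ValueError("requests must be positive")
    expire = parse_duration(m.group(3)) if m.group(3) else None
    return {"requests": requests, "window_seconds": parse_duration(m.group(2)),
            "expire_seconds": expire}

def valid_limit(text):
    """True when the string parses (or is empty); lets a deployment fail fast on bad config."""
    try:
        parse_limit(text)
        return True
    except ValueError:
        return False

def evaluate(limit, event_times, now):
    """Assumed semantics: the limit is exceeded once more than `requests` events fall
    inside the trailing window ending at `now`; with expire set, the resulting block
    lasts expire_seconds from `now`. Returns (exceeded, block_until_or_None)."""
    if limit is None:
        return False, None
    recent = [t for t in event_times if now - limit["window_seconds"] < t <= now]
    if len(recent) <= limit["requests"]:
        return False, None
    expire = limit["expire_seconds"]
    return True, (now + expire if expire else None)
```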
Miscellaneous
ANONYMIZE_IP_ADDRESS
Whether to generally anonymize IP addresses.
Default: "1"
Values: "1" = yes, "0" = no
INSPECT_ROUTE_ENABLED
Whether the GET /v1/inspect route is enabled.
Default: "1"
Values: "1" = yes, "0" = no
HASHING_SALT
Random hashing salt used for IP and EDK hashing.
CONTAINER_MEMORY_LIMIT_MB
Manual override for the application’s memory limit. If not set, the limit is automatically detected from the container configuration, or defaults to a minimum of 2 GB.
Example: "4096" (4 GB)
Required Variables
The following environment variables are required for the application to function:
ALTCHA_HMAC_SECRET
CODE_CHALLENGE_SECRET
JWT_SECRET
NODE_ID
For first-time setup, these will be automatically generated if not provided.