7. Environment Variables
STIG Manager is configured via its Environment Variables:
Variable |
Description |
Affects |
|---|---|---|
STIGMAN_API_ADDRESS |
Default
0.0.0.0The IP address on which the the API server will listen
|
API |
STIGMAN_API_MAX_JSON_BODY |
Default
5242880The maximum size in bytes of the request body when Content-Type is application/json
|
API |
STIGMAN_API_MAX_UPLOAD |
Default
1073741824The maximum size in bytes of the file uploaded with Content-Type multipart/form-data
|
API |
STIGMAN_API_PORT |
Default
54000The TCP port on which the server will listen
|
API |
STIGMAN_CLASSIFICATION |
Default
USets the classification banner, if any. Available values:
NONE U CUI C S TS SCI |
API, Client |
STIGMAN_CLIENT_API_BASE |
Default
./apiThe base URL for Client requests to the API relative to the sever root at /
|
Client |
STIGMAN_CLIENT_DIRECTORY |
Default
./clientsThe location of the web client files, relative to the API source directory. Note that if running source from a clone of the GitHub repository, the client is located at ../../clients relative to the API directory.
|
API, Client |
STIGMAN_CLIENT_DISABLED |
Default
falseWhether to not serve the reference web client
|
Client |
STIGMAN_CLIENT_EXTRA_SCOPES |
No default
A space separated list of OAuth2 scopes to request in addition to
stig-manager:stig stig-manager:stig:read stig-manager:collection stig-manager:user stig-manager:user:read stig-manager:op. Some OIDC providers (Okta) generate a refresh token only if the scope offline_access is requested |
Client |
STIGMAN_CLIENT_ID |
Default
stig-managerThe OIDC clientId of the web client
|
Client |
STIGMAN_CLIENT_OIDC_PROVIDER |
Default Value of
STIGMAN_OIDC_PROVIDERClient override of the base URL of the OIDC provider issuing signed JWTs for the API. The string
/.well-known/openid-configuration will be appended by the client when fetching metadata. |
Client |
STIGMAN_CLIENT_SCOPE_PREFIX |
No default
String used as a prefix for each scope when authenticating to the OIDC Provider. Some providers (Azure AD) expect scope requests in the format
api://<application_id>/<scope>, where api://<application_id>/ is the required prefix. |
Client |
STIGMAN_CLIENT_REFRESH_DISABLED |
Default
falseWhether the web client should use a provided refresh token to update the access token
|
Client |
STIGMAN_CLIENT_WELCOME_IMAGE |
No default
The URL of an image hosted elsewhere that will be rendered in the Home tab Welcome widget. The STIGMan app does not serve the image itself, only the reference to it. The URL should be in relation to and accessible from the client’s browser. The image will be scaled to a max width or height of 125 pixels - If no alternate image is specified, the seal of the Department of the Navy (the project sponsor) will be displayed.
|
Client Appearance |
STIGMAN_CLIENT_WELCOME_LINK |
No default
Value of an optional link that will follow the Welcome message in the Home tab Welcome widget.
|
Client Appearance |
STIGMAN_CLIENT_WELCOME_MESSAGE |
No default
Text that will be displayed in the Home tab Welcome widget.
|
Client Appearance |
STIGMAN_CLIENT_WELCOME_TITLE |
Default
SupportThe tile that will be displayed for the custom Home tab Welcome message.
|
Client Appearance |
STIGMAN_DB_HOST |
Default
localhostThe database hostname or IP from to the API server
|
API |
STIGMAN_DB_MAX_CONNECTIONS |
Default
25The maximum size of the database connection pool
|
API |
STIGMAN_DB_PASSWORD |
No default
The password used to login to the database
|
API |
STIGMAN_DB_PORT |
Default
3306The database TCP port relative to the API server
|
API |
STIGMAN_DB_SCHEMA |
Default
stigmanThe schema where the STIG Manager object are found
|
API |
STIGMAN_DB_TLS_CA_FILE |
No default
A file/path relative to the API /tls directory that contains the PEM encoded CA certificate used to sign the database TLS certificate. Setting this variable enables TLS connections to the database.
|
API |
STIGMAN_DB_TLS_CERT_FILE |
No default
A file/path relative to the API /tls directory that contains the PEM encoded Client certificate used when authenticating the database client. Additionally requires setting values for
STIGMAN_DB_TLS_CA_FILE and STIGMAN_DB_TLS_KEY_FILE. |
API |
STIGMAN_DB_TLS_KEY_FILE |
No default
A file/path relative to the API /tls directory that contains the PEM encoded Client private key used when authenticating the database client. Additionally requires setting values for
STIGMAN_DB_TLS_CA_FILE and STIGMAN_DB_TLS_CERT_FILE. |
API |
STIGMAN_DB_USER |
Default
stigmanThe user account used to login to the database
|
API |
STIGMAN_DOCS_DIRECTORY |
Default
./docsThe location of the documentation files, relative to the API source directory. Note that if running source from a clone of the GitHub repository, the docs are located at ../../docs/_build/html relative to the API directory.
|
API, documentation |
STIGMAN_DOCS_DISABLED |
Default
falseWhether to not serve the project Documentation. NOTE: If you choose to serve the Client from the API container but not the Documentation, the links do the Docs on the home page will not work.
|
Documentation |
STIGMAN_EXPERIMENTAL_APPDATA |
Default
falseSet to
true to enable the experimental AppData import/export API endpoints and User Interface. |
API, Client |
STIGMAN_LOG_LEVEL |
Default
3Controls the granularity of the generated log output, from 1 to 4. Each level is inclusive of the ones before it. Level 1 will log only errors, level 2 includes warnings, level 3 includes status and transaction logs, and level 4 includes debug-level logs
|
API |
STIGMAN_LOG_MODE |
Default
combinedControls whether the logs will create one “combined” log entry for http requests that includes both the request and response information; or two separate log entries, one for the request and one for the response, that can be correlated via a generated Request GUID in each entry
|
API |
STIGMAN_JWT_ASSERTION_CLAIM |
Default
jtiThe access token claim whose value is the OIDC provider’s Assertion ID. Updates to this value trigger the API to update a User’s
lastClaims property. The claim MUST be a top-level claim and cannot be nested. |
API |
STIGMAN_JWT_EMAIL_CLAIM |
Default
emailThe access token claim whose value is the user’s email address
|
API, Client |
STIGMAN_JWT_NAME_CLAIM |
Default
nameThe access token claim whose value is the user’s full name
|
API, Client |
STIGMAN_JWT_PRIVILEGES_CLAIM |
Default
realm_access.rolesThe access token claim whose value is the user’s privileges
|
API, Client |
STIGMAN_JWT_SCOPE_CLAIM |
Default
scopeThe access token claim whose value is the user’s scopes. Some OIDC Providers (Okta, Azure AD) use the claim
scp to enumerate scopes |
API, Client |
STIGMAN_JWT_SERVICENAME_CLAIM |
Default
clientIdThe access token claim whose value is the user’s client
|
API, Client |
STIGMAN_JWT_USERNAME_CLAIM |
Default
preferred_usernameThe access token claim whose value is the user’s username
|
API, Client |
STIGMAN_OIDC_PROVIDER |
Default
http://localhost:8080/auth/realms/stigmanThe base URL of the OIDC provider issuing signed JWTs for the API. The string
/.well-known/openid-configuration will be appended when fetching metadata. |
API, Client |
STIGMAN_SWAGGER_ENABLED |
Default
falseWhether to enable the SwaggerUI SPA at /api-docs
|
API |
STIGMAN_SWAGGER_OIDC_PROVIDER |
Default Value of
STIGMAN_OIDC_PROVIDERSwaggerUI override of the base URL of the OIDC provider issuing signed JWTs for the API. The string
/.well-known/openid-configuration will be appended by the SwaggerUI when fetching metadata. |
API |
STIGMAN_SWAGGER_REDIRECT |
Default
http://localhost:54000/api-docs/oauth2-redirect.htmlThe redirect URL sent by SwaggerUI to the OIDC provider when authorizing
|
API |
STIGMAN_SWAGGER_SERVER |
Default
http://localhost:54000/apiThe API server URL relative to the SwaggerUI
|
API |
Variable |
Description |
Affects |
|---|---|---|
NODE_EXTRA_CA_CERTS |
[your CA certificate file path] Set this Node.js environment variable to direct Node to accept CA certificates you have provided, in addition to its built-in CA certs. |
Node.js, API |