Configuration Options
Xylok reads configuration data from /etc/xylok.conf. After any configuration change, reload the configuration by running:
sudo systemctl restart xylok
The most common options are covered below. Other configuration items may appear in your configuration, but they should generally only be changed at the direction of Xylok support. A more complete list of Xylok settings can be obtained by running /opt/xylok/xylok settings.
DATABASE_PASSWORD
: Password used to connect to the database as the default “postgres” user. This defaults to a password generated when Xylok is first installed and is unique to your installation. If changed, ensure the Postgres database is updated as well.
DEBUG
: If True, shows stack traces in error messages to assist when contacting Xylok Support. Publicly reachable installs may wish to disable this for security reasons.
HTTP_ONLY
: If True, disables listening on the HTTPS port and allows all calls to happen over HTTP. Useful if running Xylok behind a reverse proxy which is already terminating HTTPS.
HTTP_PORT
: Port to listen on for HTTP connections.
HTTPS_PORT
: Port to listen on for HTTPS connections. If changed from the default 443, automatic redirects from HTTP to HTTPS will no longer work correctly.
ALLOWED_DOMAINS
: A comma-separated list of domains which this server will respond to and generate HTTPS certificates for. Each entry is treated as a Go regular expression and tested with the regexp.Match function. Regardless of this setting, “host less” requests are always allowed so that internal requests work. If not given or blank, all domains are allowed.
USE_SMTP
: If True, enables password recovery via email. Use the EMAIL_* options below to configure connection settings.
EMAIL_FROM
: Email address to use for the “From” header in emails.
EMAIL_HOST
: SMTP server to connect to.
EMAIL_PORT
: Port number on the SMTP server to use.
EMAIL_HOST_USER
: Username on the SMTP server.
EMAIL_HOST_PASSWORD
: Password on the SMTP server.
WORKER_COUNT
: For systems with adequate RAM, increasing this may improve performance in some instances. Alternatively, it may be reduced if needed, although it is recommended not to go below 2 workers.
ENABLE_UNREADY_VERSIONS
: If enabled, allows the use of benchmark versions for which Xylok has not finalized testing commands. Enabling this may result in scripts that do not work properly.
CONTROL_SET
: Defaults to `rmfrev4`, using the NIST 800-53 Rev 4 control set. May be swapped to `rmfrev5` to use Rev 5, although the S6 MAD has not been updated yet.
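The ALLOWED_DOMAINS entry above says each item is matched with Go's regexp.Match. One consequence worth seeing in working code is that regexp.Match is not anchored and a bare `.` matches any character, so an entry written as a plain hostname also accepts longer or differently punctuated hosts; anchoring and escaping the entry gives an exact match. The following is an added example, not Xylok's own code: it reimplements the documented semantics (comma-separated regexps, blank setting allows everything, host-less requests always allowed) in a small function and contrasts a loose entry with an anchored one. The function name and the sample hostnames are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// allowedHost reports whether a request Host value is accepted under a given
// ALLOWED_DOMAINS setting, following the documented rules: entries are
// comma-separated Go regular expressions tested with regexp.Match, a blank
// setting allows all domains, and a request with no host is always allowed.
// (Illustrative reimplementation; not the Xylok implementation itself.)
func allowedHost(allowedDomains, host string) (bool, error) {
	if host == "" {
		return true, nil // "host less" requests are always accepted
	}
	if strings.TrimSpace(allowedDomains) == "" {
		return true, nil // unset or blank: all domains allowed
	}
	for _, pattern := range strings.Split(allowedDomains, ",") {
		pattern = strings.TrimSpace(pattern)
		if pattern == "" {
			continue
		}
		// regexp.Match is unanchored: it succeeds if the pattern matches
		// anywhere inside host, not only when host equals the pattern.
		matched, err := regexp.Match(pattern, []byte(host))
		if err != nil {
			return false, fmt.Errorf("ALLOWED_DOMAINS entry %q: %w", pattern, err)
		}
		if matched {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	loose := "xylok.example.com"        // as many people would write it
	strict := `^xylok\.example\.com$`   // anchored, dots escaped
	hosts := []string{ // constructed sample Host values
		"xylok.example.com",
		"xylok.example.com.other.test",
		"xylokXexampleXcom",
		"",
	}
	for _, h := range hosts {
		l, _ := allowedHost(loose, h)
		s, _ := allowedHost(strict, h)
		fmt.Printf("%-34q loose=%-5v strict=%v\n", h, l, s)
	}
}
```

Running it shows the loose entry accepting all three non-empty hosts while the anchored entry accepts only the exact name; the empty host is accepted under both, as the setting's description states. When populating ALLOWED_DOMAINS, writing each entry as `^name\.example\.com$` keeps the allow-list, and therefore the set of names HTTPS certificates are generated for, limited to the hosts you intend.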
Xylok offers several configuration options to optionally lock down the containers further. First, CPU and memory limits can be imposed. Memory limits follow the values for the Docker flag --memory and impose a strict upper limit on the memory that the specific container can consume. CPU limits follow the values for the Docker flag --cpu-shares, ranging from 0 to 1024, where 1024 is “100%” of the available CPU and anything less is a proportion of 100%. The exact variable names in the xylok.conf file are below, along with any specific recommendations. More details can be found in the Security article.
LIMIT_MEM
: Not recommended to go below 2048Mb.
LIMIT_CPU
: Limiting CPU will have one of the largest impacts on Xylok’s performance, so this should be kept as high as reasonable.
BIND_IP
: IP of the interface for Xylok to listen on. If not given, Xylok will bind to all interfaces.
BANNER
: If set, Xylok will require the user to read and agree to the specified banner. To include newlines, type \n.
SESSION_LENGTH
: Maximum user session length in seconds. If 0, sessions expire at the end of the browser session. Defaults to 2 weeks.
SESSION_EXPIRE_AT_BROWSER_CLOSE
: Terminate the session when the user closes their browser window.
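Because LIMIT_MEM takes Docker --memory style values and LIMIT_CPU takes --cpu-shares values, a quick way to sanity-check a configuration before restarting is to parse those two settings and compare them with the recommendations above (memory not below 2048Mb, CPU kept as high as reasonable within 0 to 1024). The code below is an added example, not part of Xylok or its tooling. It assumes the integer-plus-suffix forms that docker run accepts for --memory (b, k, m, g, optionally followed by b, case-insensitive) and reads the two values as plain strings; the function names, the 2048Mb threshold and the sample values are taken from or constructed for this page.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

const (
	minMemMiB    = 2048 // page recommendation: do not go below 2048Mb
	maxCPUShares = 1024 // --cpu-shares upper bound, "100%" of available CPU
)

// parseMemory converts a Docker --memory style value ("2048m", "4G", "2gb",
// "1073741824") into bytes. Suffix handling mirrors the forms docker run
// accepts; anything else is rejected rather than guessed at.
func parseMemory(s string) (int64, error) {
	s = strings.TrimSpace(strings.ToLower(s))
	if s == "" {
		return 0, errors.New("empty memory value")
	}
	s = strings.TrimSuffix(s, "b") // "2048mb" -> "2048m", "512b" -> "512"
	mult := int64(1)
	switch s[len(s)-1] {
	case 'k':
		mult, s = 1<<10, s[:len(s)-1]
	case 'm':
		mult, s = 1<<20, s[:len(s)-1]
	case 'g':
		mult, s = 1<<30, s[:len(s)-1]
	}
	n, err := strconv.ParseInt(s, 10, 64)
	if err != nil || n <= 0 {
		return 0, fmt.Errorf("invalid memory value %q", s)
	}
	return n * mult, nil
}

// checkLimits validates LIMIT_MEM and LIMIT_CPU as they would appear in
// xylok.conf and returns human-readable findings. An empty value means the
// limit is not set and is skipped; a malformed value is an error.
func checkLimits(limitMem, limitCPU string) ([]string, error) {
	var findings []string
	if limitMem != "" {
		bytes, err := parseMemory(limitMem)
		if err != nil {
			return nil, fmt.Errorf("LIMIT_MEM: %w", err)
		}
		if bytes < minMemMiB<<20 {
			findings = append(findings,
				fmt.Sprintf("LIMIT_MEM=%s is below the recommended %dMb", limitMem, minMemMiB))
		}
	}
	if limitCPU != "" {
		shares, err := strconv.Atoi(strings.TrimSpace(limitCPU))
		if err != nil || shares < 0 || shares > maxCPUShares {
			return nil, fmt.Errorf("LIMIT_CPU=%q must be an integer from 0 to %d", limitCPU, maxCPUShares)
		}
		if shares < maxCPUShares {
			findings = append(findings,
				fmt.Sprintf("LIMIT_CPU=%d caps Xylok at %.0f%% of available CPU; keep this as high as reasonable",
					shares, 100*float64(shares)/maxCPUShares))
		}
	}
	return findings, nil
}

func main() {
	// Constructed sample values, as a weak and a recommended configuration.
	for _, cfg := range [][2]string{{"1024m", "512"}, {"4g", "1024"}} {
		findings, err := checkLimits(cfg[0], cfg[1])
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("LIMIT_MEM=%s LIMIT_CPU=%s -> %d finding(s)\n", cfg[0], cfg[1], len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The first sample configuration produces two findings (memory under 2048Mb and CPU at 50%), the second none. The same parsing can be reused for any other Docker-style size value you keep in the file.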
Xylok can optionally support login via Active Directory; for more details, please see Active Directory Login.