Configuration
Configuration for Dokku Pro is contained in the /etc/default/dokku-pro file.
The contents are configured in the format key=value as shown below:
API_JWT_ACCESSSECRET=asdfghjklzxc
API_JWT_REFRESHSECRET=qwertyuiopzxcvbnmas
ROOT_TOKEN=password
LICENSE_KEY=CONTENTS_OF_LICENSE_KEY
The configuration keys and potential values are described below.
General
DATABASE_LOCATION
- Type: string
- Default:
/var/lib/dokku/data/pro/db - Description: A full path to the dokku-pro database location. All parent directories should exist, or dokku-pro will fail to start.
LOG_TTL
- Default:
10080(7 days) - Description: Number of minutes to store log messages for
- Type: int minutes
API
API_JWT_ACCESSSECRET
- default: empty string
- description: An access secret value for use with the jwt token
- required: true
- type: string
API_JWT_REFRESHSECRET
- default: empty string
- description: An access secret value for use with the jwt token
- required: true
- type: string
Apps
APPS_FILTER
New as of 1.2
- default: empty list
- description: A list of apps to filter from showing in the admin and api for cosmetic reasons.
- required: false
- type: list of strings (comma-delimited)
Auth
ROOT_TOKEN
- default: empty string
- description: A token to use for basic auth login, disables auth otherwise
- required: true
- type: string
ROOT_USERNAME
New as of 1.2
If this value is changed and team management is enabled, the username must be manually added to the global admin team.
- default:
root - description: The username to use as the "root" system user.
- required: true
- type: string
Reverse proxy authentication
See the reverse proxy authentication feature documentation for the security model and per-proxy setup.
REVERSE_PROXY_AUTH_ENABLED
New as of 1.4.0
- default:
false - description: Whether to trust a reverse proxy to authenticate users via a request header. When disabled, the header is ignored.
- required: false
- type: bool
REVERSE_PROXY_AUTH_HEADER
New as of 1.4.0
- default:
X-WEBAUTH-USER - description: The request header to read the authenticated username from.
- required: false
- type: string
REVERSE_PROXY_AUTH_TRUSTED_PROXIES
New as of 1.4.0
- default: empty list
- description: IP addresses or CIDR ranges of the proxies allowed to set the identity
header, matched against the request's immediate peer. A single
*trusts any source. When empty, the header is never trusted, so the feature is inert even when enabled. - required: false
- type: list of strings (comma-delimited)
REVERSE_PROXY_AUTH_AUTO_REGISTRATION
New as of 1.4.0
- default:
false - description: Whether to auto-create a passwordless user the first time an unknown but valid username arrives in the trusted header. When disabled, unknown users are rejected.
- required: false
- type: bool
REVERSE_PROXY_AUTH_REGISTRATION_TEAM
New as of 1.4.0
- default: empty string
- description: A team an auto-registered user is added to as a member at creation. The team must already exist or registration fails. Users are only added on creation, never on subsequent logins.
- required: false
- type: string
REVERSE_PROXY_AUTH_STRIP_EMAIL_DOMAIN
New as of 1.4.0
- default:
false - description: Whether to strip a trailing
@domainfrom the header value, mapping an email such asalice@example.comto the usernamealice. Case is preserved. - required: false
- type: bool
License
LICENSE_KEY
- default: empty string
- description: License key for the service
- type: string
LICENSE_KEY_FILE
- default: empty string
- description: Path to file containing license key
- type: string
Server
SERVER_GIT_ENABLED
New as of 1.3.1
- default:
true - description: Whether the built-in git http server is enabled. When disabled,
the git routes are not registered and requests to
/@gitpaths return the standard 404 page without a basic auth challenge. - type: bool
SERVER_GIT_PUSH_URL_BASE
New as of 1.3.1
- default: empty string
- description: A base URL used to build the git push URL shown for each app,
e.g.
https://git.example.com/@git. The app name is appended to this value (trailing slashes are stripped) and the result is exposed as thepush_urlattribute on app objects and displayed on the app detail page. Useful when the git server is reached through a different hostname or proxy than the dashboard. When empty, the UI derives the push URL from the browser location. - type: string
SERVER_LOGIN_MESSAGE
New as of 1.3.1
- default: empty string
- description: A plain-text message shown as a banner on the sign-in screen, used to signal site status or tell people how to authenticate. Line breaks are preserved and the value is served without authentication so the UI can display it before login. When empty, no banner is shown.
- type: string
SERVER_PUBLIC_URL
- default:
https://admin.dokku.me - description: The domain name to use for your dokku pro installation, including schema. Used by the CLI to construct urls to the app.
- type: string
SERVER_READ_TIMEOUT
- default:
10 - description: The maximum duration for reading the entire request, including the body. A zero or negative value means there will be no timeout.
- type: int seconds
SERVER_WRITE_TIMEOUT
- default:
20 - description: The maximum duration before timing out writes of the response.It is reset whenever a new request's header is read. Like ReadTimeout, it does not let Handlers make decisions on a per-request basis. A zero or negative value means there will be no timeout.
- type: int seconds
SERVER_NETWORK
- default:
tcp - description: The local network address to listen to.
- options: [
tcp,tcp4,tcp6] - type: string
PORT
- default:
5000 - description: The port to listen on
- type: int
PUBLIC_URL
- default:
https://admin.dokku.me - description: The base URL at which Dokku Pro is hosted at. This base URL will be used by Dokku Pro to construct URLs in the CLI, such as generating password reset links.
- type: string