Skip to content

Configuration

Configuration for Dokku Pro is contained in the /etc/default/dokku-pro file. The contents are configured in the format key=value as shown below:

API_JWT_ACCESSSECRET=asdfghjklzxc
API_JWT_REFRESHSECRET=qwertyuiopzxcvbnmas
ROOT_TOKEN=password
LICENSE_KEY=CONTENTS_OF_LICENSE_KEY

The configuration keys and potential values are described below.

General

DATABASE_LOCATION

  • Type: string
  • Default: /var/lib/dokku/data/pro/db
  • Description: A full path to the dokku-pro database location. All parent directories should exist, or dokku-pro will fail to start.

LOG_TTL

  • Default: 10080 (7 days)
  • Description: Number of minutes to store log messages for
  • Type: int minutes

API

API_JWT_ACCESSSECRET

  • default: empty string
  • description: An access secret value for use with the jwt token
  • required: true
  • type: string

API_JWT_REFRESHSECRET

  • default: empty string
  • description: An access secret value for use with the jwt token
  • required: true
  • type: string

Apps

APPS_FILTER

New as of 1.2

  • default: empty list
  • description: A list of apps to filter from showing in the admin and api for cosmetic reasons.
  • required: false
  • type: list of strings (comma-delimited)

Auth

ROOT_TOKEN

  • default: empty string
  • description: A token to use for basic auth login, disables auth otherwise
  • required: true
  • type: string

ROOT_USERNAME

New as of 1.2

If this value is changed and team management is enabled, the username must be manually added to the global admin team.

  • default: root
  • description: The username to use as the "root" system user.
  • required: true
  • type: string

Reverse proxy authentication

See the reverse proxy authentication feature documentation for the security model and per-proxy setup.

REVERSE_PROXY_AUTH_ENABLED

New as of 1.4.0

  • default: false
  • description: Whether to trust a reverse proxy to authenticate users via a request header. When disabled, the header is ignored.
  • required: false
  • type: bool

REVERSE_PROXY_AUTH_HEADER

New as of 1.4.0

  • default: X-WEBAUTH-USER
  • description: The request header to read the authenticated username from.
  • required: false
  • type: string

REVERSE_PROXY_AUTH_TRUSTED_PROXIES

New as of 1.4.0

  • default: empty list
  • description: IP addresses or CIDR ranges of the proxies allowed to set the identity header, matched against the request's immediate peer. A single * trusts any source. When empty, the header is never trusted, so the feature is inert even when enabled.
  • required: false
  • type: list of strings (comma-delimited)

REVERSE_PROXY_AUTH_AUTO_REGISTRATION

New as of 1.4.0

  • default: false
  • description: Whether to auto-create a passwordless user the first time an unknown but valid username arrives in the trusted header. When disabled, unknown users are rejected.
  • required: false
  • type: bool

REVERSE_PROXY_AUTH_REGISTRATION_TEAM

New as of 1.4.0

  • default: empty string
  • description: A team an auto-registered user is added to as a member at creation. The team must already exist or registration fails. Users are only added on creation, never on subsequent logins.
  • required: false
  • type: string

REVERSE_PROXY_AUTH_STRIP_EMAIL_DOMAIN

New as of 1.4.0

  • default: false
  • description: Whether to strip a trailing @domain from the header value, mapping an email such as alice@example.com to the username alice. Case is preserved.
  • required: false
  • type: bool

License

LICENSE_KEY

  • default: empty string
  • description: License key for the service
  • type: string

LICENSE_KEY_FILE

  • default: empty string
  • description: Path to file containing license key
  • type: string

Server

SERVER_GIT_ENABLED

New as of 1.3.1

  • default: true
  • description: Whether the built-in git http server is enabled. When disabled, the git routes are not registered and requests to /@git paths return the standard 404 page without a basic auth challenge.
  • type: bool

SERVER_GIT_PUSH_URL_BASE

New as of 1.3.1

  • default: empty string
  • description: A base URL used to build the git push URL shown for each app, e.g. https://git.example.com/@git. The app name is appended to this value (trailing slashes are stripped) and the result is exposed as the push_url attribute on app objects and displayed on the app detail page. Useful when the git server is reached through a different hostname or proxy than the dashboard. When empty, the UI derives the push URL from the browser location.
  • type: string

SERVER_LOGIN_MESSAGE

New as of 1.3.1

  • default: empty string
  • description: A plain-text message shown as a banner on the sign-in screen, used to signal site status or tell people how to authenticate. Line breaks are preserved and the value is served without authentication so the UI can display it before login. When empty, no banner is shown.
  • type: string

SERVER_PUBLIC_URL

  • default: https://admin.dokku.me
  • description: The domain name to use for your dokku pro installation, including schema. Used by the CLI to construct urls to the app.
  • type: string

SERVER_READ_TIMEOUT

  • default: 10
  • description: The maximum duration for reading the entire request, including the body. A zero or negative value means there will be no timeout.
  • type: int seconds

SERVER_WRITE_TIMEOUT

  • default: 20
  • description: The maximum duration before timing out writes of the response.It is reset whenever a new request's header is read. Like ReadTimeout, it does not let Handlers make decisions on a per-request basis. A zero or negative value means there will be no timeout.
  • type: int seconds

SERVER_NETWORK

  • default: tcp
  • description: The local network address to listen to.
  • options: [tcp, tcp4, tcp6]
  • type: string

PORT

  • default: 5000
  • description: The port to listen on
  • type: int

PUBLIC_URL

  • default: https://admin.dokku.me
  • description: The base URL at which Dokku Pro is hosted at. This base URL will be used by Dokku Pro to construct URLs in the CLI, such as generating password reset links.
  • type: string