open-tsa/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
server/.env.example
hightrusted 2450171ce3
Initial public release 
Open TSA — Free European RFC 3161 Timestamp Authority.

- 4-tier CA hierarchy via setup-ca.sh (Root → TSA Root → Intermediate → Signing)
- Node.js service (service.js): RFC 3161 endpoint, health, info, stats,
  /now, Prometheus metrics, rate limiting, audit log, admin endpoints
- All identities and paths configurable via environment variables
- Documented in README, including reverse-proxy setup and operating notes

MIT licensed. See https://open-tsa.eu for the live service.
2026-05-15 18:29:51 +02:00

76 lines
4.4 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# ──────────────────────────────────────────────────────────────
# Open TSA — Configuration Example
# ──────────────────────────────────────────────────────────────
# Copy this file to `.env` and adjust for your installation.
# Never commit the actual `.env` to version control.
# ──────────────────────────────────────────────────────────────
# ── Service binding ─────────────────────────────────────────
# The service listens on TSA_HOST:TSA_PORT.
# Default is localhost only — nginx/Apache reverse-proxies from
# the public interface. Do not bind to 0.0.0.0 in production.
TSA_HOST=127.0.0.1
TSA_PORT=3700
# ── Public-facing URL ───────────────────────────────────────
# Used in logs, health-check responses, and error messages.
# Should match the public HTTPS URL of your reverse proxy.
TSA_PUBLIC_URL=https://tsr.example.org
# ── CA hierarchy paths ──────────────────────────────────────
# Directory containing the 4-tier CA created by setup-ca.sh.
# The service only needs read access to the TSA signing tier.
CA_DIR=/opt/open-tsa/ca
TSA_CONFIG=/opt/open-tsa/ca/tsa/openssl-tsa.cnf
# ── TSA policy OID ──────────────────────────────────────────
# Your own enterprise OID (allocated by IANA) or a sub-OID under
# an existing one. Must be present in your TSA certificate's
# `certificatePolicies` extension. Do NOT reuse another
# project's OID in production.
TSA_POLICY_OID=1.3.6.1.4.1.59085.1.1
# ── Operational parameters ──────────────────────────────────
# Maximum size of an incoming TimeStampRequest in bytes.
# Real-world TSQ payloads are 200500 bytes. 64 KiB is generous.
MAX_REQUEST_SIZE=65536
# Rate limit per source IP per minute (0 = disabled).
RATE_LIMIT_PER_MINUTE=60
# ── Logging ─────────────────────────────────────────────────
# Levels: error, warn, info, debug
LOG_LEVEL=info
# Log destination: stdout (recommended with systemd/journald)
# or absolute path to log file.
LOG_DESTINATION=stdout
# ── Audit log ───────────────────────────────────────────────
# Path to the append-only audit log of issued tokens.
# One JSON line per timestamp with: timestamp, serial, hash,
# client IP, response size. Used for transparency reporting.
AUDIT_LOG=/var/log/open-tsa/audit.jsonl
# ── Metrics endpoint ────────────────────────────────────────
# Prometheus-compatible metrics on /metrics. Bound to TSA_HOST.
# Disable in environments where this would be exposed publicly.
METRICS_ENABLED=true
# ── Health endpoint ─────────────────────────────────────────
# Path of the health-check endpoint. Returns 200 + JSON with
# version, openssl version, and current load.
HEALTH_PATH=/health
# ── OpenSSL binary ──────────────────────────────────────────
# Path to the OpenSSL 3.x binary. Leave as `openssl` to use the
# system default; override if multiple versions are installed.
OPENSSL_BIN=openssl
# ── Service user / group ────────────────────────────────────
# Used by setup-ca.sh to set permissions on the TSA tier.
# The Node.js service must run under this user.
SERVICE_USER=nodejs
SERVICE_GROUP=nodejs
# ── End of configuration ────────────────────────────────────
Reference in a new issue View git blame Copy permalink