appsettings.json
appsettings.json is the core configuration file of GZCTF; it is mounted into the container. This document explains the meaning of each field in the configuration file.
You need to restart the GZCTF service every time you update appsettings.json for the change to take effect.
Structure of the configuration file
Here is a complete example of configuration:
Configuration fields
ConnectionStrings
Here we configure the database, cache and storage connections.
Database
This field is required.
GZCTF uses PostgreSQL as the backend database and for data persistence.
GZCTF only supports PostgreSQL as the database; MySQL and other databases are not supported. Please fill in the correct database connection settings in the configuration file.
RedisCache
This field is optional.
GZCTF uses Redis as the cache and message queue. In the case of single instance deployment, Redis is not necessary, and GZCTF's memory cache can be used directly; in the case of multi-instance deployment, Redis is necessary as a shared cache and SignalR's Scale-Out broadcast.
In v1.0 and later, GZCTF supports using Garnet as the cache service.
Storage
This field is optional.
GZCTF supports two types of storage providers:
- Local Disk Storage (default): `disk://path=./files`
  - `path`: Optional. Path to store files locally (default: `./files`)
- S3-compatible Storage (AWS S3, MinIO, DigitalOcean Spaces, etc.): `s3://accessKey=...;secretKey=...;bucket=...;region=...`, or use a specific scheme for convenience: `aws.s3://...` (equivalent to `s3://...`), `minio.s3://...` (equivalent to `s3://...`)
  Parameters:
  - `accessKey`: Optional. Access Key ID
  - `secretKey`: Optional. Secret Access Key
  - `bucket`: Bucket name
  - `region`: Region (such as `us-east-1`)
  - `endpoint`: Optional. Custom endpoint URL (for MinIO or other S3-compatible services)
  - `useHttp`: Optional. Whether to use HTTP instead of HTTPS (default: `false`)
  - `forcePathStyle`: Optional. Whether to use path-style URLs instead of virtual-hosted-style (default: `false`)
For more information, see the following links:
Logging
You can configure the logging level and scopes; GZCTF also supports sending logs to a Loki server.
- LogLevel: The minimal logging level per namespace.
- Loki: The configuration of the Loki server.
  - Enable: Enable it or not.
  - EndpointUri: The URI of the Loki server.
  - Labels: Optional. The global log event labels.
  - PropertiesAsLabels: Optional. The list of properties which should be mapped to Loki labels.
  - Credentials: Optional. Credentials which will be used for basic auth.
  - Tenant: Optional. The Tenant ID used for sending logs to the Loki server.
  - MinimumLevel: Optional. Minimal logging level.
Available logging levels: Trace, Debug, Information, Warning, Error, Critical, None.
Telemetry
GZCTF supports metrics and distributed tracing. You can configure the providers you want to use.
- Prometheus: Prometheus endpoint support.
  - Enable: Enable it or not.
  - TotalNameSuffixForCounters: Optional. Whether to include the `_total` suffix in counters or not.
- OpenTelemetry: Exporting metrics and tracing data to OpenTelemetry.
  - Enable: Enable it or not.
  - Protocol: `Grpc` or `HttpProtobuf`.
  - EndpointUri: The OpenTelemetry endpoint URI to push telemetry data to.
- AzureMonitor: Exporting metrics and tracing data to ApplicationInsights.
  - Enable: Enable it or not.
  - ConnectionString: The connection string.
- Console: Exporting tracing data to the console.
  - Enable: Enable it or not.
EmailConfig
Here we configure the outgoing email (SMTP) server. This is required if you use email registration or other email features.
- SenderAddress: Email address of the sender
- SenderName: Name of the sender
- UserName: SMTP Server username
- Password: SMTP Server password
- Smtp: SMTP Server address and port
- BypassCertVerify: Whether to bypass the certificate verification of the SMTP server
Some cloud service providers block port 465; try port 587 instead.
XorKey
Configure the encryption key used to encrypt the competition private keys stored in the database. It can be any string of any length.
ContainerProvider
Configure the container backend, which is required for creating containers dynamically during the game.
- Type: Type of the container backend. Can be `Docker` or `Kubernetes`.
- PublicEntry: Public entry of the container backend, used to generate the competition access address that is shown to participating teams.
- PortMappingType: Port mapping type. Can be `Default` or `PlatformProxy`.
- EnableTrafficCapture: Enable or disable traffic capture. Only available when `PortMappingType` is set to `PlatformProxy`. Captured traffic is saved to `/app/files/capture`.
Docker
Docker Swarm is no longer supported since v1.8.0. Please use Kubernetes for better security and scalability.
- Uri: Docker API Server Address
  - If you use local Docker, leave `Uri` empty and mount `/var/run/docker.sock` into the container.
  - If you use external Docker, set `Uri` to the corresponding Docker API server. External API authentication has not been implemented; this deployment method is not recommended.
- ChallengeNetwork:
  - Before v1.8.0: Specify the network where the challenge container is located. If not specified, the default Docker network is used.
  - After v1.8.0: Treat this value as the network prefix for creating challenge networks. GZCTF automatically creates two networks for the different network modes: `<ChallengeNetwork>-open` for open network mode and `<ChallengeNetwork>-isolated` for isolated network mode. You can also manually create a `<ChallengeNetwork>-custom` network for custom network mode and configure it according to your needs.
- UserName, Password: Docker API Basic Auth username and password, optional.
Kubernetes
- Namespace: Kubernetes namespace used to create challenge instances. The default value is `gzctf-challenges`.
- ConfigPath: Kubernetes configuration file path used to connect to the cluster. The default value is `kube-config.yaml`.
- AllowCIDR: CIDR whitelist that is allowed to access Pods.
- DNS: Custom DNS server list.
To use the default behavior, put the cluster connection configuration into the kube-config.yaml file and mount it to the /app directory. Do not change this configuration if you are not familiar with the behavior of the experimental features.
Make sure to change the server field in the kube-config.yaml file so that it points to the API server address of the cluster. The default address is usually https://127.0.0.1:6443, and it must be updated to the actual address of your cluster.
Before v1.8.0
To enforce basic network isolation, GZCTF creates a NetworkPolicy named gzctf-policy in the challenge namespace to restrict access. GZCTF automatically detects whether this NetworkPolicy already exists. If it does, it will not be created again, so you can customize the network policy by creating or editing this NetworkPolicy.
After v1.8.0
GZCTF creates two NetworkPolicies named gzctf-network-open and gzctf-network-isolated in the challenge namespace to restrict access for open and isolated network modes respectively. GZCTF automatically maintains these NetworkPolicies, so do not modify or delete them manually.
You can customize the network policy by creating additional NetworkPolicies in the same namespace. You can select target Pods by using the following labels:
- `gzctf.gzti.me/TeamId`: Select specific teams
- `gzctf.gzti.me/UserId`: Select specific users
- `gzctf.gzti.me/ChallengeId`: Select specific challenges
- `gzctf.gzti.me/NetworkMode`: Select specific network modes (`open`, `isolated`, `custom`)
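As an added example (not GZCTF's own code or manifests), the Python below builds one such additional NetworkPolicy that selects the Pods of a single challenge in a given network mode through the labels above and allows ingress only from an operator-supplied CIDR list, leaving the two GZCTF-maintained policies untouched. The label keys and mode names come from this page; the label value format (ids rendered as strings) and the policy name are assumptions made for illustration. The manifest is emitted as JSON, which `kubectl apply -f` accepts, so no YAML library is needed.

```python
import ipaddress
import json
from typing import Dict, Iterable

# Added example, not GZCTF's own code: builds an additional NetworkPolicy that
# selects challenge Pods through the gzctf.gzti.me/* labels. Label keys and
# network mode names are from the documentation; rendering ids as string label
# values and the policy name are assumptions.

LABEL_PREFIX = "gzctf.gzti.me/"
NETWORK_MODES = ("open", "isolated", "custom")


def challenge_policy(namespace: str, challenge_id: int, mode: str,
                     allowed_ingress_cidrs: Iterable[str]) -> Dict:
    """Allow ingress to one challenge's Pods (in one network mode) only from the
    given CIDRs. Being selected by a policy with an Ingress policyType means all
    other ingress to those Pods is denied."""
    if mode not in NETWORK_MODES:
        raise ValueError(f"NetworkMode must be one of {NETWORK_MODES}")
    # ip_network() with strict=True rejects typos such as host bits set in a CIDR
    cidrs = [str(ipaddress.ip_network(c)) for c in allowed_ingress_cidrs]
    if not cidrs:
        raise ValueError("at least one ingress CIDR is required")

    selector = {
        LABEL_PREFIX + "ChallengeId": str(challenge_id),   # assumed value format
        LABEL_PREFIX + "NetworkMode": mode,
    }
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {
            "name": f"gzctf-custom-challenge-{challenge_id}-{mode}",  # assumed name
            "namespace": namespace,
        },
        "spec": {
            "podSelector": {"matchLabels": selector},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"ipBlock": {"cidr": c}} for c in cidrs]}],
        },
    }


def render(manifest: Dict) -> str:
    """Serialize for `kubectl apply -f -`; kubectl accepts JSON as well as YAML."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    # Constructed values: challenge id 42 in custom mode, reachable from 10.0.0.0/8 only.
    print(render(challenge_policy("gzctf-challenges", 42, "custom", ["10.0.0.0/8"])))
```

Because Kubernetes NetworkPolicies are additive allow-lists, this policy narrows what GZCTF's own `gzctf-network-open` / `gzctf-network-isolated` policies permit for the selected Pods rather than replacing them, which is the behaviour the paragraph above describes.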
RequestLogging
Enable or disable request logging. If enabled, detailed information about each request is appended to the log. Static file requests are not included in this output.
This configuration item records specific request information, which can significantly increase the log file size and reduce the platform's concurrency performance. Please enable it only during debugging.
DisableRateLimit
Enable or disable the request rate limit. When rate limiting is enabled, the request rate of each IP and API is limited according to preset rules.
This feature is fundamental to the security of GZCTF; disable it at your own risk.
In most cases, users never reach the rate limit. If you encounter frequent triggering of the rate limit and abnormal IP information in the backend logs (such as a large number of requests from the same IP), please check the trusted proxy configuration.
With rate limiting enabled, GZCTF can use minimal resources to block malicious request floods that exceed normal traffic by dozens of times, ensuring the platform's stable operation.
RegistryConfig
This configuration item is about to be deprecated, please use the Registries field to define it.
Registries
Here we configure the username and password of the Docker Registry, which is used to pull container images for dynamic containers during the game.
You can customize the configuration of other registries according to the above format. The UserName and Password fields are required.
Please make sure that the password does not contain special characters (such as `"`, `:` or `@`; `_` can be used), otherwise template injection problems may prevent the Secret from working properly.
CaptchaConfig
Configure the CAPTCHA used for user registration, account recovery and login, optional.
- Provider: CAPTCHA provider, can be `None`, `HashPow` or `CloudflareTurnstile`
- SiteKey: CAPTCHA Sitekey
- SecretKey: CAPTCHA Secretkey
To ensure security and avoid malicious registration and email consumption, it is strongly recommended to enable the CAPTCHA function.
It is recommended to use the CloudflareTurnstile CAPTCHA provider (see the related documentation).
HashPow
Configure the HashPow captcha related information, optional.
Secure context: This feature is available only in secure contexts (HTTPS).
- Difficulty: Difficulty of HashPow captcha, used to specify the number of leading zeros in the hash bits. The available range is from 8 to 48.
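To make the Difficulty range concrete, here is an added example (not GZCTF's own implementation) of a hash-based proof of work in Python: the server checks with a single hash that a submitted nonce produces a digest with at least `Difficulty` leading zero bits, while the client must try about 2^Difficulty nonces to find one. The page only states that Difficulty is the number of leading zero bits and that it ranges from 8 to 48; the message layout hashed here (SHA-256 over the challenge string followed by the decimal nonce) is an assumption for illustration, not GZCTF's wire format.

```python
import hashlib

# Added example, not GZCTF's code. Only the meaning of Difficulty (leading zero
# bits, range 8..48) comes from the documentation; the hashed message layout
# (SHA-256 over challenge || decimal nonce, UTF-8) is an assumption.

MIN_DIFFICULTY, MAX_DIFFICULTY = 8, 48


def validate_difficulty(difficulty: int) -> int:
    """Enforce the documented range before using the value anywhere."""
    if not MIN_DIFFICULTY <= difficulty <= MAX_DIFFICULTY:
        raise ValueError(f"Difficulty must be between {MIN_DIFFICULTY} and {MAX_DIFFICULTY}")
    return difficulty


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest (big-endian bit order)."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()   # zero bits before the first set bit
        break
    return count


def pow_hash(challenge: str, nonce: int) -> bytes:
    # Assumed layout: challenge string immediately followed by the decimal nonce.
    return hashlib.sha256(f"{challenge}{nonce}".encode("utf-8")).digest()


def verify(challenge: str, nonce: int, difficulty: int) -> bool:
    """Server side: one hash, constant cost regardless of difficulty."""
    validate_difficulty(difficulty)
    return leading_zero_bits(pow_hash(challenge, nonce)) >= difficulty


def solve(challenge: str, difficulty: int, limit: int = 1 << 24) -> int:
    """Client side: brute-force a nonce. Expected work is about 2**difficulty hashes,
    so every extra bit of Difficulty doubles the cost imposed on a registration bot."""
    validate_difficulty(difficulty)
    for nonce in range(limit):
        if leading_zero_bits(pow_hash(challenge, nonce)) >= difficulty:
            return nonce
    raise RuntimeError("no solution found within the nonce limit")


def expected_hashes(difficulty: int) -> int:
    """Average number of hashes a client needs for the given difficulty."""
    return 1 << validate_difficulty(difficulty)


if __name__ == "__main__":
    challenge = "constructed-challenge-token"    # constructed sample value
    nonce = solve(challenge, 16)
    print(nonce, verify(challenge, nonce, 16), expected_hashes(16))
```

The asymmetry is the whole point of the control: the lower bound of 8 keeps the puzzle from being free for an attacker, and the upper bound of 48 (roughly 2.8e14 hashes) keeps it from becoming unsolvable for a legitimate browser.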
GoogleRecaptcha
This feature is deprecated and will be removed in v1.2.2 due to the lack of maintenance of upstream dependency.
Please use the CloudflareTurnstile CAPTCHA provider instead.
Configure the Google Recaptcha v3 related information, optional.
- VerifyAPIAddress: Google Recaptcha verify API address
- RecaptchaThreshold: Google Recaptcha threshold, used to determine whether the captcha is effective
ForwardedOptions
Here we configure reverse proxy handling, which is used to obtain the real client IP address. Optional.
- ForwardedHeaders: Enum for ForwardedHeaders in reverse proxy, please use `7` as the default value. For more details, see ForwardedHeaders Enum.
- ForwardLimit: Limit the number of proxy hops allowed, the default is `1`.
- ForwardedForHeaderName: The name of the reverse proxy IP address header.
- KnownIPNetworks: List of trusted networks for reverse proxy, represented by CIDR.
- KnownProxies: List of trusted proxies for reverse proxy, represented by IP addresses or domain names.
If you want to ignore the trust list of reverse proxies and allow any IP address to access, please refer to the solution for forwarding Linux and non-IIS reverse proxies, and set the environment variable ASPNETCORE_FORWARDEDHEADERS_ENABLED to true.
For other fields, please refer to the official documentation: Configure ASP.NET Core to work with proxy servers and load balancers and ForwardedHeadersOptions class
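The interaction between ForwardLimit, KnownProxies/KnownIPNetworks and the rate limit described under DisableRateLimit is easiest to see in code. The following is an added example, not GZCTF's or ASP.NET Core's own implementation: a Python model of forwarded-header resolution in which each `X-Forwarded-For` hop is believed only while the address that sent it is a trusted proxy and at most ForwardLimit hops are consumed. The `trust_any` switch models the "allow any IP address" option from the paragraph above. All addresses are constructed from documentation ranges.

```python
import ipaddress
from typing import Dict, Iterable, List

# Added example, not GZCTF's or ASP.NET Core's code: models how ForwardLimit,
# KnownProxies, KnownIPNetworks and ForwardedForHeaderName decide which
# X-Forwarded-For entries are believed. Addresses below are constructed.


class ForwardedOptions:
    def __init__(self, forward_limit: int = 1, known_proxies: Iterable[str] = (),
                 known_networks: Iterable[str] = (),
                 header_name: str = "X-Forwarded-For", trust_any: bool = False):
        self.forward_limit = forward_limit
        self.known_proxies = {ipaddress.ip_address(p) for p in known_proxies}
        self.known_networks = [ipaddress.ip_network(n) for n in known_networks]
        self.header_name = header_name
        # trust_any models ignoring the trust list entirely (the "allow any IP" setup)
        self.trust_any = trust_any

    def is_trusted(self, addr) -> bool:
        if self.trust_any:
            return True
        return addr in self.known_proxies or any(addr in net for net in self.known_networks)


def resolve_client_ip(opts: ForwardedOptions, remote_addr: str, headers: Dict[str, str]) -> str:
    """Walk the forwarded header right to left, consuming at most ForwardLimit hops.
    A hop is accepted only if the address that handed us the header is trusted;
    otherwise the walk stops and the last accepted address is the client."""
    current = ipaddress.ip_address(remote_addr)
    raw = headers.get(opts.header_name, "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    consumed = 0
    for hop in reversed(hops):
        if consumed >= opts.forward_limit or not opts.is_trusted(current):
            break
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break   # malformed entry: stop rather than trust garbage
        consumed += 1
    return str(current)


def rate_limit_keys(opts: ForwardedOptions, requests: List[Dict[str, str]]) -> int:
    """Number of distinct per-IP buckets a rate limiter would see for these requests.
    Each request is {"remote": <connection address>, "xff": <header value>}."""
    return len({resolve_client_ip(opts, r["remote"], {opts.header_name: r["xff"]})
                for r in requests})


# Constructed flood: one direct client that claims a different address on every request.
SPOOFED_FLOOD = [{"remote": "198.51.100.7", "xff": f"203.0.113.{i}"} for i in range(1, 51)]
TRUSTED = ForwardedOptions(forward_limit=1, known_proxies=["10.0.0.1"])
TRUST_ANY = ForwardedOptions(forward_limit=1, trust_any=True)

if __name__ == "__main__":
    print("behind trusted proxy:",
          resolve_client_ip(TRUSTED, "10.0.0.1", {"X-Forwarded-For": "203.0.113.5"}))
    print("buckets with trust list:", rate_limit_keys(TRUSTED, SPOOFED_FLOOD))
    print("buckets trusting any:", rate_limit_keys(TRUST_ANY, SPOOFED_FLOOD))
```

With the trust list in place the flood collapses into a single per-IP bucket (the real connection address), so the rate limiter does its job; with any sender trusted, the same flood is spread over fifty buckets and the limit is never reached. That is the "abnormal IP information in the backend logs" symptom the DisableRateLimit section tells you to investigate, and it is why the trusted proxy lists should be as narrow as your deployment allows.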
Kestrel
Kestrel is the built-in web server used by GZCTF.
With this configuration, you can control the behavior of Kestrel, such as specifying the HTTP protocol, modifying the request size limit, and more.
For other configurable fields, please refer to the properties of the KestrelServerOptions class in the official documentation: KestrelServerOptions class