appsettings.json is the core configuration file of GZCTF. It is mounted into the container, and this document describes the meaning of each field in it.
You need to restart the GZCTF service every time you update appsettings.json for the change to take effect.
Here is a complete example of configuration:
Here we configure the database connection. Database is required; RedisCache is optional.
GZCTF uses PostgreSQL as the backend database and data persistence, and Redis as the cache and message queue. In the case of single instance deployment, Redis is not necessary, and GZCTF's memory cache can be used directly; in the case of multi-instance deployment, Redis is necessary as a shared cache and SignalR's Scale-Out broadcast.
GZCTF supports only PostgreSQL as its database; MySQL and other databases are not supported. Fill in the correct PostgreSQL connection settings in the configuration file.
You can configure the logging level per scope; GZCTF can also ship its logs to a Loki server.
LogLevel: The minimal logging level per namespace.
Loki: The configuration of Loki server.
Available logging levels: Trace, Debug, Information, Warning, Error, Critical, None.
GZCTF supports metrics and distributed tracing. You can configure the providers you want to use.
Prometheus: Prometheus endpoint support. You can set the port that the /metrics endpoint listens on; if you do, Kestrel.Endpoints must additionally be configured by hand so that the server actually listens on that port. Whether counters carry the _total suffix is also configurable.
OpenTelemetry: Exporting metrics and tracing data to OpenTelemetry. The export protocol can be Grpc or HttpProtobuf.
AzureMonitor: Exporting metrics and tracing data to ApplicationInsights.
Console: Exporting tracing data to the console.
Here we configure the email sending server. This is required if you use email registration or other email features.
Some cloud service providers block port 465; if sending fails, try port 587.
Here we configure the key used to encrypt the competition's private key in the database. It can be a string of any length.
Here we configure the container backend, which is required for creating challenge containers dynamically during the game.
The backend type can be Docker or Kubernetes. PortMappingType can be Default or PlatformProxy. Traffic capture is only available when PortMappingType is configured as PlatformProxy; captured traffic is saved to /app/files/capture.
Since Docker Swarm is no longer an active project and its security features lag far behind Kubernetes, it is not recommended.
Uri: Docker API server address. For a local Docker daemon, mount /var/run/docker.sock into the container.
ChallengeNetwork: The network the challenge containers are attached to. If not specified, the default network is used.
UserName, Password: Docker API Basic Auth username and password, optional.
For the Kubernetes backend, the namespace used for challenge containers defaults to gzctf-challenges and the cluster connection configuration file defaults to kube-config.yaml.
To use the default behavior, put the cluster connection configuration into the kube-config.yaml file and mount it into the /app directory. Do not change this unless you understand the behavior of the experimental function.
Note that you must change the server field in kube-config.yaml to point to the cluster's API server address. The default address is generally https://127.0.0.1:6443, which must be replaced with the actual address of the cluster.
To enforce its network policy, GZCTF creates a NetworkPolicy named gzctf-policy in the challenge namespace to restrict access. GZCTF first checks whether this NetworkPolicy already exists; if it does, it is not created again, so you can customize the network policy by creating or editing that NetworkPolicy yourself.
Enable/Disable request logging. If enabled, detailed information about each request is appended to the log; static file requests are not included.
Enable/Disable request rate limiting. If enabled, the request rate per IP and per API is limited according to preset rules.
Here we configure the username and password of the Docker registry used to pull container images for dynamic containers during the game.
The server address does not need the https:// prefix. Make sure the password does not contain special characters such as : or @ (the underscore _ is allowed); otherwise it may cause template injection problems and the generated Secret will not work properly.
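The constraints this page states for the database, the container provider, kube-config.yaml, the Prometheus port and the registry settings can be checked before deployment. The linter below is an added example, not part of GZCTF or its documentation; section and key names the page does not quote (ContainerProvider, EnableTrafficCapture, DockerConfig.SwarmMode, RegistryConfig, Telemetry.Prometheus, Kestrel.Endpoints) are assumed from GZCTF's defaults, and both sample inputs are constructed.

```python
import re

# Constructed sample: an appsettings.json fragment with two deliberate defects
# (a registry password containing ':' and '@', and traffic capture enabled
# without PlatformProxy) so the linter has something to report.
SAMPLE_CFG = {
    "ConnectionStrings": {"Database": "Host=db:5432;Database=gzctf;Username=postgres;Password=example"},
    "ContainerProvider": {"Type": "Docker", "PortMappingType": "Default", "EnableTrafficCapture": True,
                          "DockerConfig": {"SwarmMode": False}},
    "RegistryConfig": {"ServerAddress": "registry.example.com", "UserName": "ctf", "Password": "p:ss@word"},
    "Telemetry": {"Prometheus": {"Enable": True, "Port": 3000}},
    "Kestrel": {"Endpoints": {"Web": {"Url": "http://+:8080"}, "Metrics": {"Url": "http://+:3000"}}},
}
# Constructed sample of a kube-config.yaml whose server field was left at the cluster default.
SAMPLE_KUBECONFIG = "clusters:\n- cluster:\n    server: https://127.0.0.1:6443\n  name: default\n"

def lint_appsettings(cfg: dict) -> list[str]:
    """Return findings for the constraints the page states; an empty list means all checks passed."""
    findings = []
    db = cfg.get("ConnectionStrings", {}).get("Database", "")
    if not db:
        findings.append("ConnectionStrings.Database is required (RedisCache is optional)")
    elif not re.search(r"(^|;)\s*(Host|Server)\s*=", db, re.I):
        findings.append("Database must be a PostgreSQL (Npgsql) connection string; MySQL etc. are unsupported")
    prov = cfg.get("ContainerProvider", {})  # assumed section name
    if prov.get("EnableTrafficCapture") and prov.get("PortMappingType") != "PlatformProxy":
        findings.append("EnableTrafficCapture has no effect unless PortMappingType is PlatformProxy")
    if prov.get("Type") == "Docker" and prov.get("DockerConfig", {}).get("SwarmMode"):
        findings.append("Docker Swarm mode is not recommended; prefer Kubernetes for isolation")
    reg = cfg.get("RegistryConfig", {})  # assumed section name
    if re.match(r"https?://", reg.get("ServerAddress", "")):
        findings.append("RegistryConfig.ServerAddress must not carry an http(s):// prefix")
    if any(ch in reg.get("Password", "") for ch in ":@"):
        findings.append("RegistryConfig.Password contains ':' or '@'; such characters break the pull Secret template")
    prom = cfg.get("Telemetry", {}).get("Prometheus", {})  # assumed section name
    if prom.get("Enable") and "Port" in prom:
        urls = [str(e.get("Url", "")) for e in cfg.get("Kestrel", {}).get("Endpoints", {}).values()]
        if not any(u.endswith(f":{prom['Port']}") for u in urls):
            findings.append(f"Prometheus port {prom['Port']} has no matching Kestrel.Endpoints entry")
    return findings

def lint_kube_config(text: str) -> list[str]:
    """Flag a kube-config.yaml whose server field still points at the loopback default."""
    if re.search(r"server:\s*https://127\.0\.0\.1:6443\b", text):
        return ["kube-config.yaml: server is https://127.0.0.1:6443; point it at the real API server"]
    return []

if __name__ == "__main__":
    for finding in lint_appsettings(SAMPLE_CFG) + lint_kube_config(SAMPLE_KUBECONFIG):
        print("-", finding)
```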
Configure the Captcha used for user registration, account recovery and login (optional). The provider can be None, GoogleRecaptcha or CloudflareTurnstile.
Configure the Google Recaptcha v3 related information (optional).
Here we configure the reverse proxy settings used to obtain the client's real IP address (optional).
The forwarded-headers setting uses 7 as the default value (X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Proto combined). For details, see the ForwardedHeaders enum.
If you want to ignore the trusted proxy list and accept forwarded headers from any address, refer to the solution for forwarding with Linux and non-IIS reverse proxies and set the environment variable ASPNETCORE_FORWARDEDHEADERS_ENABLED to true.
For other fields, please refer to the official documentation: Configure ASP.NET Core to work with proxy servers and load balancers and ForwardedHeadersOptions class
Kestrel is the built-in web server used by GZCTF. With this configuration, you can control the behavior of Kestrel, such as specifying the HTTP protocol, modifying the request size limit, and more.
The available fields are those of the KestrelServerOptions class; see the official documentation: KestrelServerOptions class