The Userify baseconfig.cfg Format

base_config.cfg is a plain-text JSON text file that is created and updated by Userify that serves a primary function of loading the encrypted main config object (config::config) from your storage repository (i.e., NFS mount, S3, EBS, etc.) base_config.cfg is designed to simply maintain the minimum security credentials to establish the next phase of startup. If base_config.cfg has not yet been created, Userify prompts for configuration. Because base_config.cfg contains sensitive configuration data, it is accessible by root only but it is designed (and pretty-printed) to serve as a human-readable backup of how the server was configured.

Base Config Settings

There are a few server functions that occur before the server loads its configuration, especially if the server is unconfigured (in order to start the web-based configuration tour). Note: changing these settings may make your Userify service unstartable.

skip_listener_80, skip_listener_443

Defaults to false. When enabled, HTTP(s) servers will not be started on port 80 and 443, respectively, and you can use HA Proxy or a similar web server to redirect requests to port 8120 and static requests to /opt/userify-server/web/. (The port 80 server always issues a redirect to HTTPS.) The 443 server will serve locally-generated self-signed TLS certificates until signed certificates are pasted into the web console. (See TLS Certificate HOWTO for details.) New in 4.2

skip_listener_8120

Defaults to false. When enabled, HTTP services are served on port 8120. This insecure listener (HTTP server) is intended to be front-ended by a WAF or HTTPS proxy server. PLEASE NOTE: serving data insecurely via HTTP over 8120 is only for front-ending with a external or localhost load balancer (such as ELB or HA-Proxy) because TLS termination at the node will prevent IP addresses from being passed through by the proxy on HTTP headers. Support for the new HAProxy PROXY protocol is planned to allow client-side IP addresses to be passed inside the TCP stream and allow TLS termination at the node (via 443) instead of the load balancer. New in 4.2.

insecure_listener_port

Defaults to 8120 and can be overridden by this baseconfig setting or on the fly by appending a new port number on the command line. Multi-processor servers can start a single instance of the userify server for each processor and set each to listen on a separate insecurelistener_port, and use a load balancing such as HA Proxy (recommended) or nginx in front, with static files being read from /opt/userify-server/web/. This is the recommended method for performance and security. New in 4.2

insecure_listener_host

Defaults to "127.0.0.1" (localhost). Utilized for external load balancers for the high-scalability option pack. New in 4.2

sa_username, sa_password

Systems administrator username for logging into the management console. The password can be reset by pasting (in plain text) a new password, which will be automatically re-hashed (with bcrypt) on the next server startup.

bucket_name, s3endpoint, etc

If S3 bucket storage is in use, these provide the paths. (Instance roles are utilized instead if available.)

filesystem_path

Where local data can be stored if S3 is not in use. On horizontally scalable systems, this can safely be an NFS, iSCSI, or similar shared storage mount, as long as the mounted filesystem respects POSIX file locking conventions.

crypto_key

The crypto key is the encryption key used to protect all data. As explained during system configuration, be sure to back it up in a safe place; without it, all server data is irrecoverable. Backing up the base_config.cfg file is sufficient.

MFA disable

Create a file containing the list of usernames to disable MFA for: sudo nano /opt/userify-server/disable_mfa.txt and add each username (one per line) that you wish to disable MFA server. Then, just sudo pkill userify-server to restart and disable MFA for those user accounts. (The file will be removed after processing).