##############################################################
# Kopano Web SETTINGS

# Site's host name.
# Full qualified host name. If set, kweb provides HTTP/HTTPS for this host
# including automatic ACME CA TLS and Content Security Policy generation. If not
# set (the default), kweb is available under all names and does not try to
# obtain a certificate via ACME.
#hostname=

# ACME CA email.
# To allow automatic TLS via ACME, the CA needs an email address. Provide your
# email address here to enable automatic TLS via ACME. If tls_acme_email and
# hostname are set, kweb will automatically manage TLS certificates unless
# explictly disabled by other settings.
#tls_acme_email =

# ACME CA subscriber agreement.
# Set to `yes` to accept the CA's subscriber agreement. If this is `no` or
# not set and kweb is otherwise configured to use ACME, kweb will log the link
# to the CA's subscriber agreement and then exit. You have to change this
# setting to `yes` to use automatic TLS via ACME.
#tls_acme_agree = no

# ACME CA server directory.
# URL to the certificate authority's ACME server directory. Default is to use
# Let's Encrypt (https://acme-v02.api.letsencrypt.org/directory).
#tls_acme_ca = https://acme-v02.api.letsencrypt.org/directory

# HTTP Strict Transport Security.
# Value for HTTP Strict Transport Security response header. Default to
# `max-age=31536000;` and is only used if hostname is set. Set explicitly to
# empty to disable.
#hsts=max-age=31536000;

# Bind address to bind the listeners.
# This setting defines where to bind kweb http listeners. By default kweb binds
# to all interfaces/ips since it needs to be available from external.
#bind=0.0.0.0

# Web root folder.
# Full path to the web root. All files below that folder are served by kweb and
# the path is used as base for otherwise relative paths.
# Default: `/usr/share/kopano-kweb/www`
#web_root = /usr/share/kopano-kweb/www

# Port for HTTPS listener.
# When TLS is enabled, kweb will serve the TLS listener on this port. Defaults
# to 9443 if `hostname` is not set and `443` otherwise.
#https_port = 443

# Port for HTTP listener.
# When TLS is disabled, kweb will serve the listener on this port. Defaults to
# 9080 if `hostname` is not set and `80` otherwise.
#http_port = 80

# HTTP/2 support.
# Set to `yes` to enable HTTP/2 support on all TLS listeners. HTTP/2 is enabled
# by default. Set to `no` to disable.
#http2 = yes

# QUIC support.
# Experimental support for QUIC. Set to `true` to enable. Default is `no`.
#quic = no

###############################################################
# Log settings

# HTTP request log file (access log in combined format).
# Full path to log file where to log HTTP requests. Not set by default which
# means requests are not logged.
#request_log_file = /var/log/kopano-kweb/access.log

###############################################################
# TLS settings

# TLS support.
# Support encrypted listeners and automatic TLS certificate creation when set
# to `yes`. Set to `no` to disable all TLS and listen on plain HTTP.
#tls = yes

# TLS certificate bundle.
# Path to a TLS certificate bundle (concatenation of the server's  certificate
# followed by the CA's certificate chain). If set, the TLS listener will use
# that certificate instead of trying automatic TLS.
#tls_cert =

# TLS private key.
# Path to the server's private key file which matches the certificate bundle. It
# must match the certificate in tls_cert.
#tls_key =

# TLS protocols.
# Minimal and maximal TLS protocol versions to be offered. Defaults to TLS 1.2
# and TLS 1.3 (`tls1.2 tls1.3`).
#tls_protocols = tls1.2 tls1.3

# TLS self sign.
# By default kweb creates self signed TLS certificates on startup on if ACME is
# not possible due to missing settings. If set to `yes`, ACME is disabled and a
# self signed certificate will always be created. Default: `no`.
#tls_always_self_sign = no

# TLS must stable.
# Enables must stable for certificates managed by kweb. If this is set to `yes`
# and kweb requests certificates via ACME, those certificates will require that
# the OSCP information is stapled with the response. Defaults to `no`.
#tls_must_staple = no

###############################################################
# App settings

# Default top level redirect.
# When set, top level requests `/` will redirect to the configured value.
# Not set by default.
#default_redirect =

# Legacy support.
# To make integration into existing environments easier kwebd can act as a
# reverse proxy to allow serving requests Kopano WebApp and Z-Push running e.g.
# in Apache or Nginx. Set the address to the legacy web server here. Not set by
# default.
#legacy_reverse_proxy = 127.0.0.1:8000

###############################################################
# Limiting settings

# Rate limit tate.
# Limits Excessive access to services. Requests will be terminated with an error
# 429 (Too Many Requests) and X-RateLimit-RetryAfter is added.
# Format "rate burst unit", Defaults to "100 200 minute".
#ratelimit_rate = "100 200 minute"

# Rate limit whitelist.
# Your trusted IPs (comma separated). Defines the CIDR IP range you don't want
# to  perform rate limit. Defaults to `127.0.0.1/8`.
#ratelimit_whitelist = 127.0.0.1/8