
# Configuration

Jacob Skiba edited this page May 10, 2017 · 3 revisions

The following configuration options are set in the root of Sleepy Puppy.

config-default.py is the default configuration used by Sleepy Puppy.

## Default Configuration File

```python
import os

_basedir = os.path.abspath(os.path.dirname(__file__))

DEBUG = True

# Security configuration settings
SECRET_KEY = os.getenv('secret_key', 'ThiSISMYDARKSECRET!@#')
CSRF_ENABLED = True
CSRF_SESSION_KEY = os.getenv('csrf_session_key', 'ThiSISMYDARKSECRET!@#')

# Database configuration settings
SQLALCHEMY_DATABASE_URI = os.getenv('sleepypuppy_db', 'sqlite:////tmp/sleepy-db.db')

# Screenshot storage configuration settings
UPLOAD_FOLDER = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'uploads')
UPLOAD_SCREENSHOTS_TO_S3 = False
S3_BUCKET = ""
S3_FILES_PREFIX = "sleepypuppy"

# Log configuration settings
LOG_LEVEL = "DEBUG"
LOG_FILE = "sleepypuppy.log"

# Callback configuration settings for JS captures
HOSTNAME = '127.0.0.1:8000'
# for getting the JS file.
CALLBACK_HOSTNAME = HOSTNAME
# http for local dev, https for deploy
CALLBACK_PROTOCOL = 'http'

# Email server configuration
# SES Options:
EMAILS_USE_SES = True
SES_REGION = 'us-east-1'

# SMTP Options:
MAIL_SERVER = 'localhost'
MAIL_PORT = 25
MAIL_SENDER = os.getenv('sender', 'monterey@saasmail.netflix.com')
# Uncomment if your SMTP server requires authentication
# MAIL_USE_TLS = False
# MAIL_USE_SSL = False
# MAIL_USERNAME = 'you'
# MAIL_PASSWORD = 'your-password'

# Captures will only be logged from the following list of domains
# By default, it will allow all domains if list is empty
ALLOWED_DOMAINS = []
```

## Security Configuration

The following directives control your application key and CSRF key. You should change these keys before deploying in production.

```python
SECRET_KEY = os.getenv('secret_key', 'ThiSISMYDEEPDARKSECRET!@#')

CSRF_ENABLED = True
CSRF_SESSION_KEY = os.getenv('csrf_session_key', 'ThiSISMYDARKDARKDARKSECRET!@#')
```

## Database Configuration

Sleepy Puppy uses SQLAlchemy for object-relational mapping. The database URI can be set as an environment variable, and is read by the following directive in config-default.py:

```python
# Database setup
SQLALCHEMY_DATABASE_URI = os.getenv('sleepypuppy_db', 'sqlite:////tmp/sleepypuppy-db.db')
```

The config-default.py file is currently set to use SQLite as the DBMS. I suggest you use a more robust database management system, such as MySQL.

An example MySQL connection string for Amazon RDS may look like the following:

```python
# Database setup
SQLALCHEMY_DATABASE_URI = 'mysql://sleepydb:super_password@sleepy.blahblah.us-west-1.rds.amazonaws.com:3306/sleepy'
```

If you change your database URI, you will need to recreate the DB tables by running:

```bash
python manage.py drop_db
python manage.py setup_sleepy_puppy
```

## S3 and Storage Configuration

By default, all screenshots are stored in the 'uploads' folder in the root directory of Sleepy Puppy.

```python
UPLOAD_FOLDER = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'uploads')
```

You can also leverage S3 to store screenshots (recommended). The bucket name must be a string:

```python
UPLOAD_SCREENSHOTS_TO_S3 = True
S3_BUCKET = "mutestbucket.foobar.net"
S3_FILES_PREFIX = "sleepypuppy"
```

## Log Configuration

You can change the log level to INFO, WARNING, ERROR or CRITICAL depending on your needs.

```python
LOG_LEVEL = "DEBUG"
LOG_FILE = "sleepypuppy.log"
```

## Callback Settings

If you are using Sleepy Puppy locally, ensure your callback protocol is set to HTTP. If you are using Sleepy Puppy in a production-like deployment, you must specify either the FQDN or the public IP address for JS callbacks.

```python
HOSTNAME = 'sleepypuppy.mycompany.com' # for getting the JS file.
CALLBACK_HOSTNAME = HOSTNAME
CALLBACK_PROTOCOL = 'https' # http for local dev, https for deploy
```

## Email Configuration

If your application is deployed in AWS, consider using SES for email notifications:

```python
# SES Options:
EMAILS_USE_SES = True
SES_REGION = 'us-east-1'
```

Alternatively, you can use a local or remote SMTP server:

```python
# SMTP Options:
MAIL_SERVER = 'localhost'
MAIL_PORT = 25
MAIL_SENDER = os.getenv('sender', 'sleepypuppy@domain.com')
# Uncomment if your SMTP server requires authentication
#MAIL_USE_TLS = False
#MAIL_USE_SSL = False
#MAIL_USERNAME = 'you'
#MAIL_PASSWORD = 'your-password'
```

## Allowed Domains

If you want to limit captures to certain domains, you can create a whitelist here. This may be helpful if you are testing payloads across a large number of applications and want to limit Sleepy Puppy's scope.

```python
# Captures will only be logged from the following list of domains
# By default, it will allow all domains if list is empty
ALLOWED_DOMAINS = []
```
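The settings above are easy to leave at their shipped defaults. As an added example (not part of Sleepy Puppy itself), the following pre-deployment check loads a config file with `runpy` and flags the conditions this page warns about: default secret keys, debug mode, a non-local callback host without HTTPS, SQLite or an embedded DB password in the URI, S3 upload with no bucket, and an empty domain whitelist. The function names and the 32-character minimum for keys are this example's own choices, not Sleepy Puppy requirements.

```python
import runpy
from urllib.parse import urlsplit

# Secrets shipped in config-default.py and the wiki snippets; none may reach production.
KNOWN_DEFAULT_SECRETS = {
    'ThiSISMYDARKSECRET!@#',
    'ThiSISMYDEEPDARKSECRET!@#',
    'ThiSISMYDARKDARKDARKSECRET!@#',
}
LOCAL_HOSTS = {'127.0.0.1', 'localhost'}
MIN_KEY_LENGTH = 32  # assumption of this example, not a Sleepy Puppy rule


def load_config(path):
    """Execute a Sleepy Puppy config module and return its settings as a dict."""
    namespace = runpy.run_path(path)
    return {k: v for k, v in namespace.items() if k.isupper()}


def lint_config(cfg):
    """Return (setting, problem) tuples for a settings dict; empty means deployable."""
    findings = []
    for key in ('SECRET_KEY', 'CSRF_SESSION_KEY'):
        value = cfg.get(key, '')
        if value in KNOWN_DEFAULT_SECRETS:
            findings.append((key, 'still set to the shipped default'))
        elif len(value) < MIN_KEY_LENGTH:
            findings.append((key, 'shorter than %d characters' % MIN_KEY_LENGTH))
    if not cfg.get('CSRF_ENABLED', False):
        findings.append(('CSRF_ENABLED', 'CSRF protection disabled'))
    if cfg.get('DEBUG'):
        findings.append(('DEBUG', 'debug mode enabled'))
    # Callback host is 'host' or 'host:port'; anything non-local must use https.
    host = cfg.get('CALLBACK_HOSTNAME', '').split(':')[0]
    if host not in LOCAL_HOSTS and cfg.get('CALLBACK_PROTOCOL') != 'https':
        findings.append(('CALLBACK_PROTOCOL', 'non-local callback host without https'))
    parts = urlsplit(cfg.get('SQLALCHEMY_DATABASE_URI', ''))
    if parts.scheme == 'sqlite':
        findings.append(('SQLALCHEMY_DATABASE_URI', 'SQLite in use; a server DBMS is recommended'))
    elif parts.password:
        findings.append(('SQLALCHEMY_DATABASE_URI', 'password embedded in URI; use the sleepypuppy_db env var'))
    if cfg.get('UPLOAD_SCREENSHOTS_TO_S3') and not cfg.get('S3_BUCKET'):
        findings.append(('S3_BUCKET', 'S3 upload enabled but no bucket set'))
    if not cfg.get('ALLOWED_DOMAINS'):
        findings.append(('ALLOWED_DOMAINS', 'empty whitelist: captures accepted from every domain'))
    return findings
```

Run it as `lint_config(load_config('config-default.py'))` from the Sleepy Puppy root; the stock file produces findings for both keys, DEBUG, the SQLite URI and the empty whitelist.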