257 lines
12 KiB
Plaintext
257 lines
12 KiB
Plaintext
# =============================================================================
|
||
# Sub2API Docker Environment Configuration
|
||
# =============================================================================
|
||
# Copy this file to .env and modify as needed:
|
||
# cp .env.example .env
|
||
# nano .env
|
||
#
|
||
# Then start with: docker-compose up -d
|
||
# =============================================================================
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# Server Configuration
|
||
# -----------------------------------------------------------------------------
|
||
# Bind address for host port mapping
|
||
BIND_HOST=0.0.0.0
|
||
|
||
# Server port (exposed on host)
|
||
SERVER_PORT=8080
|
||
|
||
# Server mode: release or debug
|
||
SERVER_MODE=release
|
||
|
||
# Global max request body size in bytes (default: 100MB)
|
||
# 全局最大请求体大小(字节,默认 100MB)
|
||
# Applies to all requests, especially important for h2c first request memory protection
|
||
# 适用于所有请求,对 h2c 第一请求的内存保护尤为重要
|
||
SERVER_MAX_REQUEST_BODY_SIZE=104857600
|
||
|
||
# Enable HTTP/2 Cleartext (h2c) for client connections
|
||
# 启用 HTTP/2 Cleartext (h2c) 客户端连接
|
||
SERVER_H2C_ENABLED=true
|
||
# H2C max concurrent streams (default: 50)
|
||
# H2C 最大并发流数量(默认 50)
|
||
SERVER_H2C_MAX_CONCURRENT_STREAMS=50
|
||
# H2C idle timeout in seconds (default: 75)
|
||
# H2C 空闲超时时间(秒,默认 75)
|
||
SERVER_H2C_IDLE_TIMEOUT=75
|
||
# H2C max read frame size in bytes (default: 1048576 = 1MB)
|
||
# H2C 最大帧大小(字节,默认 1048576 = 1MB)
|
||
SERVER_H2C_MAX_READ_FRAME_SIZE=1048576
|
||
# H2C max upload buffer per connection in bytes (default: 2097152 = 2MB)
|
||
# H2C 每个连接的最大上传缓冲区(字节,默认 2097152 = 2MB)
|
||
SERVER_H2C_MAX_UPLOAD_BUFFER_PER_CONNECTION=2097152
|
||
# H2C max upload buffer per stream in bytes (default: 524288 = 512KB)
|
||
# H2C 每个流的最大上传缓冲区(字节,默认 524288 = 512KB)
|
||
SERVER_H2C_MAX_UPLOAD_BUFFER_PER_STREAM=524288
|
||
|
||
# 运行模式: standard (默认) 或 simple (内部自用)
|
||
# standard: 完整 SaaS 功能,包含计费/余额校验;simple: 隐藏 SaaS 功能并跳过计费/余额校验
|
||
RUN_MODE=standard
|
||
|
||
# Timezone
|
||
TZ=Asia/Shanghai
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# PostgreSQL Configuration (REQUIRED)
|
||
# -----------------------------------------------------------------------------
|
||
POSTGRES_USER=sub2api
|
||
POSTGRES_PASSWORD=change_this_secure_password
|
||
POSTGRES_DB=sub2api
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# Redis Configuration
|
||
# -----------------------------------------------------------------------------
|
||
# Leave empty for no password (default for local development)
|
||
REDIS_PASSWORD=
|
||
REDIS_DB=0
|
||
REDIS_ENABLE_TLS=false
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# Admin Account
|
||
# -----------------------------------------------------------------------------
|
||
# Email for the admin account
|
||
ADMIN_EMAIL=admin@sub2api.local
|
||
|
||
# Password for admin account
|
||
# Leave empty to auto-generate (will be shown in logs on first run)
|
||
ADMIN_PASSWORD=
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# JWT Configuration
|
||
# -----------------------------------------------------------------------------
|
||
# IMPORTANT: Set a fixed JWT_SECRET to prevent login sessions from being
|
||
# invalidated after container restarts. If left empty, a random secret will
|
||
# be generated on each startup, causing all users to be logged out.
|
||
# Generate a secure secret: openssl rand -hex 32
|
||
JWT_SECRET=
|
||
JWT_EXPIRE_HOUR=24
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# TOTP (2FA) Configuration
|
||
# TOTP(双因素认证)配置
|
||
# -----------------------------------------------------------------------------
|
||
# IMPORTANT: Set a fixed encryption key for TOTP secrets. If left empty, a
|
||
# random key will be generated on each startup, causing all existing TOTP
|
||
# configurations to become invalid (users won't be able to login with 2FA).
|
||
# Generate a secure key: openssl rand -hex 32
|
||
# 重要:设置固定的 TOTP 加密密钥。如果留空,每次启动将生成随机密钥,
|
||
# 导致现有的 TOTP 配置失效(用户无法使用双因素认证登录)。
|
||
TOTP_ENCRYPTION_KEY=
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# Configuration File (Optional)
|
||
# -----------------------------------------------------------------------------
|
||
# Path to custom config file (relative to docker-compose.yml directory)
|
||
# Copy config.example.yaml to config.yaml and modify as needed
|
||
# Leave unset to use default ./config.yaml
|
||
#CONFIG_FILE=./config.yaml
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# Rate Limiting (Optional)
|
||
# 速率限制(可选)
|
||
# -----------------------------------------------------------------------------
|
||
# Cooldown time (in minutes) when upstream returns 529 (overloaded)
|
||
# 上游返回 529(过载)时的冷却时间(分钟)
|
||
RATE_LIMIT_OVERLOAD_COOLDOWN_MINUTES=10
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# Gateway Scheduling (Optional)
|
||
# 调度缓存与受控回源配置(缓存就绪且命中时不读 DB)
|
||
# -----------------------------------------------------------------------------
|
||
# 粘性会话最大排队长度
|
||
GATEWAY_SCHEDULING_STICKY_SESSION_MAX_WAITING=3
|
||
# 粘性会话等待超时(时间段,例如 45s)
|
||
GATEWAY_SCHEDULING_STICKY_SESSION_WAIT_TIMEOUT=120s
|
||
# 兜底排队等待超时(时间段,例如 30s)
|
||
GATEWAY_SCHEDULING_FALLBACK_WAIT_TIMEOUT=30s
|
||
# 兜底最大排队长度
|
||
GATEWAY_SCHEDULING_FALLBACK_MAX_WAITING=100
|
||
# 启用调度批量负载计算
|
||
GATEWAY_SCHEDULING_LOAD_BATCH_ENABLED=true
|
||
# 并发槽位清理周期(时间段,例如 30s)
|
||
GATEWAY_SCHEDULING_SLOT_CLEANUP_INTERVAL=30s
|
||
# 是否允许受控回源到 DB(默认 true,保持现有行为)
|
||
GATEWAY_SCHEDULING_DB_FALLBACK_ENABLED=true
|
||
# 受控回源超时(秒),0 表示不额外收紧超时
|
||
GATEWAY_SCHEDULING_DB_FALLBACK_TIMEOUT_SECONDS=0
|
||
# 受控回源限流(实例级 QPS),0 表示不限制
|
||
GATEWAY_SCHEDULING_DB_FALLBACK_MAX_QPS=0
|
||
# outbox 轮询周期(秒)
|
||
GATEWAY_SCHEDULING_OUTBOX_POLL_INTERVAL_SECONDS=1
|
||
# outbox 滞后告警阈值(秒)
|
||
GATEWAY_SCHEDULING_OUTBOX_LAG_WARN_SECONDS=5
|
||
# outbox 触发强制重建阈值(秒)
|
||
GATEWAY_SCHEDULING_OUTBOX_LAG_REBUILD_SECONDS=10
|
||
# outbox 连续滞后触发次数
|
||
GATEWAY_SCHEDULING_OUTBOX_LAG_REBUILD_FAILURES=3
|
||
# outbox 积压触发重建阈值(行数)
|
||
GATEWAY_SCHEDULING_OUTBOX_BACKLOG_REBUILD_ROWS=10000
|
||
# 全量重建周期(秒)
|
||
GATEWAY_SCHEDULING_FULL_REBUILD_INTERVAL_SECONDS=300
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# Dashboard Aggregation (Optional)
|
||
# -----------------------------------------------------------------------------
|
||
# Enable aggregation job
|
||
# 启用仪表盘预聚合
|
||
DASHBOARD_AGGREGATION_ENABLED=true
|
||
# Refresh interval (seconds)
|
||
# 刷新间隔(秒)
|
||
DASHBOARD_AGGREGATION_INTERVAL_SECONDS=60
|
||
# Lookback window (seconds)
|
||
# 回看窗口(秒)
|
||
DASHBOARD_AGGREGATION_LOOKBACK_SECONDS=120
|
||
# Allow manual backfill
|
||
# 允许手动回填
|
||
DASHBOARD_AGGREGATION_BACKFILL_ENABLED=false
|
||
# Backfill max range (days)
|
||
# 回填最大跨度(天)
|
||
DASHBOARD_AGGREGATION_BACKFILL_MAX_DAYS=31
|
||
# Recompute recent N days on startup
|
||
# 启动时重算最近 N 天
|
||
DASHBOARD_AGGREGATION_RECOMPUTE_DAYS=2
|
||
# Retention windows (days)
|
||
# 保留窗口(天)
|
||
DASHBOARD_AGGREGATION_RETENTION_USAGE_LOGS_DAYS=90
|
||
DASHBOARD_AGGREGATION_RETENTION_HOURLY_DAYS=180
|
||
DASHBOARD_AGGREGATION_RETENTION_DAILY_DAYS=730
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# Security Configuration
|
||
# -----------------------------------------------------------------------------
|
||
# URL Allowlist Configuration
|
||
# 启用 URL 白名单验证(false 则跳过白名单检查,仅做基本格式校验)
|
||
SECURITY_URL_ALLOWLIST_ENABLED=false
|
||
|
||
# 关闭白名单时,是否允许 http:// URL(默认 false,只允许 https://)
|
||
# ⚠️ 警告:允许 HTTP 存在安全风险(明文传输),仅建议在开发/测试环境或可信内网中使用
|
||
# Allow insecure HTTP URLs when allowlist is disabled (default: false, requires https)
|
||
# ⚠️ WARNING: Allowing HTTP has security risks (plaintext transmission)
|
||
# Only recommended for dev/test environments or trusted networks
|
||
SECURITY_URL_ALLOWLIST_ALLOW_INSECURE_HTTP=true
|
||
|
||
# 是否允许本地/私有 IP 地址用于上游/定价/CRS(仅在可信网络中使用)
|
||
# Allow localhost/private IPs for upstream/pricing/CRS (use only in trusted networks)
|
||
SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS=true
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# Gemini OAuth (OPTIONAL, required only for Gemini OAuth accounts)
|
||
# -----------------------------------------------------------------------------
|
||
# Sub2API supports TWO Gemini OAuth modes:
|
||
#
|
||
# 1. Code Assist OAuth (需要 GCP project_id)
|
||
# - Uses: cloudcode-pa.googleapis.com (Code Assist API)
|
||
# - Auto scopes: cloud-platform + userinfo.email + userinfo.profile
|
||
# - OAuth Client: Can use built-in Gemini CLI client (留空即可)
|
||
# - Requires: Google Cloud Platform project with Code Assist enabled
|
||
#
|
||
# 2. AI Studio OAuth (不需要 project_id)
|
||
# - Uses: generativelanguage.googleapis.com (AI Studio API)
|
||
# - Default scopes: generative-language
|
||
# - OAuth Client: Requires your own OAuth 2.0 Client (内置 Gemini CLI client 不能申请 generative-language scope)
|
||
# - Requires: Create OAuth 2.0 Client in GCP Console + OAuth consent screen
|
||
# - Setup Guide: https://ai.google.dev/gemini-api/docs/oauth
|
||
# - ⚠️ IMPORTANT: OAuth Client 必须发布为正式版本 (Production)
|
||
# Testing 模式限制: 只能添加 100 个测试用户, refresh token 7 天后过期
|
||
# 发布步骤: GCP Console → OAuth consent screen → PUBLISH APP
|
||
#
|
||
# Configuration:
|
||
# Leave empty to use the built-in Gemini CLI OAuth client (Code Assist OAuth only).
|
||
# To enable AI Studio OAuth, set your own OAuth client ID/secret here.
|
||
GEMINI_OAUTH_CLIENT_ID=
|
||
GEMINI_OAUTH_CLIENT_SECRET=
|
||
# Optional; leave empty to auto-select scopes based on oauth_type
|
||
GEMINI_OAUTH_SCOPES=
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# Gemini Quota Policy (OPTIONAL, local simulation)
|
||
# -----------------------------------------------------------------------------
|
||
# JSON overrides for local quota simulation (Code Assist only).
|
||
# Example:
|
||
# GEMINI_QUOTA_POLICY={"tiers":{"LEGACY":{"pro_rpd":50,"flash_rpd":1500,"cooldown_minutes":30},"PRO":{"pro_rpd":1500,"flash_rpd":4000,"cooldown_minutes":5},"ULTRA":{"pro_rpd":2000,"flash_rpd":0,"cooldown_minutes":5}}}
|
||
GEMINI_QUOTA_POLICY=
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# Ops Monitoring Configuration (运维监控配置)
|
||
# -----------------------------------------------------------------------------
|
||
# Enable ops monitoring features (background jobs and APIs)
|
||
# 是否启用运维监控功能(后台任务和接口)
|
||
# Set to false to hide ops menu in sidebar and disable all ops features
|
||
# 设置为 false 可在左侧栏隐藏运维监控菜单并禁用所有运维监控功能
|
||
OPS_ENABLED=true
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# Update Configuration (在线更新配置)
|
||
# -----------------------------------------------------------------------------
|
||
# Proxy URL for accessing GitHub (used for online updates and pricing data)
|
||
# 用于访问 GitHub 的代理地址(用于在线更新和定价数据获取)
|
||
# Supports: http, https, socks5, socks5h
|
||
# Examples:
|
||
# HTTP proxy: http://127.0.0.1:7890
|
||
# SOCKS5 proxy: socks5://127.0.0.1:1080
|
||
# With authentication: http://user:pass@proxy.example.com:8080
|
||
# Leave empty for direct connection (recommended for overseas servers)
|
||
# 留空表示直连(适用于海外服务器)
|
||
UPDATE_PROXY_URL=
|