Environment Variables

This is a list of the environment variables used by the VC Publisher.

Required Environment Variables

Environment Variable Description

ROOT_URL

The URL at which the VC Publisher is available. If a proxy is used, this should be the URL at which the proxy is accessible. The port needs to be included if it is not the default (80 or 443).

MONGO_URL

The URL where the MongoDB can be accessed (e.g. mongodb://localhost:27017/publisher). It can also point to an externally hosted MongoDB service.

ROOT_PATH

The installation directory of the VC Publisher.

PUBLIC_DATA_PATH

Folder for streaming data, datasources, databuckets and plugins, which is served by the VC Publisher. This directory can get quite large depending on the amount of data that is stored on the VC Publisher.

PRIVATE_DATA_PATH

Folder for temporary task data and job logs. It is not served.

VCS_INITIAL_USER

The initial user. Used only if no other user exists. (Required on first installation.)

VCS_INITIAL_PASSWORD

The password of the initial user. Only used together with VCS_INITIAL_USER. (Required on first installation.)

Optional Environment Variables

Environment Variable Description Default

PORT

The port on which the publisher should listen.

3003

HOST

The host address on which the publisher should listen.

0.0.0.0

HELP_URL

The URL where the Help can be accessed.

https://help.vc.systems/{locale}/vc-publisher/{version}/

LOG_LEVEL

Can be debug, info, warn, error or silent. You can also pass an object in JSON notation where the key is the log name and the value is the level for that log: {"access":"silent"} turns off access logging.

info

LOG_DIR

The directory into which log files are written. Logs are rotated daily. If not provided, logs are written to stdout.

stdout

LOG_RETENTION_DAYS

The number of days to keep rotated log files. Accepts a single value (applies to all log types) or a JSON object with per-log-type retention (e.g., {"access":1, "audit":30}). Use -1 to retain logs indefinitely. This has no effect if LOG_DIR is not provided.

{ "access": 7, "audit": 30, "app": 30, "vcjob-runner": 30 }

TRUST_PROXY

Set to true if the publisher is behind a reverse proxy that handles SSL termination and/or forwards client IP addresses via X-Forwarded-For headers. See Fastify Documentation. Allowed options: boolean, number, [ipRange]

-

SSL_PFX_PATH

Path to PFX/PKCS12 certificate file for HTTPS

-

SSL_PASSPHRASE

Passphrase for encrypted SSL certificates (PFX or PEM private key files)

-

SSL_CERT_PATH

Path to SSL certificate file (PEM format). Must be used together with SSL_KEY_PATH

-

SSL_KEY_PATH

Path to SSL private key file (PEM format). Must be used together with SSL_CERT_PATH

-

SSL_CA_PATH

Path to SSL CA certificate file (PEM format) for certificate chains

-

HTTP_REDIRECT_TO_HTTPS

Redirect HTTP traffic to HTTPS (true/false). Only effective when SSL is enabled

-

HTTP_PORT

Port for HTTP server when HTTP_REDIRECT_TO_HTTPS is enabled.

80

UNSAFE_LEGACY_DATASOURCE_SEND_FILE

Allow the hosting of executable browser code (like jsx?|html?|mht(ml)?) via /datasource-data for legacy datasources only. Set to true to activate.

-

LOGIN_TOKEN_EXPIRATION

The expiration time of the login token in DAYS. If left empty, the default is used.

1 day

CORS_ORIGIN

Can be used to configure a CORS header. May be a hostname, a list of hostnames as a JSON array, or true for *. (foo: one host; ["foo", "bar"]: multiple hosts)

-

PARALLEL_JOBS

Configure the number of parallel jobs. If not set, auto-calculated based on system memory and job memory limit.

floor(SystemMemory × 0.8 / (MAX_JOB_MEMORY OR 12GB))

MAX_JOB_MEMORY

Configure the maximum memory (MB) a job can use. If not set, auto-calculated to distribute 80% of system memory across parallel jobs.

floor((SystemMemory × 0.8) / PARALLEL_JOBS)

SESSION_TTL_SECONDS

Can be used to configure the maximum time a session lives in the database (only applies to session cookies without maxAge set).

30 days

SESSION_REMEMBERME_SECONDS

Can be used to configure the time a session is valid when the user selects rememberMe (sets maxAge on the cookie).

30 days

PUBLIC_DATASOURCE_DATA

Will set datasource-data hosting to public, so the URL http://publisher/datasource-data/datasourceId can be used from external Services. If not set, authentication is required.

-

NO_RESPONSE_COMPRESSION

Disables response compression for all responses (true/false).

-

UNSAFE_INLINE_STYLE_CSP

Allows 'unsafe-inline' for style-src-elem in the Content-Security-Policy header, which is required when using VC Map versions prior to 6.3 (true/false). Has no effect when APP_HELMET_CONFIGURATION is also configured.

-

APP_HELMET_CONFIGURATION

Allows you to configure Helmet for app & datasource previews. See helmet.js for options. Has no effect if NO_HELMET_SECURITY is true.

See Default Helmet configuration.

NO_HELMET_SECURITY

Turns off the Helmet integration. Can be enabled if a proxy already sets the relevant security headers (true/false).

-

FAILED_JOB_RETENTION_DAYS

The number of days to keep failed jobs before they are cleaned up by the background task. Set to -1 to deactivate the cleanup.

7 days
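Several of the variables above only work in combination, and a few relax a default protection. The following pre-deployment check is an added example, not VC Publisher code. It assumes boolean switches are enabled by the string "true" and that PUBLIC_DATASOURCE_DATA counts as enabled whenever it is set; the function name and the sample values are constructed.

```javascript
// Added example, not VC Publisher code. Assumptions: boolean switches are
// enabled by "true"; PUBLIC_DATASOURCE_DATA is enabled whenever it is set.
const isTrue = (v) => String(v ?? "").trim().toLowerCase() === "true";
const isSet = (v) => v !== undefined && String(v).trim() !== "";

function auditPublisherEnv(env) {
  const findings = [];
  const add = (level, name, message) => findings.push({ level, name, message });

  // The PEM certificate and key are only valid as a pair.
  if (isSet(env.SSL_CERT_PATH) !== isSet(env.SSL_KEY_PATH)) {
    add("error", "SSL_KEY_PATH", "SSL_CERT_PATH and SSL_KEY_PATH must be used together");
  }
  const ssl = isSet(env.SSL_PFX_PATH) ||
    (isSet(env.SSL_CERT_PATH) && isSet(env.SSL_KEY_PATH));
  if (isTrue(env.HTTP_REDIRECT_TO_HTTPS) && !ssl) {
    add("warn", "HTTP_REDIRECT_TO_HTTPS", "only effective when SSL is enabled");
  }
  // Switches that relax a default protection.
  if (isTrue(env.UNSAFE_LEGACY_DATASOURCE_SEND_FILE)) {
    add("warn", "UNSAFE_LEGACY_DATASOURCE_SEND_FILE", "executable browser code can be hosted via /datasource-data");
  }
  if (isTrue(env.NO_HELMET_SECURITY)) {
    add("warn", "NO_HELMET_SECURITY", "Helmet is off; the proxy must set the security headers");
  }
  if (isTrue(env.CORS_ORIGIN)) {
    add("warn", "CORS_ORIGIN", "true is sent as *; list the allowed hosts instead");
  }
  if (isSet(env.PUBLIC_DATASOURCE_DATA)) {
    add("warn", "PUBLIC_DATASOURCE_DATA", "/datasource-data is served without authentication");
  }
  // Settings that are ignored in this combination.
  if (isSet(env.APP_HELMET_CONFIGURATION) && isTrue(env.UNSAFE_INLINE_STYLE_CSP)) {
    add("info", "UNSAFE_INLINE_STYLE_CSP", "ignored because APP_HELMET_CONFIGURATION is set");
  }
  if (isSet(env.LOG_RETENTION_DAYS) && !isSet(env.LOG_DIR)) {
    add("info", "LOG_RETENTION_DAYS", "has no effect without LOG_DIR");
  }
  return findings;
}

// Constructed sample environment (not taken from a real installation).
const SAMPLE_ENV = {
  SSL_CERT_PATH: "/etc/publisher/tls/cert.pem",
  HTTP_REDIRECT_TO_HTTPS: "true",
  CORS_ORIGIN: "true",
  LOG_RETENTION_DAYS: "14",
};
console.log(auditPublisherEnv(SAMPLE_ENV).map((f) => `${f.level} ${f.name}: ${f.message}`).join("\n"));
```

Pass `process.env` instead of the sample object to check the environment the publisher will actually start with.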

Default Helmet configuration

Below is the default Helmet configuration that is used on the map-preview, app-preview and app-edit routes when APP_HELMET_CONFIGURATION is not set. This configuration sets secure defaults for the Content-Security-Policy header, which can be further customized by setting APP_HELMET_CONFIGURATION.

If you set APP_HELMET_CONFIGURATION, the default configuration will be completely overridden, so you need to include all directives you want to use in your custom configuration.

Default configuration:

{
  "enableCSPNonces": true,
  "contentSecurityPolicy": {
    "directives": {
      "scriptSrc": ["'self'", "'wasm-unsafe-eval'", "'unsafe-eval'"],
      "workerSrc": ["'self'", "blob:", "data:"],
      "styleSrc": ["'self'", "data:"],
      "styleSrcAttr": ["'unsafe-inline'"],
      "imgSrc": ["'self'", "data:", "https:", "blob:", "http:"],
      "connectSrc": [
        "'self'",
        "wss:",
        "https:",
        "data:",
        "http:",
        "ws:",
        "blob:"
      ],
      "upgradeInsecureRequests": null,
      "blockAllMixedContent": []
    }
  },
  "referrerPolicy": {
    "policy": "strict-origin-when-cross-origin"
  }
}

If you need to allow inline styles for style elements (as with UNSAFE_INLINE_STYLE_CSP), include the styleSrcElem array:

{
  "enableCSPNonces": true,
  "contentSecurityPolicy": {
    "directives": {
      "scriptSrc": ["'self'", "'wasm-unsafe-eval'", "'unsafe-eval'"],
      "workerSrc": ["'self'", "blob:", "data:"],
      "styleSrc": ["'self'", "data:"],
      "styleSrcAttr": ["'unsafe-inline'"],
      "styleSrcElem": ["'self'", "data:", "'unsafe-inline'"],
      "imgSrc": ["'self'", "data:", "https:", "blob:", "http:"],
      "connectSrc": [
        "'self'",
        "wss:",
        "https:",
        "data:",
        "http:",
        "ws:",
        "blob:"
      ],
      "upgradeInsecureRequests": null,
      "blockAllMixedContent": []
    }
  },
  "referrerPolicy": {
    "policy": "strict-origin-when-cross-origin"
  }
}
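Because a custom APP_HELMET_CONFIGURATION completely overrides the default, it helps to compare the two before deploying. The following is an added example, not part of the VC Publisher: it reports which default entries a custom configuration leaves out and which CSP sources it adds or removes. The function name, the report shape and the sample input are constructed.

```javascript
// Default directives copied from the "Default configuration" on this page.
const DEFAULT_DIRECTIVES = {
  scriptSrc: ["'self'", "'wasm-unsafe-eval'", "'unsafe-eval'"],
  workerSrc: ["'self'", "blob:", "data:"],
  styleSrc: ["'self'", "data:"],
  styleSrcAttr: ["'unsafe-inline'"],
  imgSrc: ["'self'", "data:", "https:", "blob:", "http:"],
  connectSrc: ["'self'", "wss:", "https:", "data:", "http:", "ws:", "blob:"],
  upgradeInsecureRequests: null,
  blockAllMixedContent: [],
};
const asList = (v) => (Array.isArray(v) ? v : []);

// Compare a custom APP_HELMET_CONFIGURATION (JSON string) with the default.
function diffHelmetConfig(customJson) {
  const custom = JSON.parse(customJson);
  const directives = custom?.contentSecurityPolicy?.directives ?? {};
  const report = { missing: [], added: {}, removed: {} };
  for (const [name, defaults] of Object.entries(DEFAULT_DIRECTIVES)) {
    if (!(name in directives)) {
      report.missing.push(name); // default directive not carried over
      continue;
    }
    const mine = asList(directives[name]);
    const added = mine.filter((s) => !asList(defaults).includes(s));
    const removed = asList(defaults).filter((s) => !mine.includes(s));
    if (added.length) report.added[name] = added;
    if (removed.length) report.removed[name] = removed;
  }
  // Directives the default does not define at all (e.g. styleSrcElem).
  for (const name of Object.keys(directives)) {
    if (!(name in DEFAULT_DIRECTIVES)) report.added[name] = asList(directives[name]);
  }
  // Top-level settings of the default configuration.
  for (const key of ["enableCSPNonces", "referrerPolicy"]) {
    if (!(key in custom)) report.missing.push(key);
  }
  return report;
}

// Constructed sample: only the one directive the operator wanted to change.
const SAMPLE_CUSTOM = JSON.stringify({
  contentSecurityPolicy: {
    directives: { styleSrcElem: ["'self'", "data:", "'unsafe-inline'"] },
  },
});
console.log(JSON.stringify(diffHelmetConfig(SAMPLE_CUSTOM), null, 2));
```

For the sample, every default directive and both top-level settings are reported as missing, which is the situation the override note above describes.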