burp-ui/share/burpui/etc/burpui.sample.cfg

# Burp-UI configuration file
[Global]
# burp backend to load either one of 'burp1', 'burp2', 'parallel' or 'multi'.
# If you choose 'multi', you will have to declare at lease one 'Agent' section.
# If you choose 'parallel', you need to configure the [Parallel] section.
# If you choose either 'burp1' or 'burp2', you need to configure the [Burp]
# section.
# The [Burp] section is also used with the 'parallel' backend for the restoration
# process.
# You can also use whatever custom backend you like if it is located in the
# 'plugins' directory and if it implements the right interface.
backend = burp2
# authentication plugin (mandatory)
# list the misc/auth directory to see the available backends
# to disable authentication you can set "auth = none"
# you can also chain multiple backends. Example: "auth = ldap,basic"
# the order will be respected unless you manually set a higher backend priority
auth = basic
# acl plugin (chainable, see 'auth' plugin option)
# list misc/acl directory to see the available backends
# default is no ACL
acl = basic
# audit logger plugin (chainable, see 'auth' plugin option)
# list the misc/audit directory to see the available backends
# default is no audit log
audit = basic
# list of paths to look for external plugins
plugins = none

[UI]
# refresh interval of the pages in seconds
refresh = 180
# refresh interval of the live-monitoring page in seconds
liverefresh = 30
# list of labels to ignore (you can use regex)
ignore_labels = "color:.*", "custom:.*"
# format label using sed-like syntax
format_labels = "s/^os:\s*//"
# default strip leading path value for file restorations
default_strip = 0

[Production]
# storage backend for session and cache
# may be either 'default' or 'redis'
storage = default
# session database to use
# may also be a backend url like: redis://localhost:6379/0
# if set to 'redis', the backend url defaults to:
# redis://<redis_host>:<redis_port>/0
# where <redis_host> is the host part, and <redis_port> is the port part of
# the below "redis" setting
session = default
# cache database to use
# may also be a backend url like: redis://localhost:6379/0
# if set to 'redis', the backend url defaults to:
# redis://<redis_host>:<redis_port>/1
# where <redis_host> is the host part, and <redis_port> is the port part of
# the below "redis" setting
cache = default
# redis server to connect to
redis = localhost:6379
# whether to use celery or not
# may also be a broker url like: redis://localhost:6379/0
# if set to "true", the broker url defaults to:
# redis://<redis_host>:<redis_port>/2
# where <redis_host> is the host part, and <redis_port> is the port part of
# the above "redis" setting
celery = false
# database url to store some persistent data
# none or a connect string supported by SQLAlchemy:
# http://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls
# example: sqlite:////var/lib/burpui/store.db
database = none
# whether to rate limit the API or not
# may also be a redis url like: redis://localhost:6379/0
# if set to "true" or "redis" or "default", the url defaults to:
# redis://<redis_host>:<redis_port>/3
# where <redis_host> is the host part, and <redis_port> is the port part of
# the above "redis" setting
# Note: the limiter only applies to the API routes
limiter = false
# limiter ratio
# see https://flask-limiter.readthedocs.io/en/stable/#ratelimit-string
ratio = 60/minute
# you can change the prefix if you are behind a reverse-proxy under a custom
# root path. For example: /burpui
# You can also configure your reverse-proxy to announce the prefix through the
# 'X-Script-Name' header. In this case, the bellow prefix will be ignored in
# favour of the one announced by your reverse-proxy
prefix = none
# ProxyFix
# number of reverse-proxy to trust in order to retrieve some HTTP headers
# All the details can be found here:
# https://werkzeug.palletsprojects.com/en/0.15.x/middleware/proxy_fix/#module-werkzeug.middleware.proxy_fix
num_proxies = 0
# alternatively, you can specify your own ProxyFix args.
# The default is: "{'x_proto': {num_proxies}, 'x_for': {num_proxies}, 'x_host': {num_proxies}, 'x_prefix': {num_proxies}}"
# if num_proxies > 0, else it defaults to ProxyFix defaults
proxy_fix_args = "{'x_proto': {num_proxies}, 'x_for': {num_proxies}, 'x_host': {num_proxies}, 'x_prefix': {num_proxies}}"

[WebSocket]
## This section contains WebSocket server specific options.
# whether to enable websocket or not
enabled = true
# whether to embed the websocket server or not
# if set to "true", you should have only *one* gunicorn worker
# see here for details:
# https://flask-socketio.readthedocs.io/en/latest/#gunicorn-web-server
embedded = false
# what broker to use to interact between websocket servers
# may be a redis url like: redis://localhost:6379/0
# if set to "true" or "redis" or "default", the url defaults to:
# redis://<redis_host>:<redis_port>/4
# where <redis_host> is the host part, and <redis_port> is the port part of
# the above "redis" setting
# set this to none to disable the broker
broker = redis
# if you choose to run a dedicated websocket server (with embedded = false)
# you can specify here the websocket url. You'll need to double quote your
# string though.
# example:
# url = "document.domain + ':5001'"
url = none
# whether to enable verbose websocket server logs or not (for development)
debug = false

[Security]
## This section contains some security options. Make sure you understand the
## security implications before changing these.
# list of 'root' paths allowed when sourcing files in the configuration.
# Set this to 'none' if you don't want any restrictions, keeping in mind this
# can lead to accessing sensible files. Defaults to '/etc/burp'.
# Note: you can have several paths separated by comas.
# Example: /etc/burp,/etc/burp.d
includes = /etc/burp
# if files already included in config do not respect the above restriction, we
# prune them
enforce = false
# enable certificates revocation
revoke = true
# remember_cookie duration in days
cookietime = 14
# number of days of inactivity before invalidating a session (suppose your
# browser is open for days/months, your session will never expire, unless you
# set this to a positive value)
# if set to 0 sessions will last forever
# Note: this requires the use of a database to work
sessiontime = 5
# whether to use a secure cookie for https or not. If set to false, cookies
# won't have the 'secure' flag.
# This setting is only useful when HTTPS is detected
scookie = true
# application secret to secure cookies. If you don't set anything, the default
# value is 'random' which will generate a new secret after every restart of your
# application. You can also set it to 'none' although this is not recommended.
# /!\ YOU CANNOT USE THE MAGIC 'random' VALUE WHEN USING GUNICORN /!\
appsecret = random

[Experimental]
## This section contains some experimental features that have not been deeply
## tested yet
# enable zip64 feature. Python doc says:
# « ZIP64 extensions are disabled by default because the default zip and unzip
# commands on Unix (the InfoZIP utilities) don’t support these extensions. »
zip64 = true
# disable server initiated restoration if `bconfcli` file contains
# `server_can_restore = 0`
noserverrestore = false

# burp backend specific options
[Burp]
# burp status address (can only be '127.0.0.1' or '::1')
# DEPRECATED
#bhost = ::1
# burp status port
# DEPRECATED
#bport = 4972
# burp binary
burpbin = /usr/sbin/burp
# vss_strip binary
stripbin = /usr/bin/vss_strip
# burp client configuration file used for the restoration
bconfcli = /etc/burp/burp.conf
# burp server configuration file used for the setting page
bconfsrv = /etc/burp/burp-server.conf
# temporary directory to use for restoration
tmpdir = /tmp/bui
# how many time to wait for the monitor to answer (in seconds)
timeout = 15
# since burp-2.1.10, timestamps have local offsets, if we detect a burp-server
# version greater than 2.1.10 we'll suppose every backup was made with that
# version. If this is not the case, you may end-up with wrongly computed backup
# dates in the clients overview. For that reason, you can enable the
# 'deep_inspection' option which will check every backup logs in order to
# find out which server version was used.
# The drawback is this process requires some extra work that may slow-down
# burp-ui.
deep_inspection = false

# parallel backend specific options
[Parallel]
# address of the monitor pool
host = ::1
# port of the monitor pool
port = 11111
# how many time to wait for the monitor pool to answer (in seconds)
timeout = 15
# monitor pool password
password = password123456
# enable SSL
ssl = true
# number of operations to process concurrently
# the value should not exceed the pool size you set in the bui-monitor.cfg file
concurrency = 2
# time to wait at startup, mainly used by the bui-agent
# the bui-monitor must be started before your agent, but since it needs to
# initialize its workers first you may need to wait a bit for it to be available
init_wait = 15

# Basic audit backend options
[BASIC:AUDIT]
# Backend priority. Higher is first
priority = 100
# debug level (CRITICAL, ERROR, WARNING, INFO, DEBUG)
# the default is the same as your global application level
level = WARNING
# path to a file to log into
logfile = none
# maximum logfile size
max_bytes = 30 * 1024 * 1024
# number of files to keep
rotate = 5

## ldapauth specific options
#[LDAP:AUTH]
## Backend priority. Higher is first
#priority = 50
## LDAP host
#host = 127.0.0.1
## LDAP port
#port = 389
## Encryption type to LDAP server (none, ssl or tls)
## - try tls if unsure, otherwise ssl on port 636
#encryption = ssl
## specifies if the server certificate must be validated, values can be:
##  - none (certificates are ignored)
##  - optional (not required, but validated if provided)
##  - required (required and validated)
#validate = none
## the file containing the certificates of the certification authorities
#cafile = none
## Attribute to use when searching the LDAP repository
##searchattr = sAMAccountName
#searchattr = uid
## LDAP filter to find users in the LDAP repository
##  - {0} will be replaced by the search attribute
##  - {1} will be replaced by the login name
##filter = (&({0}={1})(burpui=1))
##filter = (&({0}={1})(|(userAccountControl=512)(userAccountControl=66048)))
## LDAP base (quotes are mandatory)
#base = "ou=users,dc=example,dc=com"
## Binddn to list existing users (quotes are mandatory)
#binddn = "cn=admin,dc=example,dc=com"
## Bindpw to list existing users
#bindpw = Sup3rS3cr3tPa$$w0rd

## basicauth specific options
## Note: in case you leave this section commented, the default login/password
## is admin/admin
#[BASIC:AUTH]
## Backend priority. Higher is first
#priority = 100
#admin = password
#user1 = otherpassword

## localauth specific options
## Note: if not running as root, then burp-ui must be run as group 'shadow' to
## allow PAM to work
#[LOCAL:AUTH]
## Backend priority. Higher is first
#priority = 0
## List of local users allowed to login. If you don't set this setting, users
## with uid greater than limit will be able to login
#users = user1,user2
## Minimum uid that will be allowed to login
#limit = 1000

## acl engine global options
#[ACL]
## Enable extended matching rules (enabled by default)
## If the rule is a string like 'user1 = desk*', it will match any client that
## matches 'desk*' no mater what agent it is attached to.
## If it is a coma separated list of strings like 'user1 = desk*,laptop*' it
## will match the first matching rule no mater what agent it is attached to.
## If it is a dict like:
## user1 = '{"agents": ["srv*", "www*"], "clients": ["desk*", "laptop*"]}'
## It will also validate against the agent name.
#extended = true
## If you don't explicitly specify ro/rw grants, what should we assume?
#assume_rw = true
## Enable 'legacy' behavior
## Since v0.6.0, if you don't specify the agents name explicitly, users will be
## granted on every agents where a client matches user's ACL. If you enable the
## 'legacy' behavior, you will need to specify the agents explicitly.
## Note: enabling this option will also disable the extended mode
#legacy = false
## The inheritance order maters, it means depending the order you choose,
## the ACL engine won't handle the grants the same way.
## By default, ACL inherited by groups will have lower priority, unless you
## choose otherwise
#inverse_inheritance = false
## If you specify agents and clients separately, should we link them implicitly?
## For instance, '{"agents": ["agent1", "agent2"], "clients": ["client1", "client2"]}'
## will become: '{"agents": {"agent1": ["client1", "client2"], "agent2": ["client1", "client2"]}}'
#implicit_link = true

## basicacl specific options
## Note: in case you leave this section commented, the user 'admin' will have
## access to all clients whereas other users will only see the client that have
## the same name
#[BASIC:ACL]
## Backend priority. Higher is first
#priority = 100
## List of administrators
#admin = user1,user2
## List of moderators. Users listed here will inherit the grants of the
## 'virtual' user '@moderator'
#+moderator = user5,user6
#@moderator = '{"agents":{"ro":["agent1"]}}'
## NOTE: if you are running single-agent mode, you should specify the ro/rw
## rights of the moderators using this special 'local' agent name:
## NOTE: this is the default when running single-agent mode if you don't
## specify anything else
##@moderator = '{"agents": {"rw": "local"}}'
## Please note the double-quotes and single-quotes on the following lines are
## mandatory!
## You can also overwrite the default behavior by specifying which clients a
## user can access
## Suppose you are running single-agent mode (the default), you only need to
## specify a list of clients a user can access:
#user3 = '{"clients": {"ro": ["prod*"], "rw": ["dev*", "test1"]}}'
## In case you are not in a single mode, you can also specify which clients
## a user can access on a specific Agent
#user4 = '{"agents": {"agent1": ["client6", "client7"], "agent2": ["client8"]}}'
## You can define read-only and/or read-write grants using:
#user5 = '{"agents": {"www*": {"ro": ["desk*"], "rw": ["desk1"]}}}'
## Finally, you can define groups using the syntax "@groupname" and adding
## members using "+groupname". Note: groups can inherit groups!
#@group1 = '{"agents": {"ro": ["*"]}}'
#@group2 = '{"clients": {"rw": ["dev*"]}}'
#+group1 = @group2
#+group2 = user5
## As a result, user5 will be granted the following rights:
## '{"ro": {"agents": ["*", "agent1"], "www*": ["desk*"]}, "rw": {"clients": ["dev*"], "www*": ["desk1"]}}
## You can also explicitly exclude some clients from a rule:
## '{"agents": {"agent1": {"rw": ["client.*"], "exclude": ["client.win*"]}}}'
## With the above rule, every client named "client.something" will be considered
## "rw" on "agent1" except those starting with "client.win".
## Finally, you can specify per rule evaluation order. The default being:
## 1) exclude rules 2) rw 3) ro
## With the default evaluation order, the following rule:
## '{"agents": {"agent1": {"rw": ["client.*"], "ro": ["client.specific.*"]}}}'
## will consider "client.specific.test" as "rw", whereas with the following
## '{"order": ["ro", "rw"], "agents": {"agent1": {"rw": ["client.*"], "ro": ["client.specific.*"]}}}'
## "client.specific.test" will match "ro" first and hence won't be considered "rw"

## If you set backend to 'multi', add at least one section like this per
## bui-agent
#[Agent:agent1]
## bui-agent address
#host = ::1
## bui-agent port
#port = 10000
## bui-agent password
#password = azerty
## enable SSL
#ssl = true

#[Agent:agent2]
## bui-agent address
#host = 192.168.2.1
## bui-agent port
#port = 10000
## bui-agent password
#password = ytreza
## enable SSL
#ssl = true