Docker install

InterDiode provides Docker/OCI images in its Docker repository. You can either always pull the latest stable tag or rely on a separate tool that keeps Docker images up to date.

This guide explains the setup based on docker-compose; installing docker-compose itself is out of the scope of this documentation, so please follow the official install instructions.

If you want to use the built-in air gap protocol (UDP packets), you are responsible for adding the red side's MAC address to the ARP cache of the host machine before using it: no ARP reply can come back over a one-way link, so the host cannot resolve the destination address by itself. This must be done on the host machine, not in the Docker container.
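As an added example (not part of the InterDiode project or its documentation), the following POSIX shell script installs that static entry on the host from the RED_DESTINATION_IP and RED_DESTINATION_MAC values of compose-black.env. The interface name passed as IFACE, the script and function names, and the use of ip(8) with a permanent neighbour entry are this example's own choices, not something the product prescribes.

```shell
#!/bin/sh
# Added example, not part of the InterDiode project. Pins the red side's MAC
# address as a permanent neighbour (ARP) entry on the black-side host, using the
# RED_DESTINATION_IP and RED_DESTINATION_MAC values from compose-black.env.
# Assumed: the outgoing interface name (IFACE) is supplied by the operator, and
# the commands run as root or with CAP_NET_ADMIN on the host, not in a container.

# read_env_value FILE KEY: print the value of KEY with its quotes removed
# (addresses never contain embedded quotes, so stripping all of them is safe).
read_env_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d "'\""
}

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# valid_mac ADDR: succeed only for six colon-separated hexadecimal bytes.
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# arp_command ENVFILE IFACE: print the ip(8) command that installs the static
# entry, or fail with a message when the env file values are unusable.
arp_command() {
    ip_addr=$(read_env_value "$1" RED_DESTINATION_IP)
    mac=$(read_env_value "$1" RED_DESTINATION_MAC)
    if ! valid_ipv4 "$ip_addr"; then
        echo "RED_DESTINATION_IP is not a valid IPv4 address: '$ip_addr'" >&2
        return 1
    fi
    if ! valid_mac "$mac"; then
        echo "RED_DESTINATION_MAC is not a valid MAC address: '$mac'" >&2
        return 1
    fi
    # 'nud permanent' keeps the entry out of the normal ARP ageing cycle, so it
    # survives even though no ARP reply will ever arrive from the red side.
    echo "ip neigh replace $ip_addr lladdr $mac dev $2 nud permanent"
}

# install_arp_entry ENVFILE IFACE: run the command, then verify that the kernel
# now reports the entry as PERMANENT.
install_arp_entry() {
    cmd=$(arp_command "$1" "$2") || return 1
    $cmd || return 1
    ip neigh show dev "$2" to "$(read_env_value "$1" RED_DESTINATION_IP)" | grep -q PERMANENT
}

# Usage: sh arp-entry.sh [--dry-run] compose-black.env IFACE
if [ "$1" = "--dry-run" ] && [ $# -eq 3 ]; then
    arp_command "$2" "$3"
elif [ $# -eq 2 ]; then
    install_arp_entry "$1" "$2"
fi
```

Run it on the host, never inside the container: the UDP packets leave through the host's interface, so only the host's neighbour table matters. The --dry-run form prints the command instead of executing it, and both forms reject a malformed address before anything is written, so a typo in the env file is caught before the first transfer is attempted.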

Docker-compose file

Here are the environment files read by docker-compose for the black and red instances. Each variable is followed by a comment that describes it.

compose-black.env
ADMIN_EMAIL=admin@0.0.0.0
# Logged errors are sent to this email address.
ALLOW_LOCAL_USERS=true
# Activate the local user database ('true'/'false').
ALLOW_USER_CREATION=true
# Allow users to create their account themselves when the local database is activated, or the automatic creation of missing users when an HTTP header is used ('true'/'false').
DAILY_UPKEEP=true
# Activate the launch of daily upkeep tasks ('true'/'false').
DATABASE_URL='postgresql://username:password@127.0.0.1:5432/database?ssl_check_hostname=true&ssl_cert_reqs=required&ssl_certfile=./id_tools/tox/localhost.crt&ssl_keyfile=./id_tools/tox/localhost.key&ssl_ca_certs=./id_tools/tox/CA.crt'
# URL of the database. Example: postgresql://interdiode:interdiode@db.interdiode.fr:5432/interdiode_db?ssl_check_hostname=true&ssl_cert_reqs=required&ssl_certfile=/secrets/localhost.crt&ssl_keyfile=/secrets/localhost.key&ssl_ca_certs=/secrets/CA.crt. The ./id_tools/tox/ paths in the value above are test fixtures; point the ssl_* parameters at certificates mounted into the container and keep ssl_cert_reqs=required so that the server certificate is verified.
DATA_ROOT=./django_data
# Directory where all data will be stored (uploaded or temporary files, …). If you change it, you must run the 'interdiode-ctl configuration apply' command again.
DEFAULT_GITHUB_BEARER_TOKEN=''
# GitHub authentication token used by default.
DEFAULT_READTHEDOCS_BEARER_TOKEN=''
# ReadTheDocs authentication token used by default.
DEFAULT_X_BEARER_TOKEN=''
# X (Twitter) authentication token used by default.
DOWNLOAD_FILE_ANALYZER=''
# Dotted path of a Python function to analyze downloaded files.
EMAIL_FROM=webmaster@0.0.0.0
# Email address for automated correspondence from the site managers. This address is used in the From: header of outgoing emails and can take any format valid in the chosen email sending protocol.
EMAIL_HOST_URL=smtp://localhost:9025
# SMTP server for sending admin emails.
# Example: smtp+tls://account@example.com:password@smtp.example.com:587/
EXPORT_FILE_ANALYZER=''
# Dotted path of a Python function to analyze exported files.
FILE_UPLOAD_MAX_MEMORY_SIZE=10000000000
# Maximum size in bytes of a POST request; it must be large enough for uploading files like Vagrant boxes. Do not forget to configure your reverse proxy accordingly.
GIT_ALLOW_LFS=true
# Allow git-lfs usage when git-lfs is installed ('true'/'false').
GIT_EXEC_PATH=git
# Path of the 'git' executable.
GNUPG_PATH=gpg
# Path of the gpg binary.
GROUP_DISABLED_ATTRIBUTES=''
# Comma-separated list of group attributes that cannot be changed. Add 'name' to disable manual group creation/deletion or 'permissions' to disallow permissions changes.
HEADLESS_CHROME_PATH='/Users/flanker/Library/Caches/ms-playwright/chromium-1208/chrome-mac-arm64/Google Chrome for Testing.app/Contents/MacOS/Google Chrome for Testing'
# Path of the 'chrome' executable. The value above is a developer's workstation path; replace it with the path of the browser on the system running InterDiode.
HIDDEN_CSS_SELECTORS=''
# When downloading HTML pages as PDFs, mark these CSS selectors (one per line) as not displayed.
HTTP_REMOTE_GROUPS_HEADER=''
# Set the list of groups in this HTTP header, a common value being "HTTP_X_FORWARDED_GROUPS". Note: the HTTP_ prefix is automatically added, just set X_FORWARDED_GROUPS in the reverse-proxy configuration. Leave empty to disable automatic group assignment. Groups must be comma-separated.
HTTP_REMOTE_USER_HEADER=''
# Set it if the reverse proxy authenticates users, a common value being "HTTP_REMOTE_USER". Note: the HTTP_ prefix is automatically added, just set REMOTE_USER in the reverse-proxy configuration. Leave empty to disable this authentication method. When enabled, the reverse proxy must always set or strip these headers itself, because the application trusts their values and a client could otherwise supply them.
HTTP_SSL_CA_CERTS=''
# CA certificates bundle used for HTTPS requests.
HTTP_SSL_CERTFILE=''
# SSL certificate file, used by the HTTP server.
HTTP_SSL_CIPHERS=''
# SSL Cipher suite to use, in the format of an OpenSSL cipher list.
HTTP_SSL_KEYFILE=''
# SSL key file, used by the HTTP server.
IMPORT_FILE_ANALYZER=''
# Dotted path of a Python function to analyze imported files.
INTERDIODE_MODE=black
# InterDiode mode ('black' on internet or 'red' on intranet).
INTERDIODE_PLUGINS=''
# List of plugins.
KEEP_HAIRGAP_SIZE=10000000000
# Total size of finished transfers to keep before removing data. The more reliable your transfer method is, the lower you can set this value.
KEEP_SOURCE_ACTION_COUNT=100
# Number of actions to keep for each source. Older actions are removed, assuming that their data have been transferred. Deleted actions and data must also be older than the 'prune_retention' delay.
LANGUAGE=en-us
# Default language (defaults to en-us).
LICENSE_KEY=''
# Activate more functions of InterDiode.
LISTEN_ADDRESS=0.0.0.0:8000
# Address your web server listens on (like 127.0.0.1:8000 or :8000).
LOG_DIRECTORY=''
# Write all local logs to this directory.
LOG_LEVEL=warn
# Log level (one of 'debug', 'info', 'warn', 'error' or 'critical').
LOG_REMOTE_ACCESS=false
# If true, HTTP access logs are also sent to syslog/logd ('true'/'false').
LOG_REMOTE_URL=''
# Send logs to the syslog service.
# Examples: syslog+tcp://localhost:514/user, syslog:///local7 or syslog:///dev/log/daemon.
LOG_SLOW_QUERY_DURATION_IN_S=10.0
# Log slow queries that take more than this time (in seconds).
MAIN_STORAGE_DIR=django_data/files/
# Directory for uploaded or downloaded media. Set the absolute path of the main storage directory, or s3:https://access-key:secret-key@domain.name:port/bucket for S3 storage.
PURGE_RETENTION_DAYS=30
# Retention delay (in days) before actually cleaning old data from the database.
REDIS_URL='rediss://:password@127.0.0.1:6379/1?ssl_check_hostname=true&ssl_certfile=./id_tools/tox/localhost.crt&ssl_keyfile=./id_tools/tox/localhost.key&ssl_ca_certs=./id_tools/tox/CA.crt'
# Redis database URL. Example: rediss://:interdiode@redis.interdiode.fr:6379/1?ssl_check_hostname=true&ssl_certfile=/secrets/localhost.crt&ssl_keyfile=/secrets/localhost.key&ssl_ca_certs=/secrets/CA.crt. As for DATABASE_URL, the ./id_tools/tox/ paths above are test fixtures; use certificates mounted into the container and keep the rediss:// scheme so that the connection is encrypted.
RED_DESTINATION_IP=''
# IP address of your red-side InterDiode server.
RED_DESTINATION_MAC=''
# MAC address of your red-side InterDiode server.
RED_DESTINATION_PORT=15124
# Port number of your red-side InterDiode server.
REMOTE_USER_DEFAULT_GROUPS=Users
# Comma-separated list of group names to add to new users that are authenticated by HTTP header, if groups are not specified in another HTTP header.
REQUIRE_NEW_USER_VALIDATION=true
# Require new users to be validated by an administrator ('true'/'false').
RUN_DATA_DIR=django_data/run/
# Directory for process ID (pid) files.
S3_REGION=''
# S3 storage region, when S3 storage is used for downloaded or uploaded media.
SENTRY_DSN=''
# Sentry DSN (see https://sentry.io/) used for reporting errors.
SERVER_BASE_URL=http://0.0.0.0:8000/
# Public URL of your InterDiode instance.
# Defaults to "http://{listen_address}/" but must be different if you use a reverse proxy like Apache or Nginx. Example: https://black.interdiode.fr/.
SHARED_TRANSFER_KEY=secret_key
# Secret shared between the black and red instances for authenticating transfers. Replace the placeholder with a long random value (for example the output of 'openssl rand -hex 32') and set the same value on both sides.
SSH_PATH=ssh
# Path of the 'ssh' executable.
TIME_ZONE=Europe/Paris
# Time zone (defaults to Europe/Paris).
TRANSFER_DIR=django_data/transfers/
# Storage path for export/import operations.
TRANSFER_EXPORT_CHECKSUMS=true
# Verify the SHA3 checksum of all exported files ('true'/'false').
TRANSFER_IMPORT_CHECKSUMS=true
# Verify the SHA3 checksum before importing files ('true'/'false').
TRANSFER_INTERVAL=5
# Time to wait (in seconds) between two UDP or TCP transfers.
TRANSFER_KEEP_CORRUPTED_IMPORTS=false
# Do not delete corrupted import data, e.g. for post-mortem analysis ('true'/'false').
TRANSFER_KEEP_COUNT=100
# Number of finished transfers to keep when removing data. The more reliable your transfer method is, the lower you can set this value.
TRANSFER_KEEP_FAILED_IMPORTS=false
# Do not delete failed imports, e.g. for post-mortem analysis ('true'/'false').
TRANSFER_KEEP_IMPORTS=false
# Do not delete successfully imported exports ('true'/'false').
TRANSFER_KEEP_TRANSFERS=false
# Do not automatically remove network-transferred data ('true'/'false').
TRANSFER_MODE=udp
# Transfer method: UDP, TCP, or manual transfer of the export files.
UDP_TRANSFER_ERROR_CHUNK_SIZE=''
# Size of redundancy blocks of UDP transfers.
UDP_TRANSFER_REDUNDANCY=6.0
# Redundancy factor of UDP transfers.
UDP_TRANSFER_TIMEOUT_S=''
# Transfer timeout, in seconds, of UDP transfers.
USB_SOURCE_CONFIG_DIR=''
# Configuration directory for registered devices.
USER_DISABLED_ATTRIBUTES=''
# Comma-separated list of user attributes that users cannot change.
#  Add 'username' to disable manual user creation/deletion, 'password' to disallow password changes.
#  Other attributes are 'is_active', 'is_superuser', 'groups', 'user_permissions', 'first_name', 'last_name',
#  'email', 'black_username', 'black_email'.
USE_AUTHORIZATION_TOKEN=true
# Allow users to authenticate with their API token ('true'/'false').
USE_HTTP_BASIC_AUTH=true
# Allow HTTP basic auth using the local user database ('true'/'false').
WORKER_PROCESSES=2
# Number of processes for background tasks.
http_proxy=''
# HTTP proxy for all HTTP requests, like [user:passwd@]proxy.server:port

compose-red.env
ADMIN_EMAIL=admin@0.0.0.0
# Logged errors are sent to this email address.
ALLOW_LOCAL_USERS=true
# Activate the local user database ('true'/'false').
ALLOW_USER_CREATION=true
# Allow users to create their account themselves when the local database is activated, or the automatic creation of missing users when an HTTP header is used ('true'/'false').
DAILY_UPKEEP=true
# Activate the launch of daily upkeep tasks ('true'/'false').
DATABASE_URL='postgresql://username:password@127.0.0.1:5432/database?ssl_check_hostname=true&ssl_cert_reqs=required&ssl_certfile=./id_tools/tox/localhost.crt&ssl_keyfile=./id_tools/tox/localhost.key&ssl_ca_certs=./id_tools/tox/CA.crt'
# URL of the database. Example: postgresql://interdiode:interdiode@db.interdiode.fr:5432/interdiode_db?ssl_check_hostname=true&ssl_cert_reqs=required&ssl_certfile=/secrets/localhost.crt&ssl_keyfile=/secrets/localhost.key&ssl_ca_certs=/secrets/CA.crt. The ./id_tools/tox/ paths in the value above are test fixtures; point the ssl_* parameters at certificates mounted into the container and keep ssl_cert_reqs=required so that the server certificate is verified.
DATA_ROOT=./django_data
# Directory where all data will be stored (uploaded or temporary files, …). If you change it, you must run the 'interdiode-ctl configuration apply' command again.
DEFAULT_GITHUB_BEARER_TOKEN=''
# GitHub authentication token used by default.
DEFAULT_READTHEDOCS_BEARER_TOKEN=''
# ReadTheDocs authentication token used by default.
DEFAULT_X_BEARER_TOKEN=''
# X (Twitter) authentication token used by default.
DOWNLOAD_FILE_ANALYZER=''
# Dotted path of a Python function to analyze downloaded files.
EMAIL_FROM=webmaster@0.0.0.0
# Email address for automated correspondence from the site managers. This address is used in the From: header of outgoing emails and can take any format valid in the chosen email sending protocol.
EMAIL_HOST_URL=smtp://localhost:9025
# SMTP server for sending admin emails.
# Example: smtp+tls://account@example.com:password@smtp.example.com:587/
EXPORT_FILE_ANALYZER=''
# Dotted path of a Python function to analyze exported files.
FILE_UPLOAD_MAX_MEMORY_SIZE=10000000000
# Maximum size in bytes of a POST request; it must be large enough for uploading files like Vagrant boxes. Do not forget to configure your reverse proxy accordingly.
GIT_ALLOW_LFS=true
# Allow git-lfs usage when git-lfs is installed ('true'/'false').
GIT_EXEC_PATH=git
# Path of the 'git' executable.
GNUPG_PATH=gpg
# Path of the gpg binary.
GROUP_DISABLED_ATTRIBUTES=''
# Comma-separated list of group attributes that cannot be changed. Add 'name' to disable manual group creation/deletion or 'permissions' to disallow permissions changes.
HEADLESS_CHROME_PATH='/Users/flanker/Library/Caches/ms-playwright/chromium-1208/chrome-mac-arm64/Google Chrome for Testing.app/Contents/MacOS/Google Chrome for Testing'
# Path of the 'chrome' executable. The value above is a developer's workstation path; replace it with the path of the browser on the system running InterDiode.
HIDDEN_CSS_SELECTORS=''
# When downloading HTML pages as PDFs, mark these CSS selectors (one per line) as not displayed.
HTTP_REMOTE_GROUPS_HEADER=''
# Set the list of groups in this HTTP header, a common value being "HTTP_X_FORWARDED_GROUPS". Note: the HTTP_ prefix is automatically added, just set X_FORWARDED_GROUPS in the reverse-proxy configuration. Leave empty to disable automatic group assignment. Groups must be comma-separated.
HTTP_REMOTE_USER_HEADER=''
# Set it if the reverse proxy authenticates users, a common value being "HTTP_REMOTE_USER". Note: the HTTP_ prefix is automatically added, just set REMOTE_USER in the reverse-proxy configuration. Leave empty to disable this authentication method. When enabled, the reverse proxy must always set or strip these headers itself, because the application trusts their values and a client could otherwise supply them.
HTTP_SSL_CA_CERTS=''
# CA certificates bundle used for HTTPS requests.
HTTP_SSL_CERTFILE=''
# SSL certificate file, used by the HTTP server.
HTTP_SSL_CIPHERS=''
# SSL Cipher suite to use, in the format of an OpenSSL cipher list.
HTTP_SSL_KEYFILE=''
# SSL key file, used by the HTTP server.
IMPORT_FILE_ANALYZER=''
# Dotted path of a Python function to analyze imported files.
INTERDIODE_MODE=red
# InterDiode mode ('black' on internet or 'red' on intranet).
INTERDIODE_PLUGINS=''
# List of plugins.
KEEP_HAIRGAP_SIZE=10000000000
# Total size of finished transfers to keep before removing data. The more reliable your transfer method is, the lower you can set this value.
KEEP_SOURCE_ACTION_COUNT=100
# Number of actions to keep for each source. Older actions are removed, assuming that their data have been transferred. Deleted actions and data must also be older than the 'prune_retention' delay.
LANGUAGE=en-us
# Default language (defaults to en-us).
LICENSE_KEY=''
# Activate more functions of InterDiode.
LISTEN_ADDRESS=0.0.0.0:8000
# Address your web server listens on (like 127.0.0.1:8000 or :8000).
LOG_DIRECTORY=''
# Write all local logs to this directory.
LOG_LEVEL=warn
# Log level (one of 'debug', 'info', 'warn', 'error' or 'critical').
LOG_REMOTE_ACCESS=false
# If true, HTTP access logs are also sent to syslog/logd ('true'/'false').
LOG_REMOTE_URL=''
# Send logs to the syslog service.
# Examples: syslog+tcp://localhost:514/user, syslog:///local7 or syslog:///dev/log/daemon.
LOG_SLOW_QUERY_DURATION_IN_S=10.0
# Log slow queries that take more than this time (in seconds).
MAIN_STORAGE_DIR=django_data/files/
# Directory for uploaded or downloaded media. Set the absolute path of the main storage directory, or s3:https://access-key:secret-key@domain.name:port/bucket for S3 storage.
PURGE_RETENTION_DAYS=30
# Retention delay (in days) before actually cleaning old data from the database.
REDIS_URL='rediss://:password@127.0.0.1:6379/1?ssl_check_hostname=true&ssl_certfile=./id_tools/tox/localhost.crt&ssl_keyfile=./id_tools/tox/localhost.key&ssl_ca_certs=./id_tools/tox/CA.crt'
# Redis database URL. Example: rediss://:interdiode@redis.interdiode.fr:6379/1?ssl_check_hostname=true&ssl_certfile=/secrets/localhost.crt&ssl_keyfile=/secrets/localhost.key&ssl_ca_certs=/secrets/CA.crt. As for DATABASE_URL, the ./id_tools/tox/ paths above are test fixtures; use certificates mounted into the container and keep the rediss:// scheme so that the connection is encrypted.
RED_DESTINATION_IP=''
# IP address of your red-side InterDiode server.
RED_DESTINATION_MAC=''
# MAC address of your red-side InterDiode server.
RED_DESTINATION_PORT=15124
# Port number of your red-side InterDiode server.
REMOTE_USER_DEFAULT_GROUPS=Users
# Comma-separated list of group names to add to new users that are authenticated by HTTP header, if groups are not specified in another HTTP header.
REQUIRE_NEW_USER_VALIDATION=true
# Require new users to be validated by an administrator ('true'/'false').
RUN_DATA_DIR=django_data/run/
# Directory for process ID (pid) files.
S3_REGION=''
# S3 storage region, when S3 storage is used for downloaded or uploaded media.
SENTRY_DSN=''
# Sentry DSN (see https://sentry.io/) used for reporting errors.
SERVER_BASE_URL=http://0.0.0.0:8000/
# Public URL of your InterDiode instance.
# Defaults to "http://{listen_address}/" but must be different if you use a reverse proxy like Apache or Nginx. Example: https://black.interdiode.fr/.
SHARED_TRANSFER_KEY=secret_key
# Secret shared between the black and red instances for authenticating transfers. Replace the placeholder with a long random value (for example the output of 'openssl rand -hex 32') and set the same value on both sides.
SSH_PATH=ssh
# Path of the 'ssh' executable.
TIME_ZONE=Europe/Paris
# Time zone (defaults to Europe/Paris).
TRANSFER_DIR=django_data/transfers/
# Storage path for export/import operations.
TRANSFER_EXPORT_CHECKSUMS=true
# Verify the SHA3 checksum of all exported files ('true'/'false').
TRANSFER_IMPORT_CHECKSUMS=true
# Verify the SHA3 checksum before importing files ('true'/'false').
TRANSFER_INTERVAL=5
# Time to wait (in seconds) between two UDP or TCP transfers.
TRANSFER_KEEP_CORRUPTED_IMPORTS=false
# Do not delete corrupted import data, e.g. for post-mortem analysis ('true'/'false').
TRANSFER_KEEP_COUNT=100
# Number of finished transfers to keep when removing data. The more reliable your transfer method is, the lower you can set this value.
TRANSFER_KEEP_FAILED_IMPORTS=false
# Do not delete failed imports, e.g. for post-mortem analysis ('true'/'false').
TRANSFER_KEEP_IMPORTS=false
# Do not delete successfully imported exports ('true'/'false').
TRANSFER_KEEP_TRANSFERS=false
# Do not automatically remove network-transferred data ('true'/'false').
TRANSFER_MODE=udp
# Transfer method: UDP, TCP, or manual transfer of the export files.
UDP_TRANSFER_ERROR_CHUNK_SIZE=''
# Size of redundancy blocks of UDP transfers.
UDP_TRANSFER_REDUNDANCY=6.0
# Redundancy factor of UDP transfers.
UDP_TRANSFER_TIMEOUT_S=''
# Transfer timeout, in seconds, of UDP transfers.
USB_SOURCE_CONFIG_DIR=''
# Configuration directory for registered devices.
USER_DISABLED_ATTRIBUTES=''
# Comma-separated list of user attributes that users cannot change.
#  Add 'username' to disable manual user creation/deletion, 'password' to disallow password changes.
#  Other attributes are 'is_active', 'is_superuser', 'groups', 'user_permissions', 'first_name', 'last_name',
#  'email', 'black_username', 'black_email'.
USE_AUTHORIZATION_TOKEN=true
# Allow users to authenticate with their API token ('true'/'false').
USE_HTTP_BASIC_AUTH=true
# Allow HTTP basic auth using the local user database ('true'/'false').
WORKER_PROCESSES=2
# Number of processes for background tasks.
http_proxy=''
# HTTP proxy for all HTTP requests, like [user:passwd@]proxy.server:port
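The two files above are mostly placeholders, and several of them are security-relevant: the transfer secret, the scheme of SERVER_BASE_URL, certificate verification for PostgreSQL and Redis, the developer-workstation browser path, and INTERDIODE_MODE, which must be 'black' in one file and 'red' in the other. As an added example that is not InterDiode's own tooling, the following POSIX shell script checks both files before deployment. It only reads keys that appear in the listings; the 32-character minimum for SHARED_TRANSFER_KEY, the expected-mode argument, the open-registration rule and the script name are its own assumptions.

```shell
#!/bin/sh
# Added example, not InterDiode's own tooling: pre-deployment checks for the
# compose-black.env and compose-red.env files. Only keys present in those files
# are read; the 32-character key minimum and the expected mode are assumptions.

# env_get FILE KEY: value of KEY with quotes removed (the values checked here
# never contain embedded quotes).
env_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d "'\""
}

# finding MESSAGE: report one problem for the file currently being checked.
finding() {
    echo "$LINT_FILE: $1"
    LINT_COUNT=$((LINT_COUNT + 1))
}

# lint_env FILE MODE: print one line per finding; the exit status is the number
# of findings (0 means the file passed). MODE is the INTERDIODE_MODE the file
# is meant to carry ('black' or 'red').
lint_env() {
    LINT_FILE=$1
    LINT_COUNT=0
    mode=$(env_get "$1" INTERDIODE_MODE)
    [ "$mode" = "$2" ] || finding "INTERDIODE_MODE is '$mode', expected '$2'"

    key=$(env_get "$1" SHARED_TRANSFER_KEY)
    [ "$key" != "secret_key" ] || finding "SHARED_TRANSFER_KEY still has the placeholder value"
    [ ${#key} -ge 32 ] || finding "SHARED_TRANSFER_KEY is shorter than 32 characters"

    case "$(env_get "$1" SERVER_BASE_URL)" in
        https://*) ;;
        *) finding "SERVER_BASE_URL is not an https:// URL" ;;
    esac
    case "$(env_get "$1" DATABASE_URL)" in
        *ssl_cert_reqs=required*) ;;
        *) finding "DATABASE_URL does not set ssl_cert_reqs=required (server certificate not verified)" ;;
    esac
    case "$(env_get "$1" REDIS_URL)" in
        rediss://*) ;;
        *) finding "REDIS_URL does not use TLS (rediss://)" ;;
    esac
    case "$(env_get "$1" HEADLESS_CHROME_PATH)" in
        /Users/*|/home/*) finding "HEADLESS_CHROME_PATH points into a workstation home directory" ;;
    esac
    if [ "$(env_get "$1" ALLOW_USER_CREATION)" = "true" ] &&
       [ "$(env_get "$1" REQUIRE_NEW_USER_VALIDATION)" != "true" ]; then
        finding "self-registration is open (ALLOW_USER_CREATION=true) without administrator validation"
    fi
    return "$LINT_COUNT"
}

# lint_pair BLACK_ENV RED_ENV: check both files and, since transfers are
# authenticated with SHARED_TRANSFER_KEY on both sides, that the key matches.
# The exit status is the total number of findings.
lint_pair() {
    total=0
    lint_env "$1" black || total=$((total + $?))
    lint_env "$2" red || total=$((total + $?))
    if [ "$(env_get "$1" SHARED_TRANSFER_KEY)" != "$(env_get "$2" SHARED_TRANSFER_KEY)" ]; then
        echo "SHARED_TRANSFER_KEY differs between $1 and $2"
        total=$((total + 1))
    fi
    return "$total"
}

# Usage: sh lint-env.sh compose-black.env compose-red.env
if [ $# -eq 2 ]; then
    lint_pair "$1" "$2"
fi
```

Run against the two files exactly as listed, the script reports the placeholder transfer key (and its short length), the plain-http SERVER_BASE_URL and the workstation browser path in each file, plus the mode mismatch in whichever file does not carry the mode it is meant to; a pair of files that passes exits with status 0, which makes it usable as a gate in a deployment pipeline.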

Environment

Black side-only parameters:

Red side-only parameters:

For this demonstration, most settings are common to both instances: