Faraday Server Configuration Reference¶

Faraday Server v5.19.0 — Complete server.ini and runtime settings reference.

Configuration Architecture¶

Faraday uses a two-tier configuration system:

INI-based (server.ini) — Static settings loaded at server startup. Changes require a server restart. Managed by editing the file directly.
Database-backed (Settings API) — Dynamic settings stored in the PostgreSQL configuration table as JSON. Managed via faraday-manage settings or the REST API. Most changes take effect without restart.

Configuration Precedence¶

Settings are resolved in this order (highest priority first):

Priority	Source	Scope
1	Command-line arguments (`--port`, `--bind_address`)	Server startup only
2	Environment variables (`FARADAY_HOME`, `PGSQL_*`)	Docker primarily
3	User config: `~/.faraday/config/server.ini`	All INI settings
4	Package default: `faraday/server/default.ini`	Fallback for INI
5	Hard-coded defaults in Python	Lowest priority

File Locations¶

Path	Purpose
`~/.faraday/config/server.ini`	User configuration (primary)
`faraday/server/default.ini`	Package defaults (do not edit)
`~/.faraday/logs/`	Server, audit, Celery, and Alembic logs
`~/.faraday/session/`	Filesystem-based session storage
`~/.faraday/storage/`	Uploaded report and evidence storage
`~/.faraday/uploaded_reports/`	Temporary report upload directory
`~/.faraday/openapi/faraday_swagger.json`	Generated OpenAPI specification

All paths are relative to $FARADAY_HOME/.faraday/. The FARADAY_HOME environment variable defaults to /home/faraday (if it exists) or the current user's home directory.

INI-Based Settings (`server.ini`)¶

`[faraday_server]` Section¶

Core server behavior settings.

Setting	Type	Default	Docker Default	Description
`port`	Integer	`5985`	`5985`	TCP port the server listens on.
`bind_address`	String	`localhost`	`0.0.0.0`	IP address the server binds to. Use `0.0.0.0` for all interfaces.
`secret_key`	String	Auto-generated	Auto-generated	Flask session signing key. Changing it logs out all users.
`session_timeout`	Float	`12` (hours)	`24` (hours)	Web UI session duration before requiring re-login.
`api_token_expiration`	Integer	`43200` (12h)	`604800` (7d)	API token lifetime in seconds.
`agent_registration_secret`	String	Auto-generated	Auto-generated	TOTP secret for agent registration.
`agent_token_expiration`	Integer	`60` (1 min)	`60`	Agent token lifetime in seconds.
`debug`	Boolean	`false`	`false`	Enable debug mode. Increases log verbosity. Do not use in production.
`delete_report_after_process`	Boolean	`true`	`true`	Remove uploaded report files after processing.
`celery_enabled`	Boolean	`true`	`true`	Enable Celery background task queue.
`celery_broker_url`	String	`redis://127.0.0.1:6379/0`	`redis`	Celery message broker URL. Supports `redis://`, `rediss://`, `amqp://`, `amqps://`.
`celery_backend_url`	String	`redis://127.0.0.1:6379/0`	`redis`	Celery result backend URL. Same format as broker URL.
`max_task_message_size`	Integer	`5242880` (5 MB)	`5242880`	Maximum Celery task message size in bytes.
`socketio_ping_interval`	Integer	`60`	`60`	WebSocket ping interval in seconds.
`socketio_ping_timeout`	Integer	`220`	`220`	WebSocket ping timeout in seconds. Increase for high-latency networks.
`socketio_logger`	Boolean	`false`	`false`	Enable SocketIO debug logging.
`idle_session_timeout`	Integer	`0` (disabled)	`0`	Auto-logout after inactivity in seconds. `0` disables.
`celery_queue_prefix`	String	(none)	(none)	Redis key prefix for Celery queues. Useful for multi-instance deployments sharing a broker.

Default Value Differences

The Docker template (docker/server.ini) ships with different defaults than the package default.ini for api_token_expiration (7 days vs 12 hours) and session_timeout (24h vs 12h). Be aware of which defaults apply to your installation method.

Commercial-Only Settings¶

The following settings appear in the documentation but are only available in Faraday Professional / Corporate editions. They are not present in the community edition config.py:

Setting	Description
`redis_session_storage`	Redis server address for session storage.
`notifications_enabled`	Enable/disable notification system.
`websocket_server_fqdn`	FQDN for WebSocket real-time updates.
`secure_cookies`	Require HTTPS for session cookies.
`forwarded_for_index`	`X-Forwarded-For` header index for proxy setups.
`bulk_create_workers`	Worker processes for bulk creation (deprecated).
`celery_max_tasks_per_child`	Tasks per worker before restart.
`elk_enabled`	Enable ELK stack integration (INI-based).
`elk_url`	Elasticsearch server URL.
`elk_port`	Elasticsearch port.

Celery Broker URL Processing¶

When setting celery_broker_url or celery_backend_url, the server applies this logic:

If the value contains no colon (e.g., redis), it is treated as a hostname and expanded to redis://HOSTNAME:6379/0.
If the value contains a colon, it checks for a recognized scheme (redis, rediss, amqp, amqps). If found, it is used as-is.
Otherwise, redis:// is prepended.

Examples:

# All equivalent for a Redis broker on "myredis" host:
celery_broker_url = myredis
celery_broker_url = redis://myredis:6379/0

# RabbitMQ broker:
celery_broker_url = amqp://user:pass@rabbitmq:5672/vhost

# Redis with TLS:
celery_broker_url = rediss://redis-host:6380/0

`[database]` Section¶

Setting	Type	Default	Description
`connection_string`	String	(none)	Required. PostgreSQL connection string.

Format:

postgresql+psycopg2://USERNAME:PASSWORD@HOST[:PORT]/DATABASE

Examples:

[database]
# Local PostgreSQL
connection_string = postgresql+psycopg2://faraday_postgresql:secret@localhost/faraday

# Remote PostgreSQL on custom port
connection_string = postgresql+psycopg2://faraday:P@ssw0rd@db.example.com:5433/faraday_prod

# Docker (set via PGSQL_* environment variables)
connection_string = postgresql+psycopg2://postgres:postgres@db/faraday

SQLAlchemy Connection Pool¶

The server configures the SQLAlchemy connection pool with these fixed values:

Parameter	Value	Description
`pool_pre_ping`	`True`	Tests connections before reuse (detects stale connections).
`poolclass`	`QueuePool`	Thread-safe connection pooling.
`pool_size`	`20`	Base number of persistent connections.
`max_overflow`	`20`	Additional connections allowed beyond `pool_size`.
`pool_timeout`	`60`	Seconds to wait for an available connection before error.

Maximum simultaneous database connections: pool_size + max_overflow = 40.

`[storage]` Section¶

Setting	Type	Default	Description
`path`	String	`~/.faraday/storage`	Directory for uploaded reports and evidence files.

`[logger]` Section¶

Setting	Type	Default	Description
`use_rfc5424_formatter`	Boolean	`false`	Use RFC 5424 syslog format for log output. Useful for external log aggregation.

Log File Locations¶

Log File	Path	Rotation
Server log	`~/.faraday/logs/faraday-server.log`	5 MB, 5 backups
Audit log	`~/.faraday/logs/audit.log`	5 MB, 5 backups
Celery log	`~/.faraday/logs/celery.log`	5 MB, 5 backups
Alembic (migration) log	`~/.faraday/logs/alembic.log`	5 MB, 5 backups

`[limiter]` Section¶

Setting	Type	Default	Description
`enabled`	Boolean	`false`	Enable login rate limiting.
`login_limit`	String	`10/minutes`	Maximum login attempts per time period. Format: `N/period` (e.g., `5/minutes`, `100/hour`).

`[gitlab_integration]` Section¶

Commercial Feature

This section is only recognized by commercial editions. The community edition config.py silently ignores unknown sections.

Setting	Type	Description
`ssl_cert_path`	String	Path to SSL certificate for self-signed GitLab connections.

Database-Backed Settings¶

These settings are stored in the PostgreSQL configuration table and managed via:

CLI: faraday-manage settings -a list|show|update|clear <name>
API: GET/PUT /_api/v3/settings/<name>

Changes take effect without a server restart (some may trigger a thread restart via SIGUSR1 internally).

SMTP Settings¶

Setting name: smtp

Field	Type	Default	Description
`enabled`	Boolean	`false`	Enable SMTP email delivery.
`username`	String	`""`	SMTP authentication username.
`password`	String	`""`	SMTP authentication password.
`host`	String	`""`	SMTP server hostname.
`port`	Integer	`25`	SMTP server port (25, 465, 587).
`sender`	Email	`user@example.com`	From address for outgoing emails.
`ssl`	Boolean	`false`	Use SSL/TLS for SMTP connection.

Configure via CLI:

faraday-manage settings -a update smtp --data '{
  "enabled": true,
  "host": "smtp.example.com",
  "port": 587,
  "ssl": true,
  "username": "notifications@example.com",
  "password": "secret",
  "sender": "faraday@example.com"
}'

ELK Settings¶

Setting name: elk

Field	Type	Default	Description
`enabled`	Boolean	`false`	Enable Elasticsearch integration.
`username`	String	`""`	Elasticsearch authentication username.
`password`	String	`""`	Elasticsearch authentication password.
`host`	String	`""`	Elasticsearch server URL.
`port`	Integer	`9200`	Elasticsearch port.
`ignore_ssl`	Boolean	`false`	Skip SSL certificate verification.

Community vs Commercial

In the community edition, ELK is configured via the database-backed settings system above. Commercial editions may also support INI-based elk_enabled, elk_url, elk_port in the [faraday_server] section.

Dashboard Settings¶

Setting name: dashboard

Field	Type	Default	Description
`show_vulns_by_price`	Boolean	`false`	Display vulnerabilities by price on the dashboard.

Reports Settings¶

Setting name: reports

Field	Type	Default	Description
`custom_plugins_folder`	String	`""`	Path to a directory containing custom report plugins. Must be a valid directory.

Query Limits Settings¶

Setting name: query_limits

Field	Type	Default	Description
`vuln_query_limit`	Integer	`0`	Maximum vulnerabilities returned per query. `0` = unlimited.

Managing Settings via CLI¶

# List all configurable settings
faraday-manage settings -a list

# Show current value of a setting
faraday-manage settings -a show smtp

# Update a setting
faraday-manage settings -a update smtp --data '{"enabled": true, "host": "smtp.example.com"}'

# Clear a setting (reset to defaults)
faraday-manage settings -a clear smtp

Environment Variables¶

Core Variables¶

Variable	Default	Description
`FARADAY_HOME`	`/home/faraday` or `~/`	Root directory for Faraday data. All paths (`~/.faraday/`) are relative to this.
`FARADAY_LOG_QUERY`	(unset)	When set (any value), enables SQLAlchemy query echo logging. Debug only.
`FARADAY_DISABLE_LOGS`	(unset)	When set, disables file-based logging.
`FARADAY_DATABASE_NAME`	`faraday`	Database name used by `faraday-manage initdb`.
`FARADAY_DATABASE_USER`	`faraday_postgresql`	Database user used by `faraday-manage initdb`.
`FULL_API_DOC`	(unset)	When set, includes HEAD and OPTIONS methods in OpenAPI docs.

Docker-Only Variables¶

These are used by the Docker entrypoint script (docker/entrypoint.sh):

Variable	Required	Default	Description
`PGSQL_USER`	Yes*	—	PostgreSQL username.
`PGSQL_PASSWD`	Yes*	—	PostgreSQL password.
`PGSQL_HOST`	Yes*	—	PostgreSQL hostname.
`PGSQL_DBNAME`	Yes*	—	PostgreSQL database name.
`REDIS_SERVER`	No	—	Redis hostname. Sets `redis_session_storage` in `server.ini`.
`FARADAY_PASSWORD`	No	Random 13-char	Initial admin password. If not set, a random password is generated and printed to stdout.
`FQDN`	No	—	Fully qualified domain name for OpenAPI swagger config.

* Required only on first run (when server.ini does not yet exist).

Internal Variables (Set Automatically)¶

Variable	Set By	Purpose
`FARADAY_MANAGE_RUNNING`	`faraday-manage`	Set to `"1"` during manage commands; suppresses logging.
`PYTHONUNBUFFERED`	Dockerfile	Set to `1` for unbuffered Python output in containers.

Flask Application Settings¶

These are configured internally by app.py and cannot be changed via server.ini:

Setting	Value	Description
`SESSION_TYPE`	`filesystem`	Session backend (filesystem-based).
`SESSION_COOKIE_NAME`	`faraday_session_2`	Browser cookie name.
`SESSION_COOKIE_SAMESITE`	`Lax`	Cookie SameSite policy.
`SECURITY_PASSWORD_SCHEMES`	`['bcrypt']`	Password hashing algorithm.
`SECURITY_TOKEN_AUTHENTICATION_HEADER`	`Authorization`	API token header name.
`SECURITY_URL_PREFIX`	`/_api`	Security endpoint prefix.
`SQLALCHEMY_TRACK_MODIFICATIONS`	`False`	Disabled for performance.

Command-Line Arguments¶

The faraday-server command accepts these startup arguments:

Argument	Description
`--port PORT`	Override `server.ini` port.
`--bind_address ADDR`	Override `server.ini` bind address.
`--debug`	Enable debug mode (overrides `server.ini`).
`--nodeps`	Skip dependency checks.
`--no-setup`	Skip setup environment.
`--with-workers`	Start Celery workers alongside the server.
`--with-workers-gevent`	Start Celery workers in gevent mode.
`--workers-queue QUEUE`	Celery queue name (default: `celery`).
`--workers-concurrency N`	Worker concurrency (default: CPU count - 1).
`--workers-loglevel LEVEL`	Worker log level (default: `WARNING`, or `DEBUG` if `debug=true`).
`--update_stats`	Update host/workspace statistics on startup.
`--version`	Show version and exit.

Minimal Configuration Example¶

A minimal server.ini for a bare-metal installation:

[faraday_server]
port = 5985
bind_address = 127.0.0.1

[database]
connection_string = postgresql+psycopg2://faraday_postgresql:YOUR_PASSWORD@localhost/faraday

[storage]
path = /home/faraday/.faraday/storage

Production Configuration Example¶

A production server.ini with security hardening:

[faraday_server]
port = 5985
bind_address = 127.0.0.1
session_timeout = 8
api_token_expiration = 86400
idle_session_timeout = 1800
debug = false
delete_report_after_process = true
celery_enabled = true
celery_broker_url = redis://redis.internal:6379/0
celery_backend_url = redis://redis.internal:6379/0

[database]
connection_string = postgresql+psycopg2://faraday:STRONG_PASSWORD@db.internal:5432/faraday_prod

[storage]
path = /data/faraday/storage

[limiter]
enabled = true
login_limit = 5/minutes

[logger]
use_rfc5424_formatter = true

Troubleshooting¶

Server won't start — "Address already in use"¶

Another process is using port 5985. Check with:

lsof -i :5985

Change the port in server.ini or stop the conflicting process.

Sessions expire too quickly¶

Check both session_timeout (overall session lifetime in hours) and idle_session_timeout (inactivity timeout in seconds). Set idle_session_timeout = 0 to disable idle timeout.

Celery workers not processing tasks¶

Verify Redis/RabbitMQ is running and accessible.
Check that celery_enabled = true in server.ini.
Verify celery_broker_url resolves to the correct broker.
Check ~/.faraday/logs/celery.log for errors.

Secret key changed — all users logged out¶

The secret_key is auto-generated on first run and stored in server.ini. If the file is deleted or regenerated, all existing sessions become invalid. Back up your server.ini before reinstalling.

Database connection pool exhaustion¶

If you see "QueuePool limit" errors, the server has exhausted its 40 connection limit (pool_size=20 + max_overflow=20). This can occur with many concurrent users. The pool settings are hard-coded and require a code change to modify.