Advanced Configuration

This guide covers the advanced configuration options for a self-hosted Signchain vault: security-related environment variables, the storage backend, scaling, audit logging, custom endpoints, and CI/CD integration. Follow these steps to get the most out of your deployment.

Prerequisites

Before implementing advanced configurations, ensure you have:

  • Access to the environment variables and configurations used in your Signchain Vault setup
  • Knowledge of Docker and server configuration (for self-hosted setups)
  • An active subscription plan if additional features require it

Configuring Environment Variables

To enable additional layers of security and customization, you can set environment variables in your .env file. Here are some essential variables to consider:

Vault Security

  • VAULT_KEY
    Configure this with your vault keys, as obtained from the Signchain Dashboard. It is essential for securely accessing and managing private keys in your infrastructure.

  • VAULT_AUTH_SECRET_KEY
    A unique shared secret used to prevent unauthorized access to vault functions. This key should be stored securely and only shared with trusted services within your infrastructure.

MongoDB Configuration

  • VAULT_STORAGE_BACKEND
    Set this to mongo to configure MongoDB as the storage backend for the vault.

  • VAULT_MONGO_URL
    Specify the MongoDB connection string. This connection should ideally be secured and accessible only within your private network or VPN.


Scaling Your Vault

If your application has high transaction or request volumes, consider the following:

  • Load Balancing
    For large deployments, using a load balancer such as Traefik can help distribute traffic across multiple instances. This setup improves availability and performance under high load conditions.

  • Horizontal Scaling
    Deploy additional vault instances in a distributed setup to manage increased requests. Each instance should be configured to use the same MongoDB backend for consistent data access.


Audit Logging

To enhance traceability, you can enable audit logs to track access to sensitive operations. Implement audit logging by:

  1. Setting up server logs to capture each request.
  2. Using middleware within your backend application to log interactions with the Signchain API.

Note: Audit logs should be securely stored and reviewed periodically.


Customizing API Endpoints

While using Signchain’s default endpoints is convenient, you may wish to configure custom URLs and routing. To do this, configure the following:

  1. VAULT_BASE_URL
    Override the default https://signchain.net URL with your own if using a private reverse proxy.

  2. Rate Limiting
    Set up rate limiting rules within your reverse proxy (e.g., Traefik) to control traffic, especially if your vault has open internet access.


Integrating with CI/CD Pipelines

To automate your vault’s deployment, you can add the following steps to your CI/CD pipeline:

  1. Environment Variables
    Add environment variables in your CI/CD configuration to securely inject sensitive keys into your deployment.

  2. Docker Image Management
    Pull the latest Signchain vault Docker image in each deployment cycle:

    docker pull ghcr.io/grexie/signchain-vault:latest
    
  3. Testing with Mock Data
    Use test data within your CI/CD environment to verify that configurations and endpoints are functioning as expected before pushing to production.
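
One way to run the configuration check from step 3 as a pipeline gate, shown as an added example rather than Signchain's own tooling: a lint over the .env variables this guide describes. The 32-character minimum, the sample values and the function names are assumptions, and only the first host of the MongoDB URI is examined.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

MIN_SECRET_LEN = 32  # assumed local policy, not a documented Signchain requirement
# Constructed sample .env content (placeholder values, not real keys).
SAMPLE_ENV = """\
VAULT_KEY=example-vault-key-from-dashboard-0001
VAULT_AUTH_SECRET_KEY=changeme
VAULT_STORAGE_BACKEND=mongo
VAULT_MONGO_URL=mongodb://vault:pw@10.0.0.5:27017/vault
VAULT_BASE_URL=http://vault.internal.example
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    pairs = (ln.partition("=") for ln in text.splitlines() if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip().strip("'\"") for k, _, v in pairs}

def lint_mongo_url(url):
    """Check the scheme, TLS setting and (for IP literals) address scope of the URI."""
    parts = urlsplit(url)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        return ["VAULT_MONGO_URL is missing or not a MongoDB URI"]
    findings, query = [], parse_qs(parts.query)
    default = "true" if parts.scheme == "mongodb+srv" else "false"  # SRV URIs default to TLS
    if query.get("tls", query.get("ssl", [default]))[0].lower() != "true":
        findings.append("VAULT_MONGO_URL does not enable TLS")
    try:
        if ipaddress.ip_address(parts.hostname or "").is_global:
            findings.append("VAULT_MONGO_URL points at a public IP address")
    except ValueError:
        pass  # a hostname, not an IP literal: its scope cannot be judged offline
    return findings

def lint_vault_env(env):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"{n} is not set" for n in ("VAULT_KEY", "VAULT_AUTH_SECRET_KEY") if not env.get(n)]
    secret = env.get("VAULT_AUTH_SECRET_KEY", "")
    if secret and (len(secret) < MIN_SECRET_LEN or secret == env.get("VAULT_KEY")):
        findings.append("VAULT_AUTH_SECRET_KEY is too short or reuses VAULT_KEY")
    if env.get("VAULT_STORAGE_BACKEND") == "mongo":
        findings += lint_mongo_url(env.get("VAULT_MONGO_URL", ""))
    if env.get("VAULT_BASE_URL") and urlsplit(env["VAULT_BASE_URL"]).scheme != "https":
        findings.append("VAULT_BASE_URL is not https")
    return findings

if __name__ == "__main__":
    for finding in lint_vault_env(parse_env(SAMPLE_ENV)):
        print("FAIL:", finding)
```

In a pipeline, fail the job when the returned list is non-empty, and print only the finding text so that secret values never reach the build log.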


Advanced Security Best Practices

Enhance your vault’s security by implementing the following:

  • Rotate Keys Periodically
    Update VAULT_AUTH_SECRET_KEY and VAULT_KEY at regular intervals to mitigate potential security risks.

  • Enable IP Whitelisting
    Restrict access to your vault to trusted IP addresses, ensuring that only authorized services can interact with the vault API.

  • Use a VPN
    For sensitive setups, place your vault within a VPN to control access and add another layer of security.


For more details on individual configurations, please consult the API Reference and ensure your setup aligns with best practices for maintaining a robust and secure environment with Signchain.