Configuration
Beta Offering
Web Modeler Self-Managed is currently offered as an alpha feature with limited availability for enterprise customers only. It is not recommended for production use and there is no maintenance service guaranteed. Special terms & conditions apply. However, we encourage you to provide feedback via your designated support channel or by contacting us.
The different components of Web Modeler Self-Managed can be configured using environment variables. Each component's variables are described below.
- For a working example configuration showing how the components are correctly wired together, see the Docker Compose file for Web Modeler.
- If you are using the Camunda 8 Helm chart to set up Web Modeler, read more about the different configuration options in the chart's README file.
Configuration of the restapi component
Database
Web Modeler requires a PostgreSQL database as persistent data storage (other database systems are currently not supported.)
| Environment variable | Description | Example value |
|---|---|---|
RESTAPI_DB_HOST | Database host name | postgres.example.com |
RESTAPI_DB_PORT | Database port | 5432 |
RESTAPI_DB_NAME | Database name | modeler-db |
RESTAPI_DB_USER | Database user name | modeler-user |
RESTAPI_DB_PASSWORD | Database user password | *** |
SMTP / email
Web Modeler requires an SMTP server to send notification emails to users.
| Environment variable | Description | Example value | Default value |
|---|---|---|---|
RESTAPI_MAIL_HOST | SMTP server host name | smtp.example.com | - |
RESTAPI_MAIL_PORT | SMTP server port | 587 | - |
RESTAPI_MAIL_USER | [optional] SMTP user name | modeler-user | - |
RESTAPI_MAIL_PASSWORD | [optional] SMTP user password | *** | - |
RESTAPI_MAIL_ENABLE_TLS | Enforce TLS encryption for SMTP connections (using STARTTLS). | true | true |
RESTAPI_MAIL_FROM_ADDRESS | Email address used as the sender of emails sent by Web Modeler. | noreply@example.com | - |
RESTAPI_MAIL_FROM_NAME | [optional] Name displayed as the sender of emails sent by Web Modeler. | Camunda | Camunda |
RESTAPI_SERVER_URL | URL at which users access Web Modeler in the browser (used to construct links in notification emails). | https://modeler.example.com | - |
WebSocket
The restapi component sends certain events (e.g. "file updated", "comment added") to the WebSocket server.
| Environment variable | Description | Example value |
|---|---|---|
RESTAPI_PUSHER_HOST | Internal host name of the WebSocket server. | modeler-websockets |
RESTAPI_PUSHER_PORT | Internal port number of the WebSocket server. | 8060 |
RESTAPI_PUSHER_APP_ID | must be the same as PUSHER_APP_ID | web-modeler |
RESTAPI_PUSHER_KEY | must be the same as PUSHER_APP_KEY | *** |
RESTAPI_PUSHER_SECRET | must be the same as PUSHER_APP_SECRET | *** |
Identity / Keycloak
Web Modeler integrates with Identity and Keycloak for authentication and authorization (using OAuth 2.0 + OpenID Connect) as well as user management.
| Environment variable | Description | Example value |
|---|---|---|
RESTAPI_OAUTH2_TOKEN_ISSUER | URL of the token issuer (used for JWT validation). | https://keycloak.example.com/auth/realms/camunda-platform |
RESTAPI_OAUTH2_TOKEN_ISSUER_BACKEND_URL | [optional] Internal URL used to request Keycloak's OpenID Provider Configuration; if not set, RESTAPI_OAUTH2_TOKEN_ISSUER is used. | http://keycloak:8080/auth/realms/camunda-platform |
RESTAPI_IDENTITY_BASE_URL | Internal base URL of the Identity API (used to fetch user data). | http://identity:8080 |
Configuration of the webapp component
General
| Environment variable | Description | Example value | Default value |
|---|---|---|---|
SERVER_URL | URL at which users access Web Modeler in the browser. Note: To use a sub path for Web Modeler, just include the path in the URL. | https://modeler.example.com,https://example.com/modeler | - |
SERVER_HTTPS_ONLY | Enforce the usage of HTTPS when users access Web Modeler (by redirecting from http:// to https://). | true | false |
RESTAPI_HOST | Internal host name of the restapi application. | modeler-restapi | - |
RESTAPI_PORT | Internal port number on which the restapi serves the regular API endpoints. | 8081 | 8081 |
RESTAPI_MANAGEMENT_PORT | Internal port number on which the restapi serves the management API endpoints. | 8091 | 8091 |
Identity / Keycloak
| Environment variable | Description | Example value | Default value |
|---|---|---|---|
OAUTH2_CLIENT_ID | Client ID of the Web Modeler application configured in Identity; must be set to web-modeler. | web-modeler | - |
OAUTH2_TOKEN_AUDIENCE | Expected token audience (used for JWT validation); must be set to web-modeler. | web-modeler | - |
OAUTH2_TOKEN_ISSUER | URL of the token issuer (used for JWT validation). | https://keycloak.example.com/auth/realms/camunda-platform | - |
KEYCLOAK_BASE_URL | Base URL of the Keycloak instance. | https://keycloak.example.com | - |
KEYCLOAK_CONTEXT_PATH | [optional] Context path Keycloak serves resources on. Note: With Keycloak 17, the default path was changed from /auth to /. | / | /auth |
KEYCLOAK_REALM | Keycloak realm used for Camunda. | camunda-platform | - |
KEYCLOAK_JWKS_URL | Internal URL used to request Keycloak's JSON Web Key Set (for JWT verification). | http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/certs | - |
IDENTITY_BASE_URL | Internal base URL of the Identity API (used to fetch user data). | http://identity:8080 | - |
WebSocket
The webapp component sends certain events (e.g. "user opened diagram", "user left diagram") to the WebSocket server and can also react to such events (e.g. show a notification in the UI that a user left the diagram).
| Environment variable | Description | Example value | Default value |
|---|---|---|---|
PUSHER_HOST | Internal host name of the WebSocket server. | modeler-websockets | - |
PUSHER_PORT | Internal port number of the WebSocket server. | 8060 | - |
PUSHER_APP_ID | must be the same as PUSHER_APP_ID | web-modeler | - |
PUSHER_KEY | must be the same as PUSHER_APP_KEY | *** | - |
PUSHER_SECRET | must be the same as PUSHER_APP_SECRET | *** | - |
CLIENT_PUSHER_HOST | External host name on which the Web Modeler client accesses the WebSocket server from the browser. | ws.example.com | - |
CLIENT_PUSHER_PORT | External port number on which the Web Modeler client accesses the WebSocket server from the browser. | 443 | - |
CLIENT_PUSHER_PATH | [optional] must be the same as PUSHER_APP_PATH | /modeler-ws | / |
CLIENT_PUSHER_KEY | must be the same as PUSHER_APP_KEY | *** | - |
CLIENT_PUSHER_FORCE_TLS | Enable TLS encryption for WebSocket connections initiated by the browser. | true | false |
Configuration of the websocket component
The WebSocket server shipped with Web Modeler Self-Managed is based on the laravel-websockets open source package and implements the Pusher Channels Protocol.
| Environment variable | Description | Example value | Default value |
|---|---|---|---|
PUSHER_APP_ID | ID of the single application/tenant configured for Web Modeler. | web-modeler | - |
PUSHER_APP_KEY | A unique key used for authentication. Provide a random alphanumeric string of at least 20 characters. | *** | - |
PUSHER_APP_SECRET | A unique secret used for authentication. Provide a random alphanumeric string of at least 20 characters. | *** | - |
PUSHER_APP_PATH | [optional] Base path of the WebSocket endpoint. Can be used to expose the endpoint on a sub path instead of the domain root (e.g. https://example.com/modeler-ws). | /modeler-ws | / |
Notes on host names and port numbers
- Internal refers to host names and port numbers that are only used inside a Docker Compose network or Kubernetes cluster for backend-to-backend communication.
- External refers to host names and port numbers that are exposed to the outside and can be reached from a web browser.