Joey edited this page Jan 28, 2014 · 61 revisions

The Config File

The config file is one of the most important files for users of the PHP-MPOS project. It can be found in the /public/include/config directory under the name global.inc.dist.php. In this form the file is inactive and has no effect on the site. Until the config file has been activated by renaming it to global.inc.php, the PHP-MPOS project will not load. By activating this file a user gains access to many powerful settings that affect every page of the site.

Configuration Options

Database Configuration

A MySQL database backend is required for MPOS. Creating a database is covered in the Quick Start Guide (https://github.com/MPOS/php-mpos/wiki/Quick-Start-Guide#wiki-database-setup). Additionally, a base database structure is available for import in the /sql folder under the name 000_base_structures. Future updates to the database are provided as individual table files. Ensure the database structure is imported!

Default Values:

host = 'localhost'
port = 3306
user = 'someuser'
pass = 'somepass'
name = 'mpos'

Explanations

host

  • location of the database, generally on the same server as the site

port

  • which port accesses the database if hosted externally

user

  • database user name

pass

  • database user password

name

  • name of the database used for the project, needs to match the name of the database created

Security Configuration Options

Strict Mode

Extra security options that can help protect against a few different types of attacks.

Default Values:

strict                           =  true
strict__https_only               =  false
strict__mysql_filter             =  true
strict__verify_client            =  true
strict__verify_client_ip         =  true
strict__verify_client_useragent  =  true
strict__verify_client_sessionid  =  true
strict__verify_client_fails      =  0
strict__verify_server            =  false
strict__bind_protocol            =  'https'
strict__bind_host                =  ''
strict__bind_port                =  443

Explanations

strict

  • Whether or not to use strict mode

__https_only

  • Requires/pushes to https

__mysql_filter

  • Uses a mysqli shim to use php filters on all incoming data

__verify_client

  • Verifies the client using specified settings

__verify_client_ip

  • If the client request suddenly switches IP, trigger a failure

__verify_client_useragent

  • If the client request suddenly switches Useragent, trigger a failure

__verify_client_sessionid

  • If the client request suddenly switches SessionID, trigger a failure

__verify_client_fails

  • Maximum number of client-side inconsistencies to accept before revoking sessions

__verify_server

  • Verifies the server is valid for this request

__bind_protocol

  • Server validate protocol; http or https

__bind_host

  • Server validate host; ie. your domain or subdomain

__bind_port

  • Server validate port; 80 / 443 / something else
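The client fingerprinting and server binding the options above describe, as an added illustration (not PHP-MPOS's own code): the $config keys follow the option names on this page, but the $session layout, the $sid parameter and both function names are assumptions.

```php
<?php
// Added illustration of the strict-mode client and server checks described above.
// Not PHP-MPOS's own code: $config keys follow the option names on this page, but
// the $session layout and both function names are assumptions.

function verifyClient(array $config, array &$session, array $server, string $sid): bool
{
    if (empty($config['strict']) || empty($config['strict__verify_client'])) {
        return true;
    }
    $now = ['ip' => $server['REMOTE_ADDR'] ?? '', 'ua' => $server['HTTP_USER_AGENT'] ?? '', 'sid' => $sid];
    if (!isset($session['fingerprint'])) {
        // First request of this session: remember what the client looked like.
        $session['fingerprint'] = $now;
        $session['fails'] = 0;
        return true;
    }
    $options = ['ip' => 'strict__verify_client_ip', 'ua' => 'strict__verify_client_useragent',
                'sid' => 'strict__verify_client_sessionid'];
    foreach ($options as $key => $option) {
        if (!empty($config[$option]) && $session['fingerprint'][$key] !== $now[$key]) {
            $session['fails']++;
        }
    }
    // strict__verify_client_fails = 0 means the very first inconsistency revokes.
    if ($session['fails'] > $config['strict__verify_client_fails']) {
        $session = [];   // caller is expected to call session_destroy() as well
        return false;
    }
    return true;
}

function verifyServer(array $config, array $server): bool
{
    if (empty($config['strict']) || empty($config['strict__verify_server'])) {
        return true;
    }
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $host  = strtolower(explode(':', $server['HTTP_HOST'] ?? '')[0]);
    $port  = (int) ($server['SERVER_PORT'] ?? 0);
    return ($https ? 'https' : 'http') === $config['strict__bind_protocol']
        && $host === strtolower($config['strict__bind_host'])
        && $port === (int) $config['strict__bind_port'];
}
```

With the defaults above (bind_host empty, verify_server false) the server check is skipped; set all three bind values before enabling it, or every request fails the check.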

Memcache Rate Limiting

Because bots/angry users can just fire away at pages or F5 us to death, we can attempt to rate limit requests using Memcache.

Default Values:

enabled              =   true
protect_ajax         =   true
ajax_hits_additive   =   false
flush_seconds_api    =   60
rate_limit_api       =   20
flush_seconds_site   =   60
rate_limit_site      =   30
ignore_admins        =   true
error_push_page      =   array('page' => 'error', 'action' => 'ratelimit');

enabled

  • Whether or not we will try to rate limit requests

protect_ajax

  • If enabled, we will also watch the ajax calls for rate limiting and kill bad requests

ajax_hits_additive

  • If enabled, ajax hits will count towards the site counter as well as the ajax counter

flush_seconds_api

  • Number of seconds between each flush of user/ajax counter

rate_limit_api

  • Number of api requests allowed per flush_seconds_api

flush_seconds_site

  • Number of seconds between each flush of user/site counter

rate_limit_site

  • Number of site requests allowed per flush_seconds_site

ignore_admins

  • Ignores the rate limit for admins

error_push_page

  • Page/action array used to push rate-limited users to a specific page (the values match the page and action parameters in the URL). If empty, a blank page showing 'You are sending too many requests too fast!' is served instead.
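A fixed-window counter over Memcache that honours the options above, as an added example (not PHP-MPOS's own code): it uses the real Memcached add() and increment() methods, but the key layout, the flat $cfg array and the $isAjax/$isAdmin flags are assumptions.

```php
<?php
// Added example of fixed-window rate limiting with the options described above.
// Not PHP-MPOS's own code: the Memcached method calls are real, but the key names,
// the flat $cfg layout and the $isAjax/$isAdmin flags are assumptions.

function rateLimitKey(string $scope, string $ip): string
{
    return 'ratelimit:' . $scope . ':' . $ip;
}

// Count one hit in the current window; true when the limit is exceeded.
function countHit(Memcached $mc, string $key, int $flushSeconds, int $limit): bool
{
    // add() only succeeds when the key is absent, so it opens the window once;
    // memcache then drops the counter after $flushSeconds (the "flush").
    $mc->add($key, 0, $flushSeconds);
    $hits = $mc->increment($key);
    return $hits !== false && $hits > $limit;
}

// True when the request should be blocked (and sent to error_push_page).
function isRateLimited(Memcached $mc, array $cfg, string $ip, bool $isAjax, bool $isAdmin): bool
{
    if (!$cfg['enabled'] || ($isAdmin && $cfg['ignore_admins'])) {
        return false;
    }
    $blocked = false;
    if ($isAjax && $cfg['protect_ajax']) {
        $blocked = countHit($mc, rateLimitKey('api', $ip),
                            $cfg['flush_seconds_api'], $cfg['rate_limit_api']);
    }
    // Plain page views always count; ajax hits count here only when additive.
    if (!$isAjax || $cfg['ajax_hits_additive']) {
        $blocked = countHit($mc, rateLimitKey('site', $ip),
                            $cfg['flush_seconds_site'], $cfg['rate_limit_site']) || $blocked;
    }
    return $blocked;
}
```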

CSRF Protection

To help protect against CSRF, we can generate a hash that changes every minute and is unique to each user/IP and page or use, and check the submitted value against it when a form is submitted.

Default Values:

enabled    =    true

enabled

  • Whether or not to generate and check for valid CSRF Tokens
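One way to build the per-minute, per-user/IP/page token just described, as an added example (not PHP-MPOS's own code): the keyed HMAC, the site secret and the one-minute grace window for tokens issued just before the minute boundary are assumptions.

```php
<?php
// Added example of a CSRF token that rotates every minute and is unique to the
// user, IP and page, as the option above describes. Not PHP-MPOS's own code: the
// HMAC construction, the site secret and the grace window are assumptions.

function csrfToken(string $secret, string $user, string $ip, string $page, int $minute): string
{
    // Keyed hash, so a client cannot compute tokens without the server secret.
    return hash_hmac('sha256', $user . '|' . $ip . '|' . $page . '|' . $minute, $secret);
}

// Token to embed in the form being rendered now.
function csrfTokenForForm(string $secret, string $user, string $ip, string $page): string
{
    return csrfToken($secret, $user, $ip, $page, intdiv(time(), 60));
}

// Validate a submitted token; the previous minute is also accepted so a form
// loaded just before the boundary can still be submitted (assumption).
function csrfValid(string $secret, string $user, string $ip, string $page, string $given): bool
{
    $minute = intdiv(time(), 60);
    foreach ([$minute, $minute - 1] as $m) {
        // hash_equals() compares in constant time.
        if (hash_equals(csrfToken($secret, $user, $ip, $page, $m), $given)) {
            return true;
        }
    }
    return false;
}
```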

E-mail Confirmations

To increase security for users, account detail changes can require an e-mail confirmation prior to performing certain actions.

Default Values:

enabled   =  true
details   =  true
withdraw  =  true
changepw  =  true

enabled

  • Whether or not to require e-mail confirmations

details

  • Require confirmation to change account details

withdraw

  • Require confirmation to manually withdraw/payout

changepw

  • Require confirmation to change password

Lock accounts after failed logins

To avoid accounts being hacked by brute force attacks, set a maximum amount of failed login or pin entry attempts before locking the account. They will need to contact site support to re-enable the account.

login  =  3
pin    =  3

login

  • Number of invalid login attempts before locking

pin

  • Number of invalid pin attempts before locking