Config Setup
The config file is one of the most important files for users in the PHP-MPOS project. It can be found in the /public/include/config directory under the name global.inc.dist.php. In this form the file is inactive and will not affect the site. Until the config file has been activated by changing the name to global.inc.php, the PHP-MPOS project will not load. By activating this file a user can gain access to many powerful tools for changing the settings on all pages of the site.
Underlying coin algorithm that you are mining on. Set this to whatever your coin needs, sha256d or scrypt.
Default Values:
algorithm = 'scrypt'
algorithm
- SHA coins like Bitcoin or Scrypt based coins like Litecoin
The coin daemon applies transaction fees to young coins. Since we are unable to find out what the exact fee was we set a default value here which is applied to both manual and auto payouts. If this is not set, no fee is applied in the transactions history but the user might still see them when the coins arrive. You can set two different transaction fees for manual and auto payouts.
Default Values:
txfee_auto = 0.1
txfee_manual = 0.1
txfee_auto
- Setting for auto payout TX fee
txfee_manual
- Setting for manual payout TX fee
A MySQL database backend is required for MPOS. Creating a database is covered in the [Quick Start Guide](https://github.com/MPOS/php-mpos/wiki/Quick-Start-Guide#wiki-database-setup). Additionally, a base database structure is available for import in the /sql folder under the name 000_base_structures. Future updates to the database are provided in individual table files. Ensure the database structure is imported!
Default Values:
host = 'localhost'
port = 3306
user = 'someuser'
pass = 'somepass'
name = 'mpos'
host
- location for the database, generally on the same server as the site
port
- which port accesses the database if hosted externally
user
- database user name
pass
- database user password
name
- name of the database used for the project, needs to match the name of the database created
MPOS uses the RPC backend to fetch transactions, blocks and various other things. These settings need to match your coind RPC configuration.
Default Values:
type = 'http'
host = 'localhost:19334'
username = 'testnet'
password = 'testnet'
type
- RPC connection type
host
- RPC host
username
- RPC username
password
- RPC password
Running pools, especially those with active fees, will build up a good amount of liquid assets that can be used by pool operators. If you wish to automatically send your assets to an offline wallet, set your account address, reserves and thresholds here.
Default Values:
address = empty
reserve = 50
threshold = 25
address
- The address of the wallet you'd like to receive the coins in
reserve
- The amount you'd like to remain in the wallet. Recommended is at least 1 block value
threshold
- The amount of coins you'd like to send per batch minimum. Once exceeded, this is sent to the offline wallet address specified.
This is displayed on the Getting Started page to make it more dynamic.
Default Values:
coinname = 'Litecoin'
coinurl = 'http://www.litecoin.org'
stratumurl = ''
stratumport = '3333'
MPOS will try to fetch the current exchange rates from this API URL/target. Currently btc-e and coinchoose are supported in MPOS. If you want to remove the trade header just set currency to an empty string.
btc-e.com
url = `https://btc-e.com`
target = `/api/2/ltc_usd/ticker`
currency = `USD`
coinchoose.com
url = `http://www.coinchoose.com`
target = `/api.php`
currency = `BTC`
cryptsy.com
url = `http://pubapi.cryptsy.com`
currency = `BTC`
target = `/api.php?method=marketdata`
Extra security options that can help protect against a few different types of attacks.
Default Values:
strict = true
strict__https_only = false
strict__mysql_filter = true
strict__verify_client = true
strict__verify_client_ip = true
strict__verify_client_useragent = true
strict__verify_client_sessionid = true
strict__verify_client_fails = 0
strict__verify_server = false
strict__bind_protocol = 'https'
strict__bind_host = ''
strict__bind_port = 443
strict
- Whether or not to use strict mode
__https_only
- Requires/pushes to https
__mysql_filter
- Uses a mysqli shim to use php filters on all incoming data
__verify_client
- Verifies the client using specified settings
__verify_client_ip
- If the client request suddenly switches IP, trigger a failure
__verify_client_useragent
- If the client request suddenly switches Useragent, trigger a failure
__verify_client_sessionid
- If the client request suddenly switches SessionID, trigger a failure
__verify_client_fails
- Maximum number of client-side inconsistencies to accept before revoking sessions
__verify_server
- Verifies the server is valid for this request
__bind_protocol
- Server validate protocol; http or https
__bind_host
- Server validate host; ie. your domain or subdomain
__bind_port
- Server validate port; 80 / 443 / something else
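How the verify_client options interact, as an added example that is not taken from the MPOS code base: verify_client(), the session layout and counting one failure per mismatched attribute are assumptions, and the array keys mirror the options above without the strict__ prefix.

```php
<?php
// Added example, not MPOS code. verify_client() and the session layout are
// hypothetical; the $cfg keys mirror the strict__verify_client_* options.

function verify_client(array &$session, array $request, array $cfg): string
{
    if (!$cfg['verify_client']) {
        return 'ok';
    }
    // First request of the session: remember what the client looked like
    if (!isset($session['client'])) {
        $session['client'] = $request;
        $session['fails'] = 0;
        return 'ok';
    }
    // Compare only the attributes whose check is switched on
    foreach (['ip', 'useragent', 'sessionid'] as $attr) {
        if ($cfg["verify_client_$attr"] && $session['client'][$attr] !== $request[$attr]) {
            $session['fails']++;
        }
    }
    // More inconsistencies than verify_client_fails allows: drop the session
    if ($session['fails'] > $cfg['verify_client_fails']) {
        $session = [];
        return 'revoked';
    }
    return 'ok';
}

$cfg = [
    'verify_client' => true,
    'verify_client_ip' => true,
    'verify_client_useragent' => true,
    'verify_client_sessionid' => true,
    'verify_client_fails' => 0,      // default from the list above
];

// Constructed requests: the same session seen from two different networks
$first  = ['ip' => '198.51.100.7', 'useragent' => 'Mozilla/5.0 (X11)', 'sessionid' => 'abc123'];
$moved  = ['ip' => '203.0.113.50', 'useragent' => 'Mozilla/5.0 (X11)', 'sessionid' => 'abc123'];

$session = [];
echo verify_client($session, $first, $cfg), "\n";   // baseline stored
echo verify_client($session, $first, $cfg), "\n";   // unchanged client
echo verify_client($session, $moved, $cfg), "\n";   // IP switched mid-session

$cfg['verify_client_fails'] = 1;                    // tolerate a single inconsistency
$session = [];
verify_client($session, $first, $cfg);
echo verify_client($session, $moved, $cfg), "\n";   // one mismatch, threshold not exceeded
```

With the default of 0 any single change of IP ends the session, which also affects users whose address changes legitimately, for example on mobile networks.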
Because bots/angry users can just fire away at pages or f5 us to death, we can attempt to rate limit requests using Memcache.
Default Values:
enabled = true
protect_ajax = true
ajax_hits_additive = false
flush_seconds_api = 60
rate_limit_api = 20
flush_seconds_site = 60
rate_limit_site = 30
ignore_admins = true
error_push_page = array('page' => 'error', 'action' => 'ratelimit');
enabled
- Whether or not we will try to rate limit requests
protect_ajax
- If enabled, we will also watch the ajax calls for rate limiting and kill bad requests
ajax_hits_additive
- If enabled, ajax hits will count towards the site counter as well as the ajax counter
flush_seconds_api
- Number of seconds between each flush of user/ajax counter
rate_limit_api
- Number of api requests allowed per flush_seconds_api
flush_seconds_site
- Number of seconds between each flush of user/site counter
rate_limit_site
- Number of site requests allowed per flush_seconds_site
ignore_admins
- Ignores the rate limit for admins
error_push_page
- Page/action array to push users to a specific page, look in the URL! Empty = 'You are sending too many requests too fast!' on a blank page
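The counters described above behave like a fixed-window limiter. The following is an added example, not MPOS code: an in-process array stands in for Memcache, and bump(), allow() and the `api:`/`site:` key names are hypothetical.

```php
<?php
// Added example, not MPOS code. $store stands in for Memcache; bump(),
// allow() and the counter key layout are hypothetical.

function bump(array &$store, string $key, int $flushSeconds, int $now): int
{
    // Fixed window: a counter lives for flush_seconds, then starts again at 0
    if (!isset($store[$key]) || $store[$key]['expires'] <= $now) {
        $store[$key] = ['count' => 0, 'expires' => $now + $flushSeconds];
    }
    return ++$store[$key]['count'];
}

function allow(array &$store, array $cfg, string $client, bool $isAjax, bool $isAdmin, int $now): bool
{
    if (!$cfg['enabled'] || ($isAdmin && $cfg['ignore_admins'])) {
        return true;
    }
    if ($isAjax && !$cfg['protect_ajax']) {
        return true;
    }
    $ok = true;
    if ($isAjax) {
        $ok = bump($store, "api:$client", $cfg['flush_seconds_api'], $now) <= $cfg['rate_limit_api'];
    }
    if (!$isAjax || $cfg['ajax_hits_additive']) {
        // bump() is evaluated first so the site counter is always updated
        $ok = bump($store, "site:$client", $cfg['flush_seconds_site'], $now) <= $cfg['rate_limit_site'] && $ok;
    }
    return $ok;
}

$cfg = [
    'enabled' => true, 'protect_ajax' => true, 'ajax_hits_additive' => false, 'ignore_admins' => true,
    'flush_seconds_api' => 60, 'rate_limit_api' => 20,
    'flush_seconds_site' => 60, 'rate_limit_site' => 30,
];

// Constructed traffic: one client sends 25 ajax calls at once, then one more a minute later
$store = [];
$allowed = 0;
for ($i = 0; $i < 25; $i++) {
    $allowed += allow($store, $cfg, '198.51.100.7', true, false, 1000) ? 1 : 0;
}
echo "allowed in burst: $allowed\n";
echo "after flush: ", var_export(allow($store, $cfg, '198.51.100.7', true, false, 1060), true), "\n";
```

A fixed window resets all at once, so a client can send a full quota just before the flush and another just after it; size the limits with that in mind.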
To help protect against CSRF, we can generate a hash that changes every minute and is unique for each user/IP and page or use, and check against that when a form is submitted.
Default Values:
enabled = true
enabled
- Whether or not to generate and check for valid CSRF Tokens
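One way to build a token with these properties, added as an example rather than MPOS's own implementation: an HMAC over user, IP, page and the current minute. The secret, the function names and the one-window grace period are assumptions of this example.

```php
<?php
// Added example, not MPOS code. $secret, csrf_token() and csrf_check() are
// hypothetical names; the one-window grace period is an assumption.

/** Token bound to one user, IP and page for a single one-minute window. */
function csrf_token(string $secret, string $user, string $ip, string $page, int $now): string
{
    $window = intdiv($now, 60);                            // changes every minute
    $data = implode("\0", [$user, $ip, $page, $window]);   // NUL keeps fields from running together
    return hash_hmac('sha256', $data, $secret);
}

/** Accept the current window and up to $grace earlier ones. */
function csrf_check(string $secret, string $user, string $ip, string $page,
                    string $token, int $now, int $grace = 1): bool
{
    for ($i = 0; $i <= $grace; $i++) {
        $expected = csrf_token($secret, $user, $ip, $page, $now - 60 * $i);
        if (hash_equals($expected, $token)) {              // constant-time comparison
            return true;
        }
    }
    return false;
}

// Constructed sample values
$secret   = 'constructed-demo-secret';      // in practice: random, server-side only
$rendered = 1700000039;                     // last second of a one-minute window
$token    = csrf_token($secret, 'alice', '198.51.100.7', 'account/edit', $rendered);

// Submitted three seconds later, after the minute rolled over
var_dump(csrf_check($secret, 'alice', '198.51.100.7', 'account/edit', $token, $rendered + 3));
// Same token presented for a different page
var_dump(csrf_check($secret, 'alice', '198.51.100.7', 'account/withdraw', $token, $rendered + 3));
// Same token presented from a different IP
var_dump(csrf_check($secret, 'alice', '203.0.113.50', 'account/edit', $token, $rendered + 3));
// Submitted after the grace window has passed
var_dump(csrf_check($secret, 'alice', '198.51.100.7', 'account/edit', $token, $rendered + 120));
```

Checking the previous window as well keeps a form rendered at the end of one minute from failing when it is submitted at the start of the next.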
To increase security for users, account detail changes can require an e-mail confirmation prior to performing certain actions.
Default Values:
enabled = true
details = true
withdraw = true
changepw = true
enabled
- Whether or not to require e-mail confirmations
details
- Require confirmation to change account details
withdraw
- Require confirmation to manually withdraw/payout
changepw
- Require confirmation to change password
To avoid accounts being hacked by brute force attacks, set a maximum amount of failed login or pin entry attempts before locking the account. They will need to contact site support to re-enable the account.
login = 3
pin = 3
login
- Number of invalid login attempts before locking
pin
- Number of invalid pin attempts before locking
- installation of Redis requires TCL 8.5 or newer TCL Download Page