Overview of all config.inc.php settings
=======================================

The file **userdata/baseconfig/config.inc.php** contains various settings
which are essential to connect to your database and other
things that should be known before the database connection
is opened.
Other settings are stored in the database (table "config")
and can be accessed using the admin login area.

The setup assistant (/setup/) will lead you through
the creation of the most important settings of **config.inc.php**.

Below you will find a list of all possible config settings
of the default OIDplus installation/plugins.
Please note that a plugin can define any key.


(1) Config settings provided by the setup assistant
---------------------------------------------------

### CONFIG_VERSION

    OIDplus::baseConfig()->setValue('CONFIG_VERSION', 2.1);

Always set to 2.1 in the latest format.

### ADMIN_PASSWORD

    OIDplus::baseConfig()->setValue('ADMIN_PASSWORD', '<BCrypt hash, or base64 encoded SHA3-512 hash>');

If you want to have multiple valid administrator passwords
(e.g. if you want multiple users), then this value can
also be an array containing hashes.

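Generating and checking a value in either of the two formats named above, as an added example that is not part of OIDplus itself; it assumes the "base64 encoded SHA3-512 hash" is the base64 of the raw 64-byte digest, and all passwords in it are constructed.

```php
<?php
// Added example (not OIDplus project code): produce a value for ADMIN_PASSWORD
// in either of the two formats the setting accepts, and check a candidate
// password against one or more stored values.
// Assumption: the "base64 encoded SHA3-512 hash" is the base64 of the raw
// 64-byte digest; adjust makeAdminPasswordSha3() if your installation differs.

declare(strict_types=1);

function makeAdminPasswordBcrypt(string $password): string
{
    // BCrypt carries its own random salt and work factor in the hash string.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function makeAdminPasswordSha3(string $password): string
{
    // Unsalted SHA3-512 of the password, raw digest, base64 encoded (88 chars).
    return base64_encode(hash('sha3-512', $password, true));
}

function verifyAdminPassword(string $candidate, string $stored): bool
{
    // BCrypt strings start with "$2y$" (older variants "$2a$"/"$2b$").
    if (strncmp($stored, '$2', 2) === 0) {
        return password_verify($candidate, $stored);
    }
    // Otherwise expect base64(SHA3-512): strict decode, constant-time compare.
    $expected = base64_decode($stored, true);
    if ($expected === false || strlen($expected) !== 64) {
        return false;
    }
    return hash_equals($expected, hash('sha3-512', $candidate, true));
}

// ADMIN_PASSWORD may also be an array of hashes (several administrators).
function verifyAdminPasswordAny(string $candidate, $stored): bool
{
    foreach ((array)$stored as $hash) {
        if (is_string($hash) && verifyAdminPassword($candidate, $hash)) {
            return true;
        }
    }
    return false;
}

// Constructed demo values; never put real passwords into version control.
$hashes = [
    makeAdminPasswordBcrypt('first-admin-passphrase'),
    makeAdminPasswordSha3('second-admin-passphrase'),
];
// What would go into config.inc.php:
//   OIDplus::baseConfig()->setValue('ADMIN_PASSWORD', $hashes);
echo "bcrypt value:   {$hashes[0]}\n";
echo "sha3-512 value: {$hashes[1]}\n";
var_dump(verifyAdminPasswordAny('first-admin-passphrase', $hashes));
var_dump(verifyAdminPasswordAny('second-admin-passphrase', $hashes));
var_dump(verifyAdminPasswordAny('not-an-admin-passphrase', $hashes));
```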
### DATABASE_PLUGIN

    OIDplus::baseConfig()->setValue('DATABASE_PLUGIN', '');

Valid values: see plugins (setup/).

### OCI_*

    OIDplus::baseConfig()->setValue('OCI_CONN_STR', 'localhost/orcl');
    OIDplus::baseConfig()->setValue('OCI_USERNAME', 'hr');
    OIDplus::baseConfig()->setValue('OCI_PASSWORD', 'oracle');

Used by the Oracle database plugin.
OCI_CONN_STR can be an Oracle connection string/TNS or a hostname.

### ODBC_*

    OIDplus::baseConfig()->setValue('ODBC_DSN', 'DRIVER={SQL Server};SERVER=localhost;DATABASE=oidplus;CHARSET=UTF8');
    OIDplus::baseConfig()->setValue('ODBC_USERNAME', 'sa');
    OIDplus::baseConfig()->setValue('ODBC_PASSWORD', base64_decode('<base64_encoded_password>')); // alternatively as plaintext

Used by the ODBC database plugin.

Username and password are not required if you want to use SQL Server Integrated Security,
or if the DBMS does not require credentials (e.g. a File DB).

The base64 encoding protects your password from being read if someone
"looks over your shoulder" at your display while you have the configuration file opened.
(Obviously, it doesn't protect you if they can take a photo or screenshot.)

### PDO_*

    OIDplus::baseConfig()->setValue('PDO_DSN', 'pgsql:host=localhost;dbname=oidplus');
    OIDplus::baseConfig()->setValue('PDO_USERNAME', 'postgres');
    OIDplus::baseConfig()->setValue('PDO_PASSWORD', base64_decode('<base64_encoded_password>')); // alternatively as plaintext

Used by the PDO database plugin.

Username and password are not required if you want to use SQL Server Integrated Security,
or if the DBMS does not require credentials (e.g. a File DB).

The base64 encoding protects your password from being read if someone
"looks over your shoulder" at your display while you have the configuration file opened.
(Obviously, it doesn't protect you if they can take a photo or screenshot.)

### ADO_*

    OIDplus::baseConfig()->setValue('ADO_CONNECTION_STRING', 'Provider=MSOLEDBSQL;Data Source=LOCALHOST\SQLEXPRESS;Initial Catalog=oidplus;Integrated Security=SSPI');

Used by the ADO database plugin.

### SQLSRV_*

    OIDplus::baseConfig()->setValue('SQLSRV_SERVER', 'localhost\oidplus');
    OIDplus::baseConfig()->setValue('SQLSRV_USERNAME', '');
    OIDplus::baseConfig()->setValue('SQLSRV_PASSWORD', base64_decode('<base64_encoded_password>')); // alternatively as plaintext
    OIDplus::baseConfig()->setValue('SQLSRV_DATABASE', 'oidplus');
    OIDplus::baseConfig()->setValue('SQLSRV_OPTIONS', array());

Used by the SQLSRV database plugin.

SQLSRV_OPTIONS can be filled with various connection info options
(see PHP documentation for sqlsrv_connect).
The following fields will be automatically filled if they are not explicitly overridden:
- `UID` will be filled with `SQLSRV_USERNAME`
- `PWD` will be filled with `SQLSRV_PASSWORD`
- `Database` will be filled with `SQLSRV_DATABASE`
- `CharacterSet` will be filled with `"UTF-8"`

Username and password are not required if you want to use SQL Server Integrated Security,
or if the DBMS does not require credentials (e.g. a File DB).

The base64 encoding protects your password from being read if someone
"looks over your shoulder" at your display while you have the configuration file opened.
(Obviously, it doesn't protect you if they can take a photo or screenshot.)

### MYSQL_*

    OIDplus::baseConfig()->setValue('MYSQL_HOST', 'localhost:3306');

The hostname to connect to. Port (:3306) is optional.

    OIDplus::baseConfig()->setValue('MYSQL_SOCKET', '');

In case you connect to MySQL through a socket, use this setting.
(It is currently not included in setup/ and needs to be set manually.)

    OIDplus::baseConfig()->setValue('MYSQL_USERNAME', 'root');
    OIDplus::baseConfig()->setValue('MYSQL_PASSWORD', base64_decode('<base64_encoded_password>')); // alternatively as plaintext
    OIDplus::baseConfig()->setValue('MYSQL_DATABASE', 'oidplus');

Used by the MySQL database plugin.

The base64 encoding protects your password from being read if someone
"looks over your shoulder" at your display while you have the configuration file opened.
(Obviously, it doesn't protect you if they can take a photo or screenshot.)

### PGSQL_*

    OIDplus::baseConfig()->setValue('PGSQL_HOST', 'localhost:5432');

The hostname to connect to. Port (:5432) is optional.

    OIDplus::baseConfig()->setValue('PGSQL_SOCKET', '');

In case you connect to PostgreSQL through a socket, use this setting.
(It is currently not included in setup/ and needs to be set manually.)

    OIDplus::baseConfig()->setValue('PGSQL_USERNAME', 'postgres');
    OIDplus::baseConfig()->setValue('PGSQL_PASSWORD', base64_decode('<base64_encoded_password>')); // alternatively as plaintext
    OIDplus::baseConfig()->setValue('PGSQL_DATABASE', 'oidplus');

Used by the PgSQL database plugin.

The base64 encoding protects your password from being read if someone
"looks over your shoulder" at your display while you have the configuration file opened.
(Obviously, it doesn't protect you if they can take a photo or screenshot.)

### SQLITE3_*

    OIDplus::baseConfig()->setValue('SQLITE3_FILE', 'userdata/database/oidplus.db');
    OIDplus::baseConfig()->setValue('SQLITE3_ENCRYPTION', '');

Attention: This file must be located in a location that is not world-readable/downloadable!

The encryption is optional.

### TABLENAME_PREFIX

    OIDplus::baseConfig()->setValue('TABLENAME_PREFIX', 'oidplus_');

Every table has this prefix, e.g. oidplus_config.

### SERVER_SECRET

    OIDplus::baseConfig()->setValue('SERVER_SECRET', 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');

It is very, very important that you choose a long sequence of
random characters. OIDplus uses this secret for various
security-related purposes. If someone accidentally received this secret,
please change the sequence.

### CAPTCHA_PLUGIN

    OIDplus::baseConfig()->setValue('CAPTCHA_PLUGIN', 'None');

Alternative values (installed plugins):
- `reCAPTCHA`
- `hCaptcha`
- `ViaThinkSoft Client Challenge`

Please note that the value is case-sensitive.

### RECAPTCHA_VERSION

    OIDplus::baseConfig()->setValue('RECAPTCHA_VERSION', \ViaThinkSoft\OIDplus\OIDplusCaptchaPluginRecaptcha::RECAPTCHA_V2_CHECKBOX);

Possible values:
- `\ViaThinkSoft\OIDplus\OIDplusCaptchaPluginRecaptcha::RECAPTCHA_V2_CHECKBOX`
- `\ViaThinkSoft\OIDplus\OIDplusCaptchaPluginRecaptcha::RECAPTCHA_V2_INVISIBLE`
- `\ViaThinkSoft\OIDplus\OIDplusCaptchaPluginRecaptcha::RECAPTCHA_V3`

### RECAPTCHA_ENABLED

    OIDplus::baseConfig()->setValue('RECAPTCHA_ENABLED', true);

Deprecated!
- `RECAPTCHA_ENABLED=true` becomes `CAPTCHA_PLUGIN=reCAPTCHA`
- `RECAPTCHA_ENABLED=false` becomes `CAPTCHA_PLUGIN=None`

### RECAPTCHA_*

    OIDplus::baseConfig()->setValue('RECAPTCHA_PUBLIC', '');
    OIDplus::baseConfig()->setValue('RECAPTCHA_PRIVATE', '');

Only used if `CAPTCHA_PLUGIN=reCAPTCHA`.

### HCAPTCHA_*

    OIDplus::baseConfig()->setValue('HCAPTCHA_SITEKEY', '');
    OIDplus::baseConfig()->setValue('HCAPTCHA_SECRET', '');

Only used if `CAPTCHA_PLUGIN=hCaptcha`.

### VTS_CAPTCHA_*

    OIDplus::baseConfig()->setValue('VTS_CAPTCHA_COMPLEXITY', 50000);
    OIDplus::baseConfig()->setValue('VTS_CAPTCHA_AUTOSOLVE', true);
    OIDplus::baseConfig()->setValue('VTS_CAPTCHA_MAXTIME', 10*60/*10 minutes*/);

Only used if `CAPTCHA_PLUGIN=ViaThinkSoft Client Challenge`.

### ENFORCE_SSL

    OIDplus::baseConfig()->setValue('ENFORCE_SSL', OIDplus::ENFORCE_SSL_AUTO);

Values are:
- `OIDplus::ENFORCE_SSL_NO` (0) = (off)
- `OIDplus::ENFORCE_SSL_YES` (1) = (on)
- `OIDplus::ENFORCE_SSL_AUTO` (2) = (auto detect SSL)

(2) System limitations
----------------------

The system limitations are defined and documented in includes/oidplus_limits.inc.php
and can be overwritten by config.inc.php.

### LIMITS_MAX_ID_LENGTH

    OIDplus::baseConfig()->setValue('LIMITS_MAX_ID_LENGTH', 255);

Example: OID 2.999.123.456 has a length of 13 characters in dot notation.
OIDplus adds the prefix "oid:" in front of every OID,
so the overall length of the ID would be 17.

Default value: 255 digits (OIDs 251 digits)

Which value is realistic? In the oid-info.com database (April 2020), the OID with the greatest size is 65 characters (dot notation).

Maximum value: OIDs may only have a size of max 251 characters in dot notation.
Reason: The field definition of *_objects.oid is defined as varchar(255),
and the OID will have the prefix 'oid:' (4 bytes).
You can increase the limit by changing the field definition in the database.

### LIMITS_MAX_OID_ASN1_ID_LEN

    OIDplus::baseConfig()->setValue('LIMITS_MAX_OID_ASN1_ID_LEN', 255);

Default value: 255 characters

Maximum value: 255, as defined in the database fields *_asn1id.name
You can change the database field definition if you really need more.

### LIMITS_MAX_OID_UNICODE_LABEL_LEN

    OIDplus::baseConfig()->setValue('LIMITS_MAX_OID_UNICODE_LABEL_LEN', 255);

Default value: 255 bytes (UTF-8 encoded!)

Maximum value: 255, as defined in the database fields *_iri.name
You can change the database field definition if you really need more.


(3) "Hidden"/undocumented config settings
-----------------------------------------

### OFFLINE_MODE

    OIDplus::baseConfig()->setValue('OFFLINE_MODE', false);

If set to true, OIDplus will not contact other servers. No system registration,
no hCaptcha, no reCAPTCHA, no system updates, etc.

### OIDINFO_API_URL

    OIDplus::baseConfig()->setValue('OIDINFO_API_URL', '<url>');

Currently only for internal use by the development utilities (dev/).
The API of oid-info.com is currently not public.

### REGISTRATION_HIDE_SYSTEM

    OIDplus::baseConfig()->setValue('REGISTRATION_HIDE_SYSTEM', true);

Set this if you have a clone of a productive system and you want
to avoid that the clone registers at the ViaThinkSoft directory
(which would overwrite the URL of the productive system and reveal
the URL of your testing system).

### MYSQL_FORCE_MYSQLND_SUPPLEMENT

    OIDplus::baseConfig()->setValue('MYSQL_FORCE_MYSQLND_SUPPLEMENT', false);

The MySQLi plugin contains supplement code to handle
prepared statements on servers which do not have the MySQLnd extension
installed. Set this flag to force the supplement to be used,
even if MySQLnd is available. (For testing purposes only.)

### QUERY_LOGFILE

    OIDplus::baseConfig()->setValue('QUERY_LOGFILE', '');

Set this setting to a filename where all queries, including timestamps, will be written.
This is used for performance analysis.
Please choose a directory that is not world-accessible.

Note: Writing to "/tmp/..." might be redirected to "/tmp/systemd-private-*/tmp/..." by the system.

### OBJECT_CACHING

    OIDplus::baseConfig()->setValue('OBJECT_CACHING', true);

Object caching reads all objects into memory. This increases performance
but also increases memory usage on large databases.

### FORCE_DBMS_SLANG

    OIDplus::baseConfig()->setValue('FORCE_DBMS_SLANG', '');

Currently valid values:
- `access`
- `firebird`
- `mssql`
- `mysql`
- `oracle`
- `pgsql`
- `sqlite`

### PREPARED_STATEMENTS_EMULATION

    OIDplus::baseConfig()->setValue('PREPARED_STATEMENTS_EMULATION', 'auto');

Currently only for the ODBC database plugin.
- `auto` = Auto detect if prepared statements should be emulated
- `on` = Always emulate prepared statements
- `off` = Never emulate prepared statements

### MINIFY_CSS

    OIDplus::baseConfig()->setValue('MINIFY_CSS', true);

This enables the compression of CSS definitions.
- Compressed approx: 220 KB
- Uncompressed approx: 224 KB

### MINIFY_JS

    OIDplus::baseConfig()->setValue('MINIFY_JS', true);

This enables the compression of JavaScript code.
Please only disable this if you want to debug
the code! You should not disable it on a productive
system, because otherwise the JavaScript code
would be several megabytes large.
- Compressed approx: 1133 KB
- Uncompressed approx: 2761 KB

### DISABLE_PLUGIN_*

    OIDplus::baseConfig()->setValue('DISABLE_PLUGIN_...', true);

This gives you the possibility to disable a plugin without
requiring it to be removed from the file system.
(Removing a plugin from the file system can result in various
problems, e.g. it can be re-added during an SVN/software update.)
Replace "..." with the main PHP class of the plugin you want to disable.
The namespace must be included.
Example:
`"DISABLE_PLUGIN_ViaThinkSoft\OIDplus\OIDplusLoggerPluginUserdataLogfile"`
disables the plugin "logger/300_userdata_logfile".

### DISABLE_AJAX_TRANSACTIONS

    OIDplus::baseConfig()->setValue('DISABLE_AJAX_TRANSACTIONS', false);

This will disable the usage of database transactions in ajax.php.
Only use this if you have severe problems running the system.
It might result in inconsistent data, e.g. if you update an OID
and an error occurs in the middle of that process.

### DISABLE_REST_TRANSACTIONS

    OIDplus::baseConfig()->setValue('DISABLE_REST_TRANSACTIONS', false);

This will disable the usage of database transactions in rest/* calls.
Only use this if you have severe problems running the system.
It might result in inconsistent data, e.g. if you update an OID
and an error occurs in the middle of that process.

### CANONICAL_SYSTEM_URL

    OIDplus::baseConfig()->setValue('CANONICAL_SYSTEM_URL', '');

Setting this value to a system URL will override the absolute system URL detection.
It has the following effects:
1. The "canonical" metatag will use this explicit system URL
   instead of the one the PHP script is detecting.
   (This is important to avoid duplicate content at search indexes.)
2. CLI WHOIS and other CLI (command-line interface) tools
   will use this address when they need to output a URL.
   Otherwise, the CLI tools would need to use the last known
   URL that was detected when a webpage visitor last visited the page.
3. While most resources (images, CSS files, scripts, etc.) are loaded
   via relative URLs, sometimes an absolute URL is required
   (e.g., if an email is sent with an activation link).
   The explicit absolute system URL will then be used rather
   than the automatically detected one.

Note that setting an absolute system URL can be very useful if
OIDplus runs on a system (which detects itself as "X"),
while the canonical URL "Y" is a reverse proxy.

### DEBUG

    OIDplus::baseConfig()->setValue('DEBUG', false);

Enables some special checks for plugins (e.g. a self-test for auth plugins).
It is highly recommended that you enable DEBUG if you are developing
plugins!
It is recommended to disable this switch in productive systems,
because the self-tests decrease the performance.
However, after installing a new plugin, you might want to enable
it for a few minutes, to make sure the plugin is working correctly.

### COOKIE_SAMESITE_POLICY

    OIDplus::baseConfig()->setValue('COOKIE_SAMESITE_POLICY', 'Strict');

Defines which "SameSite" policy should be used for the cookies OIDplus uses.
Can be "None", "Lax" or "Strict".
"Strict" is the most secure setting.
"Lax" allows people to stay logged in if they follow a link pointing
to your OIDplus installation.
"None" is not recommended and is deprecated by modern web browsers.
However, OIDplus itself provides an Anti-CSRF mechanism, so you should
still be safe.

### COOKIE_DOMAIN

    OIDplus::baseConfig()->setValue('COOKIE_DOMAIN', '');

If set, the "cookieDomain" setting will be set.
Value '' (empty string) means that only the current domain or subdomain is allowed.
Value '(auto)' means that the current domain or subdomain as well as all its sub(sub)domains are allowed.
Any other value means that the entered domain or subdomain as well as all its sub(sub)domains are allowed.

IT IS HIGHLY RECOMMENDED TO SET THIS VALUE TO '' (EMPTY STRING).
Be very careful if you change this value! If the value was set to '' (empty string),
then the visitors might have a cookie on their system that allows only this domain (Chrome shows this as domain "example.com").
If you change the setting to a different value, then the users will receive a subdomain cookie (Chrome shows this as domain ".example.com").
Since the web browser will prefer the domain-only cookie (without dot prefix) over the subdomain cookie (with dot prefix),
your users will always get the old cookie and therefore cannot log in anymore!

### COOKIE_PATH

    OIDplus::baseConfig()->setValue('COOKIE_PATH', '(auto)');

Can be used to increase security by setting an explicit pathname in the cookies.
Set to '/' to allow all paths.
Set to '(auto)' to automatically detect the path based on the absolute canonical path.
Note: If supported, you can use Apache's "ProxyPassReverseCookiePath" to translate
the cookie path in a reverse-proxy setting.

### XFF_TRUSTED_PROXIES

    OIDplus::baseConfig()->setValue('XFF_TRUSTED_PROXIES', []);

Contains the IP addresses of proxies for which the value of
`HTTP_X_FORWARDED_FOR` is trusted in order to determine the IP address
of the real web visitor. Otherwise `REMOTE_ADDR` will be used to
determine the address of the web visitor.
Please note: If you have multiple proxies, then the second-level proxy
must trust the third-level proxy and so on.
OIDplus only verifies the address of its direct communication partner,
i.e. the proxy that identifies itself through `REMOTE_ADDR`.

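Resolution of the visitor address under this setting, as an added example that is not OIDplus's own code; it also walks a multi-hop `X-Forwarded-For` chain from the right, skipping every listed proxy, which goes beyond the single-proxy case the text describes. The trusted list, addresses and header values in it are constructed.

```php
<?php
// Added example (not OIDplus's own code): resolve the visitor address the way
// XFF_TRUSTED_PROXIES is described. X-Forwarded-For is honoured only when the
// direct peer (REMOTE_ADDR) is a configured trusted proxy; otherwise REMOTE_ADDR
// is the visitor and any forwarded header is ignored as unverifiable.
// The trusted list, addresses and header values below are constructed.

declare(strict_types=1);

/**
 * @param string   $remoteAddr     $_SERVER['REMOTE_ADDR'], the direct peer
 * @param string   $xff            $_SERVER['HTTP_X_FORWARDED_FOR'] ('' if absent)
 * @param string[] $trustedProxies the XFF_TRUSTED_PROXIES list
 */
function resolveVisitorIp(string $remoteAddr, string $xff, array $trustedProxies): string
{
    if ($xff === '' || !in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }
    // X-Forwarded-For reads "client, proxy1, proxy2, ...": each hop appends
    // the peer it saw. Walk from the right, discarding every hop that is itself
    // a trusted proxy; the first address that is not trusted is the visitor as
    // reported by the outermost proxy you trust. Anything further left was
    // supplied by an untrusted party and is not used.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            // Malformed entry: attribute the request to the nearest trusted hop
            // rather than using a value that is not even an IP address.
            return ($i + 1 < count($hops)) ? $hops[$i + 1] : $remoteAddr;
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    // Every listed hop was a trusted proxy; fall back to the direct peer.
    return $remoteAddr;
}

// Constructed deployment: two reverse proxies in front of OIDplus, i.e.
//   OIDplus::baseConfig()->setValue('XFF_TRUSTED_PROXIES', ['10.0.0.2', '10.0.0.3']);
$trusted = ['10.0.0.2', '10.0.0.3'];

// Visitor 203.0.113.7 -> proxy 10.0.0.3 -> proxy 10.0.0.2 -> OIDplus
echo resolveVisitorIp('10.0.0.2', '203.0.113.7, 10.0.0.3', $trusted), "\n";

// Direct connection from an untrusted host that sends its own header:
// the header is ignored and the peer address is used.
echo resolveVisitorIp('198.51.100.9', '203.0.113.7', $trusted), "\n";

// Trusted proxy but no header (e.g. a health check from the proxy itself).
echo resolveVisitorIp('10.0.0.2', '', $trusted), "\n";
```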
### RA_PASSWORD_PEPPER

    OIDplus::baseConfig()->setValue('RA_PASSWORD_PEPPER', '');

The pepper is stored inside the base configuration file.
It prevents an attacker with SQL write rights from
creating accounts.

ATTENTION!!! If a pepper is used, then the
hashes are bound to that pepper. If you change the pepper,
then ALL passwords of RAs become INVALID!

### RA_PASSWORD_PEPPER_ALGO

    OIDplus::baseConfig()->setValue('RA_PASSWORD_PEPPER_ALGO', 'sha512');

The pepper is stored inside the base configuration file.
It prevents an attacker with SQL write rights from
creating accounts.
ATTENTION!!! If a pepper is used, then the
hashes are bound to that pepper. If you change the pepper,
then ALL passwords of RAs become INVALID!

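An added illustration of what the pepper buys and why rotating it invalidates every stored RA hash; this is not the OIDplus implementation (whose exact hash format this page does not give), and the scheme, HMAC keyed with the pepper followed by bcrypt, as well as all values, are assumptions.

```php
<?php
// Added illustration, not the OIDplus implementation (whose exact hash format
// is not given on this page): shows what a pepper kept in config.inc.php buys
// and why changing it invalidates every stored RA hash. Assumed scheme:
// HMAC(RA_PASSWORD_PEPPER_ALGO, password, pepper) followed by bcrypt.

declare(strict_types=1);

function pepperedHash(string $password, string $pepper, string $algo): string
{
    // HMAC keyed with the pepper (hex), then a salted, slow hash for storage.
    // bcrypt only looks at the first 72 bytes; 72 hex characters still carry
    // 288 bits of the HMAC, so nothing of value is lost.
    return password_hash(hash_hmac($algo, $password, $pepper), PASSWORD_BCRYPT);
}

function verifyPeppered(string $password, string $stored, string $pepper, string $algo): bool
{
    return password_verify(hash_hmac($algo, $password, $pepper), $stored);
}

// Constructed values standing in for the two config settings.
$pepper = 'constructed-pepper-kept-only-in-config.inc.php';  // RA_PASSWORD_PEPPER
$algo   = 'sha512';                                           // RA_PASSWORD_PEPPER_ALGO

$stored = pepperedHash('ra-passphrase', $pepper, $algo);

// 1. Normal login: the server applies the pepper, the hash matches.
var_dump(verifyPeppered('ra-passphrase', $stored, $pepper, $algo));

// 2. A row written directly into the database by someone who has SQL write
//    access but not the config file: the best they can do is a hash made
//    without the pepper. The server, applying the real pepper, rejects it,
//    which is the property the description above refers to.
$unpeppered = password_hash(hash_hmac($algo, 'chosen-passphrase', ''), PASSWORD_BCRYPT);
var_dump(verifyPeppered('chosen-passphrase', $unpeppered, $pepper, $algo));

// 3. Rotating the pepper: every existing hash stops verifying, so all RA
//    passwords must be reset (the ATTENTION note above).
var_dump(verifyPeppered('ra-passphrase', $stored, 'rotated-pepper', $algo));
```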
1209 | daniel-mar | 519 | ### DEFAULT_LANGUAGE |
1208 | daniel-mar | 520 | |
1207 | daniel-mar | 521 | OIDplus::baseConfig()->setValue('DEFAULT_LANGUAGE', 'enus'); |
522 | |||
523 | Default language of the system. This is the language |
||
524 | a new visitor will see if no "lang=" parameter is used |
||
525 | and no cookie is set. |
||
526 | Must be a valid language in the plugins directory. |
||
527 | Currently available: |
||
528 | - `enus` = English USA (default) |
||
529 | - `dede` = German Germany |
||
530 | |||
531 | (4) LDAP settings |
||
532 | ----------------- |
||
533 | |||
534 | (see also document ldap_installation.md) |
||
535 | |||
1209 | daniel-mar | 536 | ### LDAP_ENABLED |
1208 | daniel-mar | 537 | |
1207 | daniel-mar | 538 | OIDplus::baseConfig()->setValue('LDAP_ENABLED', true); |
539 | |||
540 | Set to true if you want to enable that users can log-in using LDAP / ActiveDirectory. |
||
541 | |||
1209 | daniel-mar | 542 | ### LDAP_NUM_DOMAINS |
1208 | daniel-mar | 543 | |
1207 | daniel-mar | 544 | OIDplus::baseConfig()->setValue('LDAP_NUM_DOMAINS', 1); |
545 | |||
546 | Contains the number of domains/servers which are used. |
||
547 | For 2nd, 3rd, 4th, ... domain use the fields LDAP_xxx__2, LDAP_xxx__3, ... |
||
548 | e.g. LDAP_SERVER__2 |
||
549 | LDAP_PORT__2 |
||
550 | LDAP_BASE_DN__2 |
||
551 | ... |
||
552 | |||
1209 | daniel-mar | 553 | ### LDAP_SERVER |
1208 | daniel-mar | 554 | |
1207 | daniel-mar | 555 | OIDplus::baseConfig()->setValue('LDAP_SERVER', 'ldap://server1.contoso.local'); |
556 | |||
557 | The LDAP server of your company. |
||
558 | |||
1209 | daniel-mar | 559 | ### LDAP_PORT |
1208 | daniel-mar | 560 | |
1207 | daniel-mar | 561 | OIDplus::baseConfig()->setValue('LDAP_PORT', 389); |
562 | |||
563 | The port of the LDAP server. |
||
564 | |||
1209 | daniel-mar | 565 | ### LDAP_BASE_DN |
1208 | daniel-mar | 566 | |
1207 | daniel-mar | 567 | OIDplus::baseConfig()->setValue('LDAP_BASE_DN', 'DC=CONTOSO,DC=local'); |
568 | |||
569 | The base Distinguished Name (DN) of your directory. |
||
570 | |||
1209 | daniel-mar | 571 | ### LDAP_UPN_SUFFIX |
1208 | daniel-mar | 572 | |
1207 | daniel-mar | 573 | OIDplus::baseConfig()->setValue('LDAP_UPN_SUFFIX', '@contoso.local'); |
574 | |||
575 | The UPN suffix of this domain. |
||
576 | |||
1209 | daniel-mar | 577 | ### LDAP_AUTHENTICATE_UPN |
1208 | daniel-mar | 578 | |
1207 | daniel-mar | 579 | OIDplus::baseConfig()->setValue('LDAP_AUTHENTICATE_UPN', true); |
580 | |||
581 | In the login mask, the users will log in using the UPN ("principal name") e.g. username@contoso.local, |
||
582 | and in OIDplus, a RA account with an email equal to the UPN will be created. |
||
583 | |||
1209 | daniel-mar | 584 | ### LDAP_AUTHENTICATE_EMAIL |
1208 | daniel-mar | 585 | |
1207 | daniel-mar | 586 | OIDplus::baseConfig()->setValue('LDAP_AUTHENTICATE_EMAIL', false); |
587 | |||
588 | In the login mask, the users will log in using the UPN ("principal name") e.g. username@contoso.local, |
||
589 | and in OIDplus, a RA account with an email equal to the "E-Mail-Address" field of the user in the directory will be created. |
||
590 | Note: If you did not set an email address to the user in the LDAP/ActiveDirectory, then the login will not be possible, |
||
591 | except if LDAP_AUTHENTICATE_UPN is additionally enabled. |
||
592 | Attention: Depending on your domain configuration, users might be able to change their own data, |
||
593 | e.g. email address. If this is the case, you must not enable this setting, otherwise, |
||
594 | users could authenticate with any address! |
||
595 | |||
1209 | daniel-mar | 596 | ### LDAP_ADMIN_GROUP |
1208 | daniel-mar | 597 | |
1207 | daniel-mar | 598 | OIDplus::baseConfig()->setValue('LDAP_ADMIN_GROUP', ''); |
599 | |||
600 | If set to an empty string, the OIDplus administrator account cannot be accessed using LDAP authentication. |
||
601 | Otherwise, the user will be authenticated as administrator, if the LDAP user is a |
||
602 | member of the group specified in this setting. |
||
603 | Example values: |
||
604 | - `CN=Administrators,CN=Builtin,DC=CONTOSO,DC=local` |
||
605 | makes every domain administrator also an OIDplus administrator |
||
606 | - `CN=OIDplus Administrators,CN=Users,DC=CONTOSO,DC=local` |
||
607 | makes every user of the group (OIDplus Administrators) to OIDplus administrators |
||
608 | |||
1209 | daniel-mar | 609 | ### LDAP_RA_GROUP |
1207 | daniel-mar | 610 | |
611 | OIDplus::baseConfig()->setValue('LDAP_RA_GROUP', ''); |
||
612 | |||
613 | If set to an empty string, every LDAP user can authenticate as RA, depending |
||
614 | on whether `LDAP_AUTHENTICATE_UPN` and/or `LDAP_AUTHENTICATE_EMAIL` is set. |
||
615 | Otherwise, the LDAP users must be a member of the group specified in this setting. |
||
616 | |||
617 | |||
(5) Google OAuth2 settings
--------------------------

(see also document google_oauth2_installation.md)

### GOOGLE_OAUTH2_*

    OIDplus::baseConfig()->setValue('GOOGLE_OAUTH2_ENABLED', true);
    OIDplus::baseConfig()->setValue('GOOGLE_OAUTH2_CLIENT_ID', '..............apps.googleusercontent.com');
    OIDplus::baseConfig()->setValue('GOOGLE_OAUTH2_CLIENT_SECRET', '.............');


(6) Facebook OAuth2 settings
----------------------------

(see also document facebook_oauth2_installation.md)

### FACEBOOK_OAUTH2_*

    OIDplus::baseConfig()->setValue('FACEBOOK_OAUTH2_ENABLED', true);
    OIDplus::baseConfig()->setValue('FACEBOOK_OAUTH2_CLIENT_ID', '.............'); // Your App ID
    OIDplus::baseConfig()->setValue('FACEBOOK_OAUTH2_CLIENT_SECRET', '.............'); // Your App Secret


(7) JWT authentication settings
-------------------------------

If a web request contains the field "OIDPLUS_AUTH_JWT" containing a signed JWT token,
an automatic one-time login is performed in order to execute commands.
This feature is used by the plugins "Automated AJAX calls" for admins and RAs.
With these switches you can disable this feature.

### JWT_ALLOW_AJAX_ADMIN

    OIDplus::baseConfig()->setValue('JWT_ALLOW_AJAX_ADMIN', true);

Allow JWT tokens that were created using the admin plugin
"Automated AJAX calls".

### JWT_ALLOW_AJAX_USER

    OIDplus::baseConfig()->setValue('JWT_ALLOW_AJAX_USER', true);

Allow JWT tokens that were created using the RA plugin
"Automated AJAX calls".

### JWT_ALLOW_REST_ADMIN

    OIDplus::baseConfig()->setValue('JWT_ALLOW_REST_ADMIN', true);

Allow JWT tokens that were created using the admin plugin
"REST API".

### JWT_ALLOW_REST_USER

    OIDplus::baseConfig()->setValue('JWT_ALLOW_REST_USER', true);

Allow JWT tokens that were created using the RA plugin
"REST API".

### JWT_ALLOW_LOGIN_ADMIN

    OIDplus::baseConfig()->setValue('JWT_ALLOW_LOGIN_ADMIN', true);

Allow browser logins for the administrator account.

### JWT_ALLOW_LOGIN_USER

    OIDplus::baseConfig()->setValue('JWT_ALLOW_LOGIN_USER', true);

Allow browser logins for an RA.

### JWT_ALLOW_MANUAL_ADMIN and JWT_ALLOW_MANUAL_USER

    OIDplus::baseConfig()->setValue('JWT_ALLOW_MANUAL_ADMIN', false);
    OIDplus::baseConfig()->setValue('JWT_ALLOW_MANUAL_USER', false);

Allow JWT tokens which were manually created "by hand".
These can have any content you like, but they must
contain the claim `OIDplusAuthContentStoreJWT::CLAIM_GENERATOR` with value `OIDplusAuthContentStoreJWT::JWT_GENERATOR_MANUAL`.

### JWT_TTL_LOGIN_USER

    OIDplus::baseConfig()->setValue('JWT_TTL_LOGIN_USER', 30*24*60*60);

How many seconds will a login JWT token be valid?
(RA login)

### JWT_TTL_LOGIN_ADMIN

    OIDplus::baseConfig()->setValue('JWT_TTL_LOGIN_ADMIN', 30*24*60*60);

How many seconds will a login JWT token be valid?
(Administrator login)

### JWT_FIXED_IP_USER

    OIDplus::baseConfig()->setValue('JWT_FIXED_IP_USER', false);

Should the login session only be valid for the same IP address used during
the first login? If set to true, users need to log in again if their IP address
changes. This protects against session hijacking / cookie stealing. (RA login)

### JWT_FIXED_IP_ADMIN

    OIDplus::baseConfig()->setValue('JWT_FIXED_IP_ADMIN', false);

Should the login session only be valid for the same IP address used during
the first login? If set to true, users need to log in again if their IP address
changes. This protects against session hijacking / cookie stealing. (Administrator login)

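As an added example (not from the OIDplus documentation or code base), the JWT switches of section (7) combined into one hardened block for userdata/baseconfig/config.inc.php. It is written for an instance that only uses interactive browser logins: the unattended token paths are switched off, hand-crafted tokens are refused, and the administrator session gets a shorter lifetime and is bound to its originating IP address. The 8-hour and 7-day lifetimes are assumed values chosen for illustration, not project defaults.

```php
<?php
// Added example: a least-privilege JWT section for config.inc.php.
// Not the OIDplus default; keep only the token types you actually use.

// Interactive browser logins stay enabled for both roles.
OIDplus::baseConfig()->setValue('JWT_ALLOW_LOGIN_ADMIN', true);
OIDplus::baseConfig()->setValue('JWT_ALLOW_LOGIN_USER', true);

// Disable unattended access unless the "Automated AJAX calls" or "REST API"
// plugins are in use. Every enabled switch is one more long-lived credential
// type that can leak and then log in without a password prompt.
OIDplus::baseConfig()->setValue('JWT_ALLOW_AJAX_ADMIN', false);
OIDplus::baseConfig()->setValue('JWT_ALLOW_AJAX_USER', false);
OIDplus::baseConfig()->setValue('JWT_ALLOW_REST_ADMIN', false);
OIDplus::baseConfig()->setValue('JWT_ALLOW_REST_USER', false);

// Never accept tokens created "by hand". The documented default is already
// false; it is stated explicitly so the intent survives later edits.
OIDplus::baseConfig()->setValue('JWT_ALLOW_MANUAL_ADMIN', false);
OIDplus::baseConfig()->setValue('JWT_ALLOW_MANUAL_USER', false);

// Shorter lifetimes than the documented 30*24*60*60 (30 days):
// administrator sessions expire after 8 hours, RA sessions after 7 days
// (assumed values for this example).
OIDplus::baseConfig()->setValue('JWT_TTL_LOGIN_ADMIN', 8*60*60);
OIDplus::baseConfig()->setValue('JWT_TTL_LOGIN_USER', 7*24*60*60);

// Bind the administrator session to the IP address seen at login, so a
// stolen login token cannot be replayed from another address. Left off
// for RAs, whose addresses change more often (mobile and roaming clients).
OIDplus::baseConfig()->setValue('JWT_FIXED_IP_ADMIN', true);
OIDplus::baseConfig()->setValue('JWT_FIXED_IP_USER', false);
```

Before enabling JWT_FIXED_IP_* in production, check which client address your web server hands to PHP: behind a reverse proxy or load balancer all clients can appear with the proxy's address, which makes the binding nearly meaningless, while users on mobile or carrier-grade NAT connections change address frequently and will be logged out repeatedly.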

(8) Third-party plugins
-----------------------

### FrdlWeb RDAP plugin

    OIDplus::baseConfig()->setValue('RDAP_CACHE_ENABLED', false);
    OIDplus::baseConfig()->setValue('RDAP_CACHE_DIRECTORY', OIDplus::localpath().'userdata/cache/');
    OIDplus::baseConfig()->setValue('RDAP_BASE_URI', OIDplus::webpath());
    OIDplus::baseConfig()->setValue('RDAP_CACHE_EXPIRES', 60 * 3);