
Strongbox configuration: List of Configuration Variables


Strongbox Configuration File

The following variables can be found in cgi-bin/sblogin/config.pl

Warnings and suggestions

  • We suggest making a backup copy of the config.pl file before making any changes.
  • We also suggest making only small changes, such as changing “3” to “4”. If you make a large change, like changing “3” to “12”, you will probably be unhappy with the results.
  • This is a Perl file; if it has syntax errors, Strongbox won’t work. If you have shell access, you may want to test the syntax:
 $ perl -c config.pl
 config.pl syntax OK

Standard Variables

banned_countries: Login attempts from these countries will fail. Please note that country detection is not always reliable or 100% accurate.

session_time: Session time in days. Default: 0.2

host: Should be set automatically and should not need any change. If it needs to be set manually for some reason, it should be set to the domain name, usually without the “www”. (Ex: “comglobalit.com”)

email_addresses: Email addresses Strongbox will send notices to if a username is suspended or if there is other suspicious activity. See Notification Emails

notifyof: These are the status codes that Strongbox will send notices of. See Notification Emails

max_notices_per_day: This tells the Strongbox security system the maximum number of emails it should send in a single day.

htpfiles: Perl array with locations to Authentication Sources. It can reference multiple databases and/or password files. See Authentication Methods.

image_login: Whether or not to use the turing image. See Turing Image

invincible_users: The usernames listed here can NOT get suspended. Use this feature with extreme caution. Do NOT use this to have several people pretend to be the same user with admin privileges. See Strongbox Admin Users

invincible_ips: Analogous to invincible_users. Use this feature with extreme caution.

ignored_ips: Don’t count these IPs against users. Useful to avoid suspending users because of “login tests” from third parties (despite our recommendation against doing them; see Helping Customers Who Have Trouble Logging In).

goodpage: Your default main members’ URI, typically this will be “/members/”

one_session_per_user: If set, only one person can use any given user name at any given time. If a second login is attempted, it logs out the first session.

check_proxies: Whether or not to use the proxy check feature to reduce brute force attacks.

cookies_only: For temporary use before the wildcard is set up. Uses cookies instead of Newtons (wildcards).

allowembedvideo: Allows the use of deprecated embedded video tags; reduces security slightly.

loginpage: Page displayed for user to login. Normally should not be changed.

errpage: URL to send them to if they enter a bad password.

badimagepage: Page displayed if user does not enter the turing image correctly. Normally should not be set.

ip_block_log: Used for firewall plug-in script.

badimage_log: Used for firewall plug-in script.

attemptsperhour: Total number of times a user can enter the wrong user name/password combination without getting their account suspended. (actually per 3 hour period)

uniqsubsperhour: Total number of IP ranges to suspend a user name. This may be adjusted for proxies. (actually per 3 hour period)

uniqcountriesperhour: Total number of countries to suspend a user name. This may be adjusted for proxies. (actually per 3 hour period)

totallogins: Total number of successful logins to suspend a user name. This may be adjusted for proxies. (actually per 3 hour period)

uniqorgnames: Total number of different ISPs to suspend a user name. This may be adjusted for proxies. (actually per 3 hour period)

attempts_2d: Total number of times a user must enter the wrong user name/password combination to get their account suspended. (actually per 48 hour (2 day) period)

uniqsubs_2d: Total number of IP ranges to suspend a user name. This may be adjusted for proxies. (actually per 48 hour (2 day) period)

totallogins_2d: Total number of successful logins allowed per user name. This may be adjusted for proxies. (actually per 48 hour (2 day) period)

uniqcountries_2d: Total number of countries to suspend a user name. This may be adjusted for proxies. (actually per 48 hour (2 day) period)

uniqorgnames_2d: Total number of different ISPs allowed per user name. This may be adjusted for proxies. (actually per 48 hour (2 day) period)

uniqstildisable: Total number of times a user name can get suspended for unique IPs before getting disabled.

uniqcountriestildisable: Total number of times a user name can get suspended for unique countries before getting disabled.

key: Random string, set to the same value on the different sites that need to use the Handoff feature. See Handoff

logfile: Log used internally by Strongbox to track login attempts. Should not be changed.

turinglog: Used for debugging Turing Image feature. Should not normally be changed.

sessionfiles: Directory for Strongbox internal session database. Should not normally be changed.

mailpgm: Normally set automatically. This is the path to the sendmail program.

recchk: How far back Strongbox checks the login history. Should not normally be changed, except possibly on extremely busy or extremely slow sites.

reclen: Internal variable used by Strongbox to indicate the log format in use. (Length of each line in its log).

ignoresitemask: Deprecated feature for using multiple sites with one Strongbox installation.

il_data: Variable used by Strongbox relating to Turing Image. Should not normally be changed.

Old Variables

apache_escape: Set for Windows servers to accommodate file name restrictions. (We have not supported Windows for a long time; see Strongbox Requirements.)

md5_htcookie: Set for Windows servers to accommodate file name restrictions. (We have not supported Windows for a long time; see Strongbox Requirements.)

checkpasswd: Tells whether passwords are stored in a file, a database, or remote server. See Authentication Methods.

avs_deny_string: Used for authenticating against a remote server to indicate how the remote server will respond for a negative response.

avs_approve_string: Used for authenticating against a remote server to indicate how the remote server will respond for a positive response.

site_id: Deprecated.

mysql_db: Setting for MYSQL authentication. See Authentication Methods

mysql_user: Setting for MYSQL authentication. See Authentication Methods

mysql_password: Setting for MYSQL authentication. See Authentication Methods

mysql_host: Setting for MYSQL authentication. See Authentication Methods

mysql_table: Setting for MYSQL authentication. See Authentication Methods

mysql_ckuser: Setting for MYSQL authentication. See Authentication Methods

mysql_ckpass: Setting for MYSQL authentication. See Authentication Methods

mysql_crypted: Setting for MYSQL authentication. See Authentication Methods

mysql_where: Setting for MYSQL authentication. See Authentication Methods

mysql_order: Setting for MYSQL authentication. See Authentication Methods

mysql_memberlevel: Setting for MYSQL authentication. See Authentication Methods

mysql_query: Setting for MYSQL authentication. See Authentication Methods

download_rm: Deprecated variable for use with the old video .cgi. Should not be set for new installations using video2.cgi.

nometavids: Deprecated variable for use with the old video .cgi. Should not be set for new installations using video2.cgi.

forcedownloadvids: Deprecated variable for use with the old video .cgi. Should not be set for new installations using video2.cgi.