Server configuration
Create config file
The configuration file is public_html/config/config.php.
After installation it does not exist - create a copy from config.php.dist.
Settings
The configuration file is a PHP file returning a hash.
Example:
```php
<?php
return [
    "apiurl" => "https://mfaserver.example.com/api/",
    "frontendurl" => "https://mfaserver.example.com/",
    "userfield" => "REMOTE_USER",
    "languages" => [
        "de" => "de-de",
        "en" => "en-en",
    ],
    "ttl" => 60*60*24 * 0.5, // 12 h
    "pdo" => [
        "db" => [
            'dsn' => 'sqlite:'.__DIR__.'/../data/mfaserver.sqlite3',
        ],
    ],
    "positivelists" => [
        "ipranges" => [
            // "10.0.0.0-10.255.255.255",
            // "172.16.0.0-172.31.255.255",
            // "192.168.0.0-192.168.255.255",
        ],
    ],
    "interactive-mfa" => 60*60*24 * 28,
    "methods" => [
        "totp" => [
            "enabled" => true,
        ],
        "email" => [
            "enabled" => true,
            "from" => "admin@example.com",
        ],
        "sms" => [],
    ],
];
```
Keys in alphabetical order:

| Key | Type | Description |
|---|---|---|
| apiurl | string | URL of your installation to the API that will be transmitted to web apps. |
| frontendurl | string | URL of your installation |
| interactive-mfa | int | Force an interactive MFA challenge after the given time (in seconds) and ignore positive lists |
| languages | array | List of languages (inactive so far; German only) |
| methods | hash | Supported / enabled MFA methods; each contains an "enabled" flag. |
| pdo | hash | Database connection; default is a DSN of an SQLite database (it will be created automatically) |
| positivelists | hash | Settings for positive lists to skip the challenge |
| ttl | int | Time in seconds before the next MFA challenge will be shown. 60*60*24 * 0.5 is half a day (12 h) |
| userfield | string | Key in $_SERVER to find a logged-in user. With it you can protect the admin with Basic auth or SSO. Default: "REMOTE_USER". |
Languages
If you translate the texts of public_html/config/lang/* into another language, it can be activated to be shown on the top right.
You can extend the hash with the visible labels (as keys) and the basenames of the language files (as values).
Syntax:

| Key | Type | Description |
|---|---|---|
| <Label> | string | Basename of the language file (without the extension .php) |
If a user switches the language it will be stored in a cookie.
MFA methods
So far 2 methods are implemented.
- TOTP - A changing code every 30 sec (time based one time password).
- Email - Enter a code sent to your email address
Each method has its own subkey. Below it is a key "enabled" which can be set to false to disable an existing method.
There can be other keys that are method specific.

| Key | Type | Description |
|---|---|---|
| from | string | Sender address used to send emails with the verification code to the user (email method) |
Remark
To use email you need an installed mailing service (Postfix, Sendmail etc.) and a proper DNS configuration so that sent emails are not marked as spam. Otherwise you should set 'enabled' => false for the email method.
PDO
Define database connection.
The key "db" is given to abstract database class.
See Database connection config: https://www.axel-hahn.de/docs/php-abstract-dbo/Classes/pdo_db.class.php.html.
Positivelists
Below the key "positivelists" only the key "ipranges" is allowed.
Below "ipranges" is a list of strings, each containing a range of IP addresses.

```php
"positivelists" => [
    "ipranges" => [
        // "10.0.0.0-10.255.255.255",
        // "172.16.0.0-172.31.255.255",
        // "192.168.0.0-192.168.255.255",
    ],
],
```

Syntax of an IP range in the list:

- <from>-<to> - a starting IP address, a minus and a finishing IP address.
- <ip>/<mask> - an IP address with a network mask
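As an added example (not code from the mfaserver project), the following PHP shows how the "ttl", "interactive-mfa" and "positivelists" settings described above combine into a challenge decision: both range syntaxes are parsed, entries that do not parse are ignored rather than trusted, and the interactive timer overrides the positive list. Function names, the timestamp parameters and the reading of the two timers are assumptions; it assumes 64-bit PHP and IPv4 entries.

```php
<?php
// Added example, not part of mfaserver. Assumes 64-bit PHP and IPv4 entries.

// IPv4 string to integer; null for anything ip2long rejects (e.g. IPv6).
function ipToLong(string $ip): ?int {
    $n = ip2long(trim($ip));
    return $n === false ? null : $n;
}

// Parse one "ipranges" entry, "<from>-<to>" or "<ip>/<mask>", into [from, to].
// Returns null for an unparseable entry so that it can never grant a skip.
function parseRange(string $entry): ?array {
    if (preg_match('#^([\d.]+)\s*-\s*([\d.]+)$#', $entry, $m)) {
        $from = ipToLong($m[1]); $to = ipToLong($m[2]);
        return ($from === null || $to === null || $from > $to) ? null : [$from, $to];
    }
    if (preg_match('#^([\d.]+)/(\d{1,2})$#', $entry, $m)) {
        $ip = ipToLong($m[1]); $bits = (int)$m[2];
        if ($ip === null || $bits > 32) return null;
        $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        $from = $ip & $mask;
        return [$from, $from | (~$mask & 0xFFFFFFFF)];
    }
    return null; // unknown syntax: fail closed
}

// True if the client address falls into any configured range.
function ipInPositiveList(string $clientIp, array $ranges): bool {
    $ip = ipToLong($clientIp);
    if ($ip === null) return false;
    foreach ($ranges as $entry) {
        $r = parseRange($entry);
        if ($r !== null && $ip >= $r[0] && $ip <= $r[1]) return true;
    }
    return false;
}

// $lastMfa / $lastInteractive: unix timestamps of the last passed challenge
// and the last interactive challenge (assumed bookkeeping, not a project API).
function needsChallenge(array $cfg, string $clientIp, int $lastMfa, int $lastInteractive, int $now): bool {
    // "interactive-mfa": force a challenge after this many seconds, positive lists ignored
    if ($now - $lastInteractive >= $cfg['interactive-mfa']) return true;
    // "positivelists": trusted ranges skip the challenge
    if (ipInPositiveList($clientIp, $cfg['positivelists']['ipranges'] ?? [])) return false;
    // "ttl": re-challenge once the last passed challenge is older than ttl seconds
    return ($now - $lastMfa) >= $cfg['ttl'];
}

// Constructed sample config: 12 h ttl, 28 d interactive timer, two trusted ranges.
$cfg = ['ttl' => 60*60*24 * 0.5, 'interactive-mfa' => 60*60*24 * 28,
        'positivelists' => ['ipranges' => ['10.0.0.0-10.255.255.255', '192.168.1.0/24']]];
$now = time();
var_dump(needsChallenge($cfg, '192.168.1.77', $now - 90000, $now - 86400, $now)); // false: trusted range
var_dump(needsChallenge($cfg, '203.0.113.9',  $now - 90000, $now - 86400, $now)); // true: ttl expired
```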