136 lines
5.9 KiB
PHP
136 lines
5.9 KiB
PHP
<?php
|
|
/**
|
|
* Strict is a set of extra security options can use that when enabled can help protect against
|
|
* a few different types of attacks.
|
|
*
|
|
* You must have Memcache enabled and configured & Memcache anti-dos configured to use this!
|
|
*
|
|
* Check -> Memcache configuration
|
|
* Check -> Memcache anti resource-dos
|
|
*
|
|
* Options Default Explanation
|
|
* ------- + ------- + -----------
|
|
* strict : true : Whether or not to use strict mode
|
|
* __https_only : false : Requires/pushes to https
|
|
* __mysql_filter : true : Uses a mysqli shim to use php filters on all incoming data
|
|
* __verify_client : true : Verifies the client using specified settings
|
|
* __verify_client_ip : true : If the client request suddenly switches IP, trigger a failure
|
|
* __verify_client_useragent : true : If the client request suddenly switches Useragent, trigger a failure
|
|
* __verify_client_sessionid : true : If the client request suddenly switches SessionID, trigger a failure
|
|
* __verify_client_fails : 0 : Maximum number of client-side inconsistencies to accept before revoking sessions
|
|
* __verify_server : false : Verifies the server is valid for this request
|
|
* __bind_protocol : https : Server validate protocol; http or https
|
|
* __bind_host : '' : Server validate host; ie. your domain or subdomain
|
|
* __bind_port : 443 : Server validate port; 80 / 443 / something else
|
|
**/
|
|
$config['strict'] = true;
|
|
$config['strict__https_only'] = false;
|
|
$config['strict__mysql_filter'] = true;
|
|
$config['strict__verify_client'] = true;
|
|
$config['strict__verify_client_ip'] = true;
|
|
$config['strict__verify_client_useragent'] = true;
|
|
$config['strict__verify_client_sessionid'] = true;
|
|
$config['strict__verify_client_fails'] = 0;
|
|
$config['strict__verify_server'] = false;
|
|
$config['strict__bind_protocol'] = 'https';
|
|
$config['strict__bind_host'] = '';
|
|
$config['strict__bind_port'] = 443;
|
|
|
|
/**
|
|
* Memcache anti resource-dos protection / request rate limiting
|
|
*
|
|
* Explanation:
|
|
* Because bots/angry users can just fire away at pages or f5 us to death, we can attempt to rate limit requests
|
|
* using memcache - now shares data with session manager.
|
|
*
|
|
* Options:
|
|
* enabled = Whether or not we will try to rate limit requests
|
|
* protect_ajax = If enabled, we will also watch the ajax calls for rate limiting and kill bad requests
|
|
* ajax_hits_additive = If enabled, ajax hits will count towards the site counter as well as the ajax counter
|
|
* flush_seconds_api = Number of seconds between each flush of user/ajax counter
|
|
* rate_limit_api = Number of api requests allowed per flush_seconds_api
|
|
* flush_seconds_site = Number of seconds between each flush of user/site counter
|
|
* rate_limit_site = Number of site requests allowed per flush_seconds_site
|
|
* ignore_admins = Ignores the rate limit for admins
|
|
* error_push_page = Page/action array to push users to a specific page, look in the URL!
|
|
* Empty = 'You are sending too many requests too fast!' on a blank page
|
|
* Default:
|
|
* enabled = true
|
|
* protect_ajax = true
|
|
* ajax_hits_additive = false
|
|
* flush_seconds_api = 60
|
|
* rate_limit_api = 20
|
|
* flush_seconds_site = 60
|
|
* rate_limit_site = 30
|
|
* ignore_admins = true
|
|
* error_push_page = array('page' => 'error', 'action' => 'ratelimit');
|
|
*/
|
|
$config['mc_antidos']['enabled'] = true;
|
|
$config['mc_antidos']['protect_ajax'] = true;
|
|
$config['mc_antidos']['ajax_hits_additive'] = false;
|
|
$config['mc_antidos']['flush_seconds_api'] = 60;
|
|
$config['mc_antidos']['rate_limit_api'] = 20;
|
|
$config['mc_antidos']['flush_seconds_site'] = 60;
|
|
$config['mc_antidos']['rate_limit_site'] = 30;
|
|
$config['mc_antidos']['ignore_admins'] = true;
|
|
$config['mc_antidos']['error_push_page'] = array('page' => 'error', 'action' => 'ratelimit');
|
|
|
|
/**
|
|
* CSRF protection config
|
|
*
|
|
* Explanation:
|
|
* To help protect against CSRF, we can generate a hash that changes every minute
|
|
* and is unique for each user/IP and page or use, and check against that when a
|
|
* form is submitted.
|
|
*
|
|
* Options:
|
|
* enabled = Whether or not we will generate/check for valid CSRF tokens
|
|
* Default:
|
|
* enabled = true
|
|
*/
|
|
$config['csrf']['enabled'] = true;
|
|
|
|
/**
|
|
* E-mail confirmations for user actions
|
|
*
|
|
* Explanation:
|
|
* To increase security for users, account detail changes can require
|
|
* an e-mail confirmation prior to performing certain actions.
|
|
*
|
|
* Options:
|
|
* enabled : Whether or not to require e-mail confirmations
|
|
* details : Require confirmation to change account details
|
|
* withdraw : Require confirmation to manually withdraw/payout
|
|
* changepw : Require confirmation to change password
|
|
*
|
|
* Default:
|
|
* enabled = true
|
|
* details = true
|
|
* withdraw = true
|
|
* changepw = true
|
|
*/
|
|
$config['twofactor']['enabled'] = true;
|
|
$config['twofactor']['options']['details'] = true;
|
|
$config['twofactor']['options']['withdraw'] = true;
|
|
$config['twofactor']['options']['changepw'] = true;
|
|
|
|
/**
|
|
* Lock account after maximum failed logins
|
|
*
|
|
* Explanation:
|
|
* To avoid accounts being hacked by brute force attacks,
|
|
* set a maximum amount of failed login or pin entry attempts before locking
|
|
* the account. They will need to contact site support to re-enable the account.
|
|
*
|
|
* This also applies for invalid PIN entries, which is covered by the pin option.
|
|
*
|
|
* Workers are not affected by this lockout, mining will continue as usual.
|
|
*
|
|
* Default:
|
|
* login = 3
|
|
* pin = 3
|
|
**/
|
|
$config['maxfailed']['login'] = 3;
|
|
$config['maxfailed']['pin'] = 3;
|
|
|
|
?>
|