Вы находитесь на странице: 1из 69



-2i3i/r/ 4/ &o.2i5ur-r/ 2olo'i"/$ -. -#-&!/1.&o.2 -1.LOCATIE$ /etc/apache2/apache2.conf -1.Co.2i5ur-6i/ -#-&!/1.&o.2$ # This is the main Apache server configuration file. It contains the # configuration directives that give the server its instructions. # See http://httpd.apache.org/docs/2.2/ for detailed information about # the directives and /usr/share/doc/apache2-common/R A!" .!ebian.g# about # !ebian specific hints. # # # Summar$ of ho% the Apache 2 configuration %or&s in !ebian: # The Apache 2 %eb server configuration in !ebian is 'uite different to # upstream(s suggested %a$ to configure the %eb server. This is because !ebian(s # default Apache2 installation attempts to ma&e adding and removing modules) # virtual hosts) and e*tra configuration directives as fle*ible as possible) in # order to ma&e automating the changes and administering the server as eas$ as # possible. # # # # # # # # # # # # # # # # # It is split into several files forming the configuration hierarch$ outlined belo%) all located in the /etc/apache2/ director$: /etc/apache2/ +-- apache2.conf + ,-- ports.conf +-- mods-enabled + +-- -.load + ,-- -.conf +-- conf.d + ,-- ,-- sites-enabled ,-- -

- apache2.conf is the main configuration file .this file/. It puts the pieces together b$ including all remaining configuration files %hen starting up the 1

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%eb server. In order to avoid conflicts %ith bac&up files) the Include directive is adapted to ignore files that: - do not begin %ith a letter or number - contain a character that is neither letter nor number nor 0-:. - contain .dp&g 1et %e strongl$ suggest that all configuration files either end %ith a .conf or .load suffi* in the file name. The ne*t !ebian release %ill ignore files not ending %ith .conf .or .load for mods-enabled/. - ports.conf is al%a$s included from the main configuration file. It is supposed to determine listening ports for incoming connections) and %hich of these ports are used for name based virtual hosts. - 2onfiguration files in the mods-enabled/ and sites-enabled/ directories contain particular configuration snippets %hich manage modules or virtual host configurations) respectivel$. The$ are activated b$ s$mlin&ing available configuration files from their respective --available/ counterparts. These should be managed b$ using our helpers a2enmod/a2dismod) a2ensite/a2dissite. See their respective man pages for detailed information. - 2onfiguration files in the conf.d director$ are either provided b$ other pac&ages or ma$ be added b$ the local administrator. 3ocal additions should start %ith local- or end %ith .local.conf to avoid name clashes. All files in conf.d are considered .e*cluding the e*ceptions noted above/ b$ the Apache 2 %eb server. - The binar$ is called apache2. !ue to the use of environment variables) in the default configuration) apache2 needs to be started/stopped %ith /etc/init.d/apache2 or apache2ctl. 2alling /usr/bin/apache2 directl$ %ill not %or& %ith the default configuration.

# 4lobal configuration # # # # # # # #

ServerRoot: The top of the director$ tree under %hich the server(s configuration) error) and log files are &ept. 56T 7 If $ou intend to place this on an 58S .or other%ise net%or&/ mounted files$stem then please read the 3oc&8ile documentation .available at 9:R3:http://httpd.apache.org/docs/2.2/mod/mpm0common.html#loc&file;/< 2

# $ou %ill save $ourself a lot of trouble. # # !o 56T add a slash at the end of the director$ path. # #ServerRoot =/etc/apache2= # # The accept seriali#ation loc& file ":ST > ST6R ! 65 A 362A3 !IS?. # 3oc&8ile @AABA2C 0362?0!IRD/accept.loc& # # Bid8ile: The file in %hich the server should record its process # identification number %hen it starts. # This needs to be set in /etc/apache2/envvars # Bid8ile @AABA2C 0BI!08I3 D # # Timeout: The number of seconds before receives and sends time out. # Timeout EFF # # ?eepAlive: Ghether or not to allo% persistent connections .more than # one re'uest per connection/. Set to =6ff= to deactivate. # ?eepAlive 6n # # "a*?eepAliveRe'uests: The ma*imum number of re'uests to allo% # during a persistent connection. Set to F to allo% an unlimited amount. # Ge recommend $ou leave this number high) for ma*imum performance. # "a*?eepAliveRe'uests HFF # # ?eepAliveTimeout: 5umber of seconds to %ait for the ne*t re'uest from the # same client on the same connection. # ?eepAliveTimeout I ## ## Server-Bool Si#e Regulation ."B" specific/ ## # prefor& "B" 3

# StartServers: number of server processes to start # "inSpareServers: minimum number of server processes %hich are &ept spare # "a*SpareServers: ma*imum number of server processes %hich are &ept spare # "a*2lients: ma*imum number of server processes allo%ed to start # "a*Re'uestsBer2hild: ma*imum number of re'uests a server process serves 9If"odule mpm0prefor&0module; StartServers I "inSpareServers I "a*SpareServers HF "a*2lients HIF "a*Re'uestsBer2hild F 9/If"odule; # %or&er "B" # StartServers: initial number of server processes to start # "inSpareThreads: minimum number of %or&er threads %hich are &ept spare # "a*SpareThreads: ma*imum number of %or&er threads %hich are &ept spare # Thread3imit: ThreadsBer2hild can be changed to this ma*imum value during a # graceful restart. Thread3imit can onl$ be changed b$ stopping # and starting Apache. # ThreadsBer2hild: constant number of %or&er threads in each server process # "a*2lients: ma*imum number of simultaneous client connections # "a*Re'uestsBer2hild: ma*imum number of re'uests a server process serves 9If"odule mpm0%or&er0module; StartServers 2 "inSpareThreads 2I "a*SpareThreads JI Thread3imit KL ThreadsBer2hild 2I "a*2lients HIF "a*Re'uestsBer2hild F 9/If"odule; # event "B" # StartServers: initial number of server processes to start # "inSpareThreads: minimum number of %or&er threads %hich are &ept spare # "a*SpareThreads: ma*imum number of %or&er threads %hich are &ept spare # ThreadsBer2hild: constant number of %or&er threads in each server process # "a*2lients: ma*imum number of simultaneous client connections # "a*Re'uestsBer2hild: ma*imum number of re'uests a server process serves 9If"odule mpm0event0module; StartServers 2 "inSpareThreads 2I "a*SpareThreads JI Thread3imit KL ThreadsBer2hild 2I "a*2lients HIF 4

"a*Re'uestsBer2hild F 9/If"odule; # These need to be set in /etc/apache2/envvars :ser @AABA2C 0R:50:S RD 4roup @AABA2C 0R:504R6:BD # # Access8ile5ame: The name of the file to loo& for in each director$ # for additional configuration directives. See also the Allo%6verride # directive. # Access8ile5ame .htaccess # # The follo%ing lines prevent .htaccess and .htpass%d files from being # vie%ed b$ Geb clients. # 98iles M =NO.ht=; 6rder allo%)den$ !en$ from all Satisf$ all 9/8iles; # # !efaultT$pe is the default "I" t$pe the server %ill use for a document # if it cannot other%ise determine one) such as from filename e*tensions. # If $our server contains mostl$ te*t or CT"3 documents) =te*t/plain= is # a good value. If most of $our content is binar$) such as applications # or images) $ou ma$ %ant to use =application/octet-stream= instead to # &eep bro%sers from tr$ing to displa$ binar$ files as though the$ are # te*t. # # It is also possible to omit an$ default "I" t$pe and let the # client(s bro%ser guess an appropriate action instead. T$picall$ the # bro%ser %ill decide based on the file(s e*tension then. In cases # %here no good assumption can be made) letting the default "I" t$pe # unset is suggested instead of forcing the bro%ser to accept # incorrect metadata. # !efaultT$pe 5one

# # Costname3oo&ups: 3og the names of clients or Pust their IB addresses # e.g.) %%%.apache.org .on/ or 2FL.K2.H2Q.HE2 .off/. 5

# The default is off because it(d be overall better for the net if people # had to &no%ingl$ turn this feature on) since enabling it means that # each client re'uest %ill result in AT 3 AST one loo&up re'uest to the # nameserver. # Costname3oo&ups 6ff # rror3og: The location of the error log file. # If $ou do not specif$ an rror3og directive %ithin a 9RirtualCost; # container) error messages relating to that virtual host %ill be # logged here. If $ou -do- define an error logfile for a 9RirtualCost; # container) that host(s errors %ill be logged there and not here. # rror3og @AABA2C 03640!IRD/error.log # # 3og3evel: 2ontrol the number of messages logged to the error0log. # Bossible values include: debug) info) notice) %arn) error) crit) # alert) emerg. # 3og3evel %arn # Include module configuration: Include mods-enabled/-.load Include mods-enabled/-.conf # Include list of ports to listen on and %hich to use for name based vhosts Include ports.conf # # The follo%ing directives define some format nic&names for use %ith # a 2ustom3og directive .see belo%/. # If $ou are behind a reverse pro*$) $ou might %ant to change Sh into SAT8or%arded-8orDi # 3og8ormat =Sv:Sp Sh Sl Su St O=SrO= S;s S6 O=SARefererDiO= O=SA:serAgentDiO== vhost0combined 3og8ormat =Sh Sl Su St O=SrO= S;s S6 O=SARefererDiO= O=SA:ser-AgentDiO== combined 3og8ormat =Sh Sl Su St O=SrO= S;s S6= common 3og8ormat =SARefererDi -; S:= referer 3og8ormat =SA:ser-agentDi= agent # Include of directories ignores editors( and dp&g(s bac&up files) # see the comments above for details. # Include generic snippets of statements 6

Include conf.d/ # Include the virtual host configurations: Include sites-enabled/ 9If"odule mod0evasive2F.c; !6SCashTableSi#e EFQJ !6SBage2ount I !6SSite2ount IF !6SBageInterval H !6SSiteInterval H !6S>loc&ingBeriod KF !6S mail5otif$ iulica.iliesUgmail.com !6S3og!ir /var/log/mod0evasive # !6SGhitelist H2J.F.F.H 9/If"odule; (. 777-4/2-ul" (1.LOCATIE$ /etc/apache2/sites-enabled/FFF-default (1.Co.2i5ur-6i/ 777-4/2-ul"$ 9RirtualCost -:VF; ServerAdmin %ebmasterUlocalhost Server5ame %%%.e*ample.com !ocumentRoot /var/%%% 9!irector$ /; 6ptions 8ollo%S$m3in&s Allo%6verride 5one 9/!irector$;

9!irector$ /var/%%%/; !irector$Inde* inde*cici.html inde*.php 6ptions 8ollo%S$m3in&s Allo%6verride 5one Re%rite ngine on Re%rite2ond SAR W: ST0" TC6!D N.TRA2 +TRA2?+6BTI65S/ #Re%rite2ond SACTTB0C6STD NcissbO.ro@ X6RY #Re%riteRule N..-/@ =httpO:O/O/%%%O.cissbO.roO/@H= XRZEFH)3Y Re%riteRule N..-/@ - X8Y

6rder allo%)den$ allo% from all 9/!irector$; ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ 9!irector$ =/usr/lib/cgi-bin=; Allo%6verride 5one 6ptions [ *ec24I [S$m3in&sIf6%ner"atch 6rder allo%)den$ Allo% from all 9/!irector$; 9!irector$ /var/%%%/%ebali#er/; !irector$Inde* inde*.html 6rder allo%)den$ Allo% from H2J.F.F.H/2L !en$ from all 9/!irector$; rror3og @AABA2C 03640!IRD/error.log # Bossible values include: debug) info) notice) %arn) error) crit) # alert) emerg. 3og3evel %arn 2ustom3og @AABA2C 03640!IRD/access.log combined 9/RirtualCost;

9RirtualCost -:LLE; ServerAdmin %ebmasterUlocalhost Server5ame %%%.e*ample.org !ocumentRoot /var/%%%/ilies 9!irector$ /; 6ptions 8ollo%S$m3in&s Allo%6verride Auth2onfig Auth5ame =2ont pentru clientii "AB5. I586R"ATII S:B3I" 5TAR 3A 26"BARTI" 5T:3 A!3 STAR:2HFE2HE= AuthT$pe >asic Auth:ser8ile /home/secure/.htpass Auth4roup8ile /dev/null re'uire user clientmapn 9/!irector$; 9!irector$ =/var/%%%/ilies/=; !irector$Inde* inde*.php 6ptions 8ollo%S$m3in&s Allo%6verride Auth2onfig 8

Auth5ame =2ont pentru clientii "AB5. I586R"ATII S:B3I" 5TAR 3A 26"BARTI" 5T:3 A!3. STAR:2HFE2HE= AuthT$pe >asic Auth:ser8ile /home/secure/.htpass Auth4roup8ile /dev/null re'uire user clientmapn 9/!irector$; ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ 9!irector$ =/usr/lib/cgi-bin=; Allo%6verride 5one 6ptions [ *ec24I [S$m3in&sIf6%ner"atch 6rder allo%)den$ Allo% from all 9/!irector$; 9!irector$ /var/%%%/ilies/claroline/tmp/; 6rder allo%)den$ Allo% from H2J.F.F.H/2L # Allo% from all !en$ from all 9/!irector$; 9!irector$ /var/%%%/ilies/claroline/claroline/admin/; order Allo%)!en$ Allo% from H2J.F.F.H/2L !en$ from all 9/!irector$; rror3og /var/log/apache2/error.log # Bossible values include: debug) info) notice) %arn) error) crit) # alert) emerg. 3og3evel %arn 2ustom3og /var/log/apache2/access.log =combined= SS3 ngine on SS32ertificate8ile /etc/ssl/crtilies/%%%.cissb.ro.crt SS32ertificate?e$8ile /etc/ssl/crtilies/%%%.cissb.ro.&e$ SS32ertificate2hain8ile /etc/ssl/crtilies/%%%.cissb.ro.crt 9/RirtualCost; &. '/&uri"8 &1.LOCATIE$ /etc/apache2/conf.d/securit$ &1.Co.2i5ur-6i/ '/&uri"8$ # !isable access to the entire file s$stem e*cept for the directories that # are e*plicitl$ allo%ed later. 9

# # This currentl$ brea&s the configurations that come %ith some %eb application # !ebian pac&ages. # #9!irector$ /; # Allo%6verride 5one # 6rder !en$)Allo% # !en$ from all #9/!irector$; # 2hanging the follo%ing options %ill not reall$ affect the securit$ of the # server) but might ma&e attac&s slightl$ more difficult in some cases. # # ServerTo&ens # This directive configures %hat $ou return as the Server CTTB response # Ceader. The default is (8ull( %hich sends information about the 6S-T$pe # and compiled in modules. # Set to one of: 8ull + 6S + "inimal + "inor + "aPor + Brod # %here 8ull conve$s the most information) and Brod the least. # #ServerTo&ens "inimal ServerTokens Prod #ServerTo&ens 8ull # 6ptionall$ add a line containing the server version and virtual host # name to server-generated pages .internal error documents) 8TB director$ # listings) mod0status and mod0info output etc.) but not 24I generated # documents or custom error documents/. # Set to = "ail= to also include a mailto: lin& to the ServerAdmin. # Set to one of: 6n + 6ff + "ail # ServerSignature Off ServerSignature On # # Allo% TRA2 method # # Set to =e*tended= to also reflect the re'uest bod$ .onl$ for testing and # diagnostic purposes/. # # Set to one of: 6n + 6ff + e*tended # TraceEnable Off #Trace nable 6n # # 8orbid access to version control directories # # If $ou use version control s$stems in $our document root) $ou should # probabl$ den$ access to their directories. 8or e*ample) for subversion: # #9!irector$"atch =/O.svn=; # !en$ from all 10

# Satisf$ all #9/!irector$"atch; # # Setting this header %ill prevent "SI from interpreting files as something # else than declared b$ the content t$pe in the CTTB headers. # Re'uires mod0headers to be enabled. # #Ceader set T-2ontent-T$pe-6ptions: =nosniff= # Some bro%sers have a built-in TSS filter that %ill detect some cross site # scripting attac&s. >$ default) these bro%sers modif$ the suspicious part of # the page and displa$ the result. This behavior can create various problems # including ne% securit$ issues. This header %ill tell the TSS filter to # completel$ bloc& access to the page instead. # Re'uires mod0headers to be enabled. #Ceader set T-TSS-Brotection: =H< modeZbloc&= # Setting this header %ill prevent other sites from embedding pages from this # site as frames. This defends against clic&Pac&ing attac&s. # Re'uires mod0headers to be enabled. #Ceader set T-8rame-6ptions: =sameorigin= &. !""#4.&o.2 &1.LOCATIE$ /etc/apache2/conf.d/httpd.conf &1.Co.2i5ur-6i/ '/&uri"8$ Server5ame localhost

-2i3i/r/ 4/ &o.2i5ur-r/ 2olo'i"/$ -. #!#.i.i -1.LOCATIE$ /etc/phpI/apache2/php.ini -1.Co.2i5ur-6i/ #!#.i.i$ 9P0P: <<<<<<<<<<<<<<<<<<< < About php.ini < <<<<<<<<<<<<<<<<<<< < BCB(s initiali#ation file) generall$ called php.ini) is responsible for < configuring man$ of the aspects of BCB(s behavior. < BCB attempts to find and load this configuration from a number of locations. < The follo%ing is a summar$ of its search order: 11

< < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < <

H. SABI module specific location. 2. The BCBR2 environment variable. .As of BCB I.2.F/ E. A number of predefined registr$ &e$s on Gindo%s .As of BCB I.2.F/ L. 2urrent %or&ing director$ .e*cept 23I/ I. The %eb server(s director$ .for SABI modules/) or director$ of BCB .other%ise in Gindo%s/ K. The director$ from the --%ith-config-file-path compile time option) or the Gindo%s director$ .2:O%indo%s or 2:O%innt/ See the BCB docs for more specific information. http://php.net/configuration.file The s$nta* of the file is e*tremel$ simple. Ghitespace and 3ines beginning %ith a semicolon are silentl$ ignored .as $ou probabl$ guessed/. Section headers .e.g. X8ooY/ are also silentl$ ignored) even though the$ might mean something in the future. !irectives follo%ing the section heading XBATCZ/%%%/m$siteY onl$ appl$ to BCB files in the /%%%/m$site director$. !irectives follo%ing the section heading XC6STZ%%%.e*ample.comY onl$ appl$ to BCB files served from %%%.e*ample.com. !irectives set in these special sections cannot be overridden b$ user-defined I5I files or at runtime. 2urrentl$) XBATCZY and XC6STZY sections onl$ %or& under 24I/8ast24I. http://php.net/ini.sections !irectives are specified using the follo%ing s$nta*: directive Z value !irective names are -case sensitive- - fooZbar is different from 866Zbar. !irectives are variables used to configure BCB or BCB e*tensions. There is no name validation. If BCB can(t find an e*pected directive because it is not set or is mist$ped) a default value %ill be used. The value can be a string) a number) a BCB constant .e.g. 0A33 or "0BI/) one of the I5I constants .6n) 6ff) True) 8alse) 1es) 5o and 5one/ or an e*pression .e.g. 0A33 \ M 056TI2 /) a 'uoted string .=bar=/) or a reference to a previousl$ set variable or directive .e.g. @AfooD/ *pressions in the I5I file are limited to bit%ise operators and parentheses: + bit%ise 6R N bit%ise T6R \ bit%ise A5! M bit%ise 56T 7 boolean 56T

< >oolean flags can be turned on using the values H) 6n) True or 1es. < The$ can be turned off using the values F) 6ff) 8alse or 5o. < An empt$ string can be denoted b$ simpl$ not %riting an$thing after the e'ual < sign) or b$ using the 5one &e$%ord: < foo Z < sets foo to an empt$ string < foo Z 5one < sets foo to an empt$ string < foo Z =5one= < sets foo to the string (5one( 12

< If $ou use constants in $our value) and these constants belong to a < d$namicall$ loaded e*tension .either a BCB e*tension or a ]end e*tension/) < $ou ma$ onl$ use these constants -after- the line that loads the e*tension. <<<<<<<<<<<<<<<<<<< < About this file < <<<<<<<<<<<<<<<<<<< < BCB comes pac&aged %ith t%o I5I files. 6ne that is recommended to be used < in production environments and one that is recommended to be used in < development environments. < < < < < < < < php.ini-production contains settings %hich hold securit$) performance and best practices at its core. >ut please be a%are) these settings ma$ brea& compatibilit$ %ith older or less securit$ conscience applications. Ge recommending using the production ini in production and testing environments. php.ini-development is ver$ similar to its production variant) e*cept it(s much more verbose %hen it comes to errors. Ge recommending using the development version onl$ in development environments as errors sho%n to application users can inadvertentl$ lea& other%ise secure information.

<<<<<<<<<<<<<<<<<<< < Wuic& Reference < <<<<<<<<<<<<<<<<<<< < The follo%ing are all the settings %hich are different in either the production < or development versions of the I5Is %ith respect to BCB(s default behavior. < Blease see the actual settings later in the document for more details as to %h$ < %e recommend these changes in BCB(s behavior. < < < < < < < < < < < < < < < < < < < < allo%0call0time0pass0reference !efault Ralue: 6n !evelopment Ralue: 6ff Broduction Ralue: 6ff displa$0errors !efault Ralue: 6ff !evelopment Ralue: 6ff Broduction Ralue: 6ff displa$0startup0errors !efault Ralue: 6ff !evelopment Ralue: 6n Broduction Ralue: 6ff error0reporting !efault Ralue: 0A33 \ M 056TI2 !evelopment Ralue: 0A33 + 0STRI2T Broduction Ralue: 0A33 \ M 0! BR 2AT ! html0errors !efault Ralue: 6n !evelopment Ralue: 6n Broduction value: 6ff 13

< < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < <

log0errors !efault Ralue: 6ff !evelopment Ralue: 6n Broduction Ralue: 6n magic0'uotes0gpc !efault Ralue: 6n !evelopment Ralue: 6ff Broduction Ralue: 6ff ma*0input0time !efault Ralue: -H .:nlimited/ !evelopment Ralue: KF .KF seconds/ Broduction Ralue: KF .KF seconds/ output0buffering !efault Ralue: 6ff !evelopment Ralue: LFQK Broduction Ralue: LFQK register0argc0argv !efault Ralue: 6n !evelopment Ralue: 6ff Broduction Ralue: 6ff register0long0arra$s !efault Ralue: 6n !evelopment Ralue: 6ff Broduction Ralue: 6ff re'uest0order !efault Ralue: 5one !evelopment Ralue: =4B= Broduction Ralue: =4B= session.bug0compat0L2 !efault Ralue: 6n !evelopment Ralue: 6n Broduction Ralue: 6ff session.bug0compat0%arn !efault Ralue: 6n !evelopment Ralue: 6n Broduction Ralue: 6ff session.gc0divisor !efault Ralue: HFF !evelopment Ralue: HFFF Broduction Ralue: HFFF session.hash0bits0per0character !efault Ralue: L !evelopment Ralue: I Broduction Ralue: I 14

< < < < < < < < < < < < < < < <

short0open0tag !efault Ralue: 6n !evelopment Ralue: 6ff Broduction Ralue: 6ff trac&0errors !efault Ralue: 6ff !evelopment Ralue: 6n Broduction Ralue: 6ff url0re%riter.tags !efault Ralue: =aZhref)areaZhref)frameZsrc)formZ)fieldsetZ= !evelopment Ralue: =aZhref)areaZhref)frameZsrc)inputZsrc)formZfa&eentr$= Broduction Ralue: =aZhref)areaZhref)frameZsrc)inputZsrc)formZfa&eentr$= variables0order !efault Ralue: = 4B2S= !evelopment Ralue: =4B2S= Broduction Ralue: =4B2S=

<<<<<<<<<<<<<<<<<<<< < php.ini 6ptions < <<<<<<<<<<<<<<<<<<<< < 5ame for user-defined php.ini ..htaccess/ files. !efault is =.user.ini= <user0ini.filename Z =.user.ini= < To disable this feature set this option to empt$ value <user0ini.filename Z < TT3 for user-defined php.ini files .time-to-live/ in seconds. !efault is EFF seconds .I minutes/ <user0ini.cache0ttl Z EFF <<<<<<<<<<<<<<<<<<<< < 3anguage 6ptions < <<<<<<<<<<<<<<<<<<<< < nable the BCB scripting language engine under Apache. < http://php.net/engine engine Z 6n < < < < < < < < < < < < This directive determines %hether or not BCB %ill recogni#e code bet%een 9^ and ^; tags as BCB source %hich should be processed as such. It(s been recommended for several $ears that $ou not use the short tag =short cut= and instead to use the full 9^php and ^; tag combination. Gith the %ide spread use of T"3 and use of these tags b$ other languages) the server can become easil$ confused and end up parsing the %rong code in the %rong conte*t. >ut because this short cut has been a feature for such a long time) it(s currentl$ still supported for bac&%ards compatibilit$) but %e recommend $ou don(t use them. !efault Ralue: 6n !evelopment Ralue: 6ff Broduction Ralue: 6ff http://php.net/short-open-tag 15

short0open0tag Z 6n < Allo% ASB-st$le 9S S; tags. < http://php.net/asp-tags asp0tags Z 6ff < The number of significant digits displa$ed in floating point numbers. < http://php.net/precision precision Z HL < nforce $ear 2FFF compliance .%ill cause problems %ith non-compliant bro%sers/ < http://php.net/$2&-compliance $2&0compliance Z 6n < 6utput buffering is a mechanism for controlling ho% much output data < .e*cluding headers and coo&ies/ BCB should &eep internall$ before pushing that < data to the client. If $our application(s output e*ceeds this setting) BCB < %ill send that data in chun&s of roughl$ the si#e $ou specif$. < Turning on this setting and managing its ma*imum buffer si#e can $ield some < interesting side-effects depending on $our application and %eb server. < 1ou ma$ be able to send headers and coo&ies after $ou(ve alread$ sent output < through print or echo. 1ou also ma$ see performance benefits if $our server is < emitting less pac&ets due to buffered output versus BCB streaming the output < as it gets it. 6n production servers) LFQK b$tes is a good setting for performance < reasons. < 5ote: 6utput buffering can also be controlled via 6utput >uffering 2ontrol < functions. < Bossible Ralues: < 6n Z nabled and buffer is unlimited. .:se %ith caution/ < 6ff Z !isabled < Integer Z nables the buffer and sets its ma*imum si#e in b$tes. < 5ote: This directive is hardcoded to 6ff for the 23I SABI < !efault Ralue: 6ff < !evelopment Ralue: LFQK < Broduction Ralue: LFQK < http://php.net/output-buffering output0buffering Z LFQK < 1ou can redirect all of the output of $our scripts to a function. 8or < e*ample) if $ou set output0handler to =mb0output0handler=) character < encoding %ill be transparentl$ converted to the specified encoding. < Setting an$ output handler automaticall$ turns on output buffering. < 5ote: Beople %ho %rote portable scripts should not depend on this ini < directive. Instead) e*plicitl$ set the output handler using ob0start./. < :sing this ini directive ma$ cause problems unless $ou &no% %hat script < is doing. < 5ote: 1ou cannot use both =mb0output0handler= %ith =ob0iconv0handler= < and $ou cannot use both =ob0g#handler= and =#lib.output0compression=. < 5ote: output0handler must be empt$ if this is set (6n( 7777 < Instead $ou must use #lib.output0handler. < http://php.net/output-handler <output0handler Z 16

< Transparent output compression using the #lib librar$ < Ralid values for this option are (off() (on() or a specific buffer si#e < to be used for compression .default is L?>/ < 5ote: Resulting chun& si#e ma$ var$ due to nature of compression. BCB < outputs chun&s that are fe% hundreds b$tes each as a result of < compression. If $ou prefer a larger chun& si#e for better < performance) enable output0buffering in addition. < 5ote: 1ou need to use #lib.output0handler instead of the standard < output0handler) or other%ise the output %ill be corrupted. < http://php.net/#lib.output-compression #lib.output0compression Z 6ff < http://php.net/#lib.output-compression-level <#lib.output0compression0level Z -H < 1ou cannot specif$ additional output handlers if #lib.output0compression < is activated here. This setting does the same as output0handler but in < a different order. < http://php.net/#lib.output-handler <#lib.output0handler Z < Implicit flush tells BCB to tell the output la$er to flush itself < automaticall$ after ever$ output bloc&. This is e'uivalent to calling the < BCB function flush./ after each and ever$ call to print./ or echo./ and each < and ever$ CT"3 bloc&. Turning this option on has serious performance < implications and is generall$ recommended for debugging purposes onl$. < http://php.net/implicit-flush < 5ote: This directive is hardcoded to 6n for the 23I SABI implicit0flush Z 6ff < The unseriali#e callbac& function %ill be called .%ith the undefined class( < name as parameter/) if the unseriali#er finds an undefined class < %hich should be instantiated. A %arning appears if the specified function is < not defined) or if the function doesn(t include/implement the missing class. < So onl$ set this entr$) if $ou reall$ %ant to implement such a < callbac&-function. unseriali#e0callbac&0func Z < Ghen floats \ doubles are seriali#ed store seriali#e0precision significant < digits after the floating point. The default value ensures that %hen floats < are decoded %ith unseriali#e) the data %ill remain the same. seriali#e0precision Z HFF < < < < < < < < < < This directive allo%s $ou to enable and disable %arnings %hich BCB %ill issue if $ou pass a value b$ reference at function call time. Bassing values b$ reference at function call time is a deprecated feature %hich %ill be removed from BCB at some point in the near future. The acceptable method for passing a value b$ reference to a function is b$ declaring the reference in the functions definition) not at call time. This directive does not disable this feature) it onl$ determines %hether BCB %ill %arn $ou about it or not. These %arnings should enabled in development environments onl$. !efault Ralue: 6n .Suppress %arnings/ !evelopment Ralue: 6ff .Issue %arnings/ 17

< Broduction Ralue: 6ff .Issue %arnings/ < http://php.net/allo%-call-time-pass-reference allo%0call0time0pass0reference Z 6ff < Safe "ode < http://php.net/safe-mode safe0mode Z 6ff < >$ default) Safe "ode does a :I! compare chec& %hen < opening files. If $ou %ant to rela* this to a 4I! compare) < then turn on safe0mode0gid. < http://php.net/safe-mode-gid safe0mode0gid Z 6ff < Ghen safe0mode is on) :I!/4I! chec&s are b$passed %hen < including files from this director$ and its subdirectories. < .director$ must also be in include0path or full path must < be used %hen including/ < http://php.net/safe-mode-include-dir safe0mode0include0dir Z < Ghen safe0mode is on) onl$ e*ecutables located in the safe0mode0e*ec0dir < %ill be allo%ed to be e*ecuted via the e*ec famil$ of functions. < http://php.net/safe-mode-e*ec-dir safe0mode0e*ec0dir Z < Setting certain environment variables ma$ be a potential securit$ breach. < This directive contains a comma-delimited list of prefi*es. In Safe "ode) < the user ma$ onl$ alter environment variables %hose names begin %ith the < prefi*es supplied here. >$ default) users %ill onl$ be able to set < environment variables that begin %ith BCB0 .e.g. BCB0866Z>AR/. < 5ote: If this directive is empt$) BCB %ill let the user modif$ A51 < environment variable7 < http://php.net/safe-mode-allo%ed-env-vars safe0mode0allo%ed0env0vars Z BCB0 < This directive contains a comma-delimited list of environment variables that < the end user %on(t be able to change using putenv./. These variables %ill be < protected even if safe0mode0allo%ed0env0vars is set to allo% to change them. < http://php.net/safe-mode-protected-env-vars safe0mode0protected0env0vars Z 3!03I>RAR10BATC < open0basedir) if set) limits all file operations to the defined director$ < and belo%. This directive ma&es most sense if used in a per-director$ < or per-virtualhost %eb server configuration file. This directive is < -56T- affected b$ %hether Safe "ode is turned 6n or 6ff. < http://php.net/open-basedir <open0basedir Z/var/%%% < This directive allo%s $ou to disable certain functions for securit$ reasons. < It receives a comma-delimited list of function names. This directive is < -56T- affected b$ %hether Safe "ode is turned 6n or 6ff. < http://php.net/disable-functions disable0functions Z 18

< This directive allo%s $ou to disable certain classes for securit$ reasons. < It receives a comma-delimited list of class names. This directive is < -56T- affected b$ %hether Safe "ode is turned 6n or 6ff. < http://php.net/disable-classes disable0classes Z < 2olors for S$nta* Cighlighting mode. An$thing that(s acceptable in < 9span st$leZ=color: ^^^^^^^=; %ould %or&. < http://php.net/s$nta*-highlighting <highlight.string Z #!!FFFF <highlight.comment Z #88QQFF <highlight.&e$%ord Z #FFJJFF <highlight.bg Z #888888 <highlight.default Z #FFFF>> <highlight.html Z #FFFFFF < If enabled) the re'uest %ill be allo%ed to complete even if the user aborts < the re'uest. 2onsider enabling it if e*ecuting long re'uests) %hich ma$ end up < being interrupted b$ the user or a bro%ser timing out. BCB(s default behavior < is to disable this feature. < http://php.net/ignore-user-abort <ignore0user0abort Z 6n < !etermines the si#e of the realpath cache to be used b$ BCB. This value should < be increased on s$stems %here BCB opens man$ files to reflect the 'uantit$ of < the file operations performed. < http://php.net/realpath-cache-si#e <realpath0cache0si#e Z HK& < !uration of time) in seconds for %hich to cache realpath information for a given < file or director$. 8or s$stems %ith rarel$ changing files) consider increasing this < value. < http://php.net/realpath-cache-ttl <realpath0cache0ttl Z H2F <<<<<<<<<<<<<<<<< < "iscellaneous < <<<<<<<<<<<<<<<<< < !ecides %hether BCB ma$ e*pose the fact that it is installed on the server < .e.g. b$ adding its signature to the Geb server header/. It is no securit$ < threat in an$ %a$) but it ma&es it possible to determine %hether $ou use BCB < on $our server or not. < http://php.net/e*pose-php e*pose0php Z 6ff <<<<<<<<<<<<<<<<<<< < Resource 3imits < <<<<<<<<<<<<<<<<<<< < "a*imum e*ecution time of each script) in seconds < http://php.net/ma*-e*ecution-time < 5ote: This directive is hardcoded to F for the 23I SABI 19

ma*0e*ecution0time Z EF < "a*imum amount of time each script ma$ spend parsing re'uest data. It(s a good < idea to limit this time on productions servers in order to eliminate une*pectedl$ < long running scripts. < 5ote: This directive is hardcoded to -H for the 23I SABI < !efault Ralue: -H .:nlimited/ < !evelopment Ralue: KF .KF seconds/ < Broduction Ralue: KF .KF seconds/ < http://php.net/ma*-input-time ma*0input0time Z KF < "a*imum input variable nesting level < http://php.net/ma*-input-nesting-level <ma*0input0nesting0level Z KL < Co% man$ 4 T/B6ST/266?I input variables ma$ be accepted < ma*0input0vars Z HFFF < "a*imum amount of memor$ a script ma$ consume .H2V">/ < http://php.net/memor$-limit memor$0limit Z H2V" <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< < rror handling and logging < <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< < This directive informs BCB of %hich errors) %arnings and notices $ou %ould li&e < it to ta&e action for. The recommended %a$ of setting values for this < directive is through the use of the error level constants and bit%ise < operators. The error level constants are belo% here for convenience as %ell as < some common settings and their meanings. < >$ default) BCB is set to ta&e action on all errors) notices and %arnings T2 BT < those related to 056TI2 and 0STRI2T) %hich together cover best practices and < recommended coding standards in BCB. 8or performance reasons) this is the < recommend error reporting setting. 1our production server shouldn(t be %asting < resources complaining about best practices and coding standards. That(s %hat < development servers and development settings are for. < 5ote: The php.ini-development file has this setting as 0A33 + 0STRI2T. This < means it prett$ much reports ever$thing %hich is e*actl$ %hat $ou %ant during < development and earl$ testing. < < rror 3evel 2onstants: < 0A33 - All errors and %arnings .includes 0STRI2T as of BCB K.F.F/ < 0 RR6R - fatal run-time errors < 0R 26R RA>3 0 RR6R - almost fatal run-time errors < 0GAR5I54 - run-time %arnings .non-fatal errors/ < 0BARS - compile-time parse errors < 056TI2 - run-time notices .these are %arnings %hich often result < from a bug in $our code) but it(s possible that it %as < intentional .e.g.) using an uninitiali#ed variable and < rel$ing on the fact it(s automaticall$ initiali#ed to an 20

< empt$ string/ < 0STRI2T - run-time notices) enable to have BCB suggest changes < to $our code %hich %ill ensure the best interoperabilit$ < and for%ard compatibilit$ of $our code < 026R 0 RR6R - fatal errors that occur during BCB(s initial startup < 026R 0GAR5I54 - %arnings .non-fatal errors/ that occur during BCB(s < initial startup < 026"BI3 0 RR6R - fatal compile-time errors < 026"BI3 0GAR5I54 - compile-time %arnings .non-fatal errors/ < 0:S R0 RR6R - user-generated error message < 0:S R0GAR5I54 - user-generated %arning message < 0:S R056TI2 - user-generated notice message < 0! BR 2AT ! - %arn about code that %ill not %or& in future versions < of BCB < 0:S R0! BR 2AT ! - user-generated deprecation %arnings < < 2ommon Ralues: < 0A33 \ M 056TI2 .Sho% all errors) e*cept for notices and coding standards %arnings./ < 0A33 \ M 056TI2 + 0STRI2T .Sho% all errors) e*cept for notices/ < 026"BI3 0 RR6R+ 0R 26R RA>3 0 RR6R+ 0 RR6R+ 026R 0 RR6R .Sho% onl$ errors/ < 0A33 + 0STRI2T .Sho% all errors) %arnings and notices including coding standards./ < !efault Ralue: 0A33 \ M 056TI2 < !evelopment Ralue: 0A33 + 0STRI2T < Broduction Ralue: 0A33 \ M 0! BR 2AT ! < http://php.net/error-reporting error0reporting Z 0A33 \ M 0! BR 2AT ! < This directive controls %hether or not and %here BCB %ill output errors) < notices and %arnings too. rror output is ver$ useful during development) but < it could be ver$ dangerous in production environments. !epending on the code < %hich is triggering the error) sensitive information could potentiall$ lea& < out of $our application such as database usernames and pass%ords or %orse. < It(s recommended that errors be logged on production servers rather than < having the errors sent to ST!6:T. < Bossible Ralues: < 6ff Z !o not displa$ an$ errors < stderr Z !ispla$ errors to ST! RR .affects onl$ 24I/23I binaries7/ < 6n or stdout Z !ispla$ errors to ST!6:T < !efault Ralue: 6n < !evelopment Ralue: 6n < Broduction Ralue: 6ff < http://php.net/displa$-errors displa$0errors Z 6ff < < < < < < < The displa$ of errors %hich occur during BCB(s startup se'uence are handled separatel$ from displa$0errors. BCB(s default behavior is to suppress those errors from clients. Turning the displa$ of startup errors on can be useful in debugging configuration problems. >ut) it(s strongl$ recommended that $ou leave this setting off on production servers. !efault Ralue: 6ff !evelopment Ralue: 6n 21

< Broduction Ralue: 6ff < http://php.net/displa$-startup-errors displa$0startup0errors Z 6ff < >esides displa$ing errors) BCB can also log errors to locations such as a < server-specific log) ST! RR) or a location specified b$ the error0log < directive found belo%. Ghile errors should not be displa$ed on productions < servers the$ should still be monitored and logging is a great %a$ to do that. < !efault Ralue: 6ff < !evelopment Ralue: 6n < Broduction Ralue: 6n < http://php.net/log-errors log0errors Z 6n < Set ma*imum length of log0errors. In error0log information about the source is < added. The default is HF2L and F allo%s to not appl$ an$ ma*imum length at all. < http://php.net/log-errors-ma*-len log0errors0ma*0len Z HF2L < !o not log repeated messages. Repeated errors must occur in same file on same < line unless ignore0repeated0source is set true. < http://php.net/ignore-repeated-errors ignore0repeated0errors Z 6ff < Ignore source of message %hen ignoring repeated messages. Ghen this setting < is 6n $ou %ill not log errors %ith repeated messages from different files or < source lines. < http://php.net/ignore-repeated-source ignore0repeated0source Z 6ff < If this parameter is set to 6ff) then memor$ lea&s %ill not be sho%n .on < stdout or in the log/. This has onl$ effect in a debug compile) and if < error reporting includes 0GAR5I54 in the allo%ed list < http://php.net/report-memlea&s report0memlea&s Z 6n < This setting is on b$ default. <report0#end0debug Z F < Store the last error/%arning message in @php0errormsg .boolean/. Setting this value < to 6n can assist in debugging and is appropriate for development servers. It should < ho%ever be disabled on production servers. < !efault Ralue: 6ff < !evelopment Ralue: 6n < Broduction Ralue: 6ff < http://php.net/trac&-errors trac&0errors Z 6ff < Turn off normal error reporting and emit T"3-RB2 error T"3 < http://php.net/*mlrpc-errors 22

<*mlrpc0errors Z F < An T"3-RB2 fault2ode <*mlrpc0error0number Z F < Ghen BCB displa$s or logs an error) it has the capabilit$ of inserting html < lin&s to documentation related to that error. This directive controls %hether < those CT"3 lin&s appear in error messages or not. 8or performance and securit$ < reasons) it(s recommended $ou disable this on production servers. < 5ote: This directive is hardcoded to 6ff for the 23I SABI < !efault Ralue: 6n < !evelopment Ralue: 6n < Broduction value: 6ff < http://php.net/html-errors html0errors Z 6ff < If html0errors is set 6n BCB produces clic&able error messages that direct < to a page describing the error or function causing the error in detail. < 1ou can do%nload a cop$ of the BCB manual from http://php.net/docs < and change docref0root to the base :R3 of $our local cop$ including the < leading (/(. 1ou must also specif$ the file e*tension being used including < the dot. BCB(s default behavior is to leave these settings empt$. < 5ote: 5ever use this feature for production bo*es. < http://php.net/docref-root < *amples <docref0root Z =/phpmanual/= < http://php.net/docref-e*t <docref0e*t Z .html < String to output before an error message. BCB(s default behavior is to leave < this setting blan&. < http://php.net/error-prepend-string < *ample: <error0prepend0string Z =9font colorZ#ffFFFF;= < String to output after an error message. BCB(s default behavior is to leave < this setting blan&. < http://php.net/error-append-string < *ample: <error0append0string Z =9/font;= < 3og errors to specified file. BCB(s default behavior is to leave this value < empt$. < http://php.net/error-log < *ample: <error0log Z php0errors.log < 3og errors to s$slog . vent 3og on 5T) not valid in Gindo%s QI/. <error0log Z s$slog <<<<<<<<<<<<<<<<< < !ata Candling < <<<<<<<<<<<<<<<<< 23

< The separator used in BCB generated :R3s to separate arguments. < BCB(s default setting is =\=. < http://php.net/arg-separator.output < *ample: <arg0separator.output Z =\amp<= < 3ist of separator.s/ used b$ BCB to parse input :R3s into variables. < BCB(s default setting is =\=. < 56T : ver$ character in this directive is considered as separator7 < http://php.net/arg-separator.input < *ample: <arg0separator.input Z =<\= < This directive determines %hich super global arra$s are registered %hen BCB < starts up. If the register0globals directive is enabled) it also determines < %hat order variables are populated into the global space. 4)B)2) \ S are < abbreviations for the follo%ing respective super globals: 4 T) B6ST) 266?I ) < 5R and S RR R. There is a performance penalt$ paid for the registration of < these arra$s and because 5R is not as commonl$ used as the others) 5R is < is not recommended on productions servers. 1ou can still get access to < the environment variables through getenv./ should $ou need to. < !efault Ralue: = 4B2S= < !evelopment Ralue: =4B2S= < Broduction Ralue: =4B2S=< < http://php.net/variables-order variables0order Z =4B2S= < This directive determines %hich super global data .4)B)2) \ S/ should < be registered into the super global arra$ R W: ST. If so) it also determines < the order in %hich that data is registered. The values for this directive are < specified in the same manner as the variables0order directive) T2 BT one. < 3eaving this value empt$ %ill cause BCB to use the value set in the < variables0order directive. It does not mean it %ill leave the super globals < arra$ R W: ST empt$. < !efault Ralue: 5one < !evelopment Ralue: =4B= < Broduction Ralue: =4B= < http://php.net/re'uest-order re'uest0order Z =4B= < Ghether or not to register the 4B2S variables as global variables. 1ou ma$ < %ant to turn this off if $ou don(t %ant to clutter $our scripts( global scope < %ith user data. < 1ou should do $our best to %rite $our scripts so that the$ do not re'uire < register0globals to be on< :sing form variables as globals can easil$ lead < to possible securit$ problems) if the code is not ver$ %ell thought of. < http://php.net/register-globals register0globals Z 6ff < !etermines %hether the deprecated long @CTTB0-0RARS t$pe predefined variables < are registered b$ BCB or not. As the$ are deprecated) %e obviousl$ don(t < recommend $ou use them. The$ are on b$ default for compatibilit$ reasons but < the$ are not recommended on production servers. 24

< !efault Ralue: 6n < !evelopment Ralue: 6ff < Broduction Ralue: 6ff < http://php.net/register-long-arra$s register0long0arra$s Z 6ff < This directive determines %hether BCB registers @argv \ @argc each time it < runs. @argv contains an arra$ of all the arguments passed to BCB %hen a script < is invo&ed. @argc contains an integer representing the number of arguments < that %ere passed %hen the script %as invo&ed. These arra$s are e*tremel$ < useful %hen running scripts from the command line. Ghen this directive is < enabled) registering these variables consumes 2B: c$cles and memor$ each time < a script is e*ecuted. 8or performance reasons) this feature should be disabled < on production servers. < 5ote: This directive is hardcoded to 6n for the 23I SABI < !efault Ralue: 6n < !evelopment Ralue: 6ff < Broduction Ralue: 6ff < http://php.net/register-argc-argv register0argc0argv Z 6ff < Ghen enabled) the S RR R and 5R variables are created %hen the$(re first < used ._ust In Time/ instead of %hen the script starts. If these variables < are not used %ithin a script) having this directive on %ill result in a < performance gain. The BCB directives register0globals) register0long0arra$s) < and register0argc0argv must be disabled for this directive to have an$ affect. < http://php.net/auto-globals-Pit auto0globals0Pit Z 6n < "a*imum si#e of B6ST data that BCB %ill accept. < http://php.net/post-ma*-si#e post0ma*0si#e Z 2F" < "agic 'uotes are a preprocessing feature of BCB %here BCB %ill attempt to < escape an$ character se'uences in 4 T) B6ST) 266?I and 5R data %hich might < other%ise corrupt data being placed in resources such as databases before < ma&ing that data available to $ou. >ecause of character encoding issues and < non-standard SW3 implementations across man$ databases) it(s not currentl$ < possible for this feature to be HFFS accurate. BCB(s default behavior is to < enable the feature. Ge strongl$ recommend $ou use the escaping mechanisms < designed specificall$ for the database $our using instead of rel$ing on this < feature. Also note) this feature has been deprecated as of BCB I.E.F and is < scheduled for removal in BCB K. < !efault Ralue: 6n < !evelopment Ralue: 6ff < Broduction Ralue: 6ff < http://php.net/magic-'uotes-gpc magic0'uotes0gpc Z 6ff < "agic 'uotes for runtime-generated data) e.g. data from SW3) from e*ec./) etc. < http://php.net/magic-'uotes-runtime magic0'uotes0runtime Z 6ff 25

< :se S$base-st$le magic 'uotes .escape ( %ith (( instead of O(/. < http://php.net/magic-'uotes-s$base magic0'uotes0s$base Z 6ff < Automaticall$ add files before BCB document. < http://php.net/auto-prepend-file auto0prepend0file Z < Automaticall$ add files after BCB document. < http://php.net/auto-append-file auto0append0file Z < >$ default) BCB %ill output a character encoding using < the 2ontent-t$pe: header. To disable sending of the charset) simpl$ < set it to be empt$. < < BCB(s built-in default is te*t/html < http://php.net/default-mimet$pe default0mimet$pe Z =te*t/html= < BCB(s default character set is set to empt$. < http://php.net/default-charset <default0charset Z =iso-VVIQ-H= < Al%a$s populate the @CTTB0RAG0B6ST0!ATA variable. BCB(s default behavior is < to disable this feature. < http://php.net/al%a$s-populate-ra%-post-data <al%a$s0populate0ra%0post0data Z 6n <<<<<<<<<<<<<<<<<<<<<<<<< < Baths and !irectories < <<<<<<<<<<<<<<<<<<<<<<<<< < :5IT: =/pathH:/path2= include0path Z /var/%%%:/var/%%%/ilies < < Gindo%s: =OpathH<Opath2= <include0path Z =.<c:OphpOincludes= < < BCB(s default setting for include0path is =.</path/to/php/pear= < http://php.net/include-path < The root of the BCB pages) used onl$ if nonempt$. < if BCB %as not compiled %ith 86R2 0R !IR 2T) $ou SC6:3! set doc0root < if $ou are running php as a 24I under an$ %eb server .other than IIS/ < see documentation for securit$ issues. The alternate is to use the < cgi.force0redirect configuration belo% < http://php.net/doc-root doc0root Z < The director$ under %hich BCB opens the script using /Musername used onl$ < if nonempt$. < http://php.net/user-dir 26

user0dir Z < < < < < !irector$ in %hich the loadable e*tensions .modules/ reside. http://php.net/e*tension-dir e*tension0dir Z =./= 6n %indo%s: e*tension0dir Z =e*t=

< Ghether or not to enable the dl./ function. The dl./ function does 56T %or& < properl$ in multithreaded servers) such as IIS or ]eus) and is automaticall$ < disabled on them. < http://php.net/enable-dl enable0dl Z 6ff < cgi.force0redirect is necessar$ to provide securit$ running BCB as a 24I under < most %eb servers. 3eft undefined) BCB turns this on b$ default. 1ou can < turn it off here AT 16:R 6G5 RIS? < --1ou 2A5 safel$ turn this off for IIS) in fact) $ou ":ST.-< http://php.net/cgi.force-redirect <cgi.force0redirect Z H < if cgi.nph is enabled it %ill force cgi to al%a$s sent Status: 2FF %ith < ever$ re'uest. BCB(s default behavior is to disable this feature. <cgi.nph Z H < if cgi.force0redirect is turned on) and $ou are not running under Apache or 5etscape < .iBlanet/ %eb servers) $ou "A1 need to set an environment variable name that BCB < %ill loo& for to &no% it is 6? to continue e*ecution. Setting this variable "A1 < cause securit$ issues) ?56G GCAT 16: AR !6I54 8IRST. < http://php.net/cgi.redirect-status-env <cgi.redirect0status0env Z < < cgi.fi*0pathinfo provides -real- BATC0I586/BATC0TRA5S3AT ! support for 24I. BCB(s < previous behaviour %as to set BATC0TRA5S3AT ! to S2RIBT08I3 5A" ) and to not gro& < %hat BATC0I586 is. 8or more information on BATC0I586) see the cgi specs. Setting < this to H %ill cause BCB 24I to fi* its paths to conform to the spec. A setting < of #ero causes BCB to behave as before. !efault is H. 1ou should fi* $our scripts < to use S2RIBT08I3 5A" rather than BATC0TRA5S3AT !. < http://php.net/cgi.fi*-pathinfo <cgi.fi*0pathinfoZH < 8ast24I under IIS .on GI55T based 6S/ supports the abilit$ to impersonate < securit$ to&ens of the calling client. This allo%s IIS to define the < securit$ conte*t that the re'uest runs under. mod0fastcgi under Apache < does not currentl$ support this feature .FE/HJ/2FF2/ < Set to H if running under IIS. !efault is #ero. < http://php.net/fastcgi.impersonate <fastcgi.impersonate Z H< 27

< !isable logging through 8ast24I connection. BCB(s default behavior is to enable < this feature. <fastcgi.logging Z F < cgi.rfc2KHK0headers configuration option tells BCB %hat t$pe of headers to < use %hen sending CTTB response code. If it(s set F BCB sends Status: header that < is supported b$ Apache. Ghen this option is set to H BCB %ill send < R822KHK compliant header. < !efault is #ero. < http://php.net/cgi.rfc2KHK-headers <cgi.rfc2KHK0headers Z F <<<<<<<<<<<<<<<< < 8ile :ploads < <<<<<<<<<<<<<<<< < Ghether to allo% CTTB file uploads. < http://php.net/file-uploads file0uploads Z 6n < Temporar$ director$ for CTTB uploaded files .%ill use s$stem default if not < specified/. < http://php.net/upload-tmp-dir <upload0tmp0dir Z < "a*imum allo%ed si#e for uploaded files. < http://php.net/upload-ma*-filesi#e upload0ma*0filesi#e Z 2F" < "a*imum number of files that can be uploaded via a single re'uest ma*0file0uploads Z 2F <<<<<<<<<<<<<<<<<< < 8open %rappers < <<<<<<<<<<<<<<<<<< < Ghether to allo% the treatment of :R3s .li&e http:// or ftp:/// as files. < http://php.net/allo%-url-fopen allo%0url0fopen Z 6ff < Ghether to allo% include/re'uire to open :R3s .li&e http:// or ftp:/// as files. < http://php.net/allo%-url-include allo%0url0include Z 6ff < !efine the anon$mous ftp pass%ord .$our email address/. BCB(s default setting < for this is empt$. < http://php.net/from <fromZ=PohnUdoe.com= < !efine the :ser-Agent string. BCB(s default setting for this is empt$. < http://php.net/user-agent <user0agentZ=BCB= 28

< !efault timeout for soc&et based streams .seconds/ < http://php.net/default-soc&et-timeout default0soc&et0timeout Z KF < If $our scripts have to deal %ith files from "acintosh s$stems) < or $ou are running on a "ac and need to deal %ith files from < uni* or %inE2 s$stems) setting this flag %ill cause BCB to < automaticall$ detect the 63 character in those files so that < fgets./ and file./ %ill %or& regardless of the source of the file. < http://php.net/auto-detect-line-endings <auto0detect0line0endings Z 6ff <<<<<<<<<<<<<<<<<<<<<< < !$namic *tensions < <<<<<<<<<<<<<<<<<<<<<< < < < < < < < < < < < < < < < < < < < < If $ou %ish to have an e*tension loaded automaticall$) use the follo%ing s$nta*: e*tensionZmodulename.e*tension 8or e*ample) on Gindo%s: e*tensionZms'l.dll ... or under :5IT: e*tensionZms'l.so ... or %ith a path: e*tensionZ/path/to/e*tension/ms'l.so If $ou onl$ provide the name of the e*tension) BCB %ill loo& for it in its default e*tension director$.

<<<<<<<<<<<<<<<<<<< < "odule Settings < <<<<<<<<<<<<<<<<<<< X!ateY < !efines the default time#one used b$ the date functions < http://php.net/date.time#one <date.time#one Z < http://php.net/date.default-latitude <date.default0latitude Z EH.JKKJ < http://php.net/date.default-longitude <date.default0longitude Z EI.2EEE < http://php.net/date.sunrise-#enith 29

<date.sunrise0#enith Z QF.IVEEEE < http://php.net/date.sunset-#enith <date.sunset0#enith Z QF.IVEEEE XfilterY < http://php.net/filter.default <filter.default Z unsafe0ra% < http://php.net/filter.default-flags <filter.default0flags Z XiconvY <iconv.input0encoding Z IS6-VVIQ-H <iconv.internal0encoding Z IS6-VVIQ-H <iconv.output0encoding Z IS6-VVIQ-H XintlY <intl.default0locale Z < This directive allo%s $ou to produce BCB errors %hen some error < happens %ithin intl functions. The value is the level of the error produced. < !efault is F) %hich does not produce an$ errors. <intl.error0level Z 0GAR5I54 Xs'liteY < http://php.net/s'lite.assoc-case <s'lite.assoc0case Z F Xs'liteEY <s'liteE.e*tension0dir Z XBcreY <B2R librar$ bac&trac&ing limit. < http://php.net/pcre.bac&trac&-limit <pcre.bac&trac&0limitZHFFFFF <B2R librar$ recursion limit. <Blease note that if $ou set this value to a high number $ou ma$ consume all <the available process stac& and eventuall$ crash BCB .due to reaching the <stac& si#e limit imposed b$ the 6perating S$stem/. < http://php.net/pcre.recursion-limit <pcre.recursion0limitZHFFFFF XBdoY < Ghether to pool 6!>2 connections. 2an be one of =strict=) =rela*ed= or =off= < http://php.net/pdo-odbc.connection-pooling <pdo0odbc.connection0poolingZstrict <pdo0odbc.db20instance0name XBdo0m$s'lY < If m$s'lnd is used: 5umber of cache slots for the internal result set cache < http://php.net/pdo0m$s'l.cache0si#e pdo0m$s'l.cache0si#e Z 2FFF 30

< !efault soc&et name for local "$SW3 connects. If empt$) uses the built-in < "$SW3 defaults. < http://php.net/pdo0m$s'l.default-soc&et pdo0m$s'l.default0soc&etZ XBharY < http://php.net/phar.readonl$ <phar.readonl$ Z 6n < http://php.net/phar.re'uire-hash <phar.re'uire0hash Z 6n <phar.cache0list Z XS$slogY < Ghether or not to define the various s$slog variables .e.g. @3640BI!) < @36402R65) etc./. Turning it off is a good idea performance-%ise. In < runtime) $ou can define these variables b$ calling define0s$slog0variables./. < http://php.net/define-s$slog-variables define0s$slog0variables Z 6ff Xmail functionY < 8or GinE2 onl$. < http://php.net/smtp S"TB Z localhost < http://php.net/smtp-port <smtp0port Z 2I < 8or GinE2 onl$. < http://php.net/sendmail-from <sendmail0from Z meUe*ample.com < 8or :ni* onl$. 1ou ma$ suppl$ arguments as %ell .default: =sendmail -t -i=/. < http://php.net/sendmail-path <sendmail0path Z < 8orce the addition of the specified parameters to be passed as e*tra parameters < to the sendmail binar$. These parameters %ill al%a$s replace the value of < the Ith parameter to mail./) even in safe mode. <mail.force0e*tra0parameters Z < Add T-BCB-6riginating-Script: that %ill include uid of the script follo%ed b$ the filename mail.add0*0header Z 6n < 3og all mail./ calls including the full path of the script) line #) to address and headers <mail.log Z XSW3Y 31

< http://php.net/s'l.safe-mode s'l.safe0mode Z 6ff X6!>2Y < http://php.net/odbc.default-db <odbc.default0db Z 5ot $et implemented < http://php.net/odbc.default-user <odbc.default0user Z 5ot $et implemented < http://php.net/odbc.default-p% <odbc.default0p% Z 5ot $et implemented < 2ontrols the 6!>2 cursor model. < !efault: SW302:RS6R0STATI2 .default/. <odbc.default0cursort$pe < Allo% or prevent persistent lin&s. < http://php.net/odbc.allo%-persistent odbc.allo%0persistent Z 6n < 2hec& that a connection is still valid before reuse. < http://php.net/odbc.chec&-persistent odbc.chec&0persistent Z 6n < "a*imum number of persistent lin&s. -H means no limit. < http://php.net/odbc.ma*-persistent odbc.ma*0persistent Z -H < "a*imum number of lin&s .persistent [ non-persistent/. -H means no limit. < http://php.net/odbc.ma*-lin&s odbc.ma*0lin&s Z -H < Candling of 3654 fields. Returns number of b$tes to variables. F means < passthru. < http://php.net/odbc.defaultlrl odbc.defaultlrl Z LFQK < Candling of binar$ data. F means passthru) H return as is) 2 convert to char. < See the documentation on odbc0binmode and odbc0longreadlen for an e*planation < of odbc.defaultlrl and odbc.defaultbinmode < http://php.net/odbc.defaultbinmode odbc.defaultbinmode Z H <birdstep.ma*0lin&s Z -H XInterbaseY < Allo% or prevent persistent lin&s. ibase.allo%0persistent Z H < "a*imum number of persistent lin&s. -H means no limit. ibase.ma*0persistent Z -H 32

< "a*imum number of lin&s .persistent [ non-persistent/. -H means no limit. ibase.ma*0lin&s Z -H < !efault database name for ibase0connect./. <ibase.default0db Z < !efault username for ibase0connect./. <ibase.default0user Z < !efault pass%ord for ibase0connect./. <ibase.default0pass%ord Z < !efault charset for ibase0connect./. <ibase.default0charset Z < !efault timestamp format. ibase.timestampformat Z =S1-Sm-Sd SC:S":SS= < !efault date format. ibase.dateformat Z =S1-Sm-Sd= < !efault time format. ibase.timeformat Z =SC:S":SS= X"$SW3Y < Allo% accessing) from BCB(s perspective) local files %ith 36A! !ATA statements < http://php.net/m$s'l.allo%0local0infile m$s'l.allo%0local0infile Z 6n < Allo% or prevent persistent lin&s. < http://php.net/m$s'l.allo%-persistent m$s'l.allo%0persistent Z 6n < If m$s'lnd is used: 5umber of cache slots for the internal result set cache < http://php.net/m$s'l.cache0si#e m$s'l.cache0si#e Z 2FFF < "a*imum number of persistent lin&s. -H means no limit. < http://php.net/m$s'l.ma*-persistent m$s'l.ma*0persistent Z -H < "a*imum number of lin&s .persistent [ non-persistent/. -H means no limit. < http://php.net/m$s'l.ma*-lin&s m$s'l.ma*0lin&s Z -H < !efault port number for m$s'l0connect./. If unset) m$s'l0connect./ %ill use < the @"1SW30T2B0B6RT or the m$s'l-tcp entr$ in /etc/services or the < compile-time value defined "1SW30B6RT .in that order/. GinE2 %ill onl$ loo& < at "1SW30B6RT. < http://php.net/m$s'l.default-port m$s'l.default0port Z < !efault soc&et name for local "$SW3 connects. If empt$) uses the built-in < "$SW3 defaults. 33

< http://php.net/m$s'l.default-soc&et m$s'l.default0soc&et Z < !efault host for m$s'l0connect./ .doesn(t appl$ in safe mode/. < http://php.net/m$s'l.default-host m$s'l.default0host Z < !efault user for m$s'l0connect./ .doesn(t appl$ in safe mode/. < http://php.net/m$s'l.default-user m$s'l.default0user Z < !efault pass%ord for m$s'l0connect./ .doesn(t appl$ in safe mode/. < 5ote that this is generall$ a -bad- idea to store pass%ords in this file. < -An$- user %ith BCB access can run (echo get0cfg0var.=m$s'l.default0pass%ord=/ < and reveal this pass%ord7 And of course) an$ users %ith read access to this < file %ill be able to reveal the pass%ord as %ell. < http://php.net/m$s'l.default-pass%ord m$s'l.default0pass%ord Z < "a*imum time .in seconds/ for connect timeout. -H means no limit < http://php.net/m$s'l.connect-timeout m$s'l.connect0timeout Z KF < Trace mode. Ghen trace0mode is active .Z6n/) %arnings for table/inde* scans and < SW3- rrors %ill be displa$ed. < http://php.net/m$s'l.trace-mode m$s'l.trace0mode Z 6ff X"$SW3iY < "a*imum number of persistent lin&s. -H means no limit. < http://php.net/m$s'li.ma*-persistent m$s'li.ma*0persistent Z -H < Allo% accessing) from BCB(s perspective) local files %ith 36A! !ATA statements < http://php.net/m$s'li.allo%0local0infile <m$s'li.allo%0local0infile Z 6n < Allo% or prevent persistent lin&s. < http://php.net/m$s'li.allo%-persistent m$s'li.allo%0persistent Z 6n < "a*imum number of lin&s. -H means no limit. < http://php.net/m$s'li.ma*-lin&s m$s'li.ma*0lin&s Z -H < If m$s'lnd is used: 5umber of cache slots for the internal result set cache < http://php.net/m$s'li.cache0si#e m$s'li.cache0si#e Z 2FFF < !efault port number for m$s'li0connect./. If unset) m$s'li0connect./ %ill use < the @"1SW30T2B0B6RT or the m$s'l-tcp entr$ in /etc/services or the 34

< compile-time value defined "1SW30B6RT .in that order/. GinE2 %ill onl$ loo& < at "1SW30B6RT. < http://php.net/m$s'li.default-port m$s'li.default0port Z EEFK < !efault soc&et name for local "$SW3 connects. If empt$) uses the built-in < "$SW3 defaults. < http://php.net/m$s'li.default-soc&et m$s'li.default0soc&et Z < !efault host for m$s'l0connect./ .doesn(t appl$ in safe mode/. < http://php.net/m$s'li.default-host m$s'li.default0host Z < !efault user for m$s'l0connect./ .doesn(t appl$ in safe mode/. < http://php.net/m$s'li.default-user m$s'li.default0user Z < !efault pass%ord for m$s'li0connect./ .doesn(t appl$ in safe mode/. < 5ote that this is generall$ a -bad- idea to store pass%ords in this file. < -An$- user %ith BCB access can run (echo get0cfg0var.=m$s'li.default0p%=/ < and reveal this pass%ord7 And of course) an$ users %ith read access to this < file %ill be able to reveal the pass%ord as %ell. < http://php.net/m$s'li.default-p% m$s'li.default0p% Z < Allo% or prevent reconnect m$s'li.reconnect Z 6ff Xm$s'lndY < nable / !isable collection of general statstics b$ m$s'lnd %hich can be < used to tune and monitor "$SW3 operations. < http://php.net/m$s'lnd.collect0statistics m$s'lnd.collect0statistics Z 6n < nable / !isable collection of memor$ usage statstics b$ m$s'lnd %hich can be < used to tune and monitor "$SW3 operations. < http://php.net/m$s'lnd.collect0memor$0statistics m$s'lnd.collect0memor$0statistics Z 6ff < Si#e of a pre-allocated buffer used %hen sending commands to "$SW3 in b$tes. < http://php.net/m$s'lnd.net0cmd0buffer0si#e <m$s'lnd.net0cmd0buffer0si#e Z 2FLV < Si#e of a pre-allocated buffer used for reading data sent b$ the server in < b$tes. < http://php.net/m$s'lnd.net0read0buffer0si#e <m$s'lnd.net0read0buffer0si#e Z E2JKV X62IVY < 2onnection: nables privileged connections using e*ternal < credentials .62I0S1S6B R) 62I0S1S!>A/ < http://php.net/ociV.privileged-connect 35

<ociV.privileged0connect Z 6ff < 2onnection: The ma*imum number of persistent 62IV connections per < process. :sing -H means no limit. < http://php.net/ociV.ma*-persistent <ociV.ma*0persistent Z -H < 2onnection: The ma*imum number of seconds a process is allo%ed to < maintain an idle persistent connection. :sing -H means idle < persistent connections %ill be maintained forever. < http://php.net/ociV.persistent-timeout <ociV.persistent0timeout Z -H < 2onnection: The number of seconds that must pass before issuing a < ping during oci0pconnect./ to chec& the connection validit$. Ghen < set to F) each oci0pconnect./ %ill cause a ping. :sing -H disables < pings completel$. < http://php.net/ociV.ping-interval <ociV.ping0interval Z KF < 2onnection: Set this to a user chosen connection class to be used < for all pooled server re'uests %ith 6racle HHg !atabase Resident < 2onnection Booling .!R2B/. To use !R2B) this value should be set to < the same string for all %eb servers running the same application) < the database pool must be configured) and the connection string must < specif$ to use a pooled server. <ociV.connection0class Z < Cigh Availabilit$: :sing 6n lets BCB receive 8ast Application < 5otification .8A5/ events generated %hen a database node fails. The < database must also be configured to post 8A5 events. <ociV.events Z 6ff < Tuning: This option enables statement caching) and specifies ho% < man$ statements to cache. :sing F disables statement caching. < http://php.net/ociV.statement-cache-si#e <ociV.statement0cache0si#e Z 2F < Tuning: nables statement prefetching and sets the default number of < ro%s that %ill be fetched automaticall$ after statement e*ecution. < http://php.net/ociV.default-prefetch <ociV.default0prefetch Z HFF < 2ompatibilit$. :sing 6n means oci0close./ %ill not close < oci0connect./ and oci0ne%0connect./ connections. < http://php.net/ociV.old-oci-close-semantics <ociV.old0oci0close0semantics Z 6ff XBostgresSW3Y < Allo% or prevent persistent lin&s. < http://php.net/pgs'l.allo%-persistent pgs'l.allo%0persistent Z 6n < !etect bro&en persistent lin&s al%a$s %ith pg0pconnect./. 36

< Auto reset feature re'uires a little overheads. < http://php.net/pgs'l.auto-reset-persistent pgs'l.auto0reset0persistent Z 6ff < "a*imum number of persistent lin&s. -H means no limit. < http://php.net/pgs'l.ma*-persistent pgs'l.ma*0persistent Z -H < "a*imum number of lin&s .persistent[non persistent/. -H means no limit. < http://php.net/pgs'l.ma*-lin&s pgs'l.ma*0lin&s Z -H < Ignore BostgreSW3 bac&ends 5otice message or not. < 5otice message logging re'uire a little overheads. < http://php.net/pgs'l.ignore-notice pgs'l.ignore0notice Z F < 3og BostgreSW3 bac&ends 5otice message or not. < :nless pgs'l.ignore0noticeZF) module cannot log notice message. < http://php.net/pgs'l.log-notice pgs'l.log0notice Z F XS$base-2TY < Allo% or prevent persistent lin&s. < http://php.net/s$bct.allo%-persistent s$bct.allo%0persistent Z 6n < "a*imum number of persistent lin&s. -H means no limit. < http://php.net/s$bct.ma*-persistent s$bct.ma*0persistent Z -H < "a*imum number of lin&s .persistent [ non-persistent/. -H means no limit. < http://php.net/s$bct.ma*-lin&s s$bct.ma*0lin&s Z -H < "inimum server message severit$ to displa$. < http://php.net/s$bct.min-server-severit$ s$bct.min0server0severit$ Z HF < "inimum client message severit$ to displa$. < http://php.net/s$bct.min-client-severit$ s$bct.min0client0severit$ Z HF < Set per-conte*t timeout < http://php.net/s$bct.timeout <s$bct.timeoutZ <s$bct.pac&et0si#e < The ma*imum time in seconds to %ait for a connection attempt to succeed before returning failure. < !efault: one minute <s$bct.login0timeoutZ 37

< The name of the host $ou claim to be connecting from) for displa$ b$ sp0%ho. < !efault: none <s$bct.hostnameZ < Allo%s $ou to define ho% often deadloc&s are to be retried. -H means =forever=. < !efault: F <s$bct.deadloc&0retr$0countZ XbcmathY < 5umber of decimal digits for all bcmath functions. < http://php.net/bcmath.scale bcmath.scale Z F Xbro%scapY < http://php.net/bro%scap <bro%scap Z e*tra/bro%scap.ini XSessionY < Candler used to store/retrieve data. < http://php.net/session.save-handler session.save0handler Z files < Argument passed to save0handler. In the case of files) this is the path < %here data files are stored. 5ote: Gindo%s users have to change this < variable in order to use BCB(s session functions. < < The path can be defined as: < < session.save0path Z =5</path= < < %here 5 is an integer. Instead of storing all the session files in < /path) %hat this %ill do is use subdirectories 5-levels deep) and < store the session data in those directories. This is useful if $ou < or $our 6S have problems %ith lots of files in one director$) and is < a more efficient la$out for servers that handle lots of sessions. < < 56T H: BCB %ill not create this director$ structure automaticall$. < 1ou can use the script in the e*t/session dir for that purpose. < 56T 2: See the section on garbage collection belo% if $ou choose to < use subdirectories for session storage < < The file storage module creates files using mode KFF b$ default. < 1ou can change that b$ using < < session.save0path Z =5<"6! </path= < < %here "6! is the octal representation of the mode. 5ote that this < does not over%rite the process(s umas&. < http://php.net/session.save-path <session.save0path Z =/tmp= < Ghether to use coo&ies. < session.use0coo&ies Z H 38

< http://php.net/session.coo&ie-secure <session.coo&ie0secure Z < This option forces BCB to fetch and use a coo&ie for storing and maintaining < the session id. Ge encourage this operation as it(s ver$ helpful in combatting < session hiPac&ing %hen not specif$ing and managing $our o%n session id. It is < not the end all be all of session hiPac&ing defense) but it(s a good start. < http://php.net/session.use-onl$-coo&ies session.use0onl$0coo&ies Z H < 5ame of the session .used as coo&ie name/. < http://php.net/session.name session.name Z BCBS SSI!ilies < Initiali#e session on re'uest startup. < http://php.net/session.auto-start session.auto0start Z F < 3ifetime in seconds of coo&ie or) if F) until bro%ser is restarted. < http://php.net/session.coo&ie-lifetime session.coo&ie0lifetime Z F < The path for %hich the coo&ie is valid. < http://php.net/session.coo&ie-path session.coo&ie0path Z / < The domain for %hich the coo&ie is valid. < http://php.net/session.coo&ie-domain session.coo&ie0domain Z < Ghether or not to add the http6nl$ flag to the coo&ie) %hich ma&es it inaccessible to bro%ser scripting languages such as _avaScript. < http://php.net/session.coo&ie-httponl$ session.coo&ie0httponl$ Z H < Candler used to seriali#e data. php is the standard seriali#er of BCB. < http://php.net/session.seriali#e-handler session.seriali#e0handler Z php < !efines the probabilit$ that the (garbage collection( process is started < on ever$ session initiali#ation. The probabilit$ is calculated b$ using < gc0probabilit$/gc0divisor. Ghere session.gc0probabilit$ is the numerator < and gc0divisor is the denominator in the e'uation. Setting this value to H < %hen the session.gc0divisor value is HFF %ill give $ou appro*imatel$ a HS chance < the gc %ill run on an$ give re'uest. < !efault Ralue: H < !evelopment Ralue: H < Broduction Ralue: H < http://php.net/session.gc-probabilit$ session.gc0probabilit$ Z F < !efines the probabilit$ that the (garbage collection( process is started on ever$ 39

< session initiali#ation. The probabilit$ is calculated b$ using the follo%ing e'uation: < gc0probabilit$/gc0divisor. Ghere session.gc0probabilit$ is the numerator and < session.gc0divisor is the denominator in the e'uation. Setting this value to H < %hen the session.gc0divisor value is HFF %ill give $ou appro*imatel$ a HS chance < the gc %ill run on an$ give re'uest. Increasing this value to HFFF %ill give $ou < a F.HS chance the gc %ill run on an$ give re'uest. 8or high volume production servers) < this is a more efficient approach. < !efault Ralue: HFF < !evelopment Ralue: HFFF < Broduction Ralue: HFFF < http://php.net/session.gc-divisor session.gc0divisor Z HFFF < After this number of seconds) stored data %ill be seen as (garbage( and < cleaned up b$ the garbage collection process. < http://php.net/session.gc-ma*lifetime session.gc0ma*lifetime Z HLLF < 56T : If $ou are using the subdirector$ option for storing session files < .see session.save0path above/) then garbage collection does -not< happen automaticall$. 1ou %ill need to do $our o%n garbage < collection through a shell script) cron entr$) or some other method. < 8or e*ample) the follo%ing script %ould is the e'uivalent of < setting session.gc0ma*lifetime to HLLF .HLLF seconds Z 2L minutes/: < cd /path/to/sessions< find -cmin [2L + *args rm < BCB L.2 and less have an undocumented feature/bug that allo%s $ou to < to initiali#e a session variable in the global scope) even %hen register0globals < is disabled. BCB L.E and later %ill %arn $ou) if this feature is used. < 1ou can disable the feature and the %arning separatel$. At this time) < the %arning is onl$ displa$ed) if bug0compat0L2 is enabled. This feature < introduces some serious securit$ problems if not handled correctl$. It(s < recommended that $ou do not use this feature on production servers. >ut $ou < should enable this on development servers and enable the %arning as %ell. If $ou < do not enable the feature on development servers) $ou %on(t be %arned %hen it(s < used and debugging errors caused b$ this can be difficult to trac& do%n. < !efault Ralue: 6n < !evelopment Ralue: 6n < Broduction Ralue: 6ff < http://php.net/session.bug-compat-L2 session.bug0compat0L2 Z 6ff < This setting controls %hether or not $ou are %arned b$ BCB %hen initiali#ing a < session value into the global space. session.bug0compat0L2 must be enabled before < these %arnings can be issued b$ BCB. See the directive above for more information. < !efault Ralue: 6n < !evelopment Ralue: 6n 40

< Broduction Ralue: 6ff < http://php.net/session.bug-compat-%arn session.bug0compat0%arn Z 6ff < 2hec& CTTB Referer to invalidate e*ternall$ stored :R3s containing ids. < CTTB0R 8 R R has to contain this substring for the session to be < considered as valid. < http://php.net/session.referer-chec& session.referer0chec& Z < Co% man$ b$tes to read from the file. < http://php.net/session.entrop$-length session.entrop$0length Z F < Specified here to create the session id. < http://php.net/session.entrop$-file < 6n s$stems that don(t have /dev/urandom /dev/arandom can be used < 6n %indo%s) setting the entrop$0length setting %ill activate the < Gindo%s random source .using the 2r$ptoABI/ <session.entrop$0file Z /dev/urandom < Set to Anocache)private)public)D to determine CTTB caching aspects < or leave this empt$ to avoid sending anti-caching headers. < http://php.net/session.cache-limiter session.cache0limiter Z nocache < !ocument e*pires after n minutes. < http://php.net/session.cache-e*pire session.cache0e*pire Z HVF < trans sid support is disabled b$ default. < :se of trans sid ma$ ris& $our users securit$. < :se this option %ith caution. < - :ser ma$ send :R3 contains active session I! < to other person via. email/irc/etc. < - :R3 that contains active session I! ma$ be stored < in publicall$ accessible computer. < - :ser ma$ access $our site %ith the same session I! < al%a$s using :R3 stored in bro%ser(s histor$ or boo&mar&s. < http://php.net/session.use-trans-sid session.use0trans0sid Z F < Select a hash function for use in generating session ids. < Bossible Ralues < F ."!I H2V bits/ < H .SCA-H HKF bits/ < This option ma$ also be set to the name of an$ hash function supported b$ < the hash e*tension. A list of available hashes is returned b$ the hash0algos./ < function. < http://php.net/session.hash-function < session.hash0function Z F session.hash0function Z H < !efine ho% man$ bits are stored in each character %hen converting 41

< the binar$ hash data to something readable. < Bossible values: < L .L bits: F-Q) a-f/ < I .I bits: F-Q) a-v/ < K .K bits: F-Q) a-#) A-]) =-=) =)=/ < !efault Ralue: L < !evelopment Ralue: I < Broduction Ralue: I < http://php.net/session.hash-bits-per-character session.hash0bits0per0character Z I < The :R3 re%riter %ill loo& for :R3s in a defined set of CT"3 tags. < form/fieldset are special< if $ou include them here) the re%riter %ill < add a hidden 9input; field %ith the info %hich is other%ise appended < to :R3s. If $ou %ant TCT"3 conformit$) remove the form entr$. < 5ote that all valid entries re'uire a =Z=) even if no value follo%s. < !efault Ralue: =aZhref)areaZhref)frameZsrc)formZ)fieldsetZ= < !evelopment Ralue: =aZhref)areaZhref)frameZsrc)inputZsrc)formZfa&eentr$= < Broduction Ralue: =aZhref)areaZhref)frameZsrc)inputZsrc)formZfa&eentr$= < http://php.net/url-re%riter.tags url0re%riter.tags Z =aZhref)areaZhref)frameZsrc)inputZsrc)formZfa&eentr$= X"SSW3Y < Allo% or prevent persistent lin&s. mss'l.allo%0persistent Z 6n < "a*imum number of persistent lin&s. -H means no limit. mss'l.ma*0persistent Z -H < "a*imum number of lin&s .persistent[non persistent/. -H means no limit. mss'l.ma*0lin&s Z -H < "inimum error severit$ to displa$. mss'l.min0error0severit$ Z HF < "inimum message severit$ to displa$. mss'l.min0message0severit$ Z HF < 2ompatibilit$ mode %ith old versions of BCB E.F. mss'l.compatabilit$0mode Z 6ff < 2onnect timeout <mss'l.connect0timeout Z I < Wuer$ timeout <mss'l.timeout Z KF < Ralid range F - 2HLJLVEKLJ. !efault Z LFQK. <mss'l.te*tlimit Z LFQK < Ralid range F - 2HLJLVEKLJ. !efault Z LFQK. <mss'l.te*tsi#e Z LFQK < 3imits the number of records in each batch. F Z all records in one batch. 42

<mss'l.batchsi#e Z F < Specif$ ho% datetime and datetimL columns are returned < 6n Z; Returns data converted to SW3 server settings < 6ff Z; Returns values as 1111-""-!! hh:mm:ss <mss'l.datetimeconvert Z 6n < :se 5T authentication %hen connecting to the server mss'l.secure0connection Z 6ff < Specif$ ma* number of processes. -H Z librar$ default < msdlib defaults to 2I < 8reeT!S defaults to LFQK <mss'l.ma*0procs Z -H < Specif$ client character set. < If empt$ or not set the client charset from freetds.comf is used < This is onl$ used %hen compiled %ith 8reeT!S <mss'l.charset Z =IS6-VVIQ-H= XAssertionY < Assert.e*pr/< active b$ default. < http://php.net/assert.active <assert.active Z 6n < Issue a BCB %arning for each failed assertion. < http://php.net/assert.%arning <assert.%arning Z 6n < !on(t bail out b$ default. < http://php.net/assert.bail <assert.bail Z 6ff < :ser-function to be called if an assertion fails. < http://php.net/assert.callbac& <assert.callbac& Z F < val the e*pression %ith current error0reporting./. Set to true if $ou %ant < error0reporting.F/ around the eval./. < http://php.net/assert.'uiet-eval <assert.'uiet0eval Z F X26"Y < path to a file containing 4:I!s) II!s or filenames of files %ith T$pe3ibs < http://php.net/com.t$pelib-file <com.t$pelib0file Z < allo% !istributed-26" calls < http://php.net/com.allo%-dcom <com.allo%0dcom Z true < autoregister constants of a components t$plib on com0load./ < http://php.net/com.autoregister-t$pelib <com.autoregister0t$pelib Z true 43

< register constants casesensitive < http://php.net/com.autoregister-casesensitive <com.autoregister0casesensitive Z false < sho% %arnings on duplicate constant registrations < http://php.net/com.autoregister-verbose <com.autoregister0verbose Z true < The default character set code-page to use %hen passing strings to and from 26" obPects. < !efault: s$stem A5SI code page <com.code0pageZ XmbstringY < language for internal character representation. < http://php.net/mbstring.language <mbstring.language Z _apanese < internal/script encoding. < Some encoding cannot %or& as internal encoding. < .e.g. S_IS) >I4I) IS6-2F22--/ < http://php.net/mbstring.internal-encoding <mbstring.internal0encoding Z :2-_B < http input encoding. < http://php.net/mbstring.http-input <mbstring.http0input Z auto < http output encoding. mb0output0handler must be < registered as output buffer to function < http://php.net/mbstring.http-output <mbstring.http0output Z S_IS < enable automatic encoding translation according to < mbstring.internal0encoding setting. Input chars are < converted to internal encoding b$ setting this to 6n. < 5ote: !o 0not0 use automatic encoding translation for < portable libs/applications. < http://php.net/mbstring.encoding-translation <mbstring.encoding0translation Z 6ff < automatic encoding detection order. < auto means < http://php.net/mbstring.detect-order <mbstring.detect0order Z auto < substitute0character used %hen character cannot be converted < one from another < http://php.net/mbstring.substitute-character <mbstring.substitute0character Z none< < overload.replace/ single b$te functions b$ mbstring functions. < mail./) ereg./) etc are overloaded b$ mb0send0mail./) mb0ereg./) 44

< etc. Bossible values are F)H)2)L or combination of them. < 8or e*ample) J for overload ever$thing. < F: 5o overload < H: 6verload mail./ function < 2: 6verload str-./ functions < L: 6verload ereg-./ functions < http://php.net/mbstring.func-overload <mbstring.func0overload Z F < enable strict encoding detection. <mbstring.strict0detection Z 6ff < This directive specifies the rege* pattern of content t$pes for %hich mb0output0handler./ < is activated. < !efault: mbstring.http0output0conv0mimet$peZN.te*t/+application/*htmlO[*ml/ <mbstring.http0output0conv0mimet$peZ < Allo%s to set script encoding. 6nl$ affects if BCB is compiled %ith --enable-#endmultib$te < !efault: == <mbstring.script0encodingZ XgdY < Tell the Ppeg decode to ignore %arnings and tr$ to create < a gd image. The %arning %ill then be displa$ed as notices < disabled b$ default < http://php.net/gd.Ppeg-ignore-%arning <gd.Ppeg0ignore0%arning Z F Xe*ifY < *if :5I26! user comments are handled as :2S-2> /:2S-23 and _IS as _IS. < Gith mbstring support this %ill automaticall$ be converted into the encoding < given b$ corresponding encode setting. Ghen empt$ mbstring.internal0encoding < is used. 8or the decode settings $ou can distinguish bet%een motorola and < intel b$te order. A decode setting cannot be empt$. < http://php.net/e*if.encode-unicode <e*if.encode0unicode Z IS6-VVIQ-HI < http://php.net/e*if.decode-unicode-motorola <e*if.decode0unicode0motorola Z :2S-2> < http://php.net/e*if.decode-unicode-intel <e*if.decode0unicode0intel Z :2S-23 < http://php.net/e*if.encode-Pis <e*if.encode0Pis Z < http://php.net/e*if.decode-Pis-motorola <e*if.decode0Pis0motorola Z _IS < http://php.net/e*if.decode-Pis-intel <e*if.decode0Pis0intel Z _IS 45

XTid$Y < The path to a default tid$ configuration file to use %hen using tid$ < http://php.net/tid$.default-config <tid$.default0config Z /usr/local/lib/php/default.tcfg < Should tid$ clean and repair output automaticall$^ < GAR5I54: !o not use this option if $ou are generating non-html content < such as d$namic images < http://php.net/tid$.clean-output tid$.clean0output Z 6ff XsoapY < nables or disables GS!3 caching feature. < http://php.net/soap.%sdl-cache-enabled soap.%sdl0cache0enabledZH < Sets the director$ name %here S6AB e*tension %ill put cache files. < http://php.net/soap.%sdl-cache-dir soap.%sdl0cache0dirZ=/tmp= < .time to live/ Sets the number of second %hile cached file %ill be used < instead of original one. < http://php.net/soap.%sdl-cache-ttl soap.%sdl0cache0ttlZVKLFF < Sets the si#e of the cache limit. ."a*. number of GS!3 files to cache/ soap.%sdl0cache0limit Z I Xs$svshmY < A default si#e of the shared memor$ segment <s$svshm.init0mem Z HFFFF XldapY < Sets the ma*imum number of open lin&s or -H for unlimited. ldap.ma*0lin&s Z -H Xmcr$ptY < 8or more information about mcr$pt settings see http://php.net/mcr$pt-moduleopen < !irector$ %here to load mcr$pt algorithms < !efault: 2ompiled in into libmcr$pt .usuall$ /usr/local/lib/libmcr$pt/ <mcr$pt.algorithms0dirZ < !irector$ %here to load mcr$pt modes < !efault: 2ompiled in into libmcr$pt .usuall$ /usr/local/lib/libmcr$pt/ <mcr$pt.modes0dirZ XdbaY <dba.default0handlerZ < 3ocal Rariables: < tab-%idth: L 46

< nd: < php0value auto0prepend0fileZ=/etc/apache2/sites-enabled/acu-phpaspect.php=

PHPMYADMIN este o aplicaie free i ope!"so#rce scris$ %! PHP pe!tr# a&'i!istrarea MY()* c# a+#tor#l #!#i ,ro-ser. Aceast$ aplicaie este folosit$ pe!tr# /estio!area ,a0ei &e &ate 1*A23*IN4. Acces#l este per'is &oar local i &oar a&'i!istrator#l#i ser5er#l#i 647.
-2i3i/r 4/ &o.2i5ur-r/ 2olo'i"$ -. -#-&!/1.&o.2 -1.LOCATIE$ /etc/phpm$admin/apache.conf -1.Co.2i5ur-6i/ -#-&!/.&o.2$ # php"$Admin default Apache configuration Alias /phpm$adminsecret /usr/share/phpm$admin 9!irector$ /usr/share/phpm$admin; 6ptions 8ollo%S$m3in&s !irector$Inde* inde*.php 6rder !en$)Allo% !en$ from all Allo% from H2J.F.F.H 9If"odule mod0phpI.c; AddT$pe application/*-httpd-php .php php0flag magic0'uotes0gpc 6ff php0flag trac&0vars 6n php0flag register0globals 6ff php0value include0path . 9/If"odule; 9/!irector$; # Authori#e for setup 9!irector$ /usr/share/phpm$admin/setup; 9If"odule mod0authn0file.c; AuthT$pe >asic Auth5ame =php"$Admin Setup= Auth:ser8ile /etc/phpm$admin/htpass%d.setup 9/If"odule; Re'uire valid-user 9/!irector$; # !isallo% %eb access to directories that don(t need it 47

9!irector$ /usr/share/phpm$admin/libraries; 6rder !en$)Allo% !en$ from All 9/!irector$; 9!irector$ /usr/share/phpm$admin/setup/lib; 6rder !en$)Allo% !en$ from All 9/!irector$;

6e,ali0er este o aplicaie 8P* care /e!erea0$ pa/i!i -e, i care este folosit$ %! sit#aia &e fa$ pe!tr# i!terpretarea lo/#rilor ser5er#l#i APA1H4 . Acces#l la statisticile i re0#ltatele oferite este restricio!at &i! ser5er#l -e,9fi ier#l &e co!fi/#rare 000-default: &oar local pe ser5er#l -e, &isp#s i! DM;. Acces#l este per'is &oar local i !#'ai a&'i!istrator#l#i ser5er#l#i 647. 1o!fi/#raia aplicat$ este o co!fi/#raie sta!&ar&.

-2i3i/r 4/ &o.2i5ur-r/ 2olo'i"$ -. %/(-li=/r.&o.2 -1.LOCATIE$ <etc<-e,ali0er<-e,ali0er.co!f -1.Co.2i5ur-6i/ %/(-li=/r.&o.2$ # # # # # # # # # # # # # # # # # # # # Sample Gebali#er configuration file 2op$right HQQJ-2FFF b$ >radford 3. >arrett .bradUmruni*.net/ !istributed under the 45: 4eneral Bublic 3icense. See the files =2op$right= and =26B1I54= provided %ith the %ebali#er distribution for additional information. This is a sample configuration file for the Gebali#er .ver 2.FH/ 3ines starting %ith pound signs (#( are comment lines and are ignored. >lan& lines are s&ipped as %ell. 6ther lines are considered as configuration lines) and have the form =2onfig6ption Ralue= %here 2onfig6ption is a valid configuration &e$%ord) and Ralue is the value to assign that configuration option. Invalid &e$%ord/values are ignored) %ith appropriate %arnings being displa$ed. There must be at least one space or tab bet%een the &e$%ord and its value. As of version F.QV) The Gebali#er %ill loo& for a (default( configuration file named =%ebali#er.conf= in the current director$) and if not found there) %ill loo& for =/etc/%ebali#er.conf=. 48

# # # #

3og8ile defines the %eb server log file to use. If not specified here or on on the command line) input %ill default to ST!I5. If the log filename ends in (.g#( .ie: a g#ip compressed file/) it %ill be decompressed on the fl$ as it is being read.

3og8ile /var/log/apache2/access.log.H # # # # # 3ogT$pe defines the log t$pe being processed. 5ormall$) the Gebali#er e*pects a 238 or 2ombined %eb server log as input. :sing this option) $ou can process ftp logs as %ell .*ferlog as produced b$ %u-ftp and others/) or S'uid native logs. Ralues can be (clf() (ftp( or (s'uid() %ith (clf( the default. clf


# 6utput!ir is %here $ou %ant to put the output files. This should # should be a full path name) ho%ever relative ones might %or& as %ell. # If no output director$ is specified) the current director$ %ill be used. 6utput!ir /var/%%%/%ebali#er # # # # # # # Cistor$5ame allo%s $ou to specif$ the name of the histor$ file produced b$ the Gebali#er. The histor$ file &eeps the data for up to H2 months %orth of logs) used for generating the main CT"3 page .inde*.html/. The default is a file named =%ebali#er.hist=) stored in the specified output director$. If $ou specif$ Pust the filename .%ithout a path/) it %ill be &ept in the specified output director$. 6ther%ise) the path is relative to the output director$) unless absolute .leading //. %ebali#er.hist

#Cistor$5ame # # # # # # # # # # # #

Incremental processing allo%s multiple partial log files to be used instead of one huge one. :seful for large sites that have to rotate their log files more than once a month. The Gebali#er %ill save its internal state before e*iting) and restore it the ne*t time run) in order to continue processing %here it left off. This mode also causes The Gebali#er to scan for and ignore duplicate records .records alread$ processed b$ a previous run/. See the R A!" file for additional information. The value ma$ be ($es( or (no() %ith a default of (no(. The file (%ebali#er.current( is used to store the current state data) and is located in the output director$ of the program .unless changed %ith the Incremental5ame option belo%/. Blease read at least the section on Incremental processing in the R A!" file before $ou enable this option. no

#Incremental # # # # # #

Incremental5ame allo%s $ou to specif$ the filename for saving the incremental data in. It is similar to the Cistor$5ame option %here the name is relative to the specified output director$) unless an absolute filename is specified. The default is a file named =%ebali#er.current= &ept in the normal output director$. If $ou don(t specif$ =Incremental= as ($es( then this option has no meaning. %ebali#er.current 49


# # # #

ReportTitle is the te*t to displa$ as the title. The hostname .unless blan&/ is appended to the end of this string .seperated %ith a space/ to generate the final full title string. !efault is .for english/ =:sage Statistics for=.

ReportTitle :sage statistics for # # # # # # # # Cost5ame defines the hostname for the report. This is used in the title) and is prepended to the :R3 table items. This allo%s clic&ing on :R3(s in the report to go to the proper location in the event $ou are running the report on a (virtual( %eb server) or for a server different than the one the report resides on. If not specified here) or on the command line) %ebali#er %ill tr$ to get the hostname via a uname s$stem call. If that fails) it %ill default to =localhost=.

Cost5ame %%% # CT"3 *tension allo%s $ou to specif$ the filename e*tension to use # for generated CT"3 pages. 5ormall$) this defaults to =html=) but # can be changed for sites %ho need it .li&e for BCB embeded pages/. #CT"3 *tension html # # # # # BageT$pe lets $ou tell the Gebali#er %hat t$pes of :R3(s $ou consider a (page(. "ost people consider html and cgi documents as pages) %hile not images and audio files. If no t$pes are specified) defaults %ill be used .(htm-() (cgi( and CT"3 *tension if different for %eb logs) (t*t( for ftp logs/. htmcgi phtml phpE pl php

BageT$pe BageT$pe #BageT$pe BageT$pe #BageT$pe BageT$pe

# BageBrefi* allo%s all re'uests %ith a specified prefi* to be # considered as (pages(. If $ou %ant ever$thing under /documents # to be treated as pages no matter %hat their e*tension is. Also # useful if $ou have cgi-scripts %ith BATC0I586. #BageBrefi* /m$cgi/parameters # # # # # :seCTTBS should be used if the anal$sis is being run on a secure server) and lin&s to urls should use (https://( instead of the default (http://(. If $ou need this) set it to ($es(. !efault is (no(. This onl$ changes the behaviour of the (Top :R3(s( table. no


# !5S2ache specifies the !5S cache filename to use for reverse !5S loo&ups. # This file must be specified if $ou %ish to perform name loo&ups on an$ IB 50

# # # #

addresses found in the log file. If an absolute path is not given as part of the filename .ie: starts %ith a leading (/(/) then the name is relative to the default output director$. See the !5S.R A!" file for additional information.

#!5S2ache dns0cache.db # # # # # # # # # # # !5S2hildren allo%s $ou to specif$ ho% man$ =children= processes are run to perform !5S loo&ups to create or update the !5S cache file. If a number is specified) the !5S cache file %ill be created/updated each time the Gebali#er is run) immediatel$ prior to normal processing) b$ running the specified number of =children= processes to perform !5S loo&ups. If used) the !5S cache filename ":ST be specified as %ell. The default value is #ero .F/) %hich disables !5S cache file creation/updates at run time. The number of children processes to run ma$ be an$%here from H to HFF) ho%ever a large number ma$ effect normal s$stem operations. Reasonable values should be bet%een I and 2F. See the !5S.R A!" file for additional information. F


# CT"3Bre defines CT"3 code to insert at the ver$ beginning of the # file. !efault is the !62T1B line sho%n belo%. "a* line length # is VF characters) so use multiple CT"3Bre lines if $ou need more. #CT"3Bre 97!62T1B CT"3 B:>3I2 =-//GE2//!T! CT"3 L.F Transitional// 5=; # CT"3Cead defines CT"3 code to insert %ithin the 9C A!;9/C A!; # bloc&) immediatel$ after the 9TIT3 ; line. "a*imum line length # is VF characters) so use multiple lines if needed. #CT"3Cead 9" TA 5A" Z=author= 265T 5TZ=The Gebali#er=; # # # # CT"3>od$ defined the CT"3 code to be inserted) starting %ith the 9>6!1; tag. If not specified) the default is sho%n belo%. If used) $ou ":ST include $our o%n 9>6!1; tag as the first line. "a*imum line length is VF char) use multiple lines if needed.

#CT"3>od$ 9>6!1 >42636RZ=# V V V= T TTZ=#FFFFFF= 3I5?Z=#FFFF88= R3I5?Z=#88FFFF=; # # # # # # # CT"3Bost defines the CT"3 code to insert immediatel$ before the first 9CR; on the document) %hich is Pust after the title and =summar$ period=-=4enerated on:= lines. If an$thing) this should be used to clean up in case an image %as inserted %ith CT"3>od$. As %ith CT"3Cead) $ou can define as man$ of these as $ou %ant and the$ %ill be inserted in the output stream in order of apperance. "a* string si#e is VF characters. :se multiple lines if $ou need to.

#CT"3Bost 9>R 23 ARZ=all=; # CT"3Tail defines the CT"3 code to insert at the bottom of each # CT"3 document) usuall$ to include a lin& bac& to $our home # page or insert a small graphic. It is inserted as a table 51

# data element .ie: 9T!; $our code here 9/T!;/ and is right # alligned %ith the page. "a* string si#e is VF characters. #CT"3Tail 9I"4 SR2Z=msfree.png= A3TZ=HFFS "icro@oft free7=; # # # # CT"3 nd defines the CT"3 code to add at the ver$ end of the generated files. It defaults to %hat is sho%n belo%. If used) $ou ":ST specif$ the 9/>6!1; and 9/CT"3; closing tags as the last lines. "a* string length is VF characters.

#CT"3 nd 9/>6!1;9/CT"3; # # # # The Wuiet option suppresses output messages... :seful %hen run as a cron Pob to prevent bogus e-mails. Ralues can be either =$es= or =no=. !efault is =no=. 5ote: this does not suppress %arnings and errors .%hich are printed to stderr/. no

#Wuiet # # # # #

Reall$Wuiet %ill supress all messages including errors and %arnings. Ralues can be ($es( or (no( %ith (no( being the default. If ($es( is used here) it cannot be overriden from the command line) so use %ith caution. A value of (no( has no effect. no

#Reall$Wuiet # # # #

Time"e allo%s $ou to force the displa$ of timing information at the end of processing. A value of ($es( %ill force the timing information to be displa$ed. A value of (no( has no effect. no

#Time"e # # # # # # #

4"TTime allo%s reports to sho% 4"T .:T2/ time instead of local time. !efault is to displa$ the time the report %as generated in the time#one of the local machine) such as !T or BST. This &e$%ord allo%s $ou to have times displa$ed in :T2 instead. :se onl$ if $ou reall$ have a good reason) since it %ill probabl$ scre% up the reporting periods b$ ho%ever man$ hours $our local time #one is off of 4"T. no

#4"TTime # # # # # # #

!ebug prints additional information for error messages. This %ill cause %ebali#er to dump bad records/fields instead of Pust telling $ou it found a bad one. As usual) the value can be either =$es= or =no=. The default is =no=. It shouldn(t be needed unless $ou start getting a lot of Garning or rror messages and %ant to see %h$. .5ote: %arning and error messages are printed to stderr) not stdout li&e normal messages/. no 52


# # # # # # #

8oldSe' rr forces the Gebali#er to ignore se'uence errors. This is useful for 5etscape and other %eb servers that cache the %riting of log records and do not guarentee that the$ %ill be in chronological order. The use of the 8oldSe' rr option %ill cause out of se'uence log records to be treated as if the$ had the same time stamp as the last valid record. !efault is to ignore out of se'uence log records.

#8oldSe' rr no # # # # # # # # RisitTimeout allo%s $ou to set the default timeout for a visit .sometimes called a (session(/. The default is EF minutes) %hich should be fine for most sites. Risits are determined b$ loo&ing at the time of the current re'uest) and the time of the last re'uest from the site. If the time difference is greater than the RisitTimeout value) it is considered a ne% visit) and visit totals are incremented. Ralue is the number of seconds to timeout .defaultZHVFFZEFmin/ HVFF

#RisitTimeout # # # # # #

IgnoreCist shouldn(t be used in a config file) but it is here Pust because it might be usefull in certain situations. If the histor$ file is ignored) the main =inde*.html= file %ill onl$ report on the current log files contents. :sefull onl$ %hen $ou %ant to reproduce the reports from scratch. :S GITC 2A:TI657 Ralid values are =$es= or =no=. !efault is =no=.

#IgnoreCist no # 2ountr$ 4raph allo%s the usage b$ countr$ graph to be disabled. # Ralues can be ($es( or (no() default is ($es(. #2ountr$4raph $es

# !ail$4raph and !ail$Stats allo%s the dail$ statistics graph # and statistics table to be disabled .not displa$ed/. Ralues # ma$ be =$es= or =no=. !efault is =$es=. #!ail$4raph #!ail$Stats $es $es

# Courl$4raph and Courl$Stats allo%s the hourl$ statistics graph # and statistics table to be disabled .not displa$ed/. Ralues # ma$ be =$es= or =no=. !efault is =$es=. #Courl$4raph #Courl$Stats # # # # $es $es

4raph3egend allo%s the color coded legends to be turned on or off in the graphs. The default is for them to be displa$ed. This onl$ toggles the color coded legends) the other legends are not changed. If $ou thin& the$ are hideous and ugl$) sa$ (no( here :/ 53

#4raph3egend # # # # # # #


4raph3ines allo%s $ou to have inde* lines dra%n behind the graphs. I personall$ am not cra#$ about them) but a lot of people re'uested them and the$ %eren(t a big deal to add. The number represents the number of lines $ou %ant displa$ed. !efault is 2) $ou can disable the lines b$ using a value of #ero .(F(/. Xma* is 2FY 5ote) due to rounding errors) some values don(t %or& 'uite right. The lo%er the better) %ith H)2)E)L)K and HF producing nice results. 2

#4raph3ines # # # # # #

The =Top= options belo% define the number of entries for each table. !efaults are SitesZEF) :R3(sZEF) ReferrersZEF and AgentsZHI) and 2ountriesZEF. Top?Sites and Top?:R3s .b$ ?>$te tables/ both default to HF) as do the top entr$/e*it tables .Top ntr$/Top *it/. The top search strings and usernames default to 2F. Tables ma$ be disabled b$ using #ero .F/ for the value.

#TopSites EF #Top?Sites HF #Top:R3s EF #Top?:R3s HF #TopReferrers EF #TopAgents HI #Top2ountries EF #Top ntr$ HF #Top *it HF #TopSearch 2F #Top:sers 2F # # # # # # # # # # # # # # The All- &e$%ords allo% the displa$ of all :R3(s) Sites) Referrers :ser Agents) Search Strings and :sernames. If enabled) a seperate CT"3 page %ill be created) and a lin& %ill be added to the bottom of the appropriate =Top= table. There are a couple of conditions for this to occur.. 8irst) there must be more items than %ill fit in the =Top= table .other%ise it %ould Pust be duplicating %hat is alread$ displa$ed/. Second) the listing %ill onl$ sho% those items that are normall$ visable) %hich means it %ill not sho% an$ hidden items. 4rouped entries %ill be listed first) follo%ed b$ individual items. The value for these &e$%ords can be either ($es( or (no() %ith the default being (no(. Blease be a%are that these pages can be 'uite large in si#e) particularl$ the sites page) and seperate pages are generated for each month) %hich can consume 'uite a lot of dis& space depending on the traffic to $our site.

#AllSites no #All:R3s no #AllReferrers #AllAgents no #AllSearchStr #All:sers no

no no

# The Gebali#er normall$ strips the string (inde*.( off the end of 54

# # # # # # # # # # #

:R3(s in order to consolidate :R3 totals. 8or e*ample) the :R3 /somedir/inde*.html is turned into /somedir/ %hich is reall$ the same :R3. This option allo%s $ou to specif$ additional strings to treat in the same %a$. 1ou don(t need to specif$ (inde*.( as it is al%a$s scanned for b$ The Gebali#er) this option is Pust to specif$ 0additional0 strings if needed. If $ou don(t need an$) don(t specif$ an$ as each string %ill be scanned for in R R1 log record... A bunch of them %ill degrade performance. Also) the string is scanned for an$%here in the :R3) so a string of (home( %ould turn the :R3 /somedir/homepages/brad/home.html into Pust /somedir/ %hich is probabl$ not %hat %as intended.

#Inde*Alias home.htm #Inde*Alias homepage.htm # # # # # # # # # # # # # # # # # # # # # # # The Cide-) 4roup- and Ignore- and Include- &e$%ords allo% $ou to change the %a$ Sites) :R3(s) Referrers) :ser Agents and :sernames are manipulated. The Ignore- &e$%ords %ill cause The Gebali#er to completel$ ignore records as if the$ didn(t e*ist .and thus not counted in the main site totals/. The Cide- &e$%ords %ill prevent things from being displa$ed in the (Top( tables) but %ill still be counted in the main totals. The 4roup- &e$%ords allo% grouping similar obPects as if the$ %ere one. 4rouped records are displa$ed in the (Top( tables and can optionall$ be displa$ed in >63! and/or shaded. 4roups cannot be hidden) and are not counted in the main totals. The 4roup- options do not) b$ default) hide all the items that it matches. If $ou %ant to hide the records that match .so Pust the grouping record is displa$ed/) follo% %ith an identical Cide&e$%ord %ith the same value. .see e*ample belo%/ In addition) 4roup- &e$%ords ma$ have an optional label %hich %ill be displa$ed instead of the &e$%ords value. The label should be seperated from the value b$ at least one (%hite-space( character) such as a space or tab. The value can have either a leading or trailing (-( %ildcard character. If no %ildcard is found) a match can occur an$%here in the string. 4iven a string =%%%.$ourmama.com=) the values =$our=) =-mama.com= and =%%%.$our-= %ill all match.

# 1our o%n site should be hidden #CideSite -mruni*.net #CideSite localhost # 1our o%n site gives most referrals #CideReferrer mruni*.net/ # This one hides non-referrers .=-= !irect re'uests/ #CideReferrer !irect Re'uest # :suall$ $ou %ant to hide these Cide:R3 -.gif Cide:R3 -.4I8 Cide:R3 -.Ppg Cide:R3 -._B4 55

Cide:R3 Cide:R3 Cide:R3

-.png -.B54 -.ra

# Ciding agents is &ind of futile #CideAgent RealBla$er # 1ou can also hide based on authenticated username #Cide:ser root #Cide:ser admin # 4rouping options #4roup:R3 /cgi-bin/#4roup:R3 /images/24I Scripts Images

#4roupSite -.aol.com #4roupSite -.compuserve.com #4roupReferrer #4roupReferrer #4roupReferrer #4roupReferrer #4roup:ser #4roup:ser #4roup:ser $ahoo.com/ 1ahoo7 e*cite.com/ *cite infosee&.com/ InfoSee& %ebcra%ler.com/ Geb2ra%ler root admin %heel Admin users Admin users Admin users

# The follo%ing is a great %a$ to get an overall total # for bro%sers) and not displa$ all the detail records. # .1ou should use "angleAgent to refine further.../ #4roupAgent "SI #CideAgent "SI #4roupAgent "o#illa #CideAgent "o#illa #4roupAgent 3$n*#CideAgent 3$n*# # # # # # # "icro@oft Internet *ploder 5etscape 3$n*

CideAllSites allo%s forcing individual sites to be hidden in the report. This is particularl$ useful %hen used in conPunction %ith the =4roup!omain= feature) but could be useful in other situations as %ell) such as %hen $ou onl$ %ant to displa$ grouped sites .%ith the 4roupSite &e$%ords.../. The value for this &e$%ord can be either ($es( or (no() %ith (no( the default) allo%ing individual sites to be displa$ed. no

#CideAllSites # # # # # #

The 4roup!omains &e$%ord allo%s $ou to group individual hostnames into their respective domains. The value specifies the level of grouping to perform) and can be thought of as (the number of dots( that %ill be displa$ed. 8or e*ample) if a visiting host is named custH.tnt.mia.uu.net) a domain grouping of H %ill result in Pust =uu.net= being displa$ed) %hile a 2 %ill result in =mia.uu.net=. 56

# The default value of #ero disable this feature. !omains %ill onl$ # be grouped if the$ do not match an$ e*isting =4roupSite= records) # %hich allo%s overriding this feature %ith $our o%n if desired. #4roup!omains # # # # # F

The 4roupShading allo%s grouped ro%s to be shaded in the report. :seful if $ou have lots of groups and individual records that intermingle in the report) and $ou %ant to diferentiate the group records a little more. Ralue can be ($es( or (no() %ith ($es( being the default. $es


# 4roupCighlight allo%s the group record to be displa$ed in >63!. # 2an be either ($es( or (no( %ith the default ($es(. #4roupCighlight # # # # # # # # $es

The Ignore- &e$%ords allo% $ou to completel$ ignore log records based on hostname) :R3) user agent) referrer or username. I hessitated in adding these) since the Gebali#er %as designed to generate 0accurate0 statistics about a %eb servers performance. >$ choosing to ignore records) the accurac$ of reports become s&e%ed) negating %h$ I %rote this program in the first place. Co%ever) due to popular demand) here the$ are. :se the same as the Cide- &e$%ords) %here the value can have a leading or trailing %ildcard (-(. :se at $our o%n ris& </

#IgnoreSite bad.site.net IgnoreSite localhost #Ignore:R3 /test#IgnoreReferrer file:/IgnoreReferrer localhost #IgnoreAgent RealBla$er #Ignore:ser root # # # # # # The Include- &e$%ords allo% $ou to force the inclusion of log records based on hostname) :R3) user agent) referrer or username. The$ ta&e precidence over the Ignore- &e$%ords. 5ote: :sing Ignore/Include combinations to selectivl$ process parts of a %eb site is 0e*tremel$ inefficent0777 Avoid doing so if possible .ie: grep the records to a seperate file if $ou reall$ %ant that &ind of report/.

# *ample: 6nl$ sho% stats on _oe :ser(s pages... #Ignore:R3 #Include:R3 MPoeuser# 6r based on an authenticated username #Ignore:ser #Include:ser someuser # The "angleAgents allo%s $ou to specif$ ho% much) if an$) The Gebali#er # should mangle user agent names. This allo%s several levels of detail # to be produced %hen reporting user agent statistics. There are si* 57

# # # # # # # # # #

levels that can be specified) %hich define different levels of detail supression. 3evel I sho%s onl$ the bro%ser name ."SI or "o#illa/ and the maPor version number. 3evel L adds the minor version number .single decimal place/. 3evel E displa$s the minor version to t%o decimal places. 3evel 2 %ill add an$ sub-level designation .such as "o#illa/E.FH4old or "SI E.Fb/. 3evel H %ill attempt to also add the s$stem t$pe if it is specified. The default 3evel F displa$s the full user agent field %ithout modification and produces the greatest amount of detail. :ser agent names that can(t be mangled %ill be left unmodified. F

#"angleAgents # # # # # #

The Search ngine &e$%ords allo% specification of search engines and their 'uer$ strings on the :R3. These are used to locate and report %hat search strings are used to find $our site. The first %ord is a substring to match in the referrer field that identifies the search engine) and the second is the :R3 variable used b$ that search engine to define it(s search terms. ngine ngine ngine ngine ngine ngine ngine ngine ngine ngine ngine ngine ngine ngine ngine ngine ngine ngine ngine ngine $ahoo.com pZ altavista.com 'Z google.com 'Z eure&a.com 'Z l$cos.com 'uer$Z hotbot.com "TZ msn.com "TZ infosee&.com 'tZ %ebcra%ler searchTe*tZ e*cite searchZ netscape.com searchZ mamma.com 'uer$Z allthe%eb.com 'uer$Z northernlight.com 'rZ sensis.com.au findZ google.nl 'Z google.fr 'Z google.ch 'Z google.ca 'Z google.be 'Z

Search Search Search Search Search Search Search Search Search Search Search Search Search Search Search Search Search Search Search Search # # # #

The !ump- &e$%ords allo% the dumping of Sites) :R3(s) Referrers :ser Agents) :sernames and Search strings to seperate tab delimited te*t files) suitable for import into most database or spreadsheet programs.

# !umpBath specifies the path to dump the files. If not specified) # it %ill default to the current output director$. !o not use a # trailing slash .(/(/. #!umpBath /var/lib/httpd/logs # The !umpCeader &e$%ord specifies if a header record should be # %ritten to the file. A header record is the first record of the 58

# # # #

file) and contains the labels for each field %ritten. 5ormall$) files that are intended to be imported into a database s$stem %ill not need a header record) %hile spreadsheets usuall$ do. Ralue can be either ($es( or (no() %ith (no( being the default. no

#!umpCeader # # # #

!ump *tension allo% $ou to specif$ the dump filename e*tension to use. The default is =tab=) but some programs are pic&e$ about the filenames the$ use) so $ou ma$ change it here .for e*ample) some people ma$ prefer to use =csv=/.

#!ump *tension tab # These control the dumping of each individual table. The value # can be either ($es( or (no(.. the default is (no(. #!umpSites no #!ump:R3sno #!umpReferrers #!umpAgents #!ump:sers #!umpSearchStr # # # #

no no no no

If $ou compiled Gebali#er %ith 4eoIB librar$) it becomes enabled b$ default. >ut if $ou %ish to disable it) Pust set 4eoIB to (no(. 1ou ma$ also %ant to specif$ database file path manuall$) if $ou don(t have one installed on s$stem .in case of static build/. $es /usr/share/4eoIB/4eoIB.dat

#4eoIB #4eoIB!atabase

# The custom bar graph 2olors are defined here. !eclare them # in the standard he*adecimal %a$ .as CT"3) %ithout the (#(/ # If none are given) $ou %ill get the standard %ebali#er colors. #2olorCit FFVFIc #2olor8ile FFFFff #2olorSite ffVFFF #2olor?b$te ffFFFF #2olorBage FFcFff #2olorRisit ffffFF #Bie2olorH #Bie2olor2 #Bie2olorE #Bie2olorL # # # # # # VFFFVF VFffcF ffFFff ffcLVF

TrueT$pe8ont ma&es possible to replace 4! built-in font b$ specified TrueT$pe8ont. The value can be (/path/to/$our/true0t$pe0font.file( or empt$. If value is empt$.or commented out/) 4! built-in font %ill be used. The default is empt$. .Supplement for _apanese: 59

# # # #

:nder :2-_B locale) TT8 file must be specified %hich has -Gindo%s Shift-_IS encoding-. This limitation is derived from libgd. e.g. $ou can use =/usr/share/fonts/truet$pe/T-TT/%adalab-gothic.ttf= provided b$ ttf-*tt-%adalab-gothic pac&age/

#TrueT$pe8ont # nd of configuration file... Cave a nice da$7

6e,'i! repre0i!t$ #! soft-are ,a0at pe i!terfa$ -e, care per'ite a&'i!istrarea &e tip 8=I98rap>ical =ser I!terface: pe!tr# siste'#l &e operare =!i? i! ca0#l &e fa$. @oto&at$ folosirea acest#i i!str#'e!t per'ite a&'i!istrator#l#i -e, s$ ai,$ c#!o ti!e 'i!i'e &espre =!i? . I! acest co!te?tA #tilitatea 647MIN s"a co!creti0at %!B 1. crearea #!#i co!t local &e #tili0ator care s$ poat$ 5i0#ali0a<'o&ifica<a&$#/a pa/i!ile -e, i c# &rept#ri &epli!e &e acces la ser5er#l 647 sa# oricare alte facilit$i a&'i!istrati5e 'e!ite s$ 'e!i!$<opti'i0e0e ,#!a f#!cio!are a acest#i ser5er. Acest co!t 5a fi #! co!t c# &rept#ri &e a&'i!istrator9root: pe siste'#l &e operare. Pe!tr# facilit$ile ce per'it &rept#ri &epli!e &e acces la ser5er#l<site"#l -e,A acces#l este per'is &oar local i &oar pe!tr# co!t#l &e!#'it /e!eric %/(-4>i.. Pa/i!a care 5a fi accesat$ 5a fi B >ttpsB<<local>ostB10000. Pe!tr# sit#aia cC!& !# este co!si&erat$ !ecesar$ folosirea i!terfeei /rafice 647MINA aceasta 5a fi &e0acti5at$ local &i! 1*I astfelB /etc/init.d/webmin stop
Pe!tr# acti5area 647MIN 9at#!ci cC!& este &e0acti5at: se 5a folosi co'a!&a 1*IB


DI246A** DAI*27AN P4N@2= (41=2I;A24A (=P*IM4N@A2E A (42F42"=*=I APA1H4

-2i3i/r/ 4/ &o.2i5ur-r/ 2olo'i"/$ -. 2-il1(-..&o.2 -1.LOCATIE$ /etc/fail2ban/fail2ban.conf -1.Co.2i5ur-6i/ 2-il1(-..&o.2$ 60

# 8ail2>an configuration file # # Author: 2$ril _a'uier # # @Revision@ # X!efinitionY # 6ption: loglevel # 5otes.: Set the log level output. # H Z RR6R # 2 Z GAR5 # E Z I586 # L Z ! >:4 # Ralues: 5:" !efault: E # loglevel Z E # 6ption: logtarget # 5otes.: Set the log target. This could be a file) S1S364) ST! RR or ST!6:T. # 6nl$ one log target can be specified. # Ralues: ST!6:T ST! RR S1S364 file !efault: /var/log/fail2ban.log # logtarget Z /var/log/fail2ban.log # 6ption: soc&et # 5otes.: Set the soc&et file. This is used to communicate %ith the daemon. !o # not remove this file %hen 8ail2ban runs. It %ill not be possible to # communicate %ith the server after%ards. # Ralues: 8I3 !efault: /var/run/fail2ban/fail2ban.soc& # soc&et Z /var/run/fail2ban/fail2ban.soc& (. ?-il.&o.2 (1.LOCATIE$ /etc/fail2ban/Pail.conf (1.Co.2i5ur-6i/ ?-il.&o.2$ # # # # # # # # # # # # # 8ail2>an configuration file. This file %as composed for !ebian s$stems from the original one provided no% under /usr/share/doc/fail2ban/e*amples/Pail.conf for additional e*amples. To avoid merges during upgrades !6 56T "6!I81 TCIS 8I3 and rather provide $our changes in /etc/fail2ban/Pail.local Author: 1aroslav 6. Calchen&o 9debianUonerussian.com; @Revision@ 61

# The ! 8A:3T allo%s a global definition of the options. The$ can be overridden # in each Pail after%ards. X! 8A:3TY # =ignoreip= can be an IB address) a 2I!R mas& or a !5S host ignoreip Z H2J.F.F.H/V bantime Z HFFF ma*retr$ Z E # =bac&end= specifies the bac&end used to get files modification. Available # options are =gamin=) =polling= and =auto=. # $oh: 8or some reason !ebian shipped p$thon-gamin didn(t %or& as e*pected # This issue left To!o) so polling is default bac&end for no% bac&end Z auto # # !estination email address used solel$ for the interpolations in # Pail.Aconf)localD configuration files. destemail Z fire%all2I2IUgmail.com # # A2TI65S # # !efault banning action .e.g. iptables) iptables-ne%) # iptables-multiport) shore%all) etc/ It is used to define # action0- variables. 2an be overridden globall$ or per # section %ithin Pail.local file banaction Z iptables-multiport # email action. Since F.V.H upstream fail2ban uses sendmail # "TA for the mailing. 2hange mta configuration parameter to mail # if $ou %ant to revert to conventional (mail(. mta Z ssmtp # !efault protocol protocol Z tcp # Specif$ chain %here Pumps %ould need to be added in iptables-- actions chain Z I5B:T # # Action shortcuts. To be used to define action parameter # The simplest action to ta&e: ban onl$ action0 Z S.banaction/sXnameZS.00name00/s) portZ=S.port/s=) protocolZ=S .protocol/s=) chainZ=S.chain/s=Y # ban \ send an e-mail %ith %hois report to the destemail. action0m% Z S.banaction/sXnameZS.00name00/s) portZ=S.port/s=) protocolZ=S .protocol/s=) chainZ=S.chain/s=Y 62

S.mta/s-%hoisXnameZS.00name00/s) destZ=S.destemail/s=) protocolZ=S.protocol/s=) chainZ=S.chain/s=Y # ban \ send an e-mail %ith %hois report and relevant log lines # to the destemail. action0m%l Z S.banaction/sXnameZS.00name00/s) portZ=S.port/s=) protocolZ=S.protocol/s=) chainZ=S.chain/s=Y S.mta/s-%hois-linesXnameZS.00name00/s) destZ=S.destemail/s=) logpathZS.logpath/s) chainZ=S.chain/s=Y # 2hoose default action. To change) Pust override value of (action( %ith the # interpolation to the chosen action shortcut .e.g. action0m%) action0m%l) etc/ in Pail.local # globall$ .section X! 8A:3TY/ or per specific section action Z S.action0/s # # _AI3S # # # # # # 5e*t Pails corresponds to the standard configuration in 8ail2ban F.K %hich %as shipped in !ebian. nable an$ defined here Pail b$ including XS 2TI6505A" Y enabled Z true

# # in /etc/fail2ban/Pail.local. # # 6ptionall$ $ou ma$ override an$ other parameter .e.g. banaction) # action) port) logpath) etc/ in that section %ithin Pail.local XsshY enabled Z true port Z ssh filter Z sshd logpath Z /var/log/auth.log ma*retr$ Z K XdropbearY enabled Z false port Z ssh filter Z sshd logpath Z /var/log/dropbear ma*retr$ Z K # 4eneric filter for pam. Cas to be used %ith action %hich bans all ports # such as iptables-allports) shore%all Xpam-genericY enabled Z false # pam-generic filter can be customi#ed to monitor specific subset of (tt$(s 63

filter Z pam-generic # port actuall$ must be irrelevant but lets leave it all for some possible uses port Z all banaction Z iptables-allports port Z an$port logpath Z /var/log/auth.log ma*retr$ Z K X*inetd-failY enabled Z false filter Z *inetd-fail port Z all banaction Z iptables-multiport-log logpath Z /var/log/daemon.log ma*retr$ Z 2 Xssh-ddosY enabled Z false port Z ssh filter Z sshd-ddos logpath Z /var/log/auth.log ma*retr$ Z K # # CTTB servers # XapacheY enabled Z true port Z https filter Z apache-auth logpath Z /var/log/apache-/-error.log action Z iptables-multiportXnameZApache-Auth) portZ=http)https=Y sendmail-bufferedXnameZApache-Auth) linesZI) destZiulica.iliesUgmail.comY # default action is no% multiport) so apache-multiport Pail %as left # for compatibilit$ %ith previous .9F.J.K-2/ releases Xapache-multiportY enabled Z false port Z http)https filter Z apache-badbots logpath Z /var/log/apache-/-error.log ma*retr$ Z 2 64

Xapache-noscriptY enabled Z false port Z http)https filter Z apache-noscript logpath Z /var/log/apache-/-error.log ma*retr$ Z K Xapache-overflo%sY enabled Z false port Z http)https filter Z apache-overflo%s logpath Z /var/log/apache-/-error.log ma*retr$ Z 2 # # 8TB servers # XvsftpdY enabled Z false port Z ftp)ftp-data)ftps)ftps-data filter Z vsftpd logpath Z /var/log/vsftpd.log # or over%rite it in Pails.local to be # logpath Z /var/log/auth.log # if $ou %ant to rel$ on BA" failed login attempts # vsftpd(s failrege* should match both of those formats ma*retr$ Z K XproftpdY enabled Z false port Z ftp)ftp-data)ftps)ftps-data filter Z proftpd logpath Z /var/log/proftpd/proftpd.log ma*retr$ Z K Xpure-ftpdY enabled Z false port Z ftp)ftp-data)ftps)ftps-data filter Z pure-ftpd logpath Z /var/log/auth.log ma*retr$ Z K X%uftpdY enabled Z false 65

port Z ftp)ftp-data)ftps)ftps-data filter Z %uftpd logpath Z /var/log/auth.log ma*retr$ Z K # # "ail servers # Xpostfi*Y enabled Z true port Z smtp)ssmtp filter Z postfi* logpath Z /var/log/mail.log XcouriersmtpY enabled Z false port Z smtp)ssmtp filter Z couriersmtp logpath Z /var/log/mail.log # # "ail servers authenticators: might be used for smtp)ftp)imap servers) so # all relevant ports get banned # XcourierauthY enabled Z false port Z smtp)ssmtp)imap2)imapE)imaps)popE)popEs filter Z courierlogin logpath Z /var/log/mail.log XsaslY enabled Z false port Z smtp)ssmtp)imap2)imapE)imaps)popE)popEs filter Z sasl # 1ou might consider monitoring /var/log/mail.%arn instead if $ou are # running postfi* since it %ould provide the same log lines at the # =%arn= level but overall at the smaller filesi#e. logpath Z /var/log/mail.log XdovecotY enabled Z false port Z smtp)ssmtp)imap2)imapE)imaps)popE)popEs filter Z dovecot 66

logpath Z /var/log/mail.log # !5S Servers # # # # # # # # # # # # # # # These Pails bloc& attac&s against named .bindQ/. >$ default) logging is off %ith bindQ installation. 1ou %ill need something li&e this: logging A channel securit$0file A file =/var/log/named/securit$.log= versions E si#e EFm< severit$ d$namic< print-time $es< D< categor$ securit$ A securit$0file< D< D< in $our named.conf to provide proper logging

# 777 GAR5I54 777 # Since :!B is connection-less protocol) spoofing of IB and imitation # of illegal actions is %a$ too simple. Thus enabling of this filter # might provide an eas$ %a$ for implementing a !oS against a chosen # victim. See # http://nion.modprobe.de/blog/archives/KQF-fail2ban-[-dns-fail.html # Blease !6 56T :S this Pail unless $ou &no% %hat $ou are doing. #Xnamed-refused-udpY # #enabled Z false #port Z domain)QIE #protocol Z udp #filter Z named-refused #logpath Z /var/log/named/securit$.log Xnamed-refused-tcpY enabled Z false port Z domain)QIE protocol Z tcp filter Z named-refused logpath Z /var/log/named/securit$.log


3.1. 4le'e!te /e!erale Faria!tele &e soft-are folosite per'it reali0area perio&ic$ a patc>"#rilor &e sec#ritate. D/ -&//- A-ri-."/l/ 4/ 'o2"uri 2olo'i"/ 3i /.u>/r-"/ Aor #u"/2i u#5r-4-"/ -"u.&i &B.4 'i"u-6i- o A- i>#u./ 2CrC B.'C - >o4i2i&SETRILE ACTI+E #r/&i=-"/ B. -&/'" 4o&u>/.".

3.2. 2eali0area a&'i!istr$rii platfor'ei 1laroli!e i a ser5er#l#i 647 -.A4>i.i'"r-r/- '/rA/rului WEB Pe!tr# facilit$ile ce per'it &rept#ri &epli!e &e acces la ser5er#l<site" #l -e,A acces#l este per'is &oar local i &oar pe!tr# co!t#l &e!#'it /e!eric %/(-4>i.. Acces#l i a&'i!istrarea c# &rept#ri &e tip Gf#ll" accessH se poate face &oar local &e pe ser5er#l 647 &isp#s i! DM; i 5a fi acor&at perso!al#l#i !#'it a &esf$ #ra acti5it$i specifice %! acest se!s. Acest l#cr# se co!creti0ea0$ %! crearea #!#i co!t local &e #tili0ator care s$ poat$ 5i0#ali0a<'o&ifica<a&$#/a pa/i!ile -e, i c# &rept#ri &epli!e &e acces la ser5er#l 647 i a ele'e!telor co!e?e !ecesare 'e!i!erii<opti'i0$rii acest#i ser5er. 4le'e!tele co!e?e s#!t repre0e!tate &e acces#l c# &rept#ri &epli!e pe!tr# #r'$toarele ele'e!te s#pli'e!tare i!stalateB "soft-are"#l 647MINI "co!fi/#raia PHPI " soft-are"#l 647A*I;42I "fire-all"#l -e, DAI*27ANI "ser5er#l DN(. Acces#l %! ceea ce pri5e te a&'i!istrarea platfor'ei 1laroli!e este i!ter0is. Acest co!t 5a fi #! co!t c# &rept#ri &e a&'i!istrator9root: pe siste'#l &e operare. (.A4>i.i'"r-r/- #l-"2or>/i Cl-roli./ Aceasta pres#p#!e crearea #!#i co!t local &e #tili0ator c# &rept#ri re&#se pe ser5er#l -e, &ar care s$ ai,$ &rept#ri a&'i!istrati5e pe platfor'a &e %!5$$'C!t la &ista!$ 1laroli!e. Acest co!t 5a fi &e!#'it /e!eric &l-roli./A4>i.A iar pa/i!a care 5a fi accesat$ pe!tr# a&'i!istrare 5a fi B >ttpsB<<local>ost<claroli!e<claroli!e<a&'i! . Pe!tr# facilit$ile ce per'it &rept#ri &epli!e &e acces la aceast$ platfor'$A

acces#l este per'is &oar local i &oar pe!tr# co!t#l &e!#'it /e!eric &l-roli./A4>i..