96 lines
6.3 KiB
Text
96 lines
6.3 KiB
Text
<?php
|
|
|
|
/* ### file storage configuration ### */
|
|
// Uploaded files temporary storage
|
|
// This repository must be accessible (write access) by the web server process. Check the webserver configuration
|
|
// But no script executed from there
|
|
// This path MUST include a final "/"
|
|
// If you change this path, do not forget to change it too in /etc/cron.d/flexisip-http-file-transfer-server
|
|
define ("fhft_tmp_path", "/var/opt/belledonne-communications/flexisip-http-file-transfer-tmp/");
|
|
// File Extension: as some client can forward the transfered file URL using external body url, we must keep the
|
|
// original file extension. For clients using the RCS recommendation, this is not mandatory but there is no way to know from the server side
|
|
// Some extensions could be dangerous (.php for example...) if for some reason the server is badly configured and is able to execute the uploaded files
|
|
// To mitigate this, the following extension filter is defined:
|
|
// This default black list include common server script extensions
|
|
define ("fhft_extension_black_list", ["html", "htm", "xhtml", "xht", "asp", "avfp", "aspx", "cshtml", "cfm", "go", "gs", "php", "php3", "php4", "php5", "phtml", "hs", "jsp", "js", "ssjs", "lasso", "lp", "op", "lua", "p", "cgi", "ipl", "pl", "py", "pyc", "pyo", "rhtml", "rb", "rbw", "smx", "tcl", "dna", "tpl", "r", "w", "wig"]);
|
|
// Any file with a black listed extension, will get the fallback one added on the server. RCS file transfer will recover from it and give the correct filename to the recipient
|
|
define ("fhft_extension_fallback", "txt");
|
|
// Validity expressed in seconds. Default is 1 week
|
|
// If you change this value, do not forget to change it too in /etc/cron.d/flexisip-http-file-transfer-server
|
|
define ("fhft_validity_period", 7*24*60*60);
|
|
// Maximum file size, in MB, accepted by the server
|
|
// This setting must be lower than the maximum file size and maximum post size defined on the
|
|
// system (either pho.ini or more likely in the apache configuration). The default setting in the apache conf
|
|
// distributed with the package is 512 MB.
|
|
// If this setting is larger than the apache one or set to 0, it is ignored (and the apache/php.ini limit is used)
|
|
define ("fhft_maximum_file_size_in_MB", 256);
|
|
|
|
/* ### Logs configuration ### */
|
|
// Time zone configuration
|
|
// see https://www.php.net/manual/en/timezones.php for a list of supported timezone
|
|
// This setting shall be done in your php.ini, if you cannot modify it, uncomment the following line and use a correct timezone
|
|
//date_default_timezone_set('UTC');
|
|
|
|
// log level one of (LogLevel::DISABLED, ERROR, WARNING, MESSAGE, DEBUG)
|
|
// default to DISABLED (recommended value)
|
|
define ("fhft_logLevel" , LogLevel::DISABLED);
|
|
define ("fhft_logFile", "/var/opt/belledonne-communications/log/flexisip-http-file-transfer-server.log"); // make sure to have actual write permission to this file
|
|
define ("fhft_logDomain", "FHFT"); // in case Logs are mixed with other applications ones, format is [time tag] -Domain- message
|
|
|
|
|
|
/* ### Authentication configuration ### */
|
|
// The default configuration is to not authenticate the users on the file server
|
|
// TLS client certificate can be enabled at web server level, a client authenticated using certificate will bypass the digest auth if enabled
|
|
|
|
// Allow Digest authentication: this setting can apply to upload only or upload and download.
|
|
// # Upload:
|
|
// set this switch to 'true'
|
|
// # Download:
|
|
// If this switch is 'true', check the apache configuration to enable/disable the auth on download: redirect
|
|
// /flexisip-http-file-transfer-server/tmp toward the /opt/belledonne-communications/share/flexisip-http-file-transfer-server/download.php script
|
|
// Note:
|
|
// - Digest auth on download is the default behaviour at install, if you do not want to authenticate the connection on download, modify the default apache configuration
|
|
// - Download filename are randomized so a fail2ban might be enough to prevent access to uploaded files
|
|
//
|
|
// File encryption is strongly encouraged if you're concerned by the privacy of your users
|
|
define("DIGEST_AUTH", false);
|
|
|
|
// Flexisip database access for authentication
|
|
define("AUTH_DB_HOST", "");
|
|
define("AUTH_DB_USER", "");
|
|
define("AUTH_DB_PASSWORD", "");
|
|
define("AUTH_DB_NAME", "");
|
|
define("ACCOUNTS_DB_TABLE", "accounts");
|
|
define("ACCOUNTS_ALGO_DB_TABLE", "passwords");
|
|
define("USE_PERSISTENT_CONNECTIONS", False);
|
|
|
|
// Authentication realm
|
|
// If this is not defined, the realm is fetched from the request. Do it ONLY if you need to run several realm on one file server.
|
|
define("AUTH_REALM", "sip.example.org");
|
|
|
|
// Authentication SQL query
|
|
// this SQL query must retrieve a field password and a field algorithm and will bind a string holding the username and one the domain into the ?, it shall extract several stored password if we store them in cleartext, MD5 or SHA-256 hash
|
|
define("AUTH_QUERY", "SELECT password, algorithm FROM ". ACCOUNTS_ALGO_DB_TABLE . " WHERE account_id=(SELECT id from " . ACCOUNTS_DB_TABLE ." WHERE username=? AND domain=? LIMIT 1);");
|
|
// This value must be a random string(12 characters minimum length) specific to each server and is private
|
|
define("AUTH_NONCE_KEY", "");
|
|
// The authentication is aimed to provide a one time usage nonce, it is not strictly inforced by storing valid once, instead
|
|
// we use a short living period, the maximum validity period will be twice the minimum one, value is in seconds
|
|
define("MIN_NONCE_VALIDITY_PERIOD", 10);
|
|
|
|
/* ### Proxy configuration ### */
|
|
// To enable fetching from other domains capabilities, define a domain managed by this server, all requests to this domain(or a subdomain of it)
|
|
// will be processed locally. To query other domains, define a FOREIGN_DOMAINS array
|
|
// define("PROXY_SELF_DOMAIN", "example.org");
|
|
|
|
// Define an array of external domain to fetch from with:
|
|
// - external domain name => client certificate to use to authenticate ourselve
|
|
// WARNING: subdomain management: insert the more specific first in the list.
|
|
// If you have certificates to connect to domainA.example.org and example.org, insert first the domainA.example.org and then the example.org
|
|
//define("FOREIGN_DOMAINS", [
|
|
// "example.org" => "/etc/flexisip-http-file-transfer-server/certificates/foreign-domain/example.org.pem"
|
|
// ]);
|
|
|
|
// Define the cafile used to authenticate foreign domain servers certificate
|
|
//define("FOREIGN_DOMAINS_CAFILE", "/etc/flexisip-http-file-transfer-server/certificates/cafile.pem");
|
|
|
|
?>
|