Configuration Guide
Cory Marsh
Share:
Cory Marsh has over 20 years Internet security experience. He is a lead developer on the BitFire project and regularly releases PHP security and programming videos on BitFire's you tube channel.
BitFire is a robust security tool for any PHP-based web application. It has many configuration options suitable for a wide variety of servers, software systems, and CMS.
* All file paths must be absolute filenames (paths beginning with "/"), or relative to the BitFire directory
| DESCRIPTION | DEFAULT |
|---|---|
| bitfire_enabled | true |
| Global setting to enable / disable the BitFire firewall. Set to false to prevent all firewall blocking. | |
| allow_ip_block | false |
| Allow the firewall to block agressive IPs with immediate drop. This will block all traffic from offending IPs for several hours. | |
| security_headers_enabled | true |
| When enabled, BitFire will send HTTP securirty headers to secure browser interactions.https://www.securityheaders.com | |
| enforce_ssl_1year | false |
| When enabled, this will instruct all connecting browsers to disallow any non-SSL connections. This will improve security but your site will be offline if your SSL certificate expires. | |
| password | default |
| Password for the dashboard page. plain-text or sha3-256 format. | |
| cache_type | shmop |
| Server side cache to use, auto-configured. Supported are shmop, apc and apcu. BitFire will use on average about 1000 keys and 100Kb of memory. | |
| cookies_enabled | true |
| Enable if your web site supports cookies. Some very agressive caches do not support cookies. auto-configured. | |
| cache_bust_parameter | "" |
| If your server has very agressive caching, and you have problems with enableing browser_verify, set this to a short random name to enable cache busting. | |
| report_file | cache/alert.json |
| Name of the file to save alerts to. All features support alert mode. If a feature is flags a request and is in alert mode, the rquest will be logged here. (800 line rotating file) | |
| block_file | cache/block.json |
| Name of the file to save the actual blocked requests to. (800 line rotating file) | |
| debug_file | "" |
| BitFire has extensive internal debugging and logging. Set this parameter to a filename to enable server-side debug logging. | |
| debug_header | false |
| Turn on the BitFire debug log and include it in each response header. * This can expose some sensative information and should only be enabled for short periods. | |
| browser_cookie | _bitf |
| After bitfire validates a client or robot it sets an encrypted cookie to validate that same client. This is the cookie name. | |
| dashboard_path | /bitfire |
| The path to the bitfire dashboard. | |
| encryption_key | <UNIQUE> |
| A unique random encryption key, 24 character minimum. | |
| secret | <UNIQUE> |
| A unique random authentication key, 24 character minimum. | |
| debug | false |
| When enabled, a hidden HTML comment will be added to the block page showing the block reason. | |
| response_code | 403 |
| The HTTP response code for blocked pages | |
| ip_header | REMOTE_ADDR |
| The HTTP header value to pull the IP address from. Supported headers: forwarded, x-forwarded-for, or custom | |
| dns_service | localhost |
| The DNS resolution. Most servers should use localhost for fastest resolution, but DNS over HTTPS is supported by using the value: 1.1.1.1 | |
| short_block_time | 600 |
| Number of seconds to ban an IP for a short block. | |
| medium_block_time | 3600 |
| Number of seconds to ban an IP for a medium block. | |
| long_block_time | 86400 |
| Number of seconds to ban an IP for a long block. | |
| cache_ini_files | true |
| If true, BitFire will attempt to parse the configuration file and write a PHP cached version of the file on every update. Requires bitfire/config.ini.php to be web writeable. Improves performance by ~.5ms | |
| skip_local_bots | true |
| Some websites (like WordPress) make HTTP calls to themselves (notable wp-cron.php). When this is enabled these types of requests will be ignored by the firewall. | |
| configured | false |
| If this value is false, BitFire will attempt to auto configure all system settings and then change this value to true. Requires bitfire/config.ini to be web writeable. | |
Security Guide
Find out the best tricks and tips to secure your website.
Cory Marsh
Share:
Cory Marsh has over 20 years Internet security experience. He is a lead developer on the BitFire project and regularly releases PHP security and programming videos on BitFire's you tube channel.Get WebSite Security Notifications
From us to your inbox weekly.