8. HelpSpot 4 Server Security
Linux Apache
Make Data Directory Writable
The data directory must be writable by the web server (and PHP). This can be done by assigning group ownership and permissions on the directory as appropriate for your system.
RedHat/CentOS:
# The Apache group on RedHat/CentOS is normally "apache"
sudo chgrp -R apache /path/to/helpspot/data
sudo chmod -R g+rw /path/to/helpspot/data
Debian/Ubuntu:
sudo chgrp -R www-data /path/to/helpspot/data
sudo chmod -R g+rw /path/to/helpspot/data
Protect Data Directory
The data directory should not be served publicly to your audience.
We've included an .htaccess file in the data directory which denies public web-based access to that directory:
File /path/to/helpspot/data/.htaccess:
Deny from all
If your Apache installation does not allow the use of .htaccess files, you can enable them in the VirtualHost configuration for HelpSpot:
<VirtualHost *:80>
    # Other directives omitted
    <Directory /path/to/helpspot>
        # this allows .htaccess file usage
        AllowOverride All
        # Other directives omitted
    </Directory>
</VirtualHost>
Alternatively, you can keep disallowing .htaccess file usage and set the permissions within the VirtualHost configuration:
<VirtualHost *:80>
    # Items omitted
    <Directory /path/to/helpspot>
        AllowOverride None
        # Other items omitted
    </Directory>
    <Directory /path/to/helpspot/data>
        Deny from all
    </Directory>
</VirtualHost>
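The two configurations above share one failure mode: the shipped .htaccess is silently ignored when AllowOverride does not permit it and no server-level deny exists. The following Python check is an added example, not part of HelpSpot or its documentation; the function name data_dir_protection, the simplified parsing and the sample input are assumptions.

```python
import re

# Directives that block all requests: the 2.2-style form used on this page
# and the Apache 2.4 equivalent.
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.I | re.S)
OVERRIDE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.I | re.M)


def data_dir_protection(conf_text, helpspot_root, htaccess_text=""):
    """Return 'vhost', 'htaccess' or None for <helpspot_root>/data.

    Assumed simplifications: POSIX paths, plain <Directory> sections only
    (no Include, wildcards or <DirectoryMatch>), comments on their own lines.
    """
    data = helpspot_root.rstrip("/") + "/data"
    conf = re.sub(r"#.*", "", conf_text)          # drop comments
    override = (0, "none")                        # Apache 2.4 default
    for path, body in SECTION.findall(conf):
        path = path.rstrip("/") or "/"
        if path == data and DENY.search(body):
            return "vhost"                        # denied in the server config
        prefix = path if path.endswith("/") else path + "/"
        m = OVERRIDE.search(body)
        # The most specific enclosing <Directory> decides AllowOverride.
        if m and (data + "/").startswith(prefix) and len(path) >= override[0]:
            override = (len(path), m.group(1).lower())
    tokens = override[1].split()
    rule = DENY.search(htaccess_text)
    if rule:
        # In .htaccess, Deny needs the Limit override class, Require needs AuthConfig.
        needed = "limit" if rule.group(1).lower().startswith("deny") else "authconfig"
        if "all" in tokens or needed in tokens:
            return "htaccess"
    return None                                   # data/ would be served


if __name__ == "__main__":
    # Constructed sample: .htaccess is present but overrides are disabled.
    sample = """<Directory /path/to/helpspot>
    AllowOverride None
</Directory>"""
    print(data_dir_protection(sample, "/path/to/helpspot", "Deny from all"))
```

A result of None means neither mechanism applies and the data directory needs one of the two configurations above.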
Windows
Make Data Directory Writable
This is configured for you if you install HelpSpot using the Windows Installer.
Apache
This is configured for you if you install HelpSpot using the Windows Installer.
Apache installed on Windows can accomplish the same. You can append a Directory configuration to the bottom of the C:\Program Files (x32)\helpspot\apache\conf\httpd.conf file:
<Directory "C:\Program Files (x32)\helpspot\helpspot\data">
    Deny from all
</Directory>
IIS
This is configured for you if you install HelpSpot using the Windows Installer.
The web.config XML file found at C:\Program Files (x32)\helpspot\helpspot\web.config requires the addition of some security configuration.
Add the following as appropriate:
<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <hiddenSegments>
                    <add segment="data" />
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>
File Permissions
IIS needs to be able to write to HelpSpot's "data" directory. This usually means user IUSR needs permission to modify/write this directory. The Windows installer will handle this for you. However, users who install HelpSpot in non-default locations will need to set security settings on the "data" directory so IUSR can modify/write to that directory.
Nginx
HelpSpot can also work with the Nginx web server.
You can restrict access to the data directory in Nginx with the following "location" block:
server {
    # Other directives omitted
    location /data {
        deny all;
    }
}
MySQL SSL
HelpSpot version 4.0.17+ can connect to MySQL over an SSL connection.
To use an SSL configuration, add the following two items to HelpSpot's config.php file:
define('cMYSQL_CLIENT_SSL', true);
define('cMYSQL_INI_PATH', '/etc/mysql/my.cnf');
Note that the path to the my.cnf file may be different on your system.
Within the my.cnf file referenced, we need to tell MySQL that clients should connect using the SSL certificate. To do so, append the relevant lines of the following under the [client] section of the MySQL my.cnf file. The certificate file paths and names will be different for you:
ssl-ca=/path/to/your/ca-cert.pem
ssl-cert=/path/to/your/client-cert.pem
ssl-key=/path/to/your/client-key.pem
ssl-verify-server-cert=1
Note: The MySQL configuration for supporting SSL connections is out of scope of HelpSpot, but generally involves:
- Creating an SSL certificate (key, certificate and possibly certificate authority files)
- Setting the my.cnf file to use the certificate files under the [mysqld] heading