
8. HelpSpot 4 Server Security

Linux Apache

Make Data Directory Writable

The data directory must be writable by the web server (and PHP). This can be done by assigning group ownership and permissions on the directory as appropriate for your system.

RedHat/CentOS:

# Apache on RedHat/CentOS runs as the "apache" user and group by default
sudo chgrp -R apache /path/to/helpspot/data
sudo chmod -R g+rw /path/to/helpspot/data

Debian/Ubuntu:

sudo chgrp -R www-data /path/to/helpspot/data
sudo chmod -R g+rw /path/to/helpspot/data

Protect Data Directory

The data directory should not be served publicly to your audience.

We've included an .htaccess file in the data directory which denies public web-based access to that directory:

File /path/to/helpspot/data/.htaccess:

Deny from all

If your Apache installation does not allow the use of .htaccess files, you can enable them in the VirtualHost configuration for HelpSpot:

<VirtualHost *:80>
    # Other directives omitted

    <Directory /path/to/helpspot>
        # AllowOverride All permits .htaccess file usage
        # (Apache does not accept a comment on the same line as a directive)
        AllowOverride All

        # Other directives omitted
    </Directory>
</VirtualHost>

Alternatively, you can keep disallowing .htaccess file usage and set the permissions within the VirtualHost configuration:

<VirtualHost *:80>
    # Items omitted

    <Directory /path/to/helpspot>
        AllowOverride None

        # Other items omitted
    </Directory>

    <Directory /path/to/helpspot/data>
        Deny from all
    </Directory>
</VirtualHost>
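
The result of the two Linux steps above (group-writable data directory, deny rule in place) can be checked on disk. The script below is an added example, not part of HelpSpot or this manual; the function names, finding labels, the acceptance of "Require all denied" and the world-writable check are assumptions of the example.

```shell
#!/bin/sh
# Added example (not HelpSpot code): audit the data directory on disk.
# Usage: sh audit.sh /path/to/helpspot/data www-data

# Print every non-symlink path under the directory that matches the given
# find(1) tests, prefixed with a label.
flag() {
    label=$1; shift
    find "$@" ! -type l -print | sed "s|^|$label: |"
}

# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_data_dir() {
    dir=$1
    grp=$2   # group the web server runs as, e.g. www-data
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 1
    fi
    report=$(
        # The shipped .htaccess must exist and still carry a deny-all rule.
        # "Require all denied" (Apache 2.4 syntax) is accepted as equivalent;
        # that is an assumption here, the page only shows "Deny from all".
        if [ ! -f "$dir/.htaccess" ]; then
            echo "EXPOSED: $dir/.htaccess is missing"
        elif ! grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' "$dir/.htaccess"; then
            echo "EXPOSED: $dir/.htaccess has no deny-all rule"
        fi
        # Result of chgrp -R: everything is owned by the web server group.
        flag "WRONG-GROUP" "$dir" ! -group "$grp"
        # Result of chmod -R g+rw: group read and write bits are both set.
        flag "NOT-GROUP-RW" "$dir" ! -perm -060
        # Extra hardening check (assumption): nothing is world-writable.
        flag "WORLD-WRITABLE" "$dir" -perm -002
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

if [ "$#" -eq 2 ]; then
    audit_data_dir "$1" "$2"
fi
```

The script only inspects files: it confirms the deny rule is present, not that Apache is configured to honor .htaccess files, so a request to the data URL from outside is still worth checking.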

Windows

Make Data Directory Writable

This is configured for you if you install HelpSpot using the Windows Installer.

Apache

This is configured for you if you install HelpSpot using the Windows Installer.

Apache installed on Windows can be configured the same way. Append a Directory block to the bottom of the C:\Program Files (x32)\helpspot\apache\conf\httpd.conf file:

<Directory "C:\Program Files (x32)\helpspot\helpspot\data">
    Deny from all
</Directory>

IIS

This is configured for you if you install HelpSpot using the Windows Installer.

The web.config XML file at C:\Program Files (x32)\helpspot\helpspot\web.config requires the addition of some security configuration.

Add the following as appropriate:

<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <hiddenSegments>
                    <add segment="data" />
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

File Permissions

IIS needs to be able to write to HelpSpot's "data" directory. This usually means user IUSR needs permission to modify/write this directory. The Windows installer will handle this for you. However, users who install HelpSpot in non-default locations will need to set security settings on the "data" directory so IUSR can modify/write to that directory.

Nginx

HelpSpot can also work with the Nginx web server.

You can restrict access to the data directory in Nginx with the following "location" block:

server {
    # Other directives omitted

    location /data {
        deny all;
    }
}

MySQL SSL

HelpSpot version 4.0.17+ can connect to MySQL over an SSL connection.

To use an SSL configuration, add the following two items to HelpSpot's config.php file:

define('cMYSQL_CLIENT_SSL', true);
define('cMYSQL_INI_PATH', '/etc/mysql/my.cnf');

Note that the path to the my.cnf file may be different on your system.

Within the my.cnf file referenced, we need to tell MySQL that clients should connect using the SSL certificate. To do so, append the relevant lines of the following under the [client] section of the MySQL my.cnf file. The certificate file paths and names will be different for you:

ssl-ca=/path/to/your/ca-cert.pem
ssl-cert=/path/to/your/client-cert.pem
ssl-key=/path/to/your/client-key.pem
ssl-verify-server-cert=1

Note: The MySQL configuration for supporting SSL connections is out of scope of HelpSpot, but generally involves:

  1. Creating an SSL certificate (key, certificate and possibly certificate authority files)
  2. Setting the my.cnf file to use the certificate files under the [mysqld] heading
