[general]
; General configuration (any core configuration not belonging to other
; categories).

; Human readable file for logging all blocked access attempts. Specify a
; filename, or leave blank to disable.
logfile=''

; Apache-style file for logging all blocked access attempts. Specify a
; filename, or leave blank to disable.
logfile_apache=''

; Serialised file for logging all blocked access attempts. Specify a filename,
; or leave blank to disable.
logfile_serialized=''

; A file for logging any non-fatal errors detected. Specify a filename, or
; leave blank to disable.
error_log=''

; A list of the stages in the execution chain that should have any generated
; errors logged.
error_log_stages='Tests,Modules,SearchEngineVerification,SocialMediaVerification,OtherVerification,Aux,Reporting,Tracking,RL,CAPTCHA,Statistics,Webhooks,Output,NonBlockedCAPTCHA'

; Truncate logfiles when they reach a certain size? Value is the maximum size
; in B/KB/MB/GB/TB that a logfile may grow to before being truncated. The
; default value of 0KB disables truncation (logfiles can grow indefinitely).
; Note: Applies to individual logfiles! The size of logfiles is not considered
; collectively.
truncate='0KB'

; Log rotation limits the number of logfiles that should exist at any one time.
; When new logfiles are created, if the total number of logfiles exceeds the
; specified limit, the specified action will be performed. You can specify the
; desired limit here. A value of 0 will disable log rotation.
log_rotation_limit=0

; Log rotation limits the number of logfiles that should exist at any one time.
; When new logfiles are created, if the total number of logfiles exceeds the
; specified limit, the specified action will be performed. You can specify the
; desired action here. Delete = Delete the oldest logfiles, until the limit is
; no longer exceeded. Archive = Firstly archive, and then delete the oldest
; logfiles, until the limit is no longer exceeded.
log_rotation_action='Delete'

; This is used to specify the timezone to use (e.g., Africa/Cairo,
; America/New_York, Asia/Tokyo, Australia/Perth, Europe/Berlin, Pacific/Guam,
; etc). Specify "SYSTEM" to let PHP handle this for you automatically.
timezone='SYSTEM'

; Timezone offset in minutes.
time_offset=0

; The date/time notation format used by CIDRAM. Additional options may be added
; upon request.
time_format='{Day}, {dd} {Mon} {yyyy} {hh}:{ii}:{ss} {tz}'

; Where to find the IP address of connecting requests? (Useful for services
; such as Cloudflare and the likes). Default = REMOTE_ADDR. WARNING: Don't
; change this unless you know what you're doing!
ipaddr='REMOTE_ADDR'

; Which HTTP status message should CIDRAM send when blocking requests? (Refer
; to the documentation for more information).
forbid_on_block=200

; Should CIDRAM silently redirect blocked access attempts instead of displaying
; the "Access Denied" page? If yes, specify the location to redirect blocked
; access attempts to. If no, leave this variable blank.
silent_mode=''

; Specify the default language for CIDRAM.
lang='en'

; Localise according to HTTP_ACCEPT_LANGUAGE whenever possible? True = Yes
; [Default]; False = No.
lang_override=true

; How do you prefer numbers to be displayed? Select the example that looks the
; most correct to you.
numbers='Latin-1'

; If you wish, you can supply an email address here to be given to users when
; they're blocked, for them to use as a point of contact for support and/or
; assistance for in the event of them being blocked mistakenly or in error.
; WARNING: Whatever email address you supply here will most certainly be
; acquired by spambots and scrapers during the course of its being used here,
; and so, it's strongly recommended that if you choose to supply an email
; address here, that you ensure that the email address you supply here is a
; disposable address and/or an address that you don't mind being spammed (in
; other words, you probably don't want to use your primary personal or primary
; business email addresses).
emailaddr=''

; How would you prefer the email address to be presented to users?
emailaddr_display_style='default'

; Disable front-end access? Front-end access can make CIDRAM more manageable,
; but can also be a potential security risk, too. It's recommended to manage
; CIDRAM via the back-end whenever possible, but front-end access is provided
; for when it isn't possible. Keep it disabled unless you need it. False =
; Enable front-end access; True = Disable front-end access [Default].
disable_frontend=true

; Maximum number of front-end login attempts. Default = 5.
max_login_attempts=5

; File for logging front-end login attempts. Specify a filename, or leave blank
; to disable.
frontend_log=''

; A file for logging when signatures are updated via the front-end. Specify a
; filename, or leave blank to disable.
signatures_update_event_log=''

; Override "forbid_on_block" when "infraction_limit" is exceeded? When
; overriding: Blocked requests return a blank page (template files aren't
; used). 200 = Don't override [Default]. Other values are the same as the
; available values for "forbid_on_block".
ban_override=200

; Include blocked requests from banned IPs in the logfiles? True = Yes
; [Default]; False = No.
log_banned_ips=true

; A comma delimited list of DNS servers to use for hostname lookups. Default =
; "8.8.8.8,8.8.4.4" (Google DNS). WARNING: Don't change this unless you know
; what you're doing!
default_dns='8.8.8.8,8.8.4.4'

; Attempt to verify requests from search engines? Verifying search engines
; ensures that they won't be banned as a result of exceeding the infraction
; limit (banning search engines from your website will usually have a negative
; effect upon your search engine ranking, SEO, etc). When verified, search
; engines can be blocked as per normal, but won't be banned. When not verified,
; it's possible for them to be banned as a result of exceeding the infraction
; limit. Additionally, search engine verification provides protection against
; fake search engine requests and against potentially malicious entities
; masquerading as search engines (such requests will be blocked when search
; engine verification is enabled). True = Enable search engine verification
; [Default]; False = Disable search engine verification.
search_engine_verification=true

; Attempt to verify social media requests? Social media verification provides
; protection against fake social media requests (such requests will be
; blocked). True = Enable social media verification [Default]; False = Disable
; social media verification.
social_media_verification=true

; Wherever possible, attempt to verify other kinds of requests (e.g., AdSense,
; SEO checkers, etc)? When detected, faked requests will be blocked. True =
; Enable [Default]; False = Disable.
other_verification=true

; Specifies whether the protections normally provided by CIDRAM should be
; applied to the front-end. True = Yes [Default]; False = No.
protect_frontend=true

; Disable webfonts? True = Yes [Default]; False = No.
disable_webfonts=true

; Enable maintenance mode? True = Yes; False = No [Default]. Disables
; everything other than the front-end. Sometimes useful for when updating your
; CMS, frameworks, etc.
maintenance_mode=false

; Defines which algorithm to use for all future passwords and sessions.
; Options: PASSWORD_DEFAULT (default), PASSWORD_BCRYPT, PASSWORD_ARGON2I
; (requires PHP >= 7.2.0), PASSWORD_ARGON2ID (requires PHP >= 7.3.0).
default_algo='PASSWORD_DEFAULT'

; Track CIDRAM usage statistics? True = Yes; False = No [Default].
statistics=false

; Force hostname lookups? True = Yes; False = No [Default]. Hostname lookups
; are normally performed on an "as needed" basis, but can be forced for all
; requests. Doing so may be useful as a means of providing more detailed
; information in the logfiles, but may also have a slightly negative effect on
; performance.
force_hostname_lookup=false

; Allow gethostbyaddr lookups when UDP is unavailable? True = Yes [Default];
; False = No.
allow_gethostbyaddr_lookup=true

; Hide version information from logs and page output? True = Yes; False = No
; [Default].
hide_version=false

; How should CIDRAM handle empty fields when logging and displaying block event
; information? "include" = Include empty fields. "omit" = Omit empty fields
; [default].
empty_fields='omit'

; When using the front-end logs page to view log data, CIDRAM sanitises the log
; data before displaying it, to protect users from XSS attacks and other
; potential threats that log data could contain. However, by default, data
; isn't sanitised during logging. This is to ensure that log data is preserved
; accurately, to aid any heuristic or forensic analysis that might be necessary
; in the future. However, in the event that a user attempts to read log data
; using external tools, and if those external tools don't perform their own
; sanitisation process, the user could be exposed to XSS attacks. If necessary,
; you can change the default behaviour using this configuration directive. True
; = Sanitise data when logging it (data is preserved less accurately, but XSS
; risk is lower). False = Don't sanitise data when logging it (data is
; preserved more accurately, but XSS risk is higher) [Default].
log_sanitisation=false

; This can be used to prevent CIDRAM from using particular channels when
; sending requests (e.g., when updating, when fetching component metadata,
; etc).
disabled_channels=''

; Default timeout to use for external requests? Default = 12 seconds.
default_timeout=12

; A comma delimited list of files to import into the CIDRAM default
; configuration. Typically populated by the updates page when activating
; components which need it when necessary. In most cases, can ignore it.
config_imports='bypasses.yml'

; Files listed here are loaded directly after the event handlers file.
; Typically populated by the updates page when activating components which need
; it when necessary. In most cases, can ignore it.
events=''


[signatures]
; Configuration for signatures, signature files, modules, etc.

; A list of the IPv4 signature files that CIDRAM should attempt to parse,
; delimited by commas.
ipv4='ipv4.dat,ipv4_bogons.dat,ipv4_custom.dat,ipv4_isps.dat,ipv4_nonblocking.dat,ipv4_other.dat'

; A list of the IPv6 signature files that CIDRAM should attempt to parse,
; delimited by commas.
ipv6='ipv6.dat,ipv6_bogons.dat,ipv6_custom.dat,ipv6_isps.dat,ipv6_nonblocking.dat,ipv6_other.dat'

; Block CIDRs identified as belonging to webhosting/cloud services? If you
; operate an API service from your website or if you expect other websites to
; connect to your website, this should be set to false. If you don't, then,
; this directive should be set to true.
block_cloud=true

; Block bogon/martian CIDRs? If you expect connections to your website from
; within your local network, from localhost, or from your LAN, this directive
; should be set to false. If you don't expect these such connections, this
; directive should be set to true.
block_bogons=false

; Block CIDRs generally recommended for blacklisting? This covers any
; signatures that aren't marked as being part of any of the other more specific
; signature categories.
block_generic=true

; Block CIDRs in response to legal obligations? This directive shouldn't
; normally have any effect, because CIDRAM doesn't associate any CIDRs with
; "legal obligations" by default, but it exists nonetheless as an additional
; control measure for the benefit of any custom signature files or modules that
; might exist for legal reasons.
block_legal=true

; Block IPs associated with malware? This includes C&C servers, infected
; machines, machines involved in malware distribution, etc.
block_malware=true

; Block CIDRs identified as belonging to proxy services or VPNs? If you require
; that users be able to access your website from proxy services and VPNs, this
; directive should be set to false. Otherwise, if you don't require proxy
; services or VPNs, this directive should be set to true as a means of
; improving security.
block_proxies=false

; Block CIDRs identified as being high-risk for spam? Unless you experience
; problems when doing so, generally, this should always be set to true.
block_spam=true

; A list of module files to load after checking the IPv4/IPv6 signatures,
; delimited by commas.
modules=''

; How many seconds to track IPs banned by modules. Default = 604800 (1 week).
default_tracktime=604800

; Maximum number of infractions an IP is allowed to incur before it is banned
; by IP tracking. Default = 10.
infraction_limit=10

; When should infractions be counted? False = When IPs are blocked by modules.
; True = When IPs are blocked for any reason. Default = False.
track_mode=false

; Allow modules to override tracking options? True = Yes [Default]; False = No.
tracking_override=true


[recaptcha]
; Configuration for ReCaptcha (provides a way for humans to regain access when
; blocked).

; When should the CAPTCHA be offered? Note: Whitelisted or verified and
; non-blocked requests never need to complete a CAPTCHA.
usemode=0

; Lock CAPTCHA to IPs?
lockip=false

; Lock CAPTCHA to users?
lockuser=true

; This value can be found in the dashboard for your CAPTCHA service.
sitekey=''

; This value can be found in the dashboard for your CAPTCHA service.
secret=''

; Number of hours to remember CAPTCHA instances. Default = 720 (1 month).
expiry=720

; Log all CAPTCHA attempts? If yes, specify the name to use for the logfile. If
; no, leave this variable blank.
logfile=''

; Maximum number of signatures allowed before the CAPTCHA offer is withdrawn.
; Default = 1.
signature_limit=1

; Which API to use?
api='V2'

; Show cookie warning? True = Yes [Default]; False = No.
show_cookie_warning=true

; Show API message? True = Yes [Default]; False = No.
show_api_message=true

; Which status code should be used when displaying CAPTCHAs to non-blocked
; requests?
nonblocked_status_code=200


[hcaptcha]
; Configuration for HCaptcha (provides a way for humans to regain access when
; blocked).

; When should the CAPTCHA be offered? Note: Whitelisted or verified and
; non-blocked requests never need to complete a CAPTCHA.
usemode=0

; Lock CAPTCHA to IPs?
lockip=false

; Lock CAPTCHA to users?
lockuser=true

; This value can be found in the dashboard for your CAPTCHA service.
sitekey=''

; This value can be found in the dashboard for your CAPTCHA service.
secret=''

; Number of hours to remember CAPTCHA instances. Default = 720 (1 month).
expiry=720

; Log all CAPTCHA attempts? If yes, specify the name to use for the logfile. If
; no, leave this variable blank.
logfile=''

; Maximum number of signatures allowed before the CAPTCHA offer is withdrawn.
; Default = 1.
signature_limit=1

; Which API to use?
api='V1'

; Show cookie warning? True = Yes [Default]; False = No.
show_cookie_warning=true

; Show API message? True = Yes [Default]; False = No.
show_api_message=true

; Which status code should be used when displaying CAPTCHAs to non-blocked
; requests?
nonblocked_status_code=200


[legal]
; Configuration for legal requirements.

; Pseudonymise IP addresses when logging? True = Yes [Default]; False = No.
pseudonymise_ip_addresses=true

; Omit IP addresses from logs? True = Yes; False = No [Default]. Note:
; "pseudonymise_ip_addresses" becomes redundant when "omit_ip" is "true".
omit_ip=false

; Omit hostnames from logs? True = Yes; False = No [Default].
omit_hostname=false

; Omit user agents from logs? True = Yes; False = No [Default].
omit_ua=false

; The address of a relevant privacy policy to be displayed in the footer of any
; generated pages. Specify a URL, or leave blank to disable.
privacy_policy=''


[template_data]
; Configuration for templates and themes.

; Default theme to use for CIDRAM.
theme='default'

; Font magnification. Default = 1.
magnification=1

; CSS file URL for custom themes.
css_url=''


[PHPMailer]
; Configuration for PHPMailer (used for two-factor authentication).

; A file for logging all events in relation to PHPMailer. Specify a filename,
; or leave blank to disable.
event_log=''

; Setting this directive to true instructs PHPMailer to skip the normal
; authentication process that normally occurs when sending email via SMTP. This
; should be avoided, because skipping this process may expose outbound email to
; MITM attacks, but may be necessary in cases where this process prevents
; PHPMailer from connecting to an SMTP server.
skip_auth_process=false

; This directive determines whether to use 2FA for front-end accounts.
enable_two_factor=false

; The SMTP host to use for outbound email.
host=''

; The port number to use for outbound email. Default = 587.
port=587

; The protocol to use when sending email via SMTP (TLS or SSL).
smtp_secure='-'

; This directive determines whether to authenticate SMTP sessions (should
; usually be left alone).
smtp_auth=true

; The username to use when sending email via SMTP.
username=''

; The password to use when sending email via SMTP.
password=''

; The sender address to cite when sending email via SMTP.
set_from_address=''

; The sender name to cite when sending email via SMTP.
set_from_name=''

; The reply address to cite when sending email via SMTP.
add_reply_to_address=''

; The reply name to cite when sending email via SMTP.
add_reply_to_name=''


[rate_limiting]
; Configuration for rate limiting (not recommended for general use).

; The maximum amount of bandwidth allowed within the allowance period before
; rate limiting future requests. A value of 0 disables this type of rate
; limiting. Default = 0KB.
max_bandwidth='0KB'

; The maximum number of requests allowed within the allowance period before
; rate limiting future requests. A value of 0 disables this type of rate
; limiting. Default = 0.
max_requests=0

; The precision to use for tracking IPv4 usage. Value mirrors CIDR block size.
; Set to 32 for best precision. Default = 32.
precision_ipv4=32

; The precision to use for tracking IPv6 usage. Value mirrors CIDR block size.
; Set to 128 for best precision. Default = 128.
precision_ipv6=128

; The number of hours to track usage. Default = 0.
allowance_period=0

; Exceptions (i.e., requests which shouldn't be rate limited). Relevant only
; when rate limiting is enabled.
exceptions=''


[supplementary_cache_options]
; Supplementary cache options.

; Specifies whether to try using APCu for caching. Default = False.
enable_apcu=false

; Specifies whether to try using Memcached for caching. Default = False.
enable_memcached=false

; Specifies whether to try using Redis for caching. Default = False.
enable_redis=false

; Specifies whether to try using PDO for caching. Default = False.
enable_pdo=false

; Memcached host value. Default = "localhost".
memcached_host='localhost'

; Memcached port value. Default = "11211".
memcached_port=11211

; Redis host value. Default = "localhost".
redis_host='localhost'

; Redis port value. Default = "6379".
redis_port=6379

; Redis timeout value. Default = "2.5".
redis_timeout=2.5

; PDO DSN value. Default = "mysql:dbname=cidram;host=localhost;port=3306".
pdo_dsn='mysql:dbname=cidram;host=localhost;port=3306'

; PDO username.
pdo_username=''

; PDO password.
pdo_password=''


[bypasses]
; Default signature bypasses configuration.

; Which bypasses should be used?
used='AbuseIPDB,Bingbot,DuckDuckBot,Embedly,Feedbot,Feedspot,Grapeshot,Jetpack,Pinterest,WordPress REST API'