This section describes how to run a secure server. Before reading this section, make sure you have followed the recommended configuration instructions to secure the application.
It’s important to run OJS, OMP and OPS on a secure server environment. In addition to the security settings in the recommended configuration of the application, you must ensure the server is secure where the applicaiton is run.
This section makes a few recommendations for running secure servers. However, if you are unfamiliar with server administration, we strongly encourage you to use a professional hosting service or hire a professional system administrator.
salt
and api_secret_key
settings in config.inc.php
.encryption
setting in config.inc.php
is set to sha1
.https://
.files_dir
folder can not be accessed through the web.files_dir
at regular intervals. We recommend a backup for every day in the last 7 days, one per week for the last 4 weeks, and one per month for the last 12 months. View the upgrade guide for more complete backup instructions.The files_dir
is where all private submission files are stored. If this directory is located in the web root, anyone will be able to download submission files. Once you have configured the files_dir
outside of the web root, lock down access to that directory by setting the read/write permissions so that only the application can read, add, edit and delete files.
The exact details of file permissions will depend on how your web server runs PHP scripts. Read more about file permissions
All web applications should be protected with SSL/TLS encryption, so that they can encrypt traffic through the server. Without encryption, user login credentials are passed in plain text, which allows anyone scanning the network to intercept them.
The following section describes how to get a SSL certificate, enable it, and configure the server to update it.
A certificate enables a secure connection from the user’s Web browser to the server hosting your site. Installing a certificate for your site can not be done within the OJS, OMP, or OCS software and will require technical expertise or assistance at the server level. When considering a software host, determining their level of certificate support is an important consideration.
A good start is asking your hosting service provider if they have an existing solution for supporting TLS or SSL certificates – Your hosting provider may be able to create/issue an TLS or SSL certificate for you. If you do not have shell access to your installation this may be the only way to go about adding SSL/TLS protection for your site.
Purchasing a certificate may be an option available to you as well. Commercial businesses that provide certificates are called Certificate Authorities (CA). Wikipedia provides a listing of CA providers by market share. In addition to providing certificates that enable encryption, traditional CA issued certificates offer several advantages including customer vetting to help validate customer identity, and wildcard certificates. Depending on what features you select with your purchase, CA issued certificates can cost $100s per year and must be renewed before expiry.
Let’s Encrypt is a popular option for obtaining subscription as well. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). Certificates are provided for free, with some limitations:
To test that your certificate is installed correctly, go to https://www.ssllabs.com/ssltest/index.html and enter your host name. If your grade is “B” or worse, your server may not be available to secure client software.
Required step to generate a certificate if you are going to be purchasing a certificate from a CA that is not Let’s Encrypt. In terms of how to do this, this varies from one Linux distribution to the next, some common Linux examples can be found here:
When you purchase a certificate from a CA, you will typically purchase a certificate that lasts between 1 to 3 years. Certificates are set to expire and will need to be renewed resulting in a new expense at the time of renewal. Let’s Encrypt certificates expire every 90 days. The Let’s Encrypt software (certbot) can be configured to automatically renew certificates before they expire. Meaning once installed you should have minimal maintenance moving forward. Automation is done with cron
or systemd
.
Contributors: PKP staff, Kenton Good