mojoPortal configuration question? Look here first

Post here for help with installing or upgrading mojoPortal pre-compiled release packages. When posting in this forum, please provide all relevant details. You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.

Post here for help with installation of mojoPortal pre-compiled release packages

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.

This thread is closed to new posts. You must sign in to post in the forums.
11/16/2010 5:22:46 PM
Proud member of the mojoPortal team

mojoPortal configuration question? Look here first

Hi everyone, I've noticed a lot of questions on the forum that relate to configuration of mojoPortal. If you've read the documentation, you'll know that your site is configured by the use of web.config (and optionally user.config). I thought it might be valuable for everyone to see a comprehensive user.config example file. I built this by going option-by-option through the delivered web.config, and including all of the configuration values I thought we might want to override. This is an exercise that I would recommend to every mojoPortal user, because it will really give you insight into some of the inner workings of mojoPortal, and you'll see just how flexible it is.

Some of the settings in this file may be the same as the delivered value stored in web.config. This is not a problem, of course, and placing it in user.config gives us the flexibility to easily change that value as needed.

Remember that any time you make a change to your user.config, you'll need to "touch" web.config to make the web server refresh and read the changes. I do this by loading web.config into a text editor, adding and removing a space, and saving.

I think I've documented this file pretty thoroughly with comments, but if anybody has questions about this, I'd be happy to answer them if I can.

Jamie

 

<?xml version="1.0" encoding="utf-8"?>
<appSettings>

   <!-- Disable setup page by default. If logged in as admin, can still get to setup page -->
   <add key="DisableSetup" value="true" />
 
   <!-- Connection string for MySQL Database -->
   <add key="MySqlConnectionString" value="Server=localhost;Database=our_db;Uid=our_user;Pwd=our_pw" />
 
   <!-- Note: In new installations as of version 2.3.5.5, it is not necessary to generate an RSA key to secure mojoPortal. With the UseLegacyCryptoHelper key set to false, all encryption is done using the Machine Key, so the mojoCryptoHelperKeyFile setting is obsolete (left here for informational use only for sites established using a version prior to 2.3.5.5) -->

   <add key="UseLegacyCryptoHelper" value="false" />

<!--        Custom generated RSA key file
        Steps used to generate the key:
          C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis -pc "MyKeys" -exp
          C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis -px "MyKeys" "c:\temp\keys.xml" -pri
   <add key="mojoCryptoHelperKeyFile" value="~/our_file.config" /> -->
 
   <!-- Indicate that SSL is available to the site. Forces high security pages to use SSL (login, etc.)
        and enables optional use of SSL on a page-by-page basis -->
   <add key="SSLIsAvailable" value="true" />
  
   <!-- We have a wildcard SSL certificate, so any subdomain on the server can also use SSL -->
   <add key="EnableSSLInChildSites" value="true" />
  
   <!-- Use SSL for LDAP authentication requests -->
   <add key="UseSslForLdap" value="true" />
 
   <!-- Notify administrators when new users register on the system -->
   <add key="NotifyAdminsOnNewUserRegistration" value="true" />
 
   <!-- Turn on content versioning globally throughout the site -->
   <add key="EnforceContentVersioningGlobally" value="true" />
 
   <!-- Added .dwg to the allowed extensions for upload -->
   <add key="AllowedUploadFileExtensions" value=".gif|.jpg|.jpeg|.png|.flv|.swf|.wmv|.mp3|.mp4|.tif|.asf|.asx|.avi|.mov|.mpeg|.mpg|.zip|.pdf|.doc|.docx|.xls|.xlsx|.ppt|.pptx|.csv|.txt|.dwg"/>

   <!-- Add two keys to allow for mixed case in folder/file names. Per Joe Audette,

        The reason we force lower case by default is because mojoPortal can run on Linux. On Windows urls are not case sensitive
        because the file system is not case sensitive, but on Linux both the file system and urls are case sensitive so one
        mistake in capitalization can cause a broken url and forcing lower case ensures a convention that will prevent that.
 
        If you are 100% sure you will never move your mojoPortal site to Linux or host the files on a Linux server it is fine
        to allow mixed case.-->
   <add key="ForceLowerCaseForFolderCreation" value="false" />
   <add key="ForceLowerCaseForUploadedFiles" value="false" />
 
   <!-- Place galleries under media folder. Recommended for new sites -->
   <add key="ImageGalleryUseMediaFolder" value="true" />
 
   <!-- Take advantage of latest search improvements -->
   <add key="DisableSearchFeatureFilters" value="false" />
   <add key="SearchUseBackwardCompatibilityMode" value="false" />
   <add key="EnableSearchResultsHighlighting" value="true" />
 
   <!-- Allow admins to easily rebuild search index when needed -->
   <add key="ShowRebuildSearchIndexButtonToAdmins" value="true" />
  
   <!-- Prevent leaking of hidden information through search -->
   <add key="SearchIncludeModuleRoleFilters" value="true" />
 
   <!-- custom value below to prevent other Silverlight apps from logging into the server -->
   <add key="SilverlightClientKey" value="our_key" />
 
   <!-- SMTP Settings -->
   <add key="SMTPServer" value="our_server" />
   <add key="SMTPUser" value="our_user" />
   <add key="SMTPUseSsl" value="false" />
   <add key="SMTPPort" value="25" />
   <add key="SMTPTimeoutInMilliseconds" value="30000" />
 
   <add key="SearchResultsPageSize" value="20" />
 
   <add key="FolderGalleryPreviewWidth" value="800" />
 
   <!-- Customize hiding/unhiding of menus throughout different parts of the site --> 
   <add key="HideMenusOnLoginPage" value="true" />
   <add key="HideMenusOnRegisterPage" value="true" />
   <add key="HideMenusOnPasswordRecoveryPage" value="true" />
   <add key="HideMenusOnChangePasswordPage" value="true" />
   <add key="HideAllMenusOnProfilePage" value="false" />
   <add key="HidePageMenuOnProfilePage" value="true" />
   <add key="HideAllMenusOnMyPage" value="false" />
   <add key="HideMenusOnSiteMap" value="false" />
   <add key="HidePageMenusOnSiteMap" value="true" />
   <add key="SuppressMenuOnBuiltIn404Page" value="false"/>
 
   <!-- Alter page title - may make it better for SEO -->
   <add key="PageTitleFormatName" value="TitlePlusSite" />
 
   <!-- Specify a custom config file name for potential custom profile options -->
   <add key="mojoProfileConfigFileName" value="our_profile.config" /> 
 
   <!-- Don't show the Google search on the 404 page -->
   <add key="EnableGoogle404Enhancement" value="false"/>
 
   <!-- We need to be able to force host name, so the SSL will work correctly.
        This is also good for SEO optimization purposes, or so I hear -->
   <add key="AllowForcingPreferredHostName" value="true" />
    
   <!-- NOTE: The following should be disabled on a development server only! -->
   <add key="CombineCSS" value="true" />
   <add key="MinifyCSS" value="true" />
   <add key="CacheCssOnServer" value="true"/>
   <add key="CacheCssInBrowser" value="true"/>

</appSettings>
 

11/17/2010 9:39:11 AM

Re: mojoPortal configuration question? Look here first

Hi Jamie,

Thank you for your work on this! I am sure it will prove to be very valuable to a lot of people.

Thanks,
Joe D.

12/10/2010 5:36:24 PM
No, I have not been untrue. Into deepest old age...

Re: mojoPortal configuration question? Look here first

Hi all,

I just started discovering mojoPortal and I have a question about mojoEncryption.config:

Joe wrote: "For best security, you should generate your own RSA Key and put it here before you start using the site."

How do I generate an RSA key, and from where?

I read all the related documentation and looked at the following research and sources, with no result:

http://msdn.microsoft.com/en-us/library/5e9ft273(v=VS.100).aspx

http://assl.sullof.com/assl/asp_example/RSAKeyGenerator.asp

I even downloaded "PUTTYGEN"...!

Can you explain this point, please?

Regards

 

12/11/2010 5:30:11 PM
No, I have not been untrue. Into deepest old age...

Re: mojoPortal configuration question? Look here first

Any suggestions or help here will be appreciated!
 

12/11/2010 7:36:30 PM
Proud member of the mojoPortal team

Re: mojoPortal configuration question? Look here first

Hi there, in my original post in this thread I did document a way to generate an RSA key using the aspnet_regiis program, which is delivered with the .NET framework itself:

<!-- Custom generated RSA key file
Steps used to generate the key:
C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis -pc "MyKeys" -exp
C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis -px "MyKeys" "c:\temp\keys.xml" -pri
-->
<add key="mojoCryptoHelperKeyFile" value="~/our_file.config" />
 

However, I have since learned that the mojoCryptoHelperKeyFile setting is obsolete (all encryption is done via the Machine Key), so this setting and RSA key generation are not needed any longer to secure mojoPortal. I will edit my original post to reflect this so as to not cause any confusion.

Hope that helps,

Jamie

12/11/2010 11:14:11 PM
No, I have not been untrue. Into deepest old age...

Re: mojoPortal configuration question? Look here first

Thank you, small tips; major keys.

12/12/2010 8:02:52 AM

Re: mojoPortal configuration question? Look here first

Hi Guys,

Just to clarify a few things. We have kept these legacy settings for crypto helper to prevent breaking existing sites. For new sites we have this setting in the user.config.sample file:

<add key="UseLegacyCryptoHelper" value="false" />

so that new installations will use the newer logic by default, but this setting is not present in Web.config so that existing sites that upgrade are not affected. So basically this setting toggles the crypto helper to use the new logic instead of the old logic, which needed this crypto key. The new logic uses the same encryption as the membership provider, which encrypts passwords based on the machine key, so no extra key is needed.

If someone upgrading wants to use the new logic they can add this setting to user.config but if they already had encrypted data they may need to clear those values out and then reset them after the change.

The other thing to know is that this cryptohelper is used only in a few places in mojoPortal (but could also be used in existing custom features that people may be using), but basically we use crypto helper to encrypt sensitive data that we may want to store in the db. For example by default smtp settings go in web.config appSettings section, but it is possible to configure it to use settings from the database (via Site Settings) (so that in a multi site installation the settings can be different per site). So in this case we encrypt the smtp user password. 

But other than that it is not used very much in mojoPortal.

Best,

Joe

12/12/2010 9:16:56 AM
Proud member of the mojoPortal team

Re: mojoPortal configuration question? Look here first

Hey Joe, do you know the version cutoff where this key was still being used?

Thanks!

12/12/2010 9:21:00 AM

Re: mojoPortal configuration question? Look here first

The legacy implementation of cryptohelper is still being used unless you add the new setting to user.config:

<add key="UseLegacyCryptoHelper" value="false" />

The new implementation and this setting which enables it were introduced in 2.3.5.5.

Best,

Joe
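
A way to check a site against the settings discussed in this thread, as an added example (not part of the original posts and not mojoPortal code): it merges web.config and user.config with user.config taking precedence, then reports where the security-related keys differ from the thread's sample, including the case where UseLegacyCryptoHelper is absent from both files. The expected values, the extension deny-list and the sample inputs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Keys whose security purpose is stated in the thread, with the value its sample
# uses. Treating any other value as a finding is this example's assumption.
EXPECTED = {
    "DisableSetup": "true",
    "SSLIsAvailable": "true",
    "UseSslForLdap": "true",
    "SearchIncludeModuleRoleFilters": "true",
    "UseLegacyCryptoHelper": "false",  # absent means the legacy helper is used
}
# Constructed deny-list: extensions a Windows/ASP.NET host may execute or load.
RISKY_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".ascx", ".config", ".exe", ".dll"}

# Constructed sample input: an upgraded site that never added the new crypto key.
SAMPLE_WEB = """<configuration><appSettings>
  <add key="DisableSetup" value="false" />
  <add key="SSLIsAvailable" value="false" />
  <add key="SearchIncludeModuleRoleFilters" value="true" />
</appSettings></configuration>"""
SAMPLE_USER = """<?xml version="1.0" encoding="utf-8"?>
<appSettings>
  <add key="DisableSetup" value="true" />
  <add key="SSLIsAvailable" value="true" />
  <add key="AllowedUploadFileExtensions" value=".gif|.jpg|.pdf|.ASPX" />
</appSettings>"""

def load_settings(xml_text):
    """Return {key: value} from the appSettings section of a config file."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    section = root if root.tag == "appSettings" else root.find("appSettings")
    adds = [] if section is None else section.findall("add")
    return {e.get("key"): e.get("value", "") for e in adds}

def audit(web_config_xml, user_config_xml):
    """Merge both files (user.config overrides) and list settings to review."""
    settings = {**load_settings(web_config_xml), **load_settings(user_config_xml)}
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set, built-in default applies")
        elif got.strip().lower() != want:
            findings.append(f"{key}: is '{got}', thread sample uses '{want}'")
    allowed = settings.get("AllowedUploadFileExtensions", "").lower().split("|")
    for ext in sorted(RISKY_EXTENSIONS.intersection(e.strip() for e in allowed)):
        findings.append(f"AllowedUploadFileExtensions: allows {ext}")
    return findings
```

Calling `audit(SAMPLE_WEB, SAMPLE_USER)` returns three findings for the constructed inputs: the two keys missing from both files and the `.ASPX` upload extension.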
