This page is about an old version of Active Collab that's not developed anymore.

Securing Your activeCollab

Even if activeCollab is very safe to use, there are a couple of security measures which can be taken in order to reduce unnecessary risk.

Install activeCollab Behind the Document Root

Installing activeCollab above the site root ensures that only files from the /public folder are publicly available, while all other files are not accessible on the web. Even though the system encodes file names and comes with .htaccess protection by default, the best approach for folders with sensitive data (/upload, /thumbnails and others) is to have them installed above the site root.

The following steps demonstrate how to install activeCollab with the /public folder as a document root:

1. Define a virtual host where http://intranet is mapped to the public folder of your activeCollab setup. You can do that like this:

<VirtualHost *>
  ServerName intranet
  DocumentRoot /Library/WebServer/Documents/intranet/public
</VirtualHost>

2. Install activeCollab by visiting http://intranet and starting the activeCollab install utility.

3. When you confirm that activeCollab is running properly, open config/config.php and add the following line to the block where all other configuration options are defined:

define('PUBLIC_AS_DOCUMENT_ROOT', true);

Important Notes on the Installation behind the Document Root Process

  • Sometimes the document root folder is not named public (it can be called public_html, web, etc.). In that case, put the content of the /public folder in your document root, run the installer and, when you're done, open config/config.php and make sure that PUBLIC_FOLDER_NAME is set to the correct value.
  • If you are using the .htaccess fix to have 100% clean URLs, you will need to put it in the /public folder and make appropriate changes to the rewrite rules.
  • Folders like /cache, /upload, /logs, and similar are protected by .htaccess files with rules that restrict direct access to files located in these folders. Your server will need to be configured to allow overriding using .htaccess files. To learn more, read the Apache documentation.

Use SSL Encryption

activeCollab is protocol agnostic, so if your server supports SSL and has proper certificates installed, it will work on HTTPS as well as on HTTP. All you need to do is to run the Installer on the proper protocol and your activeCollab will use the HTTPS URL automatically.

If you already have activeCollab installed on HTTP and decide to add the certificate later, you need to change the protocol in the config/config.php file by changing the line:

define('ROOT_URL', 'http://example.com/public');

into:

define('ROOT_URL', 'https://example.com/public');

After the update is made, don't forget to delete the files, except the .htaccess files, from the /cache and /compile folders of your activeCollab setup.
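
The settings from both sections above (document root layout and HTTPS) can be checked with a script. The following shell function is an added example, not part of activeCollab or its documentation; it assumes the folder names mentioned on this page and the define() syntax shown above, and the names audit_activecollab and make_sample are hypothetical.

```shell
#!/bin/sh
# Added example: audits an activeCollab tree against the steps on this page.
# Usage: audit_activecollab <install_dir> <document_root>
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_activecollab() {
  install_dir=$1 docroot=$2 rc=0
  cfg="$install_dir/config/config.php"

  # Only the public folder should be served: none of the folders the page
  # names may be reachable directly under the document root.
  for d in cache compile config logs thumbnails upload; do
    if [ -e "$docroot/$d" ]; then
      echo "EXPOSED $d is inside the document root"; rc=1
    fi
  done

  # The .htaccess files must survive the /cache and /compile cleanup.
  for d in cache compile logs upload; do
    if [ -d "$install_dir/$d" ] && [ ! -f "$install_dir/$d/.htaccess" ]; then
      echo "NO_HTACCESS $d has no .htaccess file"; rc=1
    fi
  done

  # Match only active define() lines, so a commented-out setting fails.
  if ! grep -Eq "^[[:space:]]*define\('PUBLIC_AS_DOCUMENT_ROOT',[[:space:]]*true\)" "$cfg" 2>/dev/null; then
    echo "CONFIG PUBLIC_AS_DOCUMENT_ROOT is not set to true"; rc=1
  fi
  if ! grep -Eq "^[[:space:]]*define\('ROOT_URL',[[:space:]]*'https://" "$cfg" 2>/dev/null; then
    echo "CONFIG ROOT_URL is not an https:// URL"; rc=1
  fi
  return $rc
}

# Constructed sample tree (not a real installation) for trying the audit.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/public" "$root/config" "$root/cache" "$root/upload"
  touch "$root/cache/.htaccess" "$root/upload/.htaccess"
  printf "%s\n" "<?php" "define('ROOT_URL', 'https://example.com');" \
    "define('PUBLIC_AS_DOCUMENT_ROOT', true);" > "$root/config/config.php"
  echo "$root"
}
```

Passing the installation folder itself as the document root reproduces the layout this page advises against, and the function then reports every sensitive folder as EXPOSED.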