Web Portal Settings

This chapter lists and describes the available configuration options for the TeamDrive Web Portal.

You can review and modify most of these via the TeamDrive Web Portal Admin Console by clicking Settings. Some settings are marked as read-only (“R/O”) and cannot be changed.

The settings are grouped into sections:

Admin Console

ExtAuthEnabled

Set this value to True to enable external authentication for the Administration Console. This should not be confused with the external authentication used by users of the Web Portal. See Administrator Login using External Authentication for details.

ExtAuthURL

This is the URL that is used by the Web Portal to verify the login of an Administrator, when using External Authentication. See Administrator Login using External Authentication for details.

ForceHTTPSUsage

Set to True if the Web Portal Admin Console must be accessed using HTTPS.

Language

This is the default language used by the Web Portal Admin Console.

MaxRecordsDisplayed

This setting determines the maximum number of records that may be retrieved from the database at any time. This parameter may only be changed by a Superuser.

SessionTimeout

This is the idle time in seconds after which you are required to login to the Web Portal Admin Console again.

UseTwoFactorAuth

Set to True to enable two-factor authentication for Superusers.

Note that this setting only applies to the user of the Web Portal Admin Console. The setting has nothing to do with the two-factor authentication used by the users of the portal, which is described in the section: How to Enable Two-Factor Authentication.

API

APIAccessList

A list of IPs which are allowed to access the API of the Web Portal.

APIChecksumSalt

To detect “man in the middle” attacks when sending API requests to the Web Portal, a random “salt value” is generated during the initial installation. The sender must add this salt value to the request before calculating the MD5 hash value of the API request content which will be sent to the Web Portal.

The checksum is included in the URL, so that the Web Portal can check whether the content was modified in transit.

This setting is read-only and can not be changed via the Admin web interface.
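
An added example, not part of the TeamDrive documentation or code, of how a receiver could apply APIAccessList and the salted checksum described above. The concatenation order (request content followed by salt), the checksum query parameter name, the comma-separated access list, the URL path and all function names are assumptions made for illustration; the salt and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import parse_qs, urlencode, urlsplit


def api_checksum(body: bytes, salt: str) -> str:
    """MD5 over the request content with the salt added.

    Assumption: the salt is appended after the content before hashing.
    """
    return hashlib.md5(body + salt.encode("utf-8")).hexdigest()


def build_request_url(base_url: str, body: bytes, salt: str) -> str:
    """Sender side: put the checksum into the URL (parameter name assumed)."""
    return base_url + "?" + urlencode({"checksum": api_checksum(body, salt)})


def accept_request(client_ip: str, url: str, body: bytes,
                   salt: str, access_list: str) -> str:
    """Receiver side: apply the IP allow list, then verify the checksum."""
    # APIAccessList: only the listed IPs may use the API
    # (a comma-separated list is assumed here).
    allowed = {ipaddress.ip_address(item.strip())
               for item in access_list.split(",") if item.strip()}
    if ipaddress.ip_address(client_ip) not in allowed:
        return "rejected: source IP not in APIAccessList"

    # Recompute the checksum over the content that actually arrived and
    # compare it with the one from the URL in constant time.
    sent = parse_qs(urlsplit(url).query).get("checksum", [""])[0]
    expected = api_checksum(body, salt)
    if not hmac.compare_digest(sent.lower().encode("utf-8"),
                               expected.encode("ascii")):
        return "rejected: checksum mismatch"
    return "accepted"


# Constructed sample values; the path is a placeholder, not a real endpoint.
SAMPLE_SALT = "constructed-salt-value"
SAMPLE_BODY = b"<request><command>example</command></request>"
SAMPLE_URL = build_request_url(
    "https://webportal.yourdomain.com/api-placeholder", SAMPLE_BODY, SAMPLE_SALT)
SAMPLE_ACCESS_LIST = "192.0.2.10, 192.0.2.11"

if __name__ == "__main__":
    print(accept_request("192.0.2.10", SAMPLE_URL, SAMPLE_BODY,
                         SAMPLE_SALT, SAMPLE_ACCESS_LIST))
    # Content changed after the checksum was calculated:
    print(accept_request("192.0.2.10", SAMPLE_URL, SAMPLE_BODY + b" ",
                         SAMPLE_SALT, SAMPLE_ACCESS_LIST))
```

The check only holds while the salt stays known to the legitimate sender and the Web Portal alone, since anyone holding it can compute a valid checksum for modified content.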

Authentication

AuthLoginPageURL

This is the URL of the login page that is used to log in using the external Authentication Service. See Configuring Active Directory / LDAP Authentication Services for details.

When AuthServiceEnabled is True, the Web Portal login page: https://webportal.yourdomain.com/portal/login.html, redirects to the page specified by this setting.

If AuthServiceEnabled is True, but this setting has no value, then the Portal Login page provided by the Registration Server (version 3.6 or later) is used by default.

The Registration Server Portal Login page also allows the use of Two-factor authentication using the Google Authentication App. In this case, Two-factor authentication can be set up using the page: https://webportal.yourdomain.com/portal/setup-2fa.html, which redirects to the web-page that provides this service on the Registration Server.

The Registration Server Portal pages are customisable using the templates provided. Details are available in the Registration Server documentation.

AuthServiceEnabled

Since version 2.0.5 of the Web Portal, the setting is only required if you want to use a specific Authentication Service.

If AuthServiceEnabled is False the Web Portal automatically uses external authentication as required by the user, provided you are using TeamDrive Agent 4.6.11.2656 or later (WEBCLIENT-335).

The 4.6.11.2656 agent first requires the user to enter an email (or username), and then, based on this input, the user is directed to the standard TeamDrive login or to the user’s external authentication service.

Note that the domain of the Web Portal must be registered with all External Authentication services used by the user of the portal. This is done by adding the domain of the Web Portal to the $allowed_origins configuration setting of the external service.

If your external authentication service does not support this configuration parameter, then it will need to be updated.

When RegistrationEnabled is set to True, you must ensure that AuthLoginPageURL (see AuthLoginPageURL) and AuthTokenVerifyURL (AuthTokenVerifyURL) are set correctly.

In this case the Web Portal will use the external authentication service specified by these settings. Only users of this authentication service may then login.

See Configuring Active Directory / LDAP Authentication Services for further details on using external authentication services.

AuthTokenVerifyURL

This URL is used to verify the token returned by the Authentication Service after a successful login by a TeamDrive user. See Configuring Active Directory / LDAP Authentication Services for details.

By default, this setting is set to the Registration Server Portal verification URL: https://<reg-server-domain>/portal/verify.html

LicenseBuyURL

This URL will be displayed for a user, if LicenseProfessionalRequired is set and the user has no professional license.

LicenseProfessionalRequired

Login at the Web Portal requires a professional license for the user.

RegistrationEnabled

Set to True in order to allow users to register directly from the Web Portal. By default this value is set to False.

The setting RegistrationURL (see RegistrationURL) specifies the URL that provides the registration page.

When RegistrationEnabled is set to True there are 2 possibilities, depending on whether AuthServiceEnabled (AuthServiceEnabled) is set to True or False.

If AuthServiceEnabled is True, then registration uses the external Authentication Service mechanism which results in the user being logged-in, immediately after registration.

When AuthServiceEnabled is True, it is possible to use the customisable registration page provided by the Registration Server (version 3.6 or later). In this case RegistrationURL must not be set (see RegistrationURL).

If AuthServiceEnabled is False, then the TeamDrive Agent Web-GUI provides a “Register Now” button in the login dialog, which references the page specified by RegistrationURL.

In this case, the page referenced by RegistrationURL is a custom developed web-page which performs registration using the Registration Server API and then redirects to the Web Portal login page: https://webportal.yourdomain.com/portal/login.html.

RegistrationURL

This URL references a Web-page where a user can register as a TeamDrive user. Alternatively, if an external Authentication Service is being used, this page allows users to register with this service.

This page will only be used if RegistrationEnabled is set to True.

The Web Portal register page: https://webportal.yourdomain.com/portal/register.html, automatically redirects to the page.

If RegistrationEnabled is True, but this setting has no value, then the Portal Registration page provided by the Registration Server (version 3.6 or later) is used by default. In this case, AuthServiceEnabled (see AuthServiceEnabled) must be set to True.

If RegistrationEnabled is True and AuthServiceEnabled is False then this setting must reference a custom developed web-page which performs registration using the Registration Server API and then redirects to the Web Portal login page: https://webportal.yourdomain.com/portal/login.html.

UseEmbeddedLogin

This setting determines whether the Web Portal uses the embedded, or non-embedded form of external login / registration.

External authentication can be embedded in the TeamDrive Web GUI, or the external authentication pages can be used directly. Set UseEmbeddedLogin to True in order to use the embedded login form.

By default, UseEmbeddedLogin is set to False if you upgrade from a previous version of the Web Portal that was using external authentication, otherwise, the default is True.

Accessing the Web Portal domain, for example: https://webportal.yourdomain.com, will automatically present the login in the embedded or non-embedded form, as specified by UseEmbeddedLogin.

You can now use “explicit” links to the login page in order to set the default provider code and language, for the login or registration.

For the non-embedded login form use the following explicit link:

https://webportal.yourdomain.com/portal/login.html?dist=CODE&lang=LG

and for the embedded login form use the following explicit link:

https://webportal.yourdomain.com/extauth/login.html?dist=CODE&lang=LG

where CODE is the provider code, and LG is the language code, for example en or de.

Note that the external authentication service must be able to handle the specified provider code and language.

Docker Settings

ContainerDatabases

This setting allows you to specify an alternative path for the SQLite databases used by the containers. If empty (the default value) then the SQLite database is placed with the rest of the data in the ContainerRoot directory.

When specified, the user-specific directory in this location will be mounted in the container under the path: “/teamdrive/dbs”. However, this path will only be used if you build a new image using the TeamDrive Agent version 4.6.12.2637 or later.

This version of the client supports the “--database-path” option which allows you to specify an alternative path for the SQLite database. When ContainerDatabases is set, the image build process will automatically add this option to the start parameters of the agent (see @USEDATABASEPATH in the BuildDockerfile setting).

ContainerHosts

Specify a list of hosts and IP addresses that should be added to the “/etc/hosts” file of the container when it is started.

Use the same format as used in the “/etc/hosts”, for example:

192.168.2.101   my.host.org alt.host.org
192.168.30.30   our.server.com

You can also use ; or , in order to separate lines, for example:

192.168.2.101 my.host.org alt.host.org;192.168.30.30 our.server.com

The Docker “ExtraHosts” parameter is used to add the hosts specified here to the container on startup, so changes only take effect if a container is re-created.
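
Because these entries override name resolution inside every container, it is worth validating the value before saving it. The following parser is an added example, not TeamDrive code: it accepts the three separators described above and produces entries in the hostname:IP form that Docker's ExtraHosts parameter expects. The function name and the strictness of the hostname check are assumptions.

```python
import ipaddress
import re

# One DNS label: letters, digits and hyphens, not starting or ending with "-".
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile("^" + _LABEL + r"(?:\." + _LABEL + ")*$")


def parse_container_hosts(value: str) -> list:
    """Convert a ContainerHosts value into a list of "hostname:IP" strings.

    Lines may be separated by a newline, ";" or ",", as described above.
    Raises ValueError for a bad IP address, a bad host name or a line
    that has an address but no host name.
    """
    extra_hosts = []
    for number, line in enumerate(re.split(r"[;,\n]", value), start=1):
        fields = line.split()
        if not fields:
            continue                      # empty line or trailing separator
        if len(fields) < 2:
            raise ValueError("entry %d: expected '<ip> <host> [<host> ...]'"
                             % number)
        ip = ipaddress.ip_address(fields[0])   # raises ValueError if invalid
        for name in fields[1:]:
            # Reject anything that could be misread once joined with ":".
            if len(name) > 253 or not _HOSTNAME.match(name):
                raise ValueError("entry %d: invalid host name %r"
                                 % (number, name))
            extra_hosts.append("%s:%s" % (name, ip))
    return extra_hosts


if __name__ == "__main__":
    # The two example values from the text above give the same result.
    multi_line = "192.168.2.101   my.host.org alt.host.org\n192.168.30.30   our.server.com"
    one_line = "192.168.2.101 my.host.org alt.host.org;192.168.30.30 our.server.com"
    print(parse_container_hosts(multi_line))
    print(parse_container_hosts(one_line) == parse_container_hosts(multi_line))
```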

ContainerIdleTimeout

This is a timeout value in seconds that determines when the TeamDrive Agent running in a container will automatically shut down, stopping the container. The default value is 15 minutes. A shutdown results in the user of the container losing their session information, and login is required on the next access.

The value set here specifies the value of the idle-shutdown-timeout client setting (see ClientSettings), which is written to the teamdrive.ini file.

If a SharedIniPath is specified then changes to this setting take effect when a container is restarted. Otherwise the Docker container image must be rebuilt for changes to take effect (see SharedIniPath for a description of why this is the case).

ContainerImage

This is the name of the image that must be used when creating a new container. See Upgrading the Database Structure and Docker Container Image for details.

Note that if the MinimumAgentVersion specifies a TeamDrive agent version that is higher than the version of the Agent specified by ContainerImage, then the container image used will be determined by MinimumAgentVersion.

ContainerRoot

This is the absolute path that references the directory in which all containers will store their user data.

Data in this location is stored in a sub-directory for each container. The sub-directory name is the username of the user of the container.

This user-specific directory is mounted in the container under the “/teamdrive/data” directory, which ensures that containers cannot access the data of other users.

ContainerStorageTimeout

This is the time, in minutes, that a container must be idle before its storage is removed. Zero means that the container storage is never deleted. See Upgrading the Database Structure and Docker Container Image for details.

CurrentGUIVersion

The version of the installed GUI package. The update process will retrieve or build a new Docker container (see update process for details). The GUI package will be extracted from this container and the HTML pages, images and JavaScript code will be located in the Apache document root. The GUI version should be identical to the ContainerImage version.

DockerHost

This is the host name and port of the Docker daemon which runs the containers. See Installing Docker for details.

MinDockerDataSpaceAvailable

A minimum value in GB for the available Docker data space on the storage (see https://docs.docker.com/storage/storagedriver/overlayfs-driver/). If the minimum value is reached, no more Docker containers will be created for new users. Set to 0 to disable checking the available Docker data space.

MinDockerMetaDataSpaceAvailable

A minimum value in GB for the available Docker meta data space on the storage (see https://docs.docker.com/storage/storagedriver/overlayfs-driver/). If the minimum value is reached, no more Docker containers will be created for new users. Set to 0 to disable checking the available Docker meta data space.

MinimumAgentVersion

This setting specifies the minimum TeamDrive Agent version that is required by the Web Portal. The setting may not be modified. If the current image used by containers has an Agent version that is earlier than MinimumAgentVersion, then an upgrade of the containers will be forced by the Web Portal. This means that users may experience a spontaneous logout.

Following upgrade, ContainerImage will be set to the required image.

MaxActiveContainer

A parameter to limit the currently active users. Set to 0 to disable the limitation.

OldImageRemovalTime

Use this setting to specify when containers with old images should be removed. You can set it to “now” to remove the containers immediately. If set to “never”, containers are only removed if the OldImageTimeout is exceeded. This value can also be set to a time (e.g. 03:00, format: hh:mm), or a date (format YYYY-MM-DD hh:mm). Note, if RemoveOldImages is False, this setting is ignored. See Upgrading the Database Structure and Docker Container Image for details.

OldImageTimeout

This is the time, in seconds, that a container with an old image must be idle before it is removed. Zero means the container is removed, even if it is running. Note, if RemoveOldImages is False, this setting is ignored. See Upgrading the Database Structure and Docker Container Image for details.

RemoveIdleContainerTime

This is the time, in seconds, that a container must be idle before it is removed. Zero means that containers are never removed. See Upgrading the Database Structure and Docker Container Image for details.

RemoveOldImages

Set to True if containers running an old image (i.e. not equal to ContainerImage) should be removed. See Upgrading the Database Structure and Docker Container Image for details.

SharedIniPath

Using SharedIniPath you can specify a global path for the teamdrive.ini file which is then used by all containers.

The recommended value for this setting is /teamdrive/$$global/ where /teamdrive is the value of ContainerRoot (see ContainerRoot). In other words, place the teamdrive.ini in a directory called $$global in the ContainerRoot path.

When you set this path, the Web Portal will automatically create the teamdrive.ini file in the SharedIniPath location. If there is a non-empty teamdrive.ini file at this path, then you will not be able to set SharedIniPath because the Web Portal overwrites the contents of this file.

Do not edit the teamdrive.ini file directly. Instead specify the client settings you require using the ClientSettings setting (see ClientSettings).

When SharedIniPath is used, changes to ClientSettings are written to the teamdrive.ini file when a container is restarted. If not, the teamdrive.ini file is built into the Docker container image, and changes only take effect after rebuilding the image.

Email Settings

EmailOriginHost

Specify the domain of the origin host, for emails sent by the server. See Enabling Two-Factor Authentication for Administrators for details.

EmailSendTimeout

Timeout in seconds, when sending an email. See Enabling Two-Factor Authentication for Administrators for details.

EmailReplyToAddress

This is the email address that will appear in the Reply-To header of the email, and will be used by the email client if the user attempts to reply to emails sent by the Web Portal. See Enabling Two-Factor Authentication for Administrators for details.

EmailSenderAddress

The email address of the sender. This address is not directly visible to the email receiver. If an email bounces, a message will be sent to this address. See Enabling Two-Factor Authentication for Administrators for details.

EmailSettingsToConfirm

A hash of the email settings that need to be confirmed before saving. See Enabling Two-Factor Authentication for Administrators for details.

SMTPServerHost

Domain name (and port) of the SMTP server used to send emails. See Enabling Two-Factor Authentication for Administrators for details.

General Settings

AllowedProviders

This is a list of Provider codes of the users that may login to the Portal. If empty, any user may login to the Portal.

Note

Changes to the list will not be recognized by running container instances. You have to stop all running instances manually.

ClientSettings

This is a list of settings for the TeamDrive Agent running in all containers belonging to the Web Portal. In addition to these settings, the Web Portal automatically sets sqlite-synchronous=normal and idle-shutdown-timeout (which depends on the value of ContainerIdleTimeout).

If the setting SharedIniPath (see SharedIniPath) is empty, then the client settings are added to the “/etc/teamdrive.ini” file which is built into the Docker container image.

If SharedIniPath is not empty, then the client settings are written to the teamdrive.ini file created in the directory specified by SharedIniPath.

This means that if the client settings are changed, they only take effect when the container is rebuilt, if SharedIniPath is not specified. If a SharedIniPath is given, then the client setting changes take effect when a container is restarted.

MaxLoginRate

This is the maximum number of logins to the Web Portal within one minute. The default value is 20. The logins are averaged over 10 minutes so it is possible to exceed this number in bursts.

The object of this setting is to prevent Denial of Service and other brute force attacks against the Web Portal login by automated systems.

As a result, only IP numbers used more than 4 times over the last 10 minutes count towards the total. This means that a login from a little-used IP address is not subject to this restriction.

If the rate is exceeded, the users will get an error message that login has been temporarily disabled for security reasons, and that they should try again in a few minutes.

In addition, an email is sent to the administrators of the Web Portal, specifying the current login rate. This helps administrators to identify attacks on the Web Portal login.
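
The counting rule described above can be modelled as a sliding window over the login log. This is an added sketch, not the Web Portal's implementation: it assumes a true 10-minute sliding window, that blocked attempts are still logged, and that "exceeded" means strictly greater than MaxLoginRate; the class and function names are hypothetical and the log data is constructed.

```python
from collections import Counter, deque

WINDOW_SECONDS = 600    # logins are averaged over 10 minutes
BUSY_IP_MIN_USES = 4    # only IPs used more than 4 times count towards the total


class LoginRateMonitor:
    """Sliding-window model of the MaxLoginRate rule (hypothetical class)."""

    def __init__(self, max_login_rate=20):
        self.max_login_rate = max_login_rate   # logins per minute, default 20
        self._events = deque()                 # (timestamp, ip), oldest first
        self._uses = Counter()                 # logins per IP inside the window

    def _expire(self, now):
        # Forget logins that have left the 10-minute window.
        while self._events and self._events[0][0] <= now - WINDOW_SECONDS:
            _, ip = self._events.popleft()
            self._uses[ip] -= 1
            if not self._uses[ip]:
                del self._uses[ip]

    def rate(self, now):
        """Logins per minute, counting only IPs used more than 4 times."""
        self._expire(now)
        counted = sum(n for n in self._uses.values() if n > BUSY_IP_MIN_USES)
        return counted / (WINDOW_SECONDS / 60)

    def login(self, ip, now):
        """Log one login attempt; return (allowed, rate_per_minute)."""
        self._expire(now)
        self._events.append((now, ip))
        self._uses[ip] += 1
        rate = self.rate(now)
        # A little-used IP is not subject to the restriction.
        busy = self._uses[ip] > BUSY_IP_MIN_USES
        return not (busy and rate > self.max_login_rate), rate


def replay_constructed_log():
    """Replay a constructed log: one address hammering the login, one user."""
    monitor = LoginRateMonitor(max_login_rate=20)
    first_blocked = None
    # 250 attempts from one address, one every 2 seconds (constructed data).
    for i in range(250):
        allowed, _ = monitor.login("203.0.113.7", now=i * 2)
        if not allowed and first_blocked is None:
            first_blocked = i + 1
    # A first-time address logs in while the limit is exceeded.
    user_allowed, rate = monitor.login("198.51.100.9", now=500)
    return {"first_blocked": first_blocked, "rate": rate,
            "user_allowed": user_allowed,
            "alert_admins": rate > monitor.max_login_rate}


if __name__ == "__main__":
    print(replay_constructed_log())
```

In the replay the single address is first refused on its 201st attempt, when its 10-minute average passes 20 logins per minute, while the first-time address still gets through. A burst of 30 logins in one minute averages to 3 per minute and is not refused.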

MaxLoginLogAge

The Web Portal keeps a log of the logins, which includes the login name, and the IP address of the user. This setting specifies how long the log entries are preserved. By default this is 48 hours.

The purpose of the log is to detect possible abuse or denial of service attacks aimed at the Web Portal.

PrimaryRegistrationServer

Web Portals can be connected to a number of Registration Servers. The Primary Registration Server must be selected from the servers that have been registered. This can be done from the Registration Server list.

ServerRoot

The installation directory of the Web Portal application. This setting is read-only, and cannot be changed after installation.

WebPortalDomain

This is the domain name (or URL) of this service.

WebPortalName

The name of this service. The name is displayed in the Web Portal Admin Console. The default value is the domain name of the service. The name is used for display purposes only, and may be set to any value.

Outgoing Connections

UseProxy

Set this value to True in order to enable the use of a proxy for all outgoing connections of the Web Portal, and the TeamDrive Agent running in the Docker environment.

ProxyHost

This is the domain name (or IP address) and port number of the proxy to be used for outgoing connections. If not set, the UseProxy setting will be ignored.

Note that this setting is used for both HTTP and HTTPS connections.

NoProxyList

This is a comma separated list of domains and IP addresses that are to be contacted without the use of a proxy.

ConnectionTimeout

The timeout in milliseconds when making outbound connections. The default is 30 seconds.

Build Image

The Build Image settings are used to build and, if necessary, customize the Docker container image for use with the Web Portal.

AgentCommandLineArgs

These are the command line arguments passed to the TeamDrive Agent when started in a container. This is a read-only value that is affected by the following settings: ContainerIdleTimeout, ContainerDatabases and SharedIniPath (see AgentDownloadURL, ContainerDatabases and SharedIniPath).

In addition, if SharedIniPath is empty, then the value set using ClientSettings will be added to the command line parameters.

When the container image is built, the value of this setting is substituted for the @COMMANDLINEARGS@ in the BuildDockerfile (see BuildDockerfile).

AgentDownloadURL

This URL is used to download the TeamDrive Agent archive (.tar.gz file).

By default the URL refers to the TeamDrive download portal:

http://s3download.teamdrive.net/{VERSIONSHORT}/{PROVIDERCODE}/linux-x86_64/{PRODUCTNAME}_agent_{VERSION}_el7.x86_64.tar.gz

Before usage, the following substitutions are made:

  • {PRODUCTNAME} is set to BuildProductName, after converting to all lowercase letters.
  • {PROVIDERCODE} is set to the value of the BuildProviderCode setting.
  • {VERSION} is set to the version of the Agent being built.
  • {VERSIONSHORT} is set to a short version of the version number of the archive, which does not include the “patch” number. Version numbers have the form: <major>.<minor>.<patch>.<build>

If you have your own download portal, you can remove the placeholders as required.

If the required TeamDrive Agent archive is found in the build folder (ImageBuildFolder) the Web Portal will not attempt to download the archive.

BuildBinaryName

BuildBinaryName is the name of TeamDrive Agent binary executable which is started when launching a Docker container. The executable is included in the Agent archive (.tar.gz file).

By default, this value is “teamdrived.bin”.

BuildDockerfile

The contents of the Dockerfile used by docker to build a new TeamDrive Agent image, as described in the Docker documentation: https://docs.docker.com/engine/reference/builder/.

A number of replacements are performed before the file is used:

  • @AGENTARCHIVE@ is set to the last component of the AgentDownloadURL setting.
  • @BINARYNAME@ is set to the value of the BuildBinaryName setting.
  • @COMMANDLINEARGS@ is set to the value of the AgentCommandLineArgs setting.
  • @PRODUCTNAME@ is set to BuildProductName, after converting to all lowercase letters.

Note the place-holder variable @IDLETIMEOUT@ (value of the ContainerIdleTimeout setting) has been deprecated. You should use @COMMANDLINEARGS@ instead as demonstrated by the default BuildDockerfile, as follows:

CMD [ \"./@BINARYNAME@\", @COMMANDLINEARGS@ ]

After substitution, the Web Portal uses the value of ImageBuildCommand to call docker to create the image.

BuildProductName

This is the customisable Product name. The default Product name is “teamdrive”.

Note that the Product name is required to be all lowercase letters.

This value is the first part of the name of the Agent archive (.tar.gz file) which contains the binary of the TeamDrive Agent, as specified by the last component of the AgentDownloadURL setting, for example: “teamdrive_agent_4.5.5.1838_el7.x86_64.tar.gz”.

When the Agent archive is unpacked, the Web Portal assumes that the top-level directory is the same as the value of this setting. In addition, when upgrading, the Web Portal will create a Docker image with a name of the form:

<build-product-name>/agent:<version-number>-<provider-code>.

The Web Portal also uses the image name to search the Docker hub before building a custom image.

BuildProviderCode

This is your 4 letter Provider code. This should correspond to the provider code specified in the DISTRIBUTOR file. By default, the Provider code is “TMDR”.

BuildWgetCommand

This is a shell command that calls the wget executable to download the TeamDrive Agent archive. Additional arguments (e.g. -O, -e and the download URL) will be added to this command as required.

The only reason to change this setting is to determine the “wget” executable to be used by adding a path, or to specify a different location for the log file.

Before usage, {BUILDFOLDER} is set to the value of the ImageBuildFolder setting.

If the wget call fails, check the “wget-log” log file for details.

DISTRIBUTORFile

This is the contents of the signed DISTRIBUTOR file to be used by the TeamDrive agent running in the container. This value replaces the contents of the DISTRIBUTOR file included in the Agent archive.

By default this value is empty, which means that the DISTRIBUTOR file in the Agent archive is used.

Please note that only signed DISTRIBUTOR files will be accepted. The signature will be checked during the creation of the Docker image and at each start of the agent.

The default contents for the TeamDrive Agent are as follows:

code=TMDR
reg-server-list-url=http://reg.teamdrive.net/pbas/td2as/lis/regserverlist.htm
reg-server-name=TeamDriveMaster
reg-server-url=http://reg.teamdrive.net/pbas/td2as/reg/
notification-url=http://notification.teamdrive.net/pbas/td2as/reg/
media-server-url=http://media.teamdrive.net/pbas/td2as/reg/
update-program-url=http://reg.teamdrive.net/pbas/td2as/upd/update.xml
balance-url=http://balance.teamdrive.net/pbas/td2as/bal/balance.xml
log-upload-url=http://logupload.teamdrive.com/upload.php
redirector-url=http://www.teamdrive.com/redirector.php
ping-url=http://ping.teamdrive.net/ping.xml

enable-provider-panel-android=false
enable-provider-panel-ios=false
enable-provider-panel-linux=true
enable-provider-panel-mac=true
enable-provider-panel-win=true

HttpConfigFolder

The path to the Apache folder for configuration files, “/etc/httpd/conf.d/” by default. There is no need to change this setting if you are running the Web Portal on CentOS 6 or CentOS 7.

HttpDocsFolder

This must be set to the path to the Apache documents folder. By default, the value is “/var/www/”. There is no need to change this setting if you are running the Web Portal on CentOS 6 or CentOS 7.

ImageBuildCommand

This is a shell command which calls the docker executable to build a new Docker image. The only reason to change this setting is to determine the “docker” executable to be used by specifying the path of the executable.

Before usage, the following substitutions are made:

  • {BUILDFOLDER} is set to the value of the ImageBuildFolder setting.
  • {PRODUCTNAME} is set to BuildProductName, after converting to all lowercase letters.
  • {PROVIDERCODE} is set to the value of the BuildProviderCode setting.
  • {VERSION} is set to the version of the Agent being built.

ImageBuildFolder

This is the folder in the filesystem where the files are created during the Docker image build process.

If the Agent archive cannot be downloaded then it may be copied manually to this directory before the build is initiated (see Installing the TeamDrive Agent Docker Image).

The DISTRIBUTOR file and the Dockerfile used to build the Docker image are created in this directory. Since these files are not deleted you can check the contents after the build is completed.