Now that you've successfully installed SupportPal, we recommend carrying out the following as your first steps when getting started.
Login to the Operator Panel
It is best to first log in to the operator panel and walk through the getting started guide. Further information about the various settings available can be found in the Configuration section.
Please note that the frontend (for your users) and the operator panel are separate areas; your login will only work on the operator panel.
There are a number of immediate steps that you can take to ensure the security of your new installation:
Ensure Pretty URLs is working
Ensuring redirection rules are correctly enabled is critical to prevent unauthorised access to sensitive file stores.
All URLs served by SupportPal should not include `/index.php` within them. If your URLs contain `/index.php` then our web server redirection rules are not enabled or are misconfigured.
Apache web server
SupportPal ships with a `.htaccess` file. If the included `.htaccess` file doesn't work automatically, you may need to set the `AllowOverride` directive in the Apache configuration to `All` and ensure that the `mod_rewrite` module is enabled.
Other web servers
Use and adapt our example configurations found at New Installation.
You may just need to toggle the Settings > Pretty URLs field if it is not already enabled.
`https` ensures encrypted transport of communication between your customers and your server. A number of third-party integrations require your installation to use `https`. We recommend redirecting `http` traffic to `https` using web server redirects.
Please consult your web server documentation for steps on how to achieve this.
Change default operator Panel directory
Change the default operator panel URL prefix from admin to something that only your staff know. The prefix can be updated using the Settings > Admin Folder field in the operator panel.
Configure HTTP Headers
Scan your installation using https://securityheaders.com/. There are a number of headers that we suggest enabling:
- X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.
- X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type.
- X-XSS-Protection (`X-XSS-Protection: 1; mode=block`) sets the configuration for the XSS Auditor built into older browsers.
- Referrer-Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
- Strict-Transport-Security should be used after enabling SSL. It strengthens the implementation of TLS by getting the User Agent to enforce the use of HTTPS.
- Content-Security-Policy is a new method of enforcing what a user agent can load on a given page. It supersedes `X-XSS-Protection` in modern browsers. All content loaded by SupportPal is served from your servers so the majority of policy directives should be set to
`style-src` need to permit
Please consult your web server documentation for steps on how to configure these headers.
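The checks in the Pretty URLs, `https` and HTTP headers sections above can be run against a captured response with the following added example (it is not SupportPal's own code or documentation). The hostname and the two sample responses are constructed; the script reads raw response headers on stdin, so a live check is `curl -sI http://yourhost/ | audit_headers`.

```shell
# Added example, not from SupportPal: audit one HTTP response's headers.
# Typical use: curl -sI http://helpdesk.example.com/ | audit_headers
# (helpdesk.example.com is a placeholder hostname).

# Headers recommended above; matched case-insensitively.
WANTED="x-frame-options x-content-type-options x-xss-protection referrer-policy strict-transport-security content-security-policy"

# audit_headers: reads raw response headers on stdin, prints one line per
# finding and returns 0 only when there is nothing to report.
audit_headers() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    rc=0
    for name in $WANTED; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$name:"; then
            echo "MISSING $name"
            rc=1
        fi
    done
    # A plain-http request should be redirected to an https URL, and the
    # target must not expose /index.php (that means the rewrite rules are off).
    if printf '%s\n' "$hdrs" | grep -q '^location: http://'; then
        echo "WARN    redirect target is not https"
        rc=1
    fi
    if printf '%s\n' "$hdrs" | grep -q '^location: .*/index\.php'; then
        echo "WARN    redirect target contains /index.php"
        rc=1
    fi
    return $rc
}

# Constructed sample responses (not captured from a real server).
SAMPLE_GOOD=$(printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nReferrer-Policy: strict-origin-when-cross-origin\r\nStrict-Transport-Security: max-age=31536000\r\nContent-Security-Policy: default-src %s\r\n' "'self'")
SAMPLE_BAD=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: http://helpdesk.example.com/index.php\r\n')

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_GOOD" | audit_headers && echo "good sample: no findings"
    printf '%s\n' "$SAMPLE_BAD" | audit_headers || echo "bad sample: findings listed above"
fi
```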
Verify the Cron is Running
As the cron job is used to send out emails amongst many other tasks, it is paramount that it is running successfully. You can verify it is running by going to Settings > General > Scheduled Tasks: the status bar will be green and all the tasks will have a recent last run time. Otherwise, check over the configuration of the cron job, including that the PHP CLI configuration (usually different from the web server process) also passes the system requirements.
We highly recommend subscribing to errors generated by the cron. On Linux, this can be achieved using the `MAILTO` setting.
By default, SupportPal expects your help desk to be available to the public.
If you intend to keep your installation private behind a firewall then you'll need to make some changes in order to ensure customers can access email attachments and more. Before proceeding with this approach though, you should be aware of its shortcomings:
- `gif` image types can be embedded; all other types will be added as attachments.
- By default, a cumulative embed limit of `10 MB` exists (this is separate to the Cumulative Attachment Limit setting in the operator panel). Any embedded images which exceed this size will be added as attachments.
- Potential memory and performance issues when sending large attachments via the cron job. The larger the images/attachments that you choose to accept, the higher the likelihood that you'll run into such issues. Thus it's important to decide on sensible values when configuring the below settings.
If you're happy with the above shortcomings, then please follow the below steps to use SupportPal behind a firewall.
Edit your MySQL configuration file:
- Set a sensible `max_allowed_packet`. Embedded images tend to use up to three times the size of the original image, for example a `3 MB` image would be `9 MB` when embedded.
Edit your PHP configuration file for both the web server and the cron (these are usually two separate files):
- Set a sensible `upload_max_filesize`. This will prevent users/operators from uploading large files, we would recommend to keep this below
- `post_max_size` is larger than or equal to
- `post_max_size`. You may wish to disable the `memory_limit` completely on the cron. As mentioned above, sending a `30 MB` attachment via email may require `~90 MB`, so this can rapidly increase when there are multiple large attachments/images.
Edit SupportPal settings:
- Browse to Settings > General > Email in the operator panel and increase/disable the Cumulative Attachment Limit. Any attachments which exceed the limit will not be attached. If you choose to disable the cumulative attachment limit then you must ensure you have sufficient memory on your server to handle sending large attachments. The speed of the cron job will also dramatically slow down.
- Browse to Settings > Tickets > General and adjust/disable the Allowed Attachment File Types to account for additional image formats (tiff, bmp, webp, etc.). Otherwise the user will receive a notification saying that certain attachments / images could not be processed.
For more information on modifying configuration files, please read: Updating Config Files
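The MySQL and PHP limits from the steps above can be sanity-checked from the shell with the following added example (not SupportPal's own code). It assumes the three-times growth of embedded images stated above and that `post_max_size` must be at least `upload_max_filesize`; the `php -r` and `mysql` commands in the closing comment are how the live values would be read, and the demo values are constructed.

```shell
# Added example, not from SupportPal: sanity-check attachment-related limits.
# Values may be given as PHP/MySQL shorthand (8M, 512K, 2G), plain bytes,
# or -1 (PHP's "unlimited").

# to_bytes: 8M -> 8388608, 512K -> 524288, -1 -> -1
to_bytes() {
    n=${1%[KkMmGg]}
    case ${1#"$n"} in
        [Kk]) echo $((n * 1024)) ;;
        [Mm]) echo $((n * 1024 * 1024)) ;;
        [Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)    echo "$n" ;;
    esac
}

# check_limits UPLOAD_MAX_FILESIZE POST_MAX_SIZE MAX_ALLOWED_PACKET
# Returns 0 when both constraints hold, 1 otherwise:
#  - post_max_size must be >= upload_max_filesize
#  - an image of upload_max_filesize can grow to ~3x when embedded, so
#    max_allowed_packet should leave room for that worst case
check_limits() {
    up=$(to_bytes "$1"); post=$(to_bytes "$2"); packet=$(to_bytes "$3")
    rc=0
    if [ "$post" -ge 0 ] && [ "$post" -lt "$up" ]; then
        echo "post_max_size ($2) is smaller than upload_max_filesize ($1)"
        rc=1
    fi
    embed=$((up * 3))
    if [ "$packet" -lt "$embed" ]; then
        echo "max_allowed_packet ($3) is below the ~3x embedded size of a $1 image ($embed bytes)"
        rc=1
    fi
    return $rc
}

# Reading the live values (the cron uses PHP CLI; the web server's php.ini
# may differ, so repeat the check with that SAPI's settings):
#   UP=$(php -r 'echo ini_get("upload_max_filesize");')
#   POST=$(php -r 'echo ini_get("post_max_size");')
#   PACKET=$(mysql -N -e 'SELECT @@max_allowed_packet')
#   check_limits "$UP" "$POST" "$PACKET"
```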