Configuration
The configuration file
The firewall is configured in one PHP file:
- Composer-based installation:
config/system/phirewall.php - Classic installation:
typo3conf/system/phirewall.php
The file returns a closure. The closure receives the TYPO3 event dispatcher
and returns a configured Flowd\Phirewall\Config object:
<?php
use Flowd\Phirewall\Config;
use Flowd\Phirewall\Store\PdoCache;
use Psr\EventDispatcher\EventDispatcherInterface;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Utility\GeneralUtility;
return function (EventDispatcherInterface $eventDispatcher): Config {
// 1. The store keeps counters for rate limiting and bans. See the Storage page.
$cache = new PdoCache(GeneralUtility::makeInstance(ConnectionPool::class)->getConnectionForTable('phirewall_cache')->getNativeConnection());
$config = new Config($cache, $eventDispatcher);
// 2. Add your rules here.
$config->blocklists->add(
name: 'block-wp-admin',
callback: fn($request) => str_starts_with(strtolower($request->getUri()->getPath()), '/wp-admin')
);
return $config;
};
The closure receives the TYPO3 event dispatcher. Pass it to the Config
object as shown above; the effective configuration always uses the TYPO3
event dispatcher, so event logging and the Statistics view work even
when your file does not pass it on.
All rule types (safelists, blocklists, throttles, fail2ban, allow2ban, tracks) and their options are documented in the phirewall documentation. They work exactly the same way inside this file. See Examples for TYPO3 recipes.
What the extension adds automatically
The extension builds its defaults first and merges your configuration file on top. Your file wins on every name clash, so it can override each default by using its name.
- Client IP resolver
- When your configuration does not call
$config->setIpResolver(), the extension sets a resolver that usesGeneralUtility::getIndpEnv('REMOTE_ADDR'). This applies TYPO3'sreverseProxyIPsettings, so rules see the real visitor address behind a reverse proxy or CDN. When no address can be resolved, the resolver returnsnulland rules that key on the client IP skip the request. Details: Trusted proxies. - Backend managed block patterns
- The block patterns from the backend module are
added first as the blocklist rule
typo3-blocklist, and they stay active even when your configuration file is missing. A rule with the same name in your file replaces them, so only define a rule namedtypo3-blocklistwhen you want to take over the backend managed patterns yourself.
Behavior without a configuration file
When the file is missing, the extension falls back to a default
configuration. When the file exists but is broken, the extension logs the
problem and uses the same fallback: a warning when the file does not return
a closure or the closure does not return a Config object, an error when
loading the file fails, for example with a syntax error or an exception:
- Store:
InMemoryCache(nothing persists between requests) - Rules: only the backend managed block patterns
The website keeps working. Note that rate limiting and bans need a real store, so create the configuration file for any protection beyond static block patterns.