.. include:: Includes.txt ============= Configuration ============= The configuration file ====================== The firewall is configured in one PHP file: - Composer-based installation: ``config/system/phirewall.php`` - Classic installation: ``typo3conf/system/phirewall.php`` The file returns a closure. The closure receives the TYPO3 event dispatcher and returns a configured ``Flowd\Phirewall\Config`` object: .. code-block:: php getConnectionForTable('phirewall_cache')->getNativeConnection()); $config = new Config($cache, $eventDispatcher); // 2. Add your rules here. $config->blocklists->add( name: 'block-wp-admin', callback: fn($request) => str_starts_with(strtolower($request->getUri()->getPath()), '/wp-admin') ); return $config; }; The closure receives the TYPO3 event dispatcher. Pass it to the ``Config`` object as shown above; the effective configuration always uses the TYPO3 event dispatcher, so event logging and the :doc:`Statistics` view work even when your file does not pass it on. All rule types (safelists, blocklists, throttles, fail2ban, allow2ban, tracks) and their options are documented in the `phirewall documentation `__. They work exactly the same way inside this file. See :doc:`Examples` for TYPO3 recipes. What the extension adds automatically ===================================== The extension builds its defaults first and merges your configuration file on top. Your file wins on every name clash, so it can override each default by using its name. Client IP resolver When your configuration does not call ``$config->setIpResolver()``, the extension sets a resolver that uses ``GeneralUtility::getIndpEnv('REMOTE_ADDR')``. This applies TYPO3's ``reverseProxyIP`` settings, so rules see the real visitor address behind a reverse proxy or CDN. When no address can be resolved, the resolver returns ``null`` and rules that key on the client IP skip the request. Details: :doc:`TrustedProxies`. Backend managed block patterns The block patterns from the :doc:`backend module ` are added first as the blocklist rule ``typo3-blocklist``, and they stay active even when your configuration file is missing. A rule with the same name in your file replaces them, so only define a rule named ``typo3-blocklist`` when you want to take over the backend managed patterns yourself. Behavior without a configuration file ===================================== When the file is missing, the extension falls back to a default configuration. When the file exists but is broken, the extension logs the problem and uses the same fallback: a warning when the file does not return a closure or the closure does not return a ``Config`` object, an error when loading the file fails, for example with a syntax error or an exception: - Store: ``InMemoryCache`` (nothing persists between requests) - Rules: only the backend managed block patterns The website keeps working. Note that rate limiting and bans need a real store, so create the configuration file for any protection beyond static block patterns.