Open Journal Systems (OJS) relies on a central configuration file, config.inc.php, which serves as the backbone for customizing and controlling the entire platform. This configuration file encompasses critical settings that determine how your journal system operates, from fundamental infrastructure choices to advanced security measures.

The configuration file allows you to customize crucial aspects such as database connections, caching mechanisms (including options like Memcache, XCache, and APC), file storage configurations, and email server settings. Whether you’re setting up a production environment with enhanced security measures (such as SSL enforcement and secure session management) or configuring a development instance with debugging capabilities, understanding these settings is crucial for maintaining a robust and efficient journal platform.

Key areas covered by the configuration file include:

  • Database configuration for stable data management
  • Security protocols, including password encryption and API key management
  • Caching mechanisms for improved performance
  • File storage and management settings
  • Email server configuration for reliable communication
  • Localization options for multilingual support
  • Development and debugging tools
  • Interface customization options
  • Integration with external services

This guide provides a detailed explanation of each setting within the config.inc.php file, helping you understand not only what each option does but also how it affects your journal’s operation. Whether you’re launching a new journal, optimizing performance, enhancing security, or troubleshooting issues, having a thorough understanding of these configuration options is essential.

Use this resource as your reference to ensure your OJS installation is properly configured, secure, and optimized for your specific needs.

Please note: These settings may require adjustments based on your server, hosting environment, and specific infrastructure. It’s essential to proceed carefully when making any changes, and always back up your configuration and data before applying updates. For detailed guidance or customized support, don’t hesitate to reach out to us or consult with OJS experts to ensure your platform remains stable, secure, and optimized.

1. General Settings

  • installed: Indicates whether OJS has been installed. The installer normally sets this to On automatically once installation is complete.
  • base_url: The main URL for the OJS installation, excluding the trailing slash. For example, "https://yourdomain.com".
  • session_cookie_name: Specifies a unique name for the session cookie. Set unique names if running multiple OJS instances to prevent session conflicts.
  • session_cookie_path: Defines the session cookie path. If not set, it defaults to the base path detected by the server.
  • session_lifetime: Determines the number of days a login session remains valid if “Remember Me” is selected. For example, 30 means the session remains active for 30 days.
  • scheduled_tasks: Enable scheduled tasks by setting this to On. This allows tasks like automated backups and email notifications to run.
  • time_zone: Sets the system’s time zone. Refer to lib/pkp/registry/timeZones.xml for a complete list of supported time zones. For example, time_zone = "Europe/Istanbul".
  • date_format_short / date_format_long / datetime_format_short / datetime_format_long / time_format: Defines date and time formats for display. %Y is the year, %m is the month, %d is the day, %I:%M %p is the time.
  • disable_path_info: Enables the use of URL parameters instead of CGI PATH_INFO. This option is generally left as Off unless server compatibility requires otherwise.
  • allow_url_fopen: Allows reading from URLs using PHP’s fopen(...) function. Typically set to Off due to security concerns, especially on modern servers.
  • base_url[index] / base_url[myJournal]: Override the base URL for specific journals. For example, base_url[index] = http://myUrl.com for the index page and base_url[myJournal] = http://myUrl.com/myJournal for a specific journal.
  • restful_urls: Enable RESTful URLs with mod_rewrite. Set to On and configure .htaccess for this to work.
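  • trust_x_forwarded_for: Set to On if you are behind a reverse proxy and want OJS to take client IP addresses from the X_FORWARDED_FOR header. This defaults to On if unset for backward compatibility. When no trusted proxy sits in front of OJS, the header comes straight from the client, so set this to Off explicitly.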
  • citation_checking_max_processes: The maximum number of citation-checking processes that may run in parallel. Setting between 3 and 10 is generally recommended.
  • show_upgrade_warning: Displays an upgrade notification to the site admin and journal managers if a new version is available. It’s generally good to leave this On.
  • enable_minified: Minifies JavaScript files. Set to Off for debugging or development.
  • enable_beacon: Shares a unique site ID and OAI base URL with PKP for statistics and security alerts. Leaving this On is recommended.
  • sitewide_privacy_statement: Determines whether to use a single site-wide Privacy Statement or separate ones for each journal. Set to On for a single statement.

2. Database Settings

  • driver: Specifies the database driver, usually mysqli or postgres.
  • host: Database server address, typically localhost.
  • username / password: The database username and password.
  • name: The name of the database, e.g., "ojs_database".
  • port / unix_socket: The database port or Unix socket file. Leave commented out if not needed.
  • collation: The database collation type. utf8_general_ci is recommended for UTF-8 character support.
  • debug: Enables verbose database debug output. Set to On only for development environments.

3. Cache Settings

  • object_cache: Sets the type of object data caching. Options are:
    • memcache: Uses the memcache server configured below.
    • xcache: Uses the xcache variable store.
    • apc: Uses the APC variable store.
    • none: Disables caching.
  • memcache_hostname and memcache_port: Memcache server hostname and port, typically localhost and 11211. Configure according to your server.
  • web_cache: Enables local flat-file caching for frequently accessed pages. This is helpful for high-traffic open-access journals. Set to On with caution.
  • web_cache_hours: Defines the number of hours for which the web cache is valid before it is refreshed.

4. Localization Settings

  • locale: Default locale setting, e.g., en_US for English or tr_TR for Turkish.
  • client_charset: Sets the character set for the client interface. Typically utf-8.
  • connection_charset: The database connection character set. Recommended to set as utf8.

5. File Settings

  • files_dir: The directory path for storing uploaded files. For security, this directory should not be directly web-accessible.
  • public_files_dir: Directory for publicly accessible files, specified as a relative path from the OJS base directory.
  • public_user_dir_size: Sets a storage limit in kilobytes (KB) for each user’s public files directory. Example: 5000 KB.
  • umask: The permissions mask for created files and directories. Default is 0022.
  • filename_revision_match: Percentage similarity between filenames to be considered a possible revision. Default is 70.

6. Fileinfo (MIME) Settings

  • mime_database_path: Path to the MIME database file. Generally not required, but custom paths can be set if needed.

7. Security Settings

  • force_ssl: Forces SSL (HTTPS) site-wide. It’s recommended to set this to On for secure connections.
  • force_login_ssl: Forces SSL only for login pages.
  • session_check_ip: Invalidates a session if the user’s IP changes. Provides additional security but can cause issues for proxy users.
  • encryption: Specifies the hashing algorithm for user passwords, either md5 or sha1. sha1 is more secure, though neither is considered strong for password storage by current standards.
  • salt: Unique salt for password reset hashes. Use a strong, unique string for added security.
  • api_key_secret: Unique secret used to encode and decode API keys.
  • reset_seconds: Expiration time in seconds for password reset hashes. Default is 7200 seconds (2 hours).
  • allowed_html: Defines HTML tags allowed in restricted fields, e.g., "a[href|target|title],em,strong".

8. Email Settings

  • smtp: Enables SMTP email sending. Typically set to On.
  • smtp_server and smtp_port: SMTP server address and port number, e.g., smtp_server = yourdomain.com, smtp_port = 587.
  • smtp_auth: Specifies SMTP authentication type, either tls or ssl.
  • smtp_username and smtp_password: Credentials for the SMTP server.
  • smtp_suppress_cert_check: Disables SMTP certificate verification. Not recommended, because the mail server’s identity is then no longer checked.
  • allow_envelope_sender and default_envelope_sender: Enables a custom envelope sender. Specify an address if desired.
  • force_default_envelope_sender and force_dmarc_compliant_from: Forces a DMARC-compliant from header for email security.
  • time_between_emails: Sets a minimum time (in seconds) between non-editorial emails to reduce spam.
  • max_recipients: Limits the maximum number of recipients per email for non-privileged users.
  • require_validation and validation_timeout: Requires email address validation for login and sets the expiration time for unvalidated accounts.

9. Search Settings

  • min_word_length: Defines the minimum indexed word length for searches. Set to 3 to index shorter words.
  • results_per_keyword: Maximum search results fetched per keyword. Higher numbers may increase server load.
  • index[application/pdf] / index[application/postscript] / index[application/msword]: Specifies helper programs for indexing non-text files like PDFs and Word documents.

10. OAI Settings

  • oai: Enables the Open Archives Initiative (OAI) front-end. Set to On for OAI-PMH compliance.
  • repository_id: Sets a unique repository identifier for the OAI. Typically, something like oai.yourdomain.com.
  • oai_max_records: Maximum number of records per OAI request. Default is 100.

11. Interface Settings

  • items_per_page: Number of items displayed per page, defaulting to 25. Can be overridden per journal.
  • page_links: Maximum number of page links displayed at once.

12. Captcha Settings

  • recaptcha: Enables ReCaptcha for spam protection.
  • recaptcha_public_key and recaptcha_private_key: Keys for Google ReCaptcha. Obtainable from Google’s ReCaptcha site.
  • captcha_on_register: Enables Captcha for user registration to prevent spam.
  • recaptcha_enforce_hostname: Enforces hostname verification in the ReCaptcha response.

13. External Commands

  • tar: Path to the tar command for backup and translation packaging plugins. Typically /bin/tar.
  • xslt_command: Specifies a path to an external XSLT processor if needed.

14. Proxy Settings

  • http_proxy and https_proxy: Proxy configurations for HTTP and HTTPS if required.

15. Debug Settings

  • show_stacktrace: Shows a stack trace on fatal errors. Enable only in development.
  • display_errors: Displays errors when something goes wrong. Set to Off in production.
  • deprecation_warnings: Shows warnings for deprecated functions.
  • log_web_service_info: Logs web service request info for debugging.

16. Curl Settings

  • cainfo: Specifies a custom CA certificate path for cURL calls.

17. iThenticate Plugin Settings

  • ithenticate: Enables iThenticate for plagiarism checking.
  • username and password: Credentials for iThenticate’s API.

Recommended Configuration Tips for Security, Performance, and Reliability

  1. Security Settings:
    • SSL Enforcement: Enable force_ssl = On to secure site-wide connections, and set force_login_ssl = On to secure login pages. These settings protect user data, especially on login and registration pages.
    • Session Security: Set session_check_ip = On to make session hijacking harder, though this may cause issues for users on dynamic IPs or behind proxies.
    • Password Encryption: Use encryption = sha1 (or a stronger hashing algorithm if available) for more secure password storage.
    • Unique Salt for Password Resets: Customize the salt setting to a unique, strong value, providing added protection to password recovery processes.
    • DMARC Compliance: If needed, use force_default_envelope_sender and force_dmarc_compliant_from to ensure email compliance with DMARC policies, reducing email rejection or spam filtering.
  2. Performance Optimization:
    • Enable Caching: Select an appropriate caching option under object_cache (e.g., memcache, xcache, or apc). This improves load times and reduces server load.
    • Set Web Cache for High Traffic: For high-traffic sites, enable web_cache = On with an optimal web_cache_hours value to reduce repeated database queries for static pages.
    • Minify JavaScript: Set enable_minified = On to reduce file sizes and speed up page load times.
    • Limit Citation Checking Processes: Adjust citation_checking_max_processes between 3 and 10, depending on server capacity, to prevent overloading with parallel tasks.
  3. Database Stability:
    • Database Collation: Set collation = utf8_general_ci (or a preferred UTF-8 collation) to support international character encoding.
    • Enable Debug Mode Only in Development: Use debug = Off in production to avoid exposing sensitive information and improve database performance.
  4. Email Configuration:
    • SMTP Security: Use smtp_auth = tls or ssl for email encryption, and keep smtp_suppress_cert_check = Off if possible to maintain email security.
    • Limit Email Frequency: Set time_between_emails to prevent spam abuse, and max_recipients to control the number of recipients per email.
    • Configure Envelope Sender: For reliable email delivery, especially with DMARC policies, configure default_envelope_sender and consider enabling force_default_envelope_sender.
  5. Development and Debugging:
    • Enable Debugging for Development Only: Use show_stacktrace = Off, display_errors = Off, and deprecation_warnings = Off in production to avoid exposing internal error details to visitors and maintain a clean user experience.
    • Use Custom Certificates with cURL: If required, set cainfo to a specific CA certificate for secure API and external requests.
  6. Other Recommendations:
    • Regularly Check for Updates: Leave show_upgrade_warning = On to get notifications for new releases, which often include security and performance enhancements.
    • Restrict Allowed HTML Tags: Limit allowed_html to essential tags only, reducing risks from harmful HTML elements in user-generated content.

This checklist helps ensure a robust, secure, and high-performing OJS platform, offering peace of mind for administrators managing journal sites.
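The security items in the checklist above can be verified mechanically. The following audit script is an added example, not part of OJS or of the original guide. It assumes the section names of the stock OJS template ([general], [database], [security], [email], [debug]); the minimum secret length is a threshold chosen for this example, and the sample configuration is constructed.

```python
import configparser

# (section, key, must_be_on, finding), taken from the recommendations above.
# Section names assume the stock OJS template; absent keys are read as Off.
BOOL_RULES = [
    ("security", "force_ssl", True, "HTTPS is not enforced site-wide"),
    ("security", "session_check_ip", True, "sessions are not tied to client IP"),
    ("general", "allow_url_fopen", False, "fopen() on URLs is enabled"),
    ("database", "debug", False, "database debug output is enabled"),
    ("debug", "show_stacktrace", False, "stack traces are shown"),
    ("debug", "display_errors", False, "errors are displayed"),
    ("email", "smtp_suppress_cert_check", False, "SMTP certificate check is off"),
]
SECRETS = [("security", "salt"), ("security", "api_key_secret")]
MIN_SECRET_LEN = 16  # threshold chosen for this example, not an OJS rule

def get(cp, section, key):
    return cp.get(section, key, fallback="").strip().strip('"')

def audit(text):
    # interpolation=None: date formats such as %Y-%m-%d contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=(";",))
    cp.read_string(text)
    findings = []
    for section, key, must_be_on, msg in BOOL_RULES:
        is_on = get(cp, section, key).lower() in ("on", "1", "true", "yes")
        if is_on != must_be_on:
            findings.append(f"{section}.{key}: {msg}")
    for section, key in SECRETS:
        if len(get(cp, section, key)) < MIN_SECRET_LEN:
            findings.append(f"{section}.{key}: empty or shorter than {MIN_SECRET_LEN}")
    return findings

# Constructed sample, not a real installation's config.
SAMPLE = """\
[database]
debug = On
[security]
force_ssl = On
session_check_ip = Off
salt = "changeme"
api_key_secret = ""
[email]
smtp_suppress_cert_check = On
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To audit a real installation, pass the contents of config.inc.php to audit(). Settings that default to On when unset, such as trust_x_forwarded_for, need their own rule because this script reads absent keys as Off.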
