Of course. Let's break down the global.cfg file in the context of the DEDE (DedeCMS) system, focusing on its role, common configurations, and the importance of security.
What is global.cfg in DEDE?
In DedeCMS, global.cfg is a core configuration file. It's a plain text file that contains essential settings that control the basic behavior of your entire website. Unlike other configuration files that might be specific to a single module (like config_inc.php for the member system), global.cfg provides global settings that affect the whole application.
Key Characteristics:
- Location: It's typically found in the root directory of your DedeCMS installation:
/data/config.cache.inc.php.- Note: You might see a file named
global.cfgin the/include/directory, which is often a template or source for the main config file. The active, live configuration is almost always the cached version in/data/.
- Note: You might see a file named
- Format: It's a PHP file that defines variables, not a standard
.inior.xmlfile. - Caching: The file is often generated from the database settings for performance. Changing settings in the DedeCMS admin panel (系统 -> 系统基本参数) will usually update this file.
- Criticality: This is a highly sensitive file. Its exposure could lead to a complete takeover of your website.
Common Variables and Settings Explained (mc)
While you didn't specify what "mc" stands for, in the context of DedeCMS configuration, it's likely a shorthand or a typo. The most important and commonly referenced settings in global.cfg are often related to *MySQL connection (`cfgdb)** and **caching (cfg_cache)**.
Here are the most critical variables you'll find in global.cfg:
Database Connection (cfg_db_*)
These variables define how DedeCMS connects to your MySQL database. If these are exposed, your database is completely vulnerable.
cfg_dbhost: The hostname or IP address of your MySQL server (e.g.,localhostor0.0.1).cfg_dbname: The name of your DedeCMS database.cfg_dbuser: The username used to connect to the database.cfg_dbpwd: The database password. This is one of the most sensitive pieces of information in the file.cfg_dbprefix: The prefix for all DedeCMS tables in your database (e.g.,dede_). This allows multiple DedeCMS installations to share the same database.
Example Snippet:
// Database connection settings $cfg_dbhost = 'localhost'; $cfg_dbname = 'my_dedecms_db'; $cfg_dbuser = 'dede_user'; $cfg_dbpwd = 'a_very_strong_password_123!'; $cfg_dbprefix = 'dede_';
Caching Settings (cfg_*cache*)
DedeCMS uses caching to improve performance by storing frequently accessed data (like channel lists) in files instead of querying the database every time.
cfg_html_cache: This is a crucial setting for static page generation.Yor1: HTML caching is ON. When you generate a page, DedeCMS will save a static.htmlfile. This is very fast for visitors.Nor0: HTML caching is OFF. Pages are generated dynamically on each visit. This is necessary for sites with frequent updates or user-specific content.
cfg_cache_dir: The directory where cached files are stored (e.g.,/data/cache/).
Example Snippet:
// Caching settings $cfg_html_cache = 'Y'; // Set to 'N' to disable HTML caching $cfg_cache_dir = '/data/cache';
Other Common Global Settings
$cfg_cmspath: The absolute server path to your DedeCMS installation (e.g.,/home/username/public_html).$cfg_basehost: The full URL to your website's root (e.g.,https://www.yourdomain.com).$cfg_indexurl: The URL to your homepage (often the same as$cfg_basehost).$cfg_mb_open:YorN. Determines if the member (user) system is enabled.$cfg_mb_face:YorN. Determines if member avatars are enabled.
Security and Best Practices
The global.cfg file is a prime target for hackers. Its security is paramount.
CRITICAL: File Permissions
The /data/ directory and the config.cache.inc.php file within it should NOT be writable by the web server.
- Recommended Permissions:
- Directory (
/data/):755 - File (
config.cache.inc.php):644
- Directory (
You can set these via SSH or your hosting control panel's file manager.
Why? If a hacker can write to this file, they can change the database credentials to point to their own database (where they've uploaded a malicious shell) or modify other critical settings to take over your site.
Protect with .htaccess
An extra layer of security is to deny direct access to the file via the web server. You can do this by adding the following code to an .htaccess file in your /data/ directory.
Create a file named .htaccess in /data/ with this content:
<Files "config.cache.inc.php">
Order allow,deny
Deny from all
</Files>
This tells the Apache web server to block any attempt to access config.cache.inc.php directly through a browser.
Never Share Publicly
Never post the contents of your global.cfg file on a public forum, GitHub, or anywhere else. It contains all the keys to your kingdom.
Regular Backups
Keep regular backups of this file. If your site is ever compromised and the file is modified, you can restore it from a clean backup.
Summary
| Aspect | Description |
|---|---|
| What it is | A core PHP configuration file (/data/config.cache.inc.php) that controls global DedeCMS settings. |
| Key Purpose | Defines database connections, caching behavior, and other fundamental site-wide options. |
| Most Important Vars | $cfg_dbhost, $cfg_dbname, $cfg_dbuser, $cfg_dbpwd (Database) and $cfg_html_cache (Performance). |
| Security Level | EXTREMELY HIGH. Exposure can lead to a full website takeover. |
| Best Security Practices | Set file permissions to 644 for the file and 755 for the /data/ directory.Protect the file with an .htaccess rule to block web access.Never share its contents publicly. |
