Configuration file
This section describes the Canvus Connect server configuration file mt-canvus-server.ini. You can modify this file directly or you can adjust some of the settings through the Canvus Connect server web UI.
About mt-canvus-server.ini
There are two versions of mt-canvus-server.ini on each Canvus server:
- An example version is provided for reference purposes only. It contains all configuration settings currently supported by the Canvus server. When you update the Canvus server, the existing example version is overwritten by a new example version.
- A working version of mt-canvus-server.ini is used to configure Canvus server operations. The working version is retained if you update Canvus server. After updating, you will need to manually add any new settings to the existing working version of mt-canvus-server.ini.
Note
When you configure the Canvus server, you must always edit the working version of the configuration file!
See server-config-file for default locations of the configuration file.
Specify external URL
For Canvus server to display correct links to shared canvases, it needs to know the URL under which it is reachable by your users. For example, https://canvus.example.com.
[system]
; URL on which Canvus will be reachable. If empty, will be set to use a
; detected hostname and system/port with scheme set to HTTPS if ssl/enabled is
; true (otherwise HTTP).
; DEFAULT: empty
; external-url=
Specify database
You must provide the server with details about the database that you set up during server-install.
[sql]
; Settings for PostgreSQL data storage
; PSQL server port to use
; DEFAULT: 5432
; port=5432
; Name of the database to use
; DEFAULT: empty
; databasename=
; Set the username for DB login.
; DEFAULT: empty
; username=
; Set the password for DB login.
; DEFAULT: empty
; password=
Note
Canvus server must be restarted for these changes to take effect.
Define accepted connections
Canvus server uses a single port to listen for connections. It accepts Canvus clients using a proprietary TCP/SSL protocol and web browsers accessing the web UI using HTTP(S). The arriving traffic is multiplexed based on protocol.
Canvus can optionally redirect HTTP traffic from port 80 to the port on which it listens for SSL/HTTPS connections.
If you enable encrypted SSL connections, you may also want to set up certificates (see server-configuration-certificates).
; The address where the server will listen for the connections
; DEFAULT: 0.0.0.0 (all available networks)
; address=0.0.0.0
; Port where the server will listen for the connections
; DEFAULT: 80 for TCP protocol
; DEFAULT: 443 for SSL protocol (if system/ssl-enabled is true)
; port=443
; Enable encrypted HTTPS or TLS connections to the server. If disabled, only
; unencrypted HTTP or TCP connections are supported.
; DEFAULT: true
; ssl-enabled=true
; If enabled, the server listens to HTTP connections on port 80 and redirects
; them to the SSL port. This is only used if system/ssl-enabled is true and
; system/port is different from 80.
; DEFAULT: true
; http-redirect-enabled=true
Tip
For security reasons, we recommend using only encrypted SSL connections.
Note
Canvus server must be restarted for these changes to take effect.
Set up certificates for encrypted connections
If you want to encrypt connections between Canvus clients and the server, or between browsers and the Canvus dashboard, you need a digital certificate and must specify its location on the Canvus server.
Note
All files in the [certificates] block should be X.509 certificates in .pem format.
[certificates]
; SSL certificate settings, shared between Canvus Connect server and the
; web UI. If all fields in this section are left empty but SSL is enabled, a
; new self-signed certificate is created automatically.
; Certificate file name (.pem). This is the digital certificate issued by
; your Certificate Authority (CA). Make sure the certificate common name
; matches the domain name in system/external-url.
; DEFAULT: empty
; certificate-file=
; Certificate private key file name (.pem).
; DEFAULT: empty
; certificate-key-file=
; Certificate chain file name (.pem). This is the intermediate certificate
; issued by your CA.
; DEFAULT: empty
; certificate-chain-file=
Tip
If you leave these values empty but set system/ssl-enabled to true, Canvus will generate self-signed certificates during startup and use them automatically.
The automatically generated certificates are placed in the following locations:
- Windows: %PROGRAMDATA%\MultiTaction\canvus\server\certificates
- Ubuntu: /etc/MultiTaction/canvus/server/certificates
Note
Canvus server must be restarted for these changes to take effect.
However, if you later renew existing certificate files on disk (e.g. with Let's Encrypt), you can run mt-canvus-server --reload-certs to make the server reload the certificates without a restart.
Define authentication methods
Canvus server supports multiple authentication methods for users. You can also configure which authentication methods can be used to sign up.
Tip
You can also configure authentication methods from the web UI.
[authentication]
; Enables authentication using email and password
; DEFAULT: true
; password-enabled=true
; Enables creation of new local accounts
; Applies only if password authentication is enabled
; DEFAULT: true
; password-sign-up-enabled=true
; Enables authentication using SAML
; DEFAULT: false
; saml-enabled=false
; Enables creating new accounts using SAML authentication
; Applies only if SAML authentication is enabled
; DEFAULT: true
; saml-sign-up-enabled=true
; Enables QR code authentication
; DEFAULT: true
; qr-code-enabled=true
; Comma separated list of domains allowed for creating new accounts (both SAML and local)
; Wildcards are allowed in the domain names
; Example: sign-up-allow-list=multitaction.com,gmail.com,*.gov
; DEFAULT: *
; sign-up-allow-list=*
; When enabled, any user signing up and creating an account will have to be approved
; by an administrator before they can sign in
; DEFAULT: false
; require-admin-approval=false
Configure SAML authentication
Canvus server can be configured to act as a SAML 2.0 Service Provider (SP). This allows Canvus to consume assertions from a SAML Identity Provider (IdP) to authenticate users.
You must first configure SAML 2.0 support in Canvus and then register Canvus server in your SAML IdP.
Tip
You can configure SAML from the web UI.
[saml]
; ACS URL
; DEFAULT: empty
; acs-url=
; SP Entity ID
; DEFAULT: canvus
; sp-entity-id=canvus
; IDP target URL
; DEFAULT: empty
; idp-target-url=
; IDP Entity ID
; DEFAULT: empty
; idp-entity-id=
; IDP X509 certificate SHA256 fingerprint
; IDP certificate is supposed to be included in SAML response
; Example: 2C:16:23:31:0B:39:B7:0F:EE:54:4F:ED:A3:92:20:FD:BA:24:24:33:8F:A1:80:CE:9E:C5:97:83:2A:D5:B0:DE
; DEFAULT: empty
; idp-cert-fingerprint=
; NameID format
; Should be one of the values listed in http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf §8.3
; DEFAULT: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
; name-id-format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
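The following is an added example, not part of the Canvus documentation or product: it derives a value for idp-cert-fingerprint from an IdP certificate in .pem format, in the colon-separated uppercase form of the example above, and checks a configured value against a certificate. The function names and the sample bytes are assumptions of this example; whether Canvus accepts other spellings of the fingerprint is not stated on this page, so the generated value follows the documented example exactly.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder bytes wrapped in PEM armor; not a real certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Decode the first certificate in a .pem file to its DER bytes."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def sha256_fingerprint(pem_text):
    """SHA-256 over the DER encoding, as colon-separated uppercase hex pairs."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fingerprint):
    """Strip colons/whitespace so two spellings of one fingerprint compare equal."""
    hex_only = re.sub(r"[:\s]", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", hex_only):
        raise ValueError("not a SHA-256 fingerprint")
    return hex_only

def matches_config(configured_value, pem_text):
    """True if the idp-cert-fingerprint value pins the given certificate."""
    return hmac.compare_digest(normalize(configured_value),
                               normalize(sha256_fingerprint(pem_text)))

if __name__ == "__main__":
    print("idp-cert-fingerprint=" + sha256_fingerprint(SAMPLE_PEM))
```

If the IdP publishes its certificate as part of a chain file, only the first block is hashed here, so pass the signing certificate itself rather than the chain.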
Codice folders
Canvus allows content to be stored in special folders associated with Codice markers. These folders are called Codice folders.
This feature is always enabled on the Canvus server. No configuration steps are required to enable it. Some behavior of the feature can be controlled by modifying the following settings.
Enforce Codice folder passwords
Codice folders can be protected by a password that must be entered before the contents of the folder can be accessed by a user. The password can be made mandatory by adjusting the following setting:
[system]
; Set to true if all newly-created personal folders must be protected by a
; password.
; DEFAULT: false
; enforce-personal-folder-password=false
Note
This setting has no effect on any Codice folders on the server that were created before the setting was enabled.
Enforce Codice folder registration
A Codice folder can be either anonymous or registered. Anonymous Codice folders are only linked with a specific Codice card. A registered Codice folder additionally has the user's name and email address associated with it.
To disallow anonymous Codice folders, the registration can be made mandatory by adjusting the following setting:
[system]
; Set to true if all newly-created personal folders must be registered with
; a valid name and email address. If false, personal folders can be
; anonymous and just attached to a Codice marker.
; DEFAULT: false
; enforce-personal-folder-registration=false
Note
This setting has no effect on any Codice folders on the server that were created before the setting was enabled.
Info
- client-personal-folder-cards in the client installation manual.
- codice-cards in the user manual.
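The following is an added example, not part of the Canvus documentation or product: a Python check that reads a working mt-canvus-server.ini, applies the defaults documented above for keys that are absent or commented out, and lists the security-relevant settings worth reviewing. The function name, the sample file and the choice of what to flag are assumptions of this example.

```python
import configparser

# Defaults documented on this page; used when a key is absent or commented out.
DEFAULTS = {
    "system/ssl-enabled": "true", "system/external-url": "",
    "system/enforce-personal-folder-password": "false",
    "certificates/certificate-file": "", "saml/idp-cert-fingerprint": "",
    "authentication/password-enabled": "true", "authentication/saml-enabled": "false",
    "authentication/password-sign-up-enabled": "true",
    "authentication/saml-sign-up-enabled": "true",
    "authentication/sign-up-allow-list": "*",
    "authentication/require-admin-approval": "false",
}
# Constructed sample of a working config, for demonstration only.
SAMPLE_INI = """[system]
external-url=http://canvus.example.com
[authentication]
saml-enabled=true
[system]
enforce-personal-folder-password=true
"""

def audit(ini_text):
    # strict=False merges repeated [system] blocks; interpolation off keeps '%' literal.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)
    def get(path):
        return cp.get(*path.split("/"), fallback=DEFAULTS[path]).strip()
    def on(path):
        return get(path).lower() == "true"
    out = []
    if not on("system/ssl-enabled"):
        out.append("system/ssl-enabled: only unencrypted HTTP/TCP connections")
    elif not get("certificates/certificate-file"):
        out.append("certificates/certificate-file: empty, self-signed cert is generated")
    if on("system/ssl-enabled") and get("system/external-url").lower().startswith("http://"):
        out.append("system/external-url: http:// scheme while SSL is enabled")
    local = on("authentication/password-enabled") and on("authentication/password-sign-up-enabled")
    saml = on("authentication/saml-enabled") and on("authentication/saml-sign-up-enabled")
    if (local or saml) and get("authentication/sign-up-allow-list") == "*" \
            and not on("authentication/require-admin-approval"):
        out.append("authentication/sign-up-allow-list: open sign-up without admin approval")
    if on("authentication/saml-enabled") and not get("saml/idp-cert-fingerprint"):
        out.append("saml/idp-cert-fingerprint: SAML enabled but no IdP certificate pinned")
    if not on("system/enforce-personal-folder-password"):
        out.append("system/enforce-personal-folder-password: Codice folders may lack a password")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INI)))
```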
Advanced configuration settings
The Canvus server configuration file contains additional settings not documented in this manual. These settings are used to configure advanced Canvus server operations. You do not need to change these settings from their default values unless instructed to do so by MultiTaction support staff.