Settings

Settings is the panel’s control room. Fifteen tabs cover every configurable surface: how the panel looks, how the business bills, how RADIUS authenticates, how notifications go out, who can log in, what the network looks like, what TLS certificate to use, which API keys are issued, how TR-069 works, what parental controls are available, and what your own admin account looks like.

Almost every value is stored in the system_preferences table as a key/value pair, fetched via GET /api/settings. Tabs hidden in SaaS mode (e.g., HA Cluster, Network, SSL) are not relevant to tenants of a shared instance.

How to get here

Sidebar → Settings (gear icon).
Direct URL: /settings or /settings?tab=billing to deep-link to a specific tab.

Requires settings.view. Most edits require settings.edit. Some tabs require additional permissions — Network needs settings.network, License needs admin.

Tabs

Tab	What it controls
Branding	Company name, logo, favicon, login background, primary color, footer copyright, tagline, feature boxes.
General	System timezone, language, date format, default permissions, maintenance windows.
Billing	Currency, tax rate, invoice prefix, PDF paper size, bank details on invoices, collector reschedule window.
Service Change	Whether customers can change plan from the portal, whether resellers can. Prorated billing settings.
RADIUS	Daily quota reset time, FUP enforcement strategy, CoA port, WAN check toggle, generic-RADIUS vendor support.
Notifications	SMTP, SMS, WhatsApp gateway credentials (alias of Communication Rules Channels tab).
Security	2FA enable, password policy, session timeout, JWT blacklist, brute-force lockouts, admin IP whitelist.
My Account	Your own profile and password.
License	License key, server fingerprint, change-server, check for updates, restart services.
HA Cluster	Configure as main, join as secondary, promote-to-main, recover-from-server.
Network	In-panel netplan editor with 60-second test mode, interface table, route table.
SSL Certificate	Upload your own cert, Let’s Encrypt automation.
API Keys	Issue keys for third-party integrations.
TR-069 (ACS)	ACS URL, credentials, periodic-inform interval.
Parental Control	Per-subscriber category blocking.

In SaaS mode the Cluster, Network, SSL, and License tabs are hidden — these are infrastructure-level and managed by the SaaS operator, not by tenants.

Branding

Drives the look and feel:

Company name — shown in the sidebar, on the login page, and as the default email “From” name.
Logo — uploaded image, replaces the company name in the sidebar when present.
Favicon — browser tab icon.
Login background — replaces the default gradient on the login page (max 5 MB).
Primary color — picker with 17 presets and CSS variable injection. The same picker also tints individual menu items.
Footer copyright / tagline / feature boxes — all configurable; the three feature boxes on the login page can be hidden entirely.

All uploads use signed handlers (UploadLogo, UploadLoginBackground, UploadFavicon) that validate file type and size before storing in /opt/proxpanel/frontend/dist/uploads/ (bind-mounted into nginx).

General

Timezone — drives backup scheduler, daily quota reset, expiry sweeps. Set per tenant in SaaS mode. The API container has tzdata installed so all named zones (Asia/Beirut, America/New_York, etc.) resolve.
Date format — DD/MM/YYYY, MM/DD/YYYY, YYYY-MM-DD.
Maintenance windows — define future windows during which scheduled tasks pause (e.g., a planned reboot during the daily quota reset would otherwise miss the reset).

Billing

Most of the heavy lifting around invoices and collectors:

Currency — symbol and decimal precision.
Tax rate — applied to invoice line items by default.
Invoice prefix and number format — e.g., INV-2026-{seq} for a yearly counter.
PDF paper size — 17 options (see Billing & Invoices for the full list).
Bank details — printed at the bottom of every PDF invoice.
Collector reschedule window — failed assignments reappear N days later.

RADIUS

Daily quota reset time — HH:MM in your configured timezone. The DailyQuotaResetService zeroes daily counters at this time.
FUP enforcement strategy — radreply + CoA + MikroTik API (default), CoA only, or disconnect on FUP.
CoA port — 1700 (MikroTik default) or 3799 (RFC). Configurable per panel.
WAN check — periodically pings each NAS’s WAN IP; turn off in tightly-firewalled environments.
Vendor support — Cisco / Juniper / Huawei / generic-RADIUS toggle (v1.0.518–525).

Security

Two-factor authentication — Per-user. The Setup endpoint generates a TOTP secret and QR. Users scan with Google Authenticator or 1Password and enter the 6-digit code to confirm. After enabling, login requires both password and code.
Password policy — min length, must-contain-digit, must-contain-special, expiration days.
Session timeout — JWT lifetime; defaults to 24 hours. Reducing it forces more-frequent re-logins, helpful for high-security environments.
JWT blacklist — tokens invalidated on logout are added; subsequent uses are rejected.
Brute-force lockouts — 5 fails = 15-minute lockout, 10 = 1 hour, 20 = 24 hours.
Admin IP whitelist — optional; if non-empty, admin logins from outside the list are refused.

Theme

In Branding, the same primary color picker also exposes 17 CSS-variable colors — sidebar, top bar, primary buttons, success/warning/danger accents, table-row hover, etc. The variables are injected into a <style> tag at runtime so the change is instant; no rebuild required.

System Info

SystemInfo (under the General tab in some views, or its own sub-page on others) detects the deployment environment:

Detection priority	Source
LXC container	`/proc/1/environ` contains `container=lxc`
Docker container	`/.dockerenv` exists
VM (KVM, VMware, Hyper-V, Xen)	`/sys/class/dmi/id/product_name` matches
Physical server	Default if nothing above matches

The panel strongly recommends physical or VM deployment. LXC and Docker are flagged with a warning banner — /proc/stat and /proc/meminfo inside an LXC or Docker container show the host’s metrics, not the container’s, making System Metrics on the Dashboard misleading.

The same page surfaces: CPU model and cores, total / used memory, total / free disk + type (NVMe / SSD / HDD), OS / kernel version, uptime, and a capacity estimate (cores × 2000 × storage_multiplier).

Cluster

See the dedicated HA Cluster tab for setup-main / join-secondary / promote / recover flows. Standalone is the default — change only if you’re running multi-server HA.

Network

The Network tab is an in-panel netplan editor with TrueNAS-style 60-second test mode.

How TestNetworkConfig works:

You change interface IP / gateway / DNS on screen and click Apply.
The handler writes the new netplan, runs netplan try which applies the change and waits 60 seconds.
If you click Confirm within 60 seconds, the change is committed.
If you don’t (because you lost connectivity and can’t reach the panel anymore), netplan reverts automatically — your old config is back and you can try again.

The Network tab also detects DHCP, shows multi-interface dropdowns (filtered to exclude Docker bridges and veth pairs), and emits a clear warning when the server is on DHCP — strongly recommends converting to static.

privileged: true and /etc/netplan bind-mount are required on the API container for the netplan editor to work; the install script sets both.

License

License key + change server — Change Server resets the hardware binding so the same license can be activated on new hardware (see Settings → License).
Check for Updates — calls the license server’s update endpoint. New version available → Install Update downloads, verifies checksum, replaces binaries, restarts containers via Docker API (or systemd-watcher fallback).
Restart services — Restart API or Restart All (API + RADIUS + Frontend). Useful after a failed update or after changing core settings.

Common workflows

Change the daily quota reset time

Settings → RADIUS.
Set Daily quota reset time to e.g. 00:05.
Confirm the timezone shown above matches your operating timezone.
Save. The DailyQuotaResetService picks up the new schedule on its next tick (within 60 seconds).

Convert the server from DHCP to static IP

Settings → Network. Confirm the DHCP warning banner is visible.
Click Convert DHCP → Static. Fill in IP, gateway, DNS.
Click Apply — the page starts a 60-second countdown.
Confirm you can still load the panel. If yes, click Confirm before the countdown ends. Done.
If you lose connectivity, do nothing — the change reverts automatically in 60 seconds.

Enable 2FA on your admin account

Settings → My Account → Two-Factor.
Click Set up 2FA. A QR appears.
Scan with your authenticator app. Enter the 6-digit code to confirm.
Save recovery codes — they’re the only way back in if you lose your authenticator.
Log out and log back in to confirm 2FA prompts as expected.

Permissions

Permission	What it gates
`settings.view`	Open the page and most read-only tabs.
`settings.edit`	Edit settings (per-tab additional checks may apply).
`settings.network`	Use the Network tab.
`settings.security`	Edit the Security tab.
`settings.license`	Change server, install updates, restart services.
`settings.wan_check`	(resellers only) Configure per-reseller WAN check port.

Admins have all permissions implicitly. Resellers without any of the above see the page in read-only mode for the tabs they can view.

Backups — backup-related settings live here and are summarised on the Backups page.
Communication Rules — full template editor for notifications.
Audit Logs — every settings change is audited.
Users & Permissions — assigning the settings.* permissions.
License Server — the License tab interacts with the central license server.