Apr 23 2019
Apr 23

The ever increasing complexity and functionality of Drupal sites does not need to translate into increasingly steeper development costs.

In the past, Drupal sites were relatively homogeneous with the occasional multi-domain or multi-site implementation. Today, as sites become more complex, with features such as headless integration with non-Drupal software, the overhead of reproducing an environment locally can become very costly.  Docker was created to bridge the gap between a homogeneous Drupal implementation and a complex integration with non-Drupal software.  

Rather than running a full virtual machine locally, Docker emulates a given environment but still uses your operating system for better efficiency. This is done via "containers" for things like MySQL and PHP, enabling you to do things such as set a given PHP version for each site rather than system-wide. As a result, the process of increasing a site’s complexity has less of an impact on onboarding time.

To build on the benefits of Docker, Expresso PHP was created. Expresso PHP is an open-source Docker setup geared toward PHP development, including Drupal. To illustrate the benefits of Docker and Expresso PHP, let’s walk through setting up a local Drupal environment in Drupal 8 using macOS Mojave.

Software Versions Used

  • macOS Mojave 10.14.4
  • Drupal 8.6.14
  • Docker 18.09.3
  • Docker Compose 1.24.0-rc1
  • Expresso PHP v1.1.0

Setting up Drupal using Expresso PHP

1.

The first step is cloning the Expresso PHP Git repo and doing some initial setup.  This installation assumes you are installing docker sites in a "docker" directory within your local environment's home directly.  In the directions for this example,  the site in question is called "my-site."

cd ~/docker
git clone https://github.com/expresso-php/expresso-php.git my-site
cd my-site
git checkout nginx-php

2.

After cloning the repo, specify the desired PHP version here:

~/docker/my-site/docker/php/Dockerfile

The first line will look something like this:

FROM php:7.2-fpm

3.

Next, clone the Drupal site's Git repo or otherwise add the site.  This example assumes the repo will be cloned within a directory called "my-site", so its location would be

~/docker/my-site/my-site

4.

Replace the existing "web" directory with a symlink to the document root:

rm -rf ~/docker/my-site/web
cd ~/docker/my-site
ln -s my-site/docroot web

This example assumes the document root is "docroot" but it could be "www" or something else.

5.

Copy the settings.php file from default.settings.php

cd ~/docker/my-site/my-site/docroot
cp sites/default/default.settings.php sites/default/settings.php
cd sites/default

6.

Edit settings.php and replace

$databases = array();

with the following

$databases['default']['default'] = [
  'database' => 'expresso-php',
  'username' => 'expresso-php',
  'password' => 'expresso-php',
  'host' => 'db',
  'port' => '3306',
  'driver' => 'mysql',
  'prefix' => '',
  'collation' => 'utf8mb4_general_ci',
];

7.

Edit settings.php and replace

$settings['hash_salt'] = '';

with

$settings['hash_salt'] = 'expresso-php';

8.

A local domain can be used to update the host’s file..  You will need to use sudo to edit /etc/hosts and add the following:

0.0.0.0 my-site.test

9.

Optionally, create a directory for a copy of the site's database and place a *.sql of the database into this directory:

cd ~/docker/my-site
mkdir ref_db
cd ref_db


This is only needed if a Makefile or build script will be used, which is recommended; otherwise, DB import could be done via drush.

Note - The designated location for the reference database may be different for a given Makefile or build script.

10.

Add the Drupal files directory here and modify permissions if needed:

cd ~/docker/my-site/my-site/docroot/sites/default

11.

Build the Docker containers; this is only needed during setup:

cd ~/docker/my-site
docker-compose up -d

12.

The next step is importing the Drupal database.  Ideally this would be done via a Makefile or build script.

Alternatively, the DB import can be done via drush:

cd ~/docker/my-site/docroot
docker-compose exec -T php_nginx drush sql-cli < ../ref_db/ecoDB.sql

13.

Once the DB is imported, check the port needed to access the site:

docker-compose ps

It will use the port associated with my-site_nginx_1; for example 32768.

14.

Access the local website to confirm it works; for example, if the IP is 32768 then the site's URL would be:

http://my-site.test:32768
 

Commonly used Commands

To use Drush:

docker-compose exec php_nginx drush cr

To SSH in to the nginx container:

docker-compose exec php_nginx /bin/bash

To restart services:

docker-compose restart
docker-compose ps

"docker-compose ps" is included here since restarting services resets the port used to access the site.

To uninstall the site:

cd ~/docker/my-site/my-site/docroot

docker-compose down -v
cd ~/docker
rm -fr ~/docker/my-site

That's all there is to it.  When a build script or Makefile is used, a new environment can be set up in a matter of minutes. The main, limiting factor is time needed to copy in the Drupal files/ directory and import the database.
    
Expresso PHP and Docker are excellent tools that enable you to maintain a straightforward setup process, even as complexity increases -- serving as another clear indicator of the inherent agility of Drupal.

Looking for further insights on leveraging Drupal to achieve specific outcomes? Contact us today.

Feb 06 2013
Feb 06
Josh Estep's picture

Josh Estep  | Senior Drupal Developer, Themer

Feb

06

2013

Now that features are frozen, let's take a look at what to expect in Drupal 8, both front and back-end.

Behind the scenes, Symfony2, an object-oriented application framework, will be part of Core and will provide multiple benefits:

  • Partial page caching
  • Higher performance and efficiency  
  • Easier to maintain Drupal Core as custom code is reduced
  • Improved Multi-lingual support

Universal Unique IDs (UUIDs)

Drupal 8 will also add more uniformity to data structures.  In previous versions of drupal you’d have IDs for nodequeue, taxonomy terms, and many other units of content.  With universal unique IDs (UUIDs) assigned to multiple types of content, development will be more streamlined, particularly during migrations.

Web Services and Context Core Initiative (Whiskey)

Typically, a site receives an HTTP request from a user browser and then returns HTML; however, there are cases where data must be sent and received between sites.  In Drupal 8, Drupal will become a "RESTful" interface, with the following attributes:

  • Machine to machine communication - A common use-case for this is sharing feeds between Drupal Sites.
  • Stateless - There is no need to define a context for the data.  Data is requested the same way each time.  
  • Multiple HTTP methods are used depending on the activity - POST for creating, PUT for updating, GET for requesting data, and DELETE for removing it.
  • Caching - Frequently requested data can be cacheable for efficiency and scalability.

Views in Core

Another great feature of D8 is Views in Drupal Core. This and a great and long-awaited change. This simplifies things when clients need to customize things like the content list page.  Instead of making a fresh view or modifying it a more invasive way, developers can simply modify the view. 

Configuration Management 

With the Configuration Management Initiative, Developers will be able to take a snapshot of overall Drupal configuration at a specific point in time. This will be an invaluable tool, similar to featurization, that will help streamline development, deployments, and migrations. When a setting is changed it will be saved in a config file as well as the DB. Allowing configuration to live in the file system This allows changes to be deployed via version control.

Theming and Presentation Changes

Drupal's mobile support is improved with the Mobile Initiative.  With the growing popularity of mobile devices it is essential for Drupal to improve its support of this medium. To this end, the default Stark, Bartik, and Seven themes are expected to become responsive, meaning that their presentation changes based on the browser width.

Twig framework Theming engine - This will replace PHPTemplate and will be fast, secure, and flexible. It allows templates to be compiled down to PHP code which is stored in RAM for superior performance as it reduces disk access. 

Improved Content Authoring Experience

Using the Spark project, D8 will support inline editing.  This will allow content updates directly on the page via AJAX rather than the traditional edit form workflow.  Furthermore, the Media module is expected to be moved to core which should make image and video development easier. Note that the conventional “edit page” workflow will still be possible.

With these upcoming changes, Drupal sites will become easier to use, build, support, and migrate.

What do you think?

Additional Resources

Nov 27 2012
Nov 27
Josh Estep's picture

Josh Estep  | Senior Drupal Developer, Themer

Nov

27

2012

Although table Views are typically used to express complex numeric data in Drupal, usability can be increased by displaying data graphically.  The shape and color of chart elements can be leveraged to make data easier to digest and patterns easier to recognize.  

In the example below, width is displayed graphically through the bar lengths and temperature is indicated with color:

Drupal and Charts

Luckily, exploring Drupal contrib modules is a great way to start and there's a wide array of solutions available.

One approach is to leverage the Charts and Graphs API module along with Views Charts module to render view data as a chart. This is pretty flexible since multiple libraries can be plugged in depending the need, including:

  • Flot - Real-time updates, interactive charts.
  • amCharts - Filterable charts and much more support and documentation but requires the purchase of a license.
  • Bluff  - This is a port of the Gruff library for Ruby which is free.

There are also several Flash-based tools, including FusionCharts and Open Flash Chart 2; however, Flash is quickly being replaced by HTML5 for a plethora of reasons including mobile support. 
The pChart API also has a Drupal project which allows more granular control without re-inventing the wheel.

On the other hand, a completely custom chart solution can be created via HTML5. The HTML5 canvas element generates primarily stateless bitmap image which can be manipulated via JavaScript commands. Therefore, view content can be displayed by translating numeric field output into JavaScript:

  • The first step is to iterate over row data to be displayed via PHP in a view preprocess hook and insert it into a JavaScript array.
  • Next, the JS propagates through the array, drawing associated data onto the canvas.  

Note that, although some draw history is retained, the canvas is primarily stateless so its data should be maintained in JS in order for additional manipulation to take place. During or after this process, the graph can be marked up with text along each axis.

It may also be useful to have some level of zoom. Luckily, canvas makes it easy to scale content; however, this is sometimes not enough. Imagine an attempt to output 50000 data points on a graph 500 pixels wide, although this could be rendered on a massively large bitmap, it is more efficient to avoid parsing that much data on the client side. Instead, segments of the content across an access can be grouped and averaged together.  If there is a need for dynamic zooming, exposed filter actions can trigger an ajax request for fresh data. For further performance, the initial data set as well as certain zoom levels can be cached to avoid excessive processing.

Ultimately, the increased adoption and browser support of HTML5 greatly simplifies charting which, in the past, would have required a lot of custom JavaScript + CSS or a Flash-based solution. In the future, expect to see the level of difficulty with these kinds of graphical activities continue to decrease as tools for integration continue to be created and refined.

Additional Resources:

Oct 04 2012
Oct 04
Josh Estep's picture

Josh Estep  | Senior Drupal Developer, Themer

Oct

04

2012

This webinar looks at HTML5 canvas as a way to dynamically rendering charts from view-based content. This includes some general discussion of the canvas element as well as a review of several example charts.

Experience Level: Intermediate

Mobile and Drupal

Additional Resources

Maps and Drupal 7 (Part 1) | Mediacurrent Blog Post

Sep 24 2012
Sep 24
DEC OCT HEX BIN Symbol HTML Name Description 7-bit Characters (0-127): 0 000 00 00000000 NUL &#000;   Null char 1 001 01 00000001 SOH &#001;   Start of Heading 2 002 02 00000010 STX &#002;   Start of Text 3 003 03 00000011 ETX &#003;   End of Text 4 004 04 00000100 EOT &#004;   End of Transmission 5 005 05 00000101 ENQ &#005;   Enquiry 6 006 06 00000110 ACK &#006;   Acknowledgment 7 007 07 00000111 BEL &#007;   Bell 8 010 08 00001000 BS &#008;   Back Space 9 011 09 00001001 HT &#009;   Horizontal Tab 10 012 0A 00001010 LF &#010;   Line Feed 11 013 0B 00001011 VT &#011;   Vertical Tab 12 014 0C 00001100 FF &#012;   Form Feed 13 015 0D 00001101 CR &#013;   Carriage Return 14 016 0E 00001110 SO &#014;   Shift Out / X-On 15 017 0F 00001111 SI &#015;   Shift In / X-Off 16 020 10 00010000 DLE &#016;   Data Line Escape 17 021 11 00010001 DC1 &#017;   Device Control 1 (oft. XON) 18 022 12 00010010 DC2 &#018;   Device Control 2 19 023 13 00010011 DC3 &#019;   Device Control 3 (oft. XOFF) 20 024 14 00010100 DC4 &#020;   Device Control 4 21 025 15 00010101 NAK &#021;   Negative Acknowledgement 22 026 16 00010110 SYN &#022;   Synchronous Idle 23 027 17 00010111 ETB &#023;   End of Transmit Block 24 030 18 00011000 CAN &#024;   Cancel 25 031 19 00011001 EM &#025;   End of Medium 26 032 1A 00011010 SUB &#026;   Substitute 27 033 1B 00011011 ESC &#027;   Escape 28 034 1C 00011100 FS &#028;   File Separator 29 035 1D 00011101 GS &#029;   Group Separator 30 036 1E 00011110 RS &#030;   Record Separator 31 037 1F 00011111 US &#031;   Unit Separator 32 040 20 00100000   &#32;   Space 33 041 21 00100001 ! &#33;   Exclamation mark 34 042 22 00100010 " &#34; &quot; Double quotes (or speech marks) 35 043 23 00100011 # &#35;   Number 36 044 24 00100100 $ &#36;   Dollar 37 045 25 00100101 % &#37;   Procenttecken 38 046 26 00100110 & &#38; &amp; Ampersand 39 047 27 00100111 ' &#39;   Single quote 40 050 28 00101000 ( &#40;   Open parenthesis (or open bracket) 41 051 29 00101001 ) &#41;   Close parenthesis (or close bracket) 42 052 2A 00101010 * &#42;   Asterisk 43 053 2B 00101011 + &#43;   Plus 44 054 2C 00101100 , &#44;   Comma 45 055 2D 00101101 - &#45;   Hyphen 46 056 2E 00101110 . &#46;   Period, dot or full stop 47 057 2F 00101111 / &#47;   Slash or divide 48 060 30 00110000 0 &#48;   Zero 49 061 31 00110001 1 &#49;   One 50 062 32 00110010 2 &#50;   Two 51 063 33 00110011 3 &#51;   Three 52 064 34 00110100 4 &#52;   Four 53 065 35 00110101 5 &#53;   Five 54 066 36 00110110 6 &#54;   Six 55 067 37 00110111 7 &#55;   Seven 56 070 38 00111000 8 &#56;   Eight 57 071 39 00111001 9 &#57;   Nine 58 072 3A 00111010 : &#58;   Colon 59 073 3B 00111011 ; &#59;   Semicolon 60 074 3C 00111100 < &#60; &lt; Less than (or open angled bracket) 61 075 3D 00111101 = &#61;   Equals 62 076 3E 00111110 > &#62; &gt; Greater than (or close angled bracket) 63 077 3F 00111111 ? &#63;   Question mark 64 100 40 01000000 @ &#64;   At symbol 65 101 41 01000001 A &#65;   Uppercase A 66 102 42 01000010 B &#66;   Uppercase B 67 103 43 01000011 C &#67;   Uppercase C 68 104 44 01000100 D &#68;   Uppercase D 69 105 45 01000101 E &#69;   Uppercase E 70 106 46 01000110 F &#70;   Uppercase F 71 107 47 01000111 G &#71;   Uppercase G 72 110 48 01001000 H &#72;   Uppercase H 73 111 49 01001001 I &#73;   Uppercase I 74 112 4A 01001010 J &#74;   Uppercase J 75 113 4B 01001011 K &#75;   Uppercase K 76 114 4C 01001100 L &#76;   Uppercase L 77 115 4D 01001101 M &#77;   Uppercase M 78 116 4E 01001110 N &#78;   Uppercase N 79 117 4F 01001111 O &#79;   Uppercase O 80 120 50 01010000 P &#80;   Uppercase P 81 121 51 01010001 Q &#81;   Uppercase Q 82 122 52 01010010 R &#82;   Uppercase R 83 123 53 01010011 S &#83;   Uppercase S 84 124 54 01010100 T &#84;   Uppercase T 85 125 55 01010101 U &#85;   Uppercase U 86 126 56 01010110 V &#86;   Uppercase V 87 127 57 01010111 W &#87;   Uppercase W 88 130 58 01011000 X &#88;   Uppercase X 89 131 59 01011001 Y &#89;   Uppercase Y 90 132 5A 01011010 Z &#90;   Uppercase Z 91 133 5B 01011011 [ &#91;   Opening bracket 92 134 5C 01011100 \ &#92;   Backslash 93 135 5D 01011101 ] &#93;   Closing bracket 94 136 5E 01011110 ^ &#94;   Caret - circumflex 95 137 5F 01011111 _ &#95;   Underscore 96 140 60 01100000 ` &#96;   Grave accent 97 141 61 01100001 a &#97;   Lowercase a 98 142 62 01100010 b &#98;   Lowercase b 99 143 63 01100011 c &#99;   Lowercase c 100 144 64 01100100 d &#100;   Lowercase d 101 145 65 01100101 e &#101;   Lowercase e 102 146 66 01100110 f &#102;   Lowercase f 103 147 67 01100111 g &#103;   Lowercase g 104 150 68 01101000 h &#104;   Lowercase h 105 151 69 01101001 i &#105;   Lowercase i 106 152 6A 01101010 j &#106;   Lowercase j 107 153 6B 01101011 k &#107;   Lowercase k 108 154 6C 01101100 l &#108;   Lowercase l 109 155 6D 01101101 m &#109;   Lowercase m 110 156 6E 01101110 n &#110;   Lowercase n 111 157 6F 01101111 o &#111;   Lowercase o 112 160 70 01110000 p &#112;   Lowercase p 113 161 71 01110001 q &#113;   Lowercase q 114 162 72 01110010 r &#114;   Lowercase r 115 163 73 01110011 s &#115;   Lowercase s 116 164 74 01110100 t &#116;   Lowercase t 117 165 75 01110101 u &#117;   Lowercase u 118 166 76 01110110 v &#118;   Lowercase v 119 167 77 01110111 w &#119;   Lowercase w 120 170 78 01111000 x &#120;   Lowercase x 121 171 79 01111001 y &#121;   Lowercase y 122 172 7A 01111010 z &#122;   Lowercase z 123 173 7B 01111011 { &#123;   Opening brace 124 174 7C 01111100 | &#124;   Vertical bar 125 175 7D 01111101 } &#125;   Closing brace 126 176 7E 01111110 ~ &#126;   Equivalency sign - tilde 127 177 7F 01111111   &#127;   Delete 8-bit Characters (128-255): 128 200 80 10000000 € &#128; &euro; Euro sign 129 201 81 10000001         130 202 82 10000010 ‚ &#130; &sbquo; Single low-9 quotation mark 131 203 83 10000011 ƒ &#131; &fnof; Latin small letter f with hook 132 204 84 10000100 „ &#132; &bdquo; Double low-9 quotation mark 133 205 85 10000101 … &#133; &hellip; Horizontal ellipsis 134 206 86 10000110 † &#134; &dagger; Dagger 135 207 87 10000111 ‡ &#135; &Dagger; Double dagger 136 210 88 10001000 ˆ &#136; &circ; Modifier letter circumflex accent 137 211 89 10001001 ‰ &#137; &permil; Per mille sign 138 212 8A 10001010 Š &#138; &Scaron; Latin capital letter S with caron 139 213 8B 10001011 ‹ &#139; &lsaquo; Single left-pointing angle quotation 140 214 8C 10001100 Œ &#140; &OElig; Latin capital ligature OE 141 215 8D 10001101         142 216 8E 10001110 Ž &#142;   Latin captial letter Z with caron 143 217 8F 10001111         144 220 90 10010000         145 221 91 10010001 ‘ &#145; &lsquo; Left single quotation mark 146 222 92 10010010 ’ &#146; &rsquo; Right single quotation mark 147 223 93 10010011 “ &#147; &ldquo; Left double quotation mark 148 224 94 10010100 ” &#148; &rdquo; Right double quotation mark 149 225 95 10010101 • &#149; &bull; Bullet 150 226 96 10010110 – &#150; &ndash; En dash 151 227 97 10010111 — &#151; &mdash; Em dash 152 230 98 10011000 ˜ &#152; &tilde; Small tilde 153 231 99 10011001 ™ &#153; &trade; Trade mark sign 154 232 9A 10011010 š &#154; &scaron; Latin small letter S with caron 155 233 9B 10011011 › &#155; &rsaquo; Single right-pointing angle quotation mark 156 234 9C 10011100 œ &#156; &oelig; Latin small ligature oe 157 235 9D 10011101         158 236 9E 10011110 ž &#158;   Latin small letter z with caron 159 237 9F 10011111 Ÿ &#159; &yuml; Latin capital letter Y with diaeresis 160 240 A0 10100000   &#160; &nbsp; Non-breaking space 161 241 A1 10100001 ¡ &#161; &iexcl; Inverted exclamation mark 162 242 A2 10100010 ¢ &#162; &cent; Cent sign 163 243 A3 10100011 £ &#163; &pound; Pound sign 164 244 A4 10100100 ¤ &#164; &curren; Currency sign 165 245 A5 10100101 ¥ &#165; &yen; Yen sign 166 246 A6 10100110 ¦ &#166; &brvbar; Pipe, Broken vertical bar 167 247 A7 10100111 § &#167; &sect; Section sign 168 250 A8 10101000 ¨ &#168; &uml; Spacing diaeresis - umlaut 169 251 A9 10101001 © &#169; &copy; Copyright sign 170 252 AA 10101010 ª &#170; &ordf; Feminine ordinal indicator 171 253 AB 10101011 « &#171; &laquo; Left double angle quotes 172 254 AC 10101100 ¬ &#172; &not; Not sign 173 255 AD 10101101 ­ &#173; &shy; Soft hyphen 174 256 AE 10101110 ® &#174; &reg; Registered trade mark sign 175 257 AF 10101111 ¯ &#175; &macr; Spacing macron - overline 176 260 B0 10110000 ° &#176; &deg; Degree sign 177 261 B1 10110001 ± &#177; &plusmn; Plus-or-minus sign 178 262 B2 10110010 ² &#178; &sup2; Superscript two - squared 179 263 B3 10110011 ³ &#179; &sup3; Superscript three - cubed 180 264 B4 10110100 ´ &#180; &acute; Acute accent - spacing acute 181 265 B5 10110101 µ &#181; &micro; Micro sign 182 266 B6 10110110 ¶ &#182; &para; Pilcrow sign - paragraph sign 183 267 B7 10110111 · &#183; &middot; Middle dot - Georgian comma 184 270 B8 10111000 ¸ &#184; &cedil; Spacing cedilla 185 271 B9 10111001 ¹ &#185; &sup1; Superscript one 186 272 BA 10111010 º &#186; &ordm; Masculine ordinal indicator 187 273 BB 10111011 » &#187; &raquo; Right double angle quotes 188 274 BC 10111100 ¼ &#188; &frac14; Fraction one quarter 189 275 BD 10111101 ½ &#189; &frac12; Fraction one half 190 276 BE 10111110 ¾ &#190; &frac34; Fraction three quarters 191 277 BF 10111111 ¿ &#191; &iquest; Inverted question mark 192 300 C0 11000000 À &#192; &Agrave; Latin capital letter A with grave 193 301 C1 11000001 Á &#193; &Aacute; Latin capital letter A with acute 194 302 C2 11000010  &#194; &Acirc; Latin capital letter A with circumflex 195 303 C3 11000011 à &#195; &Atilde; Latin capital letter A with tilde 196 304 C4 11000100 Ä &#196; &Auml; Latin capital letter A with diaeresis 197 305 C5 11000101 Å &#197; &Aring; Latin capital letter A with ring above 198 306 C6 11000110 Æ &#198; &AElig; Latin capital letter AE 199 307 C7 11000111 Ç &#199; &Ccedil; Latin capital letter C with cedilla 200 310 C8 11001000 È &#200; &Egrave; Latin capital letter E with grave 201 311 C9 11001001 É &#201; &Eacute; Latin capital letter E with acute 202 312 CA 11001010 Ê &#202; &Ecirc; Latin capital letter E with circumflex 203 313 CB 11001011 Ë &#203; &Euml; Latin capital letter E with diaeresis 204 314 CC 11001100 Ì &#204; &Igrave; Latin capital letter I with grave 205 315 CD 11001101 Í &#205; &Iacute; Latin capital letter I with acute 206 316 CE 11001110 Î &#206; &Icirc; Latin capital letter I with circumflex 207 317 CF 11001111 Ï &#207; &Iuml; Latin capital letter I with diaeresis 208 320 D0 11010000 Ð &#208; &ETH; Latin capital letter ETH 209 321 D1 11010001 Ñ &#209; &Ntilde; Latin capital letter N with tilde 210 322 D2 11010010 Ò &#210; &Ograve; Latin capital letter O with grave 211 323 D3 11010011 Ó &#211; &Oacute; Latin capital letter O with acute 212 324 D4 11010100 Ô &#212; &Ocirc; Latin capital letter O with circumflex 213 325 D5 11010101 Õ &#213; &Otilde; Latin capital letter O with tilde 214 326 D6 11010110 Ö &#214; &Ouml; Latin capital letter O with diaeresis 215 327 D7 11010111 × &#215; &times; Multiplication sign 216 330 D8 11011000 Ø &#216; &Oslash; Latin capital letter O with slash 217 331 D9 11011001 Ù &#217; &Ugrave; Latin capital letter U with grave 218 332 DA 11011010 Ú &#218; &Uacute; Latin capital letter U with acute 219 333 DB 11011011 Û &#219; &Ucirc; Latin capital letter U with circumflex 220 334 DC 11011100 Ü &#220; &Uuml; Latin capital letter U with diaeresis 221 335 DD 11011101 Ý &#221; &Yacute; Latin capital letter Y with acute 222 336 DE 11011110 Þ &#222; &THORN; Latin capital letter THORN 223 337 DF 11011111 ß &#223; &szlig; Latin small letter sharp s - ess-zed 224 340 E0 11100000 à &#224; &agrave; Latin small letter a with grave 225 341 E1 11100001 á &#225; &aacute; Latin small letter a with acute 226 342 E2 11100010 â &#226; &acirc; Latin small letter a with circumflex 227 343 E3 11100011 ã &#227; &atilde; Latin small letter a with tilde 228 344 E4 11100100 ä &#228; &auml; Latin small letter a with diaeresis 229 345 E5 11100101 å &#229; &aring; Latin small letter a with ring above 230 346 E6 11100110 æ &#230; &aelig; Latin small letter ae 231 347 E7 11100111 ç &#231; &ccedil; Latin small letter c with cedilla 232 350 E8 11101000 è &#232; &egrave; Latin small letter e with grave 233 351 E9 11101001 é &#233; &eacute; Latin small letter e with acute 234 352 EA 11101010 ê &#234; &ecirc; Latin small letter e with circumflex 235 353 EB 11101011 ë &#235; &euml; Latin small letter e with diaeresis 236 354 EC 11101100 ì &#236; &igrave; Latin small letter i with grave 237 355 ED 11101101 í &#237; &iacute; Latin small letter i with acute 238 356 EE 11101110 î &#238; &icirc; Latin small letter i with circumflex 239 357 EF 11101111 ï &#239; &iuml; Latin small letter i with diaeresis 240 360 F0 11110000 ð &#240; &eth; Latin small letter eth 241 361 F1 11110001 ñ &#241; &ntilde; Latin small letter n with tilde 242 362 F2 11110010 ò &#242; &ograve; Latin small letter o with grave 243 363 F3 11110011 ó &#243; &oacute; Latin small letter o with acute 244 364 F4 11110100 ô &#244; &ocirc; Latin small letter o with circumflex 245 365 F5 11110101 õ &#245; &otilde; Latin small letter o with tilde 246 366 F6 11110110 ö &#246; &ouml; Latin small letter o with diaeresis 247 367 F7 11110111 ÷ &#247; &divide; Division sign 248 370 F8 11111000 ø &#248; &oslash; Latin small letter o with slash 249 371 F9 11111001 ù &#249; &ugrave; Latin small letter u with grave 250 372 FA 11111010 ú &#250; &uacute; Latin small letter u with acute 251 373 FB 11111011 û &#251; &ucirc; Latin small letter u with circumflex 252 374 FC 11111100 ü &#252; &uuml; Latin small letter u with diaeresis 253 375 FD 11111101 ý &#253; &yacute; Latin small letter y with acute 254 376 FE 11111110 þ &#254; &thorn; Latin small letter thorn 255 377 FF 11111111 ÿ &#255; &yuml; Latin small letter y with diaeresis
May 09 2012
May 09
Josh Estep's picture

Josh Estep  | Senior Drupal Developer, Themer

May

09

2012

Photo Credit: businessinternetconsultant.com

SSL, or Secure Socket Layer, was first developed by Netscape in the mid-1990's to address the growing need to be able to securely transmit data.  It protects data, verifies legitimacy of a website, and is supported by all major browsers.  When you log into a banking website, your computer is sent a file called an "SSL certificate" which contains the following data:

  1. The website or associated business name.
  2. The website's domain name.
  3. A public key which is a string of characters used to encrypt data.
  4. A private key which is used to decrypt data

Based on the certificate's info, your browser decides whether or not to trust the certificate. This is possible because it uses third-party data, already in your browser, to confirm the certificate wasn't sent by a hacker. Once the certificate is received, the browser checks that the certificate was issued by a trusted third party known as a certificate authority. The browser then uses the public key to encrypt a random, symmetric encryption key and sends it to the server. The web server then decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and the HTTP data. Finally, the browser decrypts a response from the server using the symmetric key and displays the information.

Due to the nature of the Internet, the path the content follows between a server and a web browser is not secure. There is always the possibility someone is using a "packet sniffer" to capture data as it passes through a network or, if you're wireless, right out of the air. This is where encryption comes in. Originally, SSL used 40-bit encryption, meaning the value of the key used to decrypt data was selected from 1 out of 1,099,511,627,776 possible values.  Today, that level of encryption can be broken almost instantly; so, a 128-bit encryption is commonly used which means 340,282,366,920,938,463,463,374,607,431,768,211,456 possible values; increase it to 256 bits for more security and you have the theoretical number of atoms in the universe. Even with millions of today's top-of-the-line computers working together, brute-force decryption simply takes too long if data is encrypted properly. That said, it's always best to be paranoid because future technologies like quantum computing may render conventional encryption obsolete.

If a brute-force attack won't work, how else can SSL be compromised? No matter how air-tight a security system is, all that work is pointless if users trusted with access have weak passwords or can be tricked into providing their passwords. Although not SSL-specific, it's vital best practices are used to prevent non-technical, "social engineering" attacks.

There is also the possibility that browser and/or server flaws could be exploited. A good way to minimize the risk of a hacker taking advantage of exploits is to subscribe to twitter feeds or blogs related to web security.  This way, vulnerabilities can be fixed shortly after they're made public. Another approach would be to establish a list of supported browsers so that you can block or redirect users whose browsers aren't secure.

Flaws in SSL itself could potentially be identified and exploited.  SSL supports multiple types of encryption and, in 2008, researchers were able to spoof a certificates by exploiting md5 encryption. This was done with an array of 200 PlayStation 3's and it was made possible because some certificate authorities relied on md5 alone. So, the reliability of an SSL certificate is directly related to the reliability of its certificate authority.  If a certificate authority issues an SSL to a hacker's site, users could be fooled into thinking they are on a legitimate site due to successful SSL authentication. Furthermore, some authorities use better encryption methods than others.  You can get a certificate from GoDaddy for $70/year or you can spend at least $695 at Symantec. Guess which business takes security more seriously!

If SSL is so great then why not simply add it to all websites?

First, there's a yearly cost associated with SSL which must be weighed against the security benefit. Is there any data on the site that any hackers might use or is there any motivation for your site to be hacked more than another site?  If you're doing financial transactions then you pretty much have to use SSL or users will not feel secure, not to mention it would be an obvious target for hackers.  That said, if your site only contains openly shared data and is backed up regularly, the biggest risks might be that an admin's password could be captured or that users might use the same password on other sites that do contain sensitive data.

SSL also uses additional server resources encrypting and decrypting content. Although the difference is minor due to processing power of today's servers, it can be noticeable on high-traffic sites. If you want to mix secure and non-secure content on the same page then users may get a browser warnings, so this limits the ability to host some content elsewhere; for example, a content distribution network. Finally, extra time is needed to purchase the certificate, set up the server, configure the website, and test.

How do you decide whether or not to use SSL on a site?  

Sometimes SSL is a given, but it can be more of a qualitative question based on the balance between practicality and ideology. Yes, any unencrypted login is vulnerable to attack, but what are the chances?  The best thing do is weigh the overall cost of SSL against how sensitive your content is and what might happen, worst case,if it is compromised. If you're not sure whether or not to use SSL but you have the money and don't see any major technical obstacles then go ahead and use it.

Are there any alternatives to SSL?  

A less expensive alternative might be to integrate a service like PayPal that handles authentication outside your website.  On the other hand, if SSL's authentication and encryption aren't enough, consider using physical tokens.  A physical token is a device that assists with authentication. For example, the device may periodically display a different value used to log in based on the current time.  This approach removes the reliance in the certificate authority and allows more control over who has access. It can even be used to establish a VPN connection to the server before the website can be accessed.

Drupal Setup

When configuring Drupal to use SSL, a good place to start is the Secure Pages modules which lets you define which pages are secure and handles redirects from or to secure pages as needed. If you're using Secure Pages with Drupal 6 then the Secure Pages Prevent Hijack module should be installed to prevent hijacked sessions from access SSL pages. Also, the Auth SSL Redirect module can be used to redirect authenticated users to SSL and it will work in conjunction with Secure Pages. If you're using Ubercart and want to either secure the whole site or just Ubercart pages then another option is Ubercart SSL and it can be extended to secure additional pages. In general, these modules help manage transitions between secure and insecure pages.

[Updated based on comment feedback.]


What do you think, what approaches do you recommend, and what do you recommend against?

About Drupal Sun

Drupal Sun is an Evolving Web project. It allows you to:

  • Do full-text search on all the articles in Drupal Planet (thanks to Apache Solr)
  • Facet based on tags, author, or feed
  • Flip through articles quickly (with j/k or arrow keys) to find what you're interested in
  • View the entire article text inline, or in the context of the site where it was created

See the blog post at Evolving Web

Evolving Web