My first site on Drupal 8. Or securing a Drupal site like a paranoid.

So, I just upgraded my first site to Drupal 8. Yup. It's in production right now. And it has an animated gif front and center.

The site itself is a pretty simple site. It is about the mobile game Crash n Dash (check it out by the way). It contains a front page, where we also display a somewhat real time statistic of online users. And it has a high scores list. As you probably understand, this requires a custom module, so there was that. Also, we have a simple custom theme, built on the Foundation framework. So there was that.

This allowed me to learn more about making a module in Drupal 8, the Guzzle library for making requests, and some good ol' Twig for the theme. I'll cover my findings in separate posts later.

Second, a word about security. Since Drupal 8 is still alpha, who knows what kind of bugs and potential security holes you can find in there, right? So I ended up disallowing login through regular channels. Since this particular server is behind Varnish, disallowing on the default address was really easy; I just put this in my VCL file:

if (req.http.host == "crashndash.com") { 
  unset req.http.Cookie; 
}

What this does is effectively deny all logins to your site on port 80, since no user will ever get a cookie. OK. Well, that does not stop someone from logging in if they find the Apache port, right? So I put this in my virtual host for the domain (in the Directory directive):

Order Deny,Allow
Deny from all
Allow from 127.0.0.1
# My own IP, so I personally can log in to the site.
# (Apache does not allow a comment on the same line as a directive.)
Allow from x.x.x.x
AllowOverride All
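
As an added example (not code from the original post), the Python below evaluates how Apache 2.2's Order rules resolve the block above for a given client address, and why swapping the order to Allow,Deny would lock everyone out. The address 203.0.113.10 is a constructed stand-in for the redacted x.x.x.x, and only `all`, exact addresses and CIDR ranges are handled.

```python
import ipaddress

# Constructed stand-in for the post's block; 203.0.113.10 (a documentation
# address) replaces the author's redacted x.x.x.x.
BLOCK = """\
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
# admin workstation
Allow from 203.0.113.10
AllowOverride All
"""

def parse(block):
    """Return (order, deny_specs, allow_specs) from Apache 2.2 access lines."""
    order, deny, allow = "deny,allow", [], []  # Deny,Allow is the 2.2 default
    for line in block.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        name = words[0].lower()
        if name == "order":
            order = "".join(words[1:]).lower()
        elif name in ("deny", "allow") and len(words) > 2 and words[1].lower() == "from":
            (deny if name == "deny" else allow).extend(words[2:])
    return order, deny, allow

def matches(client, specs):
    """True if client matches 'all', an exact IP or a CIDR range in specs."""
    addr = ipaddress.ip_address(client)
    return any(s.lower() == "all" or addr in ipaddress.ip_network(s, strict=False)
               for s in specs)

def allowed(client, block):
    """Apply the Order rules to one client address."""
    order, deny, allow = parse(block)
    denied, permitted = matches(client, deny), matches(client, allow)
    if order == "deny,allow":
        # Deny is evaluated first, Allow overrides it, default is allow.
        return permitted or not denied
    if order == "allow,deny":
        # Allow is evaluated first, Deny overrides it, default is deny.
        return permitted and not denied
    raise ValueError("unsupported Order value: " + order)

if __name__ == "__main__":
    for ip in ("127.0.0.1", "203.0.113.10", "198.51.100.7"):
        print(ip, "allowed" if allowed(ip, BLOCK) else "denied")
```

With Order Deny,Allow, an address that matches no rule at all is allowed, so the `Deny from all` line is what actually closes the port to everyone else.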

Of course this does not cover all kinds of other tactics that some people might want to try, but at least we are limiting the possibilities to do harm. So next project on d8 is this blog. I mean, as developers, do we really have any excuse for not moving to Drupal 8 with these simple blog sites we put up? I am moving right after I get my feet wet with the migrate module in d8, as I have really enjoyed the projects I have used migrate for earlier.

Full disclosure: I am also the author behind the website mentioned, and the game referenced in that site. It's a free game, but I think it is still fair to mention. This blog post is a cross post from Crash n Dash tech blog and is in part written for shameless self-promotion :) Let's end the post with the animated gif that actually is on the front page of that shiny new Drupal 8 site.
