diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e5c405d67a09f3b71b6914ca431670c75e7c5367..4153bcfb19c2e45016c1b2e44e72a273a0bab02b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -65,6 +65,7 @@ build:deb: test:debian-jessie-aegir3-apt: stage: test image: debian:jessie + allow_failure: true dependencies: - build:deb only: @@ -88,6 +89,11 @@ test:debian-stretch-aegir3-apt: dependencies: - build:deb + only: + - 7.x-3.x + - /^7\.x-3\.\d+\.x/ + - /-runalltests$/ + before_script: - apt-get update # Avoid ERROR: invoke-rc.d: policy-rc.d denied execution of start. @@ -97,17 +103,13 @@ test:debian-stretch-aegir3-apt: script: "scripts/ci-aegir-dev-install-apt-debian9.sh" -test:ubuntu-xenial-aegir3-apt: +test:debian-buster-aegir3-apt: stage: test - image: ubuntu:xenial + image: debian:buster + allow_failure: false dependencies: - build:deb - only: - - 7.x-3.x - - /^7\.x-3\.\d+\.x/ - - /-runalltests$/ - before_script: - apt-get update # Avoid ERROR: invoke-rc.d: policy-rc.d denied execution of start. @@ -115,11 +117,11 @@ test:ubuntu-xenial-aegir3-apt: - echo "exit 0" >> /usr/sbin/policy-rc.d - apt-get install --yes sudo curl - script: "scripts/ci-aegir-dev-install-apt-ubuntu-xenial.sh" + script: "scripts/ci-aegir-dev-install-apt-debian10.sh" -test:ubuntu-artful-aegir3-apt: +test:ubuntu-xenial-aegir3-apt: stage: test - image: ubuntu:artful + image: ubuntu:xenial dependencies: - build:deb @@ -135,8 +137,7 @@ test:ubuntu-artful-aegir3-apt: - echo "exit 0" >> /usr/sbin/policy-rc.d - apt-get install --yes sudo curl - script: "scripts/ci-aegir-dev-install-apt-ubuntu-artful.sh" - + script: "scripts/ci-aegir-dev-install-apt-ubuntu-xenial.sh" test:ubuntu-bionic-aegir3-apt: stage: test 
@@ -252,9 +253,9 @@ publish:unstable-repo: # # Upgrade the latest stable Aegir to our unstable repo. -upgradetest:debian-jessie-aegir3-apt-upgrade: +upgradetest:debian-stretch-aegir3-apt-upgrade: stage: upgradetest - image: debian:jessie + image: debian:stretch dependencies: - publish:unstable-repo @@ -271,7 +272,7 @@ upgradetest:debian-jessie-aegir3-apt-upgrade: - apt-get install --yes sudo curl cron script: - - "scripts/ci-aegir-stable-install-apt-debian8.sh" + - "scripts/ci-aegir-stable-install-apt-debian9.sh" # extra step to run the task queue. - sudo su aegir --login --command 'drush @hostmaster php-eval "echo hosting_task_count();"' - sudo su aegir --login --command 'drush @hostmaster hosting-tasks --force' @@ -283,6 +284,6 @@ upgradetest:debian-jessie-aegir3-apt-upgrade: - sudo su aegir --login --command 'drush @hostmaster php-eval "echo hosting_task_count_running();"' # upgrade to the latest version from the unstable repo. - rm -v /etc/apt/sources.list.d/aegir-stable.list - - echo "deb http://debian.aegirproject.org unstable main" | sudo tee -a /etc/apt/sources.list.d/aegir-unstable.list + - echo "deb [signed-by=/usr/share/keyrings/aegir-archive-keyring.gpg] http://debian.aegirproject.org unstable main" | sudo tee -a /etc/apt/sources.list.d/aegir-unstable.list - sudo apt-get update - sudo apt-get --yes dist-upgrade diff --git a/Provision/Config/Drupal/Services.php b/Provision/Config/Drupal/Services.php new file mode 100644 index 0000000000000000000000000000000000000000..497bf0ab2bead734333357218b63ac608875cda4 --- /dev/null +++ b/Provision/Config/Drupal/Services.php 
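Review bot: The new unstable repo line hard-codes `/usr/share/keyrings/aegir-archive-keyring.gpg` as its `signed-by` keyring, but nothing in this job creates that file; it is presumably installed by the stable release via `scripts/ci-aegir-stable-install-apt-debian9.sh`, which this diff does not show. If the stable package still registers its key through apt-key instead, the following `sudo apt-get update` fails with a missing-key error and the upgrade test dies before the `dist-upgrade` it is meant to exercise. A one-line guard before the `tee` step, `- test -r /usr/share/keyrings/aegir-archive-keyring.gpg`, makes that failure point at the keyring rather than at apt.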
@@ -0,0 +1,34 @@
+<?php
+/**
+ * @file
+ * Provides the Provision_Config_Drupal_Services class.
+ */
+
+class Provision_Config_Drupal_Services extends Provision_Config {
+ public $template = 'aegir.services.tpl.php';
+ public $description = 'Drupal aegir.services.yml file';
+ protected $mode = 0440;
+
+ function filename() {
+ return $this->site_path . '/aegir.services.yml';
+ }
+
+ function process() {
+ $this->version = provision_version();
+ $this->cookie_domain = $this->getCookieDomain();
+ $this->group = $this->platform->server->web_group;
+ }
+
+ /**
+ * Extract our cookie domain from the URI.
+ */
+ protected function getCookieDomain() {
+ $uri = explode('.', $this->uri);
+ # Leave base domain; only strip out subdomains.
+ if (count($uri) > 2) {
+ $uri[0] = '';
+ }
+ return implode('.', $uri);
+ }
+
+}
diff --git a/Provision/Config/Drupal/aegir.services.tpl.php b/Provision/Config/Drupal/aegir.services.tpl.php
new file mode 100644
index 0000000000000000000000000000000000000000..bfa960d09444cbfa82f00fa6636492dbc184a4ce
--- /dev/null
+++ b/Provision/Config/Drupal/aegir.services.tpl.php
@@ -0,0 +1,9 @@
+---
+
+# This file was automatically generated by Aegir <?php print $this->version; ?>
+
+# on <?php print date('r'); ?>.
+
+parameters:
+ session.storage.options:
+ cookie_domain: '<?php print $this->cookie_domain; ?>'
diff --git a/Provision/Config/Drupal/provision_drupal_settings_6.tpl.php b/Provision/Config/Drupal/provision_drupal_settings_6.tpl.php
index 2981bfa5e56e889c94c0aae524083e77e3ab6017..27a073ce78c257e878b37ce0ff6254ef1218339c 100644
--- a/Provision/Config/Drupal/provision_drupal_settings_6.tpl.php
+++ b/Provision/Config/Drupal/provision_drupal_settings_6.tpl.php
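Review bot: `getCookieDomain()` widens the session cookie to the parent domain for every URI with more than two labels, so a site at `a.example.com` gets `cookie_domain: .example.com` and its session cookie is also sent to any sibling `b.example.com` — on a multi-site Aegir host that may be a different tenant's site. The same rule mishandles multi-label public suffixes: `example.co.uk` has three labels and becomes `.co.uk`, which browsers refuse to set cookies on, so such sites would lose sessions entirely. A host-only cookie (empty `cookie_domain`) is the safe default and sharing across subdomains is a per-site choice, so consider only stripping when an explicit site option asks for it, and in any case document the trade-off on the method: `/** Strip the first label so the session cookie is shared by all subdomains of the parent; this also shares it with sibling sites and breaks on multi-label public suffixes such as .co.uk. */`. The value is also written into the YAML template as a bare single-quoted scalar, so it presumes provision has already validated the URI against quotes. `filename()` and `process()` lack a visibility keyword while `getCookieDomain()` has one.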
@@ -126,7 +126,6 @@ if (isset($_SERVER['db_name'])) { ini_set('session.cache_limiter', 'none'); ini_set('session.cookie_lifetime', 0); ini_set('session.gc_maxlifetime', 200000); - ini_set('session.save_handler', 'user'); ini_set('session.use_only_cookies', 1); ini_set('session.use_trans_sid', 0); ini_set('url_rewriter.tags', ''); diff --git a/Provision/Config/Drupal/provision_drupal_settings_7.tpl.php b/Provision/Config/Drupal/provision_drupal_settings_7.tpl.php index 6a3edb853f39bea2666c23e2c326028e460591e8..5a9084847d78cb471eeef950b4c503dbb926329c 100644 --- a/Provision/Config/Drupal/provision_drupal_settings_7.tpl.php +++ b/Provision/Config/Drupal/provision_drupal_settings_7.tpl.php @@ -157,6 +157,11 @@ if (isset($_SERVER['db_name'])) { <?php endif; ?> <?php endif; ?> + /** + * Set the Syslog identity to the site name so it's not always "drupal". + */ + $conf['syslog_identity'] = '<?php print $this->uri ?>'; + <?php print $extra_config; ?> # Additional host wide configuration settings. Useful for safely specifying configuration settings. diff --git a/Provision/Config/Drupal/provision_drupal_settings_8.tpl.php b/Provision/Config/Drupal/provision_drupal_settings_8.tpl.php index cb7dc6b505f76e8ed1a09fdd963c57360e64c242..d7d44fe92e5178964a13ee257cf77f28f7338a31 100644 --- a/Provision/Config/Drupal/provision_drupal_settings_8.tpl.php +++ b/Provision/Config/Drupal/provision_drupal_settings_8.tpl.php @@ -23,6 +23,7 @@ print '<?php' ?> */ if (isset($_SERVER['SITE_SUBDIR']) && isset($_SERVER['RAW_HOST'])) { $base_url = 'http://' . $_SERVER['RAW_HOST'] . '/' . $_SERVER['SITE_SUBDIR']; + ini_set('session.cookie_path', '/' . $_SERVER['SITE_SUBDIR'] . '/'); } <?php endif; ?> @@ -110,9 +111,6 @@ if (isset($_SERVER['db_name'])) { <?php endif; ?> - $profile = "<?php print $this->profile ?>"; - $install_profile = "<?php print $this->profile ?>"; - /** * PHP settings: * 
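Review bot: `$conf['syslog_identity'] = '<?php print $this->uri ?>';` splices the site URI into a single-quoted PHP literal with no escaping, so a URI containing `'` or a trailing backslash would yield a settings.php that fails to parse or closes the literal early; the identical construct is added for Drupal 8 in the next chunk as `$config['syslog.settings']['identity']`. The surrounding template lines already use this style and provision presumably validates the URI before it reaches here, so this is hardening rather than a live bug, but `$conf['syslog_identity'] = <?php print var_export($this->uri, TRUE) ?>;` emits a correct literal for any value. The new `ini_set('session.cookie_path', '/' . $_SERVER['SITE_SUBDIR'] . '/');` in the Drupal 8 hunk appears to rely on `SITE_SUBDIR` being set by the vhost rather than the client; a comment saying so would stop a future reader from treating it as request-controlled input.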
@@ -133,7 +131,6 @@ if (isset($_SERVER['db_name'])) { */ umask(0002); - $settings['install_profile'] = '<?php print $this->profile ?>'; $settings['file_public_path'] = '<?php print $this->file_public_path ?>'; $settings['file_private_path'] = '<?php print $this->file_private_path ?>'; $config['system.file']['path']['temporary'] = '<?php print $this->file_temporary_path ?>'; @@ -163,6 +160,7 @@ if (isset($_SERVER['db_name'])) { /** * Load services definition file. */ + $settings['container_yamls'][] = __DIR__ . '/aegir.services.yml'; $settings['container_yamls'][] = __DIR__ . '/services.yml'; /** @@ -182,6 +180,11 @@ if (isset($_SERVER['db_name'])) { '\.local$', ); + /** + * Set the Syslog identity to the site name so it's not always "drupal". + */ + $config['syslog.settings']['identity'] = '<?php print $this->uri ?>'; + <?php print $extra_config; ?> # Additional host wide configuration settings. Useful for safely specifying configuration settings. diff --git a/Provision/Config/Drushrc/Alias.php b/Provision/Config/Drushrc/Alias.php index e6c2a91eabc5ea0076b75758aa2cc544bb5a17ac..373b67ce04fd8b94b002c11dca78f73409d53d40 100644 --- a/Provision/Config/Drushrc/Alias.php +++ b/Provision/Config/Drushrc/Alias.php @@ -19,10 +19,10 @@ class Provision_Config_Drushrc_Alias extends Provision_Config_Drushrc { function __construct($context, $data = array()) { parent::__construct($context, $data); - if (is_array($data['aliases'])) { + if (isset($data['aliases']) && is_array($data['aliases'])) { $data['aliases'] = array_unique($data['aliases']); } - if (is_array($data['drush_aliases'])) { + if (isset($data['drush_aliases']) && is_array($data['drush_aliases'])) { $data['drush_aliases'] = array_unique($data['drush_aliases']); } diff --git a/aegir-release.make b/aegir-release.make index be3468d3a176aaa614662a7ea4bc4826f11f57b9..03399d771c4eae065617101a0cb4680b9a259762 100644 --- a/aegir-release.make +++ b/aegir-release.make 
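Review bot: The new `$settings['container_yamls'][] = __DIR__ . '/aegir.services.yml';` is placed before the existing `services.yml` entry, and that ordering is the only thing that lets a site-maintained `services.yml` override the generated `cookie_domain`; it deserves a comment so nobody "tidies" the order later: `// Aegir-generated service parameters (written by Provision_Config_Drupal_Services); listed first so the site's own services.yml can override them.`. The same comment should say the file is provision-managed and not to be hand-edited, since it is regenerated from the template rather than read back.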
@@ -3,17 +3,10 @@ api = 2 ; This makefile fetches the latest release of Drupal from Drupal.org. projects[drupal][type] = "core" -projects[drupal][version] = 7.60 -; Sync manually with drupal-org-core.make in the hostmaster repo. - -; Sync manually with drupal-org-core.make in the hostmaster repo. - -; Function each() is deprecated since PHP 7.2; https://www.drupal.org/project/drupal/issues/2925449 -projects[drupal][patch][2925449] = "https://www.drupal.org/files/issues/2018-04-08/deprecated_each2925449-106.patch" - -; [PHP 7.2] Avoid count() calls on uncountable variables; https://www.drupal.org/project/drupal/issues/2885610 -projects[drupal][patch][2885610] = "https://www.drupal.org/files/issues/2018-04-21/drupal-7-count-function-deprecation-fixes-2885610-19.patch" +; Pin a core version, only as long as we have a core patch below. +; Sync manually with drupal-org-core.make in the hostmaster repository. +;projects[drupal][version] = 7.61 ; The release.sh script updates the version of hostmaster. projects[hostmaster][type] = "profile" diff --git a/debian/aegir3-cluster-slave.examples b/debian/aegir3-cluster-slave.examples deleted file mode 100644 index 4ce4ab07222824f85081636c89ff5a1a71fce8fe..0000000000000000000000000000000000000000 --- a/debian/aegir3-cluster-slave.examples +++ /dev/null @@ -1 +0,0 @@ -example.sudoers diff --git a/debian/aegir3-hostmaster.postinst b/debian/aegir3-hostmaster.postinst index fad67487af9ec2cb2fff66e93cd92c14b7c7fdb0..6238baf1206acba71b70054201801ae14a5e1e9b 100644 --- a/debian/aegir3-hostmaster.postinst +++ b/debian/aegir3-hostmaster.postinst @@ -33,6 +33,9 @@ case "$1" in # this obviously doesn't work for git releases VERSION=`sed -n '/^version/{s/^.*= *//;p}' /usr/share/drush/commands/provision/provision.info` + # TODO: lookup? composer installs? + DRUSH_PATH="/usr/local/bin/drush" + FLAGS="--yes" if [ "$DPKG_DEBUG" = "developer" ]; then FLAGS="$FLAGS --debug" 
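Review bot: `DRUSH_PATH="/usr/local/bin/drush"` hard-codes a location that none of the package's dependencies provide, so on a host where drush is the Debian package (`/usr/bin/drush`) or a composer install, every `su -s /bin/sh aegir -c "$DRUSH_PATH ..."` call in the later hunks of this file fails with a not-found error where the previous PATH lookup worked; the TODO acknowledges this. Resolving it once here, `DRUSH_PATH="$(command -v drush 2>/dev/null || echo /usr/local/bin/drush)"`, keeps the benefit of an explicit path (no dependence on the aegir user's PATH) without regressing the other layouts. The later hunks also move the sed expressions from single to double quotes; the `\$` escapes look right for `/bin/sh`, but the `status --fields` parsing decides whether the migrate branch runs, so it is worth one manual run on the upgrade path. The `case` statement this sits in starts outside the hunk.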
@@ -68,10 +71,10 @@ case "$1" in chown aegir:aegir "$AEGIRHOME" "$AEGIRHOME/config" "$AEGIRHOME/config/$WEBSERVER.conf" # flush the drush cache to find new commands - su -s /bin/sh aegir -c 'drush cache-clear drush' + su -s /bin/sh aegir -c "$DRUSH_PATH cache-clear drush" - site_uri=`su -s /bin/sh aegir -c 'drush @hostmaster status --fields="uri" --field-labels=0 2>/dev/null | tr "\n" " " | sed -e "s/^[[:space:]]*//g" -e "s/[[:space:]]*\$//g"'` - drupal_root=`su -s /bin/sh aegir -c 'drush @hostmaster status --fields="root" --field-labels=0 2>/dev/null | tr "\n" " " | sed -e "s/^[[:space:]]*//g" -e "s/[[:space:]]*\$//g"'` + site_uri=`su -s /bin/sh aegir -c "$DRUSH_PATH @hostmaster status --fields='uri' --field-labels=0 2>/dev/null | tr '\n' ' ' | sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*\$//g'"` + drupal_root=`su -s /bin/sh aegir -c "$DRUSH_PATH @hostmaster status --fields='root' --field-labels=0 2>/dev/null | tr '\n' ' ' | sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*\$//g'"` if [ -d "$drupal_root" ]; then # upgrade 
@@ -95,14 +98,14 @@ case "$1" in echo "it seems to be the same version as the one we're trying to install, not upgrading" else echo "upgrading the frontend from $drupal_root to $NEW_PLATFORM" - if su -s /bin/sh aegir -c 'drush @hostmaster pm-list --status=enabled --pipe' | grep -q hosting_queued; then + if su -s /bin/sh aegir -c "$DRUSH_PATH @hostmaster pm-list --status=enabled --pipe" | grep -q hosting_queued; then service hosting-queued stop fi cd "$drupal_root" - su -s /bin/sh aegir -c "drush hostmaster-migrate $FLAGS '$site_uri' '$NEW_PLATFORM'" + su -s /bin/sh aegir -c "$DRUSH_PATH hostmaster-migrate $FLAGS '$site_uri' '$NEW_PLATFORM'" echo "upgrade finished, old platform left in $drupal_root" # restart daemon if enabled - if su -s /bin/sh aegir -c 'drush @hostmaster pm-list --status=enabled --pipe' | grep -q hosting_queued; then + if su -s /bin/sh aegir -c "$DRUSH_PATH @hostmaster pm-list --status=enabled --pipe" | grep -q hosting_queued; then service hosting-queued start fi fi @@ -173,7 +176,7 @@ case "$1" in fi # pass data through JSON for extra security - su -s /bin/sh aegir -c "cd $AEGIRHOME && drush hostmaster-install $FLAGS --backend $site_uri 2>&1 | drush backend-parse $DEBUG" <<EOF + su -s /bin/sh aegir -c "cd $AEGIRHOME && $DRUSH_PATH hostmaster-install $FLAGS --backend $site_uri 2>&1 | $DRUSH_PATH backend-parse $DEBUG" <<EOF { "yes": 1, "version": "$VERSION", "aegir_db_host": "$AEGIR_DB_HOST", 
@@ -183,11 +186,11 @@ case "$1" in } EOF # flush the drush cache to find new commands - su -s /bin/sh aegir -c 'drush cache-clear drush' + su -s /bin/sh aegir -c "$DRUSH_PATH cache-clear drush" # on new installs, we default to having the daemon enabled echo 'Enabling hosting-queued daemon' - su -s /bin/sh aegir -c 'drush @hostmaster pm-enable -y hosting_queued' + su -s /bin/sh aegir -c "$DRUSH_PATH @hostmaster pm-enable -y hosting_queued" service hosting-queued start if [ -f /bin/systemctl ]; then # There must be a better way, but we're trying to stay compatible with Debian Wheezy and Jessie. @@ -215,10 +218,10 @@ EOF esac # this will ensure that this script aborts if the site can't be bootstrapped - if su -s /bin/sh aegir -c 'drush @hostmaster status' 2>&1 | grep -q 'Drupal bootstrap.*Successful'; then + if su -s /bin/sh aegir -c "$DRUSH_PATH @hostmaster status" 2>&1 | grep -q 'Drupal bootstrap.*Successful'; then echo 'Aegir frontend bootstrap correctly, operation was a success!' echo 'Use this URL to login on your new site:' - su -s /bin/sh aegir -c 'drush @hostmaster uli' + su -s /bin/sh aegir -c "$DRUSH_PATH @hostmaster uli" else echo 'Aegir frontend failed to bootstrap, something went wrong!' echo 'Look at the log above for clues or run with DPKG_DEBUG=developer' diff --git a/debian/changelog b/debian/changelog index 9c2376f80c804a4d29e16eea94af2885567625e7..5844c1400be5848f1469e30c711d7266e13bea2a 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,45 @@ +aegir3-provision (3.180) unstable; urgency=medium + + * Bugfixes and UI improvements, see http://aegir.readthedocs.org/en/3.x/release-notes/3.18 + * Include Drupal 7.67 + + -- Colan Schwartz <13228-colan@users.noreply.gitlab.com> Thu, 27 Jun 2019 15:27:28 -0400 + +aegir3-provision (3.174) testing; urgency=medium + + * Update to Hostmaster 7.x-3.174 + * Include an updated ctools, views, module_filter + * Include a new Golden Contrib module: Hosting Deploy + + -- Herman van Rink <helmo@initfour.nl> Thu, 04 Apr 2019 15:48:32 +0200 + +aegir3-provision (3.173) testing; urgency=medium + + * Update to Hostmaster 7.x-3.173 & Drupal 7.63. + + -- Jon Pugh <jon@thinkdrop.net> Fri, 18 Jan 2019 14:37:21 -0500 + + +aegir3-provision (3.172) testing; urgency=medium + + * Fix regression in legacy hosting_ssl: the logic for determining a certificate wasn't good, in the legacy module. #3020747 + + -- Jon Pugh <jon@thinkdrop.net> Wed, 09 Jan 2019 10:50:08 -0500 + +aegir3-provision (3.171) testing; urgency=medium + + * Fix regression in hosting_https, #3020747 + + -- Herman van Rink <helmo@initfour.nl> Sat, 22 Dec 2018 20:22:16 +0100 + +aegir3-provision (3.170) unstable; urgency=high + + * Bugfixes and UI improvements, see http://aegir.readthedocs.org/en/3.x/release-notes/3.17 + * Fixes a number of security issues. + * Include Drupal 7.61 + + -- Herman van Rink <helmo@initfour.nl> Wed, 19 Dec 2018 16:50:53 +0100 + aegir3-provision (3.161) testing; urgency=medium * Minor bugfix release diff --git a/debian/control b/debian/control index 0b084cca6f83fbafac8bd6858ec7d10e631c9eff..3dd4ca07d79d43f2ebab9ecff746cab4093c94ef 100644 --- a/debian/control +++ b/debian/control 
@@ -11,7 +11,7 @@ Vcs-browser: http://drupalcode.org/project/provision.git Package: aegir3-provision Architecture: all -Depends: ${misc:Depends}, php5-cli (>= 5.3) | php7.0-cli | php7.1-cli | php7.2-cli, php5 | php7.0-xml | php7.1-xml | php7.2-xml, php5-mysql | php7.0-mysql | php7.1-mysql | php7.2-mysql, mysql-client | mariadb-client, sudo, postfix | mail-transport-agent, apache2 | nginx, adduser, ucf, curl +Depends: ${misc:Depends}, php5-cli (>= 5.3) | php7.0-cli | php7.1-cli | php7.2-cli | php-cli, php5 | php7.0-xml | php7.1-xml | php7.2-xml | php-xml, php5-mysql | php7.0-mysql | php7.1-mysql | php7.2-mysql | php-mysql, mysql-client | mariadb-client, sudo, postfix | mail-transport-agent, apache2 | nginx, adduser, ucf, curl Recommends: mysql-server | mariadb-server, rsync, composer Conflicts: aegir-provision, aegir-provision2, aegir2-provision Replaces: aegir-provision, aegir-provision2, aegir2-provision 
@@ -30,8 +30,8 @@ Description: mass Drupal hosting system - backend Package: aegir3-hostmaster Architecture: all -Depends: ${misc:Depends}, php5-mysql | php7.0-mysql | php7.1-mysql | php7.2-mysql, php5-gd | php7.0-gd | php7.1-gd | php7.2-gd, apache2 | nginx, libapache2-mod-php5 | libapache2-mod-php7.0 | libapache2-mod-php7.1 | libapache2-mod-php7.2 | php5-fpm | php7.0-fpm | php7.1-fpm | php7.2-fpm,, aegir3-provision (>= ${source:Version}), git-core, unzip, lsb-base (>= 3.0-6) -Recommends: php5 | php7.0 | php7.1 | php7.2 +Depends: ${misc:Depends}, php5-mysql | php7.0-mysql | php7.1-mysql | php7.2-mysql | php-mysql, php5-gd | php7.0-gd | php7.1-gd | php7.2-gd | php-gd, apache2 | nginx, libapache2-mod-php5 | libapache2-mod-php7.0 | libapache2-mod-php7.1 | libapache2-mod-php7.2 | libapache2-mod-php | php5-fpm | php7.0-fpm | php7.1-fpm | php7.2-fpm | php-fpm, aegir3-provision (>= ${source:Version}), git-core, unzip, lsb-base (>= 3.0-6) +Recommends: php5 | php7.0 | php7.1 | php7.2 | php Conflicts: aegir-hostmaster, aegir-hostmaster2, aegir2-hostmaster Replaces: aegir-hostmaster, aegir-hostmaster2, aegir2-hostmaster Description: mass Drupal hosting system - frontend 
@@ -69,8 +69,8 @@ Description: mass Drupal hosting system Package: aegir3-cluster-slave Architecture: all -Depends: ${misc:Depends}, php5-mysql | php7.0-mysql | php7.1-mysql | php7.2-mysql, sudo, apache2, adduser, ucf, libapache2-mod-php5 | libapache2-mod-php7.0 | libapache2-mod-php7.1, libapache2-mod-php7.2, rsync, nfs-client, mysql-client -Recommends: php5-gd | php7.0-gd | php7.1-gd | php7.2-gd, php5 | php7.0 | php7.1 | php7.2 +Depends: ${misc:Depends}, php5-mysql | php7.0-mysql | php7.1-mysql | php7.2-mysql | php-mysql, sudo, apache2, adduser, ucf, libapache2-mod-php5 | libapache2-mod-php7.0 | libapache2-mod-php7.1 | libapache2-mod-php7.2 | libapache2-mod-php, rsync, nfs-client, mysql-client, aegir3-provision +Recommends: php5-gd | php7.0-gd | php7.1-gd | php7.2-gd, php5 | php7.0 | php7.1 | php7.2 | php Conflicts: aegir-cluster-slave, aegir-cluster-slave2, aegir2-cluster-slave, aegir3 Replaces: aegir-cluster-slave, aegir-cluster-slave2, aegir2-cluster-slave Description: mass Drupal hosting system - slave backend diff --git a/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php b/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php index f9cb9731ba5e6b0a7c87bf8aa4c4ebae9f72e105..f9f256bb2ba52af6fe6d5839e5615ba10832fdd3 100644 --- a/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php +++ b/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php @@ -1,5 +1,5 @@ -<?php if ($this->ssl_enabled && $this->ssl_key) : ?> +<?php if ($this->ssl_enabled && $this->ssl_key && $this->ssl_cert_ok) : ?> <VirtualHost <?php print "{$ip_address}:{$http_ssl_port}"; ?>> <?php if ($this->site_mail) : ?> @@ -82,7 +82,7 @@ if ($this->redirection) { # Prevent direct reading of files in the private dir. # This is for Drupal7 compatibility, which would normally drop # a .htaccess in those directories, but we explicitly ignore those - <Directory "<?php print $this->site_path; ?>/private/" > + <Directory ~ "sites/.*/private"> <Files *> SetHandler This_is_a_Drupal_security_line_do_not_remove </Files> 
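Review bot: `aegir3-cluster-slave` now depends on `aegir3-provision` with no version constraint, whereas `aegir3-hostmaster` in the previous hunk uses `aegir3-provision (>= ${source:Version})`; without the constraint apt may satisfy the dependency with an older provision from the stable repo while installing a newer slave, and the vhost templates changed in this same commit would then differ between the two. Suggest `aegir3-provision (>= ${source:Version})` for consistency. The comma that split the `libapache2-mod-php7.1, libapache2-mod-php7.2` alternatives into two mandatory dependencies is fixed here, which is the more important correction in this hunk.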
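Review bot: `<Directory ~ "sites/.*/private">` is unanchored at both ends and `.*` spans slashes, so it matches any directory whose full path contains `sites/` followed anywhere later by `private` — for example a contrib module at `sites/all/modules/privatemsg`, whose CSS and JS would then be handed to the `This_is_a_Drupal_security_line_do_not_remove` handler and stop being served. The same pattern is introduced in `subdir.tpl.php` and `vhost.tpl.php` in the next chunk. Anchoring the segment, `<Directory ~ "/sites/[^/]+/private(/|$)">`, still covers every site's private dir and its subdirectories (their paths contain the match) without catching unrelated names, and lines up with the `^/sites/.*/private/` form the nginx templates use. Over-matching only denies access, so the risk is availability rather than exposure, but it is a regression for modules with "private" in their directory name.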
diff --git a/http/Provision/Config/Apache/platform.tpl.php b/http/Provision/Config/Apache/platform.tpl.php index efe9b9903408e9aaa853891adc4a3436dff9017f..4f99f515d66e5f6b4a22d8edc60982c44bcc704d 100644 --- a/http/Provision/Config/Apache/platform.tpl.php +++ b/http/Provision/Config/Apache/platform.tpl.php @@ -1,7 +1,7 @@ <Directory <?php print $this->root; ?>> Order allow,deny Allow from all - Satisfy any + Satisfy All Require all granted <?php print $extra_config; ?> diff --git a/http/Provision/Config/Apache/subdir.tpl.php b/http/Provision/Config/Apache/subdir.tpl.php index b4dbde78fd43e2ca58298042970b960fd9fb80c7..cb594fe94afd1161fd3469f9d908f9d084d94111 100644 --- a/http/Provision/Config/Apache/subdir.tpl.php +++ b/http/Provision/Config/Apache/subdir.tpl.php @@ -39,7 +39,7 @@ Alias /<?php print $subdir; ?> <?php print $this->root; ?> # Prevent direct reading of files in the private dir. # This is for Drupal7 compatibility, which would normally drop # a .htaccess in those directories, but we explicitly ignore those -<Directory "<?php print $this->site_path; ?>/private/" > +<Directory ~ "sites/.*/private"> SetHandler This_is_a_Drupal_security_line_do_not_remove Deny from all Options None diff --git a/http/Provision/Config/Apache/vhost.tpl.php b/http/Provision/Config/Apache/vhost.tpl.php index 361ecbc5915800bdd4776cbdff5ebd05961da34e..54e7341f723dfe918ecc6dead4870420f19e0b8f 100644 --- a/http/Provision/Config/Apache/vhost.tpl.php +++ b/http/Provision/Config/Apache/vhost.tpl.php @@ -83,7 +83,7 @@ if ($this->redirection || $ssl_redirection) { # Prevent direct reading of files in the private dir. # This is for Drupal7 compatibility, which would normally drop # a .htaccess in those directories, but we explicitly ignore those - <Directory "<?php print $this->site_path; ?>/private/" > + <Directory ~ "sites/.*/private"> <Files *> SetHandler This_is_a_Drupal_security_line_do_not_remove </Files> 
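Review bot: `Satisfy All` changes the access model for the platform root: with `Satisfy any`, the unconditional `Allow from all` on its own satisfied access, so any `Require`/authentication directives layered in via `$extra_config` below could be short-circuited by the old-style allow, whereas with `All` both the host-based and the `Require`-based checks must pass. That is the right default, but it is a behaviour change for anyone who added basic auth to a platform and relied on `any`, so it deserves a comment in the template: `# Satisfy All: host rules AND Require/auth (incl. extra_config) must all pass; 'any' let "Allow from all" bypass authentication.`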
diff --git a/http/Provision/Config/Http/Ssl/Site.php b/http/Provision/Config/Http/Ssl/Site.php index 00658db17ba7ebb9b153b10b09bf89905e0f56f0..2170a5ae080e88eb575317869a2473c149d5f20d 100644 --- a/http/Provision/Config/Http/Ssl/Site.php +++ b/http/Provision/Config/Http/Ssl/Site.php @@ -9,12 +9,11 @@ class Provision_Config_Http_Ssl_Site extends Provision_Config_Http_Site { public $template = 'vhost_ssl.tpl.php'; public $disabled_template = 'vhost_ssl_disabled.tpl.php'; + public $ssl_cert_ok = TRUE; public $description = 'encrypted virtual host configuration'; function write() { - parent::write(); - if ($this->ssl_enabled && $this->ssl_key) { $path = dirname($this->data['ssl_cert']); // Make sure the ssl.d directory in the server ssl.d exists. 
@@ -28,28 +27,39 @@ class Provision_Config_Http_Ssl_Site extends Provision_Config_Http_Site { // XXX: test. data structure may not be sound. try d($this->uri) // if $this fails Provision_Service_http_ssl::assign_certificate_site($this->ssl_key, $this); - + // Copy the certificates to the server's ssl.d directory. - provision_file()->copy( - $this->data['ssl_cert_source'], - $this->data['ssl_cert']) - || drush_set_error('SSL_CERT_COPY_FAIL', dt('failed to copy SSL certificate in place')); - provision_file()->copy( - $this->data['ssl_cert_key_source'], - $this->data['ssl_cert_key']) - || drush_set_error('SSL_KEY_COPY_FAIL', dt('failed to copy SSL key in place')); + if (!provision_file()->copy($this->data['ssl_cert_source'], $this->data['ssl_cert'])->status()) { + drush_set_error('SSL_CERT_COPY_FAIL', dt('failed to copy SSL certificate in place')); + $this->ssl_cert_ok = FALSE; + } + if (!provision_file()->copy($this->data['ssl_cert_key_source'], $this->data['ssl_cert_key'])->status()) { + drush_set_error('SSL_KEY_COPY_FAIL', dt('failed to copy SSL key in place')); + $this->ssl_cert_ok = FALSE; + } // Copy the chain certificate, if it is set. if (!empty($this->data['ssl_chain_cert_source'])) { - provision_file()->copy( - $this->data['ssl_chain_cert_source'], - $this->data['ssl_chain_cert']) - || drush_set_error('SSL_CHAIN_COPY_FAIL', dt('failed to copy SSL certficate chain in place')); + if (!provision_file()->copy($this->data['ssl_chain_cert_source'], $this->data['ssl_chain_cert'])->status()) { + drush_set_error('SSL_CHAIN_COPY_FAIL', dt('failed to copy SSL certficate chain in place')); + $this->ssl_cert_ok = FALSE; + } } + + // If cert is not ok, turn off ssl_redirection. + if ($this->ssl_cert_ok == FALSE) { + $this->data['ssl_redirection'] = FALSE; + drush_log(dt('SSL Certificate preparation failed. SSL has been disabled for this site.'), 'warning'); + } + // Sync the key directory to the remote server. 
$this->data['server']->sync($path, array( 'exclude' => "{$path}/*.receipt", // Don't need to synch the receipts )); } + + // Call parent's write AFTER ensuring the certificates are in place to prevent + // the vhost from referencing missing files. + parent::write(); } /** diff --git a/http/Provision/Config/Nginx/Inc/vhost_include.tpl.php b/http/Provision/Config/Nginx/Inc/vhost_include.tpl.php index 9558567c6e478f1079d75769bcb71249029165bc..9272d9294af11dd1affe36abc8c211ccfdda6b9e 100644 --- a/http/Provision/Config/Nginx/Inc/vhost_include.tpl.php +++ b/http/Provision/Config/Nginx/Inc/vhost_include.tpl.php @@ -70,10 +70,32 @@ if ($main_site_name = '') { set $main_site_name "$server_name"; } +### +### Mitigation for https://www.drupal.org/SA-CORE-2018-002 +### +set $rce "ZZ"; +if ( $query_string ~* (23value|23default_value|element_parents=%23) ) { + set $rce "A"; +} +if ( $request_method = POST ) { + set $rce "${rce}B"; +} +if ( $rce = "AB" ) { + return 403; +} + <?php if ($nginx_config_mode == 'extended'): ?> set $nocache_details "Cache"; <?php if ($satellite_mode == 'boa'): ?> +### +### Return 404 on special PHP URLs to avoid revealing version used, +### even indirectly. See also: https://drupal.org/node/2116387 +### +if ( $args ~* "=PHP[A-Z0-9]{8}-" ) { + return 404; +} + ### ### Deny crawlers. ### @@ -112,7 +134,6 @@ if ($is_denied) { ### ### Add recommended HTTP headers ### -add_header Access-Control-Allow-Origin *; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; <?php endif; ?> @@ -149,7 +170,7 @@ location ^~ /httprl_async_function_callback { location ~* ^/httprl_async_function_callback { access_log off; set $nocache_details "Skip"; - try_files $uri @nobots; + try_files $uri @drupal; } } @@ -160,7 +181,7 @@ location ^~ /admin/httprl-test { location ~* ^/admin/httprl-test { access_log off; set $nocache_details "Skip"; - try_files $uri @nobots; + try_files $uri @drupal; } } 
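Review bot: When a certificate or key copy fails, `write()` now logs a warning, clears `ssl_redirection` and still calls `parent::write()`, so the site is published as a plain-HTTP vhost (the template guard on `$this->ssl_cert_ok` falls through to whatever the non-SSL branch renders) — a silent downgrade from HTTPS rather than a refusal to reconfigure. `drush_set_error` does fail the task, but the config on disk has already been replaced by then; consider returning before `parent::write()` when `$this->ssl_cert_ok` is false so the previous vhost stays in place, or at least state the downgrade explicitly in the warning text. `if ($this->ssl_cert_ok == FALSE)` should be `if (!$this->ssl_cert_ok)`, and the chained `->status()` presumes `provision_file()->copy()` returns an object, which this diff does not show. `write()` begins in the previous hunk and `public $ssl_cert_ok = TRUE;` added there has no docblock explaining that the template reads it.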
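Review bot: The `$rce` block only inspects `$query_string`, so it matches the documented SA-CORE-2018-002 probe shapes that carry the parameters in the URL but not requests that carry them in the body, and it keys on a fixed spelling of three parameter names; it is worthwhile defence in depth but not a substitute for patched core, and the header comment should say so to stop the config being read as the fix: `### Query-string-only defence in depth for SA-CORE-2018-002; does not cover request bodies — keep core patched.`. Removing the global `add_header Access-Control-Allow-Origin *;` from the extended block and re-adding it per static location is the right direction, since an `add_header` inside a location replaces the inherited set rather than merging with it. The `=PHP[A-Z0-9]{8}-` rule is a reasonable information-disclosure guard, though it only runs in `boa` mode.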
@@ -179,7 +200,7 @@ location ^~ /cdn/farfuture/ { gzip_http_version 1.0; if_modified_since exact; set $nocache_details "Skip"; - location ~* ^/cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff|eot|less)$ { + location ~* ^/cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff2?|eot|less)$ { expires max; add_header X-Header "CDN Far Future Generator 1.0"; add_header Cache-Control "no-transform, public"; @@ -188,7 +209,7 @@ location ^~ /cdn/farfuture/ { add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break; - try_files $uri @nobots; + try_files $uri @drupal; } location ~* ^/cdn/farfuture/ { expires epoch; @@ -198,9 +219,9 @@ location ^~ /cdn/farfuture/ { add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break; - try_files $uri @nobots; + try_files $uri @drupal; } - try_files $uri @nobots; + try_files $uri @drupal; } <?php endif; ?> @@ -211,6 +232,9 @@ location = /favicon.ico { access_log off; log_not_found off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /sites/$main_site_name/files/favicon.ico $uri =204; } @@ -221,6 +245,9 @@ location = /favicon.ico { location = /robots.txt { access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; <?php if ($nginx_config_mode == 'extended'): ?> try_files /sites/$main_site_name/files/$host.robots.txt /sites/$main_site_name/files/robots.txt $uri @cache; <?php else: ?> 
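Review bot: The three-line `add_header Access-Control-Allow-Origin *;` / `X-Content-Type-Options nosniff;` / `X-XSS-Protection "1; mode=block";` set is now pasted into each static location (favicon and robots.txt here, and again in the styles, imagecache, wysiwyg, css/js, json and `/files/` locations in the following chunks), because a location's own `add_header` discards the inherited ones. That is correct nginx semantics but a maintenance hazard: the next header change has to be applied in a dozen places and will drift. Moving the set into a small snippet next to the existing `post.d` include and writing `include <snippet-path>/static_headers.conf;` in each location keeps the per-location repetition nginx needs while giving it one source of truth. Note also that `X-XSS-Protection` is ignored by current browsers, so the duplication buys less than it appears to.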
@@ -305,10 +332,10 @@ location ^~ /cron/ { ### location ^~ /search { location ~* ^/search { - if ($is_bot) { + if ( $is_bot ) { return 403; } - try_files $uri @cache; + try_files $uri @drupal; } } @@ -317,7 +344,7 @@ location ^~ /search { ### location ^~ /js/ { location ~* ^/js/ { - if ($is_bot) { + if ( $is_bot ) { return 403; } rewrite ^/(.*)$ /js.php?q=$1 last; @@ -351,7 +378,7 @@ location ^~ /hosting/c/server_master { if ($cache_uid = '') { return 403; } - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -367,7 +394,7 @@ location ^~ /hosting/c/server_localhost { if ($cache_uid = '') { return 403; } - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -379,7 +406,7 @@ location ^~ /hosting/c/server_localhost { ### Fix for #2005116 ### location ^~ /hosting/sites { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -391,12 +418,12 @@ location ^~ /hosting/sites { ### Fix for Aegir & .info .pl domain extensions. ### location ^~ /hosting { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; set $nocache_details "Skip"; - try_files $uri @cache; + try_files $uri @drupal; } <?php if ($satellite_mode == 'boa'): ?> @@ -421,7 +448,7 @@ location ^~ /admin/config/development/performance/redis { ### Support for backup_migrate module download/restore/delete actions. ### location ^~ /admin { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -433,7 +460,7 @@ location ^~ /admin { ### Avoid caching /civicrm* and protect it from bots. ### location ^~ /civicrm { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -458,7 +485,7 @@ location ~* ^/\w\w/civicrm { ### location ^~ /audio/download { location ~* ^/audio/download/.*/.*\.(?:mp3|mp4|m4a|ogg)$ { - if ($is_bot) { + if ( $is_bot ) { return 403; } tcp_nopush off; 
@@ -515,11 +542,11 @@ location ~* (?:cgi-bin|vti-bin) { ### Deny bots on some weak modules uri. ### location ~* (?:validation|aggregator|vote_up_down|captcha|vbulletin|glossary/) { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; - try_files $uri @cache; + try_files $uri @drupal; } ### @@ -557,6 +584,9 @@ location ~* /sites/.*/files/styles/(.*)$ { access_log off; log_not_found off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; <?php if ($nginx_config_mode == 'extended'): ?> set $nocache_details "Skip"; <?php endif; ?> @@ -570,6 +600,9 @@ location ~* /s3/files/styles/(.*)$ { access_log off; log_not_found off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; <?php if ($nginx_config_mode == 'extended'): ?> set $nocache_details "Skip"; <?php endif; ?> @@ -583,6 +616,9 @@ location ~* /sites/.*/files/imagecache/(.*)$ { access_log off; log_not_found off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; <?php if ($nginx_config_mode == 'extended'): ?> # fix common problems with old paths after import from standalone to Aegir multisite rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$main_site_name/files/imagecache/$2/$3 last; @@ -634,7 +670,7 @@ include <?php print $aegir_root; ?>/config/server_master/nginx/post.d/nginx_vhos ### Note: this location doesn't work with X-Accel-Redirect. ### location ~* ^/sites/.*/files/private/ { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -651,7 +687,7 @@ location ~* ^/sites/.*/files/private/ { location ~* ^/sites/.*/private/ { internal; <?php if ($nginx_config_mode == 'extended'): ?> - if ($is_bot) { + if ( $is_bot ) { return 403; } <?php endif; ?> 
@@ -665,7 +701,7 @@ location ~* ^/sites/.*/private/ { ### location ~* /files/private/ { internal; - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -677,7 +713,10 @@ location ~* /files/private/ { location ~* wysiwyg_fields/(?:plugins|scripts)/.*\.(?:js|css) { access_log off; log_not_found off; - try_files $uri @nobots; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + try_files $uri @drupal; } ### @@ -698,7 +737,7 @@ location ~* files/advagg_(?:css|js)/ { add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; set $nocache_details "Skip"; - try_files $uri @nobots; + try_files $uri @drupal; } ### @@ -715,9 +754,19 @@ location ~* \.css$ { access_log off; tcp_nodelay off; expires max; #if using aggregator + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /cache/perm/$host${uri}_.css $uri =404; } +### +### Support for dynamic /sw.js requests. See #2982073 on drupal.org +### +location = /sw.js { + try_files $uri @drupal; +} + ### ### Make js files compatible with boost caching. ### @@ -732,9 +781,19 @@ location ~* \.(?:js|htc)$ { access_log off; tcp_nodelay off; expires max; # if using aggregator + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /cache/perm/$host${uri}_.js $uri =404; } +### +### Support for dynamic .json requests. +### +location ~* \.json$ { + try_files $uri @drupal; +} + ### ### Support for static .json files with fast 404 +Boost compatibility. ### 
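Review bot: The new `location ~* \.json$ { try_files $uri @drupal; }` is placed ahead of the static `location ~* ^/sites/.*/files/.*\.json$` block that the next hunk keeps, and regex locations are tried in order of appearance, so every `/sites/*/files/*.json` request now matches the generic block first and is handed to `@drupal` instead of being served from disk with `expires max`. The block's old position, deleted in the following hunk, was below the specific pattern. Unless a `^~` prefix location for `/sites/` intercepts these URIs earlier — none is visible in this diff — the static block becomes unreachable; moving the dynamic block back below it restores the previous ordering.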
@@ -746,16 +805,12 @@ location ~* ^/sites/.*/files/.*\.json$ { access_log off; tcp_nodelay off; expires max; ### if using aggregator + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /cache/normal/$host${uri}_.json $uri =404; } -### -### Support for dynamic .json requests. -### -location ~* \.json$ { - try_files $uri @cache; -} - ### ### Helper location to bypass boost static files cache for logged in users. ### @@ -770,6 +825,48 @@ location @uncached { ### location ^~ /files/ { + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + +<?php if ($satellite_mode == 'boa'): ?> + ### + ### Sub-location to support Flash Video (FLV) files with short URIs. + ### + location ~* /files/.+\.flv$ { + flv; + tcp_nodelay off; + tcp_nopush off; + expires 30d; + access_log off; + log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + rewrite ^/files/(.*)$ /sites/$main_site_name/files/$1 last; + try_files $uri =404; + } + + ### + ### Sub-location to support H.264/AAC files with short URIs. + ### + location ~* /files/.+\.(?:mp4|m4a)$ { + mp4; + mp4_buffer_size 1m; + mp4_max_buffer_size 5m; + tcp_nodelay off; + tcp_nopush off; + expires 30d; + access_log off; + log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + rewrite ^/files/(.*)$ /sites/$main_site_name/files/$1 last; + try_files $uri =404; + } +<?php endif; ?> + ### ### Sub-location to support files/styles with short URIs. ### 
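Review bot: `flv;` and `mp4;` in the new `/files/` sub-locations require an nginx built with `ngx_http_flv_module` and `ngx_http_mp4_module`; on a binary without them `nginx -t` fails and the vhost is not reloaded, which is presumably why the block sits under `$satellite_mode == 'boa'`, but nothing says so. A comment next to the guard, `### BOA only: flv/mp4 directives need the flv and mp4 modules compiled in.`, makes the dependency explicit for anyone tempted to lift the block out of the guard.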
@@ -801,7 +898,7 @@ location ^~ /files/ { try_files /sites/$main_site_name/files/imagecache/$1 $uri @drupal; } - location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa|css|js)$ { + location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa|css|js)$ { expires 30d; tcp_nodelay off; access_log off; @@ -820,11 +917,14 @@ location ^~ /files/ { ### Map /downloads/ shortcut early to avoid overrides in other locations. ### location ^~ /downloads/ { - location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ { + location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ { expires 30d; tcp_nodelay off; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; rewrite ^/downloads/(.*)$ /sites/$main_site_name/files/downloads/$1 last; try_files $uri =404; } 
@@ -839,11 +939,14 @@ location ^~ /downloads/ { ### Serve & no-log static files & images directly, ### without all standard drupal rewrites, php-fpm etc. ### -location ~* ^.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|mp3|wav|midi)$ { +location ~* ^.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|mp3|wav|midi)$ { expires 30d; tcp_nodelay off; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; rewrite ^/images/(.*)$ /sites/$main_site_name/files/images/$1 last; rewrite ^/.+/sites/.+/files/(.*)$ /sites/$main_site_name/files/$1 last; try_files $uri =404; @@ -859,6 +962,9 @@ location ~* ^.+\.(?:avi|mpe?g|mov|wmv|ogg|ogv|zip|tar|t?gz|rar|dmg|exe|apk|pxl|i tcp_nopush off; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; rewrite ^/.+/sites/.+/files/(.*)$ /sites/$main_site_name/files/$1 last; try_files $uri =404; } @@ -874,6 +980,9 @@ location ~* ^/sites/.+/files/.+\.(?:pdf|aspx?)$ { tcp_nodelay off; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files $uri =404; } @@ -888,6 +997,9 @@ location ~* ^.+\.flv$ { expires 30d; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files $uri =404; } 
@@ -903,6 +1015,9 @@ location ~* ^.+\.(?:mp4|m4a)$ { expires 30d; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files $uri =404; } <?php endif; ?> @@ -914,6 +1029,9 @@ location ~* /(?:cross-?domain)\.xml$ { access_log off; tcp_nodelay off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files $uri =404; } @@ -928,7 +1046,7 @@ location ~* /(?:modules|libraries)/(?:contrib/)?(?:ad|tinybrowser|f?ckeditor|tin tcp_nopush off; keepalive_requests 0; access_log off; - if ($is_bot) { + if ( $is_bot ) { return 403; } try_files $uri =404; @@ -945,14 +1063,14 @@ location ~* /(?:modules|libraries)/(?:contrib/)?(?:ad|tinybrowser|f?ckeditor|tin ### Deny crawlers and never cache known AJAX requests. ### location ~* /(?:ahah|ajax|batch|autocomplete|done|progress/|x-progress-id|js/.*) { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; log_not_found off; <?php if ($nginx_config_mode == 'extended'): ?> set $nocache_details "Skip"; - try_files $uri @nobots; + try_files $uri @drupal; <?php else: ?> try_files $uri @drupal; <?php endif; ?> @@ -962,12 +1080,15 @@ location ~* /(?:ahah|ajax|batch|autocomplete|done|progress/|x-progress-id|js/.*) ### Serve & no-log static helper files used in some wysiwyg editors. ### location ~* ^/sites/.*/(?:modules|libraries)/(?:contrib/)?(?:tinybrowser|f?ckeditor|tinymce|flowplayer|jwplayer|videomanager)/.*\.(?:html?|xml)$ { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; tcp_nodelay off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files $uri =404; } 
@@ -978,6 +1099,9 @@ location ~* ^/sites/.*/files/ { access_log off; tcp_nodelay off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files $uri =404; } @@ -1012,8 +1136,16 @@ location ~* \.xml$ { ### ### Deny bots on never cached uri. ### -location ~* ^/(?:.*/)?(?:admin|user|cart|checkout|logout|comment/reply) { - if ($is_bot) { +location ~* ^/(?:admin|user|cart|checkout|logout) { + if ( $is_bot ) { + return 403; + } + access_log off; + set $nocache_details "Skip"; + try_files $uri @drupal; +} +location ~* ^/\w\w/(?:admin|user|cart|checkout|logout) { + if ( $is_bot ) { return 403; } access_log off; @@ -1024,8 +1156,8 @@ location ~* ^/(?:.*/)?(?:admin|user|cart|checkout|logout|comment/reply) { ### ### Protect from DoS attempts on never cached uri. ### -location ~* ^/(?:.*/)?(?:node/[0-9]+/edit|node/add) { - if ($is_bot) { +location ~* ^/(?:.*/)?(?:node/[0-9]+/edit|node/add|comment/reply) { + if ( $is_bot ) { return 403; } access_log off; @@ -1040,7 +1172,7 @@ location ~* ^/(?:.*/)?(?:node/[0-9]+/delete|approve) { if ($cache_uid = '') { return 403; } - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -1079,7 +1211,6 @@ location ~ ^/(?<esi>esi/.*)"$ { add_header X-This-Proto "$http_x_forwarded_proto"; add_header X-Server-Name "$main_site_name"; add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"; - add_header Access-Control-Allow-Origin *; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; ### 
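Review bot: Splitting `^/(?:.*/)?(?:admin|user|cart|checkout|logout|comment/reply)` into `^/(?:admin|...)` and `^/\w\w/(?:admin|...)` narrows the bot-deny / `nocache` rule: a language prefix that is not exactly two word characters (`pt-br`, `zh-hans`, `fr-ca`) or any deeper prefix no longer matches, so a request such as `/pt-br/user/login` falls through to whatever regex location follows and may become cacheable. The subdir template keeps the old `(?:.*/)?` form in its hunk near the end of this diff, so the two templates now disagree. If the goal is to stop matching `.*/admin` anywhere in the path, a bounded prefix such as `^/(?:[a-z]{2}(?:-[a-z]+)?/)?(?:admin|user|cart|checkout|logout)` covers the language-prefix cases in one block.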
@@ -1105,16 +1236,16 @@ location ~ ^/(?<esi>esi/.*)"$ { fastcgi_cache_methods GET HEAD; fastcgi_cache_min_uses 1; fastcgi_cache_key "$scheme$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg"; - fastcgi_cache_valid 200 5s; - fastcgi_cache_valid 301 1m; - fastcgi_cache_valid 302 403 404 1s; + fastcgi_cache_valid 200 3s; + fastcgi_cache_valid 301 302 403 404 1s; + fastcgi_cache_valid any 1s; fastcgi_cache_lock on; - fastcgi_ignore_headers Cache-Control Expires; + fastcgi_ignore_headers Cache-Control Expires Vary; fastcgi_pass_header Set-Cookie; fastcgi_pass_header X-Accel-Expires; fastcgi_pass_header X-Accel-Redirect; - fastcgi_no_cache $cookie_NoCacheID $http_authorization $http_pragma $nocache; - fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $http_pragma $nocache; + fastcgi_no_cache $cookie_NoCacheID $http_authorization $nocache; + fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $nocache; fastcgi_cache_use_stale error http_500 http_503 invalid_header timeout updating; tcp_nopush off; keepalive_requests 0; @@ -1128,13 +1259,6 @@ if ( $args ~* "/autocomplete/" ) { return 405; } error_page 405 = @drupal; - -### -### Rewrite legacy requests with /index.php to extension-free URL. -### -if ( $args ~* "^q=(?<query_value>.*)" ) { - rewrite ^/index.php$ $scheme://$host/?q=$query_value? permanent; -} <?php endif; ?> <?php endif; ?> 
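Review bot: `fastcgi_cache_valid any 1s` together with `fastcgi_ignore_headers Cache-Control Expires Vary` (the same pair of changes appears in the `/index.php` hunk further down) widens what the cache will store: any status the upstream returns — 5xx, 401, 429 — is now cached, and with `Vary` ignored, content-negotiated responses are distinguished only by the `fastcgi_cache_key` variables, so isolation between clients rests entirely on `$cache_uid`, `$cookie_respimg` and the `fastcgi_no_cache` conditions visible here. Dropping `$http_pragma` from `fastcgi_no_cache`/`fastcgi_cache_bypass` removes a client-triggerable cache bypass, a reasonable hardening against forced cache misses, but the commit leaves it unexplained. Listing the statuses explicitly, `fastcgi_cache_valid 500 502 503 504 1s;`, and adding `### Vary is ignored on purpose: the cache key already carries is_bot/device/uid/respimg.` would record the invariant the next reader has to preserve.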
@@ -1195,65 +1319,61 @@ location @cache { ### Send all not cached requests to drupal with clean URLs support. ### location @drupal { -<?php if ($nginx_config_mode == 'extended'): ?> - error_page 418 = @nobots; - if ($args) { - return 418; - } -<?php endif; ?> + set $core_detected "Legacy"; + set $location_detected "Nowhere"; ### - ### For Drupal >= 7 + ### Detect ### - if ($sent_http_x_generator) { - add_header X-Info-Gen "Modern"; - rewrite ^ /index.php?$query_string last; + if ( -e $document_root/web.config ) { + set $core_detected "Regular"; + } + if ( -e $document_root/core ) { + set $core_detected "Modern"; + } + error_page 402 = @legacy; + if ( $core_detected = Legacy ) { + return 402; + } + error_page 406 = @regular; + if ( $core_detected = Regular ) { + return 406; + } + error_page 418 = @modern; + if ( $core_detected = Modern ) { + return 418; } ### - ### For Drupal <= 6 + ### Fallback ### - rewrite ^/(.*)$ /index.php?q=$1 last; + set $location_detected "Fallback"; + rewrite ^ /index.php?$query_string last; } -<?php if ($nginx_config_mode == 'extended'): ?> ### -### Special location for bots custom restrictions; can be overridden. +### Special location for Drupal 6. ### -location @nobots { - ### - ### Support for Accelerated Mobile Pages (AMP) when bots are redirected below - ### - # if ( $query_string ~ "^amp$" ) { - # rewrite ^/(.*)$ /index.php?q=$1 last; - # } - - ### - ### Send all known bots to $args free URLs (optional) - ### - # if ($is_bot) { - # return 301 $scheme://$host$request_uri; - # } +location @legacy { + set $location_detected "Legacy"; + rewrite ^/(.*)$ /index.php?q=$1 last; +} - ### - ### Return 404 on special PHP URLs to avoid revealing version used, - ### even indirectly. See also: https://drupal.org/node/2116387 - ### - if ( $args ~* "=PHP[A-Z0-9]{8}-" ) { - return 404; - } +### +### Special location for Drupal 7. 
+### +location @regular { + set $location_detected "Regular"; + rewrite ^ /index.php?$query_string last; +} - ### - ### For Drupal >= 7 - ### - if ($sent_http_x_generator) { - add_header X-Info-Gen "Modern"; - rewrite ^ /index.php?$query_string last; - } - ### - ### For Drupal <= 6 - ### - rewrite ^/(.*)$ /index.php?q=$1 last; +### +### Special location for Drupal 8. +### +location @modern { + set $location_detected "Modern"; + try_files $uri /index.php?$query_string; } +<?php if ($nginx_config_mode == 'extended'): ?> ### ### Send all non-static requests to php-fpm, restricted to known php file. ### @@ -1265,13 +1385,17 @@ location = /index.php { add_header X-GeoIP-Country-Name "$geoip_country_name"; <?php endif; ?> <?php if ($nginx_config_mode == 'extended'): ?> + add_header X-Core-Variant "$core_detected"; + add_header X-Loc-Where "$location_detected"; + add_header X-Http-Pragma "$http_pragma"; + add_header X-Arg-Nocache "$arg_nocache"; + add_header X-Arg-Comment "$arg_comment"; add_header X-Speed-Cache "$upstream_cache_status"; add_header X-Speed-Cache-UID "$cache_uid"; add_header X-Speed-Cache-Key "$key_uri"; add_header X-NoCache "$nocache_details"; add_header X-This-Proto "$http_x_forwarded_proto"; add_header X-Server-Name "$main_site_name"; - add_header Access-Control-Allow-Origin *; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; <?php endif; ?> 
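Review bot: The removed `@nobots` block carried `if ( $args ~* "=PHP[A-Z0-9]{8}-" ) { return 404; }`, which the original comment describes as hiding the PHP version via the special PHP query strings; the new `@drupal`/`@legacy`/`@regular`/`@modern` chain does not reinstate it, so unless `expose_php = Off` is enforced for every pool this is a small information-disclosure regression. The `-e $document_root/web.config` and `-e $document_root/core` tests also add two stat() calls to every request that reaches `@drupal`, and the `return 402/406/418` plus `error_page` hops reuse client-facing status codes as internal jump labels; both deserve a comment, e.g. `### Core version is detected per request from the docroot (two stat() calls); 402/406/418 are internal jump codes only.`. Consider keeping the `=PHP[A-Z0-9]{8}-` check at the top of `@drupal`, where every variant passes through.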
@@ -1296,20 +1420,23 @@ location = /index.php { if ( $nocache_details ~ (?:AegirCookie|Args|Skip) ) { set $nocache "NoCache"; } + add_header X-Debug-NoCache-Switch "$nocache"; + add_header X-Debug-NoCache-Auth "$http_authorization"; + add_header X-Debug-NoCache-Cookie "$cookie_NoCacheID"; fastcgi_cache speed; fastcgi_cache_methods GET HEAD; ### Nginx default, but added for clarity fastcgi_cache_min_uses 1; fastcgi_cache_key "$scheme$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg"; - fastcgi_cache_valid 200 10s; - fastcgi_cache_valid 301 1m; - fastcgi_cache_valid 302 403 404 1s; + fastcgi_cache_valid 200 3s; + fastcgi_cache_valid 301 302 403 404 1s; + fastcgi_cache_valid any 1s; fastcgi_cache_lock on; - fastcgi_ignore_headers Cache-Control Expires; + fastcgi_ignore_headers Cache-Control Expires Vary; fastcgi_pass_header Set-Cookie; fastcgi_pass_header X-Accel-Expires; fastcgi_pass_header X-Accel-Redirect; - fastcgi_no_cache $cookie_NoCacheID $http_authorization $http_pragma $nocache; - fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $http_pragma $nocache; + fastcgi_no_cache $cookie_NoCacheID $http_authorization $nocache; + fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $nocache; fastcgi_cache_use_stale error http_500 http_503 invalid_header timeout updating; } <?php endif; ?> @@ -1324,7 +1451,7 @@ location ~* ^/(?:index|cron|boost_stats|update|authorize|xmlrpc)\.php$ { <?php endif; ?> <?php if ($satellite_mode == 'boa'): ?> limit_conn limreq 88; - if ($is_bot) { + if ( $is_bot ) { return 404; } <?php endif; ?> diff --git a/http/Provision/Config/Nginx/subdir.tpl.php b/http/Provision/Config/Nginx/subdir.tpl.php index a45b88dfa3795716d7e8e761061dce75444978ec..087358850c649cf66f39b76e70496879cdf472cc 100644 --- a/http/Provision/Config/Nginx/subdir.tpl.php +++ b/http/Provision/Config/Nginx/subdir.tpl.php 
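Review bot: `add_header X-Debug-NoCache-Auth "$http_authorization";` reflects the client's `Authorization` header — for HTTP Basic auth the base64 username:password — into a response header, and `X-Debug-NoCache-Cookie "$cookie_NoCacheID"` does the same for a cookie value. The values only travel back to the sender, but response headers are captured by browser HAR exports, CDN/proxy logs and APM tooling, so credentials land in places the request path never put them. These read as temporary diagnostics: drop them before merge, or reduce them to presence flags such as `add_header X-Debug-NoCache-Auth "$has_auth";` with `$has_auth` derived from an http-level `map $http_authorization $has_auth { "" 0; default 1; }`. The `X-Http-Pragma`, `X-Arg-Nocache` and `X-Arg-Comment` headers added in the `/index.php` hunk on the previous line echo request inputs verbatim and should get the same treatment.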
@@ -75,7 +75,13 @@ $subdir_dot = str_replace('/', '.', $subdir); // use this simple fallback to guarantee that empty db_port does not // break Nginx reload which results with downtime for the affected vhosts. if (!$db_port) { - $db_port = $this->server->db_port ? $this->server->db_port : '3306'; + $ctrlf = '/data/conf/' . $script_user . '_use_proxysql.txt'; + if (provision_file()->exists($ctrlf)->status()) { + $db_port = '6033'; + } + else { + $db_port = $this->server->db_port ? $this->server->db_port : '3306'; + } } ?> ####################################################### @@ -97,11 +103,24 @@ if ($subdir_main_site_name = '') { set $subdir_main_site_name "$server_name"; } +# Mitigation for https://www.drupal.org/SA-CORE-2018-002 +set $rce "ZZ"; +if ( $query_string ~* (23value|23default_value|element_parents=%23) ) { + set $rce "A"; +} + +if ( $request_method = POST ) { + set $rce "${rce}B"; +} + +if ( $rce = "AB" ) { + return 403; +} + <?php if ($nginx_config_mode == 'extended'): ?> ### ### Add recommended HTTP headers ### -add_header Access-Control-Allow-Origin *; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; @@ -110,6 +129,10 @@ add_header X-XSS-Protection "1; mode=block"; ### location ^~ /<?php print $subdir; ?>/sites/default/files { + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + root <?php print "{$this->root}"; ?>; location ~* ^/<?php print $subdir; ?>/sites/default/files/imagecache { 
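Review bot: The ProxySQL switch hard-codes both the control-file location `/data/conf/<user>_use_proxysql.txt` and the port `6033` into the template and runs unconditionally, although the `/data/conf` layout looks BOA-specific and this template already fences other BOA-only blocks with `$satellite_mode == 'boa'`. Wrapping the `provision_file()->exists($ctrlf)` check in that guard, or at least documenting it — `// BOA only: a per-user control file in /data/conf switches the site to the local ProxySQL listener on 6033.` — keeps the default Aegir path unchanged and tells the reader where the file comes from.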
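Review bot: The SA-CORE-2018-002 block inspects only `$query_string`, so it is a partial, defence-in-depth filter rather than a fix, and the comment should say so: `# Partial mitigation for https://www.drupal.org/SA-CORE-2018-002 (query string only); the real fix is the core update.`. The pattern `23value|23default_value` is unanchored and matched with `~*`, so any POST whose query string merely contains that substring gets a 403; if the `%` is intended, `%23value|%23default_value` is the more precise form (nginx treats `%` literally in PCRE). I do not see the equivalent block in the vhost template hunks of this diff; if it exists or is added there, keep the two copies identical.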
@@ -118,7 +141,7 @@ location ^~ /<?php print $subdir; ?>/sites/default/files { expires 30d; set $nocache_details "Skip"; rewrite ^/<?php print $subdir; ?>/sites/default/files/imagecache/(.*)$ /<?php print $subdir; ?>/sites/$subdir_main_site_name/files/imagecache/$1 last; - try_files $uri @drupal_<?php print $subdir_loc; ?>; + try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>; } location ~* ^/<?php print $subdir; ?>/sites/default/files/styles { access_log off; @@ -126,7 +149,7 @@ location ^~ /<?php print $subdir; ?>/sites/default/files { expires 30d; set $nocache_details "Skip"; rewrite ^/<?php print $subdir; ?>/sites/default/files/styles/(.*)$ /<?php print $subdir; ?>/sites/$subdir_main_site_name/files/styles/$1 last; - try_files $uri @drupal_<?php print $subdir_loc; ?>; + try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>; } location ~* ^/<?php print $subdir; ?>/sites/default/files { access_log off; @@ -205,7 +228,7 @@ location ^~ /<?php print $subdir; ?> { location ~* ^/<?php print $subdir; ?>/httprl_async_function_callback { access_log off; set $nocache_details "Skip"; - try_files /httprl_async_function_callback $uri @nobots_<?php print $subdir_loc; ?>; + try_files /httprl_async_function_callback $uri @drupal_<?php print $subdir_loc; ?>; } } @@ -216,7 +239,7 @@ location ^~ /<?php print $subdir; ?> { location ~* ^/<?php print $subdir; ?>/admin/httprl-test { access_log off; set $nocache_details "Skip"; - try_files /admin/httprl-test $uri @nobots_<?php print $subdir_loc; ?>; + try_files /admin/httprl-test $uri @drupal_<?php print $subdir_loc; ?>; } } 
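Review bot: `try_files /$1 $uri @drupal_...` in the `sites/default/files/imagecache` and `styles` sub-locations references `$1`, but those location regexes contain no capture group and the preceding `rewrite ... last` leaves the block whenever it matches, so at `try_files` time `$1` is either empty or whatever an earlier regex in the request happened to set. With an empty `$1` the first candidate becomes `/`, a directory check on the docroot that always succeeds and most likely turns the request into a directory request in this location's context rather than falling through to `$uri`. If the intent matches the capturing sub-locations elsewhere in this template, add the group to the location regex — `location ~* ^/<?php print $subdir; ?>/(sites/default/files/imagecache.*)$ {` — or drop `/$1` here. The same `/$1` appears at the end of the `/files/` prefix location in the `@@ -545` hunk and in the `@@ -929` hunk near the end, where no capture is visible either.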
@@ -231,7 +254,7 @@ location ^~ /<?php print $subdir; ?> { gzip_http_version 1.0; if_modified_since exact; set $nocache_details "Skip"; - location ~* ^/<?php print $subdir; ?>/(cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff|eot|less))$ { + location ~* ^/<?php print $subdir; ?>/(cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff2?|eot|less))$ { expires max; add_header X-Header "CDN Far Future Generator 1.0"; add_header Cache-Control "no-transform, public"; @@ -240,7 +263,7 @@ location ^~ /<?php print $subdir; ?> { add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; rewrite ^/<?php print $subdir; ?>/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break; - try_files /$1 $uri @nobots_<?php print $subdir_loc; ?>; + try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>; } location ~* ^/<?php print $subdir; ?>/(cdn/farfuture/) { expires epoch; @@ -250,9 +273,9 @@ location ^~ /<?php print $subdir; ?> { add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; rewrite ^/<?php print $subdir; ?>/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break; - try_files /$1 $uri @nobots_<?php print $subdir_loc; ?>; + try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>; } - try_files $uri @nobots_<?php print $subdir_loc; ?>; + try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>; } <?php endif; ?> @@ -263,6 +286,9 @@ location ^~ /<?php print $subdir; ?> { access_log off; log_not_found off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /sites/$subdir_main_site_name/files/favicon.ico /sites/$host/files/favicon.ico /favicon.ico $uri =204; } 
@@ -273,6 +299,9 @@ location ^~ /<?php print $subdir; ?> { location = /<?php print $subdir; ?>/robots.txt { access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; <?php if ($nginx_config_mode == 'extended'): ?> try_files /sites/$subdir_main_site_name/files/$host.robots.txt /sites/$subdir_main_site_name/files/robots.txt /sites/$host/files/robots.txt /robots.txt $uri @cache_<?php print $subdir_loc; ?>; <?php else: ?> @@ -345,10 +374,10 @@ location ^~ /<?php print $subdir; ?> { ### location ^~ /<?php print $subdir; ?>/search { location ~* ^/<?php print $subdir; ?>/search { - if ($is_bot) { + if ( $is_bot ) { return 403; } - try_files /search $uri @cache_<?php print $subdir_loc; ?>; + try_files /search $uri @drupal_<?php print $subdir_loc; ?>; } } @@ -357,7 +386,7 @@ location ^~ /<?php print $subdir; ?> { ### location ^~ /<?php print $subdir; ?>/js/ { location ~* ^/<?php print $subdir; ?>/js/ { - if ($is_bot) { + if ( $is_bot ) { return 403; } rewrite ^/<?php print $subdir; ?>/(.*)$ /js.php?q=$1 last; @@ -403,7 +432,7 @@ location ^~ /<?php print $subdir; ?> { ### Support for backup_migrate module download/restore/delete actions. ### location ^~ /<?php print $subdir; ?>/admin { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -415,7 +444,7 @@ location ^~ /<?php print $subdir; ?> { ### Avoid caching /civicrm* and protect it from bots. ### location ^~ /<?php print $subdir; ?>/civicrm { - if ($is_bot) { + if ( $is_bot ) { return 403; } set $nocache_details "Skip"; @@ -427,7 +456,7 @@ location ^~ /<?php print $subdir; ?> { ### location ^~ /<?php print $subdir; ?>/audio/download { location ~* ^/<?php print $subdir; ?>/(audio/download/.*/.*\.(?:mp3|mp4|m4a|ogg))$ { - if ($is_bot) { + if ( $is_bot ) { return 403; } tcp_nopush off; 
@@ -483,7 +512,7 @@ location ^~ /<?php print $subdir; ?> { rewrite ^/<?php print $subdir; ?>/(.*)\.r(\.(?:jpe?g|png|gif))$ /<?php print $subdir; ?>/$1$2 last; access_log off; set $nocache_details "Skip"; - try_files $uri @drupal_<?php print $subdir_loc; ?>; + try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>; } ### @@ -496,7 +525,7 @@ location ^~ /<?php print $subdir; ?> { } access_log off; set $nocache_details "Skip"; - try_files $uri @drupal_<?php print $subdir_loc; ?>; + try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>; } <?php endif; ?> @@ -505,6 +534,10 @@ location ^~ /<?php print $subdir; ?> { ### location ^~ /<?php print $subdir; ?>/files/ { + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + ### ### Sub-location to support files/styles with short URIs. ### @@ -536,7 +569,7 @@ location ^~ /<?php print $subdir; ?> { try_files /<?php print $subdir; ?>/sites/$subdir_main_site_name/files/imagecache/$1 $uri @drupal_<?php print $subdir_loc; ?>; } - location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa|css|js)$ { + location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa|css|js)$ { expires 30d; tcp_nodelay off; access_log off; @@ -545,9 +578,9 @@ location ^~ /<?php print $subdir; ?> { try_files $uri =404; } <?php if ($nginx_config_mode == 'extended'): ?> - try_files $uri @cache_<?php print $subdir_loc; ?>; + try_files /$1 $uri @cache_<?php print $subdir_loc; ?>; <?php else: ?> - try_files $uri @drupal_<?php print $subdir_loc; ?>; + try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>; <?php endif; ?> } 
@@ -559,6 +592,9 @@ location ^~ /<?php print $subdir; ?> { access_log off; log_not_found off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; <?php if ($nginx_config_mode == 'extended'): ?> set $nocache_details "Skip"; <?php endif; ?> @@ -572,6 +608,9 @@ location ^~ /<?php print $subdir; ?> { access_log off; log_not_found off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; <?php if ($nginx_config_mode == 'extended'): ?> set $nocache_details "Skip"; <?php endif; ?> @@ -600,7 +639,7 @@ location ^~ /<?php print $subdir; ?> { ### Note: this location doesn't work with X-Accel-Redirect. ### location ~* ^/<?php print $subdir; ?>/(sites/.*/files/private/.*) { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -617,7 +656,7 @@ location ^~ /<?php print $subdir; ?> { ### location ~* ^/<?php print $subdir; ?>/sites/.*/private/ { <?php if ($nginx_config_mode == 'extended'): ?> - if ($is_bot) { + if ( $is_bot ) { return 403; } <?php endif; ?> @@ -631,7 +670,7 @@ location ^~ /<?php print $subdir; ?> { ### Note: this location works with X-Accel-Redirect. ### location ~* /<?php print $subdir; ?>/files/private/ { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -644,7 +683,10 @@ location ^~ /<?php print $subdir; ?> { location ~* ^/<?php print $subdir; ?>/(.*/wysiwyg_fields/(?:plugins|scripts)/.*\.(?:js|css)) { access_log off; log_not_found off; - try_files /$1 $uri @nobots_<?php print $subdir_loc; ?>; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>; } ### 
@@ -664,7 +706,7 @@ location ^~ /<?php print $subdir; ?> { add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; set $nocache_details "Skip"; - try_files /$1 $uri @nobots_<?php print $subdir_loc; ?>; + try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>; } ### @@ -674,6 +716,9 @@ location ^~ /<?php print $subdir; ?> { access_log off; tcp_nodelay off; expires max; #if using aggregator + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /cache/perm/$host${uri}_.css /$1 $uri =404; } @@ -684,6 +729,9 @@ location ^~ /<?php print $subdir; ?> { access_log off; tcp_nodelay off; expires max; # if using aggregator + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /cache/perm/$host${uri}_.js /$1 $uri =404; } @@ -694,6 +742,9 @@ location ^~ /<?php print $subdir; ?> { access_log off; tcp_nodelay off; expires max; ### if using aggregator + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /cache/normal/$host${uri}_.json /$1 $uri =404; } @@ -701,7 +752,7 @@ location ^~ /<?php print $subdir; ?> { ### Support for dynamic .json requests. ### location ~* (.*\.json)$ { - try_files /$1 $uri @cache_<?php print $subdir_loc; ?>; + try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>; } <?php endif; ?> 
@@ -709,11 +760,14 @@ location ^~ /<?php print $subdir; ?> { ### Serve & no-log static files & images directly, ### without all standard drupal rewrites, php-fpm etc. ### - location ~* ^/<?php print $subdir; ?>/(.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|aspx?|class|otf|ttf|woff|eot|less))$ { + location ~* ^/<?php print $subdir; ?>/(.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|aspx?|class|otf|ttf|woff2?|eot|less))$ { expires 30d; tcp_nodelay off; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /$1 $uri =404; } @@ -727,6 +781,9 @@ location ^~ /<?php print $subdir; ?> { tcp_nopush off; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /$1 $uri =404; } @@ -737,6 +794,9 @@ location ^~ /<?php print $subdir; ?> { access_log off; tcp_nodelay off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /$1 $uri =404; } @@ -776,7 +836,7 @@ location ^~ /<?php print $subdir; ?> { tcp_nopush off; keepalive_requests 0; access_log off; - if ($is_bot) { + if ( $is_bot ) { return 403; } try_files /$1 $uri =404; 
@@ -793,14 +853,14 @@ location ^~ /<?php print $subdir; ?> { ### Deny crawlers and never cache known AJAX requests. ### location ~* ^/<?php print $subdir; ?>/(.*(?:ahah|ajax|batch|autocomplete|done|progress/|x-progress-id|js/.*).*)$ { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; log_not_found off; <?php if ($nginx_config_mode == 'extended'): ?> set $nocache_details "Skip"; - try_files /$1 $uri @nobots_<?php print $subdir_loc; ?>; + try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>; <?php else: ?> try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>; <?php endif; ?> @@ -810,12 +870,15 @@ location ^~ /<?php print $subdir; ?> { ### Serve & no-log static helper files used in some wysiwyg editors. ### location ~* ^/<?php print $subdir; ?>/(sites/.*/(?:modules|libraries)/(?:contrib/)?(?:tinybrowser|f?ckeditor|tinymce|flowplayer|jwplayer|videomanager)/.*\.(?:html?|xml))$ { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; tcp_nodelay off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /$1 $uri =404; } @@ -828,6 +891,9 @@ location ^~ /<?php print $subdir; ?> { access_log off; tcp_nodelay off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /$1 $uri =404; } @@ -859,7 +925,7 @@ location ^~ /<?php print $subdir; ?> { ### Deny bots on never cached uri. ### location ~* ^/<?php print $subdir; ?>/((?:.*/)?(?:admin|user|cart|checkout|logout|comment/reply)) { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -871,7 +937,7 @@ location ^~ /<?php print $subdir; ?> { ### Protect from DoS attempts on never cached uri. ### location ~* ^/<?php print $subdir; ?>/((?:.*/)?(?:node/[0-9]+/edit|node/add)) { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; 
@@ -886,7 +952,7 @@ location ^~ /<?php print $subdir; ?> { if ($cache_uid = '') { return 403; } - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -929,9 +995,9 @@ location ^~ /<?php print $subdir; ?> { return 403; } <?php endif; ?> - try_files $uri @cache_<?php print $subdir_loc; ?>; + try_files /$1 $uri @cache_<?php print $subdir_loc; ?>; <?php else: ?> - try_files $uri @drupal_<?php print $subdir_loc; ?>; + try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>; <?php endif; ?> } @@ -945,7 +1011,7 @@ location ^~ /<?php print $subdir; ?> { <?php endif; ?> <?php if ($satellite_mode == 'boa'): ?> limit_conn limreq 88; - if ($is_bot) { + if ( $is_bot ) { return 404; } <?php endif; ?> @@ -1025,7 +1091,6 @@ location ^~ /<?php print $subdir; ?> { add_header X-This-Proto "$http_x_forwarded_proto"; add_header X-Server-Sub-Name "$subdir_main_site_name"; add_header X-Response-Status "$status"; - add_header Access-Control-Allow-Origin *; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; <?php endif; ?> @@ -1044,9 +1109,11 @@ location ^~ /<?php print $subdir; ?> { fastcgi_param db_host <?php print urlencode($db_host); ?>; fastcgi_param db_port <?php print urlencode($db_port); ?>; - fastcgi_param HTTP_HOST <?php print $this->uri; ?>; + fastcgi_param HTTP_HOST $host; fastcgi_param RAW_HOST $host; fastcgi_param SITE_SUBDIR <?php print $subdir; ?>; + fastcgi_param SCRIPT_URL /<?php print $subdir; ?>/; + fastcgi_param SCRIPT_URI $scheme://$host/<?php print $subdir; ?>/; fastcgi_param MAIN_SITE_NAME <?php print $this->uri; ?>; fastcgi_param REDIRECT_STATUS 200; 
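Review bot: `fastcgi_param HTTP_HOST $host;` in the last hunk stops pinning the host that PHP sees to `<?php print $this->uri; ?>` and forwards the client-supplied Host header instead, and the new `fastcgi_param SCRIPT_URI $scheme://$host/...` line interpolates `$host` as well; Drupal derives `$base_url`, redirects and the one-time login links generated elsewhere in this diff from `HTTP_HOST`, so if the vhost can be reached with a Host value other than its own names (for instance as the default server — decided outside this hunk) a forged Host ends up in generated links and in whatever the fastcgi cache stores. If the intent is to let aliased subdir sites keep the host they were requested under, please say so in a comment next to the line and confirm `server_name` is the only gate, or require `trusted_host_patterns` (Drupal 8+) / a fixed `$base_url` (Drupal 7) in the generated settings. Separately, `try_files /$1 $uri @cache_…` in the `-929` hunk now relies on a capture `$1` from an enclosing `location` regex that starts outside the hunk, so it cannot be checked here.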
@@ -1054,6 +1121,8 @@ location ^~ /<?php print $subdir; ?> { set $real_fastcgi_script_name index.php; fastcgi_param SCRIPT_FILENAME <?php print "{$this->root}"; ?>/$real_fastcgi_script_name; + fastcgi_param SCRIPT_NAME /<?php print $subdir; ?>/$real_fastcgi_script_name; + fastcgi_param PHP_SELF /<?php print $subdir; ?>/$real_fastcgi_script_name; add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"; tcp_nopush off; @@ -1084,6 +1153,7 @@ location ^~ /<?php print $subdir; ?> { fastcgi_cache_valid 200 10s; fastcgi_cache_valid 301 1m; fastcgi_cache_valid 302 403 404 1s; + fastcgi_cache_valid any 3s; fastcgi_cache_lock on; fastcgi_ignore_headers Cache-Control Expires; fastcgi_pass_header Set-Cookie; 
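Review bot: `fastcgi_cache_valid any 3s;` makes nginx store every status code not listed on the lines above it, including 5xx and 401, and since `fastcgi_ignore_headers Cache-Control Expires` is already set the backend cannot opt a response out, so a transient backend error or a per-user denial may be handed to other clients for 3 s unless the cache key includes the user (the key is defined outside the hunk). If the aim is only to keep bursts of errors off php-fpm, list the statuses you mean — `fastcgi_cache_valid 500 502 503 504 3s;` — or add a comment explaining why `any` is intended. The `SCRIPT_NAME`/`PHP_SELF` additions in the first hunk look consistent with the existing `SCRIPT_FILENAME` line.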
@@ -1148,65 +1218,34 @@ location @cache_<?php print $subdir_loc; ?> { ### Send all not cached requests to drupal with clean URLs support. ### location @drupal_<?php print $subdir_loc; ?> { -<?php if ($nginx_config_mode == 'extended'): ?> - error_page 418 = @nobots_<?php print $subdir_loc; ?>; - if ($args) { - return 418; - } -<?php endif; ?> + set $core_detected "Legacy"; ### ### For Drupal >= 7 ### - if ($sent_http_x_generator) { - add_header X-Info-Gen "Modern"; - rewrite ^ /<?php print $subdir; ?>/index.php?$query_string last; + if ( -e $document_root/web.config ) { + set $core_detected "Regular"; + } + if ( -e $document_root/core ) { + set $core_detected "Modern"; + } + error_page 418 = @modern_<?php print $subdir_loc; ?>; + if ( $core_detected ~ (?:NotForD7|Modern) ) { + return 418; } ### - ### For Drupal <= 6 + ### For Drupal 6 ### rewrite ^/<?php print $subdir; ?>/(.*)$ /<?php print $subdir; ?>/index.php?q=$1 last; } -<?php if ($nginx_config_mode == 'extended'): ?> ### -### Special location for bots custom restrictions; can be overridden. +### Special location for Drupal 7+. ### -location @nobots_<?php print $subdir_loc; ?> { - ### - ### Support for Accelerated Mobile Pages (AMP) when bots are redirected below - ### - # if ( $query_string ~ "^amp$" ) { - # rewrite ^/<?php print $subdir; ?>/(.*)$ /<?php print $subdir; ?>/index.php?q=$1 last; - # } - - ### - ### Send all known bots to $args free URLs (optional) - ### - # if ($is_bot) { - # return 301 $scheme://$host$request_uri; - # } - - ### - ### Return 404 on special PHP URLs to avoid revealing version used, - ### even indirectly. 
See also: https://drupal.org/node/2116387 - ### - if ( $args ~* "=PHP[A-Z0-9]{8}-" ) { - return 404; - } - - ### - ### For Drupal >= 7 - ### - if ($sent_http_x_generator) { - add_header X-Info-Gen "Modern"; - rewrite ^ /<?php print $subdir; ?>/index.php?$query_string last; - } - ### - ### For Drupal <= 6 - ### - rewrite ^/<?php print $subdir; ?>/(.*)$ /<?php print $subdir; ?>/index.php?q=$1 last; +location @modern_<?php print $subdir_loc; ?> { + try_files $uri /<?php print $subdir; ?>/index.php?$query_string; } +<?php if ($nginx_config_mode == 'extended'): ?> ### ### Internal location for /authorize.php and /update.php restricted access. ### diff --git a/install.hostmaster.inc b/install.hostmaster.inc index df1f142b3395dfbd8222e666a5e5a536a8bc55a8..692922619c8e89178e73ebe080bf2659908d16a8 100644 --- a/install.hostmaster.inc +++ b/install.hostmaster.inc @@ -264,6 +264,11 @@ function drush_provision_hostmaster_install($site = NULL) { 'client_email' => drush_get_option('client_email'), 'profile' => $profile, 'drush_aliases' => 'hm', + 'command-specific' => array ( + 'pm-download' => array ( + 'use-site-dir' => 1, + ), + ), )); drush_log('Starting with the hostmaster frontend installation.', 'notice'); diff --git a/migrate.hostmaster.inc b/migrate.hostmaster.inc index 7e27b1981081340bf3896bbf30225dbaeba717f1..36fb245531c73d409d45a6bae8981c2437b32e72 100644 --- a/migrate.hostmaster.inc +++ b/migrate.hostmaster.inc @@ -146,6 +146,11 @@ We are making the following assumptions: 'uri' => $site, 'profile' => 'hostmaster', 'drush_aliases' => 'hm', + 'command-specific' => array ( + 'pm-download' => array ( + 'use-site-dir' => 1, + ), + ), )); provision_backend_invoke($site_name, 'provision-verify'); drush_set_option('site_name', $site_name); diff --git a/platform/delete.provision.inc b/platform/delete.provision.inc index efedd522e82eef2eab8058623c8a1eba8457417c..33b63b21209f251a3017b4ca013a3926ad2d75bb 100644 --- a/platform/delete.provision.inc 
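Review bot: In the rewritten `@drupal_` location, `if ( $core_detected ~ (?:NotForD7|Modern) )` tests for a value `NotForD7` that nothing in the hunk assigns — `$core_detected` is only ever set to `Legacy`, `Regular` or `Modern` — so the alternative is either dead or set in another template and deserves a comment naming where. The `-e $document_root/web.config` and `-e $document_root/core` probes also cost a stat on every request that reaches this location; if the template has the platform's core version available on the PHP side, printing the right branch once would be cheaper and easier to reason about than request-time filesystem probing. Worth stating in the commit message as well: removing `@nobots_` also removes the `=PHP[A-Z0-9]{8}-` 404 rule, which only matters on PHP releases older than 5.5 that still answer the easter-egg query strings. The template continues outside the hunk.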
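Review bot: The `'command-specific' => array('pm-download' => array('use-site-dir' => 1))` block is added verbatim to the hostmaster alias here in `install.hostmaster.inc` and again in `migrate.hostmaster.inc`, with nothing saying why `pm-download` must be pinned to the site directory; a one-line comment in both places, e.g. `// pm-download for the hostmaster alias always uses the site directory (use-site-dir).`, would record the intent. Since the two arrays must stay identical, a shared helper returning the common alias options would keep them from drifting.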
+++ b/platform/delete.provision.inc @@ -48,8 +48,12 @@ function drush_provision_drupal_provision_delete() { drush_set_error(dt('Existing sites were found on this platform. These sites will need to be deleted before this platform can be deleted.')); } else { + drush_invoke_process('@none', 'provision-save', array(d()->name), array('delete' => TRUE)); _provision_recursive_delete(d()->root); d()->service('http')->sync(d()->root); } } + elseif (d()->type === 'server') { + drush_invoke_process('@none', 'provision-save', array(d()->name), array('delete' => TRUE)); + } } diff --git a/platform/drupal/install_6.inc b/platform/drupal/install_6.inc index 2a8316f5aa1f47203c769854371e69b0287bfac3..e4000f85472d326b820e19a107c1539a0e80ba00 100644 --- a/platform/drupal/install_6.inc +++ b/platform/drupal/install_6.inc @@ -366,8 +366,14 @@ function install_main() { $client_email = install_validate_client_email(drush_get_option('client_email', FALSE)); $account = install_create_admin_user($client_email); - $onetime = user_pass_reset_url($account); - // Store the one time login link in an option so the front end can direct the user to their new site. + + // If a redirect is defined, the symlink to the alias needs to exist before + // we generate the login link, below. + _provision_drupal_maintain_aliases(); + + // Store the one time login link in an option so the front end can direct the + // user to their new site. + $onetime = provision_generate_login_reset(); drush_set_option('login_link', $onetime . '/login'); drush_log(dt('Login url: !onetime', array('!onetime' => $onetime . '/login')), 'success'); diff --git a/platform/drupal/install_7.inc b/platform/drupal/install_7.inc index 73f9aac1bb44987df7994558efc269b36489759e..9efa9264bebd5a5e3f2f53617e84dc0254e7de45 100644 --- a/platform/drupal/install_7.inc +++ b/platform/drupal/install_7.inc 
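Review bot: The result of both new `drush_invoke_process('@none', 'provision-save', array(d()->name), array('delete' => TRUE));` calls is discarded, and in the platform branch the call runs before `_provision_recursive_delete(d()->root)`, so a failed alias removal — or a successful one followed by a failed file deletion — is never reported and can leave the context and its directory out of step. Capture the return value and check it before touching files, e.g. `$result = drush_invoke_process(...); if (!$result || !empty($result['error_status'])) { return FALSE; }` with a `drush_set_error()` naming the alias. The same line appears in both branches; hoisting the alias deletion into a small helper would remove the duplication. `drush_provision_drupal_provision_delete()` begins above the hunk.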
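Review bot: `install_6.inc` keeps appending `'/login'` to the value returned by `provision_generate_login_reset()` while the matching hunks in `install_7.inc` and `install_8.inc` drop the suffix; all three now take the link from drush's `user-login` output, so the suffix has to be handled the same way in each — if `user-login` already returns a link ending in `/login`, Drupal 6 gets a doubled suffix, and if it does not, Drupal 7 sites land on the confirmation page instead of being logged in. Which case applies depends on the Drush version in use, which the diff does not show, so please verify the D6 and D7 outputs and, if they differ, document that in `provision_generate_login_reset()`. The added comment about `_provision_drupal_maintain_aliases()` having to run first is clear; `install_main()` continues outside the hunk.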
@@ -158,10 +158,16 @@ function install_main() { _provision_drupal_create_directories(); $account = user_load(1); - $onetime = user_pass_reset_url($account); - // Store the one time login link in an option so the front end can direct the user to their new site. - drush_set_option('login_link', $onetime . '/login'); - drush_log(dt('Login url: !onetime', array('!onetime' => $onetime . '/login')), 'success'); + + // If a redirect is defined, the symlink to the alias needs to exist before + // we generate the login link, below. + _provision_drupal_maintain_aliases(); + + // Store the one time login link in an option so the front end can direct the + // user to their new site. + $onetime = provision_generate_login_reset(); + drush_set_option('login_link', $onetime); + drush_log(dt('Login url: !onetime', array('!onetime' => $onetime)), 'success'); if (drush_get_option('client_email', FALSE)) { install_send_welcome_mail($url, $account, $install_locale, $client_email, $onetime); diff --git a/platform/drupal/install_8.inc b/platform/drupal/install_8.inc index 87f96e2b7658a60a40325de0bb80f662fde470b5..d56c5039b08b77660362f034574351bd867c5339 100644 --- a/platform/drupal/install_8.inc +++ b/platform/drupal/install_8.inc @@ -159,8 +159,13 @@ function install_main() { $account = user_load(1); - $onetime = user_pass_reset_url($account); - // Store the one time login link in an option so the front end can direct the user to their new site. + // If a redirect is defined, the symlink to the alias needs to exist before + // we generate the login link, below. + _provision_drupal_maintain_aliases(); + + // Store the one time login link in an option so the front end can direct the + // user to their new site. + $onetime = provision_generate_login_reset(); drush_set_option('login_link', $onetime); drush_log(dt('Login url: !onetime', array('!onetime' => $onetime)), 'message'); 
diff --git a/platform/provision_drupal.drush.inc b/platform/provision_drupal.drush.inc index 52aac8faf98e15b17b306680d7c2992528fdf529..5447dcb41afb548f69e9abc5a55e1fb19e11ae87 100644 --- a/platform/provision_drupal.drush.inc +++ b/platform/provision_drupal.drush.inc @@ -108,7 +108,9 @@ function provision_drupal_push_site($override_slave_authority = FALSE) { )); // Sync the platform - d()->service('http')->sync(d()->root, array('exclude-sites' => TRUE)); + $sync_path = d()->root; + drush_command_invoke_all_ref('provision_platform_sync_path_alter', $sync_path, d()); + d()->service('http')->sync($sync_path, array('exclude-sites' => TRUE)); if (d()->type === 'site') { // Check whether we're hosted on a cluster, in which case, the master is @@ -168,8 +170,12 @@ function provision_drupal_fetch_site($alias = NULL) { * Generate a settings file for the site. */ function _provision_drupal_create_settings_file() { - $config = new Provision_Config_Drupal_Settings(d()->name, drush_get_context('site')); - $config->write(); + $name = d()->name; + $context = drush_get_context('site'); + $settings = new Provision_Config_Drupal_Settings($name, $context); + $settings->write(); + $services = new Provision_Config_Drupal_Services($name, $context); + $services->write(); } /** 
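Review bot: The new alter hook `provision_platform_sync_path_alter` receives `$sync_path` by reference plus the context object, but nothing in the diff documents it, and a hook that lets any enabled extension replace the directory handed to `sync(..., array('exclude-sites' => TRUE))` deserves a docblock stating what the path may be changed to and that the platform's own sites are still excluded. Please add a `hook_provision_platform_sync_path_alter(&$sync_path, $context)` stub to the project's API documentation, or at least a comment above the invocation naming that contract. In `_provision_drupal_create_settings_file()` the `Provision_Config_Drupal_Services` config is now written for every site regardless of core version; unless that class skips non-Drupal-8 sites itself (its body is not in this chunk), guard the call here.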
@@ -593,6 +599,16 @@ function _provision_drupal_find_modules($scope, $key = '') { $source = file_get_contents(trim($install_file)); $source = str_replace("\r\n", "\n", $source); $source = str_replace("\r", "\n", $source); + // Also search included files for function signature + $include_matches = array(); + preg_match_all('!^\s*(include|require)(_once)?[\s\.\w\(]+([\'\"]{1}([\\\s\w\-\.\/]*)[\'\"]{1})!m', $source, $include_matches); + if (sizeof($include_matches[0])) { + foreach($include_matches[4] as $include) { + if ($include_file = realpath(dirname($info->filename) . DIRECTORY_SEPARATOR . $include)) { + $source .= "\n" . file_get_contents($include_file); + } + } + } $function_matches = array(); preg_match_all('!function\s*&?([a-zA-Z0-9_]+)_update_([0-9]+)\s*\(.*?\s*\{!', $source, $function_matches); diff --git a/platform/reset.login.provision.inc b/platform/reset.login.provision.inc index 522e5f6906081d6b8f46e7806beaeb6e2b5dcc07..d9480a7d5489a7e177f20b0795d359421f17f33f 100644 --- a/platform/reset.login.provision.inc +++ b/platform/reset.login.provision.inc @@ -15,9 +15,9 @@ * Generate a one-time login reset url */ function drush_provision_drupal_provision_login_reset() { - // pass the login link to the front end - drush_set_option('browser', FALSE); - $onetime = drush_user_login(); - drush_set_option('login_link', $onetime); - drush_log(dt('Login url: !onetime', array('!onetime' => $onetime)), 'success'); + $uri = d()->redirection ?: d()->uri; + $result = drush_invoke_process(d()->name, 'user-login', array(), array('uri' => $uri, 'no-browser' => TRUE)); + + drush_set_option('login_link', $result['output']); + drush_log(dt('Login url: !onetime', array('!onetime' => $result['output'])), 'success'); } diff --git a/provision.drush.inc b/provision.drush.inc index 81979bc84755c475a2cbd461e55ec024b4981702..128e31601c0ae4a3c0d72c153f66c21580ec581d 100644 --- a/provision.drush.inc +++ b/provision.drush.inc 
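Review bot: In the new include-following pattern the character class `[\\\s\w\-\.\/]` is written inside a single-quoted PHP string, so PCRE receives `[\\s\w\-\.\/]` — a literal backslash and a literal `s`, not whitespace — and include paths containing spaces are silently skipped; if whitespace was intended the class should read `[\s\w\-\.\/]`. `file_get_contents($include_file)` is appended without checking for `FALSE`, which only costs a stray newline but hides unreadable files, and the `sizeof($include_matches[0])` guard around the `foreach` is redundant since iterating an empty array is a no-op. A one-line comment above `preg_match_all`, `// Follow literal, single-level include/require paths so update hooks defined in .inc files are found.`, would stop readers expecting computed paths or nested includes to be resolved. `_provision_drupal_find_modules()` begins and ends outside the hunk.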
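Review bot: The rewritten `drush_provision_drupal_provision_login_reset()` reimplements the exact body that the hunk in `provision.drush.inc` adds as `provision_generate_login_reset()`; calling that helper (`$onetime = provision_generate_login_reset();`) would leave one place to fix. Both copies read `$result['output']` without checking `$result['error_status']` or that `drush_invoke_process()` returned an array at all, so a failed `user-login` quietly stores an empty or error-text `login_link` that the front end will then offer to the user; check the status and call `drush_set_error()` before setting the option. `$uri = d()->redirection ?: d()->uri;` would also benefit from a comment that the link is deliberately generated for the redirect target.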
@@ -491,3 +491,12 @@ function provision_hosting_feature_enabled($feature) { return array_key_exists($feature, $features) && $features[$feature]; } +/** + * Generate one-time login link + */ +function provision_generate_login_reset() { + $uri = d()->redirection ?: d()->uri; + $result = drush_invoke_process(d()->name, 'user-login', array(), array('uri' => $uri, 'no-browser' => TRUE)); + + return $result['output']; +} diff --git a/provision.inc b/provision.inc index f7b5e9a4f9707f692b4810b7c6b8e6732d617c3a..b7deadc17e089fe5b55981921df50962c3a76cf5 100644 --- a/provision.inc +++ b/provision.inc @@ -460,7 +460,7 @@ function provision_backend_invoke($target, $command, $arguments = array(), $data * @return string|void * The output or error output of the command. */ -function provision_process($command, $cwd = null, $label = 'Process', $env = array(), $log_output = TRUE, $error_message = NULL, $throw_drush_error = TRUE) { +function provision_process($command, $cwd = null, $label = 'Process', $env = array(), $log_output = TRUE, $error_message = NULL, $throw_drush_error = TRUE, $log_type = 'p_info') { if (empty($command)) { return; } @@ -481,8 +481,8 @@ function provision_process($command, $cwd = null, $label = 'Process', $env = arr if ($log_output) { drush_log("[$label] $command", 'p_command'); - $exit_code = $process->run(function ($type, $buffer) { - drush_log($buffer, 'p_info'); + $exit_code = $process->run(function ($type, $buffer) use ($log_type) { + drush_log($buffer, $log_type); }); } else { @@ -508,7 +508,7 @@ function provision_process($command, $cwd = null, $label = 'Process', $env = arr } if ($throw_drush_error) { - drush_set_error('PROVISION_PROCESS_ERROR', dt($error_message)); + drush_set_error('PROVISION_PROCESS_ERROR', !empty($error_message)? $error_message: $process->getErrorOutput()); } return $process->getErrorOutput(); } 
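Review bot: `provision_process()` gains a `$log_type` parameter, but the function's docblock, which ends just above the first hunk (its `@return string|void` line is visible), gets no `@param string $log_type` entry describing the accepted drush log levels and the `'p_info'` default. The error branch now passes `$process->getErrorOutput()` straight into `drush_set_error()` when no `$error_message` is given, dropping the `dt()` wrapper; that is an improvement for messages containing `!`/`@` placeholders, but raw stderr of an arbitrary command can be long and usually echoes the command line and paths, so consider `trim($process->getErrorOutput())` and note in the docblock that the caller's message takes precedence.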
diff --git a/scripts/ci-aegir-dev-install-apt-ubuntu-artful.sh b/scripts/ci-aegir-dev-install-apt-debian10.sh similarity index 57% rename from scripts/ci-aegir-dev-install-apt-ubuntu-artful.sh rename to scripts/ci-aegir-dev-install-apt-debian10.sh index ee53aee4439528c9cd911ad7278c93b93d305642..9da919b3ab3de6383ba5f2c323e918446d32f537 100755 --- a/scripts/ci-aegir-dev-install-apt-ubuntu-artful.sh +++ b/scripts/ci-aegir-dev-install-apt-debian10.sh @@ -2,20 +2,20 @@ # Install Aegir debian packages located in the 'build/' directory. # These are provided by the GitLab CI build stage. # -# This script is tuned for Ubuntu 17.10. +# This script is tuned for Debian 9 - Stretch. # + echo "[CI] Updating APT" sudo apt-get update echo "[CI] Setting debconf settings" -echo "debconf debconf/frontend select Noninteractive" | debconf-set-selections -#echo "debconf debconf/priority select critical" | debconf-set-selections +echo "debconf debconf/frontend select Noninteractive" | sudo debconf-set-selections -debconf-set-selections <<EOF +sudo debconf-set-selections <<EOF aegir3-hostmaster aegir/db_password string PASSWORD aegir3-hostmaster aegir/db_password seen true -aegir3-hostmaster aegir/db_user string root +aegir3-hostmaster aegir/db_user string aegir_root aegir3-hostmaster aegir/db_host string localhost aegir3-hostmaster aegir/email string aegir@example.com aegir3-hostmaster aegir/site string aegir.example.com 
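Review bot: The renamed script is `ci-aegir-dev-install-apt-debian10.sh` and `.gitlab-ci.yml` runs it in the `debian:buster` image, yet the new header comment reads `# This script is tuned for Debian 9 - Stretch.`; it should say `# This script is tuned for Debian 10 - Buster.` so the file does not look like an unedited copy of the debian9 script. Running `debconf-set-selections` under `sudo` matches the other scripts, and `aegir/db_user string aegir_root` lines up with the grant in the new stable-install script.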
@@ -23,12 +23,16 @@ postfix postfix/main_mailer_type select Local only EOF +set -x echo "[CI] Pre-installing dependencies" -sudo apt-get install --yes mariadb-server mariadb-client php7.1-mysql php7.1-cli php7.1-gd php7.1 postfix +sudo apt-get install --yes mariadb-server php-mysql php-cli + echo "[CI] Installing .deb files .. will fail on missing packages" -sudo DPKG_DEBUG=developer dpkg --install build/aegir3_*.deb build/aegir3-provision*.deb build/aegir3-hostmaster*.deb +sudo dpkg --install build/aegir3_*.deb build/aegir3-provision*.deb build/aegir3-hostmaster*.deb echo "[CI] Installing remaining packages and configuring our debs" -sudo apt-get install --fix-broken --yes +sudo DPKG_DEBUG=developer apt-get install --fix-broken --yes + + diff --git a/scripts/ci-aegir-stable-install-apt-debian10.sh b/scripts/ci-aegir-stable-install-apt-debian10.sh new file mode 100644 index 0000000000000000000000000000000000000000..280b209f6d7ca6fc18dad7d627be8d168d711cd8 --- /dev/null +++ b/scripts/ci-aegir-stable-install-apt-debian10.sh 
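Review bot: `set -x` switches on command tracing for the rest of the script without a comment; it sits after the debconf preseed, so the `aegir/db_password` line above it is not echoed, but anyone adding another preseed below it will have the value traced into the CI log. A one-line comment such as `# Trace the package steps so a failure shows the exact command in the CI log.` would record the intent and warn about placement, and the two blank `+` lines at the end of the hunk are leftover whitespace.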
@@ -0,0 +1,27 @@ +# +# Install Aegir debian packages located in the projects stable repository. +# +# This script is tuned for Debian 10 - Buster +# + + +sudo apt-get install --yes wget + +sudo wget -O /usr/share/keyrings/aegir-archive-keyring.gpg https://debian.aegirproject.org/aegir-archive-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/aegir-archive-keyring.gpg] https://debian.aegirproject.org stable main" | sudo tee -a /etc/apt/sources.list.d/aegir-stable.list +sudo apt-get update +#echo "debconf debconf/frontend select Noninteractive" | debconf-set-selections + + +sudo apt-get install --yes mariadb-server +sudo /usr/bin/mysql -e "GRANT ALL ON *.* TO 'aegir_root'@'localhost' IDENTIFIED BY 'PASSWORD' WITH GRANT OPTION" + + +sudo debconf-set-selections <<EOF +aegir3-hostmaster aegir/email string aegir@example.com +aegir3-hostmaster aegir/site string aegir.example.com +postfix postfix/main_mailer_type select Local only + +EOF + +sudo DPKG_DEBUG=developer apt-get install --yes aegir3 diff --git a/scripts/ci-aegir-stable-install-apt-debian9.sh b/scripts/ci-aegir-stable-install-apt-debian9.sh index f5b6ee4e65c6978368eb727b96c0ea73e5a7f1cd..b56db0be6b2fe5e084219e4fe9cfe0a6a18ff0b7 100755 --- a/scripts/ci-aegir-stable-install-apt-debian9.sh +++ b/scripts/ci-aegir-stable-install-apt-debian9.sh @@ -5,10 +5,10 @@ # -sudo apt-get install --yes curl +sudo apt-get install --yes wget apt-transport-https -echo "deb http://debian.aegirproject.org stable main" | sudo tee -a /etc/apt/sources.list.d/aegir-stable.list -curl https://debian.aegirproject.org/key.asc | sudo apt-key add - +sudo wget -O /usr/share/keyrings/aegir-archive-keyring.gpg https://debian.aegirproject.org/aegir-archive-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/aegir-archive-keyring.gpg] https://debian.aegirproject.org stable main" | sudo tee -a /etc/apt/sources.list.d/aegir-stable.list sudo apt-get update echo "debconf debconf/frontend select Noninteractive" | sudo debconf-set-selections 
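Review bot: The new `scripts/ci-aegir-stable-install-apt-debian10.sh` is created with mode `100644` and has no `#!/bin/bash` line, whereas the sibling `ci-aegir-stable-install-apt-debian9.sh` is `100755`; if a job runs it as `script: "scripts/..."` like the existing ones it will fail with permission denied, so mark it executable or invoke it through `bash`. It also has no `set -e`, so a failed `wget` of the keyring or a failed `apt-get update` is ignored and the run proceeds to `apt-get install --yes aegir3` against a repository whose signature cannot be checked; `set -e` at the top, or `|| exit 1` on the keyring fetch and on `apt-get update`, would surface that. The `echo "debconf debconf/frontend select Noninteractive"` line is commented out here but active in the debian9 script; unless that is deliberate, keep it so the postfix/aegir prompts cannot block the job. The move to `[signed-by=...]` with a dedicated keyring instead of `apt-key add` is the right direction.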
@@ -29,5 +29,3 @@ postfix postfix/main_mailer_type select Local only EOF sudo DPKG_DEBUG=developer apt-get install --yes aegir3 - - diff --git a/scripts/release.sh b/scripts/release.sh index 7c1156ed7c5a5aebf2400e3bb741bbe2ad90ad90..d9516920b6670da1fb8132218c2c2f380fbc587d 100755 --- a/scripts/release.sh +++ b/scripts/release.sh @@ -180,7 +180,7 @@ fi # Golden Contrib -golden_contribs="hosting_civicrm hosting_git hosting_remote_import hosting_site_backup_manager hosting_tasks_extra hosting_logs hosting_https" +golden_contribs="hosting_civicrm hosting_git hosting_remote_import hosting_site_backup_manager hosting_tasks_extra hosting_logs hosting_https hosting_deploy aegir_objects" echo ========= echo diff --git a/scripts/release_notes.sh b/scripts/release_notes.sh index 61f370ae8f7e2ab895fcbe5d461412bad9284213..b330e8bfe6208319e5dcaa2058f4cc84214451fd 100755 --- a/scripts/release_notes.sh +++ b/scripts/release_notes.sh 
@@ -6,17 +6,30 @@ # # To be used in the release notes on https://github.com/aegir-project/documentation/blob/3.x/docs/release-notes/ -modules="hostmaster provision hosting eldir hosting_civicrm hosting_git hosting_remote_import hosting_site_backup_manager hosting_tasks_extra hosting_logs hosting_https" +modules="hostmaster provision hosting eldir hosting_civicrm hosting_git hosting_remote_import hosting_site_backup_manager hosting_tasks_extra hosting_logs hosting_https hosting_deploy aegir_objects" if [ -z "$1" ]; then - echo "Usage: $0 <previous release tag>" + echo "Usage: $0 <previous release tag, e.g. 7.x-3.160>" + echo "Best not to use the tags for minor releases, repositories that don't have this tag then fail to generate notes fails " exit 1 fi prev_release=$1 -cd .. +CURRENT_BRANCH=7.x-3.x + +TEMPDIR=`mktemp --directory` + + +echo "Cloning into temp dir $TEMPDIR..." +echo + +cd $TEMPDIR for shortname in $modules; do + + # Grab a fresh copy, to avoid projects being on feature branches and having local commits. + git clone --quiet --branch $CURRENT_BRANCH git@git.drupal.org:project/$shortname.git >> $TEMPDIR/clone.log + cd $shortname >> /dev/null; git pull --quiet echo "**Changes to $shortname since $prev_release**" @@ -35,3 +48,5 @@ for shortname in $modules; do done cd - >> /dev/null; + +echo "Fresh clones left in temp dir $TEMPDIR for your conveniance."
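Review bot: `cd $TEMPDIR` is unchecked, so if `mktemp --directory` fails and `TEMPDIR` is empty the script stays in the current directory and starts cloning every module there; use `cd "$TEMPDIR" || exit 1`, and quote the variable in the `>> $TEMPDIR/clone.log` redirect as well. The new usage text has a garbled second line — `repositories that don't have this tag then fail to generate notes fails` — and the closing message misspells "conveniance"; suggested wording: `echo "Avoid minor-release tags: repositories that lack the tag fail to generate notes."` and `echo "Fresh clones left in temp dir $TEMPDIR for your convenience."`. Cloning via `git@git.drupal.org:project/$shortname.git` also requires an SSH key even though the script only reads history; an anonymous read-only URL, if the project offers one, would let anyone run it.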