Commit 55e85078 authored by Jon Pugh's avatar Jon Pugh

Merge branch '2960237-sync-alter' into 3016995-file-path-properties

parents 7faa6e9f 6bed7757
......@@ -65,6 +65,7 @@ build:deb:
test:debian-jessie-aegir3-apt:
stage: test
image: debian:jessie
allow_failure: true
dependencies:
- build:deb
only:
......@@ -88,6 +89,11 @@ test:debian-stretch-aegir3-apt:
dependencies:
- build:deb
only:
- 7.x-3.x
- /^7\.x-3\.\d+\.x/
- /-runalltests$/
before_script:
- apt-get update
# Avoid ERROR: invoke-rc.d: policy-rc.d denied execution of start.
......@@ -97,17 +103,13 @@ test:debian-stretch-aegir3-apt:
script: "scripts/ci-aegir-dev-install-apt-debian9.sh"
test:ubuntu-xenial-aegir3-apt:
test:debian-buster-aegir3-apt:
stage: test
image: ubuntu:xenial
image: debian:buster
allow_failure: false
dependencies:
- build:deb
only:
- 7.x-3.x
- /^7\.x-3\.\d+\.x/
- /-runalltests$/
before_script:
- apt-get update
# Avoid ERROR: invoke-rc.d: policy-rc.d denied execution of start.
......@@ -115,11 +117,11 @@ test:ubuntu-xenial-aegir3-apt:
- echo "exit 0" >> /usr/sbin/policy-rc.d
- apt-get install --yes sudo curl
script: "scripts/ci-aegir-dev-install-apt-ubuntu-xenial.sh"
script: "scripts/ci-aegir-dev-install-apt-debian10.sh"
test:ubuntu-artful-aegir3-apt:
test:ubuntu-xenial-aegir3-apt:
stage: test
image: ubuntu:artful
image: ubuntu:xenial
dependencies:
- build:deb
......@@ -135,8 +137,7 @@ test:ubuntu-artful-aegir3-apt:
- echo "exit 0" >> /usr/sbin/policy-rc.d
- apt-get install --yes sudo curl
script: "scripts/ci-aegir-dev-install-apt-ubuntu-artful.sh"
script: "scripts/ci-aegir-dev-install-apt-ubuntu-xenial.sh"
test:ubuntu-bionic-aegir3-apt:
stage: test
......@@ -252,9 +253,9 @@ publish:unstable-repo:
#
# Upgrade the latest stable Aegir to our unstable repo.
upgradetest:debian-jessie-aegir3-apt-upgrade:
upgradetest:debian-stretch-aegir3-apt-upgrade:
stage: upgradetest
image: debian:jessie
image: debian:stretch
dependencies:
- publish:unstable-repo
......@@ -271,7 +272,7 @@ upgradetest:debian-jessie-aegir3-apt-upgrade:
- apt-get install --yes sudo curl cron
script:
- "scripts/ci-aegir-stable-install-apt-debian8.sh"
- "scripts/ci-aegir-stable-install-apt-debian9.sh"
# extra step to run the task queue.
- sudo su aegir --login --command 'drush @hostmaster php-eval "echo hosting_task_count();"'
- sudo su aegir --login --command 'drush @hostmaster hosting-tasks --force'
......@@ -283,6 +284,6 @@ upgradetest:debian-jessie-aegir3-apt-upgrade:
- sudo su aegir --login --command 'drush @hostmaster php-eval "echo hosting_task_count_running();"'
# upgrade to the latest version from the unstable repo.
- rm -v /etc/apt/sources.list.d/aegir-stable.list
- echo "deb http://debian.aegirproject.org unstable main" | sudo tee -a /etc/apt/sources.list.d/aegir-unstable.list
- echo "deb [signed-by=/usr/share/keyrings/aegir-archive-keyring.gpg] http://debian.aegirproject.org unstable main" | sudo tee -a /etc/apt/sources.list.d/aegir-unstable.list
- sudo apt-get update
- sudo apt-get --yes dist-upgrade
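Review bot: The repo line added with `signed-by=` on the `aegir-unstable.list` step is appended with `tee -a`, so any entry already in that file (for instance one left behind by the stable-install script that runs earlier in this same job) stays in place and apt keeps reading it next to the new one; `sudo tee` without `-a` makes the file's content exactly this one line. The `signed-by` keyring path only works if `/usr/share/keyrings/aegir-archive-keyring.gpg` was placed there by an earlier step that is not visible in this file, so the job should fail loudly when it is missing: `- test -r /usr/share/keyrings/aegir-archive-keyring.gpg` before the `apt-get update`. Separately, the `allow_failure: true` added to the jessie test job means a broken jessie install no longer fails the pipeline; if jessie is still a supported target, a one-line comment next to it saying why failures are tolerated would help.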
<?php
/**
* @file
* Provides the Provision_Config_Drupal_Services class.
*/
class Provision_Config_Drupal_Services extends Provision_Config {
public $template = 'aegir.services.tpl.php';
public $description = 'Drupal aegir.services.yml file';
protected $mode = 0440;
function filename() {
return $this->site_path . '/aegir.services.yml';
}
function process() {
$this->version = provision_version();
$this->cookie_domain = $this->getCookieDomain();
$this->group = $this->platform->server->web_group;
}
/**
* Extract our cookie domain from the URI.
*/
protected function getCookieDomain() {
$uri = explode('.', $this->uri);
# Leave base domain; only strip out subdomains.
if (count($uri) > 2) {
$uri[0] = '';
}
return implode('.', $uri);
}
}
---
# This file was automatically generated by Aegir <?php print $this->version; ?>
# on <?php print date('r'); ?>.
parameters:
session.storage.options:
cookie_domain: '<?php print $this->cookie_domain; ?>'
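Review bot: `getCookieDomain()` decides what to strip purely by label count, so a bare three-label host such as `example.co.uk` becomes `.co.uk` and a four-octet IP literal becomes `.0.0.5`; browsers refuse cookies scoped to a public suffix or to a partial address, so sessions for such sites would not persist. The method should at least leave IP literals alone, `if (count($uri) > 2 && !filter_var($this->uri, FILTER_VALIDATE_IP)) {`, and its comment should state the assumption it relies on: that `$this->uri` is a hostname with exactly one registrable label above the public suffix, since there is no public-suffix check here. Note also that scoping the session cookie to the parent domain sends it to every sibling host under that domain, which is only acceptable when all of those hosts are trusted by this site; that trade-off deserves a sentence in the class description.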
......@@ -126,7 +126,6 @@ if (isset($_SERVER['db_name'])) {
ini_set('session.cache_limiter', 'none');
ini_set('session.cookie_lifetime', 0);
ini_set('session.gc_maxlifetime', 200000);
ini_set('session.save_handler', 'user');
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);
ini_set('url_rewriter.tags', '');
......
......@@ -157,6 +157,11 @@ if (isset($_SERVER['db_name'])) {
<?php endif; ?>
<?php endif; ?>
/**
* Set the Syslog identity to the site name so it's not always "drupal".
*/
$conf['syslog_identity'] = '<?php print $this->uri ?>';
<?php print $extra_config; ?>
# Additional host wide configuration settings. Useful for safely specifying configuration settings.
......
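Review bot: The new `$conf['syslog_identity']` line writes `$this->uri` straight into a single-quoted PHP literal in the generated settings.php, so a URI containing `'` or `\` would produce broken, or attacker-shaped, PHP that the site then executes; this presumably cannot happen because Aegir validates URIs as hostnames elsewhere, but the template should not silently depend on that. Emitting it as `$conf['syslog_identity'] = <?php print var_export($this->uri, TRUE) ?>;` yields a correctly escaped literal for any string. The enclosing `if (isset($_SERVER['db_name']))` block begins outside this hunk.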
......@@ -23,6 +23,7 @@ print '<?php' ?>
*/
if (isset($_SERVER['SITE_SUBDIR']) && isset($_SERVER['RAW_HOST'])) {
$base_url = 'http://' . $_SERVER['RAW_HOST'] . '/' . $_SERVER['SITE_SUBDIR'];
ini_set('session.cookie_path', '/' . $_SERVER['SITE_SUBDIR'] . '/');
}
<?php endif; ?>
......@@ -110,9 +111,6 @@ if (isset($_SERVER['db_name'])) {
<?php endif; ?>
$profile = "<?php print $this->profile ?>";
$install_profile = "<?php print $this->profile ?>";
/**
* PHP settings:
*
......@@ -133,7 +131,6 @@ if (isset($_SERVER['db_name'])) {
*/
umask(0002);
$settings['install_profile'] = '<?php print $this->profile ?>';
$settings['file_public_path'] = '<?php print $this->file_public_path ?>';
$settings['file_private_path'] = '<?php print $this->file_private_path ?>';
$config['system.file']['path']['temporary'] = '<?php print $this->file_temporary_path ?>';
......@@ -163,6 +160,7 @@ if (isset($_SERVER['db_name'])) {
/**
* Load services definition file.
*/
$settings['container_yamls'][] = __DIR__ . '/aegir.services.yml';
$settings['container_yamls'][] = __DIR__ . '/services.yml';
/**
......@@ -182,6 +180,11 @@ if (isset($_SERVER['db_name'])) {
'\.local$',
);
/**
* Set the Syslog identity to the site name so it's not always "drupal".
*/
$config['syslog.settings']['identity'] = '<?php print $this->uri ?>';
<?php print $extra_config; ?>
# Additional host wide configuration settings. Useful for safely specifying configuration settings.
......
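Review bot: The comment above `$config['syslog.settings']['identity']` should say that this is a configuration override: a `$config` assignment in a Drupal 8 settings.php wins over the stored configuration, so the identity shown on the syslog settings form is not the one in use and an administrator changing it there will see no effect. Suggested wording: `// Config override: force the syslog identity to the site name so it is not always "drupal". The value on the syslog settings form is ignored.` As in the Drupal 7 template in this commit, the value is printed raw into a single-quoted literal; `var_export($this->uri, TRUE)` would make the escaping explicit instead of relying on URI validation elsewhere. The enclosing `if (isset($_SERVER['db_name']))` block begins outside this hunk.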
......@@ -19,10 +19,10 @@ class Provision_Config_Drushrc_Alias extends Provision_Config_Drushrc {
function __construct($context, $data = array()) {
parent::__construct($context, $data);
if (is_array($data['aliases'])) {
if (isset($data['aliases']) && is_array($data['aliases'])) {
$data['aliases'] = array_unique($data['aliases']);
}
if (is_array($data['drush_aliases'])) {
if (isset($data['drush_aliases']) && is_array($data['drush_aliases'])) {
$data['drush_aliases'] = array_unique($data['drush_aliases']);
}
......
......@@ -3,17 +3,10 @@ api = 2
; This makefile fetches the latest release of Drupal from Drupal.org.
projects[drupal][type] = "core"
projects[drupal][version] = 7.60
; Sync manually with drupal-org-core.make in the hostmaster repo.
; Sync manually with drupal-org-core.make in the hostmaster repo.
; Function each() is deprecated since PHP 7.2; https://www.drupal.org/project/drupal/issues/2925449
projects[drupal][patch][2925449] = "https://www.drupal.org/files/issues/2018-04-08/deprecated_each2925449-106.patch"
; [PHP 7.2] Avoid count() calls on uncountable variables; https://www.drupal.org/project/drupal/issues/2885610
projects[drupal][patch][2885610] = "https://www.drupal.org/files/issues/2018-04-21/drupal-7-count-function-deprecation-fixes-2885610-19.patch"
; Pin a core version, only as long as we have a core patch below.
; Sync manually with drupal-org-core.make in the hostmaster repository.
;projects[drupal][version] = 7.61
; The release.sh script updates the version of hostmaster.
projects[hostmaster][type] = "profile"
......
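Review bot: With `projects[drupal][version] = 7.60` removed and the replacement pin left commented out, `drush make` fetches whatever the current Drupal 7 release is on the day the package is built, so two builds of the same provision release can ship different core versions and the core version named in this commit's Debian changelog cannot be guaranteed by this file. If floating to the latest core is intended, the comment should say so explicitly; otherwise pin the version the release actually ships, for example `projects[drupal][version] = 7.67` if that is the one, since the pin is what makes the build reproducible and auditable, not the presence of a core patch.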
......@@ -33,6 +33,9 @@ case "$1" in
# this obviously doesn't work for git releases
VERSION=`sed -n '/^version/{s/^.*= *//;p}' /usr/share/drush/commands/provision/provision.info`
# TODO: lookup? composer installs?
DRUSH_PATH="/usr/local/bin/drush"
FLAGS="--yes"
if [ "$DPKG_DEBUG" = "developer" ]; then
FLAGS="$FLAGS --debug"
......@@ -68,10 +71,10 @@ case "$1" in
chown aegir:aegir "$AEGIRHOME" "$AEGIRHOME/config" "$AEGIRHOME/config/$WEBSERVER.conf"
# flush the drush cache to find new commands
su -s /bin/sh aegir -c 'drush cache-clear drush'
su -s /bin/sh aegir -c "$DRUSH_PATH cache-clear drush"
site_uri=`su -s /bin/sh aegir -c 'drush @hostmaster status --fields="uri" --field-labels=0 2>/dev/null | tr "\n" " " | sed -e "s/^[[:space:]]*//g" -e "s/[[:space:]]*\$//g"'`
drupal_root=`su -s /bin/sh aegir -c 'drush @hostmaster status --fields="root" --field-labels=0 2>/dev/null | tr "\n" " " | sed -e "s/^[[:space:]]*//g" -e "s/[[:space:]]*\$//g"'`
site_uri=`su -s /bin/sh aegir -c "$DRUSH_PATH @hostmaster status --fields='uri' --field-labels=0 2>/dev/null | tr '\n' ' ' | sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*\$//g'"`
drupal_root=`su -s /bin/sh aegir -c "$DRUSH_PATH @hostmaster status --fields='root' --field-labels=0 2>/dev/null | tr '\n' ' ' | sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*\$//g'"`
if [ -d "$drupal_root" ]; then
# upgrade
......@@ -95,14 +98,14 @@ case "$1" in
echo "it seems to be the same version as the one we're trying to install, not upgrading"
else
echo "upgrading the frontend from $drupal_root to $NEW_PLATFORM"
if su -s /bin/sh aegir -c 'drush @hostmaster pm-list --status=enabled --pipe' | grep -q hosting_queued; then
if su -s /bin/sh aegir -c "$DRUSH_PATH @hostmaster pm-list --status=enabled --pipe" | grep -q hosting_queued; then
service hosting-queued stop
fi
cd "$drupal_root"
su -s /bin/sh aegir -c "drush hostmaster-migrate $FLAGS '$site_uri' '$NEW_PLATFORM'"
su -s /bin/sh aegir -c "$DRUSH_PATH hostmaster-migrate $FLAGS '$site_uri' '$NEW_PLATFORM'"
echo "upgrade finished, old platform left in $drupal_root"
# restart daemon if enabled
if su -s /bin/sh aegir -c 'drush @hostmaster pm-list --status=enabled --pipe' | grep -q hosting_queued; then
if su -s /bin/sh aegir -c "$DRUSH_PATH @hostmaster pm-list --status=enabled --pipe" | grep -q hosting_queued; then
service hosting-queued start
fi
fi
......@@ -173,7 +176,7 @@ case "$1" in
fi
# pass data through JSON for extra security
su -s /bin/sh aegir -c "cd $AEGIRHOME && drush hostmaster-install $FLAGS --backend $site_uri 2>&1 | drush backend-parse $DEBUG" <<EOF
su -s /bin/sh aegir -c "cd $AEGIRHOME && $DRUSH_PATH hostmaster-install $FLAGS --backend $site_uri 2>&1 | $DRUSH_PATH backend-parse $DEBUG" <<EOF
{ "yes": 1,
"version": "$VERSION",
"aegir_db_host": "$AEGIR_DB_HOST",
......@@ -183,11 +186,11 @@ case "$1" in
}
EOF
# flush the drush cache to find new commands
su -s /bin/sh aegir -c 'drush cache-clear drush'
su -s /bin/sh aegir -c "$DRUSH_PATH cache-clear drush"
# on new installs, we default to having the daemon enabled
echo 'Enabling hosting-queued daemon'
su -s /bin/sh aegir -c 'drush @hostmaster pm-enable -y hosting_queued'
su -s /bin/sh aegir -c "$DRUSH_PATH @hostmaster pm-enable -y hosting_queued"
service hosting-queued start
if [ -f /bin/systemctl ]; then
# There must be a better way, but we're trying to stay compatible with Debian Wheezy and Jessie.
......@@ -215,10 +218,10 @@ EOF
esac
# this will ensure that this script aborts if the site can't be bootstrapped
if su -s /bin/sh aegir -c 'drush @hostmaster status' 2>&1 | grep -q 'Drupal bootstrap.*Successful'; then
if su -s /bin/sh aegir -c "$DRUSH_PATH @hostmaster status" 2>&1 | grep -q 'Drupal bootstrap.*Successful'; then
echo 'Aegir frontend bootstrap correctly, operation was a success!'
echo 'Use this URL to login on your new site:'
su -s /bin/sh aegir -c 'drush @hostmaster uli'
su -s /bin/sh aegir -c "$DRUSH_PATH @hostmaster uli"
else
echo 'Aegir frontend failed to bootstrap, something went wrong!'
echo 'Look at the log above for clues or run with DPKG_DEBUG=developer'
......
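Review bot: `DRUSH_PATH="/usr/local/bin/drush"` is hard-coded with a TODO and never checked, so on a host where drush lives elsewhere every `su … -c "$DRUSH_PATH …"` call below fails with an opaque shell error rather than a clear message; add a guard right after the assignment, `[ -x "$DRUSH_PATH" ] || { echo "drush not found at $DRUSH_PATH" >&2; exit 1; }`. Passing an absolute path chosen by this root-run script to the aegir user is the right direction, because it stops the aegir login shell's PATH from deciding which `drush` binary a maintainer script executes. The `case` statement these hunks belong to starts and ends outside the hunks.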
aegir3-provision (3.180) unstable; urgency=medium
* Bugfixes and UI improvements, see http://aegir.readthedocs.org/en/3.x/release-notes/3.18
* Include Drupal 7.67
-- Colan Schwartz <13228-colan@users.noreply.gitlab.com> Thu, 27 Jun 2019 15:27:28 -0400
aegir3-provision (3.174) testing; urgency=medium
* Update to Hostmaster 7.x-3.174
* Include an updated ctools, views, module_filter
* Include a new Golden Contrib module: Hosting Deploy
-- Herman van Rink <helmo@initfour.nl> Thu, 04 Apr 2019 15:48:32 +0200
aegir3-provision (3.173) testing; urgency=medium
* Update to Hostmaster 7.x-3.173 & Drupal 7.63.
-- Jon Pugh <jon@thinkdrop.net> Fri, 18 Jan 2019 14:37:21 -0500
aegir3-provision (3.172) testing; urgency=medium
* Fix regression in legacy hosting_ssl: the logic for determining a certificate wasn't good, in the legacy module. #3020747
-- Jon Pugh <jon@thinkdrop.net> Wed, 09 Jan 2019 10:50:08 -0500
aegir3-provision (3.171) testing; urgency=medium
* Fix regression in hosting_https, #3020747
-- Herman van Rink <helmo@initfour.nl> Sat, 22 Dec 2018 20:22:16 +0100
aegir3-provision (3.170) unstable; urgency=high
* Bugfixes and UI improvements, see http://aegir.readthedocs.org/en/3.x/release-notes/3.17
* Fixes a number of security issues.
* Include Drupal 7.61
-- Herman van Rink <helmo@initfour.nl> Wed, 19 Dec 2018 16:50:53 +0100
aegir3-provision (3.161) testing; urgency=medium
* Minor bugfix release
......
......@@ -11,7 +11,7 @@ Vcs-browser: http://drupalcode.org/project/provision.git
Package: aegir3-provision
Architecture: all
Depends: ${misc:Depends}, php5-cli (>= 5.3) | php7.0-cli | php7.1-cli | php7.2-cli, php5 | php7.0-xml | php7.1-xml | php7.2-xml, php5-mysql | php7.0-mysql | php7.1-mysql | php7.2-mysql, mysql-client | mariadb-client, sudo, postfix | mail-transport-agent, apache2 | nginx, adduser, ucf, curl
Depends: ${misc:Depends}, php5-cli (>= 5.3) | php7.0-cli | php7.1-cli | php7.2-cli | php-cli, php5 | php7.0-xml | php7.1-xml | php7.2-xml | php-xml, php5-mysql | php7.0-mysql | php7.1-mysql | php7.2-mysql | php-mysql, mysql-client | mariadb-client, sudo, postfix | mail-transport-agent, apache2 | nginx, adduser, ucf, curl
Recommends: mysql-server | mariadb-server, rsync, composer
Conflicts: aegir-provision, aegir-provision2, aegir2-provision
Replaces: aegir-provision, aegir-provision2, aegir2-provision
......@@ -30,8 +30,8 @@ Description: mass Drupal hosting system - backend
Package: aegir3-hostmaster
Architecture: all
Depends: ${misc:Depends}, php5-mysql | php7.0-mysql | php7.1-mysql | php7.2-mysql, php5-gd | php7.0-gd | php7.1-gd | php7.2-gd, apache2 | nginx, libapache2-mod-php5 | libapache2-mod-php7.0 | libapache2-mod-php7.1 | libapache2-mod-php7.2 | php5-fpm | php7.0-fpm | php7.1-fpm | php7.2-fpm,, aegir3-provision (>= ${source:Version}), git-core, unzip, lsb-base (>= 3.0-6)
Recommends: php5 | php7.0 | php7.1 | php7.2
Depends: ${misc:Depends}, php5-mysql | php7.0-mysql | php7.1-mysql | php7.2-mysql | php-mysql, php5-gd | php7.0-gd | php7.1-gd | php7.2-gd | php-gd, apache2 | nginx, libapache2-mod-php5 | libapache2-mod-php7.0 | libapache2-mod-php7.1 | libapache2-mod-php7.2 | libapache2-mod-php | php5-fpm | php7.0-fpm | php7.1-fpm | php7.2-fpm | php-fpm, aegir3-provision (>= ${source:Version}), git-core, unzip, lsb-base (>= 3.0-6)
Recommends: php5 | php7.0 | php7.1 | php7.2 | php
Conflicts: aegir-hostmaster, aegir-hostmaster2, aegir2-hostmaster
Replaces: aegir-hostmaster, aegir-hostmaster2, aegir2-hostmaster
Description: mass Drupal hosting system - frontend
......@@ -69,8 +69,8 @@ Description: mass Drupal hosting system
Package: aegir3-cluster-slave
Architecture: all
Depends: ${misc:Depends}, php5-mysql | php7.0-mysql | php7.1-mysql | php7.2-mysql, sudo, apache2, adduser, ucf, libapache2-mod-php5 | libapache2-mod-php7.0 | libapache2-mod-php7.1, libapache2-mod-php7.2, rsync, nfs-client, mysql-client
Recommends: php5-gd | php7.0-gd | php7.1-gd | php7.2-gd, php5 | php7.0 | php7.1 | php7.2
Depends: ${misc:Depends}, php5-mysql | php7.0-mysql | php7.1-mysql | php7.2-mysql | php-mysql, sudo, apache2, adduser, ucf, libapache2-mod-php5 | libapache2-mod-php7.0 | libapache2-mod-php7.1 | libapache2-mod-php7.2 | libapache2-mod-php, rsync, nfs-client, mysql-client, aegir3-provision
Recommends: php5-gd | php7.0-gd | php7.1-gd | php7.2-gd, php5 | php7.0 | php7.1 | php7.2 | php
Conflicts: aegir-cluster-slave, aegir-cluster-slave2, aegir2-cluster-slave, aegir3
Replaces: aegir-cluster-slave, aegir-cluster-slave2, aegir2-cluster-slave
Description: mass Drupal hosting system - slave backend
......
<?php if ($this->ssl_enabled && $this->ssl_key) : ?>
<?php if ($this->ssl_enabled && $this->ssl_key && $this->ssl_cert_ok) : ?>
<VirtualHost <?php print "{$ip_address}:{$http_ssl_port}"; ?>>
<?php if ($this->site_mail) : ?>
......@@ -82,7 +82,7 @@ if ($this->redirection) {
# Prevent direct reading of files in the private dir.
# This is for Drupal7 compatibility, which would normally drop
# a .htaccess in those directories, but we explicitly ignore those
<Directory "<?php print $this->site_path; ?>/private/" >
<Directory ~ "sites/.*/private">
<Files *>
SetHandler This_is_a_Drupal_security_line_do_not_remove
</Files>
......
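Review bot: The new `<Directory ~ "sites/.*/private">` match is unanchored, so besides the intended `sites/<uri>/private` it also applies to any path containing that substring — a `private` directory inside a contributed module under `sites/all/modules/…`, or a site directory whose name merely starts with `private` — and those get the `SetHandler` deny treatment too. Anchoring it as `<Directory ~ "/sites/[^/]+/private(/|$)">` keeps the protection for the site's private tree and its subdirectories without catching unrelated paths. The earlier hunk's `$this->ssl_cert_ok` guard on the SSL `<VirtualHost>` is fine as long as every config object that renders this template defines that property; only `Provision_Config_Http_Ssl_Site` is seen declaring it in this commit.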
<Directory <?php print $this->root; ?>>
Order allow,deny
Allow from all
Satisfy any
Satisfy All
Require all granted
<?php print $extra_config; ?>
......
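Review bot: The `<Directory>` block now mixes `Order allow,deny` / `Allow from all` / `Satisfy All` with `Require all granted`: the first three are Apache 2.2 directives that 2.4 only understands through mod_access_compat, while `Require all granted` is 2.4-only and is a configuration error on 2.2. If only Apache 2.4 is supported (the packaging in this commit does not pin an apache2 version), keep just `Require all granted` so the block does not depend on the compat module being loaded; if 2.2 must still work, the 2.4 line needs an `<IfModule mod_authz_core.c>` guard. Changing `Satisfy any` to `Satisfy All` only matters where 2.2-style `Require` auth directives are also present, which this excerpt does not show; the `<Directory>` block continues past the hunk.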
......@@ -39,7 +39,7 @@ Alias /<?php print $subdir; ?> <?php print $this->root; ?>
# Prevent direct reading of files in the private dir.
# This is for Drupal7 compatibility, which would normally drop
# a .htaccess in those directories, but we explicitly ignore those
<Directory "<?php print $this->site_path; ?>/private/" >
<Directory ~ "sites/.*/private">
SetHandler This_is_a_Drupal_security_line_do_not_remove
Deny from all
Options None
......
......@@ -83,7 +83,7 @@ if ($this->redirection || $ssl_redirection) {
# Prevent direct reading of files in the private dir.
# This is for Drupal7 compatibility, which would normally drop
# a .htaccess in those directories, but we explicitly ignore those
<Directory "<?php print $this->site_path; ?>/private/" >
<Directory ~ "sites/.*/private">
<Files *>
SetHandler This_is_a_Drupal_security_line_do_not_remove
</Files>
......
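Review bot: The private-files protection now keys on the fixed pattern `sites/.*/private` instead of `$this->site_path`, while the Drupal 8 settings template in this same commit starts writing `$settings['file_private_path']` from a `file_private_path` property; a site whose private path is configured somewhere else inside the docroot would get no `<Directory>` deny from this template at all. If that property is reachable here, emit an additional block from it, e.g. `<Directory ~ "<?php print preg_quote($this->file_private_path); ?>">`, alongside the generic pattern; otherwise the comment should state that the protection assumes the default `sites/<uri>/private` layout. The pattern is also unanchored, so it matches any path containing that substring, including a module's own `private` directory under `sites/all`.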
......@@ -9,12 +9,11 @@
class Provision_Config_Http_Ssl_Site extends Provision_Config_Http_Site {
public $template = 'vhost_ssl.tpl.php';
public $disabled_template = 'vhost_ssl_disabled.tpl.php';
public $ssl_cert_ok = TRUE;
public $description = 'encrypted virtual host configuration';
function write() {
parent::write();
if ($this->ssl_enabled && $this->ssl_key) {
$path = dirname($this->data['ssl_cert']);
// Make sure the ssl.d directory in the server ssl.d exists.
......@@ -28,28 +27,39 @@ class Provision_Config_Http_Ssl_Site extends Provision_Config_Http_Site {
// XXX: test. data structure may not be sound. try d($this->uri)
// if $this fails
Provision_Service_http_ssl::assign_certificate_site($this->ssl_key, $this);
// Copy the certificates to the server's ssl.d directory.
provision_file()->copy(
$this->data['ssl_cert_source'],
$this->data['ssl_cert'])
|| drush_set_error('SSL_CERT_COPY_FAIL', dt('failed to copy SSL certificate in place'));
provision_file()->copy(
$this->data['ssl_cert_key_source'],
$this->data['ssl_cert_key'])
|| drush_set_error('SSL_KEY_COPY_FAIL', dt('failed to copy SSL key in place'));
if (!provision_file()->copy($this->data['ssl_cert_source'], $this->data['ssl_cert'])->status()) {
drush_set_error('SSL_CERT_COPY_FAIL', dt('failed to copy SSL certificate in place'));
$this->ssl_cert_ok = FALSE;
}
if (!provision_file()->copy($this->data['ssl_cert_key_source'], $this->data['ssl_cert_key'])->status()) {
drush_set_error('SSL_KEY_COPY_FAIL', dt('failed to copy SSL key in place'));
$this->ssl_cert_ok = FALSE;
}
// Copy the chain certificate, if it is set.
if (!empty($this->data['ssl_chain_cert_source'])) {
provision_file()->copy(
$this->data['ssl_chain_cert_source'],
$this->data['ssl_chain_cert'])
|| drush_set_error('SSL_CHAIN_COPY_FAIL', dt('failed to copy SSL certficate chain in place'));
if (!provision_file()->copy($this->data['ssl_chain_cert_source'], $this->data['ssl_chain_cert'])->status()) {
drush_set_error('SSL_CHAIN_COPY_FAIL', dt('failed to copy SSL certficate chain in place'));
$this->ssl_cert_ok = FALSE;
}
}
// If cert is not ok, turn off ssl_redirection.
if ($this->ssl_cert_ok == FALSE) {
$this->data['ssl_redirection'] = FALSE;
drush_log(dt('SSL Certificate preparation failed. SSL has been disabled for this site.'), 'warning');
}
// Sync the key directory to the remote server.
$this->data['server']->sync($path, array(
'exclude' => "{$path}/*.receipt", // Don't need to synch the receipts
));
}
// Call parent's write AFTER ensuring the certificates are in place to prevent
// the vhost from referencing missing files.
parent::write();
}
/**
......
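Review bot: When a certificate or key copy fails, `write()` still runs `$this->data['server']->sync($path, …)` and then `parent::write()`, so the site's existing vhost is replaced by one with SSL and the HTTPS redirect switched off, and the only signals are the `drush_set_error` and a `warning`-level log line; for a site whose operator required HTTPS this is fail-open. If the intent is that a certificate failure must not degrade the site, return before the sync and the parent write — `if (!$this->ssl_cert_ok) { drush_log(dt('SSL Certificate preparation failed; vhost left unchanged.'), 'warning'); return; }` — and let the error already set presumably fail the verify task; if serving plain HTTP really is the intended fallback, the class description should say so. Either way `$this->ssl_cert_ok == FALSE` reads better as `!$this->ssl_cert_ok`. Part of `write()` between the two hunks is not shown.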
......@@ -70,10 +70,32 @@ if ($main_site_name = '') {
set $main_site_name "$server_name";
}
###
### Mitigation for https://www.drupal.org/SA-CORE-2018-002
###
set $rce "ZZ";
if ( $query_string ~* (23value|23default_value|element_parents=%23) ) {
set $rce "A";
}
if ( $request_method = POST ) {
set $rce "${rce}B";
}
if ( $rce = "AB" ) {
return 403;
}
<?php if ($nginx_config_mode == 'extended'): ?>
set $nocache_details "Cache";
<?php if ($satellite_mode == 'boa'): ?>
###
### Return 404 on special PHP URLs to avoid revealing version used,
### even indirectly. See also: https://drupal.org/node/2116387
###
if ( $args ~* "=PHP[A-Z0-9]{8}-" ) {
return 404;
}
###
### Deny crawlers.
###
......@@ -112,7 +134,6 @@ if ($is_denied) {
###
### Add recommended HTTP headers
###
add_header Access-Control-Allow-Origin *;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
<?php endif; ?>
......@@ -149,7 +170,7 @@ location ^~ /httprl_async_function_callback {
location ~* ^/httprl_async_function_callback {
access_log off;
set $nocache_details "Skip";
try_files $uri @nobots;
try_files $uri @drupal;
}
}
......@@ -160,7 +181,7 @@ location ^~ /admin/httprl-test {
location ~* ^/admin/httprl-test {
access_log off;
set $nocache_details "Skip";
try_files $uri @nobots;
try_files $uri @drupal;
}
}
......@@ -179,7 +200,7 @@ location ^~ /cdn/farfuture/ {
gzip_http_version 1.0;
if_modified_since exact;
set $nocache_details "Skip";
location ~* ^/cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff|eot|less)$ {
location ~* ^/cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff2?|eot|less)$ {
expires max;
add_header X-Header "CDN Far Future Generator 1.0";
add_header Cache-Control "no-transform, public";
......@@ -188,7 +209,7 @@ location ^~ /cdn/farfuture/ {
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
try_files $uri @nobots;
try_files $uri @drupal;
}
location ~* ^/cdn/farfuture/ {
expires epoch;
......@@ -198,9 +219,9 @@ location ^~ /cdn/farfuture/ {
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
try_files $uri @nobots;
try_files $uri @drupal;
}
try_files $uri @nobots;
try_files $uri @drupal;
}
<?php endif; ?>
......@@ -211,6 +232,9 @@ location = /favicon.ico {
access_log off;
log_not_found off;
expires 30d;
add_header Access-Control-Allow-Origin *;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
try_files /sites/$main_site_name/files/favicon.ico $uri =204;
}
......@@ -221,6 +245,9 @@ location = /favicon.ico {
location = /robots.txt {
access_log off;
log_not_found off;
add_header Access-Control-Allow-Origin *;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>
try_files /sites/$main_site_name/files/$host.robots.txt /sites/$main_site_name/files/robots.txt $uri @cache;
<?php else: ?>
......@@ -305,10 +332,10 @@ location ^~ /cron/ {
###
location ^~ /search {
location ~* ^/search {
if ($is_bot) {
if ( $is_bot ) {
return 403;
}
try_files $uri @cache;
try_files $uri @drupal;
}
}
......@@ -317,7 +344,7 @@ location ^~ /search {
###
location ^~ /js/ {
location ~* ^/js/ {
if ($is_bot) {
if ( $is_bot ) {
return 403;
}
rewrite ^/(.*)$ /js.php?q=$1 last;
......@@ -351,7 +378,7 @@ location ^~ /hosting/c/server_master {
if ($cache_uid = '') {
return 403;
}
if ($is_bot) {
if ( $is_bot ) {
return 403;
}
access_log off;
......@@ -367,7 +394,7 @@ location ^~ /hosting/c/server_localhost {
if ($cache_uid = '') {
return 403;
}
if ($is_bot) {
if ( $is_bot ) {
return 403;
}
access_log off;
......@@ -379,7 +406,7 @@ location ^~ /hosting/c/server_localhost {
### Fix for #2005116
###
location ^~ /hosting/sites {
if ($is_bot) {
if ( $is_bot ) {
return 403;
}
access_log off;
......@@ -391,12 +418,12 @@ location ^~ /hosting/sites {
### Fix for Aegir & .info .pl domain extensions.
###
location ^~ /hosting {
if ($is_bot) {
if ( $is_bot ) {
return 403;
}
access_log off;
set $nocache_details "Skip";
try_files $uri @cache;
try_files $uri @drupal;
}
<?php if ($satellite_mode == 'boa'): ?>
......@@ -421,7 +448,7 @@ location ^~ /admin/config/development/performance/redis {
### Support for backup_migrate module download/restore/delete actions.
###
location ^~ /admin {
if ($is_bot) {
if ( $is_bot ) {
return 403;
}
access_log off;
......@@ -433,7 +460,7 @@ location ^~ /admin {
### Avoid caching /civicrm* and protect it from bots.
###
location ^~ /civicrm {
if ($is_bot) {
if ( $is_bot ) {
return 403;
}
access_log off;
......@@ -458,7 +485,7 @@ location ~* ^/\w\w/civicrm {
###
location ^~ /audio/download {
location ~* ^/audio/download/.*/.*\.(?:mp3|mp4|m4a|ogg)$ {
if ($is_bot) {
if ( $is_bot ) {
return 403;
}
tcp_nopush off;
......@@ -515,11 +542,11 @@ location ~* (?:cgi-bin|vti-bin) {
### Deny bots on some weak modules uri.
###
location ~* (?:validation|aggregator|vote_up_down|captcha|vbulletin|glossary/) {
if ($is_bot) {
if ( $is_bot ) {
return 403;
}
access_log off;
try_files $uri @cache;
try_files $uri @drupal;
}
###
......@@ -557,6 +584,9 @@ location ~* /sites/.*/files/styles/(.*)$ {
access_log off;
log_not_found off;
expires 30d;
add_header Access-Control-Allow-Origin *;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>
set $nocache_details "Skip";
<?php endif; ?>
......@@ -570,6 +600,9 @@ location ~* /s3/files/styles/(.*)$ {
access_log off;
log_not_found off;
expires 30d;
add_header Access-Control-Allow-Origin *;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>
set $nocache_details "Skip";
<?php endif; ?>
......@@ -583,6 +616,9 @@ location ~* /sites/.*/files/imagecache/(.*)$ {
access_log off;
log_not_found off;
expires 30d;
add_header Access-Control-Allow-Origin *;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>