Darren Mothersele

Software Developer

Warning: You are viewing old, legacy content. Kept for posterity. Information is out of date. Code samples probably don't work. My opinions have probably changed. Browse at your own risk.

A couple of simple Aegir add-ons

May 19, 2012

devops

I'm using an Aegir-based hosting system for Drupal sites, and I've needed to do a couple of configuration tasks on certain sites. Rather than hack the configuration generated by Aegir, or hard-code this in (and have to do the same each time I need it), I have put this in two simple modules. The first allows you to specify the IP addresses that can access the site; the second applies some simple htaccess rules to harden up security. Get them from my GitHub, or read on for more details...

Simple Hosting Firewall

This is good for staging sites where you want to restrict access to developers, or to clients who will approve the changes before they are pushed to the (live) production site. It means you don't have to expose your staging sites to the world.

It works by adding Apache conf rules to restrict by IP address. If you don't provide IP addresses then the whole world can see your site. If you provide a list of IP addresses then only clients with those IP addresses can access the site. Grab the code from my GitHub account.

NB: If you are using a reverse proxy cache, such as Varnish, in front of Drupal, then you will need to have mod_rpaf installed in order for the correct IP address to be reported to Apache. On Ubuntu server you can install that mod like this:

sudo apt-get install libapache2-mod-rpaf
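
Why the proxy caveat matters, as an added example (not the module's code): a simplified Python model of which address the IP allow list is checked against, with and without mod_rpaf. The sample addresses, Varnish running on 127.0.0.1, and taking the last X-Forwarded-For entry are assumptions of this model.

```python
import ipaddress

PROXY_IPS = {"127.0.0.1"}  # assumption: Varnish runs on the same host as Apache


def is_allowed(seen_ip, allowlist):
    """Empty allow list means no restriction, as described for the module."""
    if not allowlist:
        return True
    ip = ipaddress.ip_address(seen_ip)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in allowlist)


def apache_sees(remote_addr, xff, rpaf_enabled):
    """Address the access rules are evaluated against (simplified model)."""
    # The forwarded header is only honoured when the TCP peer is a known proxy,
    # so a client connecting directly cannot claim someone else's address.
    if rpaf_enabled and remote_addr in PROXY_IPS and xff:
        return xff.split(",")[-1].strip()
    return remote_addr


def decide(remote_addr, xff, allowlist, rpaf_enabled):
    return is_allowed(apache_sees(remote_addr, xff, rpaf_enabled), allowlist)


# Constructed sample requests: (label, TCP peer address, X-Forwarded-For header)
REQUESTS = [
    ("developer via Varnish", "127.0.0.1", "203.0.113.10"),
    ("outsider via Varnish", "127.0.0.1", "198.51.100.7"),
    ("direct, forged header", "198.51.100.7", "203.0.113.10"),
]


def audit(allowlist, rpaf_enabled):
    """Map each sample request to True (served) or False (blocked)."""
    return {label: decide(peer, xff, allowlist, rpaf_enabled)
            for label, peer, xff in REQUESTS}


if __name__ == "__main__":
    cases = [
        (["203.0.113.10"], False),               # no rpaf: everyone looks like the proxy
        (["203.0.113.10", "127.0.0.1"], False),  # allowing the proxy opens the site to all
        (["203.0.113.10"], True),                # rpaf: rules see the real client
    ]
    for allowlist, rpaf in cases:
        print(allowlist, "rpaf" if rpaf else "no rpaf", audit(allowlist, rpaf))
```

Without mod_rpaf every proxied request appears to come from the proxy, so the allow list either locks out the developers or, once the proxy address is added to it, stops restricting anyone.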

Aegir Secure Mods

This module adds some simple htaccess rewrite rules to harden up security a little. At the moment it just blocks access to the files left over from the Drupal installation process that are not required for a production site.

This module came about after a security agency performed penetration testing on a client's website and recommended that these files were removed. I decided, rather than remove them, to just rewrite them to a 404 error - making them look like they never existed! I prefer this approach because I'm building platforms from Drush make files and I don't want to keep removing the files each time, or have to roll a patch to remove them.

This module provides a simple checkbox on sites within Aegir to turn on the blocking of install files. Grab the code from my GitHub account.

Installation

Both modules need installing in your Aegir site the same way you install any Drupal module. I recommend putting them in your Aegir site's folder (not sites/all), so that when you upgrade Aegir using apt-get the modules are taken along with the site.

You also need to copy the provision script into your .drush folder, so that the Aegir backend can find it.