My first site on Drupal 8. Or securing a Drupal site like a paranoid.
So, I just upgraded my first site to Drupal 8. Yup. It's in production right now. And it has an animated gif front and center.
The site itself is a pretty simple site. It is about the mobile game Crash n Dash (check it out by the way). It contains a front page, where we also display a somewhat real time statistic of online users. And it has a high scores list. As you probably understand, this requires a custom module, so there was that. Also, we have a simple custom theme, built on the Foundation framework. So there was that.
This allowed me to learn more about making a module in Drupal 8, the guzzle library for making requests, some good ol twig for the theme. I'll cover my findings in separate posts later.
Second, a word about security. Since Drupal 8 is alpha still, who know what kind of bugs and potential security holes you can find in there, right? So I ended up disallowing login through regular channels. Since this particular server is behind varnish, disallowing on the default address was really easy, I just put this in my vcl file:
if (req.http.host == "crashndash.com") { unset req.http.Cookie; }
What this does, is effectively denying all logging in to your site on port 80, since no user ever will get a cookie. OK. Well that does not stop someone from logging in if they find the apache port, right? So I put this in my virtual host for the domain (in the directory directive):
Order Deny,AllowDeny from allAllow from 127.0.0.1Allow from x.x.x.x # <- my own ip, so I personally can log in to the site.AllowOverride All
Of course this does not cover all kinds of other tactics that some people might want to try, but at least we are limiting the possibilities to do harm. So next project on d8 is this blog. I mean, as developers, do we really have any excuse for not moving to Drupal 8 with these simple blog sites we put up? I am moving right after I get my feet wet with the migrate module in d8, as I have really enjoyed the projects I have used migrate for earlier.
Full disclosure: I am also the author behind the website mentioned, and the game referenced in that site. It's a free game, but I think it is still fair to mention. This blog post is a cross post from Crash n Dash tech blog and is in part written for shameless self-promotion :) Let's end the post with the animated gif that actually is on the front page of that shiny new Drupal 8 site.