Drupal 8: the trusted_host_patterns setting is not configured, which could lead to security vulnerabilities

After a successful Drupal 8 install, running the Status report shows one error:
Trusted Host Settings: Not enabled
The trusted_host_patterns setting is not configured in settings.php. This could lead to security vulnerabilities. It is highly recommended that you configure this. See "Protecting against HTTP HOST Header attacks" for more information.
Alright, to be on the safe side, let's configure the trusted host settings. On Dawei's site, settings.php lives in the /var/www/html/dsjz.cn/sites/default/ folder. Open settings.php and find the comment block about trusted host configuration:

    /**
     * Trusted host configuration.
     *
     * Drupal core can use the Symfony trusted host mechanism to prevent HTTP Host
     * header spoofing.
     *
     * To enable the trusted host mechanism, you enable your allowable hosts
     * in $settings['trusted_host_patterns']. This should be an array of regular
     * expression patterns, without delimiters, representing the hosts you would
     * like to allow.
     *
     * For example:
     * @code
     * $settings['trusted_host_patterns'] = array(
     *   '^www\.example\.com$',
     * );
     * @endcode
     * will allow the site to only run from www.example.com.
     *
     * If you are running multisite, or if you are running your site from
     * different domain names (eg, you don't redirect http://www.example.com to
     * http://example.com), you should specify all of the host patterns that are
     * allowed by your site.
     *
     * For example:
     * @code
     * $settings['trusted_host_patterns'] = array(
     *   '^example\.com$',
     *   '^.+\.example\.com$',
     *   '^example\.org$',
     *   '^.+\.example\.org$',
     * );
     * @endcode
     * will allow the site to run off of all variants of example.com and
     * example.org, with all subdomains included.
     */

Having read this comment, the configuration is straightforward. Copy the simplest three-line example, adjust it for your own host name, and place it right after this long comment block. Make sure the lines you add are not preceded by comment markers:

     $settings['trusted_host_patterns'] = array(
       '^www\.jiadz\.cn$',
     );


After saving the change, go back to the admin interface and run the Status report again. The Trusted Host Settings row now shows "Enabled".

Because Dawei's blog redirects every URL to the www.dsjz.cn or www.jiadz.cn form, this single pattern is enough. If you also need to serve the site on the bare domain (without www), on other domain names, or as a multisite, adjust the configuration following the second, longer example in the comment.
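To see what this setting actually does, here is an added example (not Drupal's or Symfony's own code) that re-implements the Host header check the way the comment describes it: each pattern is a regular expression without delimiters, and the incoming Host value is tested against the list. The host names other than www.jiadz.cn and www.dsjz.cn are constructed for illustration.

```php
<?php
// Added example: a small re-implementation of the trusted-host check, modelled on
// how Drupal/Symfony match $settings['trusted_host_patterns'] against the request
// Host header. It is not Drupal core code; it exists to show why the anchored
// pattern from settings.php rejects spoofed or look-alike hosts.

function host_is_trusted(string $host, array $patterns): bool
{
    // Normalise the header value: trim, drop an explicit port, lowercase.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($host)));

    foreach ($patterns as $pattern) {
        // Patterns are written "without delimiters" in settings.php because the
        // framework wraps them itself; here we add {} delimiters and the i flag.
        if (preg_match('{' . $pattern . '}i', $host)) {
            return true;
        }
    }
    return false;
}

// The same configuration used in this post, plus the second allowed host name.
$settings['trusted_host_patterns'] = array(
    '^www\.jiadz\.cn$',
    '^www\.dsjz\.cn$',
);

// Constructed probe hosts => whether the check is expected to accept them.
$probes = array(
    'www.jiadz.cn'                  => true,  // exact match
    'WWW.DSJZ.CN:443'               => true,  // case and port do not matter
    'jiadz.cn'                      => false, // bare domain is not listed
    'www.jiadz.cn.attacker.example' => false, // $ anchor blocks suffix tricks
    'attacker.example'              => false, // unrelated host is rejected
);

foreach ($probes as $host => $expected) {
    $result = host_is_trusted($host, $settings['trusted_host_patterns']);
    printf("%-32s %s\n", $host, $result ? 'trusted' : 'REJECTED');
    assert($result === $expected);
}
```

Note that if you need the bare domain as well, add a separate '^jiadz\.cn$' pattern rather than loosening the anchors, since an unanchored pattern would also match the look-alike host above.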
