|
1242 | 1242 | </ul> |
1243 | 1243 | </nav> |
1244 | 1244 |
|
| 1245 | +</li> |
| 1246 | + |
| 1247 | + <li class="md-nav__item"> |
| 1248 | + <a href="#important-ip-based-embargoes-and-anubis" class="md-nav__link"> |
| 1249 | + <span class="md-ellipsis"> |
| 1250 | + IMPORTANT!! (IP Based embargoes and Anubis) |
| 1251 | + </span> |
| 1252 | + </a> |
| 1253 | + |
1245 | 1254 | </li> |
1246 | 1255 |
|
1247 | 1256 | <li class="md-nav__item"> |
|
4149 | 4158 | </ul> |
4150 | 4159 | </nav> |
4151 | 4160 |
|
| 4161 | +</li> |
| 4162 | + |
| 4163 | + <li class="md-nav__item"> |
| 4164 | + <a href="#important-ip-based-embargoes-and-anubis" class="md-nav__link"> |
| 4165 | + <span class="md-ellipsis"> |
| 4166 | + IMPORTANT!! (IP Based embargoes and Anubis) |
| 4167 | + </span> |
| 4168 | + </a> |
| 4169 | + |
4152 | 4170 | </li> |
4153 | 4171 |
|
4154 | 4172 | <li class="md-nav__item"> |
@@ -4478,6 +4496,20 @@ <h5 id="anubis-wants-to-know-if-they-are-invited">Anubis wants to know if they a |
4478 | 4496 | <p>If you want to run NGINX first without any intercepting please do. You can always come back to this later on.</p> |
4479 | 4497 | <div class="highlight"><pre><span></span><code>cp config_storage/nginxconfig/template/nginx.conf.template.default config_storage/nginxconfig/template/nginx.conf.template |
4480 | 4498 | </code></pre></div> |
| 4499 | +<h4 id="important-ip-based-embargoes-and-anubis">IMPORTANT!! (IP Based embargoes and Anubis)</h4> |
| 4500 | +<p>If you decided to run Anubis, you must be aware that because of how it acts as "middleware" in NGINX, the client IP, Port and other original Client Information are going to be sent via headers from NGINX to PHP on the backend. By default Drupal and Symfony will not trust those headers (nor its origin) and that will intefere with IP Based embargo Bypass Logic as defined on the Format Strawberry Field Module (if you set that up). If you don't act on this, still any IP based embargoed ADOs will be secure. Without making the changes recommended below, your site's embargoed objects will be <em>so secure</em> that literally nobody other than a logged in (via Drupal) user will be able to access them because the Client IP that PHP will see is the one of the NGINX Container (inside Docker).</p> |
| 4501 | +<p>Only IF you are running Anubis (don't do this if not - DANGER -), and to ensure trustable information from the Forwarded IP headers is decoded as trusted "Client IP" on PHP, please edit your <code>drupal\web\sites\default\settings.php</code> and ensure that you replace the following <code>if (PHP_SAPI !== 'cli')</code> statement with the following snippet (or if recently deployed just comment/uncomment what is there already).</p> |
| 4502 | +<div class="highlight"><pre><span></span><code><span class="x">if (PHP_SAPI !== 'cli') {</span> |
| 4503 | +<span class="x"> $settings['reverse_proxy'] = TRUE;</span> |
| 4504 | +<span class="x"> # $settings['reverse_proxy_addresses'] = [@\$_SERVER['REMOTE_ADDR']];</span> |
| 4505 | +<span class="x"> # If Running Anubis via NGINX, as Documented in this release, comment (or keep commented out) the previous line</span> |
| 4506 | +<span class="x"> # and (keep) uncomment The two following Lines. Add/Replace Any Private IP Ranges under which your Docker Containers Run. </span> |
| 4507 | +<span class="x"> # The ranges set there are the most common ones found for Docker Networks, but could be different if you customized it.</span> |
| 4508 | +<span class="x"> # You can also disable some of the trusted headers for extra security (most important one is the .</span> |
| 4509 | +<span class="x"> $settings['reverse_proxy_addresses'] = ['10.0.0.0/8','192.168.0.0/16', '172.16.0.0/12'];</span> |
| 4510 | +<span class="x"> $settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED;</span> |
| 4511 | +<span class="x">}</span> |
| 4512 | +</code></pre></div> |
4481 | 4513 | <p>That is all. DONE! Danke!</p> |
4482 | 4514 | <h4 id="actual-first-run">Actual first run</h4> |
4483 | 4515 | <p>Time to spin our docker containers for the first time. We will start all without going into background so log/error checking is easier, especially if you have selected a Valid/Signed Cert choice and also want to be sure S3 keys/access are working.</p> |
@@ -4596,7 +4628,7 @@ <h2 id="license">License</h2> |
4596 | 4628 | <span class="md-icon" title="Last update"> |
4597 | 4629 | <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1zM12.5 7v5.2l4 2.4-1 1L11 13V7zM11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2z"></path></svg> |
4598 | 4630 | </span> |
4599 | | - <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date" title="September 12, 2025 18:39:06 UTC">September 12, 2025</span> |
| 4631 | + <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date" title="September 16, 2025 20:05:14 UTC">September 16, 2025</span> |
4600 | 4632 | </span> |
4601 | 4633 |
|
4602 | 4634 |
|
|
0 commit comments