Commit 461c700

sync repo docs
1 parent ddf6f7a commit 461c700

1 file changed

+18
-0
lines changed

docs/archipelago-deployment-live-readme.md

Lines changed: 18 additions & 0 deletions
@@ -271,6 +271,24 @@ If you want to run NGINX first without any intercepting please do. You can alway
271271
```
272272
cp config_storage/nginxconfig/template/nginx.conf.template.default config_storage/nginxconfig/template/nginx.conf.template
273273
```
274+
#### IMPORTANT!! (IP Based embargoes and Anubis)
275+
276+
If you decided to run Anubis, you must be aware that because of how it acts as "middleware" in NGINX, the client IP, Port and other original Client Information are going to be sent via headers from NGINX to PHP on the backend. By default Drupal and Symfony will not trust those headers (nor its origin) and that will intefere with IP Based embargo Bypass Logic as defined on the Format Strawberry Field Module (if you set that up). If you don't act on this, still any IP based embargoed ADOs will be secure. Without making the changes recommended below, your site's embargoed objects will be *so secure* that literally nobody other than a logged in (via Drupal) user will be able to access them because the Client IP that PHP will see is the one of the NGINX Container (inside Docker).
277+
278+
Only IF you are running Anubis (don't do this if not - DANGER -), and to ensure trustable information from the Forwarded IP headers is decoded as trusted "Client IP" on PHP, please edit your `drupal\web\sites\default\settings.php` and ensure that you replace the following `if (PHP_SAPI !== 'cli')` statement with the following snippet (or if recently deployed just comment/uncomment what is there already).
279+
280+
```PHP
281+
if (PHP_SAPI !== 'cli') {
282+
$settings['reverse_proxy'] = TRUE;
283+
# $settings['reverse_proxy_addresses'] = [@\$_SERVER['REMOTE_ADDR']];
284+
# If Running Anubis via NGINX, as Documented in this release, comment (or keep commented out) the previous line
285+
# and (keep) uncomment The two following Lines. Add/Replace Any Private IP Ranges under which your Docker Containers Run.
286+
# The ranges set there are the most common ones found for Docker Networks, but could be different if you customized it.
287+
# You can also disable some of the trusted headers for extra security (most important one is the .
288+
$settings['reverse_proxy_addresses'] = ['10.0.0.0/8','192.168.0.0/16', '172.16.0.0/12'];
289+
$settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED;
290+
}
291+
```
274292

275293
That is all. DONE! Danke!
276294
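
Review bot: the `reverse_proxy_addresses` value on new line 288 trusts the whole of `10.0.0.0/8`, `192.168.0.0/16` and `172.16.0.0/12`, so any host in those private ranges that can reach PHP directly has its forwarded client-IP headers believed, and the IP-based embargo bypass this section is about then rests on a header that host controls. The text should tell the reader to replace the defaults with the actual subnet of the Docker network the NGINX container runs on, rather than "Add/Replace", and to confirm PHP is only reachable through NGINX. The comment on new line 287 is also cut off mid-sentence ("most important one is the ."), so the reader never learns which trusted header matters most; finish it or drop it. Smaller points: "intefere" on new line 276 should be "interfere", the settings path on new line 278 uses backslashes (`drupal\web\sites\default\settings.php`) while the `cp` command just above uses forward slashes, and the commented-out new line 283 carries a stray backslash in `@\$_SERVER`.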
