Category: Apache

Securing Drupal’s user login

Now that I managed to get SSL set up using a wildcard certificate (*.kkaefer.com) signed by CACert, securing the login to a Drupal site is amazingly easy:

# Force the user to use https.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule /(user|admin) https://%{HTTP_HOST}%{REQUEST_URI} [R]

# Enforce SSL for user login and administration.
<LocationMatch "/(user|admin)">
    SSLRequireSSL
</LocationMatch>

That’s pretty much all you need. It works transparently for the user: when a user requests a URL beginning with user or admin, Apache redirects to the exact same request with http replaced by https. Additionally, SSL is required for those locations (I added that to prevent logins without SSL in case mod_rewrite fails, becomes unavailable etc.). You can easily add new paths that require SSL by adding them to both regular expressions.

Sometimes users can log in using a URL that doesn’t begin with user. Therefore you should also install securelogin.module, which rewrites the actions of forms to use https.
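To see exactly which paths the two rules above cover, here is an added check (my own code, not from the original post) that replays the snippet’s two regular expressions, taken verbatim, over a constructed list of request paths and reports what a plain-HTTP request would get: a redirect from mod_rewrite, a 403 from SSLRequireSSL when mod_rewrite is unavailable (the fallback the text describes), or an unprotected response. The sample paths are my own; the /index.php case stands for a Drupal install without clean URLs, where the login path sits in the query string and neither pattern sees it, which is the situation securelogin.module is meant to cover.

```python
import re

# The two patterns exactly as they appear in the Apache snippet above
# (RewriteRule in server/vhost context and <LocationMatch>).
REWRITE_PATTERN = re.compile(r"/(user|admin)")
LOCATION_PATTERN = re.compile(r"/(user|admin)")

# Constructed sample URL paths for the check; not taken from the original post.
SAMPLE_PATHS = [
    "/user",
    "/user/login",
    "/admin/content",
    "/users",                  # unanchored pattern also matches a longer word
    "/files/user/avatar.png",  # ...and a nested "user" segment
    "/node/1",
    "/index.php",              # Drupal without clean URLs: ?q=user/login is in the query string
]

def redirected_to_https(path, https):
    """Mirror RewriteCond %{HTTPS} off + RewriteRule: the redirect fires only on
    plain HTTP and only when the pattern matches somewhere in the URL path.
    re.search is used because Apache's PCRE match is unanchored unless the
    pattern starts with ^."""
    return (not https) and REWRITE_PATTERN.search(path) is not None

def ssl_required(path):
    """Mirror <LocationMatch> + SSLRequireSSL: does the path demand TLS?"""
    return LOCATION_PATTERN.search(path) is not None

def coverage_report(paths=SAMPLE_PATHS, rewrite_enabled=True):
    """Outcome of a plain-HTTP request for each path:
    'redirect'  - mod_rewrite sends the client to https,
    'forbidden' - mod_rewrite is unavailable but SSLRequireSSL rejects (403),
    'open'      - neither rule applies, the request is served over http."""
    report = {}
    for path in paths:
        if rewrite_enabled and redirected_to_https(path, https=False):
            report[path] = "redirect"
        elif ssl_required(path):
            report[path] = "forbidden"
        else:
            report[path] = "open"
    return report

if __name__ == "__main__":
    for mode in (True, False):
        print(f"mod_rewrite {'enabled' if mode else 'disabled'}:")
        for path, outcome in coverage_report(rewrite_enabled=mode).items():
            print(f"  {path:26s} {outcome}")
```

Two things the report makes visible: the unanchored pattern also forces TLS on paths like /users or /files/user/avatar.png, which is harmless, and a path whose only hint of "user" is in the query string is not caught by either rule. Note also that the snippet belongs in server or virtual-host configuration; in a per-directory .htaccess, mod_rewrite strips the directory prefix before matching, so a pattern starting with a slash would not match there.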

Installing GD2 on the stock Leopard Apache

Unfortunately, Leopard’s PHP installation does not ship with a GD module. If you use this PHP version, Drupal will report that it can’t find a GD library (and no image processing will be performed either). There is a tutorial on the web that explains step by step how to compile GD2 for the stock PHP 5.2.4 that comes with Leopard; however, PHP segfaults after the installation (at least for me).

Fortunately, there is an alternative: Entropy.ch’s PHP 5.2.5 beta package comes with all kinds of modules prepackaged. The folks over at Moodle created a very good step-by-step instruction for setting that up.

The drawback: On my (32-bit) machine, PHP would refuse to log in (connecting worked fine!) to my (unaltered) database server. At the same time, I was able to connect to it using the mysql CLI binary with the exact same credentials. It turns out that the MySQL Client API in Entropy’s PHP package is somewhat broken on 32-bit Intel and PPC (but works fine on 64-bit Intel!). After some debugging (checking sockets, reviewing debug logs, …) I stumbled upon a forum post which provides a quick fix for this issue: Just copy over the stock Leopard MySQL client libs to the new PHP installation and you’re done.