By 大伟哥
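After a successful Drupal 8 installation, running the status report shows one error:
Trusted Host Settings: Not enabled
The trusted_host_patterns setting is not configured in settings.php. This can lead to security vulnerabilities. It is highly recommended that you configure this. See Protecting against HTTP HOST Header attacks for more information.
All right, for safety's sake, let's configure the trusted host setting. The settings.php for 大伟哥's site lives in the /var/www/html/daweibro.com/sites/default/ directory. Find the comment about the trusted host setting (Trusted host configuration) in settings.php: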
/**
 * Trusted host configuration.
 *
 * Drupal core can use the Symfony trusted host mechanism to prevent HTTP Host
 * header spoofing.
 *
 * To enable the trusted host mechanism, you enable your allowable hosts
 * in $settings['trusted_host_patterns']. This should be an array of regular
 * expression patterns, without delimiters, representing the hosts you would
 * like to allow.
 *
 * For example:
 * @code
 * $settings['trusted_host_patterns'] = array(
 *   '^www\.example\.com$',
 * );
 * @endcode
 * will allow the site to only run from www.example.com.
 *
 * If you are running multisite, or if you are running your site from
 * different domain names (eg, you don't redirect http://www.example.com to
 * http://example.com), you should specify all of the host patterns that are
 * allowed by your site.
 *
 * For example:
 * @code
 * $settings['trusted_host_patterns'] = array(
 *   '^example\.com$',
 *   '^.+\.example\.com$',
 *   '^example\.org$',
 *   '^.+\.example\.org$',
 * );
 * @endcode
 * will allow the site to run off of all variants of example.com and
 * example.org, with all subdomains included.
 */
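After reading this comment, the configuration is simple. Copy the simplest three-line example, adjust it for your site, and place it after this long comment block, making sure there are no comment markers in front of it: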
$settings['trusted_host_patterns'] = array(
  '^www\.daweibro\.com$',
);
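Once the change is saved, go back to the admin interface and run the status report again; the Trusted Host Settings row now shows a status of Enabled.
Because 大伟哥's blog redirects every URL to the www.daweibro.com form, this setting is sufficient. If you need to serve the site from the address without www, from other domain names, or as a multisite, modify the setting accordingly, following the second code example in the comment.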
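To see why the patterns in the comment are anchored with ^ and $ and escape their dots, the following added example (not part of the original post or of Drupal) dry-runs candidate patterns against Host values before they go into settings.php. It assumes the patterns are applied the way Symfony applies trusted host patterns, wrapped in {...} delimiters with the case-insensitive flag; host_is_trusted() is a hypothetical helper and every host name in the list is a constructed sample.

```php
<?php
// Added example: dry-run candidate trusted_host_patterns against Host values.
// host_is_trusted() is a hypothetical helper, not a Drupal or Symfony API.

/**
 * Returns TRUE if $host matches at least one pattern.
 * Assumption: each pattern is wrapped in {...} delimiters with the "i" flag,
 * mirroring how Symfony evaluates trusted host patterns.
 */
function host_is_trusted(string $host, array $patterns): bool {
  // Drop an optional :port suffix and normalise case before matching.
  $host = strtolower(preg_replace('/:\d+$/', '', trim($host)));
  foreach ($patterns as $pattern) {
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

// Candidate settings: the one from the post, plus two common mistakes.
$candidates = [
  'strict (from the post)' => ['^www\.daweibro\.com$'],
  'missing anchors'        => ['www\.daweibro\.com'],
  'unescaped dots'         => ['^www.daweibro.com$'],
];

// Constructed Host header values: legitimate, bare domain, and two lookalikes.
$hosts = [
  'www.daweibro.com',
  'WWW.DAWEIBRO.COM:443',
  'daweibro.com',
  'www.daweibro.com.attacker.example',
  'wwwXdaweibro.com',
];

foreach ($candidates as $label => $patterns) {
  echo "== $label ==\n";
  foreach ($hosts as $host) {
    $verdict = host_is_trusted($host, $patterns) ? 'trusted' : 'rejected';
    printf("  %-36s %s\n", $host, $verdict);
  }
}
```

Run it with the PHP command-line interpreter. Only the strict pattern rejects both lookalike hosts: the unanchored pattern accepts the host with the extra suffix, and the unescaped dots accept the host where a dot was replaced by another character.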
Comments
Is Drupal any good?
Yes, it is good: lots of modules, powerful features, and it still loads fast even with a lot of data…
Drupal is a great CMS