forked from backdrop/backdrop
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathsettings.php
519 lines (487 loc) · 21.6 KB
/
settings.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
<?php
/**
* @file
* Main Backdrop CMS configuration file.
*/
/**
* Database configuration:
*
* Most sites can configure their database by entering the connection string
* below. If using master/slave databases or multiple connections, see the
* advanced database documentation at
* https://api.backdropcms.org/database-configuration
*/
$database = 'mysql://user:pass@localhost/database_name';
$database_prefix = '';
/**
* Site configuration files location.
*
* By default these directories are stored within the files directory with a
* hashed path. For the best security, these directories should be in a location
* that is not publicly accessible through a web browser.
*
* Example using directories one parent level up:
* @code
* $config_directories['active'] = '../config/active';
* $config_directories['staging'] = '../config/staging';
* @endcode
*
* Example using absolute paths:
* @code
* $config_directories['active'] = '/home/myusername/config/active';
* $config_directories['staging'] = '/home/myusername/config/staging';
* @endcode
*/
$config_directories['active'] = 'files/config_' . md5($database) . '/active';
$config_directories['staging'] = 'files/config_' . md5($database) . '/staging';
/**
* Skip the configuration staging directory cleanup
*
* When the configuration files are in version control, it may be preferable to
* not empty the staging directory after each sync.
*/
// $config['system.core']['config_sync_clear_staging'] = 0;
/**
* Access control for update.php script.
*
* If you are updating your Backdrop installation using the update.php script
* but are not logged in using either an account with the "Administer software
* updates" permission or the site maintenance account (the account that was
* created during installation), you will need to modify the access check
* statement below. Change the FALSE to a TRUE to disable the access check.
* After finishing the upgrade, be sure to open this file again and change the
* TRUE back to a FALSE!
*/
$settings['update_free_access'] = FALSE;
/**
* Salt for one-time login links and cancel links, form tokens, etc.
*
* This variable will be set to a random value by the installer. All one-time
* login links will be invalidated if the value is changed. Note that if your
* site is deployed on a cluster of web servers, you must ensure that this
* variable has the same value on each server. If this variable is empty, a hash
* of the serialized database credentials will be used as a fallback salt.
*
* For enhanced security, you may set this variable to a value using the
* contents of a file outside your docroot that is never saved together
* with any backups of your Backdrop files and database.
*
* Example:
* @code
* $settings['hash_salt'] = file_get_contents('/home/example/salt.txt');
* @endcode
*
*/
$settings['hash_salt'] = '';
/**
* Trusted host configuration (optional but highly recommended).
*
* Since the HTTP Host header can be set by the user making the request, it
* is possible for malicious users to override it and create an attack vector.
* To protect against these sort of attacks, Backdrop supports checking a list
* of trusted hosts.
*
* To enable the trusted host protection, specify the allowable hosts below.
* This should be an array of regular expression patterns representing the hosts
* you would like to allow.
*
* For example, this will allow the site to only run from www.example.com:
* @code
* $settings['trusted_host_patterns'] = array(
* '^www\.example\.com$',
* );
* @endcode
*
* If you are running a site on multiple domain names, you should specify all of
* the host patterns that are allowed by your site. For example, this will allow
* the site to run off of all variants of example.com and example.org, with all
* subdomains included:
* @code
* $settings['trusted_host_patterns'] = array(
* '^example\.com$',
* '^.+\.example\.com$',
* '^example\.org',
* '^.+\.example\.org',
* );
* @endcode
*
* If you do not need this functionality (such as in development environments or
* if protection is at another layer), you can suppress the status report
* warning by setting this value to FALSE:
* @code
* $settings['trusted_host_patterns'] = FALSE;
* @endcode
*
* For more information about trusted host patterns, see the documentation at
* https://api.backdropcms.org/documentation/trusted-host-settings
*
* @see backdrop_valid_http_host()
* @see backdrop_check_trusted_hosts()
* @see system_requirements()
*/
// $settings['trusted_host_patterns'] = array('^www\.example\.com$');
/**
* Base URL (optional).
*
* If Backdrop is generating incorrect URLs on your site, which could be in HTML
* headers (links to CSS and JS files) or visible links on pages (such as in
* menus), uncomment the Base URL statement below and fill in the absolute URL
* to your Backdrop installation.
*
* You might also want to force users to use a given domain.
* See the .htaccess file for more information.
*
* Examples:
* $base_url = 'http://www.example.com';
* $base_url = 'http://www.example.com:8888';
* $base_url = 'http://www.example.com/backdrop';
* $base_url = 'https://www.example.com:8888/backdrop';
*
* It is not allowed to have a trailing slash; Backdrop will add it for you.
*/
// $base_url = 'http://www.example.com'; // NO trailing slash!
/**
* PHP settings:
*
* To see what PHP settings are possible, including whether they can be set at
* runtime (by using ini_set()), read the PHP documentation:
* http://www.php.net/manual/ini.list.php
* See backdrop_environment_initialize() in includes/bootstrap.inc for required
* runtime settings and the .htaccess file for non-runtime settings. Settings
* defined there should not be duplicated here so as to avoid conflict issues.
*/
/**
* Some distributions of Linux (most notably Debian) ship their PHP
* installations with garbage collection (gc) disabled. Since Backdrop depends
* on PHP's garbage collection for clearing sessions, ensure that garbage
* collection occurs by using the most common settings.
*/
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);
/**
* Set session lifetime (in seconds), i.e. the time from the user's last visit
* to the active session may be deleted by the session garbage collector. When
* a session is deleted, authenticated users are logged out, and the contents
* of the user's $_SESSION variable is discarded.
*/
ini_set('session.gc_maxlifetime', 200000);
/**
* Set session cookie lifetime (in seconds), i.e. the time from the session is
* created to the cookie expires, i.e. when the browser is expected to discard
* the cookie. The value 0 means "until the browser is closed".
*/
ini_set('session.cookie_lifetime', 2000000);
/**
* If you encounter a situation where users post a large amount of text, and
* the result is stripped out upon viewing but can still be edited, Backdrop's
* output filter may not have sufficient memory to process it. If you
* experience this issue, you may wish to uncomment the following two lines
* and increase the limits of these variables. For more information, see
* http://php.net/manual/en/pcre.configuration.php.
*/
// ini_set('pcre.backtrack_limit', 200000);
// ini_set('pcre.recursion_limit', 200000);
/**
* Backdrop automatically generates a unique session cookie name for each site
* based on its full domain name. If you have multiple domains pointing at the
* same Backdrop site, you can either redirect them all to a single domain (see
* comment in .htaccess), or uncomment the line below and specify their shared
* base domain. Doing so assures that users remain logged in as they cross
* between your various domains. Make sure to always start the $cookie_domain
* with a leading dot, as per RFC 2109.
*/
// $cookie_domain = '.example.com';
/**
* A custom theme can be set for the offline page. This applies when the site
* is explicitly set to maintenance mode through the administration page or when
* the database is inactive due to an error. It can be set through the
* 'maintenance_theme' key. The template file should also be copied into the
* theme. It is located inside
* 'core/modules/system/templates/maintenance-page.tpl.php'.
* Note: This setting does not apply to installation and update pages.
*/
// $settings['maintenance_theme'] = 'bartik';
/**
* Reverse Proxy Configuration:
*
* Reverse proxy servers are often used to enhance the performance
* of heavily visited sites and may also provide other site caching,
* security, or encryption benefits. In an environment where Backdrop
* is behind a reverse proxy, the real IP address of the client should
* be determined such that the correct client IP address is available
* to Backdrop's logging and access management systems. In
* the most simple scenario, the proxy server will add an
* X-Forwarded-For header to the request that contains the client IP
* address. However, HTTP headers are vulnerable to spoofing, where a
* malicious client could bypass restrictions by setting the
* X-Forwarded-For header directly. Therefore, Backdrop's proxy
* configuration requires the IP addresses of all remote proxies to be
* specified in $settings['reverse_proxy_addresses'] to work correctly.
*
* Enable this setting to get Backdrop to determine the client IP from
* the X-Forwarded-For header (or $settings['reverse_proxy_header'] if set).
* If you are unsure about this setting, do not have a reverse proxy,
* or Backdrop operates in a shared hosting environment, this setting
* should remain commented out.
*
* In order for this setting to be used you must specify every possible
* reverse proxy IP address in $settings['reverse_proxy_addresses'].
* If a complete list of reverse proxies is not available in your
* environment (for example, if you use a CDN) you may set the
* $_SERVER['REMOTE_ADDR'] variable directly in settings.php.
* Be aware, however, that it is likely that this would allow IP
* address spoofing unless more advanced precautions are taken.
*/
// $settings['reverse_proxy'] = TRUE;
/**
* Specify every reverse proxy IP address in your environment.
* This setting is required if $settings['reverse_proxy'] is TRUE.
*/
// $settings['reverse_proxy_addresses'] = array('a.b.c.d', ...);
/**
* Set this value if your proxy server sends the client IP in a header
* other than X-Forwarded-For.
*/
// $settings['reverse_proxy_header'] = 'HTTP_X_CLUSTER_CLIENT_IP';
/**
* Page caching:
*
* By default, Backdrop sends a "Vary: Cookie" HTTP header for anonymous page
* views. This tells a HTTP proxy that it may return a page from its local
* cache without contacting the web server, if the user sends the same Cookie
* header as the user who originally requested the cached page. Without "Vary:
* Cookie", authenticated users would also be served the anonymous page from
* the cache. If the site has mostly anonymous users except a few known
* editors/administrators, the Vary header can be omitted. This allows for
* better caching in HTTP proxies (including reverse proxies), i.e. even if
* clients send different cookies, they still get content served from the cache.
* However, authenticated users should access the site directly (i.e. not use an
* HTTP proxy, and bypass the reverse proxy if one is used) in order to avoid
* getting cached pages from the proxy.
*/
// $settings['omit_vary_cookie'] = TRUE;
/**
* Expiration of cache_form entries:
*
* Backdrop's Form API stores details of forms in cache_form and these entries
* are kept for at least 6 hours by default. Expired entries are cleared by
* cron. Busy sites can encounter problems with the cache_form table becoming
* very large. It's possible to mitigate this by setting a shorter expiration
* for cached forms. In some cases it may be desirable to set a longer cache
* expiration. For example to prolong cache_form entries for Ajax forms in
* cached HTML.
*
* @see form_set_cache()
* @see system_cron()
* @see ajax_get_form()
*/
// $settings['form_cache_expiration'] = 21600;
/**
* String overrides:
*
* To override specific strings on your site with or without enabling locale
* module, add an entry to this list. This functionality allows you to change
* a small number of your site's default English language interface strings.
*
* Uncomment the lines below to enable.
*/
/*
$settings['locale_custom_strings_en'][''] = array(
'forum' => 'Discussion board',
'@count min' => '@count minutes',
);
*/
/**
* Fast 404 pages:
*
* Backdrop can generate fully themed 404 pages. However, some of these
* responses are for images or other resource files that are not displayed to
* the user. This can waste bandwidth, and also generate server load.
*
* The options below return a simple, fast 404 page for URLs matching a
* specific pattern:
* - 404_fast_paths_exclude: A regular expression to match paths to exclude,
* such as images generated by image styles, or dynamically-resized images.
* The default pattern provided below also excludes the private file system.
* If you need to add more paths, you can add '|path' to the expression.
* - 404_fast_paths: A regular expression to match paths that should return a
* simple 404 page, rather than the fully themed 404 page. If you don't have
* any aliases ending in htm or html you can add '|s?html?' to the expression.
* - 404_fast_html: The html to return for simple 404 pages.
*
* Comment out this code if you would like to disable this functionality.
*/
$settings['404_fast_paths_exclude'] = '/\/(?:styles)|(?:system\/files)\//';
$settings['404_fast_paths'] = '/\.(?:txt|png|gif|jpe?g|css|js|ico|swf|flv|cgi|bat|pl|dll|exe|asp)$/i';
$settings['404_fast_html'] = '<!DOCTYPE html><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL "@path" was not found on this server.</p></body></html>';
/**
* By default, fast 404s are returned as part of the normal page request
* process, which will properly serve valid pages that happen to match and will
* also log actual 404s to the Backdrop log. Alternatively you can choose to
* return a 404 now by uncommenting the following line. This will reduce server
* load, but will cause even valid pages that happen to match the pattern to
* return 404s, rather than the actual page. It will also prevent the Backdrop
* system log entry. Ensure you understand the effects of this before enabling.
*
* To enable this functionality, uncomment the line below.
*/
// fast_404();
/**
* External access proxy settings:
*
* If your site must access the Internet via a web proxy then you can enter
* the proxy settings here. Currently only basic authentication is supported
* by using the username and password variables. The proxy_user_agent variable
* can be set to NULL for proxies that require no User-Agent header or to a
* non-empty string for proxies that limit requests to a specific agent. The
* proxy_exceptions variable is an array of host names to be accessed directly,
* not via proxy.
*/
// $settings['proxy_server'] = '';
// $settings['proxy_port'] = 8080;
// $settings['proxy_username'] = '';
// $settings['proxy_password'] = '';
// $settings['proxy_user_agent'] = '';
// $settings['proxy_exceptions'] = array('127.0.0.1', 'localhost');
/**
* Authorized file system operations:
*
* The Update Manager module included with Backdrop provides a mechanism for
* site administrators to securely install missing updates for the site
* directly through the web user interface. On securely-configured servers,
* the Update manager will require the administrator to provide SSH or FTP
* credentials before allowing the installation to proceed; this allows the
* site to update the new files as the user who owns all the Backdrop files,
* instead of as the user the webserver is running as. On servers where the
* webserver user is itself the owner of the Backdrop files, the administrator
* will not be prompted for SSH or FTP credentials (note that these server
* setups are common on shared hosting, but are inherently insecure).
*
* Some sites might wish to disable the above functionality, and only update
* the code directly via SSH or FTP themselves. This setting completely
* disables all functionality related to these authorized file operations.
*
* Uncomment the line below to disable authorize operations.
*/
// $settings['allow_authorize_operations'] = FALSE;
/**
* Mixed-mode sessions:
*
* Set to TRUE to create both secure and insecure sessions when using HTTPS.
* Defaults to FALSE.
*/
// $settings['https'] = TRUE;
/**
* Drupal backwards compatibility.
*
* By default, Backdrop 1.0 includes a compatibility layer to keep it compatible
* with Drupal 7 APIs. Backdrop core itself does not use this compatibility
* layer however. You may disable it if all the modules you're running were
* built for Backdrop.
*/
$settings['backdrop_drupal_compatibility'] = TRUE;
/**
* Suppress warnings of multiple versions of the same module being found.
*
* When scanning for module files, if Backdrop encounters multiple instances of
* the same module (for example, a version of a module in the /modules directory
* that has the same name as a module in /core), then only the last module will
* be loaded. In such cases, Backdrop will show a warning on the status report
* page.
*
* Having multiple versions of the same module may be intentional in certain use
* cases though, such as in some multisite configurations, when there is need to
* override a core or contrib module with a different version in the /sites
* folder. In such cases, you may want to disable the status report warnings.
*
* Uncomment the line below to disable the warnings.
*/
// $settings['disable_multiple_modules_warnings'] = TRUE;
/**
* Configuration overrides.
*
* These settings allow you to specify values for anything stored in config
* within the files stored in the $config_directories variable above.
* This can be useful to store per-environment values or sensitive data that
* is undesirable to store in the config storage.
*
* There are particular configuration values that are risky to override. For
* example overriding field storage will create errors because associated
* database changes are necessary. Modifying values within complicated objects
* such as views, content types, vocabularies, etc. may not work as expected.
* Use any available API functions for complex systems instead.
*/
//$config['system.core']['site_name'] = 'My Backdrop site';
//$config['system.core']['file_temporary_path'] = '/tmp';
/**
* Add Permissions-Policy header to disable Google FLoC.
*
* By default, Backdrop sends the 'Permissions-Policy: interest-cohort=()'
* header, to disable Google's Federated Learning of Cohorts (FLoC) feature,
* which was introduced in Chrome v89. For more information about FLoC, see:
* https://en.wikipedia.org/wiki/Federated_Learning_of_Cohorts
*
* If you don't wish to disable FLoC in Chrome, you can uncomment the following
* setting, and make sure its value is set to "FALSE".
*/
//$config['system.core']['block_interest_cohort'] = FALSE;
/**
* File schemes whose paths should not be normalized.
*
* Normally, Backdrop normalizes '/./' and '/../' segments in file URIs in order
* to prevent unintended file access. For example, 'private://css/../image.png'
* is normalized to 'private://image.png' before checking access to the file.
*
* On Windows, Backdrop also replaces '\' with '/' in file URIs.
*
* If file URIs with one or more scheme should not be normalized like this, then
* list the schemes here. For example, if 'example://path/./filename.png' should
* not be normalized to 'example://path/filename.png', then add 'example' to
* this array. In this case, make sure that the module providing the 'example'
* scheme does not allow unintended file access when using '/../' to move up the
* directory tree.
*/
//$config['system.core']['file_not_normalized_schemes'] = array('example');
/**
* Additional public file schemes.
*
* Public schemes are URI schemes that allow download access to all users for
* all files within that scheme.
*
* The "public" scheme is always public, and the "private" scheme is always
* private, but other schemes, such as "https", "s3", "example", or others,
* can be either public or private depending on the site. By default, they're
* private, and access to individual files is controlled via
* hook_file_download().
*
* Typically, if a scheme should be public, a module makes it public by
* implementing hook_file_download(), and granting access to all users for all
* files. This could be either the same module that provides the stream wrapper
* for the scheme, or a different module that decides to make the scheme
* public. However, in cases where a site needs to make a scheme public, but
* is unable to add code in a module to do so, the scheme may be added to this
* variable, the result of which is that system_file_download() grants public
* access to all files within that scheme.
*/
//$config['system.core']['file_additional_public_schemes'] = array('example');
/**
* Include a local settings file, if available.
*
* To make local development easier, you can add a settings.local.php file that
* contains settings specific to your local installation, or to any secondary
* environment (staging, development, etc).
*
* Typically used to specify a different database connection information, to
* disable caching, JavaScript/CSS compression, re-routing of outgoing emails,
* Google Analytics, and other things that should not happen on development and
* testing sites.
*
* This local settings file can be ignored in your Git repository, so that any
* updates to settings.php can be pulled in without overwriting your local
* changes.
*
* Keep this code block at the end of this file to take full effect.
*/
if (file_exists(__DIR__ . '/settings.local.php')) {
include __DIR__ . '/settings.local.php';
}