Protecting development servers from search engines

When you have development servers that clients need to access but that you don't want search engines to index, one solution is to protect the server with HTTP authentication implemented in PHP. This post will explain how to do just this on an Aegir hosting solution. PHP provides a simple way to create HTTP authentication by sending "Authentication Required" headers to the browser, which means that you can set the credentials for each site in your settings.php files.

Update .htaccess

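First you need to add this to your platform's .htaccess file. The rule copies the Authorization request header into the HTTP_AUTHORIZATION environment variable, so that PHP can read it and the authentication process works even when PHP runs as CGI.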

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

Aegir global settings

Every site in an Aegir stack includes a global settings file, located at ~/config/includes/global.inc. Add the following function to this file to make it available to all sites across platforms on the server.

<?php # global settings.php

/**
 * Password protect the site with a single function.
 */
function secure_the_site_please($username = 'test', $password = 'test', $message = "This site is protected. Username and password is 'test'") {
  // Password protect this site but ignore drush and other command-line
  // environments.
  if (php_sapi_name() != 'cli') {
    // PHP-cgi fix: PHP_AUTH_USER / PHP_AUTH_PW are not populated there, so
    // decode the Authorization header passed through by the .htaccess rule.
    // Strict comparison (===) avoids PHP's numeric-string type juggling.
    if (!(isset($_SERVER['PHP_AUTH_USER']) && ($_SERVER['PHP_AUTH_USER'] === $username && $_SERVER['PHP_AUTH_PW'] === $password))) {
      $a = isset($_SERVER["HTTP_AUTHORIZATION"]) ? $_SERVER["HTTP_AUTHORIZATION"] : '';
      // Skip the leading "Basic " (6 characters) and decode the credentials.
      $a = base64_decode(substr($a, 6));
      if ((strlen($a) == 0) || (strcasecmp($a, ":") == 0)) {
        header('WWW-Authenticate: Basic realm="' . $message . '"');
        header('HTTP/1.0 401 Unauthorized');
      }
      else {
        // Split on the first colon only (a password may contain ':') and keep
        // the submitted values in their own variables. Assigning them to
        // $password would overwrite the expected password and make the check
        // below succeed for any submitted password.
        list($given_name, $given_password) = array_pad(explode(':', $a, 2), 2, '');
        $_SERVER['PHP_AUTH_USER'] = $given_name;
        $_SERVER['PHP_AUTH_PW'] = $given_password;
      }
      if (!(isset($_SERVER['PHP_AUTH_USER']) && ($_SERVER['PHP_AUTH_USER'] === $username && $_SERVER['PHP_AUTH_PW'] === $password))) {
        header('WWW-Authenticate: Basic realm="' . $message . '"');
        header('HTTP/1.0 401 Unauthorized');
        // Fallback message when the user presses cancel / escape.
        echo 'Access denied';
        exit;
      }
    }
  }
}
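
The header-decoding step of the PHP-CGI fallback above, as a stand-alone added example (not code from the original post). The function names parse_basic_authorization() and credentials_match() are hypothetical, the sample headers are constructed, and hash_equals() assumes PHP 5.6 or later.

```php
<?php
/**
 * Returns array($user, $pass), or NULL when the header is not usable.
 */
function parse_basic_authorization($header) {
  // Only accept the Basic scheme; the scheme name is case-insensitive.
  if (!preg_match('/^Basic\s+(\S+)\s*$/i', (string) $header, $m)) {
    return NULL;
  }
  // Strict mode rejects characters outside the base64 alphabet.
  $decoded = base64_decode($m[1], TRUE);
  if ($decoded === FALSE || strpos($decoded, ':') === FALSE) {
    return NULL;
  }
  // Split on the first colon only: the password may contain colons.
  return explode(':', $decoded, 2);
}

/**
 * Compares submitted credentials with the expected pair.
 */
function credentials_match($given, $username, $password) {
  if ($given === NULL) {
    return FALSE;
  }
  // hash_equals() compares in constant time; both comparisons are always
  // evaluated before the results are combined.
  $user_ok = hash_equals($username, $given[0]);
  $pass_ok = hash_equals($password, $given[1]);
  return $user_ok && $pass_ok;
}

// Constructed sample headers; the expected credentials are test / p:ss.
$samples = array(
  'no header'         => '',
  'other scheme'      => 'Bearer abc123',
  'not base64'        => 'Basic %%%%',
  'no colon'          => 'Basic ' . base64_encode('test'),
  'wrong password'    => 'Basic ' . base64_encode('test:guess'),
  'colon in password' => 'Basic ' . base64_encode('test:p:ss'),
);
foreach ($samples as $label => $header) {
  $ok = credentials_match(parse_basic_authorization($header), 'test', 'p:ss');
  printf("%-18s %s\n", $label, $ok ? 'allow' : '401');
}
```

Run it from the command line with php; only the last sample is allowed, every other header ends in a 401.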

Enable for site(s)

If you want to protect every site on the server with the same password, simply add a call to the function above in ~/config/includes/global.inc, the same file that defines the function. If not, you can call the function in the local settings file for each site and give a different username/password or message for the site. The files are located using the pattern below.

platforms/<name>/sites/<sitename>/local.settings.php

Add this to the settings file.

<?php
// You can pass parameters, secure_the_site_please('username', 'password', 'message'),
// or call it without parameters to use the default values.
secure_the_site_please();

Now the sites should ask for a username and password before allowing access to the site(s).

Tags

Drupal aegir PHP apache2
