Keep Moving Forward | X-Team Magazine

Where Is the base_url Option in Drupal 8?

Written by Deji Akala | Dec 13, 2017 5:00:00 AM

The settings.php file is the main configuration file for a Drupal site where a number of system variables, among other things, may be configured. In Drupal 7, there is an optional setting, $base_url, which specifies the absolute URL of the installation.

This is often used when generating site URLs, for example, when using Drush to log in as another user.

drush user-login

This will log you in as admin user (uid: 1). To log in as another user, you can add an option after the command — either a uid, user name, or email address for the user, e.g.

drush user-login user4@example.com

This command generates a one-time login for the user, opens the default browser and logs the user in. If this is not possible, such as when the $base_url is not set, then a link like this is displayed:

http://default/user/reset/1/1504565200/Pnf1LYYAGH7ajmReIxhKqzt_5xrVQrTXcS2NyRmoR9U/login

The "default" may then be replaced with the correct URL and copied into a browser's address bar.

If you would like to be redirected immediately after logging in, you can add it as a second option to the Drush command:

drush user-login user4@example.com node/add/article

This time, you must have $base_url set for it to work properly, as the generated URL will not work. You will still get the reset login with http://default, however.

Problem

There is a known security flaw that can be exploited if the webserver has been configured to forward any HTTP request to Drupal regardless of the domain name in the request. A malicious person can make an HTTP POST request that modifies the domain in the password reset link.

Solution

The solution is to use a different approach in Drupal 8.

Symfony has a mechanism for preventing HTTP Host header spoofing. In order to enable it, provide a whitelist in an array of regular expression patterns for the hosts to allow $settings['trusted_host_patterns'] in settings.php. For example:

$settings['trusted_host_patterns'] = array(
    '^www\.example\.com$',
    '^example\.com$',
);

Since this is a better solution to counter the danger of URL spoofing, $base_url was removed from settings.php in Drupal 8. If you need to rewrite the request URL, the .htaccess file is a good place to do it. For specifying where CSS/JS files are to be loaded from, you can set $settings['file_public_base_url'] in settings.php.

The drush user-login command will still have no knowledge of the domain. This can be provided as an option to Drush. Create sites/default/drushrc.php, if you do not have it already, and add the site domain to your options as follows:

$options['uri'] = 'http://www.example.com';

This restores the original behaviour of the drush user-login, a.k.a. drush uli when $base_url has been set.