I was recently working on a Drupal project that had some internal DNS managed via hosts file. Tell me about it. Having no publicly accessible DNS or IP creates a challenge when your SaaS based Jenkins runs the tests.

The solution for this is a little custom work in your FeatureContext constructor and a BeforeScenario method.

And a little glue in the behat.yml to pass the custom hostHeader variable to the FeatureContext. Make sure that you're also setting the IP of the server for base_url and you're all set.

You can use this same pattern to pass around other variables from behat.yml to your FeatureContext.

Update: A commenter suggests using InsuFixer which simplifies this process greatly.

A few weeks ago Google Play started throwing an error the error "Insufficient storage available." I looked at my phone storage and saw ~4gb available. Annoyed, I googled around for fixes. Most forums suggest clearing caches, repairing permissions, or deleting random things out of /data/app. Of course, none of which fixed my issues.

I decided to poke around with adb shell to see what was going on and discovered a great tool that ships with the SDK called monitor.

Running monitor gives a live view (LogCat) of whatever is going on while the error condition is happening.

I assume you don't have android sdk on OS X so here are the steps, you can watch them too.

• brew install android-sdk
• android
• Select and install the defaults
• Connect your phone to your computer with a USB cable
• adb shell and authorize your computer to connect on your phone
• exit
• monitor
• Once the monitor app has started, visit the play store on your phone and try to install the misbehaving app
• Keep an eye on the LogCat for error conditions or strange output
• Resolve the errors

For me, it turned out there was a permission error being thrown in /data/app-lib. I resolved it and my app installed successfully.

It comes as no shock to most of you, but you get a lot done when you're not distracted. And these days its getting harder and harder not to fall victim to distraction.

More and more it seems that our devices distract by default. Chime, hey a tweet. Beep, oh an email. Ring ring, a phone call.

Here are some tips for a distraction free day:

Disable notifications on your phone.

I use a tasker task on my phone called dark mode, which disables all notifications from email/twitter/etc. It also kills my ringer for all but a few select individuals. I also have a weekend task that disables work related notifications on the weekend.

Disable notification center.

Just found out about this one, but if you open up notification center and scroll down, you can put it in do not disturb mode.

Open a new Chrome window.

With two Gmail accounts, one work and one personal, it's hard to ignore the 1 on the favicon begging to for attention. Minimise your email.

Close/minimise your chat apps.

Go away and minimise it. The memes you'll miss aren't that important anyways.

Have a distraction free playlist.

Find some music you can work to without having to moderate what is playing.

I'm sure I have more... what do you do?

In this article, I’m going to show you a few methods to separate your public site from the vulnerable parts of your administration area. What you need is an effective way to keep your site locked and secure, and protected from attacks, while still leaving your site editable for trusted users.

Methods for securing the admin section of your site

One of the things that is often overlooked when setting up and securing a Drupal site is the administrative sections. Sure, Drupal protects these paths with access controls but you can do a lot more to protect your site, especially if your site doesn’t require public login.

If the public has no business accessing /user, they shouldn’t be able to. This path is an attack vector for denial of service (DDoS), brute force password guessing, and it drastically increases attack surface of the site.

Public/administrative separation has the additional benefit of protecting against some types of XSS and CSRF.

A typical server setup for Drupal might look something like this.

This diagram shows how public traffic and your administrators/content editors access the site from the same paths and web servers. For example, your public site is http://www.example.com and your administrators/content editors login to site via http://www.example.com/user

Don’t get me wrong, this is a tried and true method and serves the majority of the use cases out there. But we can do better. Your content administrators/content editors don’t need to be logging into the public site.

This diagram shows the administration edit server locked behind a secure DMZ firewall. I like this setup since now you have separated your public side and your administrative side. But how do you go about it?

Set up rewrite rules for .htaccess

On your public web servers run an .htaccess rule similar to the rule below. (If you are using Drupal 6, you should drop the dash.) There are a couple of caveats to be aware of, so you may need to tweak the rule to remove cron.php or xmlrpc.php.

RewriteRule ^(scripts|profile|includes|cron\.php|install\.php|update\.php|xmlrpc\.php|filter($|/)|user($|/)|admin($|/)) - [F,L]

This rewrite rule will trigger a 403 for a request to some of the sensitive areas of your Drupal site. For instance, http://www.example.com/user will now return 404. On the administrative server, you can just drop the rewrite rule or add a RewriteCond for a specific hostname or IP address. Check this article out if you are interested in learning more about .htaccess or mod_rewrite.

RewriteCond %{REMOTE_ADDR} !^123\.45\.67\.8[0-9]$
RewriteRule ^(scripts|profile|includes|cron\.php|install\.php|update\.php|xmlrpc\.php|filter($|/)|user($|/)|admin($|/)) - [F,L]

or maybe even using a specific hostname to access the administrative side:

RewriteCond %{HTTP_HOST} !^admin.example.com # or some other obfuscated path
RewriteRule ^(scripts|profile|includes|cron\.php|install\.php|update\.php|xmlrpc\.php|filter($|/)|user($|/)|admin($|/)) - [F,L]

In fact, with a RewriteCond you don’t need to have a completely separate administrative server.

Now you have public/administrative separation without the extra cost and overhead of maintaining another web server.

It’s a small .htaccess configuration, but it drastically increases the security of your site.

Attend our DrupalCon course on Drupal Security

Speaking of security, if you’re going to DrupalCon Portland and want to learn more about Drupal security (and meet me, Cash, and Ben) sign up for our pre-conference training.

Originally published on dev.acquia.com

For those of you who may not have heard, the Drupal Association is electing two new board members. You can read more about that at the Election 2013 page.

I participated in the first meet the candidates session. If you didn't have the chance to listen in my answers are available in text format and are posted below.

TL;DR - I want to be part of the DA Board because I want to help shape the future and growth of the community. Having worked with the DA in the past, through my organizational experience with CapitalCamp, I bring a different perspective that will help the overall governance of the DA. So please, vote for me!

(06:09:32) stevepurkiss: If you could wave a magic wand and change one thing about the Drupal Association, what would it be and why? Drupal Camps and Cons generate a wealth of information that is spread out out over the various sites. Those who are new to Drupal are definitely not aware of all this great session material. The community needs to have a 'one stop shop' for all this great information. If I can point a new community member to a website with hundreds of videos about theming, I have drastically increased their ramp up speed. This is important for addressing the knowledge gap and growing the community as a whole.

(06:20:11) Senpai: QUESTION: How much money should the DA spend each year on furthering Drupal? The Drupal Association exists to serve the Drupal community and every reasonable dollar should be spent on serving this goal. Budgeting and saving for the future are important aspects of this if the Drupal Association wants to continue going great work. My aim will be to keep administrative overhead low so that every dollar coming in works for the Drupal Community. Followup Q: How much of that money should come from the users of Drupal vs sponsorships or advertising? Funding should come from everywhere. A diversified income stream is a happy income stream. As long as the Drupal Association stays creative with fundraising the money should be accepted from whomever to keep the DA working for the community.

(06:29:23) KatteKrab: QUESTION: How would you help make the Drupal Association reach out to parts of the world that aren't yet active in our community? How can we be more international? Drupal is a very international community, but how to do grow participation from under-represented areas. I had first heard about Drupal at school. My local Linux user group had been trying to get a website off the ground and we had been investigating the various open source CMS offerings. I think this is our grassroots base that we need to be engaging at a higher rate.

(06:35:32) dstol: QUESTION: What is your biggest annoyance with Drupal.Org currently? [the website] I asked this question. In project context is lacking for maintainers. When I am making a commit I need to have three or four tabs open to be able to provide information in the commit message and then in the issue itself. I think there really needs to be a Drupal.Org power users mode.

(06:35:39) steveoliver: QUESTION: What role do you see for the DA in developing and/or certifying formalized Drupal training/testing? While I think certification and trainings are a great way to fundraise, I do not think this is a good role for the Drupal Association. There are many Drupal Association member organizations who offer formalized trainings. It would not be appropriate for the DA to get started as a competitor to member organizations.

(06:43:41) beeradb_: QUESTION: What community leadership have you show that you think positions you well to be a community representative on the board? I am: * active Drupal evangelist * popular module maintainer * local Washington, DC community group organizer * organizer of CapitalCamp * occasional speaker at Drupal Camps * hard working * committed to improving and growing the Drupal community

(06:44:30) j_matthew_s: My question is related to Governance VS Operations at the DA. Where are the lines between what the Board should do vs Staff? For example - who should be directing mission vs strategic planning vs program management? The Board sets the high level tone; values, mission, goals of the Drupal Association. Everything else should fall to the operational full time staff. However, as a Board member, I am still invested in the organization and willing to get my hands dirty, if I am asked. After all, this is a do-ocracy.

(06:45:07) joebachana: What is the greatest threat to the Drupal project today and what should the DA's role be in ameliorating/resolving that threat? Drupal's biggest threat is not growing enough talent to keep up with the demands of the community. Who will be doing core development when they start burning out? Who will be our future community leaders? More strategically, if companies can't hire talented Drupal developers our growth as a community will start to shrink, as companies start to use other platforms.

(06:46:01) starl3n: Q: how do candidates define the Drupal 'community'? And, developers Vs users... Everyone who uses Drupal. From project managers, users, developers. Anyone who interacts with Drupal in some minuscule way is a community member. Drupal 8 will do a great job of expanding the community to include more traditional PHP developers.

(06:48:42) beeradb_: QUESTION: If you weren't running, which of the other candidates do you think would be great for the board? All the candidates are great and in talking with them more and more it makes my decisions even harder. I know that they all have some great ideas to help grow and improve the community. I am excited for the future of the Drupal Association.

Even if you don't vote for me, please do vote, it is important.

Last weekend I gave my session at the second annual Capital Camp, as you may have gathered from my last blog post. It was really well attended, despite the attendance being down due to Metro track work. The session went really well, there were a lot of great questions and follow-ups. I'm still answering emails, actually.

I think this goes to show that not a lot of people are well-versed in what to do when faced with a DDoS. I hope that other people pick up the torch here and I'd be glad to help anyone that is interested. I also plan on advance-ifying the session for PNW or BadCamp.

Slides for OMG DDoS - Drupal lessons learned the hard way
Video for OMG DDoS - Drupal lessons learned the hard way

My session on DDoS was accepted to Capital Camp! (Full disclosure: I'm an organizer of Capital Camp. I don't think my co-organizers had it in them to deny my session.)

I'm pretty excited to give this talk, as there doesn't seem to be a lot of info about Drupal and DDoS. You can find my session in the Grand Ballroom, Friday, July 27, 12:00 - 1:00 PM. It's setup as a beginner session, so all are welcome to attend. See you there.

Also, have you registered for Capital Camp yet?

You never know where and when you might land your dream job working at Twitter, Google, GitHub, the White House, etc.

* vs ?
Solved a little problem I'd had on my Alfred module.

Rather then globbing the whole string, it'll glob the first character. I've know about * from day 2 of my linux usage, but I'm Just now finding out about ?.

Modern web browsers put a cap on the number of connections they make to a host. This means if you've got a lot of assets on one hostname the browser will queue the remaining assets, while the ones in front download. This is referred to as blocking.

One way around blocking is to create multiple subdomains, for instance, assets0.davidstoline.com and assets1.davidstoline.com to increase the number of resources downloaded in parallel. This is method is called domain sharding and it is recommended by both Google's PageSpeed and Yahoo's YSlow.

I can't exactly afford a high quality CDN like Akamai but I can still leverage some of the benefits and fun of using a CDN. My friend Wim Leers wrote the Drupal CDN module, which you can leverage to do a little home grown sharding of your own.

In my nginx configuration for davidstoline.com I added...

  server_name assets0.davidstoline.com;
  server_name assets1.davidstoline.com;

Then in my Drupal sites directory I created two new directories for assets0.davidstoline.com and assets1.davidstoline.com with a settings file that looks like

die();

I set it up to die(); because I don't actually want to serve my site from those two subdomains.

Boom! Now you just configure the CDN module to use those two subdomains. Just download, install and enable Wim's CDN module. Visit admin/config/development/cdn/details and add something like

http://assets0.davidstoline.com|.css
http://assets1.davidstoline.com

And you're set. You may want to tweak your CDN module setup if you serve a lot of image assets.