Introduction
Before you can host a Drupal site there are several prerequisites that you'll need. The collection of these softwares is refereed to as a LAMP (Linux, Apache, MySQL, PHP) stack. It's assumed that you will be hosting this on a Linux machine and that you have root access on the box.
Prerequisites
As discussed in the introduction section, you will need to have one of each of the following softwares installed:
- Web server (Nginx, Apache, IIS, etc)
- Database (MySQL/MariaDB, PostgresSQL)
- PHP (>= 7.3)
Web server
Nginx
Click to expand
server {
server_name example.com;
root /var/www/drupal8/web; ## <-- Your only path reference.
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Very rarely should these ever be accessed outside of your lan
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to scripts in site files directory
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
# Allow "Well-Known URIs" as per RFC 5785
location ~* ^/.well-known/ {
allow all;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
return 403;
}
location / {
# try_files $uri @rewrite; # For Drupal <= 6
try_files $uri /index.php?$query_string; # For Drupal >= 7
}
location @rewrite {
#rewrite ^/(.*)$ /index.php?q=$1; # For Drupal <= 6
rewrite ^ /index.php; # For Drupal >= 7
}
# Don't allow direct access to PHP files in the vendor directory.
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
# Protect files and directories from prying eyes.
location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|/(\.(?!well-known).*)|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config$|/#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
deny all;
return 404;
}
# In Drupal 8, we must also match new paths where the '.php' appears in
# the middle, such as update.php/selection. The rule we use is strict,
# and only allows this pattern with the update.php front controller.
# This allows legacy path aliases in the form of
# blog/index.php/legacy-path to continue to route to Drupal nodes. If
# you do not have any paths like that, then you might prefer to use a
# laxer rule, such as:
# location ~ \.php(/|$) {
# The laxer rule will continue to work if Drupal uses this new URL
# pattern with front controllers other than update.php in a future
# release.
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
# Ensure the php file exists. Mitigates CVE-2019-11043
try_files $fastcgi_script_name =404;
# Security note: If you're running a version of PHP older than the
# latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
# See http://serverfault.com/q/627903/94922 for details.
include fastcgi_params;
# Block httpoxy attacks. See https://httpoxy.org/.
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_intercept_errors on;
# PHP 5 socket location.
#fastcgi_pass unix:/var/run/php5-fpm.sock;
# PHP 7 socket location.
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
# Fighting with Styles? This little gem is amazing.
# location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
try_files $uri @rewrite;
}
# Handle private files through Drupal. Private file's path can come
# with a language prefix.
location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
try_files $uri /index.php?$query_string;
}
# Enforce clean URLs
# Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
# Could be done with 301 for permanent or other redirect codes.
if ($request_uri ~* "^(.*/)index\.php/(.*)") {
return 307 $1$2;
}
}
Apache
Click to expand
<VirtualHost *:443>
ServerName example.com
DocumentRoot /var/www/html/web
SSLEngine on
SSLCertificateFile /etc/apache2/certs/mysite_cert.pem
SSLCertificateKeyFile /etc/apache2/certs/mysite_key.pem
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
ErrorLog /var/log/httpd/logs/ssl_error.log
<Directory /var/www/html/web>
Options FollowSymlinks Indexes
AllowOverride All
DirectoryIndex index.php
Require all granted
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
</Directory>
<LocationMatch "^/(.*\.php(/.*)?)$">
ProxyPass "fcgi://127.0.0.1:9000/var/www/html/web/"
</LocationMatch>
</VirtualHost>
Database
You will need to create a new database for the Drupal site. You also need to create a new mysql user to restrict access.
CREATE DATABASE databasename;
CREATE USER username@localhost IDENTIFIED BY 'password';
GRANT ALL ON databasename.* TO 'username'@'localhost' IDENTIFIED BY 'password';
PHP
Besides the base php package, you will need a handful of php extentions.
- php-gd
- php-mysql
- php-pdo
- php-opcache
- php-xml
- php-mbstring
- php-curl
- php-bz2
- php-zip
Composer
Once you've installed and configured your stack, you'll next need to download and install Composer. Composer is the chosen PHP package manager for Drupal projects. In order to install the latest version of Composer you can run the following commands in your terminal shell.
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php -r "if (hash_file('sha384', 'composer-setup.php') === '756890a4488ce9024fc62c56153228907f1545c228516cbf63f885e036d37e9a59d27d63f46af1d4d07ee0f76181c7d3') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
php composer-setup.php
php -r "unlink('composer-setup.php');"
Assuming that you received no errors, you should next move the composer.phar
file into your PATH and verify that you can use it.
sudo mv composer.phar /usr/local/bin/composer
composer --version
You should see something like "Composer version 2.1.3 2021-06-09 16:31:20" following the composer version check.
Downloading Drupal
composer create-project drupal/recommended-project my-site-name
This will download the latest version of Drupal (9.2.2 at the time of writing) and place it into the specified directory.
cd my-site-name
# Skip installing packages listed in require-dev
composer install --no-dev
# Highly recommended, but not strictly required.
composer require drush/drush
Running the composer install
command downloads all dependencies that the project has specified in the composer.json file.
Requiring the drush/drush
package will install the Drupal command line tool which will be used extensively in later lessons.
Installing Drupal
At this point you should have your web server running, a database created, and PHP installed and configured. Assuming that is the case, navigate to the domain you've registered for the site.
You should automatically be redirected to the installation wizard.