Deploying a new Drupal 8 site

Revision as of 15:24, 19 July 2019 by Ian McBride

Drupal Site Setup

Set up the varnish purger

  1. drush8 -y pm-enable purge purge_drush purge_queuer_coretags purge_tokens purge_ui varnish_purger varnish_purge_tags; drush8 -y cr;
  2. Go to /admin/config/development/performance/purge
  3. Click Add purger and add a Varnish purger
  4. Configure the varnish purger
    1. Name: Varnish
    2. Type: Tag
    3. Request
      1. Hostname:
      2. Port: 80
      3. Path: /
      4. Request Method: BAN
      5. Scheme: http
    4. Headers
      1. -
        1. Header: Cache-Tags
        2. Value: [invalidation:expression]
      2. -
        1. Header: host
        2. Value: www.middlebury.edu
      3. -
        1. Header: Drupal-Site
        2. Value: www.middlebury.edu.SITE_PATH
  5. Export your configuration. It will have an id which looks something like "dd61b69fad". This is the VARNISH_ID you will add to the Chef configuration below.

Configure Site Caching

Turn off gzip generation for CSS and JS files. Since varnish will be gzipping the files for us, Drupal does not need to do this. You can only turn this off by manually updating the system.performance.yml like this.

Chef Configuration

Run knife vault edit web_drupal8 drupal8_settings

In the JSON file, add the database information for this new site, and be sure to add the information under both production and test. Note that if this is indeed an entirely new site, you will not need legacy db information. Also note that you need to request the creation of the database on the production server before you can complete this process.

web_drupal8 Cookbook

Update the cookbook version of web_drupal8 in metadata.rb



Use whichever install profile you picked when initializing the site for the value of :install_profile.

"SITE_URL" => {
    :database => "DATABASE_NAME",
    :install_profile => "middlebury_starter_profile",
    :config_sync_directory => '../config/SITE_NAME/sync',
    # Choose ONE of the following two lines as fits the needs of the site
    :file_public_base_url => 'https://www.middlebury.edu/SITE_NAME/sites/SITE_URL/files',
    :file_public_base_url => 'https://SITE_NAME.middlebury.edu/sites/SITE_URL/files',
    :file_public_path => 'sites/SITE_URL/files',
    :trusted_host_patterns => [



web_drupal_site "SITE_URL" do
  session_id "SSESS0b011572177428d7211e023d0a5cb1f9" # this will need to be updated later
  allow_node_add true
  project "drupal8"
  webroot "/web"
  # If the site is of the format SITE_NAME.middlebury.edu, use the following line
  vhost_partials ({"etc/httpd/conf.d/drupal-force-https.erb" => {'cookbook' => 'web_drupal8'}})
  # OR, if the site is of the format www.middlebury.edu/SITE_NAME, use the following line
  vhost_partials ({"etc/httpd/conf.d/SITE_ALIAS.rewrite.erb" => {'cookbook' => 'web_drupal8'}})
  drupal_settings ({
    "database" => ({
      "database" => db_prefix + node["drupal8"]["sites"]["SITE_URL"]["database"],
      "username" => settings["SITE_URL"]["drupal_db_username"],
      "password" => settings["SITE_URL"]["drupal_db_password"],
      "hostname" => database_hostname,
    }),
    "trusted_host_patterns" => node["drupal8"]["sites"]["SITE_URL"]["trusted_host_patterns"],
    "install_profile" => node["drupal8"]["sites"]["SITE_URL"]["install_profile"],
    "config_sync_directory" => node["drupal8"]["sites"]["SITE_URL"]["config_sync_directory"],
    "reverse_proxy_addresses" => reverse_proxy_addresses,
    "file_public_base_url" => node["drupal8"]["sites"]["SITE_URL"]["file_public_base_url"],
    "file_public_path" => node["drupal8"]["sites"]["SITE_URL"]["file_public_path"],
    "config_overrides" => settings["SITE_URL"]["config_overrides"],
    "varnish_purger_config_id" => 'varnish_purger.settings.VARNISH_ID',
    "protocol" => "https"
  })
  # If this site is of the format SITE.middlebury.edu, remove the following 2 lines.
  # If this site is of the format www.middlebury.edu/SITE, keep the following 2 lines.
  # Apache configuration is handled in the www.middlebury.edu site configuration.
  skip_vhost true
end


Duplicate one of the existing files in web_drupal8/files/drush_aliases, rename the file appropriately, and replace the values with the paths for your new site.


drush8 -r /var/www/drupal8/web --uri=SITE_URL cim -y


drush8 -r /var/www/drupal8/web --uri=SITE_URL cache-rebuild


drush8 -r /var/www/drupal8/web --uri=SITE_URL updatedb

web_drupal Cookbook

Update the web_drupal cookbook version in metadata.rb.


Editing this file is only necessary for sites with the URL format www.middlebury.edu/SITE_NAME. Sites with the format SITE_NAME.middlebury.edu can skip to the cron.rb section.

Add a directory alias for /var/www/drupal8/web

# General Drupal8 settings.
"/var/www/drupal8/web" => {
    :directory_alias => [

Add a site base to the section for drupal.htaccess.erb

"etc/httpd/conf.d/drupal.htaccess.erb" => {
    :cookbook => "web_drupal8",
    :variables => ({
        'rewrite_base' => '/',
        'site_bases' => [

Add a site header

"etc/httpd/conf.d/drupal-site-header.erb" => {
    :cookbook => "web_drupal8",
    :variables => ({
        'site_bases' => {
            "/institute" => "www.middlebury.edu.institute",
            "/bread-loaf-conferences/photos-and-bios" => "www.middlebury.edu.bread-loaf-conferences.photos-and-bios",
            "/SITE_PATH" => "www.middlebury.edu.SITE_PATH_REPLACING_SLASHES_WITH_PERIODS",

Add the following code to the end of the vhost_directories array, replacing values as appropriate

"/var/www/drupal8/web/sites/SITE_NAME/files" => {
  # Insert the Drupal rules from the .htaccess here so that they can be loaded at
  # server-start rather than have the filesystem checked for every request.
  :flags => {"AllowOverride" => "None"},
  :partials => {"etc/httpd/conf.d/drupal-files.htaccess.erb" => {:cookbook => "web_drupal8"}}


Add a rewrite condition for the new sub-path.

Editing this file is only necessary for sites with the URL format www.middlebury.edu/SITE_NAME. Sites with the format SITE_NAME.middlebury.edu can skip to the cron.rb section.

RewriteCond %{REQUEST_URI} !^/SITE_PATH/


In the drupal_purge_worker section

"/var/www/drupal8/drush8 -q --root=/var/www/drupal8/web -l SITE_URL p-queue-work",

In the drupal_cron section

"/var/www/drupal8/drush8 -q --root=/var/www/drupal8/web -l SITE_URL core-cron",

web_apache_config Cookbook

Increment the version in metadata.rb


Add a rewrite condition for the new sub-path.


web_varnish_config Cookbook

Increment the version in metadata.rb

Block access to the site from off-campus while it is being built.


Search for "# Block access to some hostnames from off-campus" and add the site path to the exclusion list.

Test the new Chef configuration

knife cookbook upload web_apache_config
knife cookbook upload web_drupal8
knife cookbook upload web_drupal
knife cookbook upload web_varnish_config

ssh drupaltest
dzdo -s

ssh vole
dzdo -s

Test the new site out by adding this to your HOSTS file. www.middlebury.edu

Load the new site in a browser and log in. Open the browser inspector and view your cookies. There will be one that looks like "SSESS0b011572177428d7211e023d0a5cb1f9", but with a different hash. Copy this into the place it belongs in the web_drupal8 sites.rb recipe and repeat the chef-client test.

AzureAD Setup

Initialize the Drupal site

  1. Navigate to /admin/config/people/saml in your site administration.
  2. Set the Service Provider Configuration -> Entity ID to the path of this site's front page without the trailing slash.
  3. Download the metadata from /saml/metadata. You will need to upload this file to AzureAD.

Configure AzureAD

  1. Go to https://portal.azure.com
  2. Click on Azure Active Directory in the left nav
    1. Click on Enterprise Applications in the second-most left nav
    2. Click the + New application button at the top of the pane
    3. Select Non-gallery Application
    4. Enter Drupal - <site name> in the Name textfield
    5. Click the Create button
  3. Click Properties under Manage in the second-most left nav
    1. Upload the Drupal logo file
    2. Change User assignment required? to No
    3. Change Visible to users? to No
    4. Click the Save button at the top of the pane
  4. Click Owners under Manage in the second-most left nav
    1. Add yourself and any other members of Web_Technologies_&_Services as owners.
  5. Click Single sign-on under Manage in the second-most left nav
    1. Select SAML
    2. Click the Upload metadata file button at the top of the pane and upload the file you downloaded in the Initialize the Drupal site section above.
    3. Click the pencil icon under step 3 SAML Signing Certificate and delete the Notification Email Addresses, then add itswebapplications@middlebury.edu as a notification email address.
    4. Click the Save button at the top of the pane then click the X button at the top right
    5. Click the Download link next to Federation Metadata XML under step 3 SAML Signing Certificate

Configure the Drupal site

  1. Navigate to /admin/config/people/saml in your site administration.
    1. Paste the value from the <X509Certificate> element in the XML file you downloaded from Azure into the Primary x509 Certificate textarea.
    2. The Entity ID and other values should be the same for all sites, but can be verified against the content of the XML file.
    1. Set Unique identifier attribute to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    2. Set Attempt to map SAML users to existing local users to Yes
    3. Set Create users specified by SAML server to No
    4. Set Synchronize user name on every login to Yes
    5. Set Synchronize email address on every login to Yes
    6. Set User name attribute to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    7. Set User email attribute to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail
    1. Set Strict mode to Yes
    2. Set Sign authentication requests to Yes
    3. Set Request messages to be signed to No
    4. Set Request authn context to No
  5. Export this configuration for the site and deploy it to production.