Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.We're using securesite with the HTML form auth (and I tried it using HTTP Basic auth as well), and it seems to cause compatibility issues with Advanced CSS/JS Aggregation (advagg). advagg attempts to verify that it is handling 404 requests by querying for a non-existent file in the advagg directory. If it can't do this, it throws an error in the status report.
In this case, it isn't handling the 404 request because securesite is stopping it before it is able to process this request.
Would it be possible to have a whitelist of URLs that can bypass securesite? If so, we could add a regex for advagg_ requests, or similar.
Comments
Comment #1
mikeytown2 CreditAttribution: mikeytown2 commentedI think securesite_boot is where the check takes place. Looking at the code I might be able to fix this if I include the session cookie from the logged in user when making the loopback request.
Looks like _securesite_forced() is where the exceptions to the rules are located. This would be the ideal fix.
You can also disable advagg 404 checking in the settings.php file
Comment #2
NaX CreditAttribution: NaX commentedI think we should consider a hook here where other modules can hook into securesite boot and bypass it. Its a dangerous feature to add but if we want to play nice with other modules then it makes sense.
Comment #3
rael9 CreditAttribution: rael9 commentedThanks for the info, mikeytown2. That pointed me in the right direction for a workaround. My workaround for now is that I changed the line:
if (php_sapi_name() == 'cli' || $_GET['q'] == 'admin/reports/request-test') {To:
if (php_sapi_name() == 'cli' || $_GET['q'] == 'admin/reports/request-test' || (strpos($_GET['q'], '/advagg_') !== FALSE && module_exists('advagg'))) {This fixes the verification in the status report as well as some intermittent issues I was having where the styles would not load correctly, presumably because advagg wasn't able to properly handle the 404 requests.
NaX, I'm all for a hook that other modules can use, but I still think there should be a setting to ignore certain URLs for cases where a module hasn't yet been updated, or can't be updated for some reason. Soemthing along the lines of:
$conf['securesite_ignore_urls = array('advagg_', 'foo', 'bar');Where each entry in the array is a regex. Perhaps with available logging so that this can be debugged.
Comment #4
rael9 CreditAttribution: rael9 commentedAs it turns out, the change I mentioned above does fix the errors in the status report, but not so much the intermittent styling issues. It appears that that was caused by this issue:
https://drupal.org/node/2216825
Comment #5
NaX CreditAttribution: NaX commentedThis problem seems to affect more than one issue. Please see meta issue #2235715: Support custom paths for satic file caches.