How to Configure Trusted Host Patterns?

By scanner737 on 30 Jun 2016 at 19:35 UTC

Just installed Drupal 8 and am getting a notice in my Status Report that Trusted Host Patterns has not been configured in my settings.php.

Can someone tell me exactly what I need to change or add to my settings.php file in order to fix this?

Thanks in advance.

Comments

Instrux and examples here

sam moore

he/him

Sandy Hook, CT

commented 30 June 2016 at 20:55

Instrux and examples here:
https://www.drupal.org/node/2410395

============================
Resonetrics: Better Tools for Building Brands
http://resonetrics.com
http://technologyformarketers.com
http://kittenassociates.org
http://www.linkedin.com/in/sammooreatresonetrics

Thank You

scanner737 commented 1 July 2016 at 15:35

That worked. My only question now is are the "^" and "$" and "\" symbols necessary?

In my status report it's including those with the URLs. I pulled them from the example code of:

'^example\.com$',
'^www\.example\.com$',

... and just wanted to know if they were necessary or if i should remove them? Normally I wouldn't mention it but they're showing up expressly in the status report as being the approved URLs so it just struck me as odd. Thank you again.

Those marks are part of a

sam moore

he/him

Sandy Hook, CT

commented 1 July 2016 at 17:16

Those marks are part of a scheme called "regular expressions" (RegEx), which allows you to specify patterns rather than exact strings to match.
For example [a-z]* matches any string that starts with a lower case letter.
So you could say something like "Match every hostname that ends with example.com", and it would match dev.example.com, stage.example.com, and example.com.
This is massively useful, especially when you add subdomains.
The backslash ("\") is just there to escape the dots, which otherwise would be meaningful operators to the RegEx parser.

Thank You Again

scanner737 commented 1 July 2016 at 21:50

Thank you again for the help, Sam.

Suppose sites with example.com/abc and example.com/def

chetanpearson commented 7 November 2017 at 09:40

Have a requirement for drupal8 multi site with the url pattern like::

example.com

example.com/abd

example.com/rser

Any solutions...

No problem, all the same domain!

mmjvb commented 7 November 2017 at 14:18

So, trusted host pattern should be: '^example\.com$'.

Advised against that kind of set up. Suggest to use subdomains instead of folders in root, at least with a site in root.

Hi -

adminMN2023 commented 17 October 2017 at 16:52

Hi -

'^example\.com$',
'^www\.example\.com$',

Is the above code an example of what you would use for both non-www and www versions of URL?

Thanks in advance!

That is correct.

romreactor commented 17 October 2017 at 17:16

That is correct.

Although correct ...

mmjvb commented 17 October 2017 at 17:41

you would normally only use example.com and remove the www from it when entered (using .htaccess). You'll run into issues when keeping them both(cookies/sessions). Obviously you can have real subdomains, which can be served by different servers and sites.

I have htaccess pointing www

adminMN2023 commented 17 October 2017 at 18:13

I have htaccess pointing www to non-www. Knowing that - should I then ONLY use the non-www version?

Yes, ...

mmjvb commented 17 October 2017 at 19:56

you shouldn't let it test www when that is never passed.
When pointing www to non-www gets removed you should see an error.

What we should write for

chetanpearson commented 7 November 2017 at 06:11

What we should write for example.com/site1 and example.com/site2

where site1 and site2 are different sites.

=-=

vm commented 1 July 2016 at 00:23

settings.php provides examples as well. No one can tell you exactly what to change as no one knows how you are accessing your site (ie domain name, IP, etc.)

Still no luck after multiple troubleshoots.

romreactor commented 1 July 2016 at 03:51

Hey guys, I don't know why I am struggling on such an easy fix however, I tried multiple variations of adding trusted host patterns and still no luck with Drupal 8.1.3. I have also tried creating a settings.local.php file and add the local connections there, but still no luck. What I am trying to do is to add my domain in as well as localhost, and or IP if it helps to enable it and calm my nerves that their are no errors with the new Drupal install.

Unfortunately, I'm not so fortunate.

Below is the code that I'm using now for review in my settings.php file.

$settings['trusted_host_patterns'] = array(
   '^drivenbyfury\.com$',
   '^www\.drivenbyfury\.com$',
   '^drivenbyfury\.nyc',
   '^www\.drivenbyfury\.nyc',
   '^127\.20.\0.\1$',
   '^localhost$',
);

But I also tried using these codes

$settings['trusted_host_patterns'] = array(
  '^localhost$',
  '^.+\localhost$',
  '^localhost$',
  '^.+\localhost$',
);

As well as, these codes in settings.local.php, and settings.php respectively.

settings.local.php file:

<?php
$settings['trusted_host_patterns'] = array(
  '^localhost$',
?>

Settings.php file:

if (file_exists(__DIR__ . '/settings.local.php')) {
  include __DIR__ . '/settings.local.php';
}

Any help would be much appreciated.

Just on quick inspection -

sam moore

he/him

Sandy Hook, CT

commented 1 July 2016 at 17:19

Just on quick inspection - you've got some errors here- specifically, the backslash ("\") goes BEFORE the dot, not after it.

Oops yeah sorry, didn't

romreactor commented 3 July 2016 at 23:47

Oops yeah sorry, didn't notice that when I added the local ip address to the code.

But yeah still get the error even when updating the code to include all \ before the .

This is what the code looks now and I still get the error.

# $settings['trusted_host_patterns'] = array(
# '^localhost$',
# '^.+\localhost$',
# '^localhost$',
# '^.+\localhost$',
# );

$settings['trusted_host_patterns'] = array(
 '^drivenbyfury\.com$',
 '^www\.drivenbyfury\.com$',
 '^drivenbyfury\.nyc',
 '^www\.drivenbyfury\.nyc',
 '^127\.20\.0\.1$',
 '^localhost$',
);

/**
*
?>

I really don't know why it's not turning on. Is this a consistant error message in Drupal 1.8.3?

If that really is literally

sam moore

he/him

Sandy Hook, CT

commented 4 July 2016 at 00:47

If that really is literally the end of your setting.php, you should probably get rid of the last three lines:

/**
*
?>

I'd recommend still cleaning up your array a bit:

$settings['trusted_host_patterns'] = array(
 '^drivenbyfury\.com$',
 '^www\.drivenbyfury\.com$',
 '^drivenbyfury\.nyc$',
 '^www\.drivenbyfury\.nyc$',
 '^127\.0\.0\.1$',
 '^localhost$',
 '^.+\localhost$',
 '^localhost$',
 '^.+\localhost$',
);

A few points:
- 127.0.0.1, not 127.20.0.1
- '^drivenbyfury\.nyc$', not '^drivenbyfury\.nyc',
- '^www\.drivenbyfury\.nyc$', not '^www\.drivenbyfury\.nyc'
- 'localhost" has several possible variations

Unfortunately, even that didn

romreactor commented 4 July 2016 at 02:22

Unfortunately, even that didn't help, and I cleared my cache just to be sure as well.

This is what my code is from even a longer perspective.

*
 * @see http://drupal.org/node/244924
 *
 * Remove the leading hash signs to disable.
 */
# $conf['allow_authorize_operations'] = FALSE;
$databases['default']['default'] = array (
  'database' => 'custom',
  'username' => 'custom',
  'password' => 'custom',
  'prefix' => '',
  'host' => 'localhost',
  'port' => 'MINE',
  'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
  'driver' => 'mysql',
);
/**
*
*/
$settings['hash_salt'] = 'YoFYpiltqRkuPeR4LlgCzaZPdaVUu1FctwzUJmJW0446fffhesW67ft0BvPa6YGYha1MLeNNBcZuA';
$settings['install_profile'] = 'standard';
$config_directories['sync'] = 'sites/default/files/config_SwWuIw1WTdi78Lh9W0EI29fCT1JY8fhfh75SV3Ac5RrpFw2TA1wovl20eeKh-0TtWFJEOF0xw/sync';
$settings['trusted_host_patterns'] = array(
 '^drivenbyfury\.com$',
 '^www\.drivenbyfury\.com$',
 '^drivenbyfury\.nyc$',
 '^www\.drivenbyfury\.nyc$',
 '^127\.0\.0\.1$',
 '^localhost$',
 '^.+\localhost$',
 '^localhost$',
 '^.+\localhost$',
);

In this case I am not using a settings.local.php file.

However, there is also a default.settings.php file, but I thought that was just a back up used for default settings incase if anything goes wrong with your settings.php file.

Any help is really appreciated cause I feel like I'm stuck in a maze for no reason.

default.settings.php is the

sam moore

he/him

Sandy Hook, CT

commented 4 July 2016 at 03:58

default.settings.php is the template used to generate your own settings.php at installation time; don't mess with it.
When you say "didn't help" - is your site loading? Are you just getting complaints in the Status Report?

Also see if this helps:
http://drupal.stackexchange.com/questions/145690/untrusted-host-localhos...

Status Bar message after site load

romreactor commented 4 July 2016 at 17:21

Thanks for the heads up on the default.settings.php file.

Yes, after loading my site, here is the error message when I enter my configuration menu.

Drupal help Photos

And this is after I made the recommended changes in the settings.php file and cleared all cache from the Drupal Site.

Also I tried the above link and made the following changes.

I copied and renamed example.settings.local.php file and moved it to the sites/default directory as settings.local.php file.

Then I added the following code on the first lines in the file.

<?php
$settings['trusted_host_patterns'][] = '^localhost$';

/**
 * @file
 * Local development override configuration feature.
 *
 * To activate this feature, copy and rename it such that its path plus
 * filename is 'sites/default/settings.local.php'. Then, go to the bottom of
 * 'sites/default/settings.php' and uncomment the commented lines that mention
 * 'settings.local.php'.
 *
 * If you are using a site name in the path, such as 'sites/example.com', copy
 * this file to 'sites/example.com/settings.local.php', and uncomment the lines
 * at the bottom of 'sites/example.com/settings.php'.
 */

I also updated the settings.php file to include the code at the bottom of the default.settings.php file for local development.

$settings['hash_salt'] = 'YoFYpiltqRkuPeR4LlgCzaZPdaVUu1FctwzUJmJW0NIlX4nbv5Ww0BvPa6YGYha1MLeNNBcZuA';
$settings['install_profile'] = 'standard';
$config_directories['sync'] = 'sites/default/files/config_SwWuIw1WTdi78Lh9W0EI29fCT1JY6ikyzjl8SV3Ac5RrpFw2TA1wovl20eeKh-0TtWFJEOF0xw/sync';
$settings['trusted_host_patterns'] = array(
 '^drivenbyfury\.com$',
 '^www\.drivenbyfury\.com$',
 '^drivenbyfury\.nyc$',
 '^www\.drivenbyfury\.nyc$',
 '^127\.0\.0\.1$',
 '^localhost$',
 '^.+\localhost$',
 '^localhost$',
 '^.+\localhost$',
);

if (file_exists(__DIR__ . '/settings.local.php')) {
  include __DIR__ . '/settings.local.php';
}

After deleting all cache again still the same message in the Status report under Trusted_Host_Patterns

I really don't want to pay thousands of dollars for someone to built me a site. Any help is truly appreciated as I don't know how I ran into such a frustrating issue on a new Drupal installation.

So now you've got localhost

sam moore

he/him

Sandy Hook, CT

commented 5 July 2016 at 14:28

So now you've got localhost in there three times - once from settings.local.php and twice from settings.php
Anyway the next thing I'd do would be to comment out all of the items in the array and add them back one at a time.
Start with the one you use most.

Did exactly that, still no luck

romreactor commented 6 July 2016 at 01:39

Did exactly that, but still the same error in the status report.

This is what the code looks now in the settings.php file

/**
*
*/
$settings['hash_salt'] = 'YoFYpiltqRkuPeR4LlgCzaZPdaVUu1FctwzUJmJW0NIlX4nbv5Ww0BvPa6YGYha1MLeNNBcZuA';
$settings['install_profile'] = 'standard';
$config_directories['sync'] = 'sites/default/files/config_SwWuIw1WTdi78Lh9W0EI29fCT1JY6ikyzjl8SV3Ac5RrpFw2TA1wovl20eeKh-0TtWFJEOF0xw/sync';
$settings['trusted_host_patterns'] = array(
 '^drivenbyfury\.com$',
 '^www\.drivenbyfury\.com$',
 '^drivenbyfury\.nyc$',
 '^www\.drivenbyfury\.nyc$',
);
if (file_exists(__DIR__ . '/settings.local.php')) {
  include __DIR__ . '/settings.local.php';
}

Also, since I am using the domain www.drivenbyfury.nyc to redirect to drivenbyfury.com do I have to include it in the code? And as for the Local host ip address should that also be listed in the array of the settings.local.php file?

Also, since I am using the

sam moore

he/him

Sandy Hook, CT

commented 6 July 2016 at 02:15

Also, since I am using the domain www.drivenbyfury.nyc to redirect to drivenbyfury.com do I have to include it in the code?

If you're doing a redirect via .htaccess rewrite rule, or some other method that handles the switch before the request hits the site, then you needn't include the .nyc domain - Drupal will never see that domain in a request header if it's being rewritten by Apache.

And as for the Local host ip address should that also be listed in the array of the settings.local.php file?

I'd simplify to

$settings['trusted_host_patterns'] = array(
 '^drivenbyfury\.com$',
 '^www\.drivenbyfury\.com$',
);

And maybe try omitting (commenting out) the settings.local.php include statement for now.
Is your site sitting on a server?

Yes, I am currently running

romreactor commented 6 July 2016 at 02:43

Yes, I am currently running my site on a cloud server.

Also, should I take off the whole command

if (file_exists(__DIR__ . '/settings.local.php')) {
  include __DIR__ . '/settings.local.php';
}

or just take out the

include __DIR__ . '/settings.local.php';

This is what the code looks like now in settings.php and the Trusted_host_patterns setting is still not enabled in the status report.

*/
$settings['hash_salt'] = 'YoFYpiltqRkuPeR4LlgCzaZPdaVUu1FctwzUJmJW0NIlX4nbv5Ww0BvPa6YGYha1MLeNNBcZuA';
$settings['install_profile'] = 'standard';
$config_directories['sync'] = 'sites/default/files/config_SwWuIw1WTdi78Lh9W0EI29fCT1JY6ikyzjl8SV3Ac5RrpFw2TA1wovl20eeKh-0TtWFJEOF0xw/sync';
$settings['trusted_host_patterns'] = array(
 '^drivenbyfury\.com$',
 '^www\.drivenbyfury\.com$',
);
if (file_exists(__DIR__ . '/settings.local.php')) {
}

Well

sam moore

he/him

Sandy Hook, CT

commented 6 July 2016 at 14:41

Well

if (file_exists(__DIR__ . '/settings.local.php')) {
}

does nothing, so I guess it can't hurt...
I'm afraid I'm out of ideas.
I don't see anything wrong with your trusted_host_patterns array.
Just a wild shot - are you sure you're editing the correct settings.php? Maybe take out a semicolon to see if you can break the site...?

Local host added to settings.php

tinabeena commented 30 May 2017 at 21:33

I imagine you've solved this by now, but I have found that all I need for the Trusted Host error on my local dev sites (Mac) is this added to the end of settings.php:

$settings['trusted_host_patterns'] = array(
'^localhost$','^127.0.0.1$'
);

This assumes you've changed both the sites/default folder and the settings.php file permissions with
chmod 755 default
and
chmod 755 settings.php
via a terminal or console prompt before the edit (be sure to restore correct permissions to both when done with chmod 555 settings.php and chmod 555 default!).

localhost settings of trusted_host_patterns

mobil_maniak commented 3 March 2017 at 07:24

If you develop on localhost and/or using vhosts (appache etc.) and for example name of Virtual host is test.
<VirtualHost test> or <VirtualHost test:80> in httpd-vhosts.conf then add port to your patterns in sites/default/settings.php:

$settings['trusted_host_patterns'] = array(
 '^127\.0\.0\.1$',
 '^.+\127\.0\.0\.1$',
 '^localhost$',
 '^.+\localhost$',
 '^test$',
 '^.+\test$',
 '^.+\test\:80$'
);

This example allows host patterns for localhost and test.
127.0.0.1 and localhost is same host in standard cases, example showing howto type IP address in patterns.

If you accessing machine with these settings like in local lan, then add IP to patterns ( w/o port; with port; vhost folder w/o port; and vhost folder with port)

  '^.+\192\.168\.0\.110$',
  '^.+\192\.168\.0\.110$\:80',
  '^.+\192\.168\.0\.110.\test$',
  '^.+\192\.168\.0\.110.\test\:80$',

This saved ,me a lot of pain.

bahson commented 26 April 2018 at 09:18

This saved ,me a lot of pain..thanks

pattern for .com.au

markagregory commented 30 December 2016 at 09:38

I think I've tried every variety possible for mycompany.com.au and it does not work.
I'm using Drupal 8.2.4 and it is hosted on a cpanel site. My site redirects from www.mycompany.com.au to mycompany.com.au
I've put in
$settings['trusted_host_patterns'] = array(
'^www\.mycompany\.com\.au$',
);

and

$settings['trusted_host_patterns'] = array(
'^www\.mycompany\.com\.au$',
'^mycompany\.com\.au$',
);
and
$settings['trusted_host_patterns'] = array(
'^mycompany\.com\.au$',
);

Any help to resolve this appreciated

I had problems with this for

stuhannaford commented 9 January 2017 at 12:38

I had problems with this for a little while and couldn't seem to get around it. Eventually, it came down to three issues on my side:

File permissions - Make sure the settings.php file is set to 644 whilst editing, then revert back to 444 once finished. I had an issue with permissions in cPanel and eventually went via FTP which seemed to get around it. Really odd one this as cPanel kept reverting my file permissions to 444 from 644 and thus the changes weren't actually being saved properly.
DON'T just uncomment the lines in the settings example, you MUST copy it out and then place under the line */ and above the line /** on roughly lines 726 and 728
Using what I ended up with, you should add it like this:
$settings['trusted_host_patterns'] = array(
'^mycompany\.com\.au$',
'^.+\.mycompany\.com\.au$',
);

Hope that helps

Thank you

Amanda Jane commented 20 January 2017 at 05:29

That configured it correctly for me.

Thanks

balter commented 19 April 2023 at 03:34

This sorted it for me too.

I get the same too

Rosina Ramos commented 24 February 2017 at 13:58

I'm doing web hosting and not localhost, should I add the IP too?
thank you

Localhost is an alias for

sam moore

he/him

Sandy Hook, CT

commented 26 February 2017 at 16:27

Localhost is an alias for whatever box you're running on, whether it's hosted elsewhere or on your own machine.
If you're not getting complaints in the status report, then you don't need to change anything.

Same problem... my solution

davidjmcq commented 14 June 2017 at 04:29

I also had to retype the line, rather than modify the example. I can't figure out what was different but retyping worked for me. There must be some obscure special character in the examples given in the settings file.

$settings['trusted_host_patterns'] = array(
'^www\.example\.com\.au$',
'^example\.com\.au$',
);

Same problem but i found a solution in my case

abiyub commented 29 June 2017 at 15:18

I was trying to fix this issue on my local dev environment to make sure everything is okay before i move my code to staging. It took me a while to fix it. but finally i ended up creating a url for my local dev .... for example "drupal.local" in hosts, it might be different for you if you are using MAMP or XAMP or any hosting service like Acquia cloud or Amazon ...

For me

$settings['trusted_host_patterns'] = array(
'^drupal\.local$',
'^localhost$'
);

This fixed the issue. when you add this make sure you have \followed by . in the domain name.

Good luck.

I'm having the same problem

Smeep commented 17 September 2017 at 17:44

I've got the same problem, I've tried all of the above. My code currently looks like this:

$settings['trusted_host_patterns'] = array(
'^wingchunwalsall\.co\.uk$',
'^.+\.wingchunwalsall\.co\.uk$',
'^localhost$',
'^localhost\.*',
'\.local$',
);

Am I missing something obvious? I've been working on this for days, and I can't create content/view my account etc without an error!

trusted_host_patterns

niek_kloots commented 13 January 2018 at 08:43

Have you tried adding these lines at the end of the settings.php?

In my case putting the code at the end removed the problems.

https://kloebb.nl and https://noww.nl

That worked for me!

RickZebra commented 23 July 2018 at 02:01

I can confirm, the only thing that worked for me was retyping the lines. Thanks!

Just to add a few examples

estevao.santos commented 29 October 2017 at 13:07

Just to add a few examples that might help those who are strugling with this. (you can use https://regex101.com/ to help you validate your regex expressions).

Regex Introduction

^ asserts position at start of the string (or line)
$ asserts position at the end of the string (or line)
+ matches the preceding character between one and unlimited times, as many times as possible (greedy)
+? matches the preceding character between one and unlimited times, as few times as possible (lazy)
. matches a single non whitespace character
For instance, it matches a or b but doesn't match or \n
\. (escaped) literal dot
Since . (dot) has special meaning, if you want to match the character dot you need to escaped it with backslash
(...) anything between parenthesis is a (capturing) group
(abc) demarks abc as a capturing group
? makes the preceding character or group optional
for instance...

abc? matches both ab and abc

a(bc)? matches both a and abc, but not ab like previous case
| alternative (OR): matches left or right of the |
abc|def matches abc or def

b(a|i)t matches bat or bit

Some Trusted Host Patterns examples

$settings['trusted_host_patterns'] = [
  '^mydomain\.com$',               // mydomain.com
  '^mydomain\.(com|org)$',         // mydomain.com AND mydomain.org
  '^(www\.)?mydomain\.com$',       // mydomain.com AND www.mydomain.com
  '^(.+?\.)?mydomain\.com$',       // mydomain.com AND ANY subdomain (ex: foobar.mydomain.com)
  '^(.+?\.)?mydomain\.(com|org)$', // mydomain.com AND mydomain.org AND ANY subdomain of those two
];

note: don't use all patterns (since most are cumulative). Pick just the one that suits your needs

how to change setting Trusted Host error in settings.php

drupaldonna commented 15 February 2018 at 17:43

I all but gave up trying to do this. This video from drupaltutor.com saved me. https://youtu.be/FxIginfXTIU

Steps: go to

Control Panel

File manager

Public.html

sites

- right mouse on default and change permissions to (put a CHECK-MARK IN "WRITE") bottom will be 7 5 5 and save

double click to open folder

CLICK on and RIGHT mouse on settings.php

change permissions to (ADD A CHECK-MARK IN "WRITE") bottom will be 7 5 5 and SAVE

SINGLE click on setting.php look up top and see edit , CLICK EDIT

around 2/3 down THE PAGE (mine is at line 711)...look for Trusted host configuration. SEE BELOW

=================================
*
* Drupal core can use the Symfony trusted host mechanism to prevent HTTP Host
* header spoofing.
*
* To enable the trusted host mechanism, you enable your allowable hosts
* in $settings['trusted_host_patterns']. This should be an array of regular
* expression patterns, without delimiters, representing the hosts you would
* like to allow.
*
* For example:
* @code
* $settings['trusted_host_patterns'] = array(
* '^www\.example\.com$',
* );
* @endcode
* will allow the site to only run from www.example.com.

===============================

COPY THE CODE BELOW AND PAST AT THE BOTTOM OF THE PAGE

* $settings['trusted_host_patterns'] = array(
* '^www\.example\.com$',
* );

TAKE OUT THE * ON EACH LINE

  $settings['trusted_host_patterns'] = array(
   '^www\.example\.com$',
  );

MINE IS NOBMA.ORG NO www

NOW PLACE YOUR WEBSITE url IN PLACE OF THE example/com

- mine is '^NOBMA\.ORG$',

SAVE

CHANGE THE PERMISSIONS on default folderand settings.php back by removing the check mark in "write" and save.

the error should be gone. If not you have the website name or the code in those 3 lines incorrect.

FIXED Now go pat yourself on the back for being awesome.

drupaldonna, THANK YOU. Your

cocofried commented 23 June 2018 at 18:25

drupaldonna, THANK YOU. Your guide helped me remove the errors out on a drupal multisite and I have no code knowledge.

I tried all the others input and it did not work for me. I think that going step by step as you wrote, including changing the setting.php under the sites/ sitename "the default and change permissions to (put a CHECK-MARK IN "WRITE") bottom will be 7 5 5 and save" made the difference.

$settings['trusted_host_patterns'] = array(
'^sitename\.com$',
'^www\.sitename\.com$',
);

Trusted Host errors

drupaldonna commented 24 June 2018 at 02:28

Oh good. I was hoping it would help someone else.

Keep at it.

Donna

Hi, i need a little help here

c.e.a commented 14 September 2018 at 22:13

Hi, i need a little help here please !

I am running a Drupal 8.6 website on the subdomain me.goodname.com and it is worth to mention that the domain name goodname.com is running another Drupal 7 website which is not connected at all with the subdomaine me.goodname.com.

So my cpanel structure is a below:

-- (home)
------ (username)
------------ (public_html)
------------------- (me.goodname.com)
--------------------------- folders & files of drupal 8 website.
------------------- (goodname.com)
--------------------------- folders & files of drupal 7 website.

For the subdomain me.goodname.com, i create a redirect rule in .htaccess file to redirect www.me.goodname.com to me.goodname.com.

I understand that in the trusted_host_patterns of the me.goodname.com subdomain, i must mention both subdomains with www and without it.

So what will be the trusted_host_patterns for the subdomain me.goodname.com

Does the below settings good ?

$settings['trusted_host_patterns'] = array(
  '^www\.me.goodname\.com$',
  '^me.goodname\.com$',
);

Thank you for any help,

Trusted host patterns response to goodname.com

drupaldonna commented 14 September 2018 at 23:21

I'm afraid I may not be much help to you. The bulk of my web design is in the winter because we own a fishing resort and I'm so busy during the summer I don't have time to play with Drupal so my brain isn't in web design mode right now.

However, I assume that what you did is not working so this is what I would change.

Assuming you copied the code exactly from the sample .....I think you need a slash in front of each dot. I'd give that a try.

I would have to re-read the instructions to know whether you need both domain names but it wouldn't hurt to try it. You can always remove or change it.

$settings['trusted_host_patterns'] = array(
'^www\.me\.goodname\.com$',
'^me\.goodname\.com$',
);

Donna

Thank you for your kind help

c.e.a commented 14 September 2018 at 23:27

Thank you for your kind help/reply, i will take into consideration your advise and try it.

Drupal Donna is correct,

jaypan

Victoria, BC

commented 15 September 2018 at 01:17

Drupal Donna is correct, there needs to be a backslash before every period. This is called 'escaping' the character.

The key is in the name trusted host patterns. A 'pattern' is a 'regular expression' (aka regex). What is happening with Drupal and the trusted host patterns is that you declare these patterns in your settings.php file, which tells Drupal when someone accesses Drupal, it must be a domain name that 'matches' these patterns, otherwise the request should be rejected. In other words, these are the hosts (domain names) that we trust. This is a security measure.

When a new request is made to Drupal, one of the first things that happens is that Drupal retrieves the domain name that is being used to access Drupal (for example www.example.com), then checks if that domain name matches any of the patterns in the Trusted Host Patterns. A 'match' means the domain is trusted (for the above example, the pattern would be ^www\.example\.com$). If a match is found, Drupal allows the request to proceed.

In regular expressions, a period is used as a 'wild card', which means any character will count as a match for that position. For example, the pattern a.c would match the strings abc, a1c, axc, as it will accept any value where the wild card (period) is. But the pattern a\.c (with the period 'escaped') will only match the string a.c, which has a period in the middle position. Checking abc or a1c against that pattern would result in a non-match.

When checking domain names, we want to ensure that a period is in the position where a period is supposed to be. This is what the backslash does when it precedes the period. It 'escapes' the period, meaning that the regular expression checks for a period in that position, rather than checking for a wildcard in that position.

...for a bit of a technical explanation as to the background of trusted host patterns and how they work.

Contact me to contract me for D7 -> D10/11 migrations.

Thank you a million times for

c.e.a commented 15 September 2018 at 02:09

Thank you a million times for such wonderful detailed explanation.

When checking domain names, we want to ensure that a period is in the position where a period is supposed to be. This is what the backslash does when it precedes the period. It 'escapes' the period, meaning that the regular expression checks for a period in that position, rather than checking for a wildcard in that position.

This exactly what was going on with my website and I didn't know that until now.

I am using Acquia Dev Desktop for the Dev Environment of my Prod website (me.goodname.com) and using Acquia Dev Desktop I can access my local website on

me.goodname.dd:8083

so in my settings.php, I added the below codes to get rid of the error displayed on the status report page:

/**
* Enable the website to run locally on localhost using Acquia Dev Desktop.
* Use this pattern '^sitename.dd$',
*/
$settings['trusted_host_patterns'] = array(
 '^me.goodname.dd$',
);

and everything is working good with no error displayed.

However, after I understand your comment, I updated the code to become:

/**
* Enable the website to run locally on localhost using Acquia Dev Desktop.
*/
$settings['trusted_host_patterns'] = array(
 '^me\.goodname\.dd$',
);

and also now all is working good and without displayed errors.

As per your comment and as per I understand, I will keep the code with a backslash that precedes the period so the access will be granted only through me.goodname.dd on local server and me.goodname.com on web server.

Because I noticed that on my Dev Website (locally), the website is accessed using any of the below codes:

$settings['trusted_host_patterns'] = array(
 '^me.goodname.dd$',
);

or

$settings['trusted_host_patterns'] = array(
 '^me\.goodname.dd$',
);

or

$settings['trusted_host_patterns'] = array(
 '^me\.goodname\.dd$',
);

But I believe as per your comment, '^me\.goodname\.dd$', is the best option to be used in term of security.

Thank you,

I believe as per your comment

jaypan

Victoria, BC

commented 15 September 2018 at 05:12

I believe as per your comment, '^me\.goodname\.dd$', is the best option to be used in term of security.

That's correct.

Contact me to contract me for D7 -> D10/11 migrations.

Thank you once again for your

c.e.a commented 15 September 2018 at 08:55

Thank you once again for your help !

Looks good, could be improved

mmjvb commented 15 September 2018 at 02:11

That matches www.me.goodname.com and me.goodname.com in addition to meagoodname.com and a lot of others. Which confirms the requirement to use \. to only accept the domain goodname. See regular expressions in pattern matching for Perl for information.

No need to have two patterns to allow for the optional www.
'^(www\.)?me\.goodname\.com$' should be enough. Making www. in front optional
'^(www\.|)me\.goodname\.com$' is an alternative. Probably used with a list of sub domains: www.,site1.,site2. Separate them with | and include the last | to make it optional.

Not fully aware of this security measurement but on local I set
$settings['trusted_host_patterns'] = ['.*'];
to get rid of the error. My local site is only available from my machine, not the intranet nor the internet.

Thank you for your humble

c.e.a commented 15 September 2018 at 02:21

Thank you for your humble reply.

No need to have two patterns to allow for the optional www.
'^(www\.)?me\.goodname\.com$' should be enough. Making www. in front optional

It is good to know about such option, I will try it as soon as my I first push my website to the production environment.

Installation now broken :(

nedolaanen commented 29 October 2018 at 10:16

OK, so I got the error message saying it was recommended to use trusted_host_patterns. I added the code below to my settings.php and it didn't work properly.

$settings['trusted_host_patterns'] = array(
'^www\.nedolaanen\.nl$',
'^nedolaanen\.nl$',
);

So I removed the code, returning to my original code (which worked fine) and now I can not log on anymore. I keep getting the following error in my browser. Even when I log on from another device and even after I truncated my cache tables.

The website encountered an unexpected error. Please try again later.

Now what do I do? I'm not happy. I regret following Drupals recommendation. I'm not able to restart the webservice on the server, because I have no access.

OK, somehow my settings.php

nedolaanen commented 29 October 2018 at 10:34

OK, somehow my settings.php got broken. I had to download it, open it in another editor, copy all text and paste that in a new file. Then renamen the new file to settings.php and upload it. Then after setting the correct file permissions on settings.php AND the permissions on the directory above I finally got it to work again. It was probably an up-download error.

Thanks @drupaldonna!

mtdaveo commented 6 April 2019 at 02:14

Thanks @drupaldonna!

How to configure trusted host

drupaldonna commented 6 April 2019 at 18:42

My pleasure. :o)

Donna

web directory (composer install)

Basiel commented 11 December 2019 at 18:51

Hi,

Normally this works fine, but now is the first time I use a full composer install Drupal, with a "web" directory.
I can't seem to get this to work. I always get the error "The provided host name is not valid for this server.".
I suppose this is due to this "web" directory, or could this be something else ? At the moment i tried the following settings ;

$settings['trusted_host_patterns'] = array(
'^digiwestbe.webhosting\web\.be$',
'^.+\.digiwestbe.webhosting\web\.be$',
);

I tried with and without the "web", but I always get the same result.

Thank you for your help,

best regads
basiel

trusted hosting

niek_kloots commented 11 December 2019 at 19:04

You will have to ask your hoster what settings you need and where.

At my hoster all the above won't work any more.

All I have to do now is to check the box before enable ssl and the box before no www in my Plex

https://kloebb.nl and https://noww.nl

Trusted host pattern is about domains, not folders

mmjvb commented 11 December 2019 at 22:03

So, what is your domain? The \ is for escaping the special character .
digiwestbe.webhosting.be would become '^digiwestbe\.webhosting\.be$'
To allow anything '.*', obviously that provides no protection.

Trusted hosts provided using variables

lucian.ilea commented 7 January 2022 at 12:23

Hi all!

I am having a hard time understanding what am I doing wrong in the following context:

I want to add a trusted host into my settings.php file, based on the environment I am in - dev, stage, prod.

Here is a snipped from my settings.php that doesn't work:

$trusted_hosts = '^test\.example\.com$';
$settings['trusted_host_patterns'] = [
  $trusted_hosts,
];

And here is one that does...

$settings['trusted_host_patterns'] = [
  '^test\.example\.com$',
];

The returned $settings['trusted_host_patterns'] is identical in both cases.

What am I doing wrong?

Thank you!

How to Configure Trusted Host Patterns?

Comments

Regex Introduction

Some Trusted Host Patterns examples

New forum topics