Drupal News

Appnovation Technologies: Simple Website Approach Using a Headless CMS: Part 1

Planet Drupal -

Simple Website Approach Using a Headless CMS: Part 1 I strongly believe that the path for innovation requires a mix of experimentation, sweat, and failure. Without experimenting with new solutions, new technologies, new tools, we are limiting our ability to improve, arresting our potential to be better, to be faster, and sadly ensuring that we stay rooted in systems, processes and...

ARREA-Systems: Drupal 8 composer installation on EC2 with Ubuntu 18.04 LTS

Planet Drupal -

Drupal 8 composer installation on EC2 with Ubuntu 18.04 LTS Fri, 09/21/2018 - 21:31 In this post we will share our experience with installing a Drupal 8 application on an Amazon EC2 server with latest Ubuntu 18.04 LTS. Installing Drupal with composer greatly simplify system maintenance and further update.

OpenSense Labs: CMS Comparison 2018: Drupal vs Umbraco

Planet Drupal -

CMS Comparison 2018: Drupal vs Umbraco Akshita Fri, 09/21/2018 - 19:01

Like every organization, you want yours to build around consistent and successful marketing operations. The choice of your CMS has a lot to do with the execution of the successful marketing campaigns. 

Dynamic organizational goals need dynamic sites. Which raises the bar high when selecting the CMS of your choice. 

Comes along the cost involved in all aspects. 

In the comparison series, today, we have Drupal (open source software) vs Umbraco (proprietary software).

Here’s to choose between Drupal and Umbraco. Which one serves your needs better? Read on to know more. 

But first, let’s have a look at the market share of each CMS. 

Market Share of Umbraco vs Drupal  Source: W3TechsSource: W3TechsSource: Similartech


Drupal has better usage coverage in more websites categories. Including Business & Industry, Arts & Entertainment, People & Society, Career & Education, and 242 other categories. In other words Umbraco hasn't got a lead over Drupal in any websites category.

Let’s get to the actual comparison. 

Round One: The Cost

Umbraco is actually an open source but it heavily relies on proprietary software. Umbraco add-ons range from free to a licensing fee either per domain, per server, or a lifetime license. The licensing is covered under MIT license which means you can do whatever you want as long as you include the original copyright and license notice in any copy of the software/source. 

Drupal, on the other hand, is an open source software. Free to use, re-use, and distribute. Drupal modules (add ons) are free too. 

The Drupal.org (official Drupal website) writes it as “...It's built on principles like collaboration, globalism, and innovation. It's distributed under the terms of the GNU General Public License (GPL). There are no licensing fees, ever. Drupal will always be free.”

Drupal Wins!


Round Two: Editing Experience

At the heart of marketing lies content. 

A marketing CMS streamlines the work involved in creating new content in unprecedented ways. That is why your CMS needs to offer the right and intuitive kind of editing experience. 

Creating content is easy in Drupal. Authoring with WYSIWYG features is designed to keep content creation neat and ordered. It provides the preview and drag-and-drop image uploads option. And when you need to make quick changes with in-context editing it is easier. 

Not just this, it is available in 100 languages. You don’t have to limit your audience to one specific demography or language. 

With the help of a CKEditor feature built specifically for Drupal, you can more easily control details like image alignment and captions right from the palm of your hand.

By default, the editor enforces clean markup and has formatting tools disabled. In case you are looking to change the settings or editing buttons you just need to use a drag-and-drop configuration UI for adding and removing editor buttons.

Editing is indeed intuitive in Umbraco. 

It is easier to just add the content and rearrange it accordingly. Working on Drupal’s text editor for more than a year, it has been a breath of fresh air (no offense, Drupal community). Adding multimedia content is easy.

Not just this, you can also see the preview of your content on different sites with Umbraco’ unique Responsive Preview. Even before it is live. 

This ensures that the visitors experience the content the way you want them to. Adjustments are easy to make too. 

Another thing that adds is that as an editor you can always rollback to an older version. It’s like an infinite undo button. (@Drupal we need this.)

The built-in Umbraco Image Cropper ensures that your images are presented as you want. With the focal point you simply point and click on the most important thing in the image and the image is automatically resized and cropped so as to fit perfectly on any device while ensuring that the most important thing stays in focus. 

Drupal’s Focal Point module promises similar functionality but it needs to be added later. 

Both offer the option to schedule the content. 

Umbraco Wins! 


Round Three: Practicing Accessibility

It is very important that as an organization you don’t happen to miss any of your audience, not even by ignorance. 

Drupal 8 provides web accessibility out-of-the-box and it is mandatory. Not just this you could even mark content regions with attributes with HTML5 semantic markup. 

Navigation is simpler by identifying menus, banners, and ancillary content areas, and letting keyboard users move through them more easily. Drupal 8 puts these methods to work in a new admin toolbar that adapts to different screen widths, and is easier for people with screen readers to use.

Umbraco, although, provides accessibility features like alt text sadly they are optional. Accessibility is something that should be part of the general web development practices, and clearly Drupal ensures the discrimination doesn’t happen, as a choice. 

Drupal Wins!


Round Four: Community support

The Drupal Community is one of the largest open source communities in the world. The community support involves documentation creation, sharing networking opportunities, and more. The sheer commitment to the open source spirit pushes the Drupal project forward.

Around 1,300 agencies provide Drupal services across the globe (according to Drupal.org) and more than 3,200 contributors are working right now to improve the platform. 

Community support of Umbraco is no different. The official website tells us that they currently have an active community of over 200,000 “Umbracians” worldwide ready to share their experience and knowledge with others.

They take pride that the online community transcends to and becomes real gatherings all over the world in the form of local Umbraco meetups and even Festivals. 

It’s a Tie!
 

Round Five: Installation Profile

Getting started with the Umbraco? It provides you with two options - Clean website and the one with a demo. However good the intentions were a clean slate can be a bit overwhelming for some, especially if they’re new to Umbraco (did I copy that?)

Drupal - the latest 8.6 version provides with a starter kit - a basic site with a sleek minimalistic design of a food magazine. Learn and play with it. Set the features as you want. 

This makes it easy to customize and see how Drupal features set in. See if it fits your needs. 

Drupal Wins!


Round Six: Headless/ API first

An API first or Headless CMS simply lets you hit publish and your changes will automatically update on mobile apps, on store displays, flat screens, websites, even on smart watches. 

A feature that you can’t afford to miss especially when there are numerous screen types today. 

Umbraco promises that its headless “helps you edit the content easily in one place, and it is updated across your webshop, website, campaign sites and on displays on every screen.” 
 
Umbraco Headless helps you enable power for other types of websites with Umbraco such as Single Page Application or websites running on a different platform than .NET. 

Problem? 

The community is very close to having everything in place for the official launch of Umbraco Headless. It is not yet launched. All Hype, Nothing Fruitful

Drupal 8 core has out-of-the-box REST API that allows operators to interact with content entities like taxonomy terms, nodes, users, and comments.

Drupal 8 has Contenta (a Drupal distribution) and Reservoir are two of the API first initiative. Various contributed modules allow you to add web services to a Drupal installation without the need for writing code. 

For instance, Developers can use Services module and the RESTful Web Services module to configure a server for enabling the Drupal installation to push or allow data that is to be pulled as needed with the help of REST API. No matter whether the action is a push or pull, Drupal is the services layer. 

Drupal Wins! 


Round Seven: Training and Understanding 

Umbraco.TV will help you go from zero to Umbraco hero at a pace that suits you. Our easy to follow online training videos + written docs will give you the fundamental knowledge to start building awesome Umbraco websites, without burning a hole in your pocket!

Drupal has a steep learning curve. True that! 

But the content is easily available on the web. You can access learning material on Acquia, OSTraining, and Drupalize.me. Leaving Drupalize.me aside both the sources are free and available for all. 

It’s a Tie!


Round Eight: Hosting and Deployment

Drupal is hosting-service agnostic which can be deployed to any hosting service that supports PHP-based web applications. It stores the site configuration data in a consistent manner. It is easy to move configuration between environments like development, test and production environments.

Umbraco solutions are typically hosted by Microsoft Azure. To aid in deployment to Azure, Umbraco comes with an Azure toolkit consisting of ready-to-run command scripts, performance optimisation configurations, security essentials and many more. 

Being hosting-service agnostic, Drupal does the better job in this category.

Drupal Wins!


Conclusion

Every CMS has its own set of advantages. The choice of CMS is generally influenced by what your web project’s requirements are. The questions that follow are: What functionality or features are needed? 

In my opinion, Drupal has a bonus point for maintaining a modules directory that lets you search and manage the content. 

It's easier to customize components—views, lists, blocks, admin tools, and more—than ever before. Control how data is displayed without using a single line of code.

Drop a mail at [email protected] to discuss your business goals.

blog banner blog image Blog Type Articles Is it a good read ? On

OPTASY: Media Handling in Drupal 8.6.0: 4 New Features that Will Enhance Your Media Management Experience in Drupal

Planet Drupal -

Media Handling in Drupal 8.6.0: 4 New Features that Will Enhance Your Media Management Experience in Drupal silviu.serdaru Fri, 09/21/2018 - 11:05

The media management experience had been one of the well-known sources of frustration for Drupal content editors for a long time. For, let's face it: Drupal's out-of-the-box media support was just... basic. But not anymore: there are new exciting features for media handling in Drupal 8.6.0 that will dramatically change the way you manage your media assets on your Drupal website!

Now, let's take a sneak peek at these most-anticipated media handling features that Drupal 8.6.0 comes equipped with:
 

Chocolate Lily: Managing Shared Configuration Part 5: Updating from Extensions

Planet Drupal -

This is the fifth installment in a series presenting work on shared configuration that comes out of the Drutopia initiative and related efforts. To catch up, see Part 1, Configuration Providers, Part 2, Configuration Snapshots, Part 3, Respecting Customizations, and Part 4, Configuration Alters.

In this installment we'll start to pull it all together.

Paraphrasing a bit from Part 1, we described a key problem this way:

How can I update my site so that I have all the latest configuration changes from a distribution--while still retaining any customizations I made?

In Part 1 we mentioned Fabian Bircher's widely used Configuration Split module and its enabling API module, Config Filter, returning in Part 3 to give a more detailed introduction. In Part 2, we summarized the API and accompanying user interface that core provides for staging configuration. Here we'll take a deep dive into how we can merge in configuration updates from installed extensions through an approach that's built on Config Filter and closely parallels core's configuration staging.

Mediacurrent: The State of Drupal in 2019

Planet Drupal -

As we enter the month of September and start planning for 2019, it’s a good time to take stock of where Drupal is as a project and see where it’s headed next year and beyond.

Dries Buytaert, founder of Drupal, recently wrote his thoughts around the timeline for Drupal 9 and “end of life” for Drupal 7 and 8. We will look at current Drupal 8 adoption and assess where we sit in 2019 as well.

An important part of this discussion that deserves attention is the rise of Javascript as a programming language, in particular, the rise of React.js. This technology has put CMSs like Drupal in an interesting position. We will look at how React/Javascript are evolving the web and assess what that means for the future of Drupal.

Finally, we will wrap up with thoughts on what these changes mean for both developers and organizations that use Drupal today or evaluating Drupal.

Drupal 8 Adoption

As mentioned previously, Dries has offered his thoughts on the proposed timeline for Drupal 9 in a recent blog entry on his website (see below).

In early September Drupal 8 released version 8.6.0 which included major improvements to the layout system, new media features, and better migration support. This is in addition to many other improvements that have been released since Drupal 8.0 was first unveiled in late 2015.

In terms of adoption, Drupal has picked up steam with 51% growth from April 2017 to April 2018.

Dries Keynote Drupalcon 2018

As encouraging is that news is, it’s still should be noted that Drupal 7’s popularity still far exceeds Drupal 8 both in current usage (800k compared to 210k+ sites) and in terms of growth year over year. 

Drupal’s weekly project usage from August, 2018

Drupal 7 will reach its end of life likely around November 2021 with paid support extending the lifetime with commercial support (as was the case with Drupal 6). Will Drupal 8 reach the level of usage and popularity D7 has? Perhaps not but that is largely due to focus on more robust, “enterprise” level features.

Drupal as a CMS sits largely in between Wordpress and enterprise proprietary CMSs like Adobe CMS and Sitecore in the marketplace. With the release of Drupal 8, the project moved more into the direction of enterprise features (which could explain some of the fall-off in adoption).

Pantheon had two excellent presentations (also at Drupalcon Nashville) that dive deeper into Drupal’s position in relation to other projects, most notably Wordpress. I would recommend watching WordPress vs Drupal: How the website industry is evolving and What's possible with WordPress 5.0 for more information on this topic.

According to builtwith.com, Drupal still has a sizable chunk of Alexa’s Top Million Sites. It should also be noted that Drupal does better the higher you go up the list of those sites which underscores the project’s focus on the enterprise.

CMS market share (builtwith.com)

 

Drupal usage statistics (builtwith.com)

With the release of Drupal 8, Drupal’s target audience started consolidating more towards the enterprise user. In the future Drupal’s success as a project will be tied more closely to performance against platforms like Adobe CMS and Sitecore in the marketplace.

React (and Javascript) Take Over the World

The thing about Javascript is that it’s been around forever (in tech terms) but recently has taken off. I won’t detail all the reasons here. Seth Brown from Lullabot has one of the best write-ups I have seen from a Drupal community perspective. In short, the ability now to run Javascript both in the browser and on the server (Node.js) has led the surge in Javascript development. Github shows us that more projects are built with Javascript than any other technology and Stack Overflow’s survey tells us that Javascript is the current language of choice.

Stack Overflow 2018 survey results

Github projects 2018

Dries recognizes the importance of Javascript and has spoken about this recently at MIT. In a bit, we will look at some of Dries’ ideas for the future in relation to the Drupal project.

A few years ago we saw several Javascript frameworks pop up. These became very popular for single page applications (SPA) but also had broader appeal because they could make any website feel more interactive. React.js & Ember.js were both released in 2015 and Angular.js is older but has started getting more attention around the same time.

A big issue that needed to be solved with these frameworks was how to address SEO. Initially, these frameworks only rendered the page in the browser which meant site content was largely hidden from search engines. For SPA’s this was not necessarily a deal breaker but this limited the broader adoption of this technology.

Only fairly recently have we seen solutions that are able to use the same framework to serve pages both in the browser and on the server. Why do I bring this up? Because this has been one of the more difficult challenges and React.js addresses it better than any other framework. There are many reasons why React.js adoption is exploding but this is why I believe React is king.

The State of Javascript report from 2017 is often referenced to illustrate React’s popularity (see below):

John Hannah also has some great graphs on javascriptreport.com that demonstrate React’s dominance in this space (see below).

Npm downloads by technology (1 month)

Npm downloads by technology (1 year)

Finally it should be noted that Facebook’s technology, GraphQL paired with React.js is also on the rise and intertwined with the growth of this technology. GraphQL will come into play when we look at how CMSs are adapting to the surge in Javascript and Frontend frameworks.

React and the CMS

Is React compatible with CMSs of ‘ole (e.g. Wordpress, Drupal, etc.)? Well, yes and no. You can integrate React.js with a Drupal or Wordpress theme like you can many other technologies. In fact, it’s very likely that Drupal’s admin interface will run on React at some point in the future. There is already an effort underway by core maintainers to do so. Whether or not the admin will be fully decoupled is an open question. 

Another example of React admin integration is none other than Wordpress’ implementation of React.js to create the much anticipated Gutenberg WYSIWYG editor.

Gutenberg editor

In terms of websites in the wild using React with Drupal, there have been solutions out there (TWC, NBA, and others) for many years that use Drupal in a “progressively decoupled” way. The “progressive” approach will still exist as an option in years to come. Dries wrote about this recently in his blog post entitled “How to decouple Drupal in 2018.”

The problem I have with this type of solution is that sometimes you get the best (and worst) of both worlds trying to bolt on a Javascript framework onto a classic templating system. The truth is that Drupal’s templating theme layer is going to have trouble adapting to the new world we now live in (addressed in detail at Drupalcon’s “Farewell to Twig”). 

The real power of React is when you can combine it with GraphQL, React router and other pieces to create a highly performant, interactive experience that users will demand in years to come. To accomplish this type of app-like experience, developers are increasingly looking to API’s to address this dilemma, which we will examine next.

CMS as an API

The last couple of years there have been many Cloud CMS-as-an-API services pop up that have been generating some attention (Contentful might be the most popular). At this time it doesn’t appear that these API’s have disrupted market share for Wordpress & Drupal but they do signify a movement towards the idea of using a CMS as a content service. 

The “Decoupled” movement in the Drupal community (previously known as “Headless”) has been a big topic of conversation for a couple of years now. Mediacurrent’s own Matt Davis has helped organize two “Decoupled Days” events to help the Drupal community consolidate ideas and approaches. Projects like Contenta CMS have helped advance solutions around a decoupled architecture. Dries has also addressed Drupal’s progress towards an “API-first” approach recently on his blog.

While cloud services like Contentful are intriguing there is still no better content modeling tool that Drupal. Additionally, Drupal 8 is already well underway to support JSON API and GraphQL, with the potential to move those modules into core in the near future.

As I look at the landscape of the modern technology stack, I believe Drupal will flourish in the enterprise space as a strong content API paired with the leading Javascript Frontend. React & GraphQL have emerged as the leading candidates to be that Frontend of record.

Next, we will look at a relatively new entrant to the family, JAM stacks, and see where they fit in with Drupal (if at all?) in the future.

JAMStacks - The Silver Bullet?

The popularity of Netlify hosting and static generators has created some buzz in the Drupal community, particularly Gatsby.js, which we will examine in a moment.

Netlify provides some great tooling for static hosted sites and even offers its own cloud CMS. Mediacurrent actually hosts our own website (Mediacurrent.com) on Netlify. Mediacurrent.com runs on Jekyll which integrates with a Drupal 8 backend so we are well aware of some of the benefits and drawbacks of running a static site.

Where Drupal fits into the JAM stack is as the ‘A’ (for API), with ‘J’ being the Javascript Frontend (i.e. React) and ‘M’ being the statically generated markup. Back in 2016 we liked this idea and settled on Jekyll as the tool of choice for our rebuild as it was the most popular and well supported project at the time.

Since then Gatsby.js has risen dramatically in popularity and has a robust source plugin system that enables it to be used as a Frontend for many platforms including Drupal and Wordpress.

The creator of Gatsby, former Drupal developer Kyle Matthews recently spoke on the subject at Decoupled Days 2018. While it’s hard to know if JAM stacks like Gatsby having staying power in the years ahead they do have a lot of appeal in that they simplify many of the decoupled “hard problems” developers commonly run into. The question of scalability is an important one yet to be answered completely but the upside is tremendous. In a nutshell, Gatsby provides an amazingly performant, React/GraphQL solution that can pull in content from practically any source (including Drupal).

Do JAM stacks like Gatsby have staying power? Will these close the complexity gap that blocks more sites (large or not) from decoupling? We will have to stay tuned but the possibilities are intriguing.

Looking Ahead

We have examined the state of Drupal as a project, future release plans and how it is adapting towards a future that is “API First” that also fits well with the React world in which we now live. 

The main takeaway I would offer here is that Drupal, while still an amazing tool for managing content, is better suited as a technology paired with a leading Frontend like React. With the web evolving from monolithic systems to more of a services-type approach, it makes sense to use a best-in-class content modeling tool like Drupal with a best-in-class FE framework like React.js. 

What does that mean for the average Drupal developer? My advice to Drupal developers is to “Learn Javascript, deeply.” There is no time like the present to get more familiar with the latest and greatest technology including GraphQL.

For organizations evaluating Drupal, I do think the “Decoupled” approach should be strongly considered when planning your next redesign or build. That being said, it’s important to have an understanding of how the pieces fit together as well as the challenges and risk to any approach. This article attempts to present a high-level overview of the technology landscape and where it’s headed but every organization’s needs are unique. At Mediacurrent we work with clients to educate them on the best solution for their organization. 

Have questions or feedback? Hit me up at https://twitter.com/drupalninja/

Palantir: Workbench Tabs in Drupal 8

Planet Drupal -

Workbench Tabs in Drupal 8 brandt Thu, 09/20/2018 - 11:04 Bec White Sep 20, 2018

Workbench Tabs is here to help "Edit" tabs and Drupal messages into the Toolbar.

In his blog post outlining the roadmap to Drupal 9 published last week, Dries Buytaert states that “if you are on Drupal 8, you just have to keep your Drupal 8 site up-to-date and you'll be ready for Drupal 9.” The maturity of Drupal 8 and its solid upgrade path make this the time to migrate your site to Drupal 8.

We’re excited to announce that the Palantir team released a new Workbench module this month for Drupal 8 called Workbench Tabs. We have used this module to improve editorial usability on nearly all of our Drupal 8 projects, and it has been public on Github for a while now, but now it's available on Drupal.org!

What is Workbench?

Workbench is a suite of modules released by Palantir to help solve common editorial problems in Drupal. The core Workbench module is largely a collection of custom Views that create dashboards for content editors. Its widespread use by organizations in government, higher education, nonprofits, and media is a testament to the module suite, and its capabilities have been helping editorial teams manage workflows and permissions since Drupal 7.

What does Workbench Tabs do?

Workbench Tabs integrates local task tabs and Drupal messages into the Toolbar. What exactly does that mean?

  • Editorial usability is improved by placing the "Edit," "View," "Revisions," and "Delete" tabs in a consistent location
  • Custom themes don't need to place and style the local task tabs
  • Drupal messages will be separated from the content layout

 

++ to the Palantir team members that made this happen: Patrick, Ashley, Ken, Avi, and Bec.

Want to learn more about Workbench in Drupal 8? Drop us a line through our contact form, or reach out to us on Twitter @Palantir.

Community Development Drupal Workbench

mark.ie: Responsive Images with PatternLab and Drupal - the easy way

Planet Drupal -

Responsive Images with PatternLab and Drupal - the easy way

Responsive images in PatternLab get a bit of a bad rap sometimes, because they are tricky to have in PL and Drupal. Here's my "easy way" of achieving it.

markconroy Thu, 09/20/2018 - 16:39

This came up today in the DrupalTwig Slack (join it). A user wanted to know how to use responsive images with the Emulsify Drupal theme. I don't use the Emulsify theme (yet - I will soon), though Four Kitchens, the geniuses who created it, have responsive images built in. Recently I created my own - simple and rudimentary, but it works a treat.

I first create a "Responsive Image" pattern. In this I have two files - responsive-image.twig and responsive-image.yml. Here's the contents:

responsive-image.twig:

responsive-image.yml:

image_src_sets:
  join():
    - 'https://placeimg.com/500/500/nature 500w, '
    - 'https://placeimg.com/1000/750/nature 1000w, '
    - 'https://placeimg.com/1440/475/nature 1440w'

image_sizes: '(max-width: 600px) 100vw, (max-width: 960px) 100vw'

To use it in another component, I just call a variable and set that variable in the YML file.

For example, to call the hero image as a responsive image in my event component, I'll print this: {{ hero_image }}. Then in my corresponding event.yml file, I'll define the hero_image item like so:

hero_image:
  join():
    - include():
        pattern: 'basic-elements-responsive-image'
        with:
          image_src_sets:
            join():
              - 'https://placeimg.com/600/600/tech 500w, '
              - 'https://placeimg.com/1200/360/nature 1000w'

Then in my Drupal template I just swap my image field variable for the responsive image one, like this:

{% if node.field_hero_image.value %}
  {% set hero_image: content.field_hero_image %}
{% endif %}
{% include ... usual path to component stuff ... %}

Drupal then renders the image field using whatever settings I have given it in Drupal - presumably responsive image ones.

This post might not help you if you are using Emulsify, but it might help others who stumble upon it.

Specbee: The Experts Speak - What makes Drupal 8 so appealing?

Planet Drupal -

Drupal 8 is not just packed with features that alleviate digital experiences for the end user but is also making life easier for developers, content authors and site builders. So here are some insights from some of the top (and passionate) Drupal experts and developers on Drupal 8 and how it has significantly refined and eased the way they work.

Introducing the Cloudflare Onion Service

Cloudflare Blog -

  • When: a cold San Francisco summer afternoon
  • Where: Room 305, Cloudflare
  • Who: 2 from Cloudflare + 9 from the Tor Project

What could go wrong?

Bit of Background

Two years ago this week Cloudflare introduced Opportunistic Encryption, a feature that provided additional security and performance benefits to websites that had not yet moved to HTTPS. Indeed, back in the old days some websites only used HTTP --- weird, right? “Opportunistic” here meant that the server advertised support for HTTP/2 via an HTTP Alternative Service header in the hopes that any browser that recognized the protocol could take advantage of those benefits in subsequent requests to that domain.

Around the same time, CEO Matthew Prince wrote about the importance and challenges of privacy on the Internet and tasked us to find a solution that provides convenience, security, and anonymity.

From neutralizing fingerprinting vectors and everyday browser trackers that Privacy Badger feeds on, all the way to mitigating correlation attacks that only big actors are capable of, guaranteeing privacy is a complicated challenge. Fortunately, the Tor Project addresses this extensive adversary model in Tor Browser.

However, the Internet is full of bad actors, and distinguishing legitimate traffic from malicious traffic, which is one of Cloudflare’s core features, becomes much more difficult when the traffic is anonymous. In particular, many features that make Tor a great tool for privacy also make it a tool for hiding the source of malicious traffic. That is why many resort to using CAPTCHA challenges to make it more expensive to be a bot on the Tor network. There is, however, a collateral damage associated with using CAPTCHA challenges to stop bots: humans eyes also have to deal with them.

One way to minimize this is using privacy-preserving cryptographic signatures, aka blinded tokens, such as those that power Privacy Pass.

The other way is to use onions.

Here Come the Onions

Today’s edition of the Crypto Week introduces an “opportunistic” solution to this problem, so that under suitable conditions, anyone using Tor Browser 8.0 will benefit from improved security and performance when visiting Cloudflare websites without having to face a CAPTCHA. At the same time, this feature enables more fine-grained rate-limiting to prevent malicious traffic, and since the mechanics of the idea described here are not specific to Cloudflare, anyone can reuse this method on their own website.

Before we continue, if you need a refresher on what Tor is or why we are talking about onions, check out the Tor Project website or our own blog post on the DNS resolver onion from June.

As Matthew mentioned in his blog post, one way to sift through Tor traffic is to use the onion service protocol. Onion services are Tor nodes that advertise their public key, encoded as an address with .onion TLD, and use “rendezvous points” to establish connections entirely within the Tor network:

While onion services are designed to provide anonymity for content providers, media organizations use them to allow whistleblowers to communicate securely with them and Facebook uses one to tell Tor users from bots.

The technical reason why this works is that from an onion service’s point of view each individual Tor connection, or circuit, has a unique but ephemeral number associated to it, while from a normal server’s point of view all Tor requests made via one exit node share the same IP address. Using this circuit number, onion services can distinguish individual circuits and terminate those that seem to behave maliciously. To clarify, this does not mean that onion services can identify or track Tor users.

While bad actors can still establish a fresh circuit by repeating the rendezvous protocol, doing so involves a cryptographic key exchange that costs time and computation. Think of this like a cryptographic dial-up sequence. Spammers can dial our onion service over and over, but every time they have to repeat the key exchange.

Alternatively, finishing the rendezvous protocol can be thought of as a small proof of work required in order to use the Cloudflare Onion Service. This increases the cost of using our onion service for performing denial of service attacks.

Problem solved, right?

Not quite. As discussed when we introduced the hidden resolver, the problem of ensuring that a seemingly random .onion address is correct is a barrier to usable security. In that case, our solution was to purchase an Extended Validation (EV) certificate, which costs considerably more. Needless to say, this limits who can buy an HTTPS certificate for their onion service to a privileged few.

Some people disagree. In particular, the new generation of onion services resolves the weakness that Matthew pointed to as a possible reason why the CA/B Forum only permits EV certificates for onion services. This could mean that getting Domain Validation (DV) certificates for onion services could be possible soon. We certainly hope that’s the case.

Still, DV certificates lack the organization name (e.g. “Cloudflare, Inc.”) that appears in the address bar, and cryptographically relevant numbers are nearly impossible to remember or distinguish for humans. This brings us back to the problem of usable security, so we came up with a different idea.

Looking at onion addresses differently

Forget for a moment that we’re discussing anonymity. When you type “cloudflare.com” in a browser and press enter, your device first resolves that domain name into an IP address, then your browser asks the server for a certificate valid for “cloudflare.com” and attempts to establish an encrypted connection with the host. As long as the certificate is trusted by a certificate authority, there’s no reason to mind the IP address.

Roughly speaking, the idea here is to simply switch the IP address in the scenario above with an .onion address. As long as the certificate is valid, the .onion address itself need not be manually entered by a user or even be memorable. Indeed, the fact that the certificate was valid indicates that the .onion address was correct.

In particular, in the same way that a single IP address can serve millions of domains, a single .onion address should be able to serve any number of domains.

Except, DNS doesn’t work this way.

How does it work then?

Just as with Opportunistic Encryption, we can point users to the Cloudflare Onion Service using HTTP Alternative Services, a mechanism that allows servers to tell clients that the service they are accessing is available at another network location or over another protocol. For instance, when Tor Browser makes a request to “cloudflare.com,” Cloudflare adds an Alternative Service header to indicate that the site is available to access over HTTP/2 via our onion services.

In the same sense that Cloudflare owns the IP addresses that serve our customers’ websites, we run 10 .onion addresses. Think of them as 10 Cloudflare points of presence (or PoPs) within the Tor network. The exact header looks something like this, except with all 10 .onion addresses included, each starting with the prefix “cflare”:

alt-svc: h2="cflare2nge4h4yqr3574crrd7k66lil3torzbisz6uciyuzqc2h2ykyd.onion:443"; ma=86400; persist=1

This simply indicates that the “cloudflare.com” can be authoritatively accessed using HTTP/2 (“h2”) via the onion service “cflare2n[...].onion”, over virtual port 443. The field “ma” (max-age) indicates how long in seconds the client should remember the existence of the alternative service and “persist” indicates whether alternative service cache should be cleared when the network is interrupted.

Once the browser receives this header, it attempts to make a new Tor circuit to the onion service advertised in the alt-svc header and confirm that the server listening on virtual port 443 can present a valid certificate for “cloudflare.com” — that is, the original hostname, not the .onion address.

The onion service then relays the Client Hello packet to a local server which can serve a certificate for “cloudflare.com.” This way the Tor daemon itself can be very minimal. Here is a sample configuration file:

SocksPort 0 HiddenServiceNonAnonymousMode 1 HiddenServiceSingleHopMode 1 HiddenServiceVersion 3 HiddenServicePort 443 SafeLogging 1 Log notice stdout

Be careful with using the configuration above, as it enables a non-anonymous setting for onion services that do not require anonymity for themselves. To clarify, this does not sacrifice privacy or anonymity of Tor users, just the server. Plus, it improves latency of the circuits.

If the certificate is signed by a trusted certificate authority, for any subsequent requests to “cloudflare.com” the browser will connect using HTTP/2 via the onion service, sidestepping the need for going through an exit node.

Here are the steps summarized one more time:

  1. A new Tor circuit is established;
  2. The browser sends a Client Hello to the onion service with SNI=cloudflare.com;
  3. The onion service relays the packet to a local server;
  4. The server replies with Server Hello for SNI=cloudflare.com;
  5. The onion service relays the packet to the browser;
  6. The browser verifies that the certificate is valid.

To reiterate, the certificate presented by the onion service only needs to be valid for the original hostname, meaning that the onion address need not be mentioned anywhere on the certificate. This is a huge benefit, because it allows you to, for instance, present a free Let’s Encrypt certificate for your .org domain rather than an expensive EV certificate.

Convenience, ✓

Distinguishing the Circuits

Remember that while one exit node can serve many many different clients, from Cloudflare’s point of view all of that traffic comes from one IP address. This pooling helps cover the malicious traffic among legitimate traffic, but isn’t essential in the security or privacy of Tor. In fact, it can potentially hurt users by exposing their traffic to bad exit nodes.

Remember that Tor circuits to onion services carry a circuit number which we can use to rate-limit the circuit. Now, the question is how to inform a server such as nginx of this number with minimal effort. As it turns out, with only a small tweak in the Tor binary, we can insert a Proxy Protocol header in the beginning of each packet that is forwarded to the server. This protocol is designed to help TCP proxies pass on parameters that can be lost in translation, such as source and destination IP addresses, and is already supported by nginx, Apache, Caddy, etc.

Luckily for us, the IPv6 space is so vast that we can encode the Tor circuit number as an IP address in an unused range and use the Proxy Protocol to send it to the server. Here is an example of the header that our Tor daemon would insert in the connection:

PROXY TCP6 2405:8100:8000:6366:1234:ABCD ::1 43981 443\r\n

In this case, 0x1234ABCD encodes the circuit number in the last 32 bits of the source IP address. The local Cloudflare server can then transparently use that IP to assign reputation, show CAPTCHAs, or block requests when needed.

Note that even though requests relayed by an onion service don’t carry an IP address, you will see an IP address like the one above with country code “T1” in your logs. This IP only specifies the circuit number seen by the onion service, not the actual user IP address. In fact, 2405:8100:8000::/48 is an unused subnet allocated to Cloudflare that we are not routing globally for this purpose.

This enables customers to continue detecting bots using IP reputation while sparing humans the trouble of clicking on CAPTCHA street signs over and over again.

Security, ✓

Why should I trust Cloudflare?

You don’t need to. The Cloudflare Onion Service presents the exact same certificate that we would have used for direct requests to our servers, so you could audit this service using Certificate Transparency (which includes Nimbus, our certificate transparency log), to reveal any potential cheating.

Additionally, since Tor Browser 8.0 makes a new circuit for each hostname when connecting via an .onion alternative service, the circuit number cannot be used to link connections to two different sites together.

Note that all of this works without running any entry, relay, or exit nodes. Therefore the only requests that we see as a result of this feature are the requests that were headed for us anyway. In particular, since no new traffic is introduced, Cloudflare does not gain any more information about what people do on the internet.

Anonymity, ✓

Is it faster?

Tor isn’t known for being fast. One reason for that is the physical cost of having packets bounce around in a decentralized network. Connections made through the Cloudflare Onion Service don’t add to this cost because the number of hops is no more than usual.

Another reason is the bandwidth costs of exit node operators. This is an area that we hope this service can offer relief since it shifts traffic from exit nodes to our own servers, reducing exit node operation costs along with it.

BONUS: Performance, ✓

How do I enable it?

Onion Routing is now available to all Cloudflare customers, enabled by default for Free and Pro plans. The option is available in the Crypto tab of the Cloudflare dashboard.

Browser support

We recommend using Tor Browser 8.0, which is the first stable release based on Firefox 60 ESR, and supports .onion Alt-Svc headers as well as HTTP/2. The new Tor Browser for Android (alpha) also supports this feature. You can check whether your connection is routed through an onion service or not in the Developer Tools window under the Network tab. If you're using the Tor Browser and you don't see the Alt-Svc in the response headers, that means you're already using the .onion route. In future versions of Tor Browser you'll be able to see this in the UI.

We've got BIG NEWS. We gave Tor Browser a UX overhaul.

Tor Browser 8.0 has a new user onboarding experience, an updated landing page, additional language support, and new behaviors for bridge fetching, displaying a circuit, and visiting .onion sites.https://t.co/fpCpSTXT2L pic.twitter.com/xbj9lKTApP

— The Tor Project (@torproject) September 5, 2018

There is also interest from other privacy-conscious browser vendors. Tom Lowenthal, Product Manager for Privacy & Security at Brave said:

Automatic upgrades to `.onion` sites will provide another layer of safety to Brave’s Private Browsing with Tor. We’re excited to implement this emerging standard.Any last words?

Similar to Opportunistic Encryption, Opportunistic Onions do not fully protect against attackers who can simply remove the alternative service header. Therefore it is important to use HTTPS Everywhere to secure the first request. Once a Tor circuit is established, subsequent requests should stay in the Tor network from source to destination.

As we maintain and improve this service we will share what we learn. In the meanwhile, feel free to try out this idea on Caddy and reach out to us with any comments or suggestions that you might have.

Acknowledgments

Patrick McManus of Mozilla for enabling support for .onion alternative services in Firefox; Arthur Edelstein of the Tor Project for reviewing and enabling HTTP/2 and HTTP Alternative Services in Tor Browser 8.0; Alexander Færøy and George Kadianakis of the Tor Project for adding support for Proxy Protocol in onion services; the entire Tor Project team for their invaluable assistance and discussions; and last, but not least, many folks at Cloudflare who helped with this project.

Addresses used by the Cloudflare Onion Servicecflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion cflarenuttlfuyn7imozr4atzvfbiw3ezgbdjdldmdx7srterayaozid.onion cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion cflareusni3s7vwhq2f7gc4opsik7aa4t2ajedhzr42ez6uajaywh3qd.onion cflareki4v3lh674hq55k3n7xd4ibkwx3pnw67rr3gkpsonjmxbktxyd.onion cflarejlah424meosswvaeqzb54rtdetr4xva6mq2bm2hfcx5isaglid.onion cflaresuje2rb7w2u3w43pn4luxdi6o7oatv6r2zrfb5xvsugj35d2qd.onion cflareer7qekzp3zeyqvcfktxfrmncse4ilc7trbf6bp6yzdabxuload.onion cflareub6dtu7nvs3kqmoigcjdwap2azrkx5zohb2yk7gqjkwoyotwqd.onion cflare2nge4h4yqr3574crrd7k66lil3torzbisz6uciyuzqc2h2ykyd.onion

Subscribe to the blog for daily updates on our announcements.

OSTraining: How to Integrate a Calendar in Drupal 8

Planet Drupal -

One of our customers asked us how to integrate a calendar with events on their site.

The Calendar module is the most popular module in Drupal 7 with over 1 million downloads. Unfortunately, the module is still under development for Drupal 8.

Another option is the Full Calendar View module. This module is by far not as popular as Calendar, but it does its work well.

This tutorial will explain the usage of this module. Let’s start!

myDropWizard.com: So, When Do I REALLY Need to Upgrade From Drupal 7?

Planet Drupal -

Drupal 8 was released on November 19, 2015 - nearly three years ago. The drastic architectural changes created a difficult upgrade path for those running Drupal 7. With the huge amount of investment in Drupal 7 over the previous 5 years, this set off shockwaves of fear across the Drupal ecosystem. Recently, Dries Buytaert, the project lead for Drupal, announced the planned launch of Drupal 9 in 2020. That signals the "End of Life" of Drupal 7 in November 2021. When do I need to upgrade?

By the way, that is more than ten years after the release of the first version of Drupal 7!

It's also the date of the "End of Life" of Drupal 8 (more on that later).

TEN7 Blog's Drupal Posts: Episode 039: Drew Gorton

Planet Drupal -

Today, it is our privilege to be talking with Drew Gorton, Director of Developer Relations at Pantheon and long time web veteran. Here's what we're discussing in this podcast: Drew's history; Cherishing our kids; What is Prairie High School; Going to St. Olaf College; How to choose a college major or not; Teaching English in Japan; Learning to swim and function in an unknown culture; Starting a tech career in Japan of all places; Building world cultural exchange with websites; Building Gorton Studios; Access a database? We don't need no stinkin' ticket!; Contributing Backup and Migrate Drupal modules; NodeSquirrel; Becoming a part of the Pantheon family; The joy of leading wonderful teams; The joy of cooking; The nerd and his love of science fiction.

Nextide Blog: Automating HR Business Processes

Planet Drupal -

Gartner recently released an interesting tech note discussing how automated business processes and online integration and transformation of business workflow should be a focus for businesses. By 2022, 50% of digital business technology platform projects will connect events to business outcomes using event-driven intelligent business process management suite (iBPMS)-oriented frameworks - here is a link to the Gartner article.

Nextide Blog: Create a New Content Entity During Module Update

Planet Drupal -

As Drupal module maintainers, we at Nextide need to be constantly updating our modules to add new features or patch issues.  Whether your module is available for download or is a custom module for a client site, you can't expect users to uninstall and reinstall it to pick up new features.  If you have data or configuration changes, update hooks are mandatory to learn.  This post will show how we created a new content entity in a Drupal update hook.

Droptica: Droopler 1.3 allows you to make even better websites. See why it's worth using!

Planet Drupal -

At Droptica we have always wanted to solve the problem of time-consuming creation of Drupal 8-based small pages from scratch. Finally, we have been able to achieve satisfactory results with Droopler. Version 1.3 is even better. Why did we make Droopler? We regularly make small pages for our needs (for example for marketing campaigns or events like DrupalCamp Poland) as well as for our clients. Making a small website from scratch is time-consuming with Drupal 8, especially if you compare it to Drupal 7 or WordPress. It takes a lot of time to create a nice template that will work well on mobile devices, be easy to expand and comfortable to change.

Pages

Subscribe to Cruiskeen Consulting LLC aggregator - Drupal News