* Drupal site-specific configuration file.
* This file may have been set to read-only by the Drupal installation program.
* If you make changes to this file, be sure to protect it again after making
* your modifications. Failure to remove write permissions to this file is a
* In order to use the selection rules below the multisite aliasing file named
* sites/sites.php must be present. Its optional settings will be loaded, and
* the aliases in the array $sites will override the default directory rules
* below. See sites/example.sites.php for more information about aliases.
* The configuration directory will be discovered by stripping the website's
* hostname from left to right and pathname from right to left. The first
* configuration file found will be used and any others will be ignored. If no
* other configuration file is found then the default configuration file at
* 'sites/default' will be used.
* For example, for a fictitious site installed at
* https://www.drupal.org:8080/my-site/test/, the 'settings.php' file is searched
* for in the following directories:
* - sites/8080.www.drupal.org.my-site.test
* - sites/www.drupal.org.my-site.test
* - sites/drupal.org.my-site.test
* - sites/org.my-site.test
* - sites/8080.www.drupal.org.my-site
* - sites/www.drupal.org.my-site
* - sites/drupal.org.my-site
* - sites/8080.www.drupal.org
* Note that if you are installing on a non-standard port number, prefix the
* hostname with that number. For example,
* https://www.drupal.org:8080/my-site/test/ could be loaded from
* sites/8080.www.drupal.org.my-site.test/.
* @see \Drupal\Core\DrupalKernel::getSitePath()
* In addition to customizing application settings through variables in
* settings.php, you can create a services.yml file in the same directory to
* register custom, site-specific service definitions and/or swap out default
* implementations with custom ones.
* The $databases array specifies the database connection or
* connections that Drupal may use. Drupal is able to connect
* to multiple databases, including multiple types of databases,
* during the same request.
* One example of the simplest connection array is shown below. To use the
* sample settings, copy and uncomment the code below between the @code and
* @endcode lines and paste it after the $databases declaration. You will need
* to replace the database username and password and possibly the host and port
* with the appropriate credentials for your database system.
* The next section describes how to customize the $databases array for more
* $databases['default']['default'] = [
* 'database' => 'database_name',
* 'username' => 'sql_username',
* 'password' => 'sql_password',
* 'collation' => 'utf8mb4_general_ci',
* Customizing database settings.
* Many of the values of the $databases array can be customized for your
* particular database system. Refer to the sample in the section above as a
* The "driver" property indicates what Drupal database driver the
* connection should use. This is usually the same as the name of the
* database type, such as mysql or sqlite, but not always. The other
* properties will vary depending on the driver. For SQLite, you must
* specify a database file name in a directory that is writable by the
* webserver. For most other drivers, you must specify a
* username, password, host, and database name.
* Drupal core implements drivers for mysql, pgsql, and sqlite. Other drivers
* can be provided by contributed or custom modules. To use a contributed or
* custom driver, the "namespace" property must be set to the namespace of the
* driver. The code in this namespace must be autoloadable prior to connecting
* to the database, and therefore, prior to when module root namespaces are
* added to the autoloader. To add the driver's namespace to the autoloader,
* set the "autoload" property to the PSR-4 base directory of the driver's
* namespace. This is optional for projects managed with Composer if the
* driver's namespace is in Composer's autoloader.
* For each database, you may optionally specify multiple "target" databases.
* A target database allows Drupal to try to send certain queries to a
* different database if it can but fall back to the default connection if not.
* That is useful for primary/replica replication, as Drupal may try to connect
* to a replica server when appropriate and if one is not available will simply
* fall back to the single primary server (The terms primary/replica are
* traditionally referred to as master/slave in database server documentation).
* The general format for the $databases array is as follows:
* $databases['default']['default'] = $info_array;
* $databases['default']['replica'][] = $info_array;
* $databases['default']['replica'][] = $info_array;
* $databases['extra']['default'] = $info_array;
* In the above example, $info_array is an array of settings described above.
* The first line sets a "default" database that has one primary database
* (the second level default). The second and third lines create an array
* of potential replica databases. Drupal will select one at random for a given
* request as needed. The fourth line creates a new database with a name of
* For MySQL, MariaDB or equivalent databases the 'isolation_level' option can
* be set. The recommended transaction isolation level for Drupal sites is
* 'READ COMMITTED'. The 'REPEATABLE READ' option is supported but can result
* in deadlocks, the other two options are 'READ UNCOMMITTED' and 'SERIALIZABLE'.
* They are available but not supported; use them at your own risk. For more
* https://dev.mysql.com/doc/refman/8.0/en/innodb-transaction-isolation-levels.html
* On your settings.php, change the isolation level:
* $databases['default']['default']['init_commands'] = [
* 'isolation_level' => 'SET SESSION TRANSACTION ISOLATION LEVEL READ COMMITTED',
* You can optionally set a prefix for all database table names by using the
* 'prefix' setting. If a prefix is specified, the table name will be prepended
* with its value. Be sure to use valid database characters only, usually
* alphanumeric and underscore. If no prefix is desired, do not set the 'prefix'
* key or set its value to an empty string ''.
* For example, to have all database table prefixed with 'main_', set:
* Advanced users can add or override initial commands to execute when
* connecting to the database server, as well as PDO connection settings. For
* example, to enable MySQL SELECT queries to exceed the max_join_size system
* variable, and to reduce the database connection timeout to 5 seconds:
* $databases['default']['default'] = [
* 'big_selects' => 'SET SQL_BIG_SELECTS=1',
* PDO::ATTR_TIMEOUT => 5,
* WARNING: The above defaults are designed for database portability. Changing
* them may cause unexpected behavior, including potential data loss. See
* https://www.drupal.org/docs/8/api/database-api/database-configuration for
* more information on these defaults and the potential issues.
* More details can be found in the constructor methods for each driver:
* - \Drupal\mysql\Driver\Database\mysql\Connection::__construct()
* - \Drupal\pgsql\Driver\Database\pgsql\Connection::__construct()
* - \Drupal\sqlite\Driver\Database\sqlite\Connection::__construct()
* Sample Database configuration format for PostgreSQL (pgsql):
* $databases['default']['default'] = [
* 'database' => 'database_name',
* 'username' => 'sql_username',
* 'password' => 'sql_password',
* Sample Database configuration format for SQLite (sqlite):
* $databases['default']['default'] = [
* 'database' => '/path/to/database_filename',
* Sample Database configuration format for a driver in a contributed module:
* $databases['default']['default'] = [
* 'driver' => 'my_driver',
* 'namespace' => 'Drupal\my_module\Driver\Database\my_driver',
* 'autoload' => 'modules/my_module/src/Driver/Database/my_driver/',
* 'database' => 'database_name',
* 'username' => 'sql_username',
* 'password' => 'sql_password',
* Sample Database configuration format for a driver that is extending another
* $databases['default']['default'] = [
* 'driver' => 'my_driver',
* 'namespace' => 'Drupal\my_module\Driver\Database\my_driver',
* 'autoload' => 'modules/my_module/src/Driver/Database/my_driver/',
* 'database' => 'database_name',
* 'username' => 'sql_username',
* 'password' => 'sql_password',
* 'namespace' => 'Drupal\parent_module',
* 'autoload' => 'core/modules/parent_module/src/',
* Location of the site configuration files.
* The $settings['config_sync_directory'] specifies the location of file system
* directory used for syncing configuration data. On install, the directory is
* created. This is used for configuration imports.
* The default location for this directory is inside a randomly-named
* directory in the public files path. The setting below allows you to set
# $settings['config_sync_directory'] = '/directory/outside/webroot';
* $settings contains environment-specific configuration, such as the files
* directory and reverse proxy address, and temporary configuration, such as
* @see \Drupal\Core\Site\Settings::get()
* Salt for one-time login links, cancel links, form tokens, etc.
* This variable will be set to a random value by the installer. All one-time
* login links will be invalidated if the value is changed. Note that if your
* site is deployed on a cluster of web servers, you must ensure that this
* variable has the same value on each server.
* For enhanced security, you may set this variable to the contents of a file
* outside your document root, and vary the value across environments (like
* production and development); you should also ensure that this file is not
* stored with backups of your database.
* $settings['hash_salt'] = file_get_contents('/home/example/salt.txt');
$settings['hash_salt'] = '[[hash_salt]]';
* Drupal's dependency injection container will be automatically invalidated and
* rebuilt when the Drupal core version changes. When updating contributed or
* custom code that changes the container, changing this identifier will also
* allow the container to be invalidated as soon as code is deployed.
# $settings['deployment_identifier'] = \Drupal::VERSION;
* Access control for update.php script.
* If you are updating your Drupal installation using the update.php script but
* are not logged in using either an account with the "Administer software
* updates" permission or the site maintenance account (the account that was
* created during installation), you will need to modify the access check
* statement below. Change the FALSE to a TRUE to disable the access check.
* After finishing the upgrade, be sure to open this file again and change the
$settings['update_free_access'] = FALSE;
* Fallback to HTTP for Update Manager and for fetching security advisories.
* If your site fails to connect to updates.drupal.org over HTTPS (either when
* fetching data on available updates, or when fetching the feed of critical
* security announcements), you may uncomment this setting and set it to TRUE to
* allow an insecure fallback to HTTP. Note that doing so will open your site up
* to a potential man-in-the-middle attack. You should instead attempt to
* resolve the issues before enabling this option.
* @see https://www.drupal.org/docs/system-requirements/php-requirements#openssl
* @see https://en.wikipedia.org/wiki/Man-in-the-middle_attack
* @see \Drupal\update\UpdateFetcher
* @see \Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher
# $settings['update_fetch_with_http_fallback'] = TRUE;
* External access proxy settings:
* If your site must access the Internet via a web proxy then you can enter the
* proxy settings here. Set the full URL of the proxy, including the port, in
* - $settings['http_client_config']['proxy']['http']: The proxy URL for HTTP
* - $settings['http_client_config']['proxy']['https']: The proxy URL for HTTPS
* You can pass in the user name and password for basic authentication in the
* URLs in these settings.
* You can also define an array of host names that can be accessed directly,
* bypassing the proxy, in $settings['http_client_config']['proxy']['no'].
# $settings['http_client_config']['proxy']['http'] = 'http://proxy_user:proxy_pass@example.com:8080';
# $settings['http_client_config']['proxy']['https'] = 'http://proxy_user:proxy_pass@example.com:8080';
# $settings['http_client_config']['proxy']['no'] = ['127.0.0.1', 'localhost'];
* Reverse Proxy Configuration:
* Reverse proxy servers are often used to enhance the performance
* of heavily visited sites and may also provide other site caching,
* security, or encryption benefits. In an environment where Drupal
* is behind a reverse proxy, the real IP address of the client should
* be determined such that the correct client IP address is available
* to Drupal's logging and access management systems. In the most simple
* scenario, the proxy server will add an X-Forwarded-For header to the request
* that contains the client IP address. However, HTTP headers are vulnerable to
* spoofing, where a malicious client could bypass restrictions by setting the
* X-Forwarded-For header directly. Therefore, Drupal's proxy configuration
* requires the IP addresses of all remote proxies to be specified in
* $settings['reverse_proxy_addresses'] to work correctly.
* Enable this setting to get Drupal to determine the client IP from the
* X-Forwarded-For header. If you are unsure about this setting, do not have a
* reverse proxy, or Drupal operates in a shared hosting environment, this
* setting should remain commented out.
* In order for this setting to be used you must specify every possible
* reverse proxy IP address in $settings['reverse_proxy_addresses'].
* If a complete list of reverse proxies is not available in your
* environment (for example, if you use a CDN) you may set the
* $_SERVER['REMOTE_ADDR'] variable directly in settings.php.
* Be aware, however, that it is likely that this would allow IP
* address spoofing unless more advanced precautions are taken.
# $settings['reverse_proxy'] = TRUE;
* Reverse proxy addresses.
* Specify every reverse proxy IP address in your environment, as an array of
* IPv4/IPv6 addresses or subnets in CIDR notation. This setting is required if
* $settings['reverse_proxy'] is TRUE.
# $settings['reverse_proxy_addresses'] = ['a.b.c.d', 'e.f.g.h/24', ...];
* Reverse proxy trusted headers.
* Sets which headers to trust from your reverse proxy.
* - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR
* - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST
* - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT
* - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO
* - \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED
* Note the default value of
* \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED
* is not secure by default. The value should be set to only the specific
* headers the reverse proxy uses. For example:
* \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO
* This would trust the following headers:
* @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR
* @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST
* @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT
* @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO
* @see \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED
* @see \Symfony\Component\HttpFoundation\Request::setTrustedProxies
# $settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED;
* By default, Drupal sends a "Vary: Cookie" HTTP header for anonymous page
* views. This tells a HTTP proxy that it may return a page from its local
* cache without contacting the web server, if the user sends the same Cookie
* header as the user who originally requested the cached page. Without "Vary:
* Cookie", authenticated users would also be served the anonymous page from
* the cache. If the site has mostly anonymous users except a few known
* editors/administrators, the Vary header can be omitted. This allows for
* better caching in HTTP proxies (including reverse proxies), i.e. even if
* clients send different cookies, they still get content served from the cache.
* However, authenticated users should access the site directly (i.e. not use an
* HTTP proxy, and bypass the reverse proxy if one is used) in order to avoid
* getting cached pages from the proxy.
# $settings['omit_vary_cookie'] = TRUE;
* Cache TTL for client error (4xx) responses.
* Items cached per-URL tend to result in a large number of cache items, and
* this can be problematic on 404 pages which by their nature are unbounded. A
* fixed TTL can be set for these items, defaulting to one hour, so that cache
* backends which do not support LRU can purge older entries. To disable caching
* of client error responses set the value to 0. Currently applies only to
# $settings['cache_ttl_4xx'] = 3600;
* Expiration of cached forms.
* Drupal's Form API stores details of forms in a cache and these entries are
* kept for at least 6 hours by default. Expired entries are cleared by cron.
* @see \Drupal\Core\Form\FormCache::setCache()
# $settings['form_cache_expiration'] = 21600;
* If the APCu extension is detected, the classloader will be optimized to use
* it. Set to FALSE to disable this.
* @see https://getcomposer.org/doc/articles/autoloader-optimization.md
# $settings['class_loader_auto_detect'] = FALSE;
* Authorized file system operations:
* The Update Manager module included with Drupal provides a mechanism for
* site administrators to securely install missing updates for the site
* directly through the web user interface. On securely-configured servers,
* the Update manager will require the administrator to provide SSH or FTP
* credentials before allowing the installation to proceed; this allows the
* site to update the new files as the user who owns all the Drupal files,
* instead of as the user the webserver is running as. On servers where the
* webserver user is itself the owner of the Drupal files, the administrator
* will not be prompted for SSH or FTP credentials (note that these server
* setups are common on shared hosting, but are inherently insecure).
* Some sites might wish to disable the above functionality, and only update
* the code directly via SSH or FTP themselves. This setting completely
* disables all functionality related to these authorized file operations.
* @see https://www.drupal.org/node/244924
* Remove the leading hash signs to disable.
# $settings['allow_authorize_operations'] = FALSE;
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
