Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

The Firewall module acts as a self-controlled web application firewall, allowing administrators to define rules for controlling inbound access based on hostnames, paths, HTTP methods, and parameter combinations. This enables granular control over different subdomains or public-facing paths within a Drupal site.

The Firewall module allows you to control inbound access based on rules with host, paths, methods, and parameter combination. It's a kind of self controlled "Web application firewall".

WARNING: This module is on early stage of development and there might be API changes etc. So the code can and should only be downloaded for testing by coders. When some review and bugfixing is done there will be a dev release.

Features

The first idea behind this module is restrict access to a full featured Drupal via different hosts for example in this way:

  • "admin.example.com" can be added to bypass list and should be secured by server controlled authentication or e.g. shield module if not available.
  • "editor.example.com" can also be protected by server. But there you can also add firewall rules to deny access to "/admin" paths and redirect zo admin.example.com.
  • "public.example.com" can get a firewall rule to allow all GET requests. But you can limit PUSH requests to single paths like /form/contact and allow only a list of parameters that are allowed to send.
    With the possibility to bypass via client IP you can allow access to special API paths and block them in "public.example.com".

Post-Installation

The configuration is only possible via settings.php to keep it very lightweight because of the Middleware situation. Keep sure that all host you would give access are not protected via core trusted_hosts setting.

Example config can be found on README.md

Activity

Total releases
1
First release
Apr 2025
Latest release
1 year ago
Releases (12 mo)
0 ▼ from 1
Maintenance
Dormant

Releases

Version Type Release date
1.0.x-dev Dev Apr 10, 2025