Using a Drupal 6 instance as an application

GlenRanson's picture

Hi

We have an unusual situation where we are updating a large Drupal 6 site that is using the fantastic wrapper module (https://drupal.org/project/wrapper), but it's just not cost effective to port this large module to Drupal 7. So we have been looking for alternatives. I have posted on the govt groups (https://groups.drupal.org/node/304778), but thought I should get best practice ideas as far as security goes for keeping the Drupal 6 instance secure, at least short term, and running the wrapper as it does at the moment. We would then use our Drupal 7 instance to talk to the D6 instance and get the wrapped pages. However, we need to have a secure way to use this Drupal 6 instance beyond the cut-off of support when D8 comes out. We have thought of configuring an Apache reverse proxy on the server to communicate from the Drupal 7 instance to the Drupal 6 instance, and the D6 instance will of course not be viewable or accessible externally, only through D7 and the proxy.

Any ideas would be appreciated! Especially ways to protect the D6 instance going forward.

Thanks

Comments

Some loose ideas

perusio's picture
  1. Put the access to the Drupal 6 site admin behind a Basic Auth over SSL.

  2. Disable all unused modules.

  3. Make the site inaccessible from the outside. Make it accessible only from
    the D7 site using an API if possible.

  4. Make both sites live on the same VLAN.

  5. Constrain the access to the D6 site to be done over the VLAN by blocking
    all other accesses at the server level.

  6. Constrain the PHP scripts execution on both the D6 and D7 site.

  7. Parse the returned HTML for XSS vulns.

For a start...
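
An added example for item 7 of the list above, not code from either poster: a check the D7 side could run on each page body fetched from the D6 instance before embedding it. The policy sets, function names and sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed policy, not from the thread: wrapped D6 pages may carry markup,
# but nothing that can run script once D7 embeds them.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "base"}
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}
C0_AND_SPACE = "".join(map(chr, range(0x21)))


def url_scheme(value):
    """Return the scheme as a browser would read it, or '' if there is none."""
    # Browsers drop tab/CR/LF anywhere in a URL and trim leading control chars.
    cleaned = value.translate({9: None, 10: None, 13: None}).lstrip(C0_AND_SPACE)
    head, sep, _ = cleaned.partition(":")
    return head.lower() if sep else ""


class WrappedPageScanner(HTMLParser):
    """Collects (line, tag, reason) for each script-capable construct."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, tag, "active element"))
        for name, value in attrs:  # names arrive lowercased, values entity-decoded
            if name.startswith("on"):
                self.findings.append((line, tag, "event handler " + name))
            elif name in URL_ATTRS and url_scheme(value or "") in SCRIPT_SCHEMES:
                self.findings.append((line, tag, "script-capable URL in " + name))


def scan_wrapped_html(html):
    """Parse one page body and return its findings (empty list means clean)."""
    scanner = WrappedPageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample of a page body returned by the D6 instance.
SAMPLE = """<div class="wrapper">
<p onmouseover="track()">Report</p>
<a href="&#106;ava&#9;script:void(0)">next</a>
<script src="/misc/legacy.js"></script>
<img src="/files/chart.png" alt="chart" />
</div>"""
```

The scanner only reports findings; it does not rewrite or sanitize the HTML, so a non-empty result is a reason to reject or review the page rather than embed it.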
