Allow cron.php in nginx configuration so that wget works out of the box

This is by design, because we don't want to open cron.php for remote abuse, so its location is restricted to the server IP in Barracuda/Octopus, but we can't do the same in the vanilla Provision, unless we will simply add cron.php to the list of allowed PHP files by default.

Also, the wget method is not yet fully supported in the Aegir main branch #1090678: wget cron method broken for d7 sites, so I'm changing this to feature request, as it is not a bug now.

Moving to provision, as it belongs there.

The wget cron method is broken so we don't support it by design in the vanilla Provision in Nginx.
It will be added when the broken feature will be fixed.
This is a feature request, not a bug - the bug is elsewhere.

Please don't change issue status.

Again, please don't change the status, it is not a bug, it is a result of decision made, as explained above.
Wget cron method is not supported yet in Nginx by design.
If you don't like the decision, please submit a patch for review.

I think this is a valid request. If we are opened to having patches submitted for review, we should not say we will not fix this. So I am marking this as opened. I also agree that if the UI provides the option of enabling the wget method, it should work, so this could also be perceived as a bug.

Finally, I personnally believe this should work out of the box (as Drupal does allow cron.php out of the box) and if Barracuda feels this is wrong, it should be hardened there, and eventually factored into provision. But we should not cripple the implementation out of the box, especially if it confuses users (see POLA).

As I wrote already before, I will be happy to add support for wget cron method when it will be fixed in head, not before.

I believe that the correct way to fix this wtf should be to hide this option in the front-end until it is properly fixed and working also for D7.

The source of confusion is not a lack of wget cron method support in the Nginx config, it is the visibility of broken feature in the front-end.

So it looks like the related patch is already in head: http://drupal.org/node/1090678#comment-4418516

I will submit my Nginx config patch for review soon.

The patch needs review:

Add support for wget cron in the Nginx configuration.
http://drupalcode.org/sandbox/omega8cc/1111100.git/commit/14da680

That looks good - @crea, can you try the patch?

We can't force restriction by IP address because Provision has no idea on what IP to allow - the server can be on a local network with NAT, the server can have many IPs etc so it is not a Provision/Aegir job to restrict access to cron.php. This is an admin job and can be automated with other tools, like Barracuda and Octopus.

No, it is not a good idea to use basic auth - this way you will deny access to cron.php for wget completely and only manual cron after authentication will work.

Note also, that currently we include just the same level of basic configuration, and Apache version also has unrestricted access to cron.php allowed. The rest is left for the server admin.

I agree with omega8cc here, and D7 adds the cron_key so that in theory it's harder for other people to run cron on other people's sites.

This is not an Aegir job to secure the access to cron.php, so I don't plan to add anything here.

Also, I don't think anyone will ever think about working on over-complicated stuff with introducing support for auth based cron access in Aegir, when D7 has already its own method, now supported also in the Aegir head.

Marking as RTBC, as it is known to work fine.

If anyone has more ideas related to cron support, please open another feature request.

patch merged in 7.x and 6.x.