Pantheon YAML Configuration Files

Learn how to manage advanced site configuration

Discuss in our Forum Discuss in Slack

Hook into platform workflows and manage advanced site configuration via the pantheon.yml file. Add it to the root of your site's codebase, and deploy it along with the rest of your code.

Find or Create pantheon.yml

Your site's pantheon.yml configuration file can be found in the root of your site's code repository. If you have a local git clone of your site, this is the project root. When looking at the site over an SFTP connection, look in the code directory.

If the pantheon.yml file is not present, you may create one.

For reference implementations see example.pantheon.yml and Quicksilver Example Scripts.

Quicksilver Cloud Hooks Training

Set up existing scripts and write your own with help from our experts. Pantheon delivers on-demand training to help development teams master our platform and improve their internal WebOps.

Advanced Site Configuration

Include api_version

Define the api_version property in order for pantheon.yml to be valid:

pantheon.yml
api_version: 1

Protected Web Paths

Protect files and directories inside of your docroot from public web access with protected_web_paths. For example, the following ensures that a visitor to https://example.com/example.txt or https://example.com/example_directory/any_nested_file receives Access Denied (403):

pantheon.yml
protected_web_paths:
  - /example.txt
  - /example_directory

The pantheon.upstream.yml file provided by your upstream might define protected web paths. If it does, all of the paths listed in the upstream and all of the paths listed in your pantheon.yml file will be protected. If you wish to remove protection from any path listed in the upstream, set the protected_web_paths_override property.

Considerations

  • Specify the exact path; path is case-sensitive
  • No regex or wildcards allowed
  • Paths begin with a leading / and are relative to your docroot
  • Limited to 24 protected paths
  • You may not be able to protect files or paths with special characters
  • Wait a few seconds for changes to take effect

Protected Web Paths Override

To disable all of the protected web paths defined by your site's upstream and all protected paths defined by the Pantheon platform, set the protected_web_paths_override property to true:

pantheon.yml
protected_web_paths_override: true

Considerations

The standard protected web paths can be important to the security of your site. If you override protection with this property, be sure to copy all of the standard protected web paths into your pantheon.yml file, and only remove those that you are certain are safe to expose.

For a list of standard protected paths, see the pantheon.upstream.yml for:

Enforce HTTPS + HSTS

HTTPS adds a layer of encryption that prevents others from snooping on or tampering with traffic to your site. HTTP Strict Transport Security (HSTS) instructs browsers to only connect via HTTPS and helps protect websites against protocol downgrade attacks and cookie hijacking.

Pantheon sites (using the default Pantheon upstreams) created or updated on or after September 30 2019 default to enforcing HTTPS via a redirect and a short, 5-minute duration, HSTS header. You can override the default with the enforce_https directive in a site-specific pantheon.yml file.

 Note

Before adjusting enforce_https, review and understand the configuration options and all considerations to avoid unintended consequences.

If you use a plugin or module to set your HSTS header, it will create a duplicate header. Disable enforce_https in pantheon.yml to avoid an invalid policy.

Use of the HSTS header is defined by the enforce_https directive, and takes five possible values which are handled by Pantheon as shown below:

enforce_https:RedirectHSTSStrict-Transport-SecurityincludeSubdomainspreload
offDisabledNot set by Pantheon
transitional (default)Enforcedmax-age=300
transitional+subdomainsEnforcedmax-age=300
full Enforcedmax-age=31622400
full+subdomains Enforcedmax-age=31622400

For example, to set enforce_https as off:

enforce_https: off

Considerations

  • Use of full or full+subdomains should be treated as a commitment. HSTS headers are cached by browsers for the duration of the max-age period. If your site is unable to serve HTTPS (e.g. by moving to a host that doesn't support HTTPS), visitors will be unable to access your site.
  • Any option with +subdomains should only be used if you want to enforce HTTPS for all subdomains, even those not connected to Pantheon.
  • To prepare your site to serve all content via HTTPS, follow the Switching Sites from HTTP to HTTPS doc.

Test Your Site's HSTS Configuration for an A+ Rating

SSL Labs provides a free, online service that you can use to test your Site's configuration. In order to obtain an A+ rating, a long-duration HSTS header using the full or full+subdomains value is required.

  1. To test your configuration, select a short-duration HSTS header (transitional or transitional+subdomains), before committing to the long-duration HSTS header.

  2. When you're comfortable that HSTS works as expected in the Live environment, send the long-duration HSTS header by moving to full or full+subdomains.

Nested Docroot

Nest your docroot one level beneath your code repository in a directory named web:

pantheon.yml
web_docroot: true

The name of the nested directory is not configurable.

For more information, see Serving Sites from the Web Subdirectory.

PHP Version

Override the upstream's default PHP version with the php_version property. PHP version is managed in version control and deployed along with the rest of your site's code to encourage testing before making a change on your Live site.

For example, to override the upstream default value at the site level to PHP 7:

pantheon.yml
php_version: 7.0

Considerations

  • Upgrading PHP Versions may require you to resolve compatibility issues with your site's codebase.
  • Drupal and PHP 7 require Drush 7 or greater.
  • From time to time, we will roll out a new default version of PHP, which will be available to apply as a one-click update in the Dashboard. If you are overriding the default, make sure to remove php_version from pantheon.yml as soon as possible to ensure you don't miss the latest recommended PHP version.
  • You'll always be able to test new default PHP version in Dev and Test before deploying Live.

Specify a Version of MariaDB

Last reviewed: Aug 05 2021

Specify the site's version of MariaDB to keep the software your site uses current and up to date, or set a specific version to avoid incompatibilities.

Enable automated backups and confirm that a backup has been created before you configure the database version. Push the changes to a Multidev and ensure that the site performs as expected.

Apply this change to an existing environment. If you try to create a new environment with the database key specified in pantheon.yml, the commit will be rejected with an error.

Use the database directive in pantheon.yml to choose a specific version of MariaDB:

pantheon.yml
database:
  version: 10.4

Keep in mind that some versions of Drupal and WordPress require a specific minimum or maximum version for compatibility.

This table shows the recommended MariaDB version for each CMS:

CMSRecommended MariaDB Version
Drupal < 7.7610.3
Drupal ≥ 7.7610.4
Drupal < 8.510.3
Drupal ≥ 8.610.4
Drupal ≥ 9.010.4
WordPress10.4

Users of Drupal 6 sites should consider upgrading to Drupal 7 for better support.

Drush Version

Add drush_version to the top level of the pantheon.yml file to configure the Drush version used when making calls remotely on Pantheon:

pantheon.yml
drush_version: 8

For more information and compatibility requirements, see Managing Drush Versions on Pantheon.

Filemount Path

Pantheon provides a cloud-based filesystem to store user-generated content and other website files. By default, we create a symlink to this filesystem at sites/default/files (Drupal) or wp-content/uploads (WordPress), but you can change the location with the filemount variable.

 Warning

We recommend only changing this setting when needed for Custom Upstream Configurations in pantheon.upstream.yml. For most cases, you can create an additional symlink in your code base.

The only valid filemount path other than the default path for each CMS is /files relative to your docroot:

pantheon.yml
filemount: /files

Complete the following before deploying filemount (required):

  1. Reconfigure Drupal 8, Drupal 7, or WordPress to use the new path

  2. Add path to the .gitignore file

  3. Configure a private subdirectory of the new path within protected_web_paths

Quicksilver Platform Integration Hooks

Use the pantheon.yml file to define scripts you want executed automatically when a particular workflow is triggered on Pantheon by you or a teammate. For example, you can write a script to post a message to Slack whenever code is pushed to the Site Dashboard.

For more information, see Automate your Workflow with Quicksilver Platform Integration Hooks and check our growing set of Platform Integration guides demonstrating Quicksilver hooks.

Custom Upstream Configurations

Add a pantheon.upstream.yml file to your organization's Custom Upstream to set default configurations for all downstream sites. The same properties described above can be used in this file. In addition, it is also possible to define a deploy_product Quicksilver hook here; however other Quicksilver workflows are not supported.

This file should only be edited in the Custom Upstream repository where it is defined. Similarly, the Custom Upstream repository should not define a pantheon.yml file; it should place all configuration settings in the upstream file instead.

When the same configuration value is defined in both files, the value from pantheon.yml will override the value from pantheon.upstream.yml at the site-level.

Troubleshooting

First, verify the syntax of entries in the file. Refer to the examples above for exact syntax, or try running the contents of your pantheon.yml file through a YAML linter.

"Changes to pantheon.yml detected, but there was an error while processing it"

The Platform will automatically reject a commit that includes a pantheon.yml error. The error message will resemble:

remote: PANTHEON ERROR:
remote:
remote: Changes to `pantheon.yml` detected, but there was an error while processing it:
remote:
remote:
remote: Version '2' is not a valid pantheon.yml version!
remote: Valid versions are: 1

While our parser will reject a pantheon.yml that is invalid, it won't necessarily give you the exact reason the file is invalid. Syntax errors are the most common issue.

Deploying Configuration Changes to Multidev

Changes made to pantheon.yml file on a branch are not detected when creating the Multidev environment for that branch. As a workaround, make some modification to pantheon.yml file and re-commit to the Multidev environment. You will then receive a notice indicating configuration changes have been detected and applied to the Multidev environment:

remote:
remote: PANTHEON NOTICE:
remote:
remote: Changes to `pantheon.yml` detected.
remote:
remote: Successfully applied `pantheon.yml` to the 'new-feature' environment.
remote:
remote:

Deploying Hotfixes

Changes made to pantheon.yml are not detected when deployed as a hotfix. As a workaround, make a modification to your pantheon.yml file in a development environment (e.g, add a code comment), then deploy up to production using the standard Pantheon workflow.

See Also