author | Florian Dold <florian.dold@gmail.com> | 2019-06-26 23:43:47 +0200 |
---|---|---|
committer | Florian Dold <florian.dold@gmail.com> | 2019-06-26 23:43:47 +0200 |
commit | bb0c5ae74bd80516b769c00c81bedf11a4d3e9ed (patch) | |
tree | 48e3900b4361ef67e7ff18292a1f2d7f50071997 /etc/nginx/apps | |
parent | fee9c9c5ee14babc680214efb65e187a8765b601 (diff) | |
We have /etc in a separate repo for the server now.
Diffstat (limited to 'etc/nginx/apps')
-rw-r--r-- | etc/nginx/apps/drupal/admin_basic_auth.conf | 12 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/cron_allowed_hosts.conf | 10 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/drupal.conf | 347 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/drupal_boost.conf | 377 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/drupal_boost_escaped.conf | 382 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/drupal_cron_update.conf | 40 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/drupal_escaped.conf | 347 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/drupal_install.conf | 16 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/drupal_upload_progress.conf | 23 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/fastcgi_drupal.conf | 43 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf | 43 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/hotlinking_protection.conf | 10 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/map_cache.conf | 39 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/microcache_fcgi.conf | 39 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/microcache_fcgi_auth.conf | 51 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/microcache_proxy.conf | 53 | ||||
-rw-r--r-- | etc/nginx/apps/drupal/microcache_proxy_auth.conf | 54 |
17 files changed, 0 insertions, 1886 deletions
diff --git a/etc/nginx/apps/drupal/admin_basic_auth.conf b/etc/nginx/apps/drupal/admin_basic_auth.conf
deleted file mode 100644
index cc796ce..0000000
--- a/etc/nginx/apps/drupal/admin_basic_auth.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
-
-## Protect the /admin URIs with a basic auth.
-location ^~ /admin {
- auth_basic "Restricted access"; #realm
- auth_basic_user_file .htpasswd-users;
-
- ## Include the specific FastCGI configuration. This is for a
- ## FCGI backend like php-cgi or php-fpm.
- include apps/drupal/fastcgi_drupal.conf;
- fastcgi_pass phpcgi;
-}
diff --git a/etc/nginx/apps/drupal/cron_allowed_hosts.conf b/etc/nginx/apps/drupal/cron_allowed_hosts.conf
deleted file mode 100644
index bdb3dd9..0000000
--- a/etc/nginx/apps/drupal/cron_allowed_hosts.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
-### Configuration file for specifying which hosts can invoke Drupal's
-### cron. This only applies if you're not using drush to run cron.
-
-geo $not_allowed_cron {
- default 1;
- ## Add your set of hosts.
- 127.0.0.1 0; # allow the localhost
- 192.168.1.0/24 0; # allow on an internal network
-}
diff --git a/etc/nginx/apps/drupal/drupal.conf b/etc/nginx/apps/drupal/drupal.conf
deleted file mode 100644
index e65024f..0000000
--- a/etc/nginx/apps/drupal/drupal.conf
+++ /dev/null
@@ -1,347 +0,0 @@ -# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- -### Nginx configuration for Drupal. This configuration makes use of -### drush (http:///drupal.org/project/drush) for site maintenance -### and like tasks: -### -### 1. Run the cronjobs. -### 2. Run the DB and code updates: drush up or drush upc followed by -### drush updb to run any DB updates required by the code upgrades -### that were performed. -### 3. Disabling of xmlrpc.xml, install.php (needed only for -### installing the site) and update.php: all updates are now -### handled through drush. - -## The 'default' location. -location / { - - ## Drupal 404 from can impact performance. If using a module like - ## search404 then 404's *have *to be handled by Drupal. Uncomment to - ## relay the handling of 404's to Drupal. - ## error_page 404 /index.php; - - ## Using a nested location is the 'correct' way to use regexes. - - ## Regular private file serving (i.e. handled by Drupal). - location ^~ /system/files/ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the two lines below. - #proxy_pass http://phpapache/index.php?q=$uri; - #proxy_set_header Connection ''; - - ## For not signaling a 404 in the error log whenever the - ## system/files directory is accessed add the line below. - ## Note that the 404 is the intended behavior. - log_not_found off; - } - - ## Trying to access private files directly returns a 404. - location ^~ /sites/default/files/private/ { - internal; - } - - ## Support for the file_force module - ## http://drupal.org/project/file_force. - location ^~ /system/files_force/ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. 
- include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the two lines below. - #proxy_pass http://phpapache/index.php?q=$uri; - #proxy_set_header Connection ''; - - ## For not signaling a 404 in the error log whenever the - ## system/files directory is accessed add the line below. - ## Note that the 404 is the intended behavior. - log_not_found off; - } - - ## If accessing an image generated by Drupal 6 imagecache, serve it - ## directly if available, if not relay the request to Drupal to (re)generate - ## the image. - location ~* /imagecache/ { - ## Image hotlinking protection. If you want hotlinking - ## protection for your images uncomment the following line. - #include apps/drupal/hotlinking_protection.conf; - - access_log off; - expires 30d; - try_files $uri @drupal; - } - - ## Drupal 7 generated image handling, i.e., imagecache in core. See: - ## http://drupal.org/node/371374. - location ~* /files/styles/ { - ## Image hotlinking protection. If you want hotlinking - ## protection for your images uncomment the following line. - #include apps/drupal/hotlinking_protection.conf; - - access_log off; - expires 30d; - try_files $uri @drupal; - } - - ## Advanced Aggregation module CSS - ## support. http://drupal.org/project/advagg. - location ^~ /sites/default/files/advagg_css/ { - expires max; - add_header ETag ''; - add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; - add_header Accept-Ranges ''; - - location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { - access_log off; - try_files $uri @drupal; - } - } - - ## Advanced Aggregation module JS - ## support. http://drupal.org/project/advagg. 
- location ^~ /sites/default/files/advagg_js/ { - expires max; - add_header ETag ''; - add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; - add_header Accept-Ranges ''; - - location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { - access_log off; - try_files $uri @drupal; - } - } - - ## All static files will be served directly. - location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { - - access_log off; - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - ## Set the OS file cache. - open_file_cache max=3000 inactive=120s; - open_file_cache_valid 45s; - open_file_cache_min_uses 2; - open_file_cache_errors off; - } - - ## PDFs and powerpoint files handling. - location ~* ^.+\.(?:pdf|pptx?)$ { - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - } - - ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. - location ^~ /sites/default/files/audio/mp3 { - location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; -# aio on; - output_buffers 1 2M; - } - } - - location ^~ /sites/default/files/audio/ogg { - location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; -# aio on; - output_buffers 1 2M; - } - } - - ## Pseudo streaming of FLV files: - ## http://wiki.nginx.org/HttpFlvStreamModule. 
- ## If pseudo streaming isn't working, try to comment - ## out in nginx.conf line with: - ## add_header X-Frame-Options SAMEORIGIN; - location ^~ /sites/default/files/video/flv { - location ~* ^/sites/default/files/video/flv/.*\.flv$ { -# flv; - } - } - - ## Pseudo streaming of H264/AAC files. This requires an Nginx - ## version greater or equal to 1.0.7 for the stable branch and - ## greater or equal to 1.1.3 for the development branch. - ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. - location ^~ /sites/default/files/video/mp4 { # videos - location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { -# mp4; -# mp4_buffer_size 1M; -# mp4_max_buffer_size 5M; - } - } - - location ^~ /sites/default/files/audio/m4a { # audios - location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { -# mp4; -# mp4_buffer_size 1M; -# mp4_max_buffer_size 5M; - } - } - - ## Advanced Help module makes each module provided README available. - location ^~ /help/ { - location ~* ^/help/[^/]*/README\.txt$ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the two lines below. - #proxy_pass http://phpapache/index.php?q=$uri; - #proxy_set_header Connection ''; - } - } - - ## Replicate the Apache <FilesMatch> directive of Drupal standard - ## .htaccess. Disable access to any code files. Return a 404 to curtail - ## information disclosure. Hide also the text files. - location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { - return 404; - } - - ## First we try the URI and relay to the /index.php?q=$uri&$args if not found. 
- try_files $uri @drupal; -} - -########### Security measures ########## - -## Uncomment the line below if you want to enable basic auth for -## access to all /admin URIs. Note that this provides much better -## protection if use HTTPS. Since it can easily be eavesdropped if you -## use HTTP. -#include apps/drupal/admin_basic_auth.conf; - -## Restrict access to the strictly necessary PHP files. Reducing the -## scope for exploits. Handling of PHP code and the Drupal event loop. -location @drupal { - ## Include the FastCGI config. - include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## FastCGI microcache. -# include apps/drupal/microcache_fcgi.conf; - ## FCGI microcache for authenticated users also. - #include apps/drupal/microcache_fcgi_auth.conf; - - ## If proxying to apache comment the two lines above and - ## uncomment the two lines below. - #proxy_pass http://phpapache/index.php?q=$uri; - #proxy_set_header Connection ''; - - ## Proxy microcache. - #include apps/drupal/microcache_proxy.conf; - ## Proxy microcache for authenticated users also. - #include apps/drupal/microcache_proxy_auth.conf; - - ## Filefield Upload progress - ## http://drupal.org/project/filefield_nginx_progress support - ## through the NginxUploadProgress modules. -# track_uploads uploads 60s; -} - -location @drupal-no-args { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include apps/drupal/fastcgi_no_args_drupal.conf; - fastcgi_pass phpcgi; - - ## FastCGI microcache. -# include apps/drupal/microcache_fcgi.conf; - ## FCGI microcache for authenticated users also. - #include apps/drupal/microcache_fcgi_auth.conf; - - ## If proxying to apache comment the two lines above and - ## uncomment the two lines below. - #proxy_pass http://phpapache/index.php?q=$uri; - #proxy_set_header Connection ''; - - ## Proxy microcache. - #include apps/drupal/microcache_proxy.conf; - ## Proxy microcache for authenticated users also. 
- #include apps/drupal/microcache_proxy_auth.conf; -} - -## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return -## 404 as not to disclose information. -location ^~ /.bzr { - return 404; -} - -location ^~ /.git { - return 404; -} - -location ^~ /.hg { - return 404; -} - -location ^~ /.svn { - return 404; -} - -location ^~ /.cvs { - return 404; -} - -## Disallow access to patches directory. -location ^~ /patches { - return 404; -} - -## Disallow access to drush backup directory. -location ^~ /backup { - return 404; -} - -## Disable access logs for robots.txt. -location = /robots.txt { - access_log off; - ## Add support for the robotstxt module - ## http://drupal.org/project/robotstxt. - try_files $uri @drupal-no-args; -} - -## RSS feed support. -location = /rss.xml { - try_files $uri @drupal-no-args; -} - -## XML Sitemap support. -location = /sitemap.xml { - try_files $uri @drupal-no-args; -} - -## Support for favicon. Return an 1x1 transparent GIF if it doesn't -## exist. -location = /favicon.ico { - expires 30d; - try_files /favicon.ico @empty; -} - -## Return an in memory 1x1 transparent GIF. -location @empty { - expires 30d; - empty_gif; -} - -## Any other attempt to access PHP files returns a 404. -location ~* ^.+\.php$ { - return 404; -} - diff --git a/etc/nginx/apps/drupal/drupal_boost.conf b/etc/nginx/apps/drupal/drupal_boost.conf deleted file mode 100644 index 1cb10e1..0000000 --- a/etc/nginx/apps/drupal/drupal_boost.conf +++ /dev/null 
@@ -1,377 +0,0 @@ -# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- -### Nginx configuration for using Boost with Drupal. This -### configuration makes use of drush (http:///drupal.org/project/drush) -### for site maintenance and like tasks: -### -### 1. Run the cronjobs. -### 2. Run the DB and code updates: drush up or drush upc followed by -### drush updb to run any DB updates required by the code upgrades -### that were performed. -### 3. Disabling of xmlrpc.xml, install.php (needed only for -### installing the site) and update.php: all updates are now -### handled through drush. - -## The 'default' location. -location / { - - ## Drupal 404 from can impact performance. If using a module like - ## search404 then 404's *have *to be handled by Drupal. Uncomment to - ## relay the handling of 404's to Drupal. - ## error_page 404 /index.php; - - ## Using a nested location is the 'correct' way to use regexes. - - ## Regular private file serving (i.e. handled by Drupal). - location ^~ /system/files/ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache/index.php?q=$uri; - #proxy_set_header Connection ''; - - ## For not signaling a 404 in the error log whenever the - ## system/files directory is accessed add the line below. - ## Note that the 404 is the intended behavior. - log_not_found off; - } - - ## Trying to access private files directly returns a 404. - location ^~ /sites/default/files/private/ { - internal; - } - - ## Support for the file_force module - ## http://drupal.org/project/file_force. - location ^~ /system/files_force/ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. 
- include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache/index.php?q=$no_slash_uri; - #proxy_set_header Connection ''; - - ## For not signaling a 404 in the error log whenever the - ## system/files directory is accessed add the line below. - ## Note that the 404 is the intended behavior. - log_not_found off; - } - - ## If accessing an image generated by Drupal 6 imagecache, serve it - ## directly if available, if not relay the request to Drupal to (re)generate - ## the image. - location ~* /imagecache/ { - ## Image hotlinking protection. If you want hotlinking - ## protection for your images uncomment the following line. - #include apps/drupal/hotlinking_protection.conf; - - access_log off; - expires 30d; - try_files $uri @drupal; - } - - ## Drupal 7 generated image handling, i.e., imagecache in core. See: - ## http://drupal.org/node/371374. - location ~* /files/styles/ { - ## Image hotlinking protection. If you want hotlinking - ## protection for your images uncomment the following line. - #include apps/drupal/hotlinking_protection.conf; - - access_log off; - expires 30d; - try_files $uri @drupal; - } - - ## Advanced Aggregation module CSS - ## support. http://drupal.org/project/advagg. - location ^~ /sites/default/files/advagg_css/ { - expires max; - add_header ETag ''; - add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; - add_header Accept-Ranges ''; - - location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { - access_log off; - try_files $uri @drupal; - } - } - - ## Advanced Aggregation module JS - ## support. http://drupal.org/project/advagg. 
- location ^~ /sites/default/files/advagg_js/ { - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; - - location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { - access_log off; - try_files $uri @drupal; - } - } - - ## All static files will be served directly. - location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { - access_log off; - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - } - - ## PDFs and powerpoint files handling. - location ~* ^.+\.(?:pdf|pptx?)$ { - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - } - - ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. - location ^~ /sites/default/files/audio/mp3 { - location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; - aio on; - output_buffers 1 2M; - } - } - - location ^~ /sites/default/files/audio/ogg { - location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; - aio on; - output_buffers 1 2M; - } - } - - ## Pseudo streaming of FLV files: - ## http://wiki.nginx.org/HttpFlvStreamModule. - ## If pseudo streaming isn't working, try to comment - ## out in nginx.conf line with: - ## add_header X-Frame-Options SAMEORIGIN; - location ^~ /sites/default/files/video/flv { - location ~* ^/sites/default/files/video/flv/.*\.flv$ { - flv; - } - } - - ## Pseudo streaming of H264/AAC files. 
This requires an Nginx - ## version greater or equal to 1.0.7 for the stable branch and - ## greater or equal to 1.1.3 for the development branch. - ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. - location ^~ /sites/default/files/video/mp4 { # videos - location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { - mp4; - mp4_buffer_size 1M; - mp4_max_buffer_size 5M; - } - } - - location ^~ /sites/default/files/audio/m4a { # audios - location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { - mp4; - mp4_buffer_size 1M; - mp4_max_buffer_size 5M; - } - } - - ## Advanced Help module makes each module provided README available. - location ^~ /help/ { - location ~* ^/help/[^/]*/README\.txt$ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache/index.php?q=$uri; - } - } - - ## Replicate the Apache <FilesMatch> directive of Drupal standard - ## .htaccess. Disable access to any code files. Return a 404 to curtail - ## information disclosure. Hide also the text files. - location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { - return 404; - } - - ## First we try the URI and relay to the @cache if not found. - try_files $uri @cache; -} - -## We define a named location for the cache. -location @cache { - ## Boost compresses can the pages so we check it. Comment it out - ## if you don't have it enabled in Boost. - gzip_static on; - - ## Error page handler for the case where $no_cache is 1. POST - ## request or authenticated. - error_page 418 = @drupal; - - ## If $no_cache is 1 then it means that either we have a session - ## cookie or that the request method is POST. 
So serve the dynamic - ## page. - if ($no_cache) { - return 418; # I'm a teapot/I can't get no cachifaction - } - - ## No caching for POST requests. - if ($request_method = POST) { - return 418; - } - - # Now for some header tweaking. We use a date that differs - # from stock Drupal. Everyone seems to be using their - # birthdate. Why go against the grain? - add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT"; - # We bypass all delays in the post-check and pre-check - # parameters of Cache-Control. Both set to 0. - add_header Cache-Control "must-revalidate, post-check=0, pre-check=0"; - # Funny...perhaps. Egocentric? Damn right!; - add_header X-Header "Boost Helás Avril 1.0"; - ## Boost doesn't set a charset. - charset utf-8; - - # We try each boost URI in succession, if every one of them - # fails then relay to Drupal. - try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$uri.html /cache/$host/0${uri}/index.html @drupal; -} - -########### Security measures ########## - -## Uncomment the line below if you want to enable basic auth for -## access to all /admin URIs. Note that this provides much better -## protection if use HTTPS. Since it can easily be eavesdropped if you -## use HTTP. -#include apps/drupal/admin_basic_auth.conf; - -## Restrict access to the strictly necessary PHP files. Reducing the -## scope for exploits. Handling of PHP code and the Drupal event loop. -location @drupal { - ## Include the FastCGI config. - include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## FCGI microcache for authenticated users also. - include apps/drupal/microcache_fcgi_auth.conf; - - ## To use Apache for serving PHP uncomment the line bellow and - ## comment out the above. - #proxy_pass http://phpapache/index.php?q=$uri&$args; - #proxy_set_header Connection ''; - ## Proxy microcache for authenticated users also. 
- #include apps/drupal/microcache_proxy_auth.conf; - - ## Filefield Upload progress - ## http://drupal.org/project/filefield_nginx_progress support - ## through the NginxUploadProgress modules. - track_uploads uploads 60s; -} - -location @drupal-no-args { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include apps/drupal/fastcgi_no_args_drupal.conf; - fastcgi_pass phpcgi; - - ## FCGI microcache for authenticated users also. - include apps/drupal/microcache_fcgi_auth.conf; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache/index.php?q=$uri; - #proxy_set_header Connection ''; - - ## Proxy microcache for authenticated users also. - #include apps/drupal/microcache_proxy_auth.conf; -} - -## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return -## 404 as not to disclose information. -location ^~ /.bzr { - return 404; -} - -location ^~ /.git { - return 404; -} - -location ^~ /.hg { - return 404; -} - -location ^~ /.svn { - return 404; -} - -location ^~ /.cvs { - return 404; -} - -## Disallow access to patches directory. -location ^~ /patches { - return 404; -} - -## Disallow access to drush backup directory. -location ^~ /backup { - return 404; -} - -## Disable access logs for robots.txt. -location = /robots.txt { - access_log off; - ## Add support for the robotstxt module - ## http://drupal.org/project/robotstxt. - try_files $uri @drupal-no-args; -} - -## RSS feed support. -location = /rss.xml { - try_files $uri @drupal-no-args; -} - -## XML Sitemap support. -location = /sitemap.xml { - try_files $uri @drupal-no-args; -} - -## Support for favicon. Return an 1x1 transparent GIF if it doesn't -## exist. -location = /favicon.ico { - expires 30d; - try_files /favicon.ico @empty; -} - -## Return an in memory 1x1 transparent GIF. 
-location @empty { - expires 30d; - empty_gif; -} - -## Any other attempt to access PHP files returns a 404. -location ~* ^.+\.php$ { - return 404; -} - -## Boost stats. -location = /boost_stats.php { - fastcgi_pass phpcgi; - ## To use Apache for serving PHP uncomment the line bellow and - ## comment out the above. - #proxy_pass http://phpapache; -} - diff --git a/etc/nginx/apps/drupal/drupal_boost_escaped.conf b/etc/nginx/apps/drupal/drupal_boost_escaped.conf deleted file mode 100644 index 36f5d98..0000000 --- a/etc/nginx/apps/drupal/drupal_boost_escaped.conf +++ /dev/null 
@@ -1,382 +0,0 @@ -# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- -### Nginx configuration for using Boost with Drupal. This -### configuration makes use of drush (http:///drupal.org/project/drush) -### for site maintenance and like tasks: -### -### 1. Run the cronjobs. -### 2. Run the DB and code updates: drush up or drush upc followed by -### drush updb to run any DB updates required by the code upgrades -### that were performed. -### 3. Disabling of xmlrpc.xml, install.php (needed only for -### installing the site) and update.php: all updates are now -### handled through drush. - -## To avoid the ugly rewrite we use Lua to escape the URI. -set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)'; - -## The 'default' location. -location / { - - ## Drupal 404 from can impact performance. If using a module like - ## search404 then 404's *have *to be handled by Drupal. Uncomment to - ## relay the handling of 404's to Drupal. - ## error_page 404 /index.php; - - ## Using a nested location is the 'correct' way to use regexes. - - ## Regular private file serving (i.e. handled by Drupal). - location ^~ /system/files/ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache/index.php?q=$escaped_uri; - #proxy_set_header Connection ''; - - ## For not signaling a 404 in the error log whenever the - ## system/files directory is accessed add the line below. - ## Note that the 404 is the intended behavior. - log_not_found off; - } - - ## Trying to access private files directly returns a 404. - location ^~ /sites/default/files/private/ { - internal; - } - - ## Support for the file_force module - ## http://drupal.org/project/file_force. 
- location ^~ /system/files_force/ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache/index.php?q=$no_slash_uri; - #proxy_set_header Connection ''; - - ## For not signaling a 404 in the error log whenever the - ## system/files directory is accessed add the line below. - ## Note that the 404 is the intended behavior. - log_not_found off; - } - - ## If accessing an image generated by Drupal 6 imagecache, serve it - ## directly if available, if not relay the request to Drupal to (re)generate - ## the image. - location ~* /imagecache/ { - ## Image hotlinking protection. If you want hotlinking - ## protection for your images uncomment the following line. - #include apps/drupal/hotlinking_protection.conf; - - access_log off; - expires 30d; - try_files $escaped_uri @drupal; - } - - ## Drupal 7 generated image handling, i.e., imagecache in core. See: - ## http://drupal.org/node/371374. - location ~* /files/styles/ { - ## Image hotlinking protection. If you want hotlinking - ## protection for your images uncomment the following line. - #include apps/drupal/hotlinking_protection.conf; - - access_log off; - expires 30d; - try_files $escaped_uri @drupal; - } - - ## Advanced Aggregation module CSS - ## support. http://drupal.org/project/advagg. - location ^~ /sites/default/files/advagg_css/ { - expires max; - add_header ETag ''; - add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; - add_header Accept-Ranges ''; - - location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { - access_log off; - try_files $escaped_uri @drupal; - } - } - - ## Advanced Aggregation module JS - ## support. http://drupal.org/project/advagg. 
- location ^~ /sites/default/files/advagg_js/ { - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; - - location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { - access_log off; - try_files $escaped_uri @drupal; - } - } - - ## All static files will be served directly. - location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { - access_log off; - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - } - - ## PDFs and powerpoint files handling. - location ~* ^.+\.(?:pdf|pptx?)$ { - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - } - - ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. - location ^~ /sites/default/files/audio/mp3 { - location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; - aio on; - output_buffers 1 2M; - } - } - - location ^~ /sites/default/files/audio/ogg { - location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; - aio on; - output_buffers 1 2M; - } - } - - ## Pseudo streaming of FLV files: - ## http://wiki.nginx.org/HttpFlvStreamModule. - ## If pseudo streaming isn't working, try to comment - ## out in nginx.conf line with: - ## add_header X-Frame-Options SAMEORIGIN; - location ^~ /sites/default/files/video/flv { - location ~* ^/sites/default/files/video/flv/.*\.flv$ { - flv; - } - } - - ## Pseudo streaming of H264/AAC files. 
This requires an Nginx - ## version greater or equal to 1.0.7 for the stable branch and - ## greater or equal to 1.1.3 for the development branch. - ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. - location ^~ /sites/default/files/video/mp4 { # videos - location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { - mp4; - mp4_buffer_size 1M; - mp4_max_buffer_size 5M; - } - } - - location ^~ /sites/default/files/audio/m4a { # audios - location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { - mp4; - mp4_buffer_size 1M; - mp4_max_buffer_size 5M; - } - } - - ## Advanced Help module makes each module provided README available. - location ^~ /help/ { - location ~* ^/help/[^/]*/README\.txt$ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache/index.php?q=$escaped_uri; - #proxy_set_header Connection ''; - } - } - - ## Replicate the Apache <FilesMatch> directive of Drupal standard - ## .htaccess. Disable access to any code files. Return a 404 to curtail - ## information disclosure. Hide also the text files. - location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { - return 404; - } - - ## First we try the URI and relay to the @cache if not found. - try_files $escaped_uri @cache; -} - -## We define a named location for the cache. -location @cache { - ## Boost compresses can the pages so we check it. Comment it out - ## if you don't have it enabled in Boost. - gzip_static on; - - ## Error page handler for the case where $no_cache is 1. POST - ## request or authenticated. 
- error_page 418 = @drupal; - - ## If $no_cache is 1 then it means that either we have a session - ## cookie or that the request method is POST. So serve the dynamic - ## page. - if ($no_cache) { - return 418; # I'm a teapot/I can't get no cachifaction - } - - ## No caching for POST requests. - if ($request_method = POST) { - return 418; - } - - # Now for some header tweaking. We use a date that differs - # from stock Drupal. Everyone seems to be using their - # birthdate. Why go against the grain? - add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT"; - # We bypass all delays in the post-check and pre-check - # parameters of Cache-Control. Both set to 0. - add_header Cache-Control "must-revalidate, post-check=0, pre-check=0"; - # Funny...perhaps. Egocentric? Damn right!; - add_header X-Header "Boost Helás Avril 1.0"; - ## Boost doesn't set a charset. - charset utf-8; - - # We try each boost URI in succession, if every one of them - # fails then relay to Drupal. - try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$escaped_uri.html /cache/$host/0${uri}/index.html @drupal; -} - -########### Security measures ########## - -## Uncomment the line below if you want to enable basic auth for -## access to all /admin URIs. Note that this provides much better -## protection if use HTTPS. Since it can easily be eavesdropped if you -## use HTTP. -#include apps/drupal/admin_basic_auth.conf; - -## Restrict access to the strictly necessary PHP files. Reducing the -## scope for exploits. Handling of PHP code and the Drupal event loop. -location @drupal { - ## Include the FastCGI config. - include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## FCGI microcache for authenticated users also. - include apps/drupal/microcache_fcgi_auth.conf; - - ## To use Apache for serving PHP uncomment the line bellow and - ## comment out the above. 
- #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args; - #proxy_set_header Connection ''; - ## Proxy microcache for authenticated users also. - #include apps/drupal/microcache_proxy_auth.conf; - - ## Filefield Upload progress - ## http://drupal.org/project/filefield_nginx_progress support - ## through the NginxUploadProgress modules. - track_uploads uploads 60s; -} - -location @drupal-no-args { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include apps/drupal/fastcgi_no_args_drupal.conf; - fastcgi_pass phpcgi; - - ## FCGI microcache for authenticated users also. - include apps/drupal/microcache_fcgi_auth.conf; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache/index.php?q=$escaped_uri; - #proxy_set_header Connection ''; - - ## Proxy microcache for authenticated users also. - #include apps/drupal/microcache_proxy_auth.conf; -} - -## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return -## 404 as not to disclose information. -location ^~ /.bzr { - return 404; -} - -location ^~ /.git { - return 404; -} - -location ^~ /.hg { - return 404; -} - -location ^~ /.svn { - return 404; -} - -location ^~ /.cvs { - return 404; -} - -## Disallow access to patches directory. -location ^~ /patches { - return 404; -} - -## Disallow access to drush backup directory. -location ^~ /backup { - return 404; -} - -## Disable access logs for robots.txt. -location = /robots.txt { - access_log off; - ## Add support for the robotstxt module - ## http://drupal.org/project/robotstxt. - try_files $uri @drupal-no-args; -} - -## RSS feed support. -location = /rss.xml { - try_files $escaped_uri @drupal-no-args; -} - -## XML Sitemap support. -location = /sitemap.xml { - try_files $escaped_uri @drupal-no-args; -} - -## Support for favicon. Return an 1x1 transparent GIF if it doesn't -## exist. 
-location = /favicon.ico { - expires 30d; - try_files /favicon.ico @empty; -} - -## Return an in memory 1x1 transparent GIF. -location @empty { - expires 30d; - empty_gif; -} - -## Any other attempt to access PHP files returns a 404. -location ~* ^.+\.php$ { - return 404; -} - -## Boost stats. -location = /boost_stats.php { - fastcgi_pass phpcgi; - ## To use Apache for serving PHP uncomment the line bellow and - ## comment out the above. - #proxy_pass http://phpapache; - #proxy_set_header Connection ''; -} - diff --git a/etc/nginx/apps/drupal/drupal_cron_update.conf b/etc/nginx/apps/drupal/drupal_cron_update.conf deleted file mode 100644 index 55500e9..0000000 --- a/etc/nginx/apps/drupal/drupal_cron_update.conf +++ /dev/null 
@@ -1,40 +0,0 @@
-# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
-### Configuration file for Drupal if you're not using drush to update your site or run cron.
-
-## XMLRPC. Comment out if not enabled.
-location = /xmlrpc.php {
- fastcgi_pass phpcgi;
- # To use Apache for serving PHP uncomment the line bellow and
- # comment out the above.
- #proxy_pass http://phpapache;
-}
-
-## Restrict cron access to a specific host.
-location = /cron.php {
- ## If not allowed to run cron then issue a 404 and redirect to the
- ## site root.
- if ($not_allowed_cron) {
- return 404 /;
- }
- fastcgi_pass phpcgi;
- ## To use Apache for serving PHP uncomment the line bellow and
- ## comment out the above.
- #proxy_pass http://phpapache;
-}
-
-## Run the update from the web interface with Drupal 7.
-location = /authorize.php {
- fastcgi_pass phpcgi;
- ## To use Apache for serving PHP uncomment the line bellow and
- ## comment out the above.
- #proxy_pass http://phpapache;
-}
-
-location = /update.php {
- auth_basic "Restricted Access"; # auth realm
- auth_basic_user_file .htpasswd-users; # htpasswd file
- fastcgi_pass phpcgi;
- ## To use Apache for serving PHP uncomment the line bellow and
- ## comment out the above.
- #proxy_pass http://phpapache;
-}
diff --git a/etc/nginx/apps/drupal/drupal_escaped.conf b/etc/nginx/apps/drupal/drupal_escaped.conf
deleted file mode 100644
index db08cc0..0000000
--- a/etc/nginx/apps/drupal/drupal_escaped.conf
+++ /dev/null
@@ -1,347 +0,0 @@ -# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- -### Nginx configuration for Drupal. This configuration makes use of -### drush (http:///drupal.org/project/drush) for site maintenance -### and like tasks: -### -### 1. Run the cronjobs. -### 2. Run the DB and code updates: drush up or drush upc followed by -### drush updb to run any DB updates required by the code upgrades -### that were performed. -### 3. Disabling of xmlrpc.xml, install.php (needed only for -### installing the site) and update.php: all updates are now -### handled through drush. - -## To avoid the ugly rewrite we use Lua to escape the URI. -set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)'; - -## The 'default' location. -location / { - - ## Drupal 404 from can impact performance. If using a module like - ## search404 then 404's *have *to be handled by Drupal. Uncomment to - ## relay the handling of 404's to Drupal. - ## error_page 404 /index.php; - - ## Using a nested location is the 'correct' way to use regexes. - - ## Regular private file serving (i.e. handled by Drupal). - location ^~ /system/files/ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache/index.php?q=$escaped_uri; - #proxy_set_header Connection ''; - - ## For not signaling a 404 in the error log whenever the - ## system/files directory is accessed add the line below. - ## Note that the 404 is the intended behavior. - log_not_found off; - } - - ## Trying to access private files directly returns a 404. - location ^~ /sites/default/files/private/ { - internal; - } - - ## Support for the file_force module - ## http://drupal.org/project/file_force. - location ^~ /system/files_force/ { - ## Include the specific FastCGI configuration. 
This is for a - ## FCGI backend like php-cgi or php-fpm. - include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache/index.php?q=$no_slash_uri; - #proxy_set_header Connection ''; - - ## For not signaling a 404 in the error log whenever the - ## system/files directory is accessed add the line below. - ## Note that the 404 is the intended behavior. - log_not_found off; - } - - ## If accessing an image generated by Drupal 6 imagecache, serve it - ## directly if available, if not relay the request to Drupal to (re)generate - ## the image. - location ~* /imagecache/ { - ## Image hotlinking protection. If you want hotlinking - ## protection for your images uncomment the following line. - #include apps/drupal/hotlinking_protection.conf; - - access_log off; - expires 30d; - try_files $escaped_uri @drupal; - } - - ## Drupal 7 generated image handling, i.e., imagecache in core. See: - ## http://drupal.org/node/371374. - location ~* /files/styles/ { - ## Image hotlinking protection. If you want hotlinking - ## protection for your images uncomment the following line. - #include apps/drupal/hotlinking_protection.conf; - - access_log off; - expires 30d; - try_files $escaped_uri @drupal; - } - - ## Advanced Aggregation module CSS - ## support. http://drupal.org/project/advagg. - location ^~ /sites/default/files/advagg_css/ { - expires max; - add_header ETag ''; - add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; - add_header Accept-Ranges ''; - - location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { - access_log off; - try_files $escaped_uri @drupal; - } - } - - ## Advanced Aggregation module JS - ## support. http://drupal.org/project/advagg. 
- location ^~ /sites/default/files/advagg_js/ { - expires max; - add_header ETag ''; - add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; - add_header Accept-Ranges ''; - - location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { - access_log off; - try_files $escaped_uri @drupal; - } - } - - ## All static files will be served directly. - location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { - access_log off; - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - ## Set the OS file cache. - open_file_cache max=3000 inactive=120s; - open_file_cache_valid 45s; - open_file_cache_min_uses 2; - open_file_cache_errors off; - } - - ## PDFs and powerpoint files handling. - location ~* ^.+\.(?:pdf|pptx?)$ { - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - } - - ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. - location ^~ /sites/default/files/audio/mp3 { - location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; - aio on; - output_buffers 1 2M; - } - } - - location ^~ /sites/default/files/audio/ogg { - location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; - aio on; - output_buffers 1 2M; - } - } - - ## Pseudo streaming of FLV files: - ## http://wiki.nginx.org/HttpFlvStreamModule. 
- ## If pseudo streaming isn't working, try to comment - ## out in nginx.conf line with: - ## add_header X-Frame-Options SAMEORIGIN; - location ^~ /sites/default/files/video/flv { - location ~* ^/sites/default/files/video/flv/.*\.flv$ { - flv; - } - } - - ## Pseudo streaming of H264/AAC files. This requires an Nginx - ## version greater or equal to 1.0.7 for the stable branch and - ## greater or equal to 1.1.3 for the development branch. - ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. - location ^~ /sites/default/files/video/mp4 { # videos - location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { - mp4; - mp4_buffer_size 1M; - mp4_max_buffer_size 5M; - } - } - - location ^~ /sites/default/files/audio/m4a { # audios - location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { - mp4; - mp4_buffer_size 1M; - mp4_max_buffer_size 5M; - } - } - - ## Advanced Help module makes each module provided README available. - location ^~ /help/ { - location ~* ^/help/[^/]*/README\.txt$ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache/index.php?q=$escaped_uri; - } - } - - ## Replicate the Apache <FilesMatch> directive of Drupal standard - ## .htaccess. Disable access to any code files. Return a 404 to curtail - ## information disclosure. Hide also the text files. - location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { - return 404; - } - - ## First we try the URI and relay to the /index.php?q=$escaped_uri&$args if not found. 
- try_files $escaped_uri @drupal; -} - -########### Security measures ########## - -## Uncomment the line below if you want to enable basic auth for -## access to all /admin URIs. Note that this provides much better -## protection if use HTTPS. Since it can easily be eavesdropped if you -## use HTTP. -#include apps/drupal/admin_basic_auth.conf; - -## Restrict access to the strictly necessary PHP files. Reducing the -## scope for exploits. Handling of PHP code and the Drupal event loop. -location @drupal { - ## Include the FastCGI config. - include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; - - ## FastCGI microcache. - include apps/drupal/microcache_fcgi.conf; - ## FCGI microcache for authenticated users also. - #include apps/drupal/microcache_fcgi_auth.conf; - - ## To use Apache for serving PHP uncomment the line bellow and - ## comment out the above. - #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args; - #proxy_set_header Connection ''; - ## Proxy microcache. - #include apps/drupal/microcache_proxy.conf; - ## Proxy microcache for authenticated users also. - #include apps/drupal/microcache_proxy_auth.conf; - - ## Filefield Upload progress - ## http://drupal.org/project/filefield_nginx_progress support - ## through the NginxUploadProgress modules. - track_uploads uploads 60s; -} - -location @drupal-no-args { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include apps/drupal/fastcgi_no_args_drupal.conf; - fastcgi_pass phpcgi; - - ## FastCGI microcache. - include apps/drupal/microcache_fcgi.conf; - ## FCGI microcache for authenticated users also. - #include apps/drupal/microcache_fcgi_auth.conf; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache/index.php?q=$escaped_uri; - #proxy_set_header Connection ''; - - ## Proxy microcache. 
- #include apps/drupal/microcache_proxy.conf; - ## Proxy microcache for authenticated users also. - #include apps/drupal/microcache_proxy_auth.conf; -} - -## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return -## 404 as not to disclose information. -location ^~ /.bzr { - return 404; -} - -location ^~ /.git { - return 404; -} - -location ^~ /.hg { - return 404; -} - -location ^~ /.svn { - return 404; -} - -location ^~ /.cvs { - return 404; -} - -## Disallow access to patches directory. -location ^~ /patches { - return 404; -} - -## Disallow access to drush backup directory. -location ^~ /backup { - return 404; -} - -## Disable access logs for robots.txt. -location = /robots.txt { - access_log off; - ## Add support for the robotstxt module - ## http://drupal.org/project/robotstxt. - try_files $uri @drupal-no-args; -} - -## RSS feed support. -location = /rss.xml { - try_files $escaped_uri @drupal-no-args; -} - -## XML Sitemap support. -location = /sitemap.xml { - try_files $escaped_uri @drupal-no-args; -} - -## Support for favicon. Return an 1x1 transparent GIF if it doesn't -## exist. -location = /favicon.ico { - expires 30d; - try_files /favicon.ico @empty; -} - -## Return an in memory 1x1 transparent GIF. -location @empty { - expires 30d; - empty_gif; -} - -## Any other attempt to access PHP files returns a 404. -location ~* ^.+\.php$ { - return 404; -} - diff --git a/etc/nginx/apps/drupal/drupal_install.conf b/etc/nginx/apps/drupal/drupal_install.conf deleted file mode 100644 index 1f4f11b..0000000 --- a/etc/nginx/apps/drupal/drupal_install.conf +++ /dev/null 
@@ -1,16 +0,0 @@
-# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
-
-### Directives for installing drupal. This is for drupal 6 and 7.
-
-location = /install.php {
- auth_basic "Restricted Access"; # auth realm
- auth_basic_user_file .htpasswd-users; # htpasswd file
- fastcgi_pass phpcgi;
-}
-
-## This is for drupal 8. There's a new location for the install file.
-location = /core/install.php {
- auth_basic "Restricted Access"; # auth realm
- auth_basic_user_file .htpasswd-users; # htpasswd file
- fastcgi_pass phpcgi;
-}
diff --git a/etc/nginx/apps/drupal/drupal_upload_progress.conf b/etc/nginx/apps/drupal/drupal_upload_progress.conf
deleted file mode 100644
index 843fb06..0000000
--- a/etc/nginx/apps/drupal/drupal_upload_progress.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
-
-### Drupal 7 configuration for the Nginx Upload Progress module:
-### https://github.com/masterzen/nginx-upload-progress-module
-### This requires the Filefield Nginx Progress module:
-### http://drupal.org/project/filefield_nginx_progress.
-
-## The Nginx module wants ?X-Progress-ID query parameter so
-## that it report the progress of the upload through a GET
-## request. But the drupal form element makes use of clean
-## URLs in the POST.
-
-location ~ (?<upload_form_uri>.*)/x-progress-id:(?<upload_id>\d*) {
- rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id;
-}
-
-## Now the above rewrite must be matched by a location that
-## activates it and references the above defined upload
-## tracking zone.
-location ^~ /progress {
- upload_progress_json_output;
- report_uploads uploads;
-}
diff --git a/etc/nginx/apps/drupal/fastcgi_drupal.conf b/etc/nginx/apps/drupal/fastcgi_drupal.conf
deleted file mode 100644
index be59f85..0000000
--- a/etc/nginx/apps/drupal/fastcgi_drupal.conf
+++ /dev/null
@@ -1,43 +0,0 @@
-#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
-### fastcgi configuration for serving private files.
-## 1. Parameters.
-fastcgi_param QUERY_STRING q=$uri&$args;
-fastcgi_param REQUEST_METHOD $request_method;
-fastcgi_param CONTENT_TYPE $content_type;
-fastcgi_param CONTENT_LENGTH $content_length;
-
-fastcgi_param SCRIPT_NAME /index.php;
-fastcgi_param REQUEST_URI $request_uri;
-fastcgi_param DOCUMENT_URI $document_uri;
-fastcgi_param DOCUMENT_ROOT $document_root;
-fastcgi_param SERVER_PROTOCOL $server_protocol;
-
-fastcgi_param GATEWAY_INTERFACE CGI/1.1;
-fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
-
-fastcgi_param REMOTE_ADDR $remote_addr;
-fastcgi_param REMOTE_PORT $remote_port;
-fastcgi_param SERVER_ADDR $server_addr;
-fastcgi_param SERVER_PORT $server_port;
-fastcgi_param SERVER_NAME $server_name;
-## PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param REDIRECT_STATUS 200;
-fastcgi_param SCRIPT_FILENAME $document_root/index.php;
-## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or
-## later. The if_not_empty flag was introduced in 1.1.11. See:
-## http://nginx.org/en/CHANGES. If using a version that doesn't
-## support this comment out the line below.
-fastcgi_param HTTPS $fastcgi_https if_not_empty;
-## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
-#fastcgi_param HTTPS $fastcgi_https;
-
-## 2. Nginx FCGI specific directives.
-fastcgi_buffers 256 4k;
-fastcgi_intercept_errors on;
-## Allow 4 hrs - pass timeout responsibility to upstream.
-fastcgi_read_timeout 14400;
-fastcgi_index index.php;
-## Hide the X-Drupal-Cache header provided by Pressflow.
-fastcgi_hide_header 'X-Drupal-Cache';
-## Hide the Drupal 7 header X-Generator.
-fastcgi_hide_header 'X-Generator';
diff --git a/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf b/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf
deleted file mode 100644
index 683e4ce..0000000
--- a/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf
+++ /dev/null
@@ -1,43 +0,0 @@
-#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
-### fastcgi configuration for serving private files.
-## 1. Parameters.
-fastcgi_param QUERY_STRING q=$uri;
-fastcgi_param REQUEST_METHOD $request_method;
-fastcgi_param CONTENT_TYPE $content_type;
-fastcgi_param CONTENT_LENGTH $content_length;
-
-fastcgi_param SCRIPT_NAME /index.php;
-fastcgi_param REQUEST_URI $request_uri;
-fastcgi_param DOCUMENT_URI $document_uri;
-fastcgi_param DOCUMENT_ROOT $document_root;
-fastcgi_param SERVER_PROTOCOL $server_protocol;
-
-fastcgi_param GATEWAY_INTERFACE CGI/1.1;
-fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
-
-fastcgi_param REMOTE_ADDR $remote_addr;
-fastcgi_param REMOTE_PORT $remote_port;
-fastcgi_param SERVER_ADDR $server_addr;
-fastcgi_param SERVER_PORT $server_port;
-fastcgi_param SERVER_NAME $server_name;
-## PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param REDIRECT_STATUS 200;
-fastcgi_param SCRIPT_FILENAME $document_root/index.php;
-## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or
-## later. The if_not_empty flag was introduced in 1.1.11. See:
-## http://nginx.org/en/CHANGES. If using a version that doesn't
-## support this comment out the line below.
-fastcgi_param HTTPS $fastcgi_https if_not_empty;
-## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
-#fastcgi_param HTTPS $fastcgi_https;
-
-## 2. Nginx FCGI specific directives.
-fastcgi_buffers 256 4k;
-fastcgi_intercept_errors on;
-## Allow 4 hrs - pass timeout responsibility to upstream.
-fastcgi_read_timeout 14400;
-fastcgi_index index.php;
-## Hide the X-Drupal-Cache header provided by Pressflow.
-fastcgi_hide_header 'X-Drupal-Cache';
-## Hide the Drupal 7 header X-Generator.
-fastcgi_hide_header 'X-Generator';
diff --git a/etc/nginx/apps/drupal/hotlinking_protection.conf b/etc/nginx/apps/drupal/hotlinking_protection.conf
deleted file mode 100644
index f2926e1..0000000
--- a/etc/nginx/apps/drupal/hotlinking_protection.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
-
-### Hotlinking protection for images. Include it in any context you
-### want. Adjust the list of allowed referers to your liking.
-
-valid_referers none blocked *.example.com *.google.com my.site.com;
-
-if ($invalid_referer) {
- return 200 "No image hotlinking allowed!\n";
-}
diff --git a/etc/nginx/apps/drupal/map_cache.conf b/etc/nginx/apps/drupal/map_cache.conf
deleted file mode 100644
index 8166fcd..0000000
--- a/etc/nginx/apps/drupal/map_cache.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
-
-### Testing if we should be serving content from cache or not. This is
-### needed for any Drupal setup that uses an external cache.
-
-## Let Ajax calls go through.
-map $uri $no_cache_ajax {
- default 0;
- /system/ajax 1;
-}
-
-## Testing for the session cookie being present. If there is then no
-## caching is to be done. Note that this is for someone using either
-## Drupal 7 pressflow or stock Drupal 6 core with no_anon
-## (http://drupal.org/project/no_anon).
-map $http_cookie $no_cache_cookie {
- default 0;
- ~SESS 1; # PHP session cookie
-}
-
-## Combine both results to get the cache bypassing mapping.
-map $no_cache_ajax$no_cache_cookie $no_cache {
- default 1;
- 00 0;
-}
-
-## If you're using stock Drupal 6 without no_anon, i.e., there's a
-## session cookie being served even to anonymous users, then uncomment
-## the three lines below and comment the above map directive
-# map $http_cookie $no_cache {
-# default 0;
-# ~DRUPAL_UID 1; # DRUPAL_UID cookie set by Boost
-# }
-
-## Set a cache_uid variable for authenticated users.
-map $http_cookie $cache_uid {
- default nil; # hommage to Lisp :)
- ~SESS[[:alnum:]]+=(?<session_id>[[:graph:]]+) $session_id;
-}
diff --git a/etc/nginx/apps/drupal/microcache_fcgi.conf b/etc/nginx/apps/drupal/microcache_fcgi.conf
deleted file mode 100644
index e7e8184..0000000
--- a/etc/nginx/apps/drupal/microcache_fcgi.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
-
-### Implementation of the microcache concept as presented here:
-### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
-
-## The cache zone referenced.
-fastcgi_cache microcache;
-## The cache key.
-fastcgi_cache_key $scheme$request_method$host$request_uri;
-
-## For 200 and 301 make the cache valid for 1s seconds.
-fastcgi_cache_valid 200 301 1s;
-## For 302 make it valid for 1 minute.
-fastcgi_cache_valid 302 1m;
-## For 404 make it valid 1 second.
-fastcgi_cache_valid 404 1s;
-## If there are any upstream errors or the item has expired use
-## whatever it is available.
-fastcgi_cache_use_stale error timeout invalid_header updating http_500;
-## The Cache-Control and Expires headers should be delivered untouched
-## from the upstream to the client.
-fastcgi_ignore_headers Cache-Control Expires;
-## Bypass the cache.
-fastcgi_cache_bypass $no_cache;
-fastcgi_no_cache $no_cache;
-
-## To avoid any interaction with the cache control headers we expire
-## everything on this location immediately.
-expires epoch;
-
-## If you're using a Nginx version greater than 1.1.11 then uncomment
-## the line below. See:
-## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock
-## Cache locking mechanism for protecting the backend of too many
-## simultaneous requests.
-#fastcgi_cache_lock on;
-## The default timeout, i.e., the time to way before forwarding the
-## second request upstream if no reply as arrived in the meantime is 5s.
-#fastcgi_cache_lock_timeout 8000; # in miliseconds.
diff --git a/etc/nginx/apps/drupal/microcache_fcgi_auth.conf b/etc/nginx/apps/drupal/microcache_fcgi_auth.conf
deleted file mode 100644
index 7b2b7c3..0000000
--- a/etc/nginx/apps/drupal/microcache_fcgi_auth.conf
+++ /dev/null
@@ -1,51 +0,0 @@
-# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
-
-## The cache zone referenced.
-fastcgi_cache microcache;
-## The cache key.
-fastcgi_cache_key $cache_uid@$scheme$request_method$host$request_uri;
-
-## For 200 and 301 make the cache valid for 15s.
-fastcgi_cache_valid 200 301 15s;
-## For 302 make it valid for 1 minute.
-fastcgi_cache_valid 302 1m;
-## For 404 make it valid 1 second.
-fastcgi_cache_valid 404 1s;
-## If there are any upstream errors use whatever it is available.
-fastcgi_cache_use_stale error timeout invalid_header updating http_500;
-## The Cache-Control and Expires headers should be delivered untouched
-## from the upstream to the client.
-fastcgi_ignore_headers Cache-Control Expires;
-fastcgi_pass_header Set-Cookie;
-fastcgi_pass_header Cookie;
-## Bypass the cache.
-# fastcgi_cache_bypass $no_auth_cache;
-# fastcgi_no_cache $no_auth_cache;
-## Add a cache miss/hit status header.
-add_header X-Micro-Cache $upstream_cache_status;
-## To avoid any interaction with the cache control headers we expire
-## everything on this location immediately.
-expires epoch;
-
-## Enable clickjacking protection in modern browsers. Available in
-## IE8 also. See
-## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
-## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
-## Uncomment the line below if you're not using media streaming.
-## For sites *not* using frames uncomment the line below.
-#add_header X-Frame-Options DENY;
-## For sites *using* frames uncomment the line below.
-#add_header X-Frame-Options SAMEORIGIN;
-
-## Block MIME type sniffing on IE.
-add_header X-Content-Options nosniff;
-
-## If you're using a Nginx version greater than 1.1.11 then uncomment
-## the line below. See:
-## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock
-## Cache locking mechanism for protecting the backend of too many
-## simultaneous requests.
-#fastcgi_cache_lock on;
-## The default timeout, i.e., the time to way before forwarding the
-## second request upstream if no reply as arrived in the meantime is 5s.
-#fastcgi_cache_lock_timeout 8000; # in miliseconds.
diff --git a/etc/nginx/apps/drupal/microcache_proxy.conf b/etc/nginx/apps/drupal/microcache_proxy.conf
deleted file mode 100644
index 6708684..0000000
--- a/etc/nginx/apps/drupal/microcache_proxy.conf
+++ /dev/null
@@ -1,53 +0,0 @@
-# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
-
-### Implementation of the microcache concept as presented here:
-### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
-
-## The cache zone referenced.
-proxy_cache microcache;
-## The cache key.
-proxy_cache_key $host$request_uri;
-
-## For 200 and 301 make the cache valid for 15 seconds.
-proxy_cache_valid 200 301 15s;
-## For 302 make it valid for 1 minute.
-proxy_cache_valid 302 1m;
-## For 404 make it valid 1 second.
-proxy_cache_valid 404 1s;
-## If there are any upstream errors or the item has expired use
-## whatever it is available.
-proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
-## The Cache-Control and Expires headers should be delivered untouched
-## from the upstream to the client.
-proxy_ignore_headers Cache-Control Expires;
-## Bypass the cache.
-proxy_cache_bypass $no_cache;
-proxy_no_cache $no_cache;
-## Add a cache miss/hit status header.
-add_header X-Micro-Cache $upstream_cache_status;
-## To avoid any interaction with the cache control headers we expire
-## everything on this location immediately.
-expires epoch;
-
-## Enable clickjacking protection in modern browsers. Available in
-## IE8 also. See
-## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
-## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
-## Uncomment the line below if you're not using media streaming.
-## For sites *not* using frames uncomment the line below.
-#add_header X-Frame-Options DENY;
-## For sites *using* frames uncomment the line below.
-#add_header X-Frame-Options SAMEORIGIN;
-
-## Block MIME type sniffing on IE.
-add_header X-Content-Options nosniff;
-
-## If you're using a Nginx version greater than 1.1.11 then uncomment
-## the line below. See:
-## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock.
-## Cache locking mechanism for protecting the backendof too many
-## simultaneous requests.
-#proxy_cache_lock on;
-## The default timeout, i.e., the time to way before forwarding the
-## second request upstream if no reply as arrived in the meantime is 5s.
-# proxy_cache_lock_timeout 8000; # in miliseconds.
diff --git a/etc/nginx/apps/drupal/microcache_proxy_auth.conf b/etc/nginx/apps/drupal/microcache_proxy_auth.conf
deleted file mode 100644
index e351b1b..0000000
--- a/etc/nginx/apps/drupal/microcache_proxy_auth.conf
+++ /dev/null
@@ -1,54 +0,0 @@
-# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
-
-### Implementation of the microcache concept as presented here:
-### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
-
-## The cache zone referenced.
-proxy_cache microcache;
-## The cache key.
-proxy_cache_key $cache_uid@$host$request_uri;
-
-## For 200 and 301 make the cache valid for 15 seconds.
-proxy_cache_valid 200 301 15s;
-## For 302 make it valid for 1 minute.
-proxy_cache_valid 302 1m;
-## For 404 make it valid 1 second.
-proxy_cache_valid 404 1s;
-## If there are any upstream errors or the item has expired use
-## whatever it is available.
-proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
-## The Cache-Control and Expires headers should be delivered untouched
-## from the upstream to the client.
-proxy_ignore_headers Cache-Control Expires;
-proxy_pass_header Set-Cookie;
-proxy_pass_header Cookie;
-## Bypass the cache.
-proxy_cache_bypass $no_auth_cache;
-proxy_no_cache $no_auth_cache;
-## Add a cache miss/hit status header.
-add_header X-Micro-Cache $upstream_cache_status;
-## To avoid any interaction with the cache control headers we expire
-## everything on this location immediately.
-expires epoch;
-## Enable clickjacking protection in modern browsers. Available in
-## IE8 also. See
-## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
-## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
-## Uncomment the line below if you're not using media streaming.
-## For sites *not* using frames uncomment the line below.
-#add_header X-Frame-Options DENY;
-## For sites *using* frames uncomment the line below.
-#add_header X-Frame-Options SAMEORIGIN;
-
-## Block MIME type sniffing on IE.
-add_header X-Content-Options nosniff;
-
-## If you're using a Nginx version greater than 1.1.11 then uncomment
-## the line below. See:
-## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock.
-## Cache locking mechanism for protecting the backendof too many
-## simultaneous requests.
-#proxy_cache_lock on;
-## The default timeout, i.e., the time to way before forwarding the
-## second request upstream if no reply as arrived in the meantime is 5s.
-# proxy_cache_lock_timeout 8000; # in miliseconds. |