authorNils Gillmann <ng0@n0.is>2018-09-27 19:24:10 +0000
committerNils Gillmann <ng0@n0.is>2018-09-27 19:24:10 +0000
commit430db6a55226ea4a9c33e322edc4a3a7b325393c (patch)
treed9d0a25b6b3103bcda84d0aa32c007fa3c2d1302 /guix/etc/nginx/apps
parent82741d1288c8755bfdf57d0e0ce77d6ee121b913 (diff)
Complications with the way guix builds are made led me to work on the content of etc in a copied, not symlinked, location.
Signed-off-by: Nils Gillmann <ng0@n0.is>
Diffstat (limited to 'guix/etc/nginx/apps')
-rw-r--r--guix/etc/nginx/apps/drupal/admin_basic_auth.conf12
-rw-r--r--guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf10
-rw-r--r--guix/etc/nginx/apps/drupal/drupal.conf347
-rw-r--r--guix/etc/nginx/apps/drupal/drupal_boost.conf377
-rw-r--r--guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf382
-rw-r--r--guix/etc/nginx/apps/drupal/drupal_cron_update.conf40
-rw-r--r--guix/etc/nginx/apps/drupal/drupal_escaped.conf347
-rw-r--r--guix/etc/nginx/apps/drupal/drupal_install.conf16
-rw-r--r--guix/etc/nginx/apps/drupal/drupal_upload_progress.conf23
-rw-r--r--guix/etc/nginx/apps/drupal/fastcgi_drupal.conf43
-rw-r--r--guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf43
-rw-r--r--guix/etc/nginx/apps/drupal/hotlinking_protection.conf10
-rw-r--r--guix/etc/nginx/apps/drupal/map_cache.conf39
-rw-r--r--guix/etc/nginx/apps/drupal/microcache_fcgi.conf39
-rw-r--r--guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf51
-rw-r--r--guix/etc/nginx/apps/drupal/microcache_proxy.conf53
-rw-r--r--guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf54
17 files changed, 1886 insertions, 0 deletions
diff --git a/guix/etc/nginx/apps/drupal/admin_basic_auth.conf b/guix/etc/nginx/apps/drupal/admin_basic_auth.conf
new file mode 100644
index 0000000..cc796ce
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/admin_basic_auth.conf
@@ -0,0 +1,12 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+## Protect the /admin URIs with a basic auth.
+location ^~ /admin {
+ auth_basic "Restricted access"; #realm
+ auth_basic_user_file .htpasswd-users;
+
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+}
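Review bot: `auth_basic_user_file .htpasswd-users;` is a relative path, which nginx resolves against its configuration prefix rather than against this file, so once etc is copied instead of symlinked the credentials file has to exist in the copied tree and be readable only by the nginx user. A comment above the directive would make that explicit, e.g. `## Relative to the nginx conf prefix; keep this file outside the document root.` Separately, `location ^~ /admin` guards by case-sensitive URI prefix only, so it is worth confirming that Drupal's own routing cannot serve admin pages for a request whose URI does not begin with `/admin`; the FastCGI include that decides this is outside this hunk.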
diff --git a/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf b/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf
new file mode 100644
index 0000000..bdb3dd9
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf
@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration file for specifying which hosts can invoke Drupal's
+### cron. This only applies if you're not using drush to run cron.
+
+geo $not_allowed_cron {
+ default 1;
+ ## Add your set of hosts.
+ 127.0.0.1 0; # allow the localhost
+ 192.168.1.0/24 0; # allow on an internal network
+}
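Review bot: The `geo $not_allowed_cron` block keys on the client address as nginx sees it, so if this server is ever fronted by a reverse proxy or load balancer on the same host, every request would arrive as `127.0.0.1` and be allowed to invoke cron. The entry `192.168.1.0/24 0;` is also a sample network shipped as live configuration; it should be replaced with the deployment's real management range or removed. I would add a comment above the entries such as `## Matches the connecting address; behind a proxy, restore the real client IP first.`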
diff --git a/guix/etc/nginx/apps/drupal/drupal.conf b/guix/etc/nginx/apps/drupal/drupal.conf
new file mode 100644
index 0000000..e65024f
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/drupal.conf
@@ -0,0 +1,347 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for Drupal. This configuration makes use of
+### drush (http:///drupal.org/project/drush) for site maintenance
+### and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ ## Set the OS file cache.
+ open_file_cache max=3000 inactive=120s;
+ open_file_cache_valid 45s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+# aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+# aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+# flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+# mp4;
+# mp4_buffer_size 1M;
+# mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+# mp4;
+# mp4_buffer_size 1M;
+# mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+ }
+ }
+
+ ## Replicate the Apache <FilesMatch> directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the /index.php?q=$uri&$args if not found.
+ try_files $uri @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+# include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+# track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+# include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
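Review bot: The `location ^~ /.git` block and its siblings for `.bzr`, `.hg`, `.svn` and `.cvs` match only at the document root, so a VCS directory inside a module or theme checkout further down the tree would fall through to `try_files $uri @drupal` in `location /` and be served as static files if present. None of the nested regex locations covers these paths either, since the FilesMatch-style pattern is extension based. A single server-level regex handles every depth: `location ~ /\.(?:bzr|git|hg|svn|cvs)(?:/|$) { return 404; }`. The same root-only blocks are repeated in drupal_boost.conf and would need the same change.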
diff --git a/guix/etc/nginx/apps/drupal/drupal_boost.conf b/guix/etc/nginx/apps/drupal/drupal_boost.conf
new file mode 100644
index 0000000..1cb10e1
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/drupal_boost.conf
@@ -0,0 +1,377 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for using Boost with Drupal. This
+### configuration makes use of drush (http:///drupal.org/project/drush)
+### for site maintenance and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$no_slash_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ add_header Pragma '';
+ add_header Cache-Control 'public, max-age=946080000';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+ flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ }
+ }
+
+ ## Replicate the Apache <FilesMatch> directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the @cache if not found.
+ try_files $uri @cache;
+}
+
+## We define a named location for the cache.
+location @cache {
+ ## Boost compresses can the pages so we check it. Comment it out
+ ## if you don't have it enabled in Boost.
+ gzip_static on;
+
+ ## Error page handler for the case where $no_cache is 1. POST
+ ## request or authenticated.
+ error_page 418 = @drupal;
+
+ ## If $no_cache is 1 then it means that either we have a session
+ ## cookie or that the request method is POST. So serve the dynamic
+ ## page.
+ if ($no_cache) {
+ return 418; # I'm a teapot/I can't get no cachifaction
+ }
+
+ ## No caching for POST requests.
+ if ($request_method = POST) {
+ return 418;
+ }
+
+ # Now for some header tweaking. We use a date that differs
+ # from stock Drupal. Everyone seems to be using their
+ # birthdate. Why go against the grain?
+ add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT";
+ # We bypass all delays in the post-check and pre-check
+ # parameters of Cache-Control. Both set to 0.
+ add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
+ # Funny...perhaps. Egocentric? Damn right!;
+ add_header X-Header "Boost Helás Avril 1.0";
+ ## Boost doesn't set a charset.
+ charset utf-8;
+
+ # We try each boost URI in succession, if every one of them
+ # fails then relay to Drupal.
+ try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$uri.html /cache/$host/0${uri}/index.html @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache/index.php?q=$uri&$args;
+ #proxy_set_header Connection '';
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+ track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
+## Boost stats.
+location = /boost_stats.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
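Review bot: In `@drupal` and `@drupal-no-args` this file enables `include apps/drupal/microcache_fcgi_auth.conf;` unconditionally, whereas drupal.conf leaves every microcache include commented out, so responses for logged-in users are cached as soon as this variant is selected. That include is outside this hunk; please confirm its cache key carries the session identity, and add a comment at both includes such as `## Caches authenticated responses: the cache key must include the session cookie.` Also, `location = /boost_stats.php` has `fastcgi_pass phpcgi;` with no FastCGI parameter include before it, unlike every other FastCGI location in this file, so which script the backend runs depends on whatever parameters are inherited from the enclosing level.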
diff --git a/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf b/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf
new file mode 100644
index 0000000..36f5d98
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf
@@ -0,0 +1,382 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for using Boost with Drupal. This
+### configuration makes use of drush (http:///drupal.org/project/drush)
+### for site maintenance and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## To avoid the ugly rewrite we use Lua to escape the URI.
+set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)';
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$no_slash_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ add_header Pragma '';
+ add_header Cache-Control 'public, max-age=946080000';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+ flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+ }
+ }
+
+ ## Replicate the Apache <FilesMatch> directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the @cache if not found.
+ try_files $escaped_uri @cache;
+}
+
+## We define a named location for the cache.
+location @cache {
+ ## Boost compresses can the pages so we check it. Comment it out
+ ## if you don't have it enabled in Boost.
+ gzip_static on;
+
+ ## Error page handler for the case where $no_cache is 1. POST
+ ## request or authenticated.
+ error_page 418 = @drupal;
+
+ ## If $no_cache is 1 then it means that either we have a session
+ ## cookie or that the request method is POST. So serve the dynamic
+ ## page.
+ if ($no_cache) {
+ return 418; # I'm a teapot/I can't get no cachifaction
+ }
+
+ ## No caching for POST requests.
+ if ($request_method = POST) {
+ return 418;
+ }
+
+ # Now for some header tweaking. We use a date that differs
+ # from stock Drupal. Everyone seems to be using their
+ # birthdate. Why go against the grain?
+ add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT";
+ # We bypass all delays in the post-check and pre-check
+ # parameters of Cache-Control. Both set to 0.
+ add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
+ # Funny...perhaps. Egocentric? Damn right!;
+ add_header X-Header "Boost Helás Avril 1.0";
+ ## Boost doesn't set a charset.
+ charset utf-8;
+
+ # We try each boost URI in succession, if every one of them
+ # fails then relay to Drupal.
+ try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$escaped_uri.html /cache/$host/0${uri}/index.html @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args;
+ #proxy_set_header Connection '';
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+ track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
+## Boost stats.
+location = /boost_stats.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+ #proxy_set_header Connection '';
+}
+
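Review bot: The `add_header` lines in `location @cache` (Expires, Cache-Control, X-Header) replace any `add_header` set at the http or server level rather than extending it, because nginx inherits those directives only when the current level defines none of its own. The FLV comment in this file refers to `add_header X-Frame-Options SAMEORIGIN;` in nginx.conf, so if that is where the site's security headers live, Boost-cached HTML pages would be served without them. Repeat the needed headers inside `@cache`, e.g. `add_header X-Frame-Options SAMEORIGIN;`, or pull them in from a shared include. The same applies to the `advagg_css` and `advagg_js` locations, here and in drupal_escaped.conf.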
diff --git a/guix/etc/nginx/apps/drupal/drupal_cron_update.conf b/guix/etc/nginx/apps/drupal/drupal_cron_update.conf
new file mode 100644
index 0000000..55500e9
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/drupal_cron_update.conf
@@ -0,0 +1,40 @@
+# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration file for Drupal if you're not using drush to update your site or run cron.
+
+## XMLRPC. Comment out if not enabled.
+location = /xmlrpc.php {
+ fastcgi_pass phpcgi;
+ # To use Apache for serving PHP uncomment the line bellow and
+ # comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+## Restrict cron access to a specific host.
+location = /cron.php {
+ ## If not allowed to run cron then issue a 404 and redirect to the
+ ## site root.
+ if ($not_allowed_cron) {
+ return 404 /;
+ }
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+## Run the update from the web interface with Drupal 7.
+location = /authorize.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+location = /update.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
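Review bot: `location = /authorize.php` and `location = /xmlrpc.php` hand requests to the PHP backend with no access restriction at the nginx level, while `/update.php` directly below is behind `auth_basic`. If the web-based update path is meant to be operator-only, give `/authorize.php` the same two lines, `auth_basic "Restricted Access";` and `auth_basic_user_file .htpasswd-users;`, or an `allow`/`deny` list. Separately, `return 404 /;` in the cron block sends a 404 whose body is the text `/`; it does not redirect as the comment says, so either reword the comment or use a plain `return 404;`.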
diff --git a/guix/etc/nginx/apps/drupal/drupal_escaped.conf b/guix/etc/nginx/apps/drupal/drupal_escaped.conf
new file mode 100644
index 0000000..db08cc0
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/drupal_escaped.conf
@@ -0,0 +1,347 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for Drupal. This configuration makes use of
+### drush (http:///drupal.org/project/drush) for site maintenance
+### and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## To avoid the ugly rewrite we use Lua to escape the URI.
+set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)';
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$no_slash_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ ## Set the OS file cache.
+ open_file_cache max=3000 inactive=120s;
+ open_file_cache_valid 45s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+ flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ }
+ }
+
+ ## Replicate the Apache <FilesMatch> directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the /index.php?q=$escaped_uri&$args if not found.
+ try_files $escaped_uri @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+ include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args;
+ #proxy_set_header Connection '';
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+ track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+ include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
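Review bot: `try_files $escaped_uri @drupal;` tests for a file named after the escaped URI, and as far as I know `ngx.escape_uri` percent-encodes the string as a URI component (so `/` becomes `%2F`), which means the lookup is unlikely ever to find a file on disk and every such request falls through to PHP. `location = /robots.txt` in this same file already uses `try_files $uri @drupal-no-args;`, while `/rss.xml` and `/sitemap.xml` use `$escaped_uri`. The existence check should use `$uri` throughout, with `$escaped_uri` kept for the `q=` argument only. The same pattern appears in drupal_boost_escaped.conf.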
diff --git a/guix/etc/nginx/apps/drupal/drupal_install.conf b/guix/etc/nginx/apps/drupal/drupal_install.conf
new file mode 100644
index 0000000..1f4f11b
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/drupal_install.conf
@@ -0,0 +1,16 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Directives for installing drupal. This is for drupal 6 and 7.
+
+location = /install.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+}
+
+## This is for drupal 8. There's a new location for the install file.
+location = /core/install.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+}
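Review bot: The header comment should say that this file is to be included only while a site is being installed and removed afterwards. As written, nothing tells an operator that leaving the include in place keeps `/install.php` and `/core/install.php` reachable behind a basic-auth password alone. I would add `### Include only during installation; remove the include once the site is installed.` under the existing `###` line. The HTTPS caveat that the sibling files give for `/admin` basic auth applies here too and is worth repeating in this header.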
diff --git a/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf b/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf
new file mode 100644
index 0000000..843fb06
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf
@@ -0,0 +1,23 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
+### Drupal 7 configuration for the Nginx Upload Progress module:
+### https://github.com/masterzen/nginx-upload-progress-module
+### This requires the Filefield Nginx Progress module:
+### http://drupal.org/project/filefield_nginx_progress.
+
+## The Nginx module wants ?X-Progress-ID query parameter so
+## that it report the progress of the upload through a GET
+## request. But the drupal form element makes use of clean
+## URLs in the POST.
+
+location ~ (?<upload_form_uri>.*)/x-progress-id:(?<upload_id>\d*) {
+ rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id;
+}
+
+## Now the above rewrite must be matched by a location that
+## activates it and references the above defined upload
+## tracking zone.
+location ^~ /progress {
+ upload_progress_json_output;
+ report_uploads uploads;
+}
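Review bot: The regex in `location ~ (?<upload_form_uri>.*)/x-progress-id:(?<upload_id>\d*)` is unanchored and accepts an empty id, so it matches the marker anywhere in a URI and can rewrite to `?X-Progress-ID=` with no value or with an empty target path. Anchoring it and requiring content narrows what reaches the rewrite: `location ~ ^(?<upload_form_uri>.+)/x-progress-id:(?<upload_id>\d+)$`. `location ^~ /progress` is likewise a prefix match, so any path beginning with `/progress` is answered by `report_uploads`. `location = /progress` would be tighter if the Drupal module only requests that exact path, which I cannot confirm from this hunk.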
diff --git a/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf b/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf
new file mode 100644
index 0000000..be59f85
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf
@@ -0,0 +1,43 @@
+#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### fastcgi configuration for serving private files.
+## 1. Parameters.
+fastcgi_param QUERY_STRING q=$uri&$args;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME /index.php;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+## PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or
+## later. The if_not_empty flag was introduced in 1.1.11. See:
+## http://nginx.org/en/CHANGES. If using a version that doesn't
+## support this comment out the line below.
+fastcgi_param HTTPS $fastcgi_https if_not_empty;
+## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
+#fastcgi_param HTTPS $fastcgi_https;
+
+## 2. Nginx FCGI specific directives.
+fastcgi_buffers 256 4k;
+fastcgi_intercept_errors on;
+## Allow 4 hrs - pass timeout responsibility to upstream.
+fastcgi_read_timeout 14400;
+fastcgi_index index.php;
+## Hide the X-Drupal-Cache header provided by Pressflow.
+fastcgi_hide_header 'X-Drupal-Cache';
+## Hide the Drupal 7 header X-Generator.
+fastcgi_hide_header 'X-Generator';
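Review bot: `fastcgi_param QUERY_STRING q=$uri&$args;` builds the query string from `$uri`, which nginx has already percent-decoded, so an encoded `&` or `=` in the request path reaches PHP as a separate query parameter rather than as part of `q`. drupal_escaped.conf and drupal_boost_escaped.conf define `$escaped_uri` for this purpose but still include this file, so the escaping never reaches the FastCGI path. Consider an escaped variant of this file using `q=$escaped_uri&$args`, or a comment stating that the unescaped form is intentional. The header comment `### fastcgi configuration for serving private files.` is also inaccurate, since `@drupal` includes this file for all dynamic requests. fastcgi_no_args_drupal.conf has both issues as well.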
diff --git a/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf b/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf
new file mode 100644
index 0000000..683e4ce
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf
@@ -0,0 +1,43 @@
+#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### fastcgi configuration for serving private files.
+## 1. Parameters.
+fastcgi_param QUERY_STRING q=$uri;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME /index.php;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+## PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or
+## later. The if_not_empty flag was introduced in 1.1.11. See:
+## http://nginx.org/en/CHANGES. If using a version that doesn't
+## support this comment out the line below.
+fastcgi_param HTTPS $fastcgi_https if_not_empty;
+## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
+#fastcgi_param HTTPS $fastcgi_https;
+
+## 2. Nginx FCGI specific directives.
+fastcgi_buffers 256 4k;
+fastcgi_intercept_errors on;
+## Allow 4 hrs - pass timeout responsibility to upstream.
+fastcgi_read_timeout 14400;
+fastcgi_index index.php;
+## Hide the X-Drupal-Cache header provided by Pressflow.
+fastcgi_hide_header 'X-Drupal-Cache';
+## Hide the Drupal 7 header X-Generator.
+fastcgi_hide_header 'X-Generator';
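Review bot: `fastcgi_read_timeout 14400;` lets one stalled backend response hold its nginx connection and PHP worker for up to four hours, so a small number of slow requests can tie up the PHP pool. Unless long-running requests through the web tier are actually required, a bound of the order of minutes is safer, e.g. `fastcgi_read_timeout 120s;` (illustrative value). Long jobs can then run through drush, as the other files in this commit recommend. The same line is in fastcgi_drupal.conf.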
diff --git a/guix/etc/nginx/apps/drupal/hotlinking_protection.conf b/guix/etc/nginx/apps/drupal/hotlinking_protection.conf
new file mode 100644
index 0000000..f2926e1
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/hotlinking_protection.conf
@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Hotlinking protection for images. Include it in any context you
+### want. Adjust the list of allowed referers to your liking.
+
+valid_referers none blocked *.example.com *.google.com my.site.com;
+
+if ($invalid_referer) {
+ return 200 "No image hotlinking allowed!\n";
+}
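Review bot: `valid_referers none blocked *.example.com *.google.com my.site.com;` ships placeholder domains, so once an operator uncomments the include, requests referred from the real site are treated as invalid until the list is edited. A comment marking `*.example.com` and `my.site.com` as placeholders to replace would prevent that. The block also answers with `return 200 "No image hotlinking allowed!\n";`, and the image locations that would include it set `expires 30d`, so the refusal is presented as a successful response that clients may cache; `return 403;` states the intent. Referer is client-supplied, so this is bandwidth control rather than access control.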
diff --git a/guix/etc/nginx/apps/drupal/map_cache.conf b/guix/etc/nginx/apps/drupal/map_cache.conf
new file mode 100644
index 0000000..8166fcd
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/map_cache.conf
@@ -0,0 +1,39 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
+### Testing if we should be serving content from cache or not. This is
+### needed for any Drupal setup that uses an external cache.
+
+## Let Ajax calls go through.
+map $uri $no_cache_ajax {
+ default 0;
+ /system/ajax 1;
+}
+
+## Testing for the session cookie being present. If there is then no
+## caching is to be done. Note that this is for someone using either
+## Drupal 7 pressflow or stock Drupal 6 core with no_anon
+## (http://drupal.org/project/no_anon).
+map $http_cookie $no_cache_cookie {
+ default 0;
+ ~SESS 1; # PHP session cookie
+}
+
+## Combine both results to get the cache bypassing mapping.
+map $no_cache_ajax$no_cache_cookie $no_cache {
+ default 1;
+ 00 0;
+}
+
+## If you're using stock Drupal 6 without no_anon, i.e., there's a
+## session cookie being served even to anonymous users, then uncomment
+## the three lines below and comment the above map directive
+# map $http_cookie $no_cache {
+# default 0;
+# ~DRUPAL_UID 1; # DRUPAL_UID cookie set by Boost
+# }
+
+## Set a cache_uid variable for authenticated users.
+map $http_cookie $cache_uid {
+ default nil; # hommage to Lisp :)
+ ~SESS[[:alnum:]]+=(?<session_id>[[:graph:]]+) $session_id;
+}
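Review bot: Both cookie regexes are unanchored: `~SESS` sets `$no_cache_cookie` for any cookie name or value that contains SESS. In the `$cache_uid` map, `[[:graph:]]+` also matches `;`, so the captured id keeps the trailing separator whenever the session cookie is not the last one in the header. The same session can therefore produce two different cache keys depending on cookie order. Anchoring to a cookie boundary and stopping the value at the separator addresses both, e.g. `"~(?:^|; *)S?SESS[[:alnum:]]+=(?<session_id>[^;[:space:]]+)" $session_id;` (quoted because of the `;`, with `S?` keeping the `SSESS…` names the unanchored pattern matches today). A comment that `$cache_uid` is a client-supplied value that ends up in the cache key would also be worth adding.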
diff --git a/guix/etc/nginx/apps/drupal/microcache_fcgi.conf b/guix/etc/nginx/apps/drupal/microcache_fcgi.conf
new file mode 100644
index 0000000..e7e8184
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/microcache_fcgi.conf
@@ -0,0 +1,39 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+fastcgi_cache microcache;
+## The cache key.
+fastcgi_cache_key $scheme$request_method$host$request_uri;
+
+## For 200 and 301 make the cache valid for 1s seconds.
+fastcgi_cache_valid 200 301 1s;
+## For 302 make it valid for 1 minute.
+fastcgi_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+fastcgi_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+fastcgi_ignore_headers Cache-Control Expires;
+## Bypass the cache.
+fastcgi_cache_bypass $no_cache;
+fastcgi_no_cache $no_cache;
+
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock
+## Cache locking mechanism for protecting the backend of too many
+## simultaneous requests.
+#fastcgi_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+#fastcgi_cache_lock_timeout 8000; # in miliseconds.
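Review bot: The comment above `fastcgi_ignore_headers Cache-Control Expires;` leaves out the effect that matters: the directive makes nginx disregard those upstream headers when deciding whether and for how long to cache. An upstream `Cache-Control: private` or `no-store` therefore no longer keeps a response out of the microcache, and `$no_cache` is the only guard in this file. I would reword it to `## Ignore upstream Cache-Control/Expires for caching decisions; only $no_cache keeps a response out of the cache.` The same comment is repeated in microcache_fcgi_auth.conf, microcache_proxy.conf and microcache_proxy_auth.conf.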
diff --git a/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf b/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf
new file mode 100644
index 0000000..7b2b7c3
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf
@@ -0,0 +1,51 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+## The cache zone referenced.
+fastcgi_cache microcache;
+## The cache key.
+fastcgi_cache_key $cache_uid@$scheme$request_method$host$request_uri;
+
+## For 200 and 301 make the cache valid for 15s.
+fastcgi_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+fastcgi_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+fastcgi_cache_valid 404 1s;
+## If there are any upstream errors use whatever it is available.
+fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+fastcgi_ignore_headers Cache-Control Expires;
+fastcgi_pass_header Set-Cookie;
+fastcgi_pass_header Cookie;
+## Bypass the cache.
+# fastcgi_cache_bypass $no_auth_cache;
+# fastcgi_no_cache $no_auth_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock
+## Cache locking mechanism for protecting the backend of too many
+## simultaneous requests.
+#fastcgi_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+#fastcgi_cache_lock_timeout 8000; # in miliseconds.
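Review bot: `add_header X-Content-Options nosniff;` sends a header name browsers do not recognise; the MIME-sniffing opt-out is `X-Content-Type-Options`, so the line as written gives no protection. It should read `add_header X-Content-Type-Options nosniff;`, and the same line appears in microcache_proxy.conf and microcache_proxy_auth.conf. Separately, both bypass directives are commented out here, so every cacheable response in this location is stored under the `$cache_uid@…` key for up to 15s. A comment on why the bypass is disabled, and that nginx stores the key string (session id included) in the cache entry on disk, would help whoever sets permissions on the cache directory.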
diff --git a/guix/etc/nginx/apps/drupal/microcache_proxy.conf b/guix/etc/nginx/apps/drupal/microcache_proxy.conf
new file mode 100644
index 0000000..6708684
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/microcache_proxy.conf
@@ -0,0 +1,53 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+proxy_cache microcache;
+## The cache key.
+proxy_cache_key $host$request_uri;
+
+## For 200 and 301 make the cache valid for 15 seconds.
+proxy_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+proxy_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+proxy_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+proxy_ignore_headers Cache-Control Expires;
+## Bypass the cache.
+proxy_cache_bypass $no_cache;
+proxy_no_cache $no_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock.
+## Cache locking mechanism for protecting the backendof too many
+## simultaneous requests.
+#proxy_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+# proxy_cache_lock_timeout 8000; # in miliseconds.
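Review bot: `proxy_cache_key $host$request_uri;` drops the `$scheme` and `$request_method` parts that microcache_fcgi.conf puts in its key, so an http and an https request for the same URI share one cache entry. If the upstream answers plain-http requests with a redirect to https (not visible here), that 301 can be replayed to https clients for the 15s validity. `proxy_cache_key $scheme$request_method$host$request_uri;` would keep the two variants consistent. microcache_proxy_auth.conf has the same omission after its `$cache_uid@` prefix.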
diff --git a/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf b/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf
new file mode 100644
index 0000000..e351b1b
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf
@@ -0,0 +1,54 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+proxy_cache microcache;
+## The cache key.
+proxy_cache_key $cache_uid@$host$request_uri;
+
+## For 200 and 301 make the cache valid for 15 seconds.
+proxy_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+proxy_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+proxy_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+proxy_ignore_headers Cache-Control Expires;
+proxy_pass_header Set-Cookie;
+proxy_pass_header Cookie;
+## Bypass the cache.
+proxy_cache_bypass $no_auth_cache;
+proxy_no_cache $no_auth_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock.
+## Cache locking mechanism for protecting the backendof too many
+## simultaneous requests.
+#proxy_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+# proxy_cache_lock_timeout 8000; # in miliseconds.
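Review bot: `proxy_cache_bypass $no_auth_cache;` and `proxy_no_cache $no_auth_cache;` use a variable that map_cache.conf as added in this commit does not define; it provides `$no_cache`, `$no_cache_ajax`, `$no_cache_cookie` and `$cache_uid`. Unless another included file outside this view maps it, nginx will reject the configuration with an unknown-variable error. microcache_fcgi_auth.conf has the same two directives commented out, which suggests the map is missing; either add it or note in a comment where `$no_auth_cache` is defined. `proxy_pass_header Cookie;` also looks unneeded, since Cookie is a request header and this directive concerns upstream response headers, so that is worth confirming.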