summaryrefslogtreecommitdiff
path: root/guix/etc/nginx
diff options
context:
space:
mode:
authorNils Gillmann <ng0@n0.is>2018-09-27 19:24:10 +0000
committerNils Gillmann <ng0@n0.is>2018-09-27 19:24:10 +0000
commit430db6a55226ea4a9c33e322edc4a3a7b325393c (patch)
treed9d0a25b6b3103bcda84d0aa32c007fa3c2d1302 /guix/etc/nginx
parent82741d1288c8755bfdf57d0e0ce77d6ee121b913 (diff)
downloaddeployment-430db6a55226ea4a9c33e322edc4a3a7b325393c.tar.gz
deployment-430db6a55226ea4a9c33e322edc4a3a7b325393c.tar.bz2
deployment-430db6a55226ea4a9c33e322edc4a3a7b325393c.zip
complications with the way guix builds are made lead me to work on the content of etc in a copied, not symlinked location.
Signed-off-by: Nils Gillmann <ng0@n0.is>
Diffstat (limited to 'guix/etc/nginx')
-rw-r--r--guix/etc/nginx/apps/drupal/admin_basic_auth.conf12
-rw-r--r--guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf10
-rw-r--r--guix/etc/nginx/apps/drupal/drupal.conf347
-rw-r--r--guix/etc/nginx/apps/drupal/drupal_boost.conf377
-rw-r--r--guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf382
-rw-r--r--guix/etc/nginx/apps/drupal/drupal_cron_update.conf40
-rw-r--r--guix/etc/nginx/apps/drupal/drupal_escaped.conf347
-rw-r--r--guix/etc/nginx/apps/drupal/drupal_install.conf16
-rw-r--r--guix/etc/nginx/apps/drupal/drupal_upload_progress.conf23
-rw-r--r--guix/etc/nginx/apps/drupal/fastcgi_drupal.conf43
-rw-r--r--guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf43
-rw-r--r--guix/etc/nginx/apps/drupal/hotlinking_protection.conf10
-rw-r--r--guix/etc/nginx/apps/drupal/map_cache.conf39
-rw-r--r--guix/etc/nginx/apps/drupal/microcache_fcgi.conf39
-rw-r--r--guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf51
-rw-r--r--guix/etc/nginx/apps/drupal/microcache_proxy.conf53
-rw-r--r--guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf54
-rw-r--r--guix/etc/nginx/conf.d/favicon_robots11
-rw-r--r--guix/etc/nginx/conf.d/talerssl14
-rw-r--r--guix/etc/nginx/fastcgi.conf26
-rw-r--r--guix/etc/nginx/fastcgi_params25
-rw-r--r--guix/etc/nginx/koi-utf109
-rw-r--r--guix/etc/nginx/koi-win103
-rw-r--r--guix/etc/nginx/mime.types89
-rw-r--r--guix/etc/nginx/nginx.conf79
-rw-r--r--guix/etc/nginx/proxy_params4
-rw-r--r--guix/etc/nginx/scgi_params17
-rw-r--r--guix/etc/nginx/sites-available/blog-demo.site43
-rw-r--r--guix/etc/nginx/sites-available/default.site86
-rw-r--r--guix/etc/nginx/sites-available/drupal-demo-ssl.site49
-rw-r--r--guix/etc/nginx/sites-available/drupal-demo.site40
-rw-r--r--guix/etc/nginx/sites-available/ghm_videos.site25
-rw-r--r--guix/etc/nginx/sites-available/www.git-ssl.site25
-rw-r--r--guix/etc/nginx/sites-available/www.git.site24
-rw-r--r--guix/etc/nginx/sites-enabled/api-ssl.site9
-rw-r--r--guix/etc/nginx/sites-enabled/api.site8
-rw-r--r--guix/etc/nginx/sites-enabled/buildbot-ssl.site23
-rw-r--r--guix/etc/nginx/sites-enabled/buildbot.site14
-rw-r--r--guix/etc/nginx/sites-enabled/decentralise-ssl.site14
-rw-r--r--guix/etc/nginx/sites-enabled/decentralise.site13
-rw-r--r--guix/etc/nginx/sites-enabled/default.site18
-rw-r--r--guix/etc/nginx/sites-enabled/demo.site159
-rw-r--r--guix/etc/nginx/sites-enabled/docs-ssl.site69
-rw-r--r--guix/etc/nginx/sites-enabled/docs.site7
-rw-r--r--guix/etc/nginx/sites-enabled/env.site85
-rw-r--r--guix/etc/nginx/sites-enabled/gauger-ssl.site18
-rw-r--r--guix/etc/nginx/sites-enabled/gauger.site17
-rw-r--r--guix/etc/nginx/sites-enabled/git-ssl.site31
-rw-r--r--guix/etc/nginx/sites-enabled/git.site10
-rw-r--r--guix/etc/nginx/sites-enabled/intranet-ssl.site15
-rw-r--r--guix/etc/nginx/sites-enabled/intranet.site10
-rw-r--r--guix/etc/nginx/sites-enabled/lcov-ssl.site20
-rw-r--r--guix/etc/nginx/sites-enabled/lcov.site19
-rw-r--r--guix/etc/nginx/sites-enabled/sandbox.site20
-rw-r--r--guix/etc/nginx/sites-enabled/test.site379
-rw-r--r--guix/etc/nginx/sites-enabled/trollslayer.site16
-rw-r--r--guix/etc/nginx/sites-enabled/www-ssl.site59
-rw-r--r--guix/etc/nginx/sites-enabled/www-stage.site78
-rw-r--r--guix/etc/nginx/sites-enabled/www.git-ssl.site11
-rw-r--r--guix/etc/nginx/sites-enabled/www.git.site10
-rw-r--r--guix/etc/nginx/sites-enabled/www.site13
-rw-r--r--guix/etc/nginx/uwsgi_params17
-rw-r--r--guix/etc/nginx/win-utf125
63 files changed, 3942 insertions, 0 deletions
diff --git a/guix/etc/nginx/apps/drupal/admin_basic_auth.conf b/guix/etc/nginx/apps/drupal/admin_basic_auth.conf
new file mode 100644
index 0000000..cc796ce
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/admin_basic_auth.conf
@@ -0,0 +1,12 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+## Protect the /admin URIs with a basic auth.
+location ^~ /admin {
+ auth_basic "Restricted access"; #realm
+ auth_basic_user_file .htpasswd-users;
+
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+}
diff --git a/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf b/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf
new file mode 100644
index 0000000..bdb3dd9
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf
@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration file for specifying which hosts can invoke Drupal's
+### cron. This only applies if you're not using drush to run cron.
+
+geo $not_allowed_cron {
+ default 1;
+ ## Add your set of hosts.
+ 127.0.0.1 0; # allow the localhost
+ 192.168.1.0/24 0; # allow on an internal network
+}
diff --git a/guix/etc/nginx/apps/drupal/drupal.conf b/guix/etc/nginx/apps/drupal/drupal.conf
new file mode 100644
index 0000000..e65024f
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/drupal.conf
@@ -0,0 +1,347 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for Drupal. This configuration makes use of
+### drush (http:///drupal.org/project/drush) for site maintenance
+### and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ ## Set the OS file cache.
+ open_file_cache max=3000 inactive=120s;
+ open_file_cache_valid 45s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+# aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+# aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+# flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+# mp4;
+# mp4_buffer_size 1M;
+# mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+# mp4;
+# mp4_buffer_size 1M;
+# mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+ }
+ }
+
+ ## Replicate the Apache <FilesMatch> directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the /index.php?q=$uri&$args if not found.
+ try_files $uri @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+# include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+# track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+# include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
diff --git a/guix/etc/nginx/apps/drupal/drupal_boost.conf b/guix/etc/nginx/apps/drupal/drupal_boost.conf
new file mode 100644
index 0000000..1cb10e1
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/drupal_boost.conf
@@ -0,0 +1,377 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for using Boost with Drupal. This
+### configuration makes use of drush (http:///drupal.org/project/drush)
+### for site maintenance and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$no_slash_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ add_header Pragma '';
+ add_header Cache-Control 'public, max-age=946080000';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+ flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ }
+ }
+
+ ## Replicate the Apache <FilesMatch> directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the @cache if not found.
+ try_files $uri @cache;
+}
+
+## We define a named location for the cache.
+location @cache {
+ ## Boost compresses can the pages so we check it. Comment it out
+ ## if you don't have it enabled in Boost.
+ gzip_static on;
+
+ ## Error page handler for the case where $no_cache is 1. POST
+ ## request or authenticated.
+ error_page 418 = @drupal;
+
+ ## If $no_cache is 1 then it means that either we have a session
+ ## cookie or that the request method is POST. So serve the dynamic
+ ## page.
+ if ($no_cache) {
+ return 418; # I'm a teapot/I can't get no cachifaction
+ }
+
+ ## No caching for POST requests.
+ if ($request_method = POST) {
+ return 418;
+ }
+
+ # Now for some header tweaking. We use a date that differs
+ # from stock Drupal. Everyone seems to be using their
+ # birthdate. Why go against the grain?
+ add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT";
+ # We bypass all delays in the post-check and pre-check
+ # parameters of Cache-Control. Both set to 0.
+ add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
+ # Funny...perhaps. Egocentric? Damn right!;
+ add_header X-Header "Boost Helás Avril 1.0";
+ ## Boost doesn't set a charset.
+ charset utf-8;
+
+ # We try each boost URI in succession, if every one of them
+ # fails then relay to Drupal.
+ try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$uri.html /cache/$host/0${uri}/index.html @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache/index.php?q=$uri&$args;
+ #proxy_set_header Connection '';
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+ track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
+## Boost stats.
+location = /boost_stats.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
diff --git a/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf b/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf
new file mode 100644
index 0000000..36f5d98
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf
@@ -0,0 +1,382 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for using Boost with Drupal. This
+### configuration makes use of drush (http:///drupal.org/project/drush)
+### for site maintenance and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## To avoid the ugly rewrite we use Lua to escape the URI.
+set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)';
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$no_slash_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ add_header Pragma '';
+ add_header Cache-Control 'public, max-age=946080000';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+ flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+ }
+ }
+
+ ## Replicate the Apache <FilesMatch> directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the @cache if not found.
+ try_files $escaped_uri @cache;
+}
+
+## We define a named location for the cache.
+location @cache {
+ ## Boost compresses can the pages so we check it. Comment it out
+ ## if you don't have it enabled in Boost.
+ gzip_static on;
+
+ ## Error page handler for the case where $no_cache is 1. POST
+ ## request or authenticated.
+ error_page 418 = @drupal;
+
+ ## If $no_cache is 1 then it means that either we have a session
+ ## cookie or that the request method is POST. So serve the dynamic
+ ## page.
+ if ($no_cache) {
+ return 418; # I'm a teapot/I can't get no cachifaction
+ }
+
+ ## No caching for POST requests.
+ if ($request_method = POST) {
+ return 418;
+ }
+
+ # Now for some header tweaking. We use a date that differs
+ # from stock Drupal. Everyone seems to be using their
+ # birthdate. Why go against the grain?
+ add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT";
+ # We bypass all delays in the post-check and pre-check
+ # parameters of Cache-Control. Both set to 0.
+ add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
+ # Funny...perhaps. Egocentric? Damn right!;
+ add_header X-Header "Boost Helás Avril 1.0";
+ ## Boost doesn't set a charset.
+ charset utf-8;
+
+ # We try each boost URI in succession, if every one of them
+ # fails then relay to Drupal.
+ try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$escaped_uri.html /cache/$host/0${uri}/index.html @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args;
+ #proxy_set_header Connection '';
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+ track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
+## Boost stats.
+location = /boost_stats.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+ #proxy_set_header Connection '';
+}
+
diff --git a/guix/etc/nginx/apps/drupal/drupal_cron_update.conf b/guix/etc/nginx/apps/drupal/drupal_cron_update.conf
new file mode 100644
index 0000000..55500e9
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/drupal_cron_update.conf
@@ -0,0 +1,40 @@
+# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration file for Drupal if you're not using drush to update your site or run cron.
+
+## XMLRPC. Comment out if not enabled.
+location = /xmlrpc.php {
+ fastcgi_pass phpcgi;
+ # To use Apache for serving PHP uncomment the line bellow and
+ # comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+## Restrict cron access to a specific host.
+location = /cron.php {
+ ## If not allowed to run cron then issue a 404 and redirect to the
+ ## site root.
+ if ($not_allowed_cron) {
+ return 404 /;
+ }
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+## Run the update from the web interface with Drupal 7.
+location = /authorize.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+location = /update.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
diff --git a/guix/etc/nginx/apps/drupal/drupal_escaped.conf b/guix/etc/nginx/apps/drupal/drupal_escaped.conf
new file mode 100644
index 0000000..db08cc0
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/drupal_escaped.conf
@@ -0,0 +1,347 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for Drupal. This configuration makes use of
+### drush (http:///drupal.org/project/drush) for site maintenance
+### and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## To avoid the ugly rewrite we use Lua to escape the URI.
+set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)';
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$no_slash_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ ## Set the OS file cache.
+ open_file_cache max=3000 inactive=120s;
+ open_file_cache_valid 45s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+ flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ }
+ }
+
+ ## Replicate the Apache <FilesMatch> directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the /index.php?q=$escaped_uri&$args if not found.
+ try_files $escaped_uri @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+ include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args;
+ #proxy_set_header Connection '';
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+ track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+ include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
diff --git a/guix/etc/nginx/apps/drupal/drupal_install.conf b/guix/etc/nginx/apps/drupal/drupal_install.conf
new file mode 100644
index 0000000..1f4f11b
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/drupal_install.conf
@@ -0,0 +1,16 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Directives for installing drupal. This is for drupal 6 and 7.
+
+location = /install.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+}
+
+## This is for drupal 8. There's a new location for the install file.
+location = /core/install.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+}
diff --git a/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf b/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf
new file mode 100644
index 0000000..843fb06
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf
@@ -0,0 +1,23 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
+### Drupal 7 configuration for the Nginx Upload Progress module:
+### https://github.com/masterzen/nginx-upload-progress-module
+### This requires the Filefield Nginx Progress module:
+### http://drupal.org/project/filefield_nginx_progress.
+
+## The Nginx module wants ?X-Progress-ID query parameter so
+## that it report the progress of the upload through a GET
+## request. But the drupal form element makes use of clean
+## URLs in the POST.
+
+location ~ (?<upload_form_uri>.*)/x-progress-id:(?<upload_id>\d*) {
+ rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id;
+}
+
+## Now the above rewrite must be matched by a location that
+## activates it and references the above defined upload
+## tracking zone.
+location ^~ /progress {
+ upload_progress_json_output;
+ report_uploads uploads;
+}
diff --git a/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf b/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf
new file mode 100644
index 0000000..be59f85
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf
@@ -0,0 +1,43 @@
+#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### fastcgi configuration for serving private files.
+## 1. Parameters.
+fastcgi_param QUERY_STRING q=$uri&$args;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME /index.php;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+## PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or
+## later. The if_not_empty flag was introduced in 1.1.11. See:
+## http://nginx.org/en/CHANGES. If using a version that doesn't
+## support this comment out the line below.
+fastcgi_param HTTPS $fastcgi_https if_not_empty;
+## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
+#fastcgi_param HTTPS $fastcgi_https;
+
+## 2. Nginx FCGI specific directives.
+fastcgi_buffers 256 4k;
+fastcgi_intercept_errors on;
+## Allow 4 hrs - pass timeout responsibility to upstream.
+fastcgi_read_timeout 14400;
+fastcgi_index index.php;
+## Hide the X-Drupal-Cache header provided by Pressflow.
+fastcgi_hide_header 'X-Drupal-Cache';
+## Hide the Drupal 7 header X-Generator.
+fastcgi_hide_header 'X-Generator';
diff --git a/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf b/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf
new file mode 100644
index 0000000..683e4ce
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf
@@ -0,0 +1,43 @@
+#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### fastcgi configuration for serving private files.
+## 1. Parameters.
+fastcgi_param QUERY_STRING q=$uri;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME /index.php;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+## PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or
+## later. The if_not_empty flag was introduced in 1.1.11. See:
+## http://nginx.org/en/CHANGES. If using a version that doesn't
+## support this comment out the line below.
+fastcgi_param HTTPS $fastcgi_https if_not_empty;
+## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
+#fastcgi_param HTTPS $fastcgi_https;
+
+## 2. Nginx FCGI specific directives.
+fastcgi_buffers 256 4k;
+fastcgi_intercept_errors on;
+## Allow 4 hrs - pass timeout responsibility to upstream.
+fastcgi_read_timeout 14400;
+fastcgi_index index.php;
+## Hide the X-Drupal-Cache header provided by Pressflow.
+fastcgi_hide_header 'X-Drupal-Cache';
+## Hide the Drupal 7 header X-Generator.
+fastcgi_hide_header 'X-Generator';
diff --git a/guix/etc/nginx/apps/drupal/hotlinking_protection.conf b/guix/etc/nginx/apps/drupal/hotlinking_protection.conf
new file mode 100644
index 0000000..f2926e1
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/hotlinking_protection.conf
@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Hotlinking protection for images. Include it in any context you
+### want. Adjust the list of allowed referers to your liking.
+
+valid_referers none blocked *.example.com *.google.com my.site.com;
+
+if ($invalid_referer) {
+ return 200 "No image hotlinking allowed!\n";
+}
diff --git a/guix/etc/nginx/apps/drupal/map_cache.conf b/guix/etc/nginx/apps/drupal/map_cache.conf
new file mode 100644
index 0000000..8166fcd
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/map_cache.conf
@@ -0,0 +1,39 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
+### Testing if we should be serving content from cache or not. This is
+### needed for any Drupal setup that uses an external cache.
+
+## Let Ajax calls go through.
+map $uri $no_cache_ajax {
+ default 0;
+ /system/ajax 1;
+}
+
+## Testing for the session cookie being present. If there is then no
+## caching is to be done. Note that this is for someone using either
+## Drupal 7 pressflow or stock Drupal 6 core with no_anon
+## (http://drupal.org/project/no_anon).
+map $http_cookie $no_cache_cookie {
+ default 0;
+ ~SESS 1; # PHP session cookie
+}
+
+## Combine both results to get the cache bypassing mapping.
+map $no_cache_ajax$no_cache_cookie $no_cache {
+ default 1;
+ 00 0;
+}
+
+## If you're using stock Drupal 6 without no_anon, i.e., there's a
+## session cookie being served even to anonymous users, then uncomment
+## the three lines below and comment the above map directive
+# map $http_cookie $no_cache {
+# default 0;
+# ~DRUPAL_UID 1; # DRUPAL_UID cookie set by Boost
+# }
+
+## Set a cache_uid variable for authenticated users.
+map $http_cookie $cache_uid {
+ default nil; # hommage to Lisp :)
+ ~SESS[[:alnum:]]+=(?<session_id>[[:graph:]]+) $session_id;
+}
diff --git a/guix/etc/nginx/apps/drupal/microcache_fcgi.conf b/guix/etc/nginx/apps/drupal/microcache_fcgi.conf
new file mode 100644
index 0000000..e7e8184
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/microcache_fcgi.conf
@@ -0,0 +1,39 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+fastcgi_cache microcache;
+## The cache key.
+fastcgi_cache_key $scheme$request_method$host$request_uri;
+
+## For 200 and 301 make the cache valid for 1s seconds.
+fastcgi_cache_valid 200 301 1s;
+## For 302 make it valid for 1 minute.
+fastcgi_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+fastcgi_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+fastcgi_ignore_headers Cache-Control Expires;
+## Bypass the cache.
+fastcgi_cache_bypass $no_cache;
+fastcgi_no_cache $no_cache;
+
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock
+## Cache locking mechanism for protecting the backend of too many
+## simultaneous requests.
+#fastcgi_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+#fastcgi_cache_lock_timeout 8000; # in miliseconds.
diff --git a/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf b/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf
new file mode 100644
index 0000000..7b2b7c3
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf
@@ -0,0 +1,51 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+## The cache zone referenced.
+fastcgi_cache microcache;
+## The cache key.
+fastcgi_cache_key $cache_uid@$scheme$request_method$host$request_uri;
+
+## For 200 and 301 make the cache valid for 15s.
+fastcgi_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+fastcgi_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+fastcgi_cache_valid 404 1s;
+## If there are any upstream errors use whatever it is available.
+fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+fastcgi_ignore_headers Cache-Control Expires;
+fastcgi_pass_header Set-Cookie;
+fastcgi_pass_header Cookie;
+## Bypass the cache.
+# fastcgi_cache_bypass $no_auth_cache;
+# fastcgi_no_cache $no_auth_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock
+## Cache locking mechanism for protecting the backend of too many
+## simultaneous requests.
+#fastcgi_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+#fastcgi_cache_lock_timeout 8000; # in miliseconds.
diff --git a/guix/etc/nginx/apps/drupal/microcache_proxy.conf b/guix/etc/nginx/apps/drupal/microcache_proxy.conf
new file mode 100644
index 0000000..6708684
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/microcache_proxy.conf
@@ -0,0 +1,53 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+proxy_cache microcache;
+## The cache key.
+proxy_cache_key $host$request_uri;
+
+## For 200 and 301 make the cache valid for 15 seconds.
+proxy_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+proxy_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+proxy_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+proxy_ignore_headers Cache-Control Expires;
+## Bypass the cache.
+proxy_cache_bypass $no_cache;
+proxy_no_cache $no_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock.
+## Cache locking mechanism for protecting the backendof too many
+## simultaneous requests.
+#proxy_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+# proxy_cache_lock_timeout 8000; # in miliseconds.
diff --git a/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf b/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf
new file mode 100644
index 0000000..e351b1b
--- /dev/null
+++ b/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf
@@ -0,0 +1,54 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+proxy_cache microcache;
+## The cache key.
+proxy_cache_key $cache_uid@$host$request_uri;
+
+## For 200 and 301 make the cache valid for 15 seconds.
+proxy_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+proxy_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+proxy_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+proxy_ignore_headers Cache-Control Expires;
+proxy_pass_header Set-Cookie;
+proxy_pass_header Cookie;
+## Bypass the cache.
+proxy_cache_bypass $no_auth_cache;
+proxy_no_cache $no_auth_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock.
+## Cache locking mechanism for protecting the backendof too many
+## simultaneous requests.
+#proxy_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+# proxy_cache_lock_timeout 8000; # in miliseconds.
diff --git a/guix/etc/nginx/conf.d/favicon_robots b/guix/etc/nginx/conf.d/favicon_robots
new file mode 100644
index 0000000..3c6e417
--- /dev/null
+++ b/guix/etc/nginx/conf.d/favicon_robots
@@ -0,0 +1,11 @@
+location = /robots.txt {
+ root /var/www/robots-favicon;
+}
+
+location = /favicon.ico {
+ root /var/www/robots-favicon;
+}
+
+location = /static/web-common/favicon-taler.ico {
+ alias /var/www/robots-favicon/favicon.ico;
+}
diff --git a/guix/etc/nginx/conf.d/talerssl b/guix/etc/nginx/conf.d/talerssl
new file mode 100644
index 0000000..3c33de6
--- /dev/null
+++ b/guix/etc/nginx/conf.d/talerssl
@@ -0,0 +1,14 @@
+ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Content-Type-Options "nosniff";
+add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://buildbot.taler.net";
+add_header Referrer-Policy "same-origin";
diff --git a/guix/etc/nginx/fastcgi.conf b/guix/etc/nginx/fastcgi.conf
new file mode 100644
index 0000000..091738c
--- /dev/null
+++ b/guix/etc/nginx/fastcgi.conf
@@ -0,0 +1,26 @@
+
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/guix/etc/nginx/fastcgi_params b/guix/etc/nginx/fastcgi_params
new file mode 100644
index 0000000..28decb9
--- /dev/null
+++ b/guix/etc/nginx/fastcgi_params
@@ -0,0 +1,25 @@
+
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/guix/etc/nginx/koi-utf b/guix/etc/nginx/koi-utf
new file mode 100644
index 0000000..e7974ff
--- /dev/null
+++ b/guix/etc/nginx/koi-utf
@@ -0,0 +1,109 @@
+
+# This map is not a full koi8-r <> utf8 map: it does not contain
+# box-drawing and some other characters. Besides this map contains
+# several koi8-u and Byelorussian letters which are not in koi8-r.
+# If you need a full and standard map, use contrib/unicode2nginx/koi-utf
+# map instead.
+
+charset_map koi8-r utf-8 {
+
+ 80 E282AC ; # euro
+
+ 95 E280A2 ; # bullet
+
+ 9A C2A0 ; # &nbsp;
+
+ 9E C2B7 ; # &middot;
+
+ A3 D191 ; # small yo
+ A4 D194 ; # small Ukrainian ye
+
+ A6 D196 ; # small Ukrainian i
+ A7 D197 ; # small Ukrainian yi
+
+ AD D291 ; # small Ukrainian soft g
+ AE D19E ; # small Byelorussian short u
+
+ B0 C2B0 ; # &deg;
+
+ B3 D081 ; # capital YO
+ B4 D084 ; # capital Ukrainian YE
+
+ B6 D086 ; # capital Ukrainian I
+ B7 D087 ; # capital Ukrainian YI
+
+ B9 E28496 ; # numero sign
+
+ BD D290 ; # capital Ukrainian soft G
+ BE D18E ; # capital Byelorussian short U
+
+ BF C2A9 ; # (C)
+
+ C0 D18E ; # small yu
+ C1 D0B0 ; # small a
+ C2 D0B1 ; # small b
+ C3 D186 ; # small ts
+ C4 D0B4 ; # small d
+ C5 D0B5 ; # small ye
+ C6 D184 ; # small f
+ C7 D0B3 ; # small g
+ C8 D185 ; # small kh
+ C9 D0B8 ; # small i
+ CA D0B9 ; # small j
+ CB D0BA ; # small k
+ CC D0BB ; # small l
+ CD D0BC ; # small m
+ CE D0BD ; # small n
+ CF D0BE ; # small o
+
+ D0 D0BF ; # small p
+ D1 D18F ; # small ya
+ D2 D180 ; # small r
+ D3 D181 ; # small s
+ D4 D182 ; # small t
+ D5 D183 ; # small u
+ D6 D0B6 ; # small zh
+ D7 D0B2 ; # small v
+ D8 D18C ; # small soft sign
+ D9 D18B ; # small y
+ DA D0B7 ; # small z
+ DB D188 ; # small sh
+ DC D18D ; # small e
+ DD D189 ; # small shch
+ DE D187 ; # small ch
+ DF D18A ; # small hard sign
+
+ E0 D0AE ; # capital YU
+ E1 D090 ; # capital A
+ E2 D091 ; # capital B
+ E3 D0A6 ; # capital TS
+ E4 D094 ; # capital D
+ E5 D095 ; # capital YE
+ E6 D0A4 ; # capital F
+ E7 D093 ; # capital G
+ E8 D0A5 ; # capital KH
+ E9 D098 ; # capital I
+ EA D099 ; # capital J
+ EB D09A ; # capital K
+ EC D09B ; # capital L
+ ED D09C ; # capital M
+ EE D09D ; # capital N
+ EF D09E ; # capital O
+
+ F0 D09F ; # capital P
+ F1 D0AF ; # capital YA
+ F2 D0A0 ; # capital R
+ F3 D0A1 ; # capital S
+ F4 D0A2 ; # capital T
+ F5 D0A3 ; # capital U
+ F6 D096 ; # capital ZH
+ F7 D092 ; # capital V
+ F8 D0AC ; # capital soft sign
+ F9 D0AB ; # capital Y
+ FA D097 ; # capital Z
+ FB D0A8 ; # capital SH
+ FC D0AD ; # capital E
+ FD D0A9 ; # capital SHCH
+ FE D0A7 ; # capital CH
+ FF D0AA ; # capital hard sign
+}
diff --git a/guix/etc/nginx/koi-win b/guix/etc/nginx/koi-win
new file mode 100644
index 0000000..72afabe
--- /dev/null
+++ b/guix/etc/nginx/koi-win
@@ -0,0 +1,103 @@
+
+charset_map koi8-r windows-1251 {
+
+ 80 88 ; # euro
+
+ 95 95 ; # bullet
+
+ 9A A0 ; # &nbsp;
+
+ 9E B7 ; # &middot;
+
+ A3 B8 ; # small yo
+ A4 BA ; # small Ukrainian ye
+
+ A6 B3 ; # small Ukrainian i
+ A7 BF ; # small Ukrainian yi
+
+ AD B4 ; # small Ukrainian soft g
+ AE A2 ; # small Byelorussian short u
+
+ B0 B0 ; # &deg;
+
+ B3 A8 ; # capital YO
+ B4 AA ; # capital Ukrainian YE
+
+ B6 B2 ; # capital Ukrainian I
+ B7 AF ; # capital Ukrainian YI
+
+ B9 B9 ; # numero sign
+
+ BD A5 ; # capital Ukrainian soft G
+ BE A1 ; # capital Byelorussian short U
+
+ BF A9 ; # (C)
+
+ C0 FE ; # small yu
+ C1 E0 ; # small a
+ C2 E1 ; # small b
+ C3 F6 ; # small ts
+ C4 E4 ; # small d
+ C5 E5 ; # small ye
+ C6 F4 ; # small f
+ C7 E3 ; # small g
+ C8 F5 ; # small kh
+ C9 E8 ; # small i
+ CA E9 ; # small j
+ CB EA ; # small k
+ CC EB ; # small l
+ CD EC ; # small m
+ CE ED ; # small n
+ CF EE ; # small o
+
+ D0 EF ; # small p
+ D1 FF ; # small ya
+ D2 F0 ; # small r
+ D3 F1 ; # small s
+ D4 F2 ; # small t
+ D5 F3 ; # small u
+ D6 E6 ; # small zh
+ D7 E2 ; # small v
+ D8 FC ; # small soft sign
+ D9 FB ; # small y
+ DA E7 ; # small z
+ DB F8 ; # small sh
+ DC FD ; # small e
+ DD F9 ; # small shch
+ DE F7 ; # small ch
+ DF FA ; # small hard sign
+
+ E0 DE ; # capital YU
+ E1 C0 ; # capital A
+ E2 C1 ; # capital B
+ E3 D6 ; # capital TS
+ E4 C4 ; # capital D
+ E5 C5 ; # capital YE
+ E6 D4 ; # capital F
+ E7 C3 ; # capital G
+ E8 D5 ; # capital KH
+ E9 C8 ; # capital I
+ EA C9 ; # capital J
+ EB CA ; # capital K
+ EC CB ; # capital L
+ ED CC ; # capital M
+ EE CD ; # capital N
+ EF CE ; # capital O
+
+ F0 CF ; # capital P
+ F1 DF ; # capital YA
+ F2 D0 ; # capital R
+ F3 D1 ; # capital S
+ F4 D2 ; # capital T
+ F5 D3 ; # capital U
+ F6 C6 ; # capital ZH
+ F7 C2 ; # capital V
+ F8 DC ; # capital soft sign
+ F9 DB ; # capital Y
+ FA C7 ; # capital Z
+ FB D8 ; # capital SH
+ FC DD ; # capital E
+ FD D9 ; # capital SHCH
+ FE D7 ; # capital CH
+ FF DA ; # capital hard sign
+}
diff --git a/guix/etc/nginx/mime.types b/guix/etc/nginx/mime.types
new file mode 100644
index 0000000..89be9a4
--- /dev/null
+++ b/guix/etc/nginx/mime.types
@@ -0,0 +1,89 @@
+
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+ image/svg+xml svg svgz;
+ image/webp webp;
+
+ application/font-woff woff;
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/guix/etc/nginx/nginx.conf b/guix/etc/nginx/nginx.conf
new file mode 100644
index 0000000..13e8724
--- /dev/null
+++ b/guix/etc/nginx/nginx.conf
@@ -0,0 +1,79 @@
+user nginx;
+worker_processes 4;
+pid /var/run/nginx.pid;
+
+include etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ log_format main '$remote_addr - $remote_user [$time_local] $host '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
+ access_log /var/log/nginx/access.log main;
+ error_log /var/log/nginx/error.log notice;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ # This isn't entirely correct since it does
+ # not consider the weighting of languages, but
+ # for now it's good enough.
+ map $http_accept_language $index_redirect_uri {
+ default "en";
+ # prefer language that's first in the list
+ ~^en "en";
+ ~^de "de";
+ ~^fr "fr";
+ ~^es "it";
+ # if none matches, take one later in the list
+ ~,en "en";
+ ~,de "de";
+ ~,fr "fr";
+ ~,es "it";
+ }
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include etc/nginx/conf.d/*.conf;
+ include etc/nginx/sites-enabled/*.site;
+}
diff --git a/guix/etc/nginx/proxy_params b/guix/etc/nginx/proxy_params
new file mode 100644
index 0000000..df75bc5
--- /dev/null
+++ b/guix/etc/nginx/proxy_params
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/guix/etc/nginx/scgi_params b/guix/etc/nginx/scgi_params
new file mode 100644
index 0000000..6d4ce4f
--- /dev/null
+++ b/guix/etc/nginx/scgi_params
@@ -0,0 +1,17 @@
+
+scgi_param REQUEST_METHOD $request_method;
+scgi_param REQUEST_URI $request_uri;
+scgi_param QUERY_STRING $query_string;
+scgi_param CONTENT_TYPE $content_type;
+
+scgi_param DOCUMENT_URI $document_uri;
+scgi_param DOCUMENT_ROOT $document_root;
+scgi_param SCGI 1;
+scgi_param SERVER_PROTOCOL $server_protocol;
+scgi_param REQUEST_SCHEME $scheme;
+scgi_param HTTPS $https if_not_empty;
+
+scgi_param REMOTE_ADDR $remote_addr;
+scgi_param REMOTE_PORT $remote_port;
+scgi_param SERVER_PORT $server_port;
+scgi_param SERVER_NAME $server_name;
diff --git a/guix/etc/nginx/sites-available/blog-demo.site b/guix/etc/nginx/sites-available/blog-demo.site
new file mode 100644
index 0000000..a48a036
--- /dev/null
+++ b/guix/etc/nginx/sites-available/blog-demo.site
@@ -0,0 +1,43 @@
+server {
+ listen 80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ server_name blog.demo.taler.net;
+
+ root /home/demo/merchant/src/frontend_blog;
+ index index.html;
+
+ # Make site accessible from http://localhost/
+
+ location / {
+ try_files $uri $uri/ =404;
+ rewrite /taler/pay /pay.php;
+ rewrite /taler/contract /generate_taler_contract.php;
+
+ }
+
+ location /fullfillment {
+ rewrite /(.*) /$1.php;
+
+ }
+
+ location /articles {
+
+ internal;
+ }
+
+ location ~ \.php$ {
+
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+
+ }
+
+ location /backend {
+ rewrite /backend/(.*) /$1 break;
+ proxy_pass http://127.0.0.1:19966;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/guix/etc/nginx/sites-available/default.site b/guix/etc/nginx/sites-available/default.site
new file mode 100644
index 0000000..79e41e8
--- /dev/null
+++ b/guix/etc/nginx/sites-available/default.site
@@ -0,0 +1,86 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# http://wiki.nginx.org/Pitfalls
+# http://wiki.nginx.org/QuickStart
+# http://wiki.nginx.org/Configuration
+#
+# Generally, you will want to move this file somewhere, and start with a clean
+# file but keep this around for reference. Or just disable in sites-enabled.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # SSL configuration
+ #
+ # listen 443 ssl default_server;
+ # listen [::]:443 ssl default_server;
+ #
+ # Note: You should disable gzip for SSL traffic.
+ # See: https://bugs.debian.org/773332
+ #
+ # Read up on ssl_ciphers to ensure a secure configuration.
+ # See: https://bugs.debian.org/765782
+ #
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ #
+ # include snippets/snakeoil.conf;
+
+ root /var/www/html;
+
+ # Add index.php to the list if you are using PHP
+ index index.html index.htm index.nginx-debian.html;
+
+ server_name _;
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ =404;
+ }
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ #location ~ \.php$ {
+ # include snippets/fastcgi-php.conf;
+ #
+ # # With php5-cgi alone:
+ # fastcgi_pass 127.0.0.1:9000;
+ # # With php5-fpm:
+ # fastcgi_pass unix:/var/run/php5-fpm.sock;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+# listen 80;
+# listen [::]:80;
+#
+# server_name example.com;
+#
+# root /var/www/example.com;
+# index index.html;
+#
+# location / {
+# try_files $uri $uri/ =404;
+# }
+#}
diff --git a/guix/etc/nginx/sites-available/drupal-demo-ssl.site b/guix/etc/nginx/sites-available/drupal-demo-ssl.site
new file mode 100644
index 0000000..400020e
--- /dev/null
+++ b/guix/etc/nginx/sites-available/drupal-demo-ssl.site
@@ -0,0 +1,49 @@
+server {
+ listen 443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ server_name drupal.demo.taler.net;
+
+ root /home/demo/drupal-demo;
+
+ ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+
+ add_header Strict-Transport-Security "max-age=63072000; preload";
+
+ # Make site accessible from http://localhost/
+
+# location / {
+# try_files $uri $uri/ =404;
+# rewrite /taler/pay /pay.php;
+# rewrite /taler/contract /generate_taler_contract.php;
+# }
+
+# location /fullfillment {
+# rewrite /(.*) /$1.php;
+# }
+
+ location ~ \.php$ {
+ fastcgi_index index.php;
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+
+# location /backend {
+# rewrite /backend/(.*) /$1 break;
+# proxy_pass http://127.0.0.1:19966;
+# proxy_redirect off;
+# proxy_set_header Host $host;
+# }
+
+ client_max_body_size 10M;
+ client_body_buffer_size 128k;
+
+ include apps/drupal/drupal.conf;
+}
diff --git a/guix/etc/nginx/sites-available/drupal-demo.site b/guix/etc/nginx/sites-available/drupal-demo.site
new file mode 100644
index 0000000..d91c3f7
--- /dev/null
+++ b/guix/etc/nginx/sites-available/drupal-demo.site
@@ -0,0 +1,40 @@
+server {
+ listen 80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ server_name drupal.demo.taler.net;
+
+ root /home/demo/drupal-demo;
+
+ # Make site accessible from http://localhost/
+
+# location / {
+# try_files $uri $uri/ =404;
+# rewrite /taler/pay /pay.php;
+# rewrite /taler/contract /generate_taler_contract.php;
+# }
+
+# location /fullfillment {
+# rewrite /(.*) /$1.php;
+# }
+
+
+ location ~ \.php$ {
+ fastcgi_index index.php;
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+
+# location /backend {
+# rewrite /backend/(.*) /$1 break;
+# proxy_pass http://127.0.0.1:19966;
+# proxy_redirect off;
+# proxy_set_header Host $host;
+# }
+
+ client_max_body_size 10M;
+ client_body_buffer_size 128k;
+
+ include apps/drupal/drupal.conf;
+}
diff --git a/guix/etc/nginx/sites-available/ghm_videos.site b/guix/etc/nginx/sites-available/ghm_videos.site
new file mode 100644
index 0000000..c438e7f
--- /dev/null
+++ b/guix/etc/nginx/sites-available/ghm_videos.site
@@ -0,0 +1,25 @@
+server {
+ listen 80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/taler.net;
+
+ # Make site accessible from http://localhost/
+ server_name taler.net;
+ server_name www.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+
+# location / {
+# autoindex off;
+# ssi on;
+## ssi_last_modified on;
+# rewrite /citizens /citizens.html break;
+# rewrite /developers /developers.html break;
+# rewrite /merchants /merchants.html break;
+# rewrite /governments /governments.html break;
+# rewrite /investors /investors.html break;
+# rewrite /about /about.html break;
+# rewrite /news /news.html break;
+# }
+}
diff --git a/guix/etc/nginx/sites-available/www.git-ssl.site b/guix/etc/nginx/sites-available/www.git-ssl.site
new file mode 100644
index 0000000..4ac7cfa
--- /dev/null
+++ b/guix/etc/nginx/sites-available/www.git-ssl.site
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ # Make site accessible from http://localhost/
+ server_name www.git.taler.net;
+
+ include conf.d/talerssl;
+
+ location /index.cgi {
+ root /usr/share/gitweb/;
+
+ include fastcgi_params;
+ gzip off;
+ fastcgi_param SCRIPT_NAME $uri;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+
+ location / {
+ root /usr/share/gitweb/;
+ index index.cgi;
+ }
+}
diff --git a/guix/etc/nginx/sites-available/www.git.site b/guix/etc/nginx/sites-available/www.git.site
new file mode 100644
index 0000000..26679be
--- /dev/null
+++ b/guix/etc/nginx/sites-available/www.git.site
@@ -0,0 +1,24 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ # Make site accessible from http://localhost/
+ server_name www.git.taler.net;
+
+
+ location /index.cgi {
+ root /usr/share/gitweb/;
+
+ include fastcgi_params;
+ gzip off;
+ fastcgi_param SCRIPT_NAME $uri;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+
+ location / {
+ root /usr/share/gitweb/;
+ index index.cgi;
+ }
+}
diff --git a/guix/etc/nginx/sites-enabled/api-ssl.site b/guix/etc/nginx/sites-enabled/api-ssl.site
new file mode 100644
index 0000000..6f5fd69
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/api-ssl.site
@@ -0,0 +1,9 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ server_name api.taler.net
+ www.api.taler.net;
+ rewrite ^ https://docs.taler.net$request_uri? permanent;
+}
diff --git a/guix/etc/nginx/sites-enabled/api.site b/guix/etc/nginx/sites-enabled/api.site
new file mode 100644
index 0000000..21e7efe
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/api.site
@@ -0,0 +1,8 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name api.taler.net
+ www.api.taler.net;
+
+ rewrite ^ https://docs.taler.net$request_uri? permanent;
+}
diff --git a/guix/etc/nginx/sites-enabled/buildbot-ssl.site b/guix/etc/nginx/sites-enabled/buildbot-ssl.site
new file mode 100644
index 0000000..ba998bb
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/buildbot-ssl.site
@@ -0,0 +1,23 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/buildbot/;
+
+ # Make site accessible from http://localhost/
+ server_name buildbot.taler.net;
+ server_name www.buildbot.taler.net;
+ server_name bb.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ proxy_pass http://127.0.0.1:8010;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/guix/etc/nginx/sites-enabled/buildbot.site b/guix/etc/nginx/sites-enabled/buildbot.site
new file mode 100644
index 0000000..77eb805
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/buildbot.site
@@ -0,0 +1,14 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/buildbot/;
+
+ # Make site accessible from http://localhost/
+ server_name buildbot.taler.net;
+ server_name www.buildbot.taler.net;
+ server_name bb.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
diff --git a/guix/etc/nginx/sites-enabled/decentralise-ssl.site b/guix/etc/nginx/sites-enabled/decentralise-ssl.site
new file mode 100644
index 0000000..9dd0470
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/decentralise-ssl.site
@@ -0,0 +1,14 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/decentralise;
+
+ # Make site accessible from http://localhost/
+ server_name www.decentralise.rennes.inria.fr;
+ server_name decentralise.rennes.inria.fr;
+ include conf.d/talerssl;
+
+ rewrite / http://www.inria.fr/en/teams/decentralise redirect;
+}
diff --git a/guix/etc/nginx/sites-enabled/decentralise.site b/guix/etc/nginx/sites-enabled/decentralise.site
new file mode 100644
index 0000000..b92fb0f
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/decentralise.site
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/decentralise;
+
+ # Make site accessible from http://localhost/
+ server_name www.decentralise.rennes.inria.fr;
+ server_name decentralise.rennes.inria.fr;
+
+ rewrite / http://www.inria.fr/en/teams/decentralise redirect;
+}
diff --git a/guix/etc/nginx/sites-enabled/default.site b/guix/etc/nginx/sites-enabled/default.site
new file mode 100644
index 0000000..e295383
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/default.site
@@ -0,0 +1,18 @@
+# matched when no other server name matches
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ # server name must simply something invalid ...
+ server_name _;
+ # drop connection, special nginx status code
+ return 444;
+}
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ include conf.d/talerssl;
+ # server name must simply something invalid ...
+ server_name _;
+ # drop connection, special nginx status code
+ return 444;
+}
diff --git a/guix/etc/nginx/sites-enabled/demo.site b/guix/etc/nginx/sites-enabled/demo.site
new file mode 100644
index 0000000..16d9698
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/demo.site
@@ -0,0 +1,159 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name demo.taler.net
+ bank.demo.taler.net
+ shop.demo.taler.net
+ donations.demo.taler.net
+ survey.demo.taler.net
+ auditor.demo.taler.net
+ exchange.demo.taler.net;
+
+ # 301-based ridirects allows the user agent to *change* the
+ # method used in the second request. This breaks all the API
+ # using POST, as some user agents do the second request using
+ # GET. 307 is meant to tell the user agent to not change the
+ # method in the second request.
+ if ($request_method = POST) { return 307 https://$host$request_uri; }
+ return 301 https://$host$request_uri;
+
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name auditor.demo.taler.net;
+ include conf.d/talerssl;
+ location / {
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ recursive_error_pages on;
+ root /home/demo/auditor;
+ }
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name demo.taler.net www.demo.taler.net;
+ rewrite /javascript /javascript.html break;
+ include conf.d/talerssl;
+ location / {
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ root /home/demo/landing/demo;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name exchange.demo.taler.net;
+ root /dev/null;
+ include conf.d/talerssl;
+
+ location /admin {
+ proxy_pass http://unix:/home/demo/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ proxy_pass http://unix:/home/demo/sockets/exchange.http:/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen 80;
+ listen [::]:443 ssl;
+ listen [::]:80;
+ server_name backend.demo.taler.net;
+ include conf.d/talerssl;
+
+ location /public {
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.demo.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/demo/sockets/merchant.http:/public;
+ }
+
+ location / {
+ # match the ApiKey part ignoring case, and the actual key
+ # with case-sensitivity on.
+ if ($http_authorization !~ "(?i)ApiKey (?-i)sandbox") {
+ return 401;
+ }
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.demo.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/demo/sockets/merchant.http:/;
+ }
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name donations.demo.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name shop.demo.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name survey.demo.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/survey.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name bank.demo.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/guix/etc/nginx/sites-enabled/docs-ssl.site b/guix/etc/nginx/sites-enabled/docs-ssl.site
new file mode 100644
index 0000000..923d703
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/docs-ssl.site
@@ -0,0 +1,69 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ # Temporary, as this doesn't do i18n
+ root /home/docbuilder/build/docs-landing/;
+
+ # Make site accessible from http://localhost/
+ server_name docs.taler.net
+ www.docs.taler.net;
+
+ include conf.d/talerssl;
+
+ location / {
+ autoindex off;
+ ssi off;
+# ssi_last_modified on;
+
+
+ rewrite ^/$ /$index_redirect_uri/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ }
+
+
+ location /code/exchange {
+ alias /home/docbuilder/build/exchange/doxygen;
+ }
+
+ location /code/merchant {
+ alias /home/docbuilder/build/merchant-backend/doxygen;
+ }
+
+ location /onboarding {
+ alias /home/docbuilder/build/onboarding/;
+ }
+
+ location /bank {
+ alias /home/docbuilder/build/bank/manual;
+ }
+
+ location /backoffice {
+ alias /home/docbuilder/build/backoffice/;
+ }
+
+ location /exchange {
+ alias /home/docbuilder/build/exchange/manual;
+ }
+
+ location /merchant/backend {
+ alias /home/docbuilder/build/merchant-backend/manual;
+ }
+
+ location /merchant/frontend {
+ alias /home/docbuilder/build/merchant-frontend/;
+ }
+
+ location /api {
+ autoindex off;
+ alias /home/docbuilder/build/api/html;
+ }
+
+ # Associated to /api route.
+ location /_static {
+ alias /home/docbuilder/api/html/_static;
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/guix/etc/nginx/sites-enabled/docs.site b/guix/etc/nginx/sites-enabled/docs.site
new file mode 100644
index 0000000..8e01608
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/docs.site
@@ -0,0 +1,7 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name docs.taler.net;
+
+ rewrite ^ https://$host$request_uri? permanent;
+}
diff --git a/guix/etc/nginx/sites-enabled/env.site b/guix/etc/nginx/sites-enabled/env.site
new file mode 100644
index 0000000..fbe31aa
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/env.site
@@ -0,0 +1,85 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name env.taler.net;
+ rewrite ^ https://$host$request_uri? permanent;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name env.taler.net;
+ include conf.d/talerssl;
+ root /dev/null;
+ # rewrite_log on;
+
+ # add trailing slashes to apps
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)$ /$user/$app/ redirect;
+ # add trailing slashes to user
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)$ /$user/ redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/$ /$user/en/ redirect;
+
+ # aliases to get from one page to the other
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/landing /$user/ redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/bank /$user/bank redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/shop /$user/shop redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/donations /$user/donations redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/survey /$user/survey redirect;
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/exchange/(?<req>.*) {
+ proxy_pass http://unix:/home/$user/sockets/exchange.http:/$req$is_args$args;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/merchant-backend/(?<req>.*) {
+ proxy_pass http://unix:/home/$user/sockets/merchant.http:/$req;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/bank(?<req>/?.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/bank/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/shop(?<req>/?.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/shop/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/donations(?<req>/.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/donations/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)(?<req>/.*|)$ {
+ # add index.html
+ rewrite ^/(.*)/(..)/$ /$1/$2/index.html last;
+ # strip /user/
+ rewrite ^/([a-zA-Z0-9-_]+)/(.*)$ /$2 break;
+ root /home/$user/landing/demo;
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/auditor(?<req>/.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/auditor.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/survey(?<req>/.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/survey.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/guix/etc/nginx/sites-enabled/gauger-ssl.site b/guix/etc/nginx/sites-enabled/gauger-ssl.site
new file mode 100644
index 0000000..e889b59
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/gauger-ssl.site
@@ -0,0 +1,18 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/gauger/;
+
+ # Make site accessible from http://localhost/
+ server_name gauger.taler.net;
+ server_name www.gauger.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ proxy_pass http://localhost:1801;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/guix/etc/nginx/sites-enabled/gauger.site b/guix/etc/nginx/sites-enabled/gauger.site
new file mode 100644
index 0000000..967f9e9
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/gauger.site
@@ -0,0 +1,17 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/gauger/;
+
+ # Make site accessible from http://localhost/
+ server_name gauger.taler.net;
+ server_name www.gauger.taler.net;
+
+ location / {
+ proxy_pass http://localhost:1801;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/guix/etc/nginx/sites-enabled/git-ssl.site b/guix/etc/nginx/sites-enabled/git-ssl.site
new file mode 100644
index 0000000..673ced5
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/git-ssl.site
@@ -0,0 +1,31 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name git.taler.net;
+ include conf.d/talerssl;
+
+ access_log /var/log/nginx/git.taler.net_access.log;
+ error_log /var/log/nginx/git.taler.net_error.log notice;
+
+ location ~ ^(.*?)\.git/(HEAD|info/refs|objects/.*|git-upload-pack)$ {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ fastcgi_param GIT_PROJECT_ROOT /home/git/repositories;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+
+ location /cgit {
+ root /var/www;
+ }
+
+ location / {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /var/www/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+}
diff --git a/guix/etc/nginx/sites-enabled/git.site b/guix/etc/nginx/sites-enabled/git.site
new file mode 100644
index 0000000..4c0c9ea
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/git.site
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name git.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
diff --git a/guix/etc/nginx/sites-enabled/intranet-ssl.site b/guix/etc/nginx/sites-enabled/intranet-ssl.site
new file mode 100644
index 0000000..3390403
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/intranet-ssl.site
@@ -0,0 +1,15 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name intranet.taler.net;
+ include conf.d/talerssl;
+ location / {
+ proxy_pass http://127.0.0.1:8018;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header HTTPS on;
+ }
+}
diff --git a/guix/etc/nginx/sites-enabled/intranet.site b/guix/etc/nginx/sites-enabled/intranet.site
new file mode 100644
index 0000000..66217db
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/intranet.site
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ # Make site accessible from http://localhost/
+ server_name intranet.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
diff --git a/guix/etc/nginx/sites-enabled/lcov-ssl.site b/guix/etc/nginx/sites-enabled/lcov-ssl.site
new file mode 100644
index 0000000..0620bfe
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/lcov-ssl.site
@@ -0,0 +1,20 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/lcov.taler.net/;
+
+ # Make site accessible from http://localhost/
+ server_name lcov.taler.net;
+ server_name www.lcov.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ autoindex on;
+ ssi off;
+# ssi_last_modified on;
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/guix/etc/nginx/sites-enabled/lcov.site b/guix/etc/nginx/sites-enabled/lcov.site
new file mode 100644
index 0000000..979c387
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/lcov.site
@@ -0,0 +1,19 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/lcov.taler.net/;
+
+ # Make site accessible from http://localhost/
+ server_name lcov.taler.net;
+ server_name www.lcov.taler.net;
+
+ location / {
+ autoindex on;
+ ssi off;
+# ssi_last_modified on;
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/guix/etc/nginx/sites-enabled/sandbox.site b/guix/etc/nginx/sites-enabled/sandbox.site
new file mode 100644
index 0000000..9e32b17
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/sandbox.site
@@ -0,0 +1,20 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name sandbox.taler.net *.sandbox.taler.net;
+ rewrite ^ https://$host$request_uri? permanent;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name sandbox.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ root /home/sandbox/sandbox_landing/;
+ autoindex off;
+ index index.html;
+ }
+}
diff --git a/guix/etc/nginx/sites-enabled/test.site b/guix/etc/nginx/sites-enabled/test.site
new file mode 100644
index 0000000..7c4f847
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/test.site
@@ -0,0 +1,379 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name test.taler.net
+ bank.test.taler.net
+ shop.test.taler.net
+ donations.test.taler.net
+ survey.test.taler.net
+ auditor.test.taler.net
+ exchange.test.taler.net
+ backoffice.test.taler.net;
+
+ # 301-based ridirects allows the user agent to *change* the
+ # method used in the second request. This breaks all the API
+ # using POST, as some user agents do the second request using
+ # GET. 307 is meant to tell the user agent to not change the
+ # method in the second request.
+ if ($request_method = POST) { return 307 https://$host$request_uri; }
+ return 301 https://$host$request_uri;
+}
+
+server {
+ server_name test.taler.net www.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ rewrite /javascript /javascript.html break;
+ include conf.d/talerssl;
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ root /home/test-green/landing/demo;
+ }
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ root /home/test-blue/landing/demo;
+ }
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ root /home/test/landing/demo;
+ }
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name auditor.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ root /home/test-green/auditor;
+ }
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ root /home/test-blue/auditor;
+ }
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ root /home/test/auditor;
+ }
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name exchange.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+ location @blue-admin {
+ add_header X-Taler-Deployment-Color blue;
+ proxy_pass http://unix:/home/test-blue/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+ location @green-admin {
+ add_header X-Taler-Deployment-Color green;
+ proxy_pass http://unix:/home/test-green/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ proxy_pass http://unix:/home/test-blue/sockets/exchange.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ proxy_pass http://unix:/home/test-green/sockets/exchange.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location /admin {
+ error_page 418 = @blue-admin;
+ error_page 419 = @green-admin;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_pass http://unix:/home/test/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_pass http://unix:/home/test/sockets/exchange.http:/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
+
+
+server {
+ server_name shop.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name playground.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/playground.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/playground.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/playground.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name backend.test.taler.net;
+ listen 443 ssl;
+ listen 80;
+ listen [::]:443 ssl;
+ listen [::]:80;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ proxy_pass http://unix:/home/test-blue/sockets/merchant.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ proxy_pass http://unix:/home/test-green/sockets/merchant.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ }
+
+ location /public {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/test/sockets/merchant.http:/public;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+
+ # match the ApiKey part ignoring case, and the actual key
+ # with case-sensitivity on.
+ if ($http_authorization !~ "(?i)ApiKey (?-i)sandbox") {
+ return 401;
+ }
+
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/test/sockets/merchant.http:/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
+
+
+server {
+ server_name survey.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/test/sockets/survey.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+}
+
+server {
+ server_name donations.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name bank.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+server {
+ server_name backoffice.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/backoffice.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/backoffice.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/backoffice.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/guix/etc/nginx/sites-enabled/trollslayer.site b/guix/etc/nginx/sites-enabled/trollslayer.site
new file mode 100644
index 0000000..1767fe6
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/trollslayer.site
@@ -0,0 +1,16 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/trollslayer/;
+
+ # Make site accessible from http://localhost/
+ server_name trollslayer.decentralise.rennes.inria.fr;
+
+ location / {
+ proxy_pass http://gnunet.org:20070/shell/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/guix/etc/nginx/sites-enabled/www-ssl.site b/guix/etc/nginx/sites-enabled/www-ssl.site
new file mode 100644
index 0000000..d7776b3
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/www-ssl.site
@@ -0,0 +1,59 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ #listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+
+ # Make site accessible from http://localhost/
+ server_name taler.net;
+ server_name www.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ root /home/docbuilder/www.taler.net;
+ autoindex off;
+ ssi on;
+ #ssi_last_modified on;
+
+ rewrite ^/$ /$index_redirect_uri/ redirect;
+
+ rewrite ^/(..)/$ /$1/index.html break;
+
+ rewrite ^/(help/empty-wallet)$ /$1.html break;
+ rewrite ^/wallet-installation\.html$ /en/wallet.html redirect;
+ # just to get around cached old redirect
+ rewrite ^/wallet\.en\.html$ /en/wallet.html redirect;
+ rewrite ^/wallet$ /en/wallet.html redirect;
+ rewrite ^/press$ /en/press.html redirect;
+ }
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
+
+
+ # Note: this will go to /var/www/(videos|releases), which we took out of Git
+ location /videos {
+ root /var/www;
+ expires max;
+ }
+
+ location ~* /videos/.*\.(png|jpg|ogv|webm|gif|svg)$ {
+ root /var/www;
+ expires max;
+ }
+
+ location /releases {
+ root /var/www;
+ autoindex on;
+ }
+
+ location /files {
+ root /var/www;
+ }
+}
diff --git a/guix/etc/nginx/sites-enabled/www-stage.site b/guix/etc/nginx/sites-enabled/www-stage.site
new file mode 100644
index 0000000..e8a988b
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/www-stage.site
@@ -0,0 +1,78 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /home/docbuilder/stage.taler.net;
+
+ # Make site accessible from http://localhost/
+ server_name stage.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ #listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+
+ # Make site accessible from http://localhost/
+ server_name stage.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ root /home/docbuilder/stage.taler.net;
+ autoindex off;
+
+ rewrite ^/$ /$index_redirect_uri/ redirect;
+
+ rewrite ^/(..)/$ /$1/index.html break;
+
+ rewrite ^/(help/empty-wallet)$ /$1.html break;
+ rewrite ^/wallet-installation\.html$ /en/wallet.html redirect;
+ # just to get around cached old redirect
+ rewrite ^/wallet\.en\.html$ /en/wallet.html redirect;
+ rewrite ^/wallet$ /en/wallet.html redirect;
+ rewrite ^/press$ /en/press.html redirect;
+
+ }
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
+
+
+ # Note: this will go to /var/www/(videos|releases), which we took out of Git
+ location /videos {
+ root /var/www;
+ expires max;
+ }
+
+ location ~* /videos/.*\.(png|jpg|ogv|webm|gif|svg)$ {
+ root /var/www;
+ expires max;
+ }
+
+ # FIXME: this location newest files are from Oct'16
+ location /releases {
+ root /var/www;
+ autoindex on;
+ }
+
+ location /files {
+ root /var/www;
+ }
+
+ location ~* \.(png|jpg|jpeg|gif|ico|svg|js|css)$ {
+ root /home/docbuilder/stage.taler.net;
+ expires 1y;
+ }
+
+
+}
diff --git a/guix/etc/nginx/sites-enabled/www.git-ssl.site b/guix/etc/nginx/sites-enabled/www.git-ssl.site
new file mode 100644
index 0000000..5ba4831
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/www.git-ssl.site
@@ -0,0 +1,11 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name www.git.taler.net;
+ include conf.d/talerssl;
+
+ rewrite ^ https://git.taler.net/ permanent;
+}
diff --git a/guix/etc/nginx/sites-enabled/www.git.site b/guix/etc/nginx/sites-enabled/www.git.site
new file mode 100644
index 0000000..645923f
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/www.git.site
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name www.git.taler.net;
+
+ rewrite ^ https://git.taler.net/ permanent;
+}
diff --git a/guix/etc/nginx/sites-enabled/www.site b/guix/etc/nginx/sites-enabled/www.site
new file mode 100644
index 0000000..ae178e5
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/www.site
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /home/docbuilder/www.taler.net;
+
+ # Make site accessible from http://localhost/
+ server_name taler.net;
+ server_name www.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
diff --git a/guix/etc/nginx/uwsgi_params b/guix/etc/nginx/uwsgi_params
new file mode 100644
index 0000000..09c732c
--- /dev/null
+++ b/guix/etc/nginx/uwsgi_params
@@ -0,0 +1,17 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
diff --git a/guix/etc/nginx/win-utf b/guix/etc/nginx/win-utf
new file mode 100644
index 0000000..774fd9f
--- /dev/null
+++ b/guix/etc/nginx/win-utf
@@ -0,0 +1,125 @@
+# This map is not a full windows-1251 <> utf8 map: it does not
+# contain Serbian and Macedonian letters. If you need a full map,
+# use contrib/unicode2nginx/win-utf map instead.
+
+charset_map windows-1251 utf-8 {
+
+ 82 E2809A; # single low-9 quotation mark
+
+ 84 E2809E; # double low-9 quotation mark
+ 85 E280A6; # ellipsis
+ 86 E280A0; # dagger
+ 87 E280A1; # double dagger
+ 88 E282AC; # euro
+ 89 E280B0; # per mille
+
+ 91 E28098; # left single quotation mark
+ 92 E28099; # right single quotation mark
+ 93 E2809C; # left double quotation mark
+ 94 E2809D; # right double quotation mark
+ 95 E280A2; # bullet
+ 96 E28093; # en dash
+ 97 E28094; # em dash
+
+ 99 E284A2; # trade mark sign
+
+ A0 C2A0; # &nbsp;
+ A1 D18E; # capital Byelorussian short U
+ A2 D19E; # small Byelorussian short u
+
+ A4 C2A4; # currency sign
+ A5 D290; # capital Ukrainian soft G
+ A6 C2A6; # borken bar
+ A7 C2A7; # section sign
+ A8 D081; # capital YO
+ A9 C2A9; # (C)
+ AA D084; # capital Ukrainian YE
+ AB C2AB; # left-pointing double angle quotation mark
+ AC C2AC; # not sign
+ AD C2AD; # soft hypen
+ AE C2AE; # (R)
+ AF D087; # capital Ukrainian YI
+
+ B0 C2B0; # &deg;
+ B1 C2B1; # plus-minus sign
+ B2 D086; # capital Ukrainian I
+ B3 D196; # small Ukrainian i
+ B4 D291; # small Ukrainian soft g
+ B5 C2B5; # micro sign
+ B6 C2B6; # pilcrow sign
+ B7 C2B7; # &middot;
+ B8 D191; # small yo
+ B9 E28496; # numero sign
+ BA D194; # small Ukrainian ye
+ BB C2BB; # right-pointing double angle quotation mark
+
+ BF D197; # small Ukrainian yi
+
+ C0 D090; # capital A
+ C1 D091; # capital B
+ C2 D092; # capital V
+ C3 D093; # capital G
+ C4 D094; # capital D
+ C5 D095; # capital YE
+ C6 D096; # capital ZH
+ C7 D097; # capital Z
+ C8 D098; # capital I
+ C9 D099; # capital J
+ CA D09A; # capital K
+ CB D09B; # capital L
+ CC D09C; # capital M
+ CD D09D; # capital N
+ CE D09E; # capital O
+ CF D09F; # capital P
+
+ D0 D0A0; # capital R
+ D1 D0A1; # capital S
+ D2 D0A2; # capital T
+ D3 D0A3; # capital U
+ D4 D0A4; # capital F
+ D5 D0A5; # capital KH
+ D6 D0A6; # capital TS
+ D7 D0A7; # capital CH
+ D8 D0A8; # capital SH
+ D9 D0A9; # capital SHCH
+ DA D0AA; # capital hard sign
+ DB D0AB; # capital Y
+ DC D0AC; # capital soft sign
+ DD D0AD; # capital E
+ DE D0AE; # capital YU
+ DF D0AF; # capital YA
+
+ E0 D0B0; # small a
+ E1 D0B1; # small b
+ E2 D0B2; # small v
+ E3 D0B3; # small g
+ E4 D0B4; # small d
+ E5 D0B5; # small ye
+ E6 D0B6; # small zh
+ E7 D0B7; # small z
+ E8 D0B8; # small i
+ E9 D0B9; # small j
+ EA D0BA; # small k
+ EB D0BB; # small l
+ EC D0BC; # small m
+ ED D0BD; # small n
+ EE D0BE; # small o
+ EF D0BF; # small p
+
+ F0 D180; # small r
+ F1 D181; # small s
+ F2 D182; # small t
+ F3 D183; # small u
+ F4 D184; # small f
+ F5 D185; # small kh
+ F6 D186; # small ts
+ F7 D187; # small ch
+ F8 D188; # small sh
+ F9 D189; # small shch
+ FA D18A; # small hard sign
+ FB D18B; # small y
+ FC D18C; # small soft sign
+ FD D18D; # small e
+ FE D18E; # small yu
+ FF D18F; # small ya
+}