diff options
65 files changed, 4124 insertions, 0 deletions
diff --git a/guix/etc/aliases b/guix/etc/aliases new file mode 100644 index 0000000..cfa1be0 --- /dev/null +++ b/guix/etc/aliases @@ -0,0 +1,109 @@ +# See man 5 aliases for format +postmaster: root +root: admin + +# Executive team +ceo: leon +cto: grothoff +cfo: clevel +clevel: ceo,cto + +# Generic contact address +contact: mail +mail: ceo,cto,sva + +# All system admins +admin: grothoff,dold,stanisci + +# Contact for translators +translation-volunteer: admin + +# Feedback +demo-feedback: admin +wallet: florian,tg +taler-bb: mstan +buildfailures: mstan,florian,grothoff + +# Special +protonmail: grothoff + +# ??? +msw: tg + +# For investors +invest: grothoff + +# Twitter registration (ask grothoff for PW if desired) +twitter: grothoff + +# Web server +www-data: grothoff,marcello + +# Language teams +it: marcello,fabrizio.biondi@inria.fr +fr: marcello, cecile.gayet95@gmail.com +de: grothoff,florian,sva,skuegel@web.de +es: martin.olivera@gmail.com,chicadelaire@gmail.com,fumiko@futeisha.org,severo@rednegra.net +cz: skuegel@web.de +tn: os@vink-io.com +ru: axel.denielt@gmail.com + +# All language teams (to notify about new text) +translation-updates: it,de,fr,es,cz,tn,ru + +################################################## + +# Personal aliases +nana: nana_void@riseup.net +nk: nana +karlstetter: nana +nana.karlstetter: nana + +grothoff: grothoff@gnunet.org +christian: grothoff +christian.grothoff: grothoff +cg: grothoff + +leon: leon.schumacher@digitalekho.com +schumacher: leon +leon.schumacher: leon +ls: leon + +michael: michael.widmer@brinogroup.ch +widmer: michael +mw: michael +michael.widmer: michael + +tg: *@tg-x.net + +sva: g@besva.de +laengle: sva +bernadette: sva +bernadette.laengle: sva + +totakura: totakura@gnunet.org +sreeharsha.totakura: totakura + +dold: dold@in.tum.de +florian: dold +florian.dold: dold + +carlo: lynX@the.internet.is.psyced.org + +ben: benedikt.mueller@sys24.org +mueller: ben +ben.mueller: ben + +onete: cristina.onete@gmail.com +cristina: onete +cristina.onete: onete + +burdges: burdges@gnunet.org +jeff: burdges +jeff.burdges: burdges + +mstan: marcello.stanisci@inria.fr +marcello: mstan +stanisci: mstan + + diff --git a/guix/etc/cgitrc b/guix/etc/cgitrc new file mode 100644 index 0000000..4ddaf0c --- /dev/null +++ b/guix/etc/cgitrc @@ -0,0 +1,73 @@ +# +# cgit config +# see cgitrc(5) for details +#readme=:README +virtual-root=/ +#cache-size=1000 + +# Highlight source code with python pygments-based highlighter +source-filter=/home/git/bin/cgit-syntax-highlighting.sh + +# Format org-mode, markdown, restructuredtext, manpages, text files, and html files +about-filter=/home/git/bin/cgit-about-formatting.sh +#about-filter=/usr/lib/cgit/filters/about-formatting.sh + +enable-filter-overrides=1 + +css=/cgit/cgit.css +logo=/cgit/cgit.png + +strict-export=git-daemon-export-ok +scan-path=/home/git/repositories + +clone-prefix=https://git.taler.net git://git.taler.net ssh://git@taler.net + +snapshots=tar.gz zip + +root-title=TALER Git Repositories +root-desc=Source code of various TALER-related projects +root-readme=/home/git/repositories/README.html +footer=/home/git/repositories/FOOTER.html + +readme=:README.org +readme=:readme.org +readme=:README.md +readme=:readme.md +readme=:README.mkd +readme=:readme.mkd +readme=:README.rst +readme=:readme.rst +readme=:README.html +readme=:readme.html +readme=:README.htm +readme=:readme.htm +readme=:README.txt +readme=:readme.txt +readme=:README +readme=:readme +readme=:INSTALL.org +readme=:install.org +readme=:INSTALL.md +readme=:install.md +readme=:INSTALL.mkd +readme=:install.mkd +readme=:INSTALL.rst +readme=:install.rst +readme=:INSTALL.html +readme=:install.html +readme=:INSTALL.htm +readme=:install.htm +readme=:INSTALL.txt +readme=:install.txt +readme=:INSTALL +readme=:install + + +# MIME types for serving raw content +mimetype.html=text/html +mimetype.gif=image/gif +mimetype.jpg=image/jpeg +mimetype.jpeg=image/jpeg +mimetype.png=image/png +mimetype.svg=image/svg+xml +mimetype.pdf=application/pdf diff --git a/guix/etc/nginx/apps/drupal/admin_basic_auth.conf b/guix/etc/nginx/apps/drupal/admin_basic_auth.conf new file mode 100644 index 0000000..cc796ce --- /dev/null +++ b/guix/etc/nginx/apps/drupal/admin_basic_auth.conf @@ -0,0 +1,12 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- + +## Protect the /admin URIs with a basic auth. +location ^~ /admin { + auth_basic "Restricted access"; #realm + auth_basic_user_file .htpasswd-users; + + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; +} diff --git a/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf b/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf new file mode 100644 index 0000000..bdb3dd9 --- /dev/null +++ b/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf @@ -0,0 +1,10 @@ +# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +### Configuration file for specifying which hosts can invoke Drupal's +### cron. This only applies if you're not using drush to run cron. + +geo $not_allowed_cron { + default 1; + ## Add your set of hosts. + 127.0.0.1 0; # allow the localhost + 192.168.1.0/24 0; # allow on an internal network +} diff --git a/guix/etc/nginx/apps/drupal/drupal.conf b/guix/etc/nginx/apps/drupal/drupal.conf new file mode 100644 index 0000000..e65024f --- /dev/null +++ b/guix/etc/nginx/apps/drupal/drupal.conf @@ -0,0 +1,347 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +### Nginx configuration for Drupal. This configuration makes use of +### drush (http:///drupal.org/project/drush) for site maintenance +### and like tasks: +### +### 1. Run the cronjobs. +### 2. Run the DB and code updates: drush up or drush upc followed by +### drush updb to run any DB updates required by the code upgrades +### that were performed. +### 3. Disabling of xmlrpc.xml, install.php (needed only for +### installing the site) and update.php: all updates are now +### handled through drush. + +## The 'default' location. +location / { + + ## Drupal 404 from can impact performance. If using a module like + ## search404 then 404's *have *to be handled by Drupal. Uncomment to + ## relay the handling of 404's to Drupal. + ## error_page 404 /index.php; + + ## Using a nested location is the 'correct' way to use regexes. + + ## Regular private file serving (i.e. handled by Drupal). + location ^~ /system/files/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the two lines below. + #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## Trying to access private files directly returns a 404. + location ^~ /sites/default/files/private/ { + internal; + } + + ## Support for the file_force module + ## http://drupal.org/project/file_force. + location ^~ /system/files_force/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the two lines below. + #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## If accessing an image generated by Drupal 6 imagecache, serve it + ## directly if available, if not relay the request to Drupal to (re)generate + ## the image. + location ~* /imagecache/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $uri @drupal; + } + + ## Drupal 7 generated image handling, i.e., imagecache in core. See: + ## http://drupal.org/node/371374. + location ~* /files/styles/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $uri @drupal; + } + + ## Advanced Aggregation module CSS + ## support. http://drupal.org/project/advagg. + location ^~ /sites/default/files/advagg_css/ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { + access_log off; + try_files $uri @drupal; + } + } + + ## Advanced Aggregation module JS + ## support. http://drupal.org/project/advagg. + location ^~ /sites/default/files/advagg_js/ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { + access_log off; + try_files $uri @drupal; + } + } + + ## All static files will be served directly. + location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { + + access_log off; + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + ## Set the OS file cache. + open_file_cache max=3000 inactive=120s; + open_file_cache_valid 45s; + open_file_cache_min_uses 2; + open_file_cache_errors off; + } + + ## PDFs and powerpoint files handling. + location ~* ^.+\.(?:pdf|pptx?)$ { + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + } + + ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. + location ^~ /sites/default/files/audio/mp3 { + location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; +# aio on; + output_buffers 1 2M; + } + } + + location ^~ /sites/default/files/audio/ogg { + location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; +# aio on; + output_buffers 1 2M; + } + } + + ## Pseudo streaming of FLV files: + ## http://wiki.nginx.org/HttpFlvStreamModule. + ## If pseudo streaming isn't working, try to comment + ## out in nginx.conf line with: + ## add_header X-Frame-Options SAMEORIGIN; + location ^~ /sites/default/files/video/flv { + location ~* ^/sites/default/files/video/flv/.*\.flv$ { +# flv; + } + } + + ## Pseudo streaming of H264/AAC files. This requires an Nginx + ## version greater or equal to 1.0.7 for the stable branch and + ## greater or equal to 1.1.3 for the development branch. + ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. + location ^~ /sites/default/files/video/mp4 { # videos + location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { +# mp4; +# mp4_buffer_size 1M; +# mp4_max_buffer_size 5M; + } + } + + location ^~ /sites/default/files/audio/m4a { # audios + location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { +# mp4; +# mp4_buffer_size 1M; +# mp4_max_buffer_size 5M; + } + } + + ## Advanced Help module makes each module provided README available. + location ^~ /help/ { + location ~* ^/help/[^/]*/README\.txt$ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the two lines below. + #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; + } + } + + ## Replicate the Apache <FilesMatch> directive of Drupal standard + ## .htaccess. Disable access to any code files. Return a 404 to curtail + ## information disclosure. Hide also the text files. + location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { + return 404; + } + + ## First we try the URI and relay to the /index.php?q=$uri&$args if not found. + try_files $uri @drupal; +} + +########### Security measures ########## + +## Uncomment the line below if you want to enable basic auth for +## access to all /admin URIs. Note that this provides much better +## protection if use HTTPS. Since it can easily be eavesdropped if you +## use HTTP. +#include apps/drupal/admin_basic_auth.conf; + +## Restrict access to the strictly necessary PHP files. Reducing the +## scope for exploits. Handling of PHP code and the Drupal event loop. +location @drupal { + ## Include the FastCGI config. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## FastCGI microcache. +# include apps/drupal/microcache_fcgi.conf; + ## FCGI microcache for authenticated users also. + #include apps/drupal/microcache_fcgi_auth.conf; + + ## If proxying to apache comment the two lines above and + ## uncomment the two lines below. + #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; + + ## Proxy microcache. + #include apps/drupal/microcache_proxy.conf; + ## Proxy microcache for authenticated users also. + #include apps/drupal/microcache_proxy_auth.conf; + + ## Filefield Upload progress + ## http://drupal.org/project/filefield_nginx_progress support + ## through the NginxUploadProgress modules. +# track_uploads uploads 60s; +} + +location @drupal-no-args { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_no_args_drupal.conf; + fastcgi_pass phpcgi; + + ## FastCGI microcache. +# include apps/drupal/microcache_fcgi.conf; + ## FCGI microcache for authenticated users also. + #include apps/drupal/microcache_fcgi_auth.conf; + + ## If proxying to apache comment the two lines above and + ## uncomment the two lines below. + #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; + + ## Proxy microcache. + #include apps/drupal/microcache_proxy.conf; + ## Proxy microcache for authenticated users also. + #include apps/drupal/microcache_proxy_auth.conf; +} + +## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return +## 404 as not to disclose information. +location ^~ /.bzr { + return 404; +} + +location ^~ /.git { + return 404; +} + +location ^~ /.hg { + return 404; +} + +location ^~ /.svn { + return 404; +} + +location ^~ /.cvs { + return 404; +} + +## Disallow access to patches directory. +location ^~ /patches { + return 404; +} + +## Disallow access to drush backup directory. +location ^~ /backup { + return 404; +} + +## Disable access logs for robots.txt. +location = /robots.txt { + access_log off; + ## Add support for the robotstxt module + ## http://drupal.org/project/robotstxt. + try_files $uri @drupal-no-args; +} + +## RSS feed support. +location = /rss.xml { + try_files $uri @drupal-no-args; +} + +## XML Sitemap support. +location = /sitemap.xml { + try_files $uri @drupal-no-args; +} + +## Support for favicon. Return an 1x1 transparent GIF if it doesn't +## exist. +location = /favicon.ico { + expires 30d; + try_files /favicon.ico @empty; +} + +## Return an in memory 1x1 transparent GIF. +location @empty { + expires 30d; + empty_gif; +} + +## Any other attempt to access PHP files returns a 404. +location ~* ^.+\.php$ { + return 404; +} + diff --git a/guix/etc/nginx/apps/drupal/drupal_boost.conf b/guix/etc/nginx/apps/drupal/drupal_boost.conf new file mode 100644 index 0000000..1cb10e1 --- /dev/null +++ b/guix/etc/nginx/apps/drupal/drupal_boost.conf @@ -0,0 +1,377 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +### Nginx configuration for using Boost with Drupal. This +### configuration makes use of drush (http:///drupal.org/project/drush) +### for site maintenance and like tasks: +### +### 1. Run the cronjobs. +### 2. Run the DB and code updates: drush up or drush upc followed by +### drush updb to run any DB updates required by the code upgrades +### that were performed. +### 3. Disabling of xmlrpc.xml, install.php (needed only for +### installing the site) and update.php: all updates are now +### handled through drush. + +## The 'default' location. +location / { + + ## Drupal 404 from can impact performance. If using a module like + ## search404 then 404's *have *to be handled by Drupal. Uncomment to + ## relay the handling of 404's to Drupal. + ## error_page 404 /index.php; + + ## Using a nested location is the 'correct' way to use regexes. + + ## Regular private file serving (i.e. handled by Drupal). + location ^~ /system/files/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## Trying to access private files directly returns a 404. + location ^~ /sites/default/files/private/ { + internal; + } + + ## Support for the file_force module + ## http://drupal.org/project/file_force. + location ^~ /system/files_force/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$no_slash_uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## If accessing an image generated by Drupal 6 imagecache, serve it + ## directly if available, if not relay the request to Drupal to (re)generate + ## the image. + location ~* /imagecache/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $uri @drupal; + } + + ## Drupal 7 generated image handling, i.e., imagecache in core. See: + ## http://drupal.org/node/371374. + location ~* /files/styles/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $uri @drupal; + } + + ## Advanced Aggregation module CSS + ## support. http://drupal.org/project/advagg. + location ^~ /sites/default/files/advagg_css/ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { + access_log off; + try_files $uri @drupal; + } + } + + ## Advanced Aggregation module JS + ## support. http://drupal.org/project/advagg. + location ^~ /sites/default/files/advagg_js/ { + add_header Pragma ''; + add_header Cache-Control 'public, max-age=946080000'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { + access_log off; + try_files $uri @drupal; + } + } + + ## All static files will be served directly. + location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { + access_log off; + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + } + + ## PDFs and powerpoint files handling. + location ~* ^.+\.(?:pdf|pptx?)$ { + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + } + + ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. + location ^~ /sites/default/files/audio/mp3 { + location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; + aio on; + output_buffers 1 2M; + } + } + + location ^~ /sites/default/files/audio/ogg { + location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; + aio on; + output_buffers 1 2M; + } + } + + ## Pseudo streaming of FLV files: + ## http://wiki.nginx.org/HttpFlvStreamModule. + ## If pseudo streaming isn't working, try to comment + ## out in nginx.conf line with: + ## add_header X-Frame-Options SAMEORIGIN; + location ^~ /sites/default/files/video/flv { + location ~* ^/sites/default/files/video/flv/.*\.flv$ { + flv; + } + } + + ## Pseudo streaming of H264/AAC files. This requires an Nginx + ## version greater or equal to 1.0.7 for the stable branch and + ## greater or equal to 1.1.3 for the development branch. + ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. + location ^~ /sites/default/files/video/mp4 { # videos + location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { + mp4; + mp4_buffer_size 1M; + mp4_max_buffer_size 5M; + } + } + + location ^~ /sites/default/files/audio/m4a { # audios + location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { + mp4; + mp4_buffer_size 1M; + mp4_max_buffer_size 5M; + } + } + + ## Advanced Help module makes each module provided README available. + location ^~ /help/ { + location ~* ^/help/[^/]*/README\.txt$ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$uri; + } + } + + ## Replicate the Apache <FilesMatch> directive of Drupal standard + ## .htaccess. Disable access to any code files. Return a 404 to curtail + ## information disclosure. Hide also the text files. + location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { + return 404; + } + + ## First we try the URI and relay to the @cache if not found. + try_files $uri @cache; +} + +## We define a named location for the cache. +location @cache { + ## Boost compresses can the pages so we check it. Comment it out + ## if you don't have it enabled in Boost. + gzip_static on; + + ## Error page handler for the case where $no_cache is 1. POST + ## request or authenticated. + error_page 418 = @drupal; + + ## If $no_cache is 1 then it means that either we have a session + ## cookie or that the request method is POST. So serve the dynamic + ## page. + if ($no_cache) { + return 418; # I'm a teapot/I can't get no cachifaction + } + + ## No caching for POST requests. + if ($request_method = POST) { + return 418; + } + + # Now for some header tweaking. We use a date that differs + # from stock Drupal. Everyone seems to be using their + # birthdate. Why go against the grain? + add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT"; + # We bypass all delays in the post-check and pre-check + # parameters of Cache-Control. Both set to 0. + add_header Cache-Control "must-revalidate, post-check=0, pre-check=0"; + # Funny...perhaps. Egocentric? Damn right!; + add_header X-Header "Boost Helás Avril 1.0"; + ## Boost doesn't set a charset. + charset utf-8; + + # We try each boost URI in succession, if every one of them + # fails then relay to Drupal. + try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$uri.html /cache/$host/0${uri}/index.html @drupal; +} + +########### Security measures ########## + +## Uncomment the line below if you want to enable basic auth for +## access to all /admin URIs. Note that this provides much better +## protection if use HTTPS. Since it can easily be eavesdropped if you +## use HTTP. +#include apps/drupal/admin_basic_auth.conf; + +## Restrict access to the strictly necessary PHP files. Reducing the +## scope for exploits. Handling of PHP code and the Drupal event loop. +location @drupal { + ## Include the FastCGI config. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## FCGI microcache for authenticated users also. + include apps/drupal/microcache_fcgi_auth.conf; + + ## To use Apache for serving PHP uncomment the line bellow and + ## comment out the above. + #proxy_pass http://phpapache/index.php?q=$uri&$args; + #proxy_set_header Connection ''; + ## Proxy microcache for authenticated users also. + #include apps/drupal/microcache_proxy_auth.conf; + + ## Filefield Upload progress + ## http://drupal.org/project/filefield_nginx_progress support + ## through the NginxUploadProgress modules. + track_uploads uploads 60s; +} + +location @drupal-no-args { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_no_args_drupal.conf; + fastcgi_pass phpcgi; + + ## FCGI microcache for authenticated users also. + include apps/drupal/microcache_fcgi_auth.conf; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; + + ## Proxy microcache for authenticated users also. + #include apps/drupal/microcache_proxy_auth.conf; +} + +## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return +## 404 as not to disclose information. +location ^~ /.bzr { + return 404; +} + +location ^~ /.git { + return 404; +} + +location ^~ /.hg { + return 404; +} + +location ^~ /.svn { + return 404; +} + +location ^~ /.cvs { + return 404; +} + +## Disallow access to patches directory. +location ^~ /patches { + return 404; +} + +## Disallow access to drush backup directory. +location ^~ /backup { + return 404; +} + +## Disable access logs for robots.txt. +location = /robots.txt { + access_log off; + ## Add support for the robotstxt module + ## http://drupal.org/project/robotstxt. + try_files $uri @drupal-no-args; +} + +## RSS feed support. +location = /rss.xml { + try_files $uri @drupal-no-args; +} + +## XML Sitemap support. +location = /sitemap.xml { + try_files $uri @drupal-no-args; +} + +## Support for favicon. Return an 1x1 transparent GIF if it doesn't +## exist. +location = /favicon.ico { + expires 30d; + try_files /favicon.ico @empty; +} + +## Return an in memory 1x1 transparent GIF. +location @empty { + expires 30d; + empty_gif; +} + +## Any other attempt to access PHP files returns a 404. +location ~* ^.+\.php$ { + return 404; +} + +## Boost stats. +location = /boost_stats.php { + fastcgi_pass phpcgi; + ## To use Apache for serving PHP uncomment the line bellow and + ## comment out the above. + #proxy_pass http://phpapache; +} + diff --git a/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf b/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf new file mode 100644 index 0000000..36f5d98 --- /dev/null +++ b/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf @@ -0,0 +1,382 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +### Nginx configuration for using Boost with Drupal. This +### configuration makes use of drush (http:///drupal.org/project/drush) +### for site maintenance and like tasks: +### +### 1. Run the cronjobs. +### 2. Run the DB and code updates: drush up or drush upc followed by +### drush updb to run any DB updates required by the code upgrades +### that were performed. +### 3. Disabling of xmlrpc.xml, install.php (needed only for +### installing the site) and update.php: all updates are now +### handled through drush. + +## To avoid the ugly rewrite we use Lua to escape the URI. +set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)'; + +## The 'default' location. +location / { + + ## Drupal 404 from can impact performance. If using a module like + ## search404 then 404's *have *to be handled by Drupal. Uncomment to + ## relay the handling of 404's to Drupal. + ## error_page 404 /index.php; + + ## Using a nested location is the 'correct' way to use regexes. + + ## Regular private file serving (i.e. handled by Drupal). + location ^~ /system/files/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## Trying to access private files directly returns a 404. + location ^~ /sites/default/files/private/ { + internal; + } + + ## Support for the file_force module + ## http://drupal.org/project/file_force. + location ^~ /system/files_force/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$no_slash_uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## If accessing an image generated by Drupal 6 imagecache, serve it + ## directly if available, if not relay the request to Drupal to (re)generate + ## the image. + location ~* /imagecache/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $escaped_uri @drupal; + } + + ## Drupal 7 generated image handling, i.e., imagecache in core. See: + ## http://drupal.org/node/371374. + location ~* /files/styles/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $escaped_uri @drupal; + } + + ## Advanced Aggregation module CSS + ## support. http://drupal.org/project/advagg. + location ^~ /sites/default/files/advagg_css/ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { + access_log off; + try_files $escaped_uri @drupal; + } + } + + ## Advanced Aggregation module JS + ## support. http://drupal.org/project/advagg. + location ^~ /sites/default/files/advagg_js/ { + add_header Pragma ''; + add_header Cache-Control 'public, max-age=946080000'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { + access_log off; + try_files $escaped_uri @drupal; + } + } + + ## All static files will be served directly. + location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { + access_log off; + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + } + + ## PDFs and powerpoint files handling. + location ~* ^.+\.(?:pdf|pptx?)$ { + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + } + + ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. + location ^~ /sites/default/files/audio/mp3 { + location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; + aio on; + output_buffers 1 2M; + } + } + + location ^~ /sites/default/files/audio/ogg { + location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; + aio on; + output_buffers 1 2M; + } + } + + ## Pseudo streaming of FLV files: + ## http://wiki.nginx.org/HttpFlvStreamModule. + ## If pseudo streaming isn't working, try to comment + ## out in nginx.conf line with: + ## add_header X-Frame-Options SAMEORIGIN; + location ^~ /sites/default/files/video/flv { + location ~* ^/sites/default/files/video/flv/.*\.flv$ { + flv; + } + } + + ## Pseudo streaming of H264/AAC files. This requires an Nginx + ## version greater or equal to 1.0.7 for the stable branch and + ## greater or equal to 1.1.3 for the development branch. + ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. + location ^~ /sites/default/files/video/mp4 { # videos + location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { + mp4; + mp4_buffer_size 1M; + mp4_max_buffer_size 5M; + } + } + + location ^~ /sites/default/files/audio/m4a { # audios + location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { + mp4; + mp4_buffer_size 1M; + mp4_max_buffer_size 5M; + } + } + + ## Advanced Help module makes each module provided README available. + location ^~ /help/ { + location ~* ^/help/[^/]*/README\.txt$ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; + } + } + + ## Replicate the Apache <FilesMatch> directive of Drupal standard + ## .htaccess. Disable access to any code files. Return a 404 to curtail + ## information disclosure. Hide also the text files. + location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { + return 404; + } + + ## First we try the URI and relay to the @cache if not found. + try_files $escaped_uri @cache; +} + +## We define a named location for the cache. +location @cache { + ## Boost compresses can the pages so we check it. Comment it out + ## if you don't have it enabled in Boost. + gzip_static on; + + ## Error page handler for the case where $no_cache is 1. POST + ## request or authenticated. + error_page 418 = @drupal; + + ## If $no_cache is 1 then it means that either we have a session + ## cookie or that the request method is POST. So serve the dynamic + ## page. + if ($no_cache) { + return 418; # I'm a teapot/I can't get no cachifaction + } + + ## No caching for POST requests. + if ($request_method = POST) { + return 418; + } + + # Now for some header tweaking. We use a date that differs + # from stock Drupal. Everyone seems to be using their + # birthdate. Why go against the grain? + add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT"; + # We bypass all delays in the post-check and pre-check + # parameters of Cache-Control. Both set to 0. + add_header Cache-Control "must-revalidate, post-check=0, pre-check=0"; + # Funny...perhaps. Egocentric? Damn right!; + add_header X-Header "Boost Helás Avril 1.0"; + ## Boost doesn't set a charset. + charset utf-8; + + # We try each boost URI in succession, if every one of them + # fails then relay to Drupal. + try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$escaped_uri.html /cache/$host/0${uri}/index.html @drupal; +} + +########### Security measures ########## + +## Uncomment the line below if you want to enable basic auth for +## access to all /admin URIs. Note that this provides much better +## protection if use HTTPS. Since it can easily be eavesdropped if you +## use HTTP. +#include apps/drupal/admin_basic_auth.conf; + +## Restrict access to the strictly necessary PHP files. Reducing the +## scope for exploits. Handling of PHP code and the Drupal event loop. +location @drupal { + ## Include the FastCGI config. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## FCGI microcache for authenticated users also. + include apps/drupal/microcache_fcgi_auth.conf; + + ## To use Apache for serving PHP uncomment the line bellow and + ## comment out the above. + #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args; + #proxy_set_header Connection ''; + ## Proxy microcache for authenticated users also. + #include apps/drupal/microcache_proxy_auth.conf; + + ## Filefield Upload progress + ## http://drupal.org/project/filefield_nginx_progress support + ## through the NginxUploadProgress modules. + track_uploads uploads 60s; +} + +location @drupal-no-args { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_no_args_drupal.conf; + fastcgi_pass phpcgi; + + ## FCGI microcache for authenticated users also. + include apps/drupal/microcache_fcgi_auth.conf; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; + + ## Proxy microcache for authenticated users also. + #include apps/drupal/microcache_proxy_auth.conf; +} + +## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return +## 404 as not to disclose information. +location ^~ /.bzr { + return 404; +} + +location ^~ /.git { + return 404; +} + +location ^~ /.hg { + return 404; +} + +location ^~ /.svn { + return 404; +} + +location ^~ /.cvs { + return 404; +} + +## Disallow access to patches directory. +location ^~ /patches { + return 404; +} + +## Disallow access to drush backup directory. +location ^~ /backup { + return 404; +} + +## Disable access logs for robots.txt. +location = /robots.txt { + access_log off; + ## Add support for the robotstxt module + ## http://drupal.org/project/robotstxt. + try_files $uri @drupal-no-args; +} + +## RSS feed support. +location = /rss.xml { + try_files $escaped_uri @drupal-no-args; +} + +## XML Sitemap support. +location = /sitemap.xml { + try_files $escaped_uri @drupal-no-args; +} + +## Support for favicon. Return an 1x1 transparent GIF if it doesn't +## exist. +location = /favicon.ico { + expires 30d; + try_files /favicon.ico @empty; +} + +## Return an in memory 1x1 transparent GIF. +location @empty { + expires 30d; + empty_gif; +} + +## Any other attempt to access PHP files returns a 404. +location ~* ^.+\.php$ { + return 404; +} + +## Boost stats. +location = /boost_stats.php { + fastcgi_pass phpcgi; + ## To use Apache for serving PHP uncomment the line bellow and + ## comment out the above. + #proxy_pass http://phpapache; + #proxy_set_header Connection ''; +} + diff --git a/guix/etc/nginx/apps/drupal/drupal_cron_update.conf b/guix/etc/nginx/apps/drupal/drupal_cron_update.conf new file mode 100644 index 0000000..55500e9 --- /dev/null +++ b/guix/etc/nginx/apps/drupal/drupal_cron_update.conf @@ -0,0 +1,40 @@ +# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +### Configuration file for Drupal if you're not using drush to update your site or run cron. + +## XMLRPC. Comment out if not enabled. +location = /xmlrpc.php { + fastcgi_pass phpcgi; + # To use Apache for serving PHP uncomment the line bellow and + # comment out the above. + #proxy_pass http://phpapache; +} + +## Restrict cron access to a specific host. +location = /cron.php { + ## If not allowed to run cron then issue a 404 and redirect to the + ## site root. + if ($not_allowed_cron) { + return 404 /; + } + fastcgi_pass phpcgi; + ## To use Apache for serving PHP uncomment the line bellow and + ## comment out the above. + #proxy_pass http://phpapache; +} + +## Run the update from the web interface with Drupal 7. +location = /authorize.php { + fastcgi_pass phpcgi; + ## To use Apache for serving PHP uncomment the line bellow and + ## comment out the above. + #proxy_pass http://phpapache; +} + +location = /update.php { + auth_basic "Restricted Access"; # auth realm + auth_basic_user_file .htpasswd-users; # htpasswd file + fastcgi_pass phpcgi; + ## To use Apache for serving PHP uncomment the line bellow and + ## comment out the above. + #proxy_pass http://phpapache; +} diff --git a/guix/etc/nginx/apps/drupal/drupal_escaped.conf b/guix/etc/nginx/apps/drupal/drupal_escaped.conf new file mode 100644 index 0000000..db08cc0 --- /dev/null +++ b/guix/etc/nginx/apps/drupal/drupal_escaped.conf @@ -0,0 +1,347 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +### Nginx configuration for Drupal. This configuration makes use of +### drush (http:///drupal.org/project/drush) for site maintenance +### and like tasks: +### +### 1. Run the cronjobs. +### 2. Run the DB and code updates: drush up or drush upc followed by +### drush updb to run any DB updates required by the code upgrades +### that were performed. +### 3. Disabling of xmlrpc.xml, install.php (needed only for +### installing the site) and update.php: all updates are now +### handled through drush. + +## To avoid the ugly rewrite we use Lua to escape the URI. +set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)'; + +## The 'default' location. +location / { + + ## Drupal 404 from can impact performance. If using a module like + ## search404 then 404's *have *to be handled by Drupal. Uncomment to + ## relay the handling of 404's to Drupal. + ## error_page 404 /index.php; + + ## Using a nested location is the 'correct' way to use regexes. + + ## Regular private file serving (i.e. handled by Drupal). + location ^~ /system/files/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## Trying to access private files directly returns a 404. + location ^~ /sites/default/files/private/ { + internal; + } + + ## Support for the file_force module + ## http://drupal.org/project/file_force. + location ^~ /system/files_force/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$no_slash_uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## If accessing an image generated by Drupal 6 imagecache, serve it + ## directly if available, if not relay the request to Drupal to (re)generate + ## the image. + location ~* /imagecache/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $escaped_uri @drupal; + } + + ## Drupal 7 generated image handling, i.e., imagecache in core. See: + ## http://drupal.org/node/371374. + location ~* /files/styles/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $escaped_uri @drupal; + } + + ## Advanced Aggregation module CSS + ## support. http://drupal.org/project/advagg. + location ^~ /sites/default/files/advagg_css/ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { + access_log off; + try_files $escaped_uri @drupal; + } + } + + ## Advanced Aggregation module JS + ## support. http://drupal.org/project/advagg. + location ^~ /sites/default/files/advagg_js/ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { + access_log off; + try_files $escaped_uri @drupal; + } + } + + ## All static files will be served directly. + location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { + access_log off; + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + ## Set the OS file cache. + open_file_cache max=3000 inactive=120s; + open_file_cache_valid 45s; + open_file_cache_min_uses 2; + open_file_cache_errors off; + } + + ## PDFs and powerpoint files handling. + location ~* ^.+\.(?:pdf|pptx?)$ { + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + } + + ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. + location ^~ /sites/default/files/audio/mp3 { + location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; + aio on; + output_buffers 1 2M; + } + } + + location ^~ /sites/default/files/audio/ogg { + location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; + aio on; + output_buffers 1 2M; + } + } + + ## Pseudo streaming of FLV files: + ## http://wiki.nginx.org/HttpFlvStreamModule. + ## If pseudo streaming isn't working, try to comment + ## out in nginx.conf line with: + ## add_header X-Frame-Options SAMEORIGIN; + location ^~ /sites/default/files/video/flv { + location ~* ^/sites/default/files/video/flv/.*\.flv$ { + flv; + } + } + + ## Pseudo streaming of H264/AAC files. This requires an Nginx + ## version greater or equal to 1.0.7 for the stable branch and + ## greater or equal to 1.1.3 for the development branch. + ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. + location ^~ /sites/default/files/video/mp4 { # videos + location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { + mp4; + mp4_buffer_size 1M; + mp4_max_buffer_size 5M; + } + } + + location ^~ /sites/default/files/audio/m4a { # audios + location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { + mp4; + mp4_buffer_size 1M; + mp4_max_buffer_size 5M; + } + } + + ## Advanced Help module makes each module provided README available. + location ^~ /help/ { + location ~* ^/help/[^/]*/README\.txt$ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$escaped_uri; + } + } + + ## Replicate the Apache <FilesMatch> directive of Drupal standard + ## .htaccess. Disable access to any code files. Return a 404 to curtail + ## information disclosure. Hide also the text files. + location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { + return 404; + } + + ## First we try the URI and relay to the /index.php?q=$escaped_uri&$args if not found. + try_files $escaped_uri @drupal; +} + +########### Security measures ########## + +## Uncomment the line below if you want to enable basic auth for +## access to all /admin URIs. Note that this provides much better +## protection if use HTTPS. Since it can easily be eavesdropped if you +## use HTTP. +#include apps/drupal/admin_basic_auth.conf; + +## Restrict access to the strictly necessary PHP files. Reducing the +## scope for exploits. Handling of PHP code and the Drupal event loop. +location @drupal { + ## Include the FastCGI config. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## FastCGI microcache. + include apps/drupal/microcache_fcgi.conf; + ## FCGI microcache for authenticated users also. + #include apps/drupal/microcache_fcgi_auth.conf; + + ## To use Apache for serving PHP uncomment the line bellow and + ## comment out the above. + #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args; + #proxy_set_header Connection ''; + ## Proxy microcache. + #include apps/drupal/microcache_proxy.conf; + ## Proxy microcache for authenticated users also. + #include apps/drupal/microcache_proxy_auth.conf; + + ## Filefield Upload progress + ## http://drupal.org/project/filefield_nginx_progress support + ## through the NginxUploadProgress modules. + track_uploads uploads 60s; +} + +location @drupal-no-args { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_no_args_drupal.conf; + fastcgi_pass phpcgi; + + ## FastCGI microcache. + include apps/drupal/microcache_fcgi.conf; + ## FCGI microcache for authenticated users also. + #include apps/drupal/microcache_fcgi_auth.conf; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; + + ## Proxy microcache. + #include apps/drupal/microcache_proxy.conf; + ## Proxy microcache for authenticated users also. + #include apps/drupal/microcache_proxy_auth.conf; +} + +## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return +## 404 as not to disclose information. +location ^~ /.bzr { + return 404; +} + +location ^~ /.git { + return 404; +} + +location ^~ /.hg { + return 404; +} + +location ^~ /.svn { + return 404; +} + +location ^~ /.cvs { + return 404; +} + +## Disallow access to patches directory. +location ^~ /patches { + return 404; +} + +## Disallow access to drush backup directory. +location ^~ /backup { + return 404; +} + +## Disable access logs for robots.txt. +location = /robots.txt { + access_log off; + ## Add support for the robotstxt module + ## http://drupal.org/project/robotstxt. + try_files $uri @drupal-no-args; +} + +## RSS feed support. +location = /rss.xml { + try_files $escaped_uri @drupal-no-args; +} + +## XML Sitemap support. +location = /sitemap.xml { + try_files $escaped_uri @drupal-no-args; +} + +## Support for favicon. Return an 1x1 transparent GIF if it doesn't +## exist. +location = /favicon.ico { + expires 30d; + try_files /favicon.ico @empty; +} + +## Return an in memory 1x1 transparent GIF. +location @empty { + expires 30d; + empty_gif; +} + +## Any other attempt to access PHP files returns a 404. +location ~* ^.+\.php$ { + return 404; +} + diff --git a/guix/etc/nginx/apps/drupal/drupal_install.conf b/guix/etc/nginx/apps/drupal/drupal_install.conf new file mode 100644 index 0000000..1f4f11b --- /dev/null +++ b/guix/etc/nginx/apps/drupal/drupal_install.conf @@ -0,0 +1,16 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- + +### Directives for installing drupal. This is for drupal 6 and 7. + +location = /install.php { + auth_basic "Restricted Access"; # auth realm + auth_basic_user_file .htpasswd-users; # htpasswd file + fastcgi_pass phpcgi; +} + +## This is for drupal 8. There's a new location for the install file. +location = /core/install.php { + auth_basic "Restricted Access"; # auth realm + auth_basic_user_file .htpasswd-users; # htpasswd file + fastcgi_pass phpcgi; +} diff --git a/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf b/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf new file mode 100644 index 0000000..843fb06 --- /dev/null +++ b/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf @@ -0,0 +1,23 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*- + +### Drupal 7 configuration for the Nginx Upload Progress module: +### https://github.com/masterzen/nginx-upload-progress-module +### This requires the Filefield Nginx Progress module: +### http://drupal.org/project/filefield_nginx_progress. + +## The Nginx module wants ?X-Progress-ID query parameter so +## that it report the progress of the upload through a GET +## request. But the drupal form element makes use of clean +## URLs in the POST. + +location ~ (?<upload_form_uri>.*)/x-progress-id:(?<upload_id>\d*) { + rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id; +} + +## Now the above rewrite must be matched by a location that +## activates it and references the above defined upload +## tracking zone. +location ^~ /progress { + upload_progress_json_output; + report_uploads uploads; +} diff --git a/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf b/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf new file mode 100644 index 0000000..be59f85 --- /dev/null +++ b/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf @@ -0,0 +1,43 @@ +#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +### fastcgi configuration for serving private files. +## 1. Parameters. +fastcgi_param QUERY_STRING q=$uri&$args; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME /index.php; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; +## PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; +fastcgi_param SCRIPT_FILENAME $document_root/index.php; +## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or +## later. The if_not_empty flag was introduced in 1.1.11. See: +## http://nginx.org/en/CHANGES. If using a version that doesn't +## support this comment out the line below. +fastcgi_param HTTPS $fastcgi_https if_not_empty; +## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above. +#fastcgi_param HTTPS $fastcgi_https; + +## 2. Nginx FCGI specific directives. +fastcgi_buffers 256 4k; +fastcgi_intercept_errors on; +## Allow 4 hrs - pass timeout responsibility to upstream. +fastcgi_read_timeout 14400; +fastcgi_index index.php; +## Hide the X-Drupal-Cache header provided by Pressflow. +fastcgi_hide_header 'X-Drupal-Cache'; +## Hide the Drupal 7 header X-Generator. +fastcgi_hide_header 'X-Generator'; diff --git a/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf b/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf new file mode 100644 index 0000000..683e4ce --- /dev/null +++ b/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf @@ -0,0 +1,43 @@ +#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +### fastcgi configuration for serving private files. +## 1. Parameters. +fastcgi_param QUERY_STRING q=$uri; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME /index.php; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; +## PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; +fastcgi_param SCRIPT_FILENAME $document_root/index.php; +## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or +## later. The if_not_empty flag was introduced in 1.1.11. See: +## http://nginx.org/en/CHANGES. If using a version that doesn't +## support this comment out the line below. +fastcgi_param HTTPS $fastcgi_https if_not_empty; +## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above. +#fastcgi_param HTTPS $fastcgi_https; + +## 2. Nginx FCGI specific directives. +fastcgi_buffers 256 4k; +fastcgi_intercept_errors on; +## Allow 4 hrs - pass timeout responsibility to upstream. +fastcgi_read_timeout 14400; +fastcgi_index index.php; +## Hide the X-Drupal-Cache header provided by Pressflow. +fastcgi_hide_header 'X-Drupal-Cache'; +## Hide the Drupal 7 header X-Generator. +fastcgi_hide_header 'X-Generator'; diff --git a/guix/etc/nginx/apps/drupal/hotlinking_protection.conf b/guix/etc/nginx/apps/drupal/hotlinking_protection.conf new file mode 100644 index 0000000..f2926e1 --- /dev/null +++ b/guix/etc/nginx/apps/drupal/hotlinking_protection.conf @@ -0,0 +1,10 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- + +### Hotlinking protection for images. Include it in any context you +### want. Adjust the list of allowed referers to your liking. + +valid_referers none blocked *.example.com *.google.com my.site.com; + +if ($invalid_referer) { + return 200 "No image hotlinking allowed!\n"; +} diff --git a/guix/etc/nginx/apps/drupal/map_cache.conf b/guix/etc/nginx/apps/drupal/map_cache.conf new file mode 100644 index 0000000..8166fcd --- /dev/null +++ b/guix/etc/nginx/apps/drupal/map_cache.conf @@ -0,0 +1,39 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*- + +### Testing if we should be serving content from cache or not. This is +### needed for any Drupal setup that uses an external cache. + +## Let Ajax calls go through. +map $uri $no_cache_ajax { + default 0; + /system/ajax 1; +} + +## Testing for the session cookie being present. If there is then no +## caching is to be done. Note that this is for someone using either +## Drupal 7 pressflow or stock Drupal 6 core with no_anon +## (http://drupal.org/project/no_anon). +map $http_cookie $no_cache_cookie { + default 0; + ~SESS 1; # PHP session cookie +} + +## Combine both results to get the cache bypassing mapping. +map $no_cache_ajax$no_cache_cookie $no_cache { + default 1; + 00 0; +} + +## If you're using stock Drupal 6 without no_anon, i.e., there's a +## session cookie being served even to anonymous users, then uncomment +## the three lines below and comment the above map directive +# map $http_cookie $no_cache { +# default 0; +# ~DRUPAL_UID 1; # DRUPAL_UID cookie set by Boost +# } + +## Set a cache_uid variable for authenticated users. +map $http_cookie $cache_uid { + default nil; # hommage to Lisp :) + ~SESS[[:alnum:]]+=(?<session_id>[[:graph:]]+) $session_id; +} diff --git a/guix/etc/nginx/apps/drupal/microcache_fcgi.conf b/guix/etc/nginx/apps/drupal/microcache_fcgi.conf new file mode 100644 index 0000000..e7e8184 --- /dev/null +++ b/guix/etc/nginx/apps/drupal/microcache_fcgi.conf @@ -0,0 +1,39 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- + +### Implementation of the microcache concept as presented here: +### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n + +## The cache zone referenced. +fastcgi_cache microcache; +## The cache key. +fastcgi_cache_key $scheme$request_method$host$request_uri; + +## For 200 and 301 make the cache valid for 1s seconds. +fastcgi_cache_valid 200 301 1s; +## For 302 make it valid for 1 minute. +fastcgi_cache_valid 302 1m; +## For 404 make it valid 1 second. +fastcgi_cache_valid 404 1s; +## If there are any upstream errors or the item has expired use +## whatever it is available. +fastcgi_cache_use_stale error timeout invalid_header updating http_500; +## The Cache-Control and Expires headers should be delivered untouched +## from the upstream to the client. +fastcgi_ignore_headers Cache-Control Expires; +## Bypass the cache. +fastcgi_cache_bypass $no_cache; +fastcgi_no_cache $no_cache; + +## To avoid any interaction with the cache control headers we expire +## everything on this location immediately. +expires epoch; + +## If you're using a Nginx version greater than 1.1.11 then uncomment +## the line below. See: +## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock +## Cache locking mechanism for protecting the backend of too many +## simultaneous requests. +#fastcgi_cache_lock on; +## The default timeout, i.e., the time to way before forwarding the +## second request upstream if no reply as arrived in the meantime is 5s. +#fastcgi_cache_lock_timeout 8000; # in miliseconds. diff --git a/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf b/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf new file mode 100644 index 0000000..7b2b7c3 --- /dev/null +++ b/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf @@ -0,0 +1,51 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- + +## The cache zone referenced. +fastcgi_cache microcache; +## The cache key. +fastcgi_cache_key $cache_uid@$scheme$request_method$host$request_uri; + +## For 200 and 301 make the cache valid for 15s. +fastcgi_cache_valid 200 301 15s; +## For 302 make it valid for 1 minute. +fastcgi_cache_valid 302 1m; +## For 404 make it valid 1 second. +fastcgi_cache_valid 404 1s; +## If there are any upstream errors use whatever it is available. +fastcgi_cache_use_stale error timeout invalid_header updating http_500; +## The Cache-Control and Expires headers should be delivered untouched +## from the upstream to the client. +fastcgi_ignore_headers Cache-Control Expires; +fastcgi_pass_header Set-Cookie; +fastcgi_pass_header Cookie; +## Bypass the cache. +# fastcgi_cache_bypass $no_auth_cache; +# fastcgi_no_cache $no_auth_cache; +## Add a cache miss/hit status header. +add_header X-Micro-Cache $upstream_cache_status; +## To avoid any interaction with the cache control headers we expire +## everything on this location immediately. +expires epoch; + +## Enable clickjacking protection in modern browsers. Available in +## IE8 also. See +## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header +## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12). +## Uncomment the line below if you're not using media streaming. +## For sites *not* using frames uncomment the line below. +#add_header X-Frame-Options DENY; +## For sites *using* frames uncomment the line below. +#add_header X-Frame-Options SAMEORIGIN; + +## Block MIME type sniffing on IE. +add_header X-Content-Options nosniff; + +## If you're using a Nginx version greater than 1.1.11 then uncomment +## the line below. See: +## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock +## Cache locking mechanism for protecting the backend of too many +## simultaneous requests. +#fastcgi_cache_lock on; +## The default timeout, i.e., the time to way before forwarding the +## second request upstream if no reply as arrived in the meantime is 5s. +#fastcgi_cache_lock_timeout 8000; # in miliseconds. diff --git a/guix/etc/nginx/apps/drupal/microcache_proxy.conf b/guix/etc/nginx/apps/drupal/microcache_proxy.conf new file mode 100644 index 0000000..6708684 --- /dev/null +++ b/guix/etc/nginx/apps/drupal/microcache_proxy.conf @@ -0,0 +1,53 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- + +### Implementation of the microcache concept as presented here: +### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n + +## The cache zone referenced. +proxy_cache microcache; +## The cache key. +proxy_cache_key $host$request_uri; + +## For 200 and 301 make the cache valid for 15 seconds. +proxy_cache_valid 200 301 15s; +## For 302 make it valid for 1 minute. +proxy_cache_valid 302 1m; +## For 404 make it valid 1 second. +proxy_cache_valid 404 1s; +## If there are any upstream errors or the item has expired use +## whatever it is available. +proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; +## The Cache-Control and Expires headers should be delivered untouched +## from the upstream to the client. +proxy_ignore_headers Cache-Control Expires; +## Bypass the cache. +proxy_cache_bypass $no_cache; +proxy_no_cache $no_cache; +## Add a cache miss/hit status header. +add_header X-Micro-Cache $upstream_cache_status; +## To avoid any interaction with the cache control headers we expire +## everything on this location immediately. +expires epoch; + +## Enable clickjacking protection in modern browsers. Available in +## IE8 also. See +## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header +## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12). +## Uncomment the line below if you're not using media streaming. +## For sites *not* using frames uncomment the line below. +#add_header X-Frame-Options DENY; +## For sites *using* frames uncomment the line below. +#add_header X-Frame-Options SAMEORIGIN; + +## Block MIME type sniffing on IE. +add_header X-Content-Options nosniff; + +## If you're using a Nginx version greater than 1.1.11 then uncomment +## the line below. See: +## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock. +## Cache locking mechanism for protecting the backendof too many +## simultaneous requests. +#proxy_cache_lock on; +## The default timeout, i.e., the time to way before forwarding the +## second request upstream if no reply as arrived in the meantime is 5s. +# proxy_cache_lock_timeout 8000; # in miliseconds. diff --git a/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf b/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf new file mode 100644 index 0000000..e351b1b --- /dev/null +++ b/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf @@ -0,0 +1,54 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- + +### Implementation of the microcache concept as presented here: +### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n + +## The cache zone referenced. +proxy_cache microcache; +## The cache key. +proxy_cache_key $cache_uid@$host$request_uri; + +## For 200 and 301 make the cache valid for 15 seconds. +proxy_cache_valid 200 301 15s; +## For 302 make it valid for 1 minute. +proxy_cache_valid 302 1m; +## For 404 make it valid 1 second. +proxy_cache_valid 404 1s; +## If there are any upstream errors or the item has expired use +## whatever it is available. +proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; +## The Cache-Control and Expires headers should be delivered untouched +## from the upstream to the client. +proxy_ignore_headers Cache-Control Expires; +proxy_pass_header Set-Cookie; +proxy_pass_header Cookie; +## Bypass the cache. +proxy_cache_bypass $no_auth_cache; +proxy_no_cache $no_auth_cache; +## Add a cache miss/hit status header. +add_header X-Micro-Cache $upstream_cache_status; +## To avoid any interaction with the cache control headers we expire +## everything on this location immediately. +expires epoch; +## Enable clickjacking protection in modern browsers. Available in +## IE8 also. See +## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header +## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12). +## Uncomment the line below if you're not using media streaming. +## For sites *not* using frames uncomment the line below. +#add_header X-Frame-Options DENY; +## For sites *using* frames uncomment the line below. +#add_header X-Frame-Options SAMEORIGIN; + +## Block MIME type sniffing on IE. +add_header X-Content-Options nosniff; + +## If you're using a Nginx version greater than 1.1.11 then uncomment +## the line below. See: +## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock. +## Cache locking mechanism for protecting the backendof too many +## simultaneous requests. +#proxy_cache_lock on; +## The default timeout, i.e., the time to way before forwarding the +## second request upstream if no reply as arrived in the meantime is 5s. +# proxy_cache_lock_timeout 8000; # in miliseconds. diff --git a/guix/etc/nginx/conf.d/favicon_robots b/guix/etc/nginx/conf.d/favicon_robots new file mode 100644 index 0000000..3c6e417 --- /dev/null +++ b/guix/etc/nginx/conf.d/favicon_robots @@ -0,0 +1,11 @@ +location = /robots.txt { + root /var/www/robots-favicon; +} + +location = /favicon.ico { + root /var/www/robots-favicon; +} + +location = /static/web-common/favicon-taler.ico { + alias /var/www/robots-favicon/favicon.ico; +} diff --git a/guix/etc/nginx/conf.d/talerssl b/guix/etc/nginx/conf.d/talerssl new file mode 100644 index 0000000..3c33de6 --- /dev/null +++ b/guix/etc/nginx/conf.d/talerssl @@ -0,0 +1,14 @@ +ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem; +ssl_prefer_server_ciphers on; +ssl_session_cache shared:SSL:10m; +ssl_dhparam /etc/ssl/certs/dhparam.pem; +ssl_protocols TLSv1.2 TLSv1.1 TLSv1; +ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + +add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; +add_header X-XSS-Protection "1; mode=block"; +add_header X-Frame-Options "SAMEORIGIN"; +add_header X-Content-Type-Options "nosniff"; +add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://buildbot.taler.net"; +add_header Referrer-Policy "same-origin"; diff --git a/guix/etc/nginx/fastcgi.conf b/guix/etc/nginx/fastcgi.conf new file mode 100644 index 0000000..091738c --- /dev/null +++ b/guix/etc/nginx/fastcgi.conf @@ -0,0 +1,26 @@ + +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/guix/etc/nginx/fastcgi_params b/guix/etc/nginx/fastcgi_params new file mode 100644 index 0000000..28decb9 --- /dev/null +++ b/guix/etc/nginx/fastcgi_params @@ -0,0 +1,25 @@ + +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/guix/etc/nginx/koi-utf b/guix/etc/nginx/koi-utf new file mode 100644 index 0000000..e7974ff --- /dev/null +++ b/guix/etc/nginx/koi-utf @@ -0,0 +1,109 @@ + +# This map is not a full koi8-r <> utf8 map: it does not contain +# box-drawing and some other characters. Besides this map contains +# several koi8-u and Byelorussian letters which are not in koi8-r. +# If you need a full and standard map, use contrib/unicode2nginx/koi-utf +# map instead. + +charset_map koi8-r utf-8 { + + 80 E282AC ; # euro + + 95 E280A2 ; # bullet + + 9A C2A0 ; # + + 9E C2B7 ; # · + + A3 D191 ; # small yo + A4 D194 ; # small Ukrainian ye + + A6 D196 ; # small Ukrainian i + A7 D197 ; # small Ukrainian yi + + AD D291 ; # small Ukrainian soft g + AE D19E ; # small Byelorussian short u + + B0 C2B0 ; # ° + + B3 D081 ; # capital YO + B4 D084 ; # capital Ukrainian YE + + B6 D086 ; # capital Ukrainian I + B7 D087 ; # capital Ukrainian YI + + B9 E28496 ; # numero sign + + BD D290 ; # capital Ukrainian soft G + BE D18E ; # capital Byelorussian short U + + BF C2A9 ; # (C) + + C0 D18E ; # small yu + C1 D0B0 ; # small a + C2 D0B1 ; # small b + C3 D186 ; # small ts + C4 D0B4 ; # small d + C5 D0B5 ; # small ye + C6 D184 ; # small f + C7 D0B3 ; # small g + C8 D185 ; # small kh + C9 D0B8 ; # small i + CA D0B9 ; # small j + CB D0BA ; # small k + CC D0BB ; # small l + CD D0BC ; # small m + CE D0BD ; # small n + CF D0BE ; # small o + + D0 D0BF ; # small p + D1 D18F ; # small ya + D2 D180 ; # small r + D3 D181 ; # small s + D4 D182 ; # small t + D5 D183 ; # small u + D6 D0B6 ; # small zh + D7 D0B2 ; # small v + D8 D18C ; # small soft sign + D9 D18B ; # small y + DA D0B7 ; # small z + DB D188 ; # small sh + DC D18D ; # small e + DD D189 ; # small shch + DE D187 ; # small ch + DF D18A ; # small hard sign + + E0 D0AE ; # capital YU + E1 D090 ; # capital A + E2 D091 ; # capital B + E3 D0A6 ; # capital TS + E4 D094 ; # capital D + E5 D095 ; # capital YE + E6 D0A4 ; # capital F + E7 D093 ; # capital G + E8 D0A5 ; # capital KH + E9 D098 ; # capital I + EA D099 ; # capital J + EB D09A ; # capital K + EC D09B ; # capital L + ED D09C ; # capital M + EE D09D ; # capital N + EF D09E ; # capital O + + F0 D09F ; # capital P + F1 D0AF ; # capital YA + F2 D0A0 ; # capital R + F3 D0A1 ; # capital S + F4 D0A2 ; # capital T + F5 D0A3 ; # capital U + F6 D096 ; # capital ZH + F7 D092 ; # capital V + F8 D0AC ; # capital soft sign + F9 D0AB ; # capital Y + FA D097 ; # capital Z + FB D0A8 ; # capital SH + FC D0AD ; # capital E + FD D0A9 ; # capital SHCH + FE D0A7 ; # capital CH + FF D0AA ; # capital hard sign +} diff --git a/guix/etc/nginx/koi-win b/guix/etc/nginx/koi-win new file mode 100644 index 0000000..72afabe --- /dev/null +++ b/guix/etc/nginx/koi-win @@ -0,0 +1,103 @@ + +charset_map koi8-r windows-1251 { + + 80 88 ; # euro + + 95 95 ; # bullet + + 9A A0 ; # + + 9E B7 ; # · + + A3 B8 ; # small yo + A4 BA ; # small Ukrainian ye + + A6 B3 ; # small Ukrainian i + A7 BF ; # small Ukrainian yi + + AD B4 ; # small Ukrainian soft g + AE A2 ; # small Byelorussian short u + + B0 B0 ; # ° + + B3 A8 ; # capital YO + B4 AA ; # capital Ukrainian YE + + B6 B2 ; # capital Ukrainian I + B7 AF ; # capital Ukrainian YI + + B9 B9 ; # numero sign + + BD A5 ; # capital Ukrainian soft G + BE A1 ; # capital Byelorussian short U + + BF A9 ; # (C) + + C0 FE ; # small yu + C1 E0 ; # small a + C2 E1 ; # small b + C3 F6 ; # small ts + C4 E4 ; # small d + C5 E5 ; # small ye + C6 F4 ; # small f + C7 E3 ; # small g + C8 F5 ; # small kh + C9 E8 ; # small i + CA E9 ; # small j + CB EA ; # small k + CC EB ; # small l + CD EC ; # small m + CE ED ; # small n + CF EE ; # small o + + D0 EF ; # small p + D1 FF ; # small ya + D2 F0 ; # small r + D3 F1 ; # small s + D4 F2 ; # small t + D5 F3 ; # small u + D6 E6 ; # small zh + D7 E2 ; # small v + D8 FC ; # small soft sign + D9 FB ; # small y + DA E7 ; # small z + DB F8 ; # small sh + DC FD ; # small e + DD F9 ; # small shch + DE F7 ; # small ch + DF FA ; # small hard sign + + E0 DE ; # capital YU + E1 C0 ; # capital A + E2 C1 ; # capital B + E3 D6 ; # capital TS + E4 C4 ; # capital D + E5 C5 ; # capital YE + E6 D4 ; # capital F + E7 C3 ; # capital G + E8 D5 ; # capital KH + E9 C8 ; # capital I + EA C9 ; # capital J + EB CA ; # capital K + EC CB ; # capital L + ED CC ; # capital M + EE CD ; # capital N + EF CE ; # capital O + + F0 CF ; # capital P + F1 DF ; # capital YA + F2 D0 ; # capital R + F3 D1 ; # capital S + F4 D2 ; # capital T + F5 D3 ; # capital U + F6 C6 ; # capital ZH + F7 C2 ; # capital V + F8 DC ; # capital soft sign + F9 DB ; # capital Y + FA C7 ; # capital Z + FB D8 ; # capital SH + FC DD ; # capital E + FD D9 ; # capital SHCH + FE D7 ; # capital CH + FF DA ; # capital hard sign +} diff --git a/guix/etc/nginx/mime.types b/guix/etc/nginx/mime.types new file mode 100644 index 0000000..89be9a4 --- /dev/null +++ b/guix/etc/nginx/mime.types @@ -0,0 +1,89 @@ + +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + image/svg+xml svg svgz; + image/webp webp; + + application/font-woff woff; + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.wap.wmlc wmlc; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/guix/etc/nginx/nginx.conf b/guix/etc/nginx/nginx.conf new file mode 100644 index 0000000..13e8724 --- /dev/null +++ b/guix/etc/nginx/nginx.conf @@ -0,0 +1,79 @@ +user nginx; +worker_processes 4; +pid /var/run/nginx.pid; + +include etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # Logging Settings + ## + + log_format main '$remote_addr - $remote_user [$time_local] $host ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + + access_log /var/log/nginx/access.log main; + error_log /var/log/nginx/error.log notice; + + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; + + # This isn't entirely correct since it does + # not consider the weighting of languages, but + # for now it's good enough. + map $http_accept_language $index_redirect_uri { + default "en"; + # prefer language that's first in the list + ~^en "en"; + ~^de "de"; + ~^fr "fr"; + ~^es "it"; + # if none matches, take one later in the list + ~,en "en"; + ~,de "de"; + ~,fr "fr"; + ~,es "it"; + } + + ## + # Virtual Host Configs + ## + + include etc/nginx/conf.d/*.conf; + include etc/nginx/sites-enabled/*.site; +} diff --git a/guix/etc/nginx/proxy_params b/guix/etc/nginx/proxy_params new file mode 100644 index 0000000..df75bc5 --- /dev/null +++ b/guix/etc/nginx/proxy_params @@ -0,0 +1,4 @@ +proxy_set_header Host $http_host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; diff --git a/guix/etc/nginx/scgi_params b/guix/etc/nginx/scgi_params new file mode 100644 index 0000000..6d4ce4f --- /dev/null +++ b/guix/etc/nginx/scgi_params @@ -0,0 +1,17 @@ + +scgi_param REQUEST_METHOD $request_method; +scgi_param REQUEST_URI $request_uri; +scgi_param QUERY_STRING $query_string; +scgi_param CONTENT_TYPE $content_type; + +scgi_param DOCUMENT_URI $document_uri; +scgi_param DOCUMENT_ROOT $document_root; +scgi_param SCGI 1; +scgi_param SERVER_PROTOCOL $server_protocol; +scgi_param REQUEST_SCHEME $scheme; +scgi_param HTTPS $https if_not_empty; + +scgi_param REMOTE_ADDR $remote_addr; +scgi_param REMOTE_PORT $remote_port; +scgi_param SERVER_PORT $server_port; +scgi_param SERVER_NAME $server_name; diff --git a/guix/etc/nginx/sites-available/blog-demo.site b/guix/etc/nginx/sites-available/blog-demo.site new file mode 100644 index 0000000..a48a036 --- /dev/null +++ b/guix/etc/nginx/sites-available/blog-demo.site @@ -0,0 +1,43 @@ +server { + listen 80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + server_name blog.demo.taler.net; + + root /home/demo/merchant/src/frontend_blog; + index index.html; + + # Make site accessible from http://localhost/ + + location / { + try_files $uri $uri/ =404; + rewrite /taler/pay /pay.php; + rewrite /taler/contract /generate_taler_contract.php; + + } + + location /fullfillment { + rewrite /(.*) /$1.php; + + } + + location /articles { + + internal; + } + + location ~ \.php$ { + + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + + } + + location /backend { + rewrite /backend/(.*) /$1 break; + proxy_pass http://127.0.0.1:19966; + proxy_redirect off; + proxy_set_header Host $host; + } +} diff --git a/guix/etc/nginx/sites-available/default.site b/guix/etc/nginx/sites-available/default.site new file mode 100644 index 0000000..79e41e8 --- /dev/null +++ b/guix/etc/nginx/sites-available/default.site @@ -0,0 +1,86 @@ +## +# You should look at the following URL's in order to grasp a solid understanding +# of Nginx configuration files in order to fully unleash the power of Nginx. +# http://wiki.nginx.org/Pitfalls +# http://wiki.nginx.org/QuickStart +# http://wiki.nginx.org/Configuration +# +# Generally, you will want to move this file somewhere, and start with a clean +# file but keep this around for reference. Or just disable in sites-enabled. +# +# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. +## + +# Default server configuration +# +server { + listen 80 default_server; + listen [::]:80 default_server; + + # SSL configuration + # + # listen 443 ssl default_server; + # listen [::]:443 ssl default_server; + # + # Note: You should disable gzip for SSL traffic. + # See: https://bugs.debian.org/773332 + # + # Read up on ssl_ciphers to ensure a secure configuration. + # See: https://bugs.debian.org/765782 + # + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + # + # include snippets/snakeoil.conf; + + root /var/www/html; + + # Add index.php to the list if you are using PHP + index index.html index.htm index.nginx-debian.html; + + server_name _; + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. + try_files $uri $uri/ =404; + } + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # include snippets/fastcgi-php.conf; + # + # # With php5-cgi alone: + # fastcgi_pass 127.0.0.1:9000; + # # With php5-fpm: + # fastcgi_pass unix:/var/run/php5-fpm.sock; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} + + +# Virtual Host configuration for example.com +# +# You can move that to a different file under sites-available/ and symlink that +# to sites-enabled/ to enable it. +# +#server { +# listen 80; +# listen [::]:80; +# +# server_name example.com; +# +# root /var/www/example.com; +# index index.html; +# +# location / { +# try_files $uri $uri/ =404; +# } +#} diff --git a/guix/etc/nginx/sites-available/drupal-demo-ssl.site b/guix/etc/nginx/sites-available/drupal-demo-ssl.site new file mode 100644 index 0000000..400020e --- /dev/null +++ b/guix/etc/nginx/sites-available/drupal-demo-ssl.site @@ -0,0 +1,49 @@ +server { + listen 443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + server_name drupal.demo.taler.net; + + root /home/demo/drupal-demo; + + ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + ssl_protocols TLSv1.2 TLSv1.1 TLSv1; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + + add_header Strict-Transport-Security "max-age=63072000; preload"; + + # Make site accessible from http://localhost/ + +# location / { +# try_files $uri $uri/ =404; +# rewrite /taler/pay /pay.php; +# rewrite /taler/contract /generate_taler_contract.php; +# } + +# location /fullfillment { +# rewrite /(.*) /$1.php; +# } + + location ~ \.php$ { + fastcgi_index index.php; + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } + +# location /backend { +# rewrite /backend/(.*) /$1 break; +# proxy_pass http://127.0.0.1:19966; +# proxy_redirect off; +# proxy_set_header Host $host; +# } + + client_max_body_size 10M; + client_body_buffer_size 128k; + + include apps/drupal/drupal.conf; +} diff --git a/guix/etc/nginx/sites-available/drupal-demo.site b/guix/etc/nginx/sites-available/drupal-demo.site new file mode 100644 index 0000000..d91c3f7 --- /dev/null +++ b/guix/etc/nginx/sites-available/drupal-demo.site @@ -0,0 +1,40 @@ +server { + listen 80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + server_name drupal.demo.taler.net; + + root /home/demo/drupal-demo; + + # Make site accessible from http://localhost/ + +# location / { +# try_files $uri $uri/ =404; +# rewrite /taler/pay /pay.php; +# rewrite /taler/contract /generate_taler_contract.php; +# } + +# location /fullfillment { +# rewrite /(.*) /$1.php; +# } + + + location ~ \.php$ { + fastcgi_index index.php; + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } + +# location /backend { +# rewrite /backend/(.*) /$1 break; +# proxy_pass http://127.0.0.1:19966; +# proxy_redirect off; +# proxy_set_header Host $host; +# } + + client_max_body_size 10M; + client_body_buffer_size 128k; + + include apps/drupal/drupal.conf; +} diff --git a/guix/etc/nginx/sites-available/ghm_videos.site b/guix/etc/nginx/sites-available/ghm_videos.site new file mode 100644 index 0000000..c438e7f --- /dev/null +++ b/guix/etc/nginx/sites-available/ghm_videos.site @@ -0,0 +1,25 @@ +server { + listen 80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/www/taler.net; + + # Make site accessible from http://localhost/ + server_name taler.net; + server_name www.taler.net; + + rewrite ^ https://$server_name$request_uri? permanent; + +# location / { +# autoindex off; +# ssi on; +## ssi_last_modified on; +# rewrite /citizens /citizens.html break; +# rewrite /developers /developers.html break; +# rewrite /merchants /merchants.html break; +# rewrite /governments /governments.html break; +# rewrite /investors /investors.html break; +# rewrite /about /about.html break; +# rewrite /news /news.html break; +# } +} diff --git a/guix/etc/nginx/sites-available/www.git-ssl.site b/guix/etc/nginx/sites-available/www.git-ssl.site new file mode 100644 index 0000000..4ac7cfa --- /dev/null +++ b/guix/etc/nginx/sites-available/www.git-ssl.site @@ -0,0 +1,25 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + # Make site accessible from http://localhost/ + server_name www.git.taler.net; + + include conf.d/talerssl; + + location /index.cgi { + root /usr/share/gitweb/; + + include fastcgi_params; + gzip off; + fastcgi_param SCRIPT_NAME $uri; + fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; + fastcgi_pass unix:/var/run/fcgiwrap.socket; + } + + location / { + root /usr/share/gitweb/; + index index.cgi; + } +} diff --git a/guix/etc/nginx/sites-available/www.git.site b/guix/etc/nginx/sites-available/www.git.site new file mode 100644 index 0000000..26679be --- /dev/null +++ b/guix/etc/nginx/sites-available/www.git.site @@ -0,0 +1,24 @@ +server { + listen 80; + listen [::]:80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + # Make site accessible from http://localhost/ + server_name www.git.taler.net; + + + location /index.cgi { + root /usr/share/gitweb/; + + include fastcgi_params; + gzip off; + fastcgi_param SCRIPT_NAME $uri; + fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; + fastcgi_pass unix:/var/run/fcgiwrap.socket; + } + + location / { + root /usr/share/gitweb/; + index index.cgi; + } +} diff --git a/guix/etc/nginx/sites-enabled/api-ssl.site b/guix/etc/nginx/sites-enabled/api-ssl.site new file mode 100644 index 0000000..6f5fd69 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/api-ssl.site @@ -0,0 +1,9 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + server_name api.taler.net + www.api.taler.net; + rewrite ^ https://docs.taler.net$request_uri? permanent; +} diff --git a/guix/etc/nginx/sites-enabled/api.site b/guix/etc/nginx/sites-enabled/api.site new file mode 100644 index 0000000..21e7efe --- /dev/null +++ b/guix/etc/nginx/sites-enabled/api.site @@ -0,0 +1,8 @@ +server { + listen 80; + listen [::]:80; + server_name api.taler.net + www.api.taler.net; + + rewrite ^ https://docs.taler.net$request_uri? permanent; +} diff --git a/guix/etc/nginx/sites-enabled/buildbot-ssl.site b/guix/etc/nginx/sites-enabled/buildbot-ssl.site new file mode 100644 index 0000000..ba998bb --- /dev/null +++ b/guix/etc/nginx/sites-enabled/buildbot-ssl.site @@ -0,0 +1,23 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/www/buildbot/; + + # Make site accessible from http://localhost/ + server_name buildbot.taler.net; + server_name www.buildbot.taler.net; + server_name bb.taler.net; + include conf.d/talerssl; + + location / { + proxy_pass http://127.0.0.1:8010; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + + include conf.d/favicon_robots; +} diff --git a/guix/etc/nginx/sites-enabled/buildbot.site b/guix/etc/nginx/sites-enabled/buildbot.site new file mode 100644 index 0000000..77eb805 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/buildbot.site @@ -0,0 +1,14 @@ +server { + listen 80; + listen [::]:80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/www/buildbot/; + + # Make site accessible from http://localhost/ + server_name buildbot.taler.net; + server_name www.buildbot.taler.net; + server_name bb.taler.net; + + rewrite ^ https://$server_name$request_uri? permanent; +} diff --git a/guix/etc/nginx/sites-enabled/decentralise-ssl.site b/guix/etc/nginx/sites-enabled/decentralise-ssl.site new file mode 100644 index 0000000..9dd0470 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/decentralise-ssl.site @@ -0,0 +1,14 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/www/decentralise; + + # Make site accessible from http://localhost/ + server_name www.decentralise.rennes.inria.fr; + server_name decentralise.rennes.inria.fr; + include conf.d/talerssl; + + rewrite / http://www.inria.fr/en/teams/decentralise redirect; +} diff --git a/guix/etc/nginx/sites-enabled/decentralise.site b/guix/etc/nginx/sites-enabled/decentralise.site new file mode 100644 index 0000000..b92fb0f --- /dev/null +++ b/guix/etc/nginx/sites-enabled/decentralise.site @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/www/decentralise; + + # Make site accessible from http://localhost/ + server_name www.decentralise.rennes.inria.fr; + server_name decentralise.rennes.inria.fr; + + rewrite / http://www.inria.fr/en/teams/decentralise redirect; +} diff --git a/guix/etc/nginx/sites-enabled/default.site b/guix/etc/nginx/sites-enabled/default.site new file mode 100644 index 0000000..e295383 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/default.site @@ -0,0 +1,18 @@ +# matched when no other server name matches +server { + listen 80 default_server; + listen [::]:80 default_server; + # server name must simply something invalid ... + server_name _; + # drop connection, special nginx status code + return 444; +} +server { + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + include conf.d/talerssl; + # server name must simply something invalid ... + server_name _; + # drop connection, special nginx status code + return 444; +} diff --git a/guix/etc/nginx/sites-enabled/demo.site b/guix/etc/nginx/sites-enabled/demo.site new file mode 100644 index 0000000..16d9698 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/demo.site @@ -0,0 +1,159 @@ +server { + listen 80; + listen [::]:80; + server_name demo.taler.net + bank.demo.taler.net + shop.demo.taler.net + donations.demo.taler.net + survey.demo.taler.net + auditor.demo.taler.net + exchange.demo.taler.net; + + # 301-based ridirects allows the user agent to *change* the + # method used in the second request. This breaks all the API + # using POST, as some user agents do the second request using + # GET. 307 is meant to tell the user agent to not change the + # method in the second request. + if ($request_method = POST) { return 307 https://$host$request_uri; } + return 301 https://$host$request_uri; + +} + + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name auditor.demo.taler.net; + include conf.d/talerssl; + location / { + rewrite ^/$ /en/ redirect; + rewrite ^/(..)/$ /$1/index.html break; + recursive_error_pages on; + root /home/demo/auditor; + } + include conf.d/favicon_robots; +} + + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name demo.taler.net www.demo.taler.net; + rewrite /javascript /javascript.html break; + include conf.d/talerssl; + location / { + rewrite ^/$ /en/ redirect; + rewrite ^/(..)/$ /$1/index.html break; + root /home/demo/landing/demo; + } + + include conf.d/favicon_robots; +} + + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name exchange.demo.taler.net; + root /dev/null; + include conf.d/talerssl; + + location /admin { + proxy_pass http://unix:/home/demo/sockets/exchange-admin.http; + proxy_redirect off; + proxy_set_header Host $host; + } + + location / { + proxy_pass http://unix:/home/demo/sockets/exchange.http:/; + proxy_redirect off; + proxy_set_header Host $host; + } +} + +server { + listen 443 ssl; + listen 80; + listen [::]:443 ssl; + listen [::]:80; + server_name backend.demo.taler.net; + include conf.d/talerssl; + + location /public { + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host "backend.demo.taler.net"; + proxy_set_header X-Forwarded-Proto "https"; + proxy_pass http://unix:/home/demo/sockets/merchant.http:/public; + } + + location / { + # match the ApiKey part ignoring case, and the actual key + # with case-sensitivity on. + if ($http_authorization !~ "(?i)ApiKey (?-i)sandbox") { + return 401; + } + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host "backend.demo.taler.net"; + proxy_set_header X-Forwarded-Proto "https"; + proxy_pass http://unix:/home/demo/sockets/merchant.http:/; + } +} + + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name donations.demo.taler.net; + include conf.d/talerssl; + + location / { + uwsgi_pass unix:/home/demo/sockets/donations.uwsgi; + include /etc/nginx/uwsgi_params; + } + + include conf.d/favicon_robots; +} + + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name shop.demo.taler.net; + include conf.d/talerssl; + + location / { + uwsgi_pass unix:/home/demo/sockets/shop.uwsgi; + include /etc/nginx/uwsgi_params; + } + + include conf.d/favicon_robots; +} + + +server { + server_name survey.demo.taler.net; + listen 443 ssl; + listen [::]:443 ssl; + include conf.d/talerssl; + + location / { + uwsgi_pass unix:/home/demo/sockets/survey.uwsgi; + include /etc/nginx/uwsgi_params; + } +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name bank.demo.taler.net; + include conf.d/talerssl; + + location / { + uwsgi_pass unix:/home/demo/sockets/bank.uwsgi; + include /etc/nginx/uwsgi_params; + } + + include conf.d/favicon_robots; +} diff --git a/guix/etc/nginx/sites-enabled/docs-ssl.site b/guix/etc/nginx/sites-enabled/docs-ssl.site new file mode 100644 index 0000000..923d703 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/docs-ssl.site @@ -0,0 +1,69 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + # Temporary, as this doesn't do i18n + root /home/docbuilder/build/docs-landing/; + + # Make site accessible from http://localhost/ + server_name docs.taler.net + www.docs.taler.net; + + include conf.d/talerssl; + + location / { + autoindex off; + ssi off; +# ssi_last_modified on; + + + rewrite ^/$ /$index_redirect_uri/ redirect; + rewrite ^/(..)/$ /$1/index.html break; + } + + + location /code/exchange { + alias /home/docbuilder/build/exchange/doxygen; + } + + location /code/merchant { + alias /home/docbuilder/build/merchant-backend/doxygen; + } + + location /onboarding { + alias /home/docbuilder/build/onboarding/; + } + + location /bank { + alias /home/docbuilder/build/bank/manual; + } + + location /backoffice { + alias /home/docbuilder/build/backoffice/; + } + + location /exchange { + alias /home/docbuilder/build/exchange/manual; + } + + location /merchant/backend { + alias /home/docbuilder/build/merchant-backend/manual; + } + + location /merchant/frontend { + alias /home/docbuilder/build/merchant-frontend/; + } + + location /api { + autoindex off; + alias /home/docbuilder/build/api/html; + } + + # Associated to /api route. + location /_static { + alias /home/docbuilder/api/html/_static; + } + + include conf.d/favicon_robots; +} diff --git a/guix/etc/nginx/sites-enabled/docs.site b/guix/etc/nginx/sites-enabled/docs.site new file mode 100644 index 0000000..8e01608 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/docs.site @@ -0,0 +1,7 @@ +server { + listen 80; + listen [::]:80; + server_name docs.taler.net; + + rewrite ^ https://$host$request_uri? permanent; +} diff --git a/guix/etc/nginx/sites-enabled/env.site b/guix/etc/nginx/sites-enabled/env.site new file mode 100644 index 0000000..fbe31aa --- /dev/null +++ b/guix/etc/nginx/sites-enabled/env.site @@ -0,0 +1,85 @@ +server { + listen 80; + listen [::]:80; + server_name env.taler.net; + rewrite ^ https://$host$request_uri? permanent; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name env.taler.net; + include conf.d/talerssl; + root /dev/null; + # rewrite_log on; + + # add trailing slashes to apps + rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)$ /$user/$app/ redirect; + # add trailing slashes to user + rewrite ^/(?<user>[a-zA-Z0-9-_]+)$ /$user/ redirect; + rewrite ^/(?<user>[a-zA-Z0-9-_]+)/$ /$user/en/ redirect; + + # aliases to get from one page to the other + rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/landing /$user/ redirect; + rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/bank /$user/bank redirect; + rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/shop /$user/shop redirect; + rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/donations /$user/donations redirect; + rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/survey /$user/survey redirect; + + location ~ ^/(?<user>[a-zA-Z0-9-_]+)/exchange/(?<req>.*) { + proxy_pass http://unix:/home/$user/sockets/exchange.http:/$req$is_args$args; + proxy_redirect off; + proxy_set_header Host $host; + } + + location ~ ^/(?<user>[a-zA-Z0-9-_]+)/merchant-backend/(?<req>.*) { + proxy_pass http://unix:/home/$user/sockets/merchant.http:/$req; + proxy_redirect off; + proxy_set_header Host $host; + } + + location ~ ^/(?<user>[a-zA-Z0-9-_]+)/bank(?<req>/?.*|)$ { + uwsgi_pass unix:/home/$user/sockets/bank.uwsgi; + include /etc/nginx/uwsgi_params; + uwsgi_param SCRIPT_NAME "/$user/bank/"; + uwsgi_param PATH_INFO "$req"; + } + + location ~ ^/(?<user>[a-zA-Z0-9-_]+)/shop(?<req>/?.*|)$ { + uwsgi_pass unix:/home/$user/sockets/shop.uwsgi; + include /etc/nginx/uwsgi_params; + uwsgi_param SCRIPT_NAME "/$user/shop/"; + uwsgi_param PATH_INFO "$req"; + } + + location ~ ^/(?<user>[a-zA-Z0-9-_]+)/donations(?<req>/.*|)$ { + uwsgi_pass unix:/home/$user/sockets/donations.uwsgi; + include /etc/nginx/uwsgi_params; + uwsgi_param SCRIPT_NAME "/$user/donations/"; + uwsgi_param PATH_INFO "$req"; + } + + location ~ ^/(?<user>[a-zA-Z0-9-_]+)(?<req>/.*|)$ { + # add index.html + rewrite ^/(.*)/(..)/$ /$1/$2/index.html last; + # strip /user/ + rewrite ^/([a-zA-Z0-9-_]+)/(.*)$ /$2 break; + root /home/$user/landing/demo; + } + + location ~ ^/(?<user>[a-zA-Z0-9-_]+)/auditor(?<req>/.*|)$ { + uwsgi_pass unix:/home/$user/sockets/auditor.uwsgi; + include /etc/nginx/uwsgi_params; + uwsgi_param SCRIPT_NAME "/$user/"; + uwsgi_param PATH_INFO "$req"; + } + + location ~ ^/(?<user>[a-zA-Z0-9-_]+)/survey(?<req>/.*|)$ { + uwsgi_pass unix:/home/$user/sockets/survey.uwsgi; + include /etc/nginx/uwsgi_params; + uwsgi_param SCRIPT_NAME "/$user/"; + uwsgi_param PATH_INFO "$req"; + } + + include conf.d/favicon_robots; +} diff --git a/guix/etc/nginx/sites-enabled/gauger-ssl.site b/guix/etc/nginx/sites-enabled/gauger-ssl.site new file mode 100644 index 0000000..e889b59 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/gauger-ssl.site @@ -0,0 +1,18 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/www/gauger/; + + # Make site accessible from http://localhost/ + server_name gauger.taler.net; + server_name www.gauger.taler.net; + include conf.d/talerssl; + + location / { + proxy_pass http://localhost:1801; + proxy_redirect off; + proxy_set_header Host $host; + } +} diff --git a/guix/etc/nginx/sites-enabled/gauger.site b/guix/etc/nginx/sites-enabled/gauger.site new file mode 100644 index 0000000..967f9e9 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/gauger.site @@ -0,0 +1,17 @@ +server { + listen 80; + listen [::]:80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/www/gauger/; + + # Make site accessible from http://localhost/ + server_name gauger.taler.net; + server_name www.gauger.taler.net; + + location / { + proxy_pass http://localhost:1801; + proxy_redirect off; + proxy_set_header Host $host; + } +} diff --git a/guix/etc/nginx/sites-enabled/git-ssl.site b/guix/etc/nginx/sites-enabled/git-ssl.site new file mode 100644 index 0000000..673ced5 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/git-ssl.site @@ -0,0 +1,31 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/git; + server_name git.taler.net; + include conf.d/talerssl; + + access_log /var/log/nginx/git.taler.net_access.log; + error_log /var/log/nginx/git.taler.net_error.log notice; + + location ~ ^(.*?)\.git/(HEAD|info/refs|objects/.*|git-upload-pack)$ { + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend; + fastcgi_param GIT_PROJECT_ROOT /home/git/repositories; + fastcgi_param PATH_INFO $uri; + fastcgi_pass unix:/var/run/fcgiwrap.socket; + } + + location /cgit { + root /var/www; + } + + location / { + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_pass unix:/var/run/fcgiwrap.socket; + } +} diff --git a/guix/etc/nginx/sites-enabled/git.site b/guix/etc/nginx/sites-enabled/git.site new file mode 100644 index 0000000..4c0c9ea --- /dev/null +++ b/guix/etc/nginx/sites-enabled/git.site @@ -0,0 +1,10 @@ +server { + listen 80; + listen [::]:80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/git; + server_name git.taler.net; + + rewrite ^ https://$server_name$request_uri? permanent; +} diff --git a/guix/etc/nginx/sites-enabled/intranet-ssl.site b/guix/etc/nginx/sites-enabled/intranet-ssl.site new file mode 100644 index 0000000..3390403 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/intranet-ssl.site @@ -0,0 +1,15 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/git; + server_name intranet.taler.net; + include conf.d/talerssl; + location / { + proxy_pass http://127.0.0.1:8018; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header HTTPS on; + } +} diff --git a/guix/etc/nginx/sites-enabled/intranet.site b/guix/etc/nginx/sites-enabled/intranet.site new file mode 100644 index 0000000..66217db --- /dev/null +++ b/guix/etc/nginx/sites-enabled/intranet.site @@ -0,0 +1,10 @@ +server { + listen 80; + listen [::]:80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + # Make site accessible from http://localhost/ + server_name intranet.taler.net; + + rewrite ^ https://$server_name$request_uri? permanent; +} diff --git a/guix/etc/nginx/sites-enabled/lcov-ssl.site b/guix/etc/nginx/sites-enabled/lcov-ssl.site new file mode 100644 index 0000000..0620bfe --- /dev/null +++ b/guix/etc/nginx/sites-enabled/lcov-ssl.site @@ -0,0 +1,20 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/www/lcov.taler.net/; + + # Make site accessible from http://localhost/ + server_name lcov.taler.net; + server_name www.lcov.taler.net; + include conf.d/talerssl; + + location / { + autoindex on; + ssi off; +# ssi_last_modified on; + } + + include conf.d/favicon_robots; +} diff --git a/guix/etc/nginx/sites-enabled/lcov.site b/guix/etc/nginx/sites-enabled/lcov.site new file mode 100644 index 0000000..979c387 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/lcov.site @@ -0,0 +1,19 @@ +server { + listen 80; + listen [::]:80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/www/lcov.taler.net/; + + # Make site accessible from http://localhost/ + server_name lcov.taler.net; + server_name www.lcov.taler.net; + + location / { + autoindex on; + ssi off; +# ssi_last_modified on; + } + + include conf.d/favicon_robots; +} diff --git a/guix/etc/nginx/sites-enabled/sandbox.site b/guix/etc/nginx/sites-enabled/sandbox.site new file mode 100644 index 0000000..9e32b17 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/sandbox.site @@ -0,0 +1,20 @@ +server { + listen 80; + listen [::]:80; + server_name sandbox.taler.net *.sandbox.taler.net; + rewrite ^ https://$host$request_uri? permanent; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name sandbox.taler.net; + include conf.d/talerssl; + + location / { + root /home/sandbox/sandbox_landing/; + autoindex off; + index index.html; + } +} diff --git a/guix/etc/nginx/sites-enabled/test.site b/guix/etc/nginx/sites-enabled/test.site new file mode 100644 index 0000000..7c4f847 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/test.site @@ -0,0 +1,379 @@ +server { + listen 80; + listen [::]:80; + server_name test.taler.net + bank.test.taler.net + shop.test.taler.net + donations.test.taler.net + survey.test.taler.net + auditor.test.taler.net + exchange.test.taler.net + backoffice.test.taler.net; + + # 301-based ridirects allows the user agent to *change* the + # method used in the second request. This breaks all the API + # using POST, as some user agents do the second request using + # GET. 307 is meant to tell the user agent to not change the + # method in the second request. + if ($request_method = POST) { return 307 https://$host$request_uri; } + return 301 https://$host$request_uri; +} + +server { + server_name test.taler.net www.test.taler.net; + listen 443 ssl; + listen [::]:443 ssl; + rewrite /javascript /javascript.html break; + include conf.d/talerssl; + location @green { + add_header X-Taler-Deployment-Color green; + root /home/test-green/landing/demo; + } + location @blue { + add_header X-Taler-Deployment-Color blue; + root /home/test-blue/landing/demo; + } + location / { + # Redirection technique explainted at + # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/ + error_page 418 = @blue; + error_page 419 = @green; + rewrite ^/$ /en/ redirect; + rewrite ^/(..)/$ /$1/index.html break; + recursive_error_pages on; + if ($http_x_taler_deployment_color ~ "blue") { return 418; } + if ($http_x_taler_deployment_color ~ "green") { return 419; } + root /home/test/landing/demo; + } + include conf.d/favicon_robots; +} + + +server { + server_name auditor.test.taler.net; + listen 443 ssl; + listen [::]:443 ssl; + root /dev/null; + include conf.d/talerssl; + location @green { + add_header X-Taler-Deployment-Color green; + root /home/test-green/auditor; + } + location @blue { + add_header X-Taler-Deployment-Color blue; + root /home/test-blue/auditor; + } + location / { + # Redirection technique explainted at + # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/ + error_page 418 = @blue; + error_page 419 = @green; + rewrite ^/$ /en/ redirect; + rewrite ^/(..)/$ /$1/index.html break; + recursive_error_pages on; + if ($http_x_taler_deployment_color ~ "blue") { return 418; } + if ($http_x_taler_deployment_color ~ "green") { return 419; } + root /home/test/auditor; + } + include conf.d/favicon_robots; +} + + +server { + server_name exchange.test.taler.net; + listen 443 ssl; + listen [::]:443 ssl; + root /dev/null; + include conf.d/talerssl; + location @blue-admin { + add_header X-Taler-Deployment-Color blue; + proxy_pass http://unix:/home/test-blue/sockets/exchange-admin.http; + proxy_redirect off; + proxy_set_header Host $host; + } + location @green-admin { + add_header X-Taler-Deployment-Color green; + proxy_pass http://unix:/home/test-green/sockets/exchange-admin.http; + proxy_redirect off; + proxy_set_header Host $host; + } + + location @blue { + add_header X-Taler-Deployment-Color blue; + proxy_pass http://unix:/home/test-blue/sockets/exchange.http; + proxy_redirect off; + proxy_set_header Host $host; + } + + location @green { + add_header X-Taler-Deployment-Color green; + proxy_pass http://unix:/home/test-green/sockets/exchange.http; + proxy_redirect off; + proxy_set_header Host $host; + } + + location /admin { + error_page 418 = @blue-admin; + error_page 419 = @green-admin; + recursive_error_pages on; + if ($http_x_taler_deployment_color ~ "blue") { return 418; } + if ($http_x_taler_deployment_color ~ "green") { return 419; } + proxy_pass http://unix:/home/test/sockets/exchange-admin.http; + proxy_redirect off; + proxy_set_header Host $host; + } + + location / { + error_page 418 = @blue; + error_page 419 = @green; + recursive_error_pages on; + if ($http_x_taler_deployment_color ~ "blue") { return 418; } + if ($http_x_taler_deployment_color ~ "green") { return 419; } + proxy_pass http://unix:/home/test/sockets/exchange.http:/; + proxy_redirect off; + proxy_set_header Host $host; + } +} + + +server { + server_name shop.test.taler.net; + listen 443 ssl; + listen [::]:443 ssl; + root /dev/null; + include conf.d/talerssl; + + location @blue { + add_header X-Taler-Deployment-Color blue; + uwsgi_pass unix:/home/test-blue/sockets/shop.uwsgi; + include /etc/nginx/uwsgi_params; + } + location @green { + add_header X-Taler-Deployment-Color green; + uwsgi_pass unix:/home/test-green/sockets/shop.uwsgi; + include /etc/nginx/uwsgi_params; + } + + location / { + # Redirection technique explainted at + # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/ + error_page 418 = @blue; + error_page 419 = @green; + recursive_error_pages on; + if ($http_x_taler_deployment_color ~ "blue") { return 418; } + if ($http_x_taler_deployment_color ~ "green") { return 419; } + uwsgi_pass unix:/home/test/sockets/shop.uwsgi; + include /etc/nginx/uwsgi_params; + } + + include conf.d/favicon_robots; +} + + +server { + server_name playground.test.taler.net; + listen 443 ssl; + listen [::]:443 ssl; + root /dev/null; + include conf.d/talerssl; + + location @blue { + add_header X-Taler-Deployment-Color blue; + uwsgi_pass unix:/home/test-blue/sockets/playground.uwsgi; + include /etc/nginx/uwsgi_params; + } + location @green { + add_header X-Taler-Deployment-Color green; + uwsgi_pass unix:/home/test-green/sockets/playground.uwsgi; + include /etc/nginx/uwsgi_params; + } + + location / { + # Redirection technique explainted at + # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/ + error_page 418 = @blue; + error_page 419 = @green; + recursive_error_pages on; + if ($http_x_taler_deployment_color ~ "blue") { return 418; } + if ($http_x_taler_deployment_color ~ "green") { return 419; } + uwsgi_pass unix:/home/test/sockets/playground.uwsgi; + include /etc/nginx/uwsgi_params; + } + + include conf.d/favicon_robots; +} + + +server { + server_name backend.test.taler.net; + listen 443 ssl; + listen 80; + listen [::]:443 ssl; + listen [::]:80; + include conf.d/talerssl; + + location @blue { + add_header X-Taler-Deployment-Color blue; + proxy_pass http://unix:/home/test-blue/sockets/merchant.http; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host "backend.test.taler.net"; + proxy_set_header X-Forwarded-Proto "https"; + } + location @green { + add_header X-Taler-Deployment-Color green; + proxy_pass http://unix:/home/test-green/sockets/merchant.http; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host "backend.test.taler.net"; + proxy_set_header X-Forwarded-Proto "https"; + } + + location /public { + # Redirection technique explainted at + # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/ + error_page 418 = @blue; + error_page 419 = @green; + recursive_error_pages on; + + if ($http_x_taler_deployment_color ~ "blue") { return 418; } + if ($http_x_taler_deployment_color ~ "green") { return 419; } + proxy_set_header X-Forwarded-Host "backend.test.taler.net"; + proxy_set_header X-Forwarded-Proto "https"; + proxy_pass http://unix:/home/test/sockets/merchant.http:/public; + proxy_redirect off; + proxy_set_header Host $host; + } + + location / { + # Redirection technique explainted at + # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/ + error_page 418 = @blue; + error_page 419 = @green; + recursive_error_pages on; + + # match the ApiKey part ignoring case, and the actual key + # with case-sensitivity on. + if ($http_authorization !~ "(?i)ApiKey (?-i)sandbox") { + return 401; + } + + if ($http_x_taler_deployment_color ~ "blue") { return 418; } + if ($http_x_taler_deployment_color ~ "green") { return 419; } + proxy_set_header X-Forwarded-Host "backend.test.taler.net"; + proxy_set_header X-Forwarded-Proto "https"; + proxy_pass http://unix:/home/test/sockets/merchant.http:/; + proxy_redirect off; + proxy_set_header Host $host; + } +} + + +server { + server_name survey.test.taler.net; + listen 443 ssl; + listen [::]:443 ssl; + include conf.d/talerssl; + + location / { + uwsgi_pass unix:/home/test/sockets/survey.uwsgi; + include /etc/nginx/uwsgi_params; + } +} + +server { + server_name donations.test.taler.net; + listen 443 ssl; + listen [::]:443 ssl; + include conf.d/talerssl; + + location @blue { + add_header X-Taler-Deployment-Color blue; + uwsgi_pass unix:/home/test-blue/sockets/donations.uwsgi; + include /etc/nginx/uwsgi_params; + } + location @green { + add_header X-Taler-Deployment-Color green; + uwsgi_pass unix:/home/test-green/sockets/donations.uwsgi; + include /etc/nginx/uwsgi_params; + } + + location / { + # Redirection technique explainted at + # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/ + error_page 418 = @blue; + error_page 419 = @green; + recursive_error_pages on; + if ($http_x_taler_deployment_color ~ "blue") { return 418; } + if ($http_x_taler_deployment_color ~ "green") { return 419; } + uwsgi_pass unix:/home/test/sockets/donations.uwsgi; + include /etc/nginx/uwsgi_params; + } + + include conf.d/favicon_robots; +} + + +server { + server_name bank.test.taler.net; + listen 443 ssl; + listen [::]:443 ssl; + include conf.d/talerssl; + + location @blue { + add_header X-Taler-Deployment-Color blue; + uwsgi_pass unix:/home/test-blue/sockets/bank.uwsgi; + include /etc/nginx/uwsgi_params; + } + location @green { + add_header X-Taler-Deployment-Color green; + uwsgi_pass unix:/home/test-green/sockets/bank.uwsgi; + include /etc/nginx/uwsgi_params; + } + + location / { + # Redirection technique explainted at + # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/ + error_page 418 = @blue; + error_page 419 = @green; + recursive_error_pages on; + if ($http_x_taler_deployment_color ~ "blue") { return 418; } + if ($http_x_taler_deployment_color ~ "green") { return 419; } + uwsgi_pass unix:/home/test/sockets/bank.uwsgi; + include /etc/nginx/uwsgi_params; + } + + include conf.d/favicon_robots; +} + +server { + server_name backoffice.test.taler.net; + listen 443 ssl; + listen [::]:443 ssl; + include conf.d/talerssl; + + location @blue { + add_header X-Taler-Deployment-Color blue; + uwsgi_pass unix:/home/test-blue/sockets/backoffice.uwsgi; + include /etc/nginx/uwsgi_params; + } + location @green { + add_header X-Taler-Deployment-Color green; + uwsgi_pass unix:/home/test-green/sockets/backoffice.uwsgi; + include /etc/nginx/uwsgi_params; + } + + location / { + # Redirection technique explainted at + # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/ + error_page 418 = @blue; + error_page 419 = @green; + recursive_error_pages on; + if ($http_x_taler_deployment_color ~ "blue") { return 418; } + if ($http_x_taler_deployment_color ~ "green") { return 419; } + uwsgi_pass unix:/home/test/sockets/backoffice.uwsgi; + include /etc/nginx/uwsgi_params; + } + + include conf.d/favicon_robots; +} diff --git a/guix/etc/nginx/sites-enabled/trollslayer.site b/guix/etc/nginx/sites-enabled/trollslayer.site new file mode 100644 index 0000000..1767fe6 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/trollslayer.site @@ -0,0 +1,16 @@ +server { + listen 80; + listen [::]:80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/www/trollslayer/; + + # Make site accessible from http://localhost/ + server_name trollslayer.decentralise.rennes.inria.fr; + + location / { + proxy_pass http://gnunet.org:20070/shell/; + proxy_redirect off; + proxy_set_header Host $host; + } +} diff --git a/guix/etc/nginx/sites-enabled/www-ssl.site b/guix/etc/nginx/sites-enabled/www-ssl.site new file mode 100644 index 0000000..d7776b3 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/www-ssl.site @@ -0,0 +1,59 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + #listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + + # Make site accessible from http://localhost/ + server_name taler.net; + server_name www.taler.net; + include conf.d/talerssl; + + location / { + root /home/docbuilder/www.taler.net; + autoindex off; + ssi on; + #ssi_last_modified on; + + rewrite ^/$ /$index_redirect_uri/ redirect; + + rewrite ^/(..)/$ /$1/index.html break; + + rewrite ^/(help/empty-wallet)$ /$1.html break; + rewrite ^/wallet-installation\.html$ /en/wallet.html redirect; + # just to get around cached old redirect + rewrite ^/wallet\.en\.html$ /en/wallet.html redirect; + rewrite ^/wallet$ /en/wallet.html redirect; + rewrite ^/press$ /en/press.html redirect; + } + + gzip on; + gzip_disable "msie6"; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript; + + + # Note: this will go to /var/www/(videos|releases), which we took out of Git + location /videos { + root /var/www; + expires max; + } + + location ~* /videos/.*\.(png|jpg|ogv|webm|gif|svg)$ { + root /var/www; + expires max; + } + + location /releases { + root /var/www; + autoindex on; + } + + location /files { + root /var/www; + } +} diff --git a/guix/etc/nginx/sites-enabled/www-stage.site b/guix/etc/nginx/sites-enabled/www-stage.site new file mode 100644 index 0000000..e8a988b --- /dev/null +++ b/guix/etc/nginx/sites-enabled/www-stage.site @@ -0,0 +1,78 @@ +server { + listen 80; + listen [::]:80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /home/docbuilder/stage.taler.net; + + # Make site accessible from http://localhost/ + server_name stage.taler.net; + + rewrite ^ https://$server_name$request_uri? permanent; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + #listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + + # Make site accessible from http://localhost/ + server_name stage.taler.net; + include conf.d/talerssl; + + location / { + root /home/docbuilder/stage.taler.net; + autoindex off; + + rewrite ^/$ /$index_redirect_uri/ redirect; + + rewrite ^/(..)/$ /$1/index.html break; + + rewrite ^/(help/empty-wallet)$ /$1.html break; + rewrite ^/wallet-installation\.html$ /en/wallet.html redirect; + # just to get around cached old redirect + rewrite ^/wallet\.en\.html$ /en/wallet.html redirect; + rewrite ^/wallet$ /en/wallet.html redirect; + rewrite ^/press$ /en/press.html redirect; + + } + + gzip on; + gzip_disable "msie6"; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript; + + + # Note: this will go to /var/www/(videos|releases), which we took out of Git + location /videos { + root /var/www; + expires max; + } + + location ~* /videos/.*\.(png|jpg|ogv|webm|gif|svg)$ { + root /var/www; + expires max; + } + + # FIXME: this location newest files are from Oct'16 + location /releases { + root /var/www; + autoindex on; + } + + location /files { + root /var/www; + } + + location ~* \.(png|jpg|jpeg|gif|ico|svg|js|css)$ { + root /home/docbuilder/stage.taler.net; + expires 1y; + } + + +} diff --git a/guix/etc/nginx/sites-enabled/www.git-ssl.site b/guix/etc/nginx/sites-enabled/www.git-ssl.site new file mode 100644 index 0000000..5ba4831 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/www.git-ssl.site @@ -0,0 +1,11 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/git; + server_name www.git.taler.net; + include conf.d/talerssl; + + rewrite ^ https://git.taler.net/ permanent; +} diff --git a/guix/etc/nginx/sites-enabled/www.git.site b/guix/etc/nginx/sites-enabled/www.git.site new file mode 100644 index 0000000..645923f --- /dev/null +++ b/guix/etc/nginx/sites-enabled/www.git.site @@ -0,0 +1,10 @@ +server { + listen 80; + listen [::]:80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/git; + server_name www.git.taler.net; + + rewrite ^ https://git.taler.net/ permanent; +} diff --git a/guix/etc/nginx/sites-enabled/www.site b/guix/etc/nginx/sites-enabled/www.site new file mode 100644 index 0000000..ae178e5 --- /dev/null +++ b/guix/etc/nginx/sites-enabled/www.site @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /home/docbuilder/www.taler.net; + + # Make site accessible from http://localhost/ + server_name taler.net; + server_name www.taler.net; + + rewrite ^ https://$server_name$request_uri? permanent; +} diff --git a/guix/etc/nginx/uwsgi_params b/guix/etc/nginx/uwsgi_params new file mode 100644 index 0000000..09c732c --- /dev/null +++ b/guix/etc/nginx/uwsgi_params @@ -0,0 +1,17 @@ + +uwsgi_param QUERY_STRING $query_string; +uwsgi_param REQUEST_METHOD $request_method; +uwsgi_param CONTENT_TYPE $content_type; +uwsgi_param CONTENT_LENGTH $content_length; + +uwsgi_param REQUEST_URI $request_uri; +uwsgi_param PATH_INFO $document_uri; +uwsgi_param DOCUMENT_ROOT $document_root; +uwsgi_param SERVER_PROTOCOL $server_protocol; +uwsgi_param REQUEST_SCHEME $scheme; +uwsgi_param HTTPS $https if_not_empty; + +uwsgi_param REMOTE_ADDR $remote_addr; +uwsgi_param REMOTE_PORT $remote_port; +uwsgi_param SERVER_PORT $server_port; +uwsgi_param SERVER_NAME $server_name; diff --git a/guix/etc/nginx/win-utf b/guix/etc/nginx/win-utf new file mode 100644 index 0000000..774fd9f --- /dev/null +++ b/guix/etc/nginx/win-utf @@ -0,0 +1,125 @@ +# This map is not a full windows-1251 <> utf8 map: it does not +# contain Serbian and Macedonian letters. If you need a full map, +# use contrib/unicode2nginx/win-utf map instead. + +charset_map windows-1251 utf-8 { + + 82 E2809A; # single low-9 quotation mark + + 84 E2809E; # double low-9 quotation mark + 85 E280A6; # ellipsis + 86 E280A0; # dagger + 87 E280A1; # double dagger + 88 E282AC; # euro + 89 E280B0; # per mille + + 91 E28098; # left single quotation mark + 92 E28099; # right single quotation mark + 93 E2809C; # left double quotation mark + 94 E2809D; # right double quotation mark + 95 E280A2; # bullet + 96 E28093; # en dash + 97 E28094; # em dash + + 99 E284A2; # trade mark sign + + A0 C2A0; # + A1 D18E; # capital Byelorussian short U + A2 D19E; # small Byelorussian short u + + A4 C2A4; # currency sign + A5 D290; # capital Ukrainian soft G + A6 C2A6; # borken bar + A7 C2A7; # section sign + A8 D081; # capital YO + A9 C2A9; # (C) + AA D084; # capital Ukrainian YE + AB C2AB; # left-pointing double angle quotation mark + AC C2AC; # not sign + AD C2AD; # soft hypen + AE C2AE; # (R) + AF D087; # capital Ukrainian YI + + B0 C2B0; # ° + B1 C2B1; # plus-minus sign + B2 D086; # capital Ukrainian I + B3 D196; # small Ukrainian i + B4 D291; # small Ukrainian soft g + B5 C2B5; # micro sign + B6 C2B6; # pilcrow sign + B7 C2B7; # · + B8 D191; # small yo + B9 E28496; # numero sign + BA D194; # small Ukrainian ye + BB C2BB; # right-pointing double angle quotation mark + + BF D197; # small Ukrainian yi + + C0 D090; # capital A + C1 D091; # capital B + C2 D092; # capital V + C3 D093; # capital G + C4 D094; # capital D + C5 D095; # capital YE + C6 D096; # capital ZH + C7 D097; # capital Z + C8 D098; # capital I + C9 D099; # capital J + CA D09A; # capital K + CB D09B; # capital L + CC D09C; # capital M + CD D09D; # capital N + CE D09E; # capital O + CF D09F; # capital P + + D0 D0A0; # capital R + D1 D0A1; # capital S + D2 D0A2; # capital T + D3 D0A3; # capital U + D4 D0A4; # capital F + D5 D0A5; # capital KH + D6 D0A6; # capital TS + D7 D0A7; # capital CH + D8 D0A8; # capital SH + D9 D0A9; # capital SHCH + DA D0AA; # capital hard sign + DB D0AB; # capital Y + DC D0AC; # capital soft sign + DD D0AD; # capital E + DE D0AE; # capital YU + DF D0AF; # capital YA + + E0 D0B0; # small a + E1 D0B1; # small b + E2 D0B2; # small v + E3 D0B3; # small g + E4 D0B4; # small d + E5 D0B5; # small ye + E6 D0B6; # small zh + E7 D0B7; # small z + E8 D0B8; # small i + E9 D0B9; # small j + EA D0BA; # small k + EB D0BB; # small l + EC D0BC; # small m + ED D0BD; # small n + EE D0BE; # small o + EF D0BF; # small p + + F0 D180; # small r + F1 D181; # small s + F2 D182; # small t + F3 D183; # small u + F4 D184; # small f + F5 D185; # small kh + F6 D186; # small ts + F7 D187; # small ch + F8 D188; # small sh + F9 D189; # small shch + FA D18A; # small hard sign + FB D18B; # small y + FC D18C; # small soft sign + FD D18D; # small e + FE D18E; # small yu + FF D18F; # small ya +} |