From 8a1178cb9785495784ef200757e5b8a61772290a Mon Sep 17 00:00:00 2001 
From: Florian Dold Date: Tue, 1 Mar 2016 23:32:25 +0100 Subject: missing drupal stuff --- etc/nginx/apps/drupal/admin_basic_auth.conf | 12 + etc/nginx/apps/drupal/cron_allowed_hosts.conf | 10 + etc/nginx/apps/drupal/drupal.conf | 347 ++++++++++++++++++++ etc/nginx/apps/drupal/drupal_boost.conf | 377 +++++++++++++++++++++ etc/nginx/apps/drupal/drupal_boost_escaped.conf | 382 ++++++++++++++++++++++ etc/nginx/apps/drupal/drupal_cron_update.conf | 40 +++ etc/nginx/apps/drupal/drupal_escaped.conf | 347 ++++++++++++++++++++ etc/nginx/apps/drupal/drupal_install.conf | 16 + etc/nginx/apps/drupal/drupal_upload_progress.conf | 23 ++ etc/nginx/apps/drupal/fastcgi_drupal.conf | 43 +++ etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf | 43 +++ etc/nginx/apps/drupal/hotlinking_protection.conf | 10 + etc/nginx/apps/drupal/map_cache.conf | 39 +++ etc/nginx/apps/drupal/microcache_fcgi.conf | 39 +++ etc/nginx/apps/drupal/microcache_fcgi_auth.conf | 51 +++ etc/nginx/apps/drupal/microcache_proxy.conf | 53 +++ etc/nginx/apps/drupal/microcache_proxy_auth.conf | 54 +++ 17 files changed, 1886 insertions(+) create mode 100644 etc/nginx/apps/drupal/admin_basic_auth.conf create mode 100644 etc/nginx/apps/drupal/cron_allowed_hosts.conf create mode 100644 etc/nginx/apps/drupal/drupal.conf create mode 100644 etc/nginx/apps/drupal/drupal_boost.conf create mode 100644 etc/nginx/apps/drupal/drupal_boost_escaped.conf create mode 100644 etc/nginx/apps/drupal/drupal_cron_update.conf create mode 100644 etc/nginx/apps/drupal/drupal_escaped.conf create mode 100644 etc/nginx/apps/drupal/drupal_install.conf create mode 100644 etc/nginx/apps/drupal/drupal_upload_progress.conf create mode 100644 etc/nginx/apps/drupal/fastcgi_drupal.conf create mode 100644 etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf create mode 100644 etc/nginx/apps/drupal/hotlinking_protection.conf create mode 100644 etc/nginx/apps/drupal/map_cache.conf create mode 100644 etc/nginx/apps/drupal/microcache_fcgi.conf create mode 100644 
etc/nginx/apps/drupal/microcache_fcgi_auth.conf create mode 100644 etc/nginx/apps/drupal/microcache_proxy.conf create mode 100644 etc/nginx/apps/drupal/microcache_proxy_auth.conf (limited to 'etc/nginx/apps')
diff --git a/etc/nginx/apps/drupal/admin_basic_auth.conf b/etc/nginx/apps/drupal/admin_basic_auth.conf
new file mode 100644
index 0000000..cc796ce
--- /dev/null
+++ b/etc/nginx/apps/drupal/admin_basic_auth.conf
@@ -0,0 +1,12 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+## Protect the /admin URIs with a basic auth.
+location ^~ /admin {
+ auth_basic "Restricted access"; #realm
+ auth_basic_user_file .htpasswd-users;
+
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+}
diff --git a/etc/nginx/apps/drupal/cron_allowed_hosts.conf b/etc/nginx/apps/drupal/cron_allowed_hosts.conf
new file mode 100644
index 0000000..bdb3dd9
--- /dev/null
+++ b/etc/nginx/apps/drupal/cron_allowed_hosts.conf
@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration file for specifying which hosts can invoke Drupal's
+### cron. This only applies if you're not using drush to run cron.
+
+geo $not_allowed_cron {
+ default 1;
+ ## Add your set of hosts.
+ 127.0.0.1 0; # allow the localhost
+ 192.168.1.0/24 0; # allow on an internal network
+}
diff --git a/etc/nginx/apps/drupal/drupal.conf b/etc/nginx/apps/drupal/drupal.conf
new file mode 100644
index 0000000..e65024f
--- /dev/null
+++ b/etc/nginx/apps/drupal/drupal.conf
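Review bot: `auth_basic_user_file .htpasswd-users;` is a relative path, and nginx resolves relative paths against its prefix directory rather than the directory of the included file, so where the credentials file is actually read from depends on how nginx was built or started. If that prefix doubles as a document root, the htpasswd file itself becomes reachable over HTTP; an absolute path outside any root, e.g. `auth_basic_user_file /etc/nginx/.htpasswd-users;` (exact path to be confirmed against the deployment), removes the ambiguity. Note also that `fastcgi_pass phpcgi;` relies on an upstream named `phpcgi` being defined by the including server block, as the other Drupal includes in this commit do.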
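Review bot: `192.168.1.0/24 0;` is shipped as a live entry rather than an example, so a deployment that includes this file unchanged lets every host on that /24 invoke cron even though the comment above it says to add your own hosts; consider commenting it out, `#192.168.1.0/24 0; # example: allow an internal network`, and leaving only `127.0.0.1` enabled. Worth stating in the header comment as well: `geo` matches on `$remote_addr` by default, so when nginx sits behind a load balancer or reverse proxy every request carries the proxy's address and this allowlist no longer distinguishes between clients.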
@@ -0,0 +1,347 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for Drupal. This configuration makes use of
+### drush (http:///drupal.org/project/drush) for site maintenance
+### and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ ## Set the OS file cache.
+ open_file_cache max=3000 inactive=120s;
+ open_file_cache_valid 45s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+# aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+# aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+# flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+# mp4;
+# mp4_buffer_size 1M;
+# mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+# mp4;
+# mp4_buffer_size 1M;
+# mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+ }
+ }
+
+ ## Replicate the Apache directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the /index.php?q=$uri&$args if not found.
+ try_files $uri @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+# include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+# track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+# include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
diff --git a/etc/nginx/apps/drupal/drupal_boost.conf b/etc/nginx/apps/drupal/drupal_boost.conf
new file mode 100644
index 0000000..1cb10e1
--- /dev/null
+++ b/etc/nginx/apps/drupal/drupal_boost.conf
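Review bot: The VCS blocks `location ^~ /.bzr` through `location ^~ /.cvs` are prefix matches anchored at the site root, so a `.git` (or similar) directory deeper in the tree — a contributed module or theme checked out under `sites/`, for instance — is not covered and falls through to the static-file and `location /` handlers. A single regex location covers any depth: `location ~ /\.(?:bzr|git|hg|svn|cvs)(?:/|$) { return 404; }`; as a server-level regex it is evaluated before the `location /` prefix match is used, which is the precedence wanted here. The code-file regex inside `location /` does not close this gap either, since it only matches on file suffixes and a few fixed CVS names. The same five prefix blocks are repeated in drupal_boost.conf in this commit.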
@@ -0,0 +1,377 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for using Boost with Drupal. This
+### configuration makes use of drush (http:///drupal.org/project/drush)
+### for site maintenance and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$no_slash_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ add_header Pragma '';
+ add_header Cache-Control 'public, max-age=946080000';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+ flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ }
+ }
+
+ ## Replicate the Apache directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the @cache if not found.
+ try_files $uri @cache;
+}
+
+## We define a named location for the cache.
+location @cache {
+ ## Boost compresses can the pages so we check it. Comment it out
+ ## if you don't have it enabled in Boost.
+ gzip_static on;
+
+ ## Error page handler for the case where $no_cache is 1. POST
+ ## request or authenticated.
+ error_page 418 = @drupal;
+
+ ## If $no_cache is 1 then it means that either we have a session
+ ## cookie or that the request method is POST. So serve the dynamic
+ ## page.
+ if ($no_cache) {
+ return 418; # I'm a teapot/I can't get no cachifaction
+ }
+
+ ## No caching for POST requests.
+ if ($request_method = POST) {
+ return 418;
+ }
+
+ # Now for some header tweaking. We use a date that differs
+ # from stock Drupal. Everyone seems to be using their
+ # birthdate. Why go against the grain?
+ add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT";
+ # We bypass all delays in the post-check and pre-check
+ # parameters of Cache-Control. Both set to 0.
+ add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
+ # Funny...perhaps. Egocentric? Damn right!;
+ add_header X-Header "Boost Helás Avril 1.0";
+ ## Boost doesn't set a charset.
+ charset utf-8;
+
+ # We try each boost URI in succession, if every one of them
+ # fails then relay to Drupal.
+ try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$uri.html /cache/$host/0${uri}/index.html @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache/index.php?q=$uri&$args;
+ #proxy_set_header Connection '';
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+ track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
+## Boost stats.
+location = /boost_stats.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
diff --git a/etc/nginx/apps/drupal/drupal_boost_escaped.conf b/etc/nginx/apps/drupal/drupal_boost_escaped.conf
new file mode 100644
index 0000000..36f5d98
--- /dev/null
+++ b/etc/nginx/apps/drupal/drupal_boost_escaped.conf
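Review bot: The `try_files` in `location @cache` builds filesystem paths from `$host`, `$uri` and the raw `$args`; nginx normalizes `$uri` but passes the query string through untouched, so as far as I can tell a query string carrying `..` segments steers the first lookup outside the `/cache/normal/$host` tree (the fixed `.html` suffix only constrains which names can match, not where the lookup happens). A guard beside the existing POST check keeps such requests out of the cache path, `if ($args ~ "\.\.") { return 418; }`; the `_escaped` variant in this commit escapes `$uri` through `ngx.escape_uri` but, judging by its `set_by_lua` line, not `$args`, so it likely needs the same check. Separately, `location = /boost_stats.php` uses `fastcgi_pass phpcgi;` without including `apps/drupal/fastcgi_drupal.conf` as every other PHP-handling location does, so unless `fastcgi_param` directives are inherited from the enclosing server block the backend receives no FastCGI parameters for that request.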
@@ -0,0 +1,382 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for using Boost with Drupal. This
+### configuration makes use of drush (http:///drupal.org/project/drush)
+### for site maintenance and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## To avoid the ugly rewrite we use Lua to escape the URI.
+set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)';
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$no_slash_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ add_header Pragma '';
+ add_header Cache-Control 'public, max-age=946080000';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+ flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+ }
+ }
+
+ ## Replicate the Apache directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the @cache if not found.
+ try_files $escaped_uri @cache;
+}
+
+## We define a named location for the cache.
+location @cache {
+ ## Boost compresses can the pages so we check it. Comment it out
+ ## if you don't have it enabled in Boost.
+ gzip_static on;
+
+ ## Error page handler for the case where $no_cache is 1. POST
+ ## request or authenticated.
+ error_page 418 = @drupal;
+
+ ## If $no_cache is 1 then it means that either we have a session
+ ## cookie or that the request method is POST. So serve the dynamic
+ ## page.
+ if ($no_cache) {
+ return 418; # I'm a teapot/I can't get no cachifaction
+ }
+
+ ## No caching for POST requests.
+ if ($request_method = POST) {
+ return 418;
+ }
+
+ # Now for some header tweaking. We use a date that differs
+ # from stock Drupal. Everyone seems to be using their
+ # birthdate. Why go against the grain?
+ add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT";
+ # We bypass all delays in the post-check and pre-check
+ # parameters of Cache-Control. Both set to 0.
+ add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
+ # Funny...perhaps. Egocentric? Damn right!;
+ add_header X-Header "Boost Helás Avril 1.0";
+ ## Boost doesn't set a charset.
+ charset utf-8;
+
+ # We try each boost URI in succession, if every one of them
+ # fails then relay to Drupal.
+ try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$escaped_uri.html /cache/$host/0${uri}/index.html @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args;
+ #proxy_set_header Connection '';
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+ track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
+## Boost stats.
+location = /boost_stats.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+ #proxy_set_header Connection '';
+}
+
diff --git a/etc/nginx/apps/drupal/drupal_cron_update.conf b/etc/nginx/apps/drupal/drupal_cron_update.conf
new file mode 100644
index 0000000..55500e9
--- /dev/null
+++ b/etc/nginx/apps/drupal/drupal_cron_update.conf
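Review bot: The repository guards `location ^~ /.bzr` … `location ^~ /.cvs` (and likewise `/patches` and `/backup`) are prefix matches anchored at the document root, so a checkout nested deeper — a `.git` directory inside a contrib module or theme under `sites/`, say — is not covered: such a request falls through to `location /`, none of its nested regexes match a path like `.git/config`, and `try_files` can then serve the file from disk. A single top-level regex location covers every depth and is evaluated before the plain prefix `location /` is selected: `location ~ /\.(?:bzr|git|hg|svn|cvs)(?:/|$) { return 404; }`. The same root-only guards appear in the `drupal_escaped.conf` hunk below and in the `drupal_boost.conf` tail above, so the fix belongs in all three. Note that in `^~ /.git` the dot is literal (no regex), which is why the existing blocks are correct as far as they go.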
@@ -0,0 +1,40 @@
+# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration file for Drupal if you're not using drush to update your site or run cron.
+
+## XMLRPC. Comment out if not enabled.
+location = /xmlrpc.php {
+ fastcgi_pass phpcgi;
+ # To use Apache for serving PHP uncomment the line bellow and
+ # comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+## Restrict cron access to a specific host.
+location = /cron.php {
+ ## If not allowed to run cron then issue a 404 and redirect to the
+ ## site root.
+ if ($not_allowed_cron) {
+ return 404 /;
+ }
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+## Run the update from the web interface with Drupal 7.
+location = /authorize.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+location = /update.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
diff --git a/etc/nginx/apps/drupal/drupal_escaped.conf b/etc/nginx/apps/drupal/drupal_escaped.conf
new file mode 100644
index 0000000..db08cc0
--- /dev/null
+++ b/etc/nginx/apps/drupal/drupal_escaped.conf
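Review bot: `return 404 /;` in the `/cron.php` block does not redirect anywhere: when `return` is given a status code, the second argument is the response body, so a disallowed caller gets a 404 whose body is the literal text `/`, which contradicts the "redirect to the site root" comment. Use plain `return 404;` and reword the comment, or `return 302 /;` if a redirect is really wanted — the 404 is the better choice here because it does not confirm that the cron endpoint exists. `$not_allowed_cron` is not defined in this file, so the block silently depends on the map that sets it being loaded before this include; a one-line comment naming that dependency would help the next reader.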
@@ -0,0 +1,347 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for Drupal. This configuration makes use of
+### drush (http:///drupal.org/project/drush) for site maintenance
+### and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## To avoid the ugly rewrite we use Lua to escape the URI.
+set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)';
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$no_slash_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ ## Set the OS file cache.
+ open_file_cache max=3000 inactive=120s;
+ open_file_cache_valid 45s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+ flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ }
+ }
+
+ ## Replicate the Apache directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the /index.php?q=$escaped_uri&$args if not found.
+ try_files $escaped_uri @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+ include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args;
+ #proxy_set_header Connection '';
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+ track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+ include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
diff --git a/etc/nginx/apps/drupal/drupal_install.conf b/etc/nginx/apps/drupal/drupal_install.conf
new file mode 100644
index 0000000..1f4f11b
--- /dev/null
+++ b/etc/nginx/apps/drupal/drupal_install.conf
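Review bot: The `internal;` guard for private files is hard-coded to `/sites/default/files/private/`, so if this file is reused for a multisite install a per-site private directory such as `/sites/<site>/files/private/` is not marked internal; it would fall through to the static-file regex in `location /` (or to the final `try_files`) and be served directly. If that layout is in use, a nested regex location placed before the static regex closes the gap for every site directory: `location ~ ^/sites/[^/]+/files/private/ { internal; }`. Whether private files actually live under that path depends on the site's file-system settings, so treat this as something to confirm rather than a certain defect. The same single-site guard appears in the `drupal_boost_escaped.conf` hunk above.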
@@ -0,0 +1,16 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Directives for installing drupal. This is for drupal 6 and 7.
+
+location = /install.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+}
+
+## This is for drupal 8. There's a new location for the install file.
+location = /core/install.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+}
diff --git a/etc/nginx/apps/drupal/drupal_upload_progress.conf b/etc/nginx/apps/drupal/drupal_upload_progress.conf
new file mode 100644
index 0000000..843fb06
--- /dev/null
+++ b/etc/nginx/apps/drupal/drupal_upload_progress.conf
@@ -0,0 +1,23 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
+### Drupal 7 configuration for the Nginx Upload Progress module:
+### https://github.com/masterzen/nginx-upload-progress-module
+### This requires the Filefield Nginx Progress module:
+### http://drupal.org/project/filefield_nginx_progress.
+
+## The Nginx module wants ?X-Progress-ID query parameter so
+## that it report the progress of the upload through a GET
+## request. But the drupal form element makes use of clean
+## URLs in the POST.
+
+location ~ (?.*)/x-progress-id:(?\d*) {
+ rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id;
+}
+
+## Now the above rewrite must be matched by a location that
+## activates it and references the above defined upload
+## tracking zone.
+location ^~ /progress {
+ upload_progress_json_output;
+ report_uploads uploads;
+}
diff --git a/etc/nginx/apps/drupal/fastcgi_drupal.conf b/etc/nginx/apps/drupal/fastcgi_drupal.conf
new file mode 100644
index 0000000..be59f85
--- /dev/null
+++ b/etc/nginx/apps/drupal/fastcgi_drupal.conf
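Review bot: Nothing in this file says that it re-opens PHP entry points which the main Drupal configuration deliberately answers with a 404 (`location ~* ^.+\.php$`), so a header comment should state its lifetime, e.g. `## Include only while installing the site; remove the include afterwards, even though these locations are basic-auth protected.`. Neither block sets any `fastcgi_param`, so unless the enclosing server block provides a generic parameter set (nginx's stock `fastcgi.conf`, for instance) the backend receives no `SCRIPT_FILENAME` — that cannot be determined from this diff and is worth confirming. The relative `auth_basic_user_file .htpasswd-users` resolves against nginx's configuration prefix, which keeps the password file outside the document root as long as the prefix is not the web root; a comment saying so would spare the next reader the check.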
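Review bot: As rendered here, the named captures in `location ~ (?.*)/x-progress-id:(?\d*) {` have lost their names — `(?.` is not valid PCRE, so `nginx -t` would reject the file as shown — while the `rewrite` on the next line references `$upload_form_uri` and `$upload_id`, so the intended line is `location ~ (?<upload_form_uri>.*)/x-progress-id:(?<upload_id>\d*) {`. The same loss affects the `$cache_uid` map in the `map_cache.conf` hunk, where the capture feeding `$session_id` should read `(?<session_id>[[:graph:]]+)`. This may be an artefact of how the patch was rendered (angle brackets stripped) rather than the committed file, so check the file itself before changing anything.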
@@ -0,0 +1,43 @@
+#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### fastcgi configuration for serving private files.
+## 1. Parameters.
+fastcgi_param QUERY_STRING q=$uri&$args;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME /index.php;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+## PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or
+## later. The if_not_empty flag was introduced in 1.1.11. See:
+## http://nginx.org/en/CHANGES. If using a version that doesn't
+## support this comment out the line below.
+fastcgi_param HTTPS $fastcgi_https if_not_empty;
+## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
+#fastcgi_param HTTPS $fastcgi_https;
+
+## 2. Nginx FCGI specific directives.
+fastcgi_buffers 256 4k;
+fastcgi_intercept_errors on;
+## Allow 4 hrs - pass timeout responsibility to upstream.
+fastcgi_read_timeout 14400;
+fastcgi_index index.php;
+## Hide the X-Drupal-Cache header provided by Pressflow.
+fastcgi_hide_header 'X-Drupal-Cache';
+## Hide the Drupal 7 header X-Generator.
+fastcgi_hide_header 'X-Generator';
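Review bot: `fastcgi_read_timeout 14400;` lets a single request hold an nginx-to-PHP connection and a PHP worker for four hours, so a handful of slow or stalled requests can exhaust the FastCGI pool; the comment hands the timeout to the upstream, but PHP's execution limit does not count time spent blocked on I/O, so there is no effective bound. Keep a short default here (e.g. `fastcgi_read_timeout 300;`) and override it only in the locations that genuinely run long, such as the cron and update ones. Since client request headers are forwarded to the backend as `HTTP_*` parameters by default, also consider adding `fastcgi_param HTTP_PROXY "";` so that a client-supplied `Proxy` header cannot populate the PHP process's `HTTP_PROXY` environment variable (the "httpoxy" issue). Both points apply equally to the `fastcgi_no_args_drupal.conf` hunk below.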
diff --git a/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf b/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf new file mode 100644 index 0000000..683e4ce --- /dev/null +++ b/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf 
@@ -0,0 +1,43 @@
+#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### fastcgi configuration for serving private files.
+## 1. Parameters.
+fastcgi_param QUERY_STRING q=$uri;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME /index.php;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+## PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or
+## later. The if_not_empty flag was introduced in 1.1.11. See:
+## http://nginx.org/en/CHANGES. If using a version that doesn't
+## support this comment out the line below.
+fastcgi_param HTTPS $fastcgi_https if_not_empty;
+## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
+#fastcgi_param HTTPS $fastcgi_https;
+
+## 2. Nginx FCGI specific directives.
+fastcgi_buffers 256 4k;
+fastcgi_intercept_errors on;
+## Allow 4 hrs - pass timeout responsibility to upstream.
+fastcgi_read_timeout 14400;
+fastcgi_index index.php;
+## Hide the X-Drupal-Cache header provided by Pressflow.
+fastcgi_hide_header 'X-Drupal-Cache';
+## Hide the Drupal 7 header X-Generator.
+fastcgi_hide_header 'X-Generator';
diff --git a/etc/nginx/apps/drupal/hotlinking_protection.conf b/etc/nginx/apps/drupal/hotlinking_protection.conf
new file mode 100644
index 0000000..f2926e1
--- /dev/null
+++ b/etc/nginx/apps/drupal/hotlinking_protection.conf
@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Hotlinking protection for images. Include it in any context you
+### want. Adjust the list of allowed referers to your liking.
+
+valid_referers none blocked *.example.com *.google.com my.site.com;
+
+if ($invalid_referer) {
+ return 200 "No image hotlinking allowed!\n";
+}
diff --git a/etc/nginx/apps/drupal/map_cache.conf b/etc/nginx/apps/drupal/map_cache.conf
new file mode 100644
index 0000000..8166fcd
--- /dev/null
+++ b/etc/nginx/apps/drupal/map_cache.conf
@@ -0,0 +1,39 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
+### Testing if we should be serving content from cache or not. This is
+### needed for any Drupal setup that uses an external cache.
+
+## Let Ajax calls go through.
+map $uri $no_cache_ajax {
+ default 0;
+ /system/ajax 1;
+}
+
+## Testing for the session cookie being present. If there is then no
+## caching is to be done. Note that this is for someone using either
+## Drupal 7 pressflow or stock Drupal 6 core with no_anon
+## (http://drupal.org/project/no_anon).
+map $http_cookie $no_cache_cookie {
+ default 0;
+ ~SESS 1; # PHP session cookie
+}
+
+## Combine both results to get the cache bypassing mapping.
+map $no_cache_ajax$no_cache_cookie $no_cache {
+ default 1;
+ 00 0;
+}
+
+## If you're using stock Drupal 6 without no_anon, i.e., there's a
+## session cookie being served even to anonymous users, then uncomment
+## the three lines below and comment the above map directive
+# map $http_cookie $no_cache {
+# default 0;
+# ~DRUPAL_UID 1; # DRUPAL_UID cookie set by Boost
+# }
+
+## Set a cache_uid variable for authenticated users.
+map $http_cookie $cache_uid {
+ default nil; # hommage to Lisp :)
+ ~SESS[[:alnum:]]+=(?[[:graph:]]+) $session_id;
+}
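Review bot: The refusal inside `if ($invalid_referer)` answers `200` with a plain-text body, so a blocked image fetch is indistinguishable from a success in the access log and to anything that monitors status codes; `return 403 "No image hotlinking allowed!\n";` keeps the message while making the block observable. The `valid_referers` line still carries placeholder hosts (`*.example.com`, `my.site.com`) alongside `*.google.com`, and the file comment only says to adjust them; a line such as `## Replace the hosts below with the domains allowed to embed your images before including this file.` would make that a required step rather than a suggestion. Referer is chosen by the client, so this include deters casual hotlinking only and should not be treated as an access control on the image locations it is included in.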
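Review bot: The last `map` entry reads `~SESS[[:alnum:]]+=(?[[:graph:]]+) $session_id;` as printed, which has no named group that could populate `$session_id` and is not a valid regex, so nginx would refuse the configuration; the intended form is presumably `~SESS[[:alnum:]]+=(?<session_id>[[:graph:]]+) $session_id;` and the committed file should be checked, since this may be an artifact of how the patch was rendered. Because `$cache_uid` falls back to `nil` whenever the pattern fails to match, and the `*_auth.conf` includes in this commit build their cache key as `$cache_uid@...`, a logged-in request whose cookie escapes the pattern is stored under the same key as cookie-less traffic; a comment stating that the correctness of those caches rests on this one map would help the next maintainer. `[[:graph:]]+` also runs up to the next whitespace, so when another cookie follows the session cookie the captured value carries a trailing `;` and one session yields two cache keys depending on cookie order; `[^;[:space:]]+` captures just the value.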
diff --git a/etc/nginx/apps/drupal/microcache_fcgi.conf b/etc/nginx/apps/drupal/microcache_fcgi.conf
new file mode 100644
index 0000000..e7e8184
--- /dev/null
+++ b/etc/nginx/apps/drupal/microcache_fcgi.conf
@@ -0,0 +1,39 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+fastcgi_cache microcache;
+## The cache key.
+fastcgi_cache_key $scheme$request_method$host$request_uri;
+
+## For 200 and 301 make the cache valid for 1s seconds.
+fastcgi_cache_valid 200 301 1s;
+## For 302 make it valid for 1 minute.
+fastcgi_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+fastcgi_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+fastcgi_ignore_headers Cache-Control Expires;
+## Bypass the cache.
+fastcgi_cache_bypass $no_cache;
+fastcgi_no_cache $no_cache;
+
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock
+## Cache locking mechanism for protecting the backend of too many
+## simultaneous requests.
+#fastcgi_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+#fastcgi_cache_lock_timeout 8000; # in miliseconds.
diff --git a/etc/nginx/apps/drupal/microcache_fcgi_auth.conf b/etc/nginx/apps/drupal/microcache_fcgi_auth.conf
new file mode 100644
index 0000000..7b2b7c3
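Review bot: `fastcgi_ignore_headers Cache-Control Expires;` removes the application's per-response opt-out, so a `Cache-Control: private` or `no-store` reply from Drupal is still stored for the `fastcgi_cache_valid` window under the shared `$scheme$request_method$host$request_uri` key; what keeps personalised content out of that key is only the `$no_cache` map from map_cache.conf and nginx's default of not caching responses that carry `Set-Cookie`. That is an invariant future edits can break silently, so it deserves a comment beside the bypass lines, e.g. `## Cache-Control is deliberately ignored; isolation relies on $no_cache and on Set-Cookie responses never being cached.` The comment above the first `fastcgi_cache_valid` line says `1s seconds`; `1 second` matches the wording used for 404.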
--- /dev/null
+++ b/etc/nginx/apps/drupal/microcache_fcgi_auth.conf
@@ -0,0 +1,51 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+## The cache zone referenced.
+fastcgi_cache microcache;
+## The cache key.
+fastcgi_cache_key $cache_uid@$scheme$request_method$host$request_uri;
+
+## For 200 and 301 make the cache valid for 15s.
+fastcgi_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+fastcgi_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+fastcgi_cache_valid 404 1s;
+## If there are any upstream errors use whatever it is available.
+fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+fastcgi_ignore_headers Cache-Control Expires;
+fastcgi_pass_header Set-Cookie;
+fastcgi_pass_header Cookie;
+## Bypass the cache.
+# fastcgi_cache_bypass $no_auth_cache;
+# fastcgi_no_cache $no_auth_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock
+## Cache locking mechanism for protecting the backend of too many
+## simultaneous requests.
+#fastcgi_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+#fastcgi_cache_lock_timeout 8000; # in miliseconds.
diff --git a/etc/nginx/apps/drupal/microcache_proxy.conf b/etc/nginx/apps/drupal/microcache_proxy.conf
new file mode 100644
index 0000000..6708684
--- /dev/null
+++ b/etc/nginx/apps/drupal/microcache_proxy.conf
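Review bot: `add_header X-Content-Options nosniff;` sets a header name that browsers do not recognise, so the MIME-sniffing protection described in the comment above it is never applied; the header is `X-Content-Type-Options`, i.e. `add_header X-Content-Type-Options nosniff;`. The same line appears in microcache_proxy.conf and microcache_proxy_auth.conf in this commit. `fastcgi_pass_header Cookie;` is a no-op, since `*_pass_header` only governs response headers and `Cookie` is a request header, and `Set-Cookie` is passed by default unless hidden, so both lines can go or gain a comment explaining what they are meant to achieve. With the two `$no_auth_cache` bypass lines commented out, every 200/301 for a logged-in session is stored for 15s, so per-user isolation rests entirely on `$cache_uid` in the key being derived correctly from the session cookie; that assumption is worth a comment next to `fastcgi_cache_key`.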
@@ -0,0 +1,53 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+proxy_cache microcache;
+## The cache key.
+proxy_cache_key $host$request_uri;
+
+## For 200 and 301 make the cache valid for 15 seconds.
+proxy_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+proxy_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+proxy_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+proxy_ignore_headers Cache-Control Expires;
+## Bypass the cache.
+proxy_cache_bypass $no_cache;
+proxy_no_cache $no_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock.
+## Cache locking mechanism for protecting the backendof too many
+## simultaneous requests.
+#proxy_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+# proxy_cache_lock_timeout 8000; # in miliseconds.
diff --git a/etc/nginx/apps/drupal/microcache_proxy_auth.conf b/etc/nginx/apps/drupal/microcache_proxy_auth.conf
new file mode 100644
index 0000000..e351b1b
--- /dev/null
+++ b/etc/nginx/apps/drupal/microcache_proxy_auth.conf
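Review bot: `proxy_cache_key $host$request_uri;` drops the `$scheme` and `$request_method` components that microcache_fcgi.conf uses, so http and https requests for the same path share a single cache entry; because 301s are cached (`proxy_cache_valid 200 301 15s`), an http-to-https redirect stored from a plain-http request could be replayed to an https client for that window if the upstream issues scheme-dependent redirects, which is an inference from the visible lines rather than something this file shows. `proxy_cache_key $scheme$request_method$host$request_uri;` brings it in line with the FastCGI variant; microcache_proxy_auth.conf's `$cache_uid@$host$request_uri` has the same gap.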
@@ -0,0 +1,54 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+proxy_cache microcache;
+## The cache key.
+proxy_cache_key $cache_uid@$host$request_uri;
+
+## For 200 and 301 make the cache valid for 15 seconds.
+proxy_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+proxy_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+proxy_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+proxy_ignore_headers Cache-Control Expires;
+proxy_pass_header Set-Cookie;
+proxy_pass_header Cookie;
+## Bypass the cache.
+proxy_cache_bypass $no_auth_cache;
+proxy_no_cache $no_auth_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock.
+## Cache locking mechanism for protecting the backendof too many
+## simultaneous requests.
+#proxy_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+# proxy_cache_lock_timeout 8000; # in miliseconds.
-- cgit v1.2.3
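Review bot: `proxy_cache_bypass $no_auth_cache;` and `proxy_no_cache $no_auth_cache;` reference a variable that no file in this commit defines (map_cache.conf only produces `$no_cache_ajax`, `$no_cache_cookie`, `$no_cache` and `$cache_uid`), and nginx rejects a configuration that uses an unknown variable, so this include will fail a config test unless `$no_auth_cache` is mapped in a file outside the commit; microcache_fcgi_auth.conf sidesteps this by leaving the equivalent lines commented out. A comment such as `## $no_auth_cache must be defined by a map included before this file.` would make the dependency explicit, and the two auth variants should probably agree on whether the bypass is active.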