# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- ### Nginx configuration for using Boost with Drupal. This ### configuration makes use of drush (http:///drupal.org/project/drush) ### for site maintenance and like tasks: ### ### 1. Run the cronjobs. ### 2. Run the DB and code updates: drush up or drush upc followed by ### drush updb to run any DB updates required by the code upgrades ### that were performed. ### 3. Disabling of xmlrpc.xml, install.php (needed only for ### installing the site) and update.php: all updates are now ### handled through drush. ## To avoid the ugly rewrite we use Lua to escape the URI. set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)'; ## The 'default' location. location / { ## Drupal 404 from can impact performance. If using a module like ## search404 then 404's *have *to be handled by Drupal. Uncomment to ## relay the handling of 404's to Drupal. ## error_page 404 /index.php; ## Using a nested location is the 'correct' way to use regexes. ## Regular private file serving (i.e. handled by Drupal). location ^~ /system/files/ { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## If proxying to apache comment the two lines above and ## uncomment the line below. #proxy_pass http://phpapache/index.php?q=$escaped_uri; #proxy_set_header Connection ''; ## For not signaling a 404 in the error log whenever the ## system/files directory is accessed add the line below. ## Note that the 404 is the intended behavior. log_not_found off; } ## Trying to access private files directly returns a 404. location ^~ /sites/default/files/private/ { internal; } ## Support for the file_force module ## http://drupal.org/project/file_force. location ^~ /system/files_force/ { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## If proxying to apache comment the two lines above and ## uncomment the line below. #proxy_pass http://phpapache/index.php?q=$no_slash_uri; #proxy_set_header Connection ''; ## For not signaling a 404 in the error log whenever the ## system/files directory is accessed add the line below. ## Note that the 404 is the intended behavior. log_not_found off; } ## If accessing an image generated by Drupal 6 imagecache, serve it ## directly if available, if not relay the request to Drupal to (re)generate ## the image. location ~* /imagecache/ { ## Image hotlinking protection. If you want hotlinking ## protection for your images uncomment the following line. #include apps/drupal/hotlinking_protection.conf; access_log off; expires 30d; try_files $escaped_uri @drupal; } ## Drupal 7 generated image handling, i.e., imagecache in core. See: ## http://drupal.org/node/371374. location ~* /files/styles/ { ## Image hotlinking protection. If you want hotlinking ## protection for your images uncomment the following line. #include apps/drupal/hotlinking_protection.conf; access_log off; expires 30d; try_files $escaped_uri @drupal; } ## Advanced Aggregation module CSS ## support. http://drupal.org/project/advagg. location ^~ /sites/default/files/advagg_css/ { expires max; add_header ETag ''; add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; add_header Accept-Ranges ''; location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { access_log off; try_files $escaped_uri @drupal; } } ## Advanced Aggregation module JS ## support. http://drupal.org/project/advagg. location ^~ /sites/default/files/advagg_js/ { add_header Pragma ''; add_header Cache-Control 'public, max-age=946080000'; add_header Accept-Ranges ''; location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { access_log off; try_files $escaped_uri @drupal; } } ## All static files will be served directly. location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { access_log off; expires 30d; ## No need to bleed constant updates. Send the all shebang in one ## fell swoop. tcp_nodelay off; } ## PDFs and powerpoint files handling. location ~* ^.+\.(?:pdf|pptx?)$ { expires 30d; ## No need to bleed constant updates. Send the all shebang in one ## fell swoop. tcp_nodelay off; } ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. location ^~ /sites/default/files/audio/mp3 { location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { directio 4k; # for XFS ## If you're using ext3 or similar uncomment the line below and comment the above. #directio 512; # for ext3 or similar (block alignments) tcp_nopush off; aio on; output_buffers 1 2M; } } location ^~ /sites/default/files/audio/ogg { location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { directio 4k; # for XFS ## If you're using ext3 or similar uncomment the line below and comment the above. #directio 512; # for ext3 or similar (block alignments) tcp_nopush off; aio on; output_buffers 1 2M; } } ## Pseudo streaming of FLV files: ## http://wiki.nginx.org/HttpFlvStreamModule. ## If pseudo streaming isn't working, try to comment ## out in nginx.conf line with: ## add_header X-Frame-Options SAMEORIGIN; location ^~ /sites/default/files/video/flv { location ~* ^/sites/default/files/video/flv/.*\.flv$ { flv; } } ## Pseudo streaming of H264/AAC files. This requires an Nginx ## version greater or equal to 1.0.7 for the stable branch and ## greater or equal to 1.1.3 for the development branch. ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. location ^~ /sites/default/files/video/mp4 { # videos location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { mp4; mp4_buffer_size 1M; mp4_max_buffer_size 5M; } } location ^~ /sites/default/files/audio/m4a { # audios location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { mp4; mp4_buffer_size 1M; mp4_max_buffer_size 5M; } } ## Advanced Help module makes each module provided README available. location ^~ /help/ { location ~* ^/help/[^/]*/README\.txt$ { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## If proxying to apache comment the two lines above and ## uncomment the line below. #proxy_pass http://phpapache/index.php?q=$escaped_uri; #proxy_set_header Connection ''; } } ## Replicate the Apache directive of Drupal standard ## .htaccess. Disable access to any code files. Return a 404 to curtail ## information disclosure. Hide also the text files. location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { return 404; } ## First we try the URI and relay to the @cache if not found. try_files $escaped_uri @cache; } ## We define a named location for the cache. location @cache { ## Boost compresses can the pages so we check it. Comment it out ## if you don't have it enabled in Boost. gzip_static on; ## Error page handler for the case where $no_cache is 1. POST ## request or authenticated. error_page 418 = @drupal; ## If $no_cache is 1 then it means that either we have a session ## cookie or that the request method is POST. So serve the dynamic ## page. if ($no_cache) { return 418; # I'm a teapot/I can't get no cachifaction } ## No caching for POST requests. if ($request_method = POST) { return 418; } # Now for some header tweaking. We use a date that differs # from stock Drupal. Everyone seems to be using their # birthdate. Why go against the grain? add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT"; # We bypass all delays in the post-check and pre-check # parameters of Cache-Control. Both set to 0. add_header Cache-Control "must-revalidate, post-check=0, pre-check=0"; # Funny...perhaps. Egocentric? Damn right!; add_header X-Header "Boost Helás Avril 1.0"; ## Boost doesn't set a charset. charset utf-8; # We try each boost URI in succession, if every one of them # fails then relay to Drupal. try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$escaped_uri.html /cache/$host/0${uri}/index.html @drupal; } ########### Security measures ########## ## Uncomment the line below if you want to enable basic auth for ## access to all /admin URIs. Note that this provides much better ## protection if use HTTPS. Since it can easily be eavesdropped if you ## use HTTP. #include apps/drupal/admin_basic_auth.conf; ## Restrict access to the strictly necessary PHP files. Reducing the ## scope for exploits. Handling of PHP code and the Drupal event loop. location @drupal { ## Include the FastCGI config. include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## FCGI microcache for authenticated users also. include apps/drupal/microcache_fcgi_auth.conf; ## To use Apache for serving PHP uncomment the line bellow and ## comment out the above. #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args; #proxy_set_header Connection ''; ## Proxy microcache for authenticated users also. #include apps/drupal/microcache_proxy_auth.conf; ## Filefield Upload progress ## http://drupal.org/project/filefield_nginx_progress support ## through the NginxUploadProgress modules. track_uploads uploads 60s; } location @drupal-no-args { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_no_args_drupal.conf; fastcgi_pass phpcgi; ## FCGI microcache for authenticated users also. include apps/drupal/microcache_fcgi_auth.conf; ## If proxying to apache comment the two lines above and ## uncomment the line below. #proxy_pass http://phpapache/index.php?q=$escaped_uri; #proxy_set_header Connection ''; ## Proxy microcache for authenticated users also. #include apps/drupal/microcache_proxy_auth.conf; } ## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return ## 404 as not to disclose information. location ^~ /.bzr { return 404; } location ^~ /.git { return 404; } location ^~ /.hg { return 404; } location ^~ /.svn { return 404; } location ^~ /.cvs { return 404; } ## Disallow access to patches directory. location ^~ /patches { return 404; } ## Disallow access to drush backup directory. location ^~ /backup { return 404; } ## Disable access logs for robots.txt. location = /robots.txt { access_log off; ## Add support for the robotstxt module ## http://drupal.org/project/robotstxt. try_files $uri @drupal-no-args; } ## RSS feed support. location = /rss.xml { try_files $escaped_uri @drupal-no-args; } ## XML Sitemap support. location = /sitemap.xml { try_files $escaped_uri @drupal-no-args; } ## Support for favicon. Return an 1x1 transparent GIF if it doesn't ## exist. location = /favicon.ico { expires 30d; try_files /favicon.ico @empty; } ## Return an in memory 1x1 transparent GIF. location @empty { expires 30d; empty_gif; } ## Any other attempt to access PHP files returns a 404. location ~* ^.+\.php$ { return 404; } ## Boost stats. location = /boost_stats.php { fastcgi_pass phpcgi; ## To use Apache for serving PHP uncomment the line bellow and ## comment out the above. #proxy_pass http://phpapache; #proxy_set_header Connection ''; }