# -*- mode: nginx; mode: flyspell-prog;  ispell-local-dictionary: "american" -*-
### Nginx configuration for Drupal. This configuration makes use of
### drush (http://drupal.org/project/drush) for site maintenance
### and like tasks:
###
### 1. Run the cronjobs.
### 2. Run the DB and code updates: drush up or drush upc followed by
###    drush updb to run any DB updates required by the code upgrades
###    that were performed.
### 3. Disabling of xmlrpc.xml, install.php (needed only for
###    installing the site) and update.php: all updates are now
###    handled through drush.

## To avoid the ugly rewrite we use Lua to escape the URI.
## $escaped_uri is the percent-encoded form of $uri (ngx.escape_uri). It
## is the path the try_files directives below test on disk, and the value
## the commented-out proxy_pass alternatives place in the q= parameter.
set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)';

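## The 'default' location. Requests not claimed by one of the server-level
## locations further down (the exact-match robots.txt/rss.xml/sitemap.xml/
## favicon.ico locations, the version-control and .php denies) land here,
## are dispatched by the nested locations and finally fall back to @drupal.
location / {

    ## Letting Drupal handle 404s can impact performance. If using a
    ## module like search404 then 404's *have* to be handled by Drupal.
    ## Uncomment to relay the handling of 404's to Drupal.
    ## error_page 404 /index.php;

    ## Using a nested location is the 'correct' way to use regexes.

    ## Regular private file serving (i.e. handled by Drupal).
    location ^~ /system/files/ {
        ## Include the specific FastCGI configuration. This is for a
        ## FCGI backend like php-cgi or php-fpm.
        include apps/drupal/fastcgi_drupal.conf;
        fastcgi_pass phpcgi;

        ## If proxying to apache comment the two lines above and
        ## uncomment the two lines below.
        #proxy_pass http://phpapache/index.php?q=$escaped_uri;
        #proxy_set_header Connection '';

        ## For not signaling a 404 in the error log whenever the
        ## system/files directory is accessed add the line below.
        ## Note that the 404 is the intended behavior.
        log_not_found off;
    }

    ## Trying to access private files directly returns a 404
    ## ('internal' rejects any request that did not originate from an
    ## internal redirect).
    location ^~ /sites/default/files/private/ {
        internal;
    }

    ## Support for the file_force module
    ## http://drupal.org/project/file_force.
    location ^~ /system/files_force/ {
        ## Include the specific FastCGI configuration. This is for a
        ## FCGI backend like php-cgi or php-fpm.
        include apps/drupal/fastcgi_drupal.conf;
        fastcgi_pass phpcgi;

        ## If proxying to apache comment the two lines above and
        ## uncomment the two lines below. Like every other proxy_pass
        ## alternative in this file, the query uses $escaped_uri (the
        ## only escaped-URI variable this configuration defines).
        #proxy_pass http://phpapache/index.php?q=$escaped_uri;
        #proxy_set_header Connection '';

        ## For not signaling a 404 in the error log whenever the
        ## system/files directory is accessed add the line below.
        ## Note that the 404 is the intended behavior.
        log_not_found off;
    }

    ## If accessing an image generated by Drupal 6 imagecache, serve it
    ## directly if available, if not relay the request to Drupal to (re)generate
    ## the image.
    ## NOTE(review): nested regex locations are tried in order of
    ## appearance, so this location (and the /files/styles/ and advagg
    ## ones that follow) serve any existing file under a matching path
    ## regardless of its extension, before the code-file deny location
    ## further down is consulted. Confirm that is acceptable for the
    ## upload directories in question.
    location ~* /imagecache/ {
        ## Image hotlinking protection. If you want hotlinking
        ## protection for your images uncomment the following line.
        #include apps/drupal/hotlinking_protection.conf;

        access_log off;
        expires 30d;
        try_files $escaped_uri @drupal;
    }

    ## Drupal 7 generated image handling, i.e., imagecache in core. See:
    ## http://drupal.org/node/371374.
    location ~* /files/styles/ {
        ## Image hotlinking protection. If you want hotlinking
        ## protection for your images uncomment the following line.
        #include apps/drupal/hotlinking_protection.conf;

        access_log off;
        expires 30d;
        try_files $escaped_uri @drupal;
    }

    ## Advanced Aggregation module CSS
    ## support. http://drupal.org/project/advagg.
    location ^~ /sites/default/files/advagg_css/ {
        expires max;
        add_header ETag '';
        add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
        add_header Accept-Ranges '';

        location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
            access_log off;
            try_files $escaped_uri @drupal;
        }
    }

    ## Advanced Aggregation module JS
    ## support. http://drupal.org/project/advagg.
    location ^~ /sites/default/files/advagg_js/ {
        expires max;
        add_header ETag '';
        add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
        add_header Accept-Ranges '';

        location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
            access_log off;
            try_files $escaped_uri @drupal;
        }
    }

    ## All static files will be served directly.
    location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
        access_log off;
        expires 30d;
        ## No need to bleed constant updates. Send the whole shebang in one
        ## fell swoop.
        tcp_nodelay off;
        ## Set the OS file cache.
        open_file_cache max=3000 inactive=120s;
        open_file_cache_valid 45s;
        open_file_cache_min_uses 2;
        open_file_cache_errors off;
    }

    ## PDFs and powerpoint files handling.
    location ~* ^.+\.(?:pdf|pptx?)$ {
        expires 30d;
        ## No need to bleed constant updates. Send the whole shebang in one
        ## fell swoop.
        tcp_nodelay off;
    }

    ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
    location ^~ /sites/default/files/audio/mp3 {
        location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
            directio 4k; # for XFS
            ## If you're using ext3 or similar uncomment the line below and comment the above.
            #directio 512; # for ext3 or similar (block alignments)
            tcp_nopush off;
            aio on;
            output_buffers 1 2M;
        }
    }

    location ^~ /sites/default/files/audio/ogg {
        location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
            directio 4k; # for XFS
            ## If you're using ext3 or similar uncomment the line below and comment the above.
            #directio 512; # for ext3 or similar (block alignments)
            tcp_nopush off;
            aio on;
            output_buffers 1 2M;
        }
    }

    ## Pseudo streaming of FLV files:
    ## http://wiki.nginx.org/HttpFlvStreamModule.
    ## If pseudo streaming isn't working, try to comment
    ## out in nginx.conf the line with:
    ## add_header X-Frame-Options SAMEORIGIN;
    location ^~ /sites/default/files/video/flv {
        location ~* ^/sites/default/files/video/flv/.*\.flv$ {
            flv;
        }
    }

    ## Pseudo streaming of H264/AAC files. This requires an Nginx
    ## version greater or equal to 1.0.7 for the stable branch and
    ## greater or equal to 1.1.3 for the development branch.
    ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
    location ^~ /sites/default/files/video/mp4 { # videos
        location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
            mp4;
            mp4_buffer_size 1M;
            mp4_max_buffer_size 5M;
        }
    }

    location ^~ /sites/default/files/audio/m4a { # audios
        location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
            mp4;
            mp4_buffer_size 1M;
            mp4_max_buffer_size 5M;
        }
    }

    ## Advanced Help module makes each module's README.txt available.
    ## This prefix location takes precedence over the .txt deny below.
    location ^~ /help/ {
        location ~* ^/help/[^/]*/README\.txt$ {
            ## Include the specific FastCGI configuration. This is for a
            ## FCGI backend like php-cgi or php-fpm.
            include apps/drupal/fastcgi_drupal.conf;
            fastcgi_pass phpcgi;

            ## If proxying to apache comment the two lines above and
            ## uncomment the line below.
            #proxy_pass http://phpapache/index.php?q=$escaped_uri;
        }
    }

    ## Replicate the Apache <FilesMatch> directive of Drupal's standard
    ## .htaccess. Disable access to any code files. Return a 404 to curtail
    ## information disclosure. Hide also the text files.
    ## The regex is anchored at ^, so the CVS/SVN bookkeeping names
    ## (Entries*, Repository, Root, Tag, Template) and code-style.pl are
    ## prefixed with .*/ to be denied at any depth in the path; without it
    ## they were only denied directly under the site root, and
    ## code-style.pl (which had no leading slash at all) was never matched.
    location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|.*/(?:code-style\.pl|Entries.*|Repository|Root|Tag|Template))$ {
        return 404;
    }

    ## First we try the URI and relay to the /index.php?q=$escaped_uri&$args if not found.
    ## NOTE(review): $escaped_uri is the percent-encoded URI, and that is
    ## the path try_files tests against the filesystem; on-disk names
    ## containing characters ngx.escape_uri encodes may therefore fall
    ## through to @drupal rather than being served directly. Confirm this
    ## is the intended trade-off of the escaped variant.
    try_files $escaped_uri @drupal;
}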

########### Security measures ##########

## Uncomment the line below if you want to enable basic auth for
## access to all /admin URIs. Note that this provides much better
## protection if you use HTTPS, since it can easily be eavesdropped if
## you use HTTP.
#include apps/drupal/admin_basic_auth.conf;

## Restrict access to the strictly necessary PHP files, reducing the
## scope for exploits. Handling of PHP code and the Drupal event loop.
## Named location used as the fallback of the try_files directives in
## 'location /' above; it is not reachable by a direct request.
location @drupal {
    ## Include the FastCGI config.
    include apps/drupal/fastcgi_drupal.conf;
    fastcgi_pass phpcgi;

    ## FastCGI microcache.
    include apps/drupal/microcache_fcgi.conf;
    ## FCGI microcache for authenticated users also.
    #include apps/drupal/microcache_fcgi_auth.conf;

    ## To use Apache for serving PHP uncomment the two lines below and
    ## comment out the above. Note the &$args: unlike @drupal-no-args,
    ## this location forwards the request's query string.
    #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args;
    #proxy_set_header Connection '';
    ## Proxy microcache.
    #include apps/drupal/microcache_proxy.conf;
    ## Proxy microcache for authenticated users also.
    #include apps/drupal/microcache_proxy_auth.conf;

    ## Filefield Upload progress
    ## http://drupal.org/project/filefield_nginx_progress support
    ## through the NginxUploadProgress modules.
    track_uploads uploads 60s;
}

## Variant of @drupal used by the robots.txt, rss.xml and sitemap.xml
## locations below. It differs from @drupal in three visible ways: it
## includes fastcgi_no_args_drupal.conf instead of fastcgi_drupal.conf,
## its proxy alternative omits the &$args suffix, and it does not enable
## track_uploads.
location @drupal-no-args {
    ## Include the specific FastCGI configuration. This is for a
    ## FCGI backend like php-cgi or php-fpm.
    include apps/drupal/fastcgi_no_args_drupal.conf;
    fastcgi_pass phpcgi;

    ## FastCGI microcache.
    include apps/drupal/microcache_fcgi.conf;
    ## FCGI microcache for authenticated users also.
    #include apps/drupal/microcache_fcgi_auth.conf;

    ## If proxying to apache comment the two lines above and
    ## uncomment the two lines below.
    #proxy_pass http://phpapache/index.php?q=$escaped_uri;
    #proxy_set_header Connection '';

    ## Proxy microcache.
    #include apps/drupal/microcache_proxy.conf;
    ## Proxy microcache for authenticated users also.
    #include apps/drupal/microcache_proxy_auth.conf;
}

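## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
## 404 so as not to disclose information.
## A single regex is used instead of one '^~ /.git'-style prefix per
## system: a prefix location only covers the directory directly under the
## site root, whereas a module or theme deployed from version control
## carries its own nested metadata directory (for example a .git/ inside
## the module's directory), whose contents the old prefixes let through to
## the try_files fallback. The regex matches the same root-level paths the
## prefixes did (including names such as /.gitignore) plus the nested ones.
location ~ /\.(?:bzr|git|hg|svn|cvs) {
    return 404;
}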

## Disallow access to patches directory.
## Prefix match: only /patches at the site root is covered.
location ^~ /patches {
    return 404;
}

## Disallow access to drush backup directory.
## Prefix match: only /backup at the site root is covered.
location ^~ /backup {
    return 404;
}

## Disable access logs for robots.txt.
## This exact-match location also keeps robots.txt out of the .txt deny
## inside 'location /'.
location = /robots.txt {
    access_log off;
    ## Add support for the robotstxt module
    ## http://drupal.org/project/robotstxt.
    ## $uri is used rather than $escaped_uri; for this exact-match
    ## location the two are identical, as '/robots.txt' has nothing to
    ## escape.
    try_files $uri @drupal-no-args;
}

## RSS feed support. Serve a static /rss.xml if present, otherwise let
## Drupal generate the feed without forwarding the query string.
location = /rss.xml {
    try_files $escaped_uri @drupal-no-args;
}

## XML Sitemap support. Serve a static /sitemap.xml if present, otherwise
## let Drupal generate it without forwarding the query string.
location = /sitemap.xml {
    try_files $escaped_uri @drupal-no-args;
}

## Support for favicon. Return a 1x1 transparent GIF if it doesn't
## exist (via the @empty named location).
location = /favicon.ico {
    expires 30d;
    try_files /favicon.ico @empty;
}

## Return an in-memory 1x1 transparent GIF (empty_gif module). Named
## location, reachable only as the favicon fallback above.
location @empty {
    expires 30d;
    empty_gif;
}

## Any other attempt to access PHP files returns a 404.
## This is a server-level regex location, so it is selected before the
## 'location /' prefix block (and its nested locations) is entered; a
## .php file under e.g. the public files directory is therefore denied
## here rather than served or executed. PHP is only ever reached through
## the @drupal and @drupal-no-args named locations above.
location ~* ^.+\.php$ {
    return 404;
}