drupal.conf (11459B)
# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
### Nginx configuration for Drupal. This configuration makes use of
### drush (http://drupal.org/project/drush) for site maintenance
### and like tasks:
###
###    1. Run the cronjobs.
###    2. Run the DB and code updates: drush up or drush upc followed by
###       drush updb to run any DB updates required by the code upgrades
###       that were performed.
###    3. Disabling of xmlrpc.php, install.php (needed only for
###       installing the site) and update.php: all updates are now
###       handled through drush. (The catch-all .php location at the
###       end of this file returns a 404 for them.)

## The 'default' location.
location / {

    ## Letting Drupal handle 404s can impact performance. If using a
    ## module like search404 then 404s *have* to be handled by Drupal.
    ## Uncomment to relay the handling of 404s to Drupal.
    ## error_page 404 /index.php;

    ## Using a nested location is the 'correct' way to use regexes.

    ## Regular private file serving (i.e. handled by Drupal). The '^~'
    ## modifier stops regex matching, so every request under this
    ## prefix is passed to the backend instead of being served from disk.
    location ^~ /system/files/ {
        ## Include the specific FastCGI configuration. This is for a
        ## FCGI backend like php-cgi or php-fpm.
        include apps/drupal/fastcgi_drupal.conf;
        fastcgi_pass phpcgi;

        ## If proxying to apache comment the two lines above and
        ## uncomment the two lines below.
        #proxy_pass http://phpapache/index.php?q=$uri;
        #proxy_set_header Connection '';

        ## For not signaling a 404 in the error log whenever the
        ## system/files directory is accessed add the line below.
        ## Note that the 404 is the intended behavior.
        log_not_found off;
    }

    ## Trying to access private files directly returns a 404:
    ## 'internal' restricts this location to internal requests.
    ## NOTE(review): only the literal path under sites/default is
    ## covered. A private files directory configured elsewhere (for
    ## example another site directory in a multisite setup) needs its
    ## own location -- confirm against the site's file system settings.
    location ^~ /sites/default/files/private/ {
        internal;
    }

    ## Support for the file_force module
    ## http://drupal.org/project/file_force.
    location ^~ /system/files_force/ {
        ## Include the specific FastCGI configuration. This is for a
        ## FCGI backend like php-cgi or php-fpm.
        include apps/drupal/fastcgi_drupal.conf;
        fastcgi_pass phpcgi;

        ## If proxying to apache comment the two lines above and
        ## uncomment the two lines below.
        #proxy_pass http://phpapache/index.php?q=$uri;
        #proxy_set_header Connection '';

        ## For not signaling a 404 in the error log whenever the
        ## system/files_force path is accessed add the line below.
        ## Note that the 404 is the intended behavior.
        log_not_found off;
    }

    ## If accessing an image generated by Drupal 6 imagecache, serve it
    ## directly if available, if not relay the request to Drupal to (re)generate
    ## the image.
    ## NOTE(review): the regex is unanchored, so it matches '/imagecache/'
    ## anywhere in the URI, and try_files serves any existing file on
    ## such a path whatever its extension.
    location ~* /imagecache/ {
        ## Image hotlinking protection. If you want hotlinking
        ## protection for your images uncomment the following line.
        #include apps/drupal/hotlinking_protection.conf;

        access_log off;
        expires 30d;
        try_files $uri @drupal;
    }

    ## Drupal 7 generated image handling, i.e., imagecache in core. See:
    ## http://drupal.org/node/371374.
    ## NOTE(review): unanchored regex, same caveat as the imagecache
    ## location above.
    location ~* /files/styles/ {
        ## Image hotlinking protection. If you want hotlinking
        ## protection for your images uncomment the following line.
        #include apps/drupal/hotlinking_protection.conf;

        access_log off;
        expires 30d;
        try_files $uri @drupal;
    }

    ## Advanced Aggregation module CSS
    ## support. http://drupal.org/project/advagg.
    ## NOTE(review): nginx inherits add_header directives from the
    ## enclosing level only when the current level defines none, so the
    ## add_header lines here replace any set at the http/server level
    ## (e.g. the X-Frame-Options header mentioned further down for
    ## nginx.conf) for responses from this location -- confirm that is
    ## acceptable.
    location ^~ /sites/default/files/advagg_css/ {
        expires max;
        add_header ETag '';
        add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
        add_header Accept-Ranges '';

        location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
            access_log off;
            try_files $uri @drupal;
        }
    }

    ## Advanced Aggregation module JS
    ## support. http://drupal.org/project/advagg.
    ## NOTE(review): same add_header inheritance caveat as the
    ## advagg_css location above.
    location ^~ /sites/default/files/advagg_js/ {
        expires max;
        add_header ETag '';
        add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
        add_header Accept-Ranges '';

        location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
            access_log off;
            try_files $uri @drupal;
        }
    }

    ## All static files will be served directly.
    location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {

        access_log off;
        expires 30d;
        ## No need to bleed constant updates. Send the whole shebang in one
        ## fell swoop.
        tcp_nodelay off;
        ## Cache open file descriptors and file metadata for frequently
        ## requested files.
        open_file_cache max=3000 inactive=120s;
        open_file_cache_valid 45s;
        open_file_cache_min_uses 2;
        open_file_cache_errors off;
    }

    ## PDFs and powerpoint files handling.
    location ~* ^.+\.(?:pdf|pptx?)$ {
        expires 30d;
        ## No need to bleed constant updates. Send the whole shebang in one
        ## fell swoop.
        tcp_nodelay off;
    }

    ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
    ## (The 'aio on' lines below are commented out by default.)
    location ^~ /sites/default/files/audio/mp3 {
        location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
            directio 4k; # for XFS
            ## If you're using ext3 or similar uncomment the line below and comment the above.
            #directio 512; # for ext3 or similar (block alignments)
            tcp_nopush off;
            # aio on;
            output_buffers 1 2M;
        }
    }

    location ^~ /sites/default/files/audio/ogg {
        location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
            directio 4k; # for XFS
            ## If you're using ext3 or similar uncomment the line below and comment the above.
            #directio 512; # for ext3 or similar (block alignments)
            tcp_nopush off;
            # aio on;
            output_buffers 1 2M;
        }
    }

    ## Pseudo streaming of FLV files:
    ## http://wiki.nginx.org/HttpFlvStreamModule.
    ## If pseudo streaming isn't working, try commenting out the
    ## following line in nginx.conf:
    ## add_header X-Frame-Options SAMEORIGIN;
    ## NOTE(review): commenting it out in nginx.conf removes the header
    ## from every response that inherits it, not only from FLV files.
    location ^~ /sites/default/files/video/flv {
        location ~* ^/sites/default/files/video/flv/.*\.flv$ {
            # flv;
        }
    }

    ## Pseudo streaming of H264/AAC files. This requires an Nginx
    ## version greater than or equal to 1.0.7 for the stable branch and
    ## greater than or equal to 1.1.3 for the development branch.
    ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
    location ^~ /sites/default/files/video/mp4 { # videos
        location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
            # mp4;
            # mp4_buffer_size 1M;
            # mp4_max_buffer_size 5M;
        }
    }

    location ^~ /sites/default/files/audio/m4a { # audios
        location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
            # mp4;
            # mp4_buffer_size 1M;
            # mp4_max_buffer_size 5M;
        }
    }

    ## Advanced Help module makes each module provided README available.
    ## The '^~' prefix keeps these URIs away from the code/text file
    ## deny rule below; only <module>/README.txt is passed to the backend.
    location ^~ /help/ {
        location ~* ^/help/[^/]*/README\.txt$ {
            ## Include the specific FastCGI configuration. This is for a
            ## FCGI backend like php-cgi or php-fpm.
            include apps/drupal/fastcgi_drupal.conf;
            fastcgi_pass phpcgi;

            ## If proxying to apache comment the two lines above and
            ## uncomment the two lines below.
            #proxy_pass http://phpapache/index.php?q=$uri;
            #proxy_set_header Connection '';
        }
    }

    ## Replicate the Apache <FilesMatch> directive of Drupal standard
    ## .htaccess. Disable access to any code files. Return a 404 to curtail
    ## information disclosure. Hide also the text files.
    ## NOTE(review): regex locations are tested in order of appearance
    ## and the first match wins, so this rule only applies to URIs that
    ## none of the regex locations above has already matched.
    location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
        return 404;
    }

    ## First we try the URI and relay to the /index.php?q=$uri&$args if not found.
    try_files $uri @drupal;
}

########### Security measures ##########

## Uncomment the line below if you want to enable basic auth for
## access to all /admin URIs. Note that this provides much better
## protection if you use HTTPS, since basic auth credentials can
## easily be eavesdropped if you use HTTP.
#include apps/drupal/admin_basic_auth.conf;

## Restrict access to the strictly necessary PHP files, reducing the
## scope for exploits. Handling of PHP code and the Drupal event loop.
## This is a named location: it is reached only through the try_files
## fallbacks in this file, never directly by a request URI.
location @drupal {
    ## Include the FastCGI config.
    include apps/drupal/fastcgi_drupal.conf;
    fastcgi_pass phpcgi;

    ## FastCGI microcache.
    # include apps/drupal/microcache_fcgi.conf;
    ## FCGI microcache for authenticated users also.
    #include apps/drupal/microcache_fcgi_auth.conf;

    ## If proxying to apache comment the FastCGI include and
    ## fastcgi_pass lines above and uncomment the two lines below.
    #proxy_pass http://phpapache/index.php?q=$uri;
    #proxy_set_header Connection '';

    ## Proxy microcache.
    #include apps/drupal/microcache_proxy.conf;
    ## Proxy microcache for authenticated users also.
    #include apps/drupal/microcache_proxy_auth.conf;

    ## Filefield Upload progress
    ## http://drupal.org/project/filefield_nginx_progress support
    ## through the NginxUploadProgress modules.
    # track_uploads uploads 60s;
}

## Same as @drupal but using the 'no args' FastCGI configuration. Used
## below for robots.txt, rss.xml and sitemap.xml.
location @drupal-no-args {
    ## Include the specific FastCGI configuration. This is for a
    ## FCGI backend like php-cgi or php-fpm.
    include apps/drupal/fastcgi_no_args_drupal.conf;
    fastcgi_pass phpcgi;

    ## FastCGI microcache.
    # include apps/drupal/microcache_fcgi.conf;
    ## FCGI microcache for authenticated users also.
    #include apps/drupal/microcache_fcgi_auth.conf;

    ## If proxying to apache comment the FastCGI include and
    ## fastcgi_pass lines above and uncomment the two lines below.
    #proxy_pass http://phpapache/index.php?q=$uri;
    #proxy_set_header Connection '';

    ## Proxy microcache.
    #include apps/drupal/microcache_proxy.conf;
    ## Proxy microcache for authenticated users also.
    #include apps/drupal/microcache_proxy_auth.conf;
}

## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
## 404 so as not to disclose information.
## NOTE(review): these are prefix matches anchored at the URI root, so
## they also cover names such as /.gitignore but do NOT cover VCS
## metadata in subdirectories (e.g. a module directory that is itself
## a checkout). Such paths fall through to 'location /' and would need
## a dedicated rule there.
location ^~ /.bzr {
    return 404;
}

location ^~ /.git {
    return 404;
}

location ^~ /.hg {
    return 404;
}

location ^~ /.svn {
    return 404;
}

location ^~ /.cvs {
    return 404;
}

## Disallow access to patches directory.
location ^~ /patches {
    return 404;
}

## Disallow access to drush backup directory.
location ^~ /backup {
    return 404;
}

## Disable access logs for robots.txt.
location = /robots.txt {
    access_log off;
    ## Add support for the robotstxt module
    ## http://drupal.org/project/robotstxt.
    try_files $uri @drupal-no-args;
}

## RSS feed support.
location = /rss.xml {
    try_files $uri @drupal-no-args;
}

## XML Sitemap support.
location = /sitemap.xml {
    try_files $uri @drupal-no-args;
}

## Support for favicon. Return a 1x1 transparent GIF if it doesn't
## exist.
location = /favicon.ico {
    expires 30d;
    try_files /favicon.ico @empty;
}

## Return an in memory 1x1 transparent GIF.
location @empty {
    expires 30d;
    empty_gif;
}

## Any other attempt to access PHP files returns a 404. PHP is only
## ever executed through the locations above that pass to the backend.
location ~* ^.+\.php$ {
    return 404;
}