drupal_escaped.conf (11611B)
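# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
### Nginx configuration for Drupal. This configuration makes use of
### drush (http://drupal.org/project/drush) for site maintenance
### and like tasks:
###
### 1. Run the cronjobs.
### 2. Run the DB and code updates: drush up or drush upc followed by
###    drush updb to run any DB updates required by the code upgrades
###    that were performed.
### 3. Disabling of xmlrpc.xml, install.php (needed only for
###    installing the site) and update.php: all updates are now
###    handled through drush.

## To avoid the ugly rewrite we use Lua to escape the URI.
## NOTE(review): $escaped_uri is the percent-encoded form of $uri. The
## commented proxy_pass examples pass it as the q= argument; try_files,
## by contrast, tests its arguments as filesystem paths. Confirm that
## the try_files lines below still find files on disk with the encoded
## value (the robots.txt location further down uses plain $uri).
set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)';

## The 'default' location.
location / {

    ## Drupal 404 handling can impact performance. If using a module like
    ## search404 then 404's *have* to be handled by Drupal. Uncomment to
    ## relay the handling of 404's to Drupal.
    ## error_page 404 /index.php;

    ## Using a nested location is the 'correct' way to use regexes.

    ## Regular private file serving (i.e. handled by Drupal).
    location ^~ /system/files/ {
        ## Include the specific FastCGI configuration. This is for a
        ## FCGI backend like php-cgi or php-fpm.
        include apps/drupal/fastcgi_drupal.conf;
        fastcgi_pass phpcgi;

        ## If proxying to apache comment the two lines above and
        ## uncomment the line below.
        #proxy_pass http://phpapache/index.php?q=$escaped_uri;
        #proxy_set_header Connection '';

        ## For not signaling a 404 in the error log whenever the
        ## system/files directory is accessed add the line below.
        ## Note that the 404 is the intended behavior.
        log_not_found off;
    }

    ## Trying to access private files directly returns a 404: 'internal'
    ## limits this location to internal requests.
    ## NOTE(review): only the sites/default private directory is listed
    ## here; a private files directory kept elsewhere under the document
    ## root needs its own location like this one.
    location ^~ /sites/default/files/private/ {
        internal;
    }

    ## Support for the file_force module
    ## http://drupal.org/project/file_force.
    location ^~ /system/files_force/ {
        ## Include the specific FastCGI configuration. This is for a
        ## FCGI backend like php-cgi or php-fpm.
        include apps/drupal/fastcgi_drupal.conf;
        fastcgi_pass phpcgi;

        ## If proxying to apache comment the two lines above and
        ## uncomment the line below.
        ## NOTE(review): $no_slash_uri is not set anywhere in this file;
        ## the other proxy_pass examples here use $escaped_uri. Confirm
        ## which variable is intended before uncommenting.
        #proxy_pass http://phpapache/index.php?q=$no_slash_uri;
        #proxy_set_header Connection '';

        ## For not signaling a 404 in the error log whenever the
        ## system/files_force directory is accessed add the line below.
        ## Note that the 404 is the intended behavior.
        log_not_found off;
    }

    ## Replicate the Apache <FilesMatch> directive of Drupal standard
    ## .htaccess. Disable access to any code files. Return a 404 to curtail
    ## information disclosure. Hide also the text files.
    ##
    ## Nginx tests regex locations in the order they appear and stops at
    ## the first match, so this deny rule is kept ahead of every other
    ## regex location in this block. The /imagecache/ and /files/styles/
    ## patterns below are unanchored; placed before this rule they would
    ## take any URI containing those segments, whatever its extension.
    location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
        return 404;
    }

    ## If accessing an image generated by Drupal 6 imagecache, serve it
    ## directly if available, if not relay the request to Drupal to (re)generate
    ## the image.
    location ~* /imagecache/ {
        ## Image hotlinking protection. If you want hotlinking
        ## protection for your images uncomment the following line.
        #include apps/drupal/hotlinking_protection.conf;

        access_log off;
        expires 30d;
        try_files $escaped_uri @drupal;
    }

    ## Drupal 7 generated image handling, i.e., imagecache in core. See:
    ## http://drupal.org/node/371374.
    location ~* /files/styles/ {
        ## Image hotlinking protection. If you want hotlinking
        ## protection for your images uncomment the following line.
        #include apps/drupal/hotlinking_protection.conf;

        access_log off;
        expires 30d;
        try_files $escaped_uri @drupal;
    }

    ## Advanced Aggregation module CSS
    ## support. http://drupal.org/project/advagg.
    location ^~ /sites/default/files/advagg_css/ {
        expires max;
        add_header ETag '';
        add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
        add_header Accept-Ranges '';

        location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
            access_log off;
            try_files $escaped_uri @drupal;
        }
    }

    ## Advanced Aggregation module JS
    ## support. http://drupal.org/project/advagg.
    location ^~ /sites/default/files/advagg_js/ {
        expires max;
        add_header ETag '';
        add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
        add_header Accept-Ranges '';

        location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
            access_log off;
            try_files $escaped_uri @drupal;
        }
    }

    ## All static files will be served directly.
    location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
        access_log off;
        expires 30d;
        ## No need to bleed constant updates. Send the whole shebang in one
        ## fell swoop.
        tcp_nodelay off;
        ## Set the OS file cache.
        open_file_cache max=3000 inactive=120s;
        open_file_cache_valid 45s;
        open_file_cache_min_uses 2;
        open_file_cache_errors off;
    }

    ## PDFs and powerpoint files handling.
    location ~* ^.+\.(?:pdf|pptx?)$ {
        expires 30d;
        ## No need to bleed constant updates. Send the whole shebang in one
        ## fell swoop.
        tcp_nodelay off;
    }

    ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
    location ^~ /sites/default/files/audio/mp3 {
        location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
            directio 4k; # for XFS
            ## If you're using ext3 or similar uncomment the line below and comment the above.
            #directio 512; # for ext3 or similar (block alignments)
            tcp_nopush off;
            aio on;
            output_buffers 1 2M;
        }
    }

    location ^~ /sites/default/files/audio/ogg {
        location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
            directio 4k; # for XFS
            ## If you're using ext3 or similar uncomment the line below and comment the above.
            #directio 512; # for ext3 or similar (block alignments)
            tcp_nopush off;
            aio on;
            output_buffers 1 2M;
        }
    }

    ## Pseudo streaming of FLV files:
    ## http://wiki.nginx.org/HttpFlvStreamModule.
    ## If pseudo streaming isn't working, try to comment
    ## out in nginx.conf line with:
    ## add_header X-Frame-Options SAMEORIGIN;
    location ^~ /sites/default/files/video/flv {
        location ~* ^/sites/default/files/video/flv/.*\.flv$ {
            flv;
        }
    }

    ## Pseudo streaming of H264/AAC files. This requires an Nginx
    ## version greater or equal to 1.0.7 for the stable branch and
    ## greater or equal to 1.1.3 for the development branch.
    ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
    location ^~ /sites/default/files/video/mp4 { # videos
        location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
            mp4;
            mp4_buffer_size 1M;
            mp4_max_buffer_size 5M;
        }
    }

    location ^~ /sites/default/files/audio/m4a { # audios
        location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
            mp4;
            mp4_buffer_size 1M;
            mp4_max_buffer_size 5M;
        }
    }

    ## Advanced Help module makes each module provided README available.
    ## The ^~ prefix keeps /help/ requests away from the other regex
    ## locations of this block, including the rule that hides .txt files.
    location ^~ /help/ {
        location ~* ^/help/[^/]*/README\.txt$ {
            ## Include the specific FastCGI configuration. This is for a
            ## FCGI backend like php-cgi or php-fpm.
            include apps/drupal/fastcgi_drupal.conf;
            fastcgi_pass phpcgi;

            ## If proxying to apache comment the two lines above and
            ## uncomment the line below.
            #proxy_pass http://phpapache/index.php?q=$escaped_uri;
        }
    }

    ## First we try the URI and relay to the /index.php?q=$escaped_uri&$args if not found.
    try_files $escaped_uri @drupal;
}

########### Security measures ##########

## Uncomment the line below if you want to enable basic auth for
## access to all /admin URIs. Note that this only offers real
## protection over HTTPS: over plain HTTP the credentials can easily
## be eavesdropped.
#include apps/drupal/admin_basic_auth.conf;

## Restrict access to the strictly necessary PHP files, reducing the
## scope for exploits. Handling of PHP code and the Drupal event loop.
location @drupal {
    ## Include the FastCGI config.
    include apps/drupal/fastcgi_drupal.conf;
    fastcgi_pass phpcgi;

    ## FastCGI microcache.
    include apps/drupal/microcache_fcgi.conf;
    ## FCGI microcache for authenticated users also.
    #include apps/drupal/microcache_fcgi_auth.conf;

    ## To use Apache for serving PHP uncomment the line below and
    ## comment out the above.
    #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args;
    #proxy_set_header Connection '';
    ## Proxy microcache.
    #include apps/drupal/microcache_proxy.conf;
    ## Proxy microcache for authenticated users also.
    #include apps/drupal/microcache_proxy_auth.conf;

    ## Filefield Upload progress
    ## http://drupal.org/project/filefield_nginx_progress support
    ## through the NginxUploadProgress modules.
    ## NOTE(review): the 'uploads' zone is not declared in this file;
    ## presumably it is set up in the main configuration - confirm.
    track_uploads uploads 60s;
}

location @drupal-no-args {
    ## Include the specific FastCGI configuration. This is for a
    ## FCGI backend like php-cgi or php-fpm.
    include apps/drupal/fastcgi_no_args_drupal.conf;
    fastcgi_pass phpcgi;

    ## FastCGI microcache.
    include apps/drupal/microcache_fcgi.conf;
    ## FCGI microcache for authenticated users also.
    #include apps/drupal/microcache_fcgi_auth.conf;

    ## If proxying to apache comment the two lines above and
    ## uncomment the line below.
    #proxy_pass http://phpapache/index.php?q=$escaped_uri;
    #proxy_set_header Connection '';

    ## Proxy microcache.
    #include apps/drupal/microcache_proxy.conf;
    ## Proxy microcache for authenticated users also.
    #include apps/drupal/microcache_proxy_auth.conf;
}

## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
## 404 as not to disclose information.
## These are prefix matches on the start of the URI, so they cover
## VCS metadata at the document root only.
## NOTE(review): a checkout nested deeper in the tree (a module or
## theme that keeps its own metadata directory) is not matched here;
## add a rule for those paths if such checkouts are deployed.
location ^~ /.bzr {
    return 404;
}

location ^~ /.git {
    return 404;
}

location ^~ /.hg {
    return 404;
}

location ^~ /.svn {
    return 404;
}

location ^~ /.cvs {
    return 404;
}

## Disallow access to patches directory.
location ^~ /patches {
    return 404;
}

## Disallow access to drush backup directory.
location ^~ /backup {
    return 404;
}

## Disable access logs for robots.txt.
location = /robots.txt {
    access_log off;
    ## Add support for the robotstxt module
    ## http://drupal.org/project/robotstxt.
    try_files $uri @drupal-no-args;
}

## RSS feed support.
location = /rss.xml {
    try_files $escaped_uri @drupal-no-args;
}

## XML Sitemap support.
location = /sitemap.xml {
    try_files $escaped_uri @drupal-no-args;
}

## Support for favicon. Return a 1x1 transparent GIF if it doesn't
## exist.
location = /favicon.ico {
    expires 30d;
    try_files /favicon.ico @empty;
}

## Return an in memory 1x1 transparent GIF.
location @empty {
    expires 30d;
    empty_gif;
}

## Any other attempt to access PHP files returns a 404.
## This is a regex location, so it is not consulted for a URI that a
## ^~ prefix location above has already claimed.
location ~* ^.+\.php$ {
    return 404;
}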