diff --git a/README.md b/README.md index 6753d59f..ccadb846 100644 --- a/README.md +++ b/README.md @@ -21,31 +21,24 @@ greater security. This configuration started life as a fork of - [yhager's](github.com/yhager/nginx_drupal) configuration, tempered - by [omega8cc](http://github.com/omega8cc/nginx-for-drupal) and - [Brian Mercer](http://test.brianmercer.com/content/nginx-configuration-drupal) - (dead link) configurations. - - I've since then changed it substantially. Tried to remove as best - as I can the traces of bad habits promoted by Apache's - configuration logic. Namely the use of a `.htaccess` and what it - entails in terms or _reverse logic_ on the server - configuration. I've incorporated tidbits and advices gotten, - mostly, from the nginx mailing list and the + [Perusio's](https://github.com/perusio/drupal-with-nginx) configuration. + + I've since then changed it somewhat. Mainly by adding or improving support for some additional Drupal modules, as well as, removing Drupal 6 branch which in the wake of Drupal 8 release, I now consider completely obsolete. + I've incorporated tidbits and advices gotten mostly, from the nginx mailing list and the [nginx Wiki](http://wiki.nginx.org). ## I'm in a hurry just show me how to install it -Jump **immediately** to the [installation](drupal-with-nginx#installation). +Jump **immediately** to the [installation](#installation). I'll read up on all other stuff **later**. ## Layout - The configuration comes in **two** flavors: +The configuration comes in **two** flavors: - 1. Drupal 6. + 1. Drupal 6. - 2. Drupal 7. + 2. Drupal 7. Furthermore there are **two** options for each configuration: 
@@ -61,7 +54,7 @@ Furthermore there are **two** options for each configuration: example aliases file `example.aliases.drushrc.php` that comes under the `examples` directory in the drush distribution. - Example: You create the aliases for example.com and example.org, + Example: You create the aliases for example.com and example.net, with aliases `@excom` and `@exnet` respectively. Your crontab should contain something like: @@ -81,6 +74,22 @@ Furthermore there are **two** options for each configuration: script. If using `drush.php` then add `php` in front of the `/path/to/drush.php`. +## Branching + +The configuration has 3 main branches: + + 1. A [D7](https://github.com/perusio/drupal-with-nginx/tree/D7) branch + if you're running **Drupal 7** sites only on a given machine **use + this branch**. + + 2. A [D6](https://github.com/perusio/drupal-with-nginx/tree/D6) branch + if you're running **Drupal 6** sites only on a given machine **use + this branch**. + + 3. A [master](https://github.com/perusio/drupal-with-nginx) branch if + you're running **both Drupal 6 and Drupal 7** sites on a given + machine **use this branch**. + ## Escaped URIs It happens that some sites have URIs that use 
@@ -106,47 +115,36 @@ version. ## Configuration Selection Algorithm 1. I'm **not** using [Boost](http://drupal.org/project/boost): - * On **drupal 7** use the `drupal.conf` config in your vhost (`server` block): `include apps/drupals/drupal.conf;`. - * On **drupal 7** having to serve URIs that need to be **escaped**, e.g., that have `+` and/or `?` then use the `drupal_escaped.conf` config in your vhost (`server` block): `include apps/drupal/drupal_escaped.conf`. - * On **drupal 6** use the `drupal6.conf` config in your vhost (`server` block): `include apps/drupals/drupal6.conf;`. - * On **drupal 6** if having to serve URIs that need to be **escaped**, e.g., that have `+` and/or `?` then use the `drupal6_escaped.conf` config in your vhost (`server` block): `include apps/drupal/drupal6_escaped.conf`. - 2. I'm using [Boost](http://drupal.org/project/boost) for caching on my drupal site. - * On **drupal 7** use the `drupal_boost.conf` config in your vhost (`server` block): `include apps/drupal/drupal_boost.conf;`. - * On **drupal 7** if having to serve URIs that need to be **escaped**, e.g., that have `+` and/or `?` then use the `drupal_boost_escaped.conf` config in your vhost (`server` block): `include apps/drupal/drupal_boost_escaped.conf`. - * On **drupal 6** use the `drupal_boost6.conf` config in your vhost (`server` block): `include apps/drupal/drupal_boost6.conf;`. - * On **drupal 6** if having to serve URIs that need to be **escaped**, e.g., that have `+` and/or `?` then use the `drupal_boost6_escaped.conf` config in your vhost (`server` block): `include apps/drupal/drupal_boost6_escaped.conf`. - 3. I'm **not using drush** for updating and running cron. Additionally you should also include the `drupal_cron_update.conf` config in your vhost (`server` block): `include apps/drupal/drupal_cron_update.conf;` - 4. I'm using **drupal 8**. Just use the drupal 7 configuration. The only thing that changes so far is the location of `install.php`. 
@@ -267,7 +265,9 @@ This is strictly a **drupal 6** issue. 20. [ETag](https://en.wikipedia.org/wiki/HTTP_ETag) support. This requires a Nginx version greater or equal to **1.3.3**. - 21. Support for drupal 8. + 21. Support for drupal 8. + + 22. Support for the [`file_force`](http:/drupal.org/project/file_force) module. ## Secure HTTP aka SSL/TLS support @@ -357,10 +357,15 @@ This is strictly a **drupal 6** issue. then accordingly change its name in drupal_boost.conf. 4. Support for - [X-Frame-Options](https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header) + [`X-Frame-Options`](https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header) HTTP header to avoid Clickjacking attacks. + + 5. Support for + [`X-Content-Options`](http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx?Redirected=true) + for avoiding MIME type deviation from the declared + `Content-Type`. - 5. Protection of the upload directory. You can try to bypass the + 6. Protection of the upload directory. You can try to bypass the UNIX `file` utility or the PHP `Fileinfo` extension and upload a fake jpeg: 
@@ -383,23 +388,25 @@ This is strictly a **drupal 6** issue. it always from within the Nginx config. You cannot access it directly from outside. - 6. Use of [Strict Transport Security](http://www.chromium.org/sts + 7. Use of [Strict Transport Security](http://www.chromium.org/sts "STS at chromium.org") for enhanced security. It forces during the specified period for the configured domain to be contacted only over HTTPS. Requires a modern browser to be of use, i.e., **Chrome/Chromium**, **Firefox 4** or **Firefox with NoScript**. - 7. DoS prevention with a _low_ number of connections by client + 8. DoS prevention with a _low_ number of connections by client allowed: **32**. This number can be adjusted as you see fit. - 8. The Drupal specific headers like `X-Drupal-Cache` provided by + 9. The Drupal specific headers like `X-Drupal-Cache` provided by [pressflow](https://github.com/pressflow/6) or the `X-Generator` header that Drupal 7 sets are both **hidden**. - 9. Limitation of allowed HTTP methods. Out of the box only `GET`, + 10. Limitation of allowed HTTP methods. Out of the box only `GET`, `HEAD` and `POST`are allowed. + 11. Protection of the `/admin` URIs with Basic Auth. + ## Private file handling This config assumes that **private** files are stored under a directory 
@@ -539,6 +546,19 @@ This is strictly a **drupal 6** issue. directive and enumerate the client IPs that are allowed to use the *extra* methods like `PUT`. +## Protection of the `/admin` URIs using Basic Auth + + Just uncomment the line that includes the + `apps/drupal/admin_basic_auth.conf` file. Now whenever you got to a + `/admin` URI the server will prompt you for a username/password + pair. Note that by default this config provides no + username/password values for the `.htpasswd-users` file. This is to + avoid the creeping of laziness and that 80% of the sites that have + the `/admin` URIs protected have the same username/password. + + Note that this is much more effective if at least all your logged + in traffic goes over SSL (HTTPS). + ## Multisite support [Drupal multisite](http://drupal.org/documentation/install/multi-site) @@ -738,13 +758,29 @@ replace** the indicated address by **your** address. For Nginx versions greater or equal than 1.3.4 IPv6 and IPv4 sockets are **separate** by default. +Note also that socket options like `ipv6only=on` can only be specified +**once**. Hence the use of different IPv6 addresses for the server +block that redirects from `www` to the base domain in both HTTP and +HTTPS servers. + ## Installation 1. Move the old `/etc/nginx` directory to `/etc/nginx.old`. 2. Clone the git repository from github: - - git clone https://github.com/perusio/drupal-with-nginx.git + + git clone https://github.com/perusio/drupal-with-nginx.git /etc/nginx + + If you want to use only the Drupal specific version configuration + you must do one of the checkouts below: + + * For the **D7** branch (running **only** D7 sites on the same server): + + git checkout D7 + + * For the **D6** branch (running **only** D6 sites on the same server): + + git checkout D6 3. Edit the `sites-available/example.com.conf` configuration file to suit your requirements. Namely replacing example.com with **your** 
@@ -834,6 +870,13 @@ are **separate** by default. for Nginx to serve. +## Troubleshooting + +If by any reason you have some kind of error, please get a +[debug log](http://nginx.org/en/docs/debugging_log.html) and paste it +in a [Gist](https://gist.github.com) and **open an issue** on the +github issue queue for the module. + ## Acessing the php-fpm status and ping pages You can get the @@ -876,7 +919,7 @@ are **separate** by default. own. Generally the APT machinery will sort out for you any dependencies issues that might exist. -## Ad and Aditional modules support +## Ad and Additional modules support The config is quite tight in the sense that if you have something that is not contemplated in the **exact** match locations, diff --git a/apps/drupal/admin_basic_auth.conf b/apps/drupal/admin_basic_auth.conf new file mode 100644 index 00000000..cc796ce0 --- /dev/null +++ b/apps/drupal/admin_basic_auth.conf @@ -0,0 +1,12 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- + +## Protect the /admin URIs with a basic auth. +location ^~ /admin { + auth_basic "Restricted access"; #realm + auth_basic_user_file .htpasswd-users; + + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; +} diff --git a/cron_allowed_hosts.conf b/apps/drupal/cron_allowed_hosts.conf similarity index 86% rename from cron_allowed_hosts.conf rename to apps/drupal/cron_allowed_hosts.conf index cd2d30ab..bdb3dd9c 100644 --- a/cron_allowed_hosts.conf +++ b/apps/drupal/cron_allowed_hosts.conf @@ -6,5 +6,5 @@ geo $not_allowed_cron { default 1; ## Add your set of hosts. 127.0.0.1 0; # allow the localhost - 192.168.1.0/24 0; # (V)LAN hosts allowed + 192.168.1.0/24 0; # allow on an internal network } diff --git a/apps/drupal/drupal.conf b/apps/drupal/drupal.conf index 1f286c5b..0679bf48 100644 --- a/apps/drupal/drupal.conf +++ b/apps/drupal/drupal.conf 
@@ -25,12 +25,13 @@ location / { location ^~ /system/files/ { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; + include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## If proxying to apache comment the two lines above and - ## uncomment the line below. + ## uncomment the two lines below. #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; ## For not signaling a 404 in the error log whenever the ## system/files directory is accessed add the line below. 
@@ -43,12 +44,44 @@ location / { internal; } - ## Drupal 7 image handling, i.e., imagecache in core. See: - ## https://drupal.org/node/371374. + ## Support for the file_force module + ## http://drupal.org/project/file_force. + location ^~ /system/files_force/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the two lines below. + #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## If accessing an image generated by Drupal 6 imagecache, serve it + ## directly if available, if not relay the request to Drupal to (re)generate + ## the image. + location ~* /imagecache/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $uri @drupal; + } + + ## Drupal 7 generated image handling, i.e., imagecache in core. See: + ## http://drupal.org/node/371374. location ~* /files/styles/ { ## Image hotlinking protection. If you want hotlinking ## protection for your images uncomment the following line. - #include sites-available/hotlinking_protection.conf; + #include apps/drupal/hotlinking_protection.conf; access_log off; expires 30d; 
@@ -58,11 +91,13 @@ location / { ## Advanced Aggregation module CSS ## support. http://drupal.org/project/advagg. location ^~ /sites/default/files/advagg_css/ { - location ~* /sites/default/files/advagg_css/css_[[:alnum:]]+\.css$ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; try_files $uri @drupal; } } @@ -70,17 +105,20 @@ location / { ## Advanced Aggregation module JS ## support. http://drupal.org/project/advagg. location ^~ /sites/default/files/advagg_js/ { - location ~* /sites/default/files/advagg_js/js_[[:alnum:]]+\.js$ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; try_files $uri @drupal; } } ## All static files will be served directly. - location ~* ^.+\.(?:css|cur|js|jpe?g|gif|ico|png|html|xml)$ { + location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { + access_log off; expires 30d; ## No need to bleed constant updates. Send the all shebang in one @@ -127,7 +165,7 @@ location / { ## Pseudo streaming of FLV files: ## http://wiki.nginx.org/HttpFlvStreamModule. ## If pseudo streaming isn't working, try to comment - ## out line 115 in nginx.conf: + ## out in nginx.conf line with: ## add_header X-Frame-Options SAMEORIGIN; location ^~ /sites/default/files/video/flv { location ~* ^/sites/default/files/video/flv/.*\.flv$ { 
@@ -142,7 +180,7 @@ location / { location ^~ /sites/default/files/video/mp4 { # videos location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { mp4; - mp4_buffer_size 1M; + mp4_buffer_size 1M; mp4_max_buffer_size 5M; } } @@ -150,7 +188,7 @@ location / { location ^~ /sites/default/files/audio/m4a { # audios location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { mp4; - mp4_buffer_size 1M; + mp4_buffer_size 1M; mp4_max_buffer_size 5M; } } @@ -160,19 +198,20 @@ location / { location ~* ^/help/[^/]*/README\.txt$ { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; + include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## If proxying to apache comment the two lines above and - ## uncomment the line below. + ## uncomment the two lines below. #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; } } ## Replicate the Apache directive of Drupal standard ## .htaccess. Disable access to any code files. Return a 404 to curtail ## information disclosure. Hide also the text files. - location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { + location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { return 404; } 
@@ -182,59 +221,84 @@ location / { ########### Security measures ########## +## Uncomment the line below if you want to enable basic auth for +## access to all /admin URIs. Note that this provides much better +## protection if use HTTPS. Since it can easily be eavesdropped if you +## use HTTP. +#include apps/drupal/admin_basic_auth.conf; + ## Restrict access to the strictly necessary PHP files. Reducing the ## scope for exploits. Handling of PHP code and the Drupal event loop. location @drupal { ## Include the FastCGI config. - include fastcgi_drupal.conf; + include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## FastCGI microcache. - include sites-available/microcache_fcgi.conf; + include apps/drupal/microcache_fcgi.conf; ## FCGI microcache for authenticated users also. - #include sites-available/microcache_fcgi_auth.conf; + #include apps/drupal/microcache_fcgi_auth.conf; + + ## If proxying to apache comment the two lines above and + ## uncomment the two lines below. + #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; - ## To use Apache for serving PHP uncomment the line bellow and - ## comment out the above. - #proxy_pass http://phpapache/index.php?q=$uri&$args; ## Proxy microcache. - #include sites-available/microcache_proxy.conf; + #include apps/drupal/microcache_proxy.conf; ## Proxy microcache for authenticated users also. - #include sites-available/microcache_proxy_auth.conf; + #include apps/drupal/microcache_proxy_auth.conf; ## Filefield Upload progress ## http://drupal.org/project/filefield_nginx_progress support - ## through the NgninxUploadProgress modules. + ## through the NginxUploadProgress modules. track_uploads uploads 60s; } location @drupal-no-args { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; + include apps/drupal/fastcgi_no_args_drupal.conf; fastcgi_pass phpcgi; ## FastCGI microcache. 
- include sites-available/microcache_fcgi.conf; + include apps/drupal/microcache_fcgi.conf; ## FCGI microcache for authenticated users also. - #include sites-available/microcache_fcgi_auth.conf; + #include apps/drupal/microcache_fcgi_auth.conf; ## If proxying to apache comment the two lines above and - ## uncomment the line below. + ## uncomment the two lines below. #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; ## Proxy microcache. - #include sites-available/microcache_proxy.conf; + #include apps/drupal/microcache_proxy.conf; ## Proxy microcache for authenticated users also. - #include sites-available/microcache_proxy_auth.conf; + #include apps/drupal/microcache_proxy_auth.conf; +} + +## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return +## 404 as not to disclose information. +location ^~ /.bzr { + return 404; } -## Disallow access to .git directory: return 404 as not to disclose -## information. location ^~ /.git { return 404; } +location ^~ /.hg { + return 404; +} + +location ^~ /.svn { + return 404; +} + +location ^~ /.cvs { + return 404; +} + ## Disallow access to patches directory. location ^~ /patches { return 404; @@ -248,6 +312,9 @@ location ^~ /backup { ## Disable access logs for robots.txt. location = /robots.txt { access_log off; + ## Add support for the robotstxt module + ## http://drupal.org/project/robotstxt. + try_files $uri @drupal-no-args; } ## RSS feed support. @@ -277,3 +344,4 @@ location @empty { location ~* ^.+\.php$ { return 404; } + diff --git a/apps/drupal/drupal6.conf b/apps/drupal/drupal6.conf deleted file mode 100644 index 4aa3a2da..00000000 --- a/apps/drupal/drupal6.conf +++ /dev/null 
@@ -1,277 +0,0 @@ -# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- -### Nginx configuration for Drupal. This configuration makes use of -### drush (http:///drupal.org/project/drush) for site maintenance -### and like tasks: -### -### 1. Run the cronjobs. -### 2. Run the DB and code updates: drush up or drush upc followed by -### drush updb to run any DB updates required by the code upgrades -### that were performed. -### 3. Disabling of xmlrpc.xml, install.php (needed only for -### installing the site) and update.php: all updates are now -### handled through drush. - -## The 'default' location. -location / { - - ## Drupal 404 from can impact performance. If using a module like - ## search404 then 404's *have *to be handled by Drupal. Uncomment to - ## relay the handling of 404's to Drupal. - ## error_page 404 /index.php; - - ## Use index.html whenever there's no index.php. - location = / { - error_page 404 =200 /index.html; - } - - ## Using a nested location is the 'correct' way to use regexes. - - ## Regular private file serving (i.e. handled by Drupal). - location ^~ /system/files/ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache/index.php?q=$no_slash_uri; - - ## For not signaling a 404 in the error log whenever the - ## system/files directory is accessed add the line below. - ## Note that the 404 is the intended behavior. - log_not_found off; - } - - ## Trying to access private files directly returns a 404. - location ^~ /sites/default/files/private/ { - internal; - } - - ## If accessing an image generated by imagecache, serve it directly if - ## available, if not relay the request to Drupal to (re)generate the - ## image. - location ~* /imagecache/ { - ## Image hotlinking protection. 
If you want hotlinking - ## protection for your images uncomment the following line. - #include apps/drupal/hotlinking_protection.conf; - - access_log off; - expires 30d; - try_files $uri /index.php?q=$no_slash_uri&$args; - } - - ## Drupal 7 generated image handling, i.e., imagecache in core. See: - ## https://drupal.org/node/371374. - location ~* /files/styles/ { - access_log off; - expires 30d; - try_files $uri /index.php?q=$no_slash_uri&$args; - } - - ## Advanced Aggregation module CSS - ## support. http://drupal.org/project/advagg. - location ^~ /sites/default/files/advagg_css/ { - location ~* /sites/default/files/advagg_css/css_[[:alnum:]]+\.css$ { - access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; - try_files $uri /index.php?q=$no_slash_uri&$args; - } - } - - ## Advanced Aggregation module JS - ## support. http://drupal.org/project/advagg. - location ^~ /sites/default/files/advagg_js/ { - location ~* /sites/default/files/advagg_js/js_[[:alnum:]]+\.js$ { - access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; - try_files $uri /index.php?q=$no_slash_uri&$args; - } - } - - ## All static files will be served directly. - location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml)$ { - access_log off; - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - ## Set the OS file cache. - open_file_cache max=3000 inactive=120s; - open_file_cache_valid 45s; - open_file_cache_min_uses 2; - open_file_cache_errors off; - ## ETag support. This requires an Nginx version >= 1.3.3. - etag on; - } - - ## PDFs and powerpoint files handling. - location ~* ^.+\.(?:pdf|pptx?)$ { - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - ## ETag support. This requires an Nginx version >= 1.3.3. 
- etag on; - } - - ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. - location ^~ /sites/default/files/audio/mp3 { - location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; - aio on; - output_buffers 1 2M; - } - } - - location ^~ /sites/default/files/audio/ogg { - location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; - aio on; - output_buffers 1 2M; - } - } - - ## Pseudo streaming of FLV files: - ## http://wiki.nginx.org/HttpFlvStreamModule. - location ^~ /sites/default/files/video/flv { - location ~* ^/sites/default/files/video/flv/.*\.flv$ { - flv; - } - } - - ## Pseudo streaming of H264/AAC files. This requires an Nginx - ## version greater or equal to 1.0.7 for the stable branch and - ## greater or equal to 1.1.3 for the development branch. - ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. - location ^~ /sites/default/files/video/mp4 { # videos - location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { - mp4; - mp4_buffer_size 1M; - mp4_max_buffer_size 5M; - } - } - - location ^~ /sites/default/files/audio/m4a { # audios - location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { - mp4; - mp4_buffer_size 1M; - mp4_max_buffer_size 5M; - } - } - - ## Advanced Help module makes each module provided README available. - location ^~ /help/ { - location ~* ^/help/[^/]*/README\.txt$ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. 
- #proxy_pass http://phpapache; - } - } - - ## Replicate the Apache directive of Drupal standard - ## .htaccess. Disable access to any code files. Return a 404 to curtail - ## information disclosure. Hide also the text files. - location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { - return 404; - } - - ## First we try the URI and relay to the /index.php?q=$no_slash_uri&$args if not found. - try_files $uri /index.php?q=$no_slash_uri&$args; -} - -########### Security measures ########## - -## Restrict access to the strictly necessary PHP files. Reducing the -## scope for exploits. Handling of PHP code and the Drupal event loop. -location = /index.php { - ## This is marked internal - ## http://wiki.nginx.org/HttpCoreModule#internal as pro-active - ## security practice. No direct access to index.php is allowed all - ## accesses are made by Nginx from other locations or internal - ## redirect. - internal; - fastcgi_pass phpcgi; - - ## FastCGI microcache. - include apps/drupal/microcache_fcgi.conf; - ## FCGI microcache for authenticated users also. - #include apps/drupal/microcache_fcgi_auth.conf; - - ## To use Apache for serving PHP uncomment the line bellow and - ## comment out the above. - #proxy_pass http://phpapache; - ## Proxy microcache. - #include apps/drupal/microcache_proxy.conf; - ## Proxy microcache for authenticated users also. - #include apps/drupal/microcache_proxy_auth.conf; - - ## Filefield Upload progress - ## http://drupal.org/project/filefield_nginx_progress support - ## through the NgninxUploadProgress modules. - track_uploads uploads 60s; -} - -## Disallow access to .git directory: return 404 as not to disclose -## information. -location ^~ /.git { - return 404; -} - -## Disallow access to patches directory. -location ^~ /patches { - return 404; -} - -## Disallow access to drush backup directory. 
-location ^~ /backup { - return 404; -} - -## Disable access logs for robots.txt. -location = /robots.txt { - access_log off; -} - -## RSS feed support. -location = /rss.xml { - try_files $uri /index.php?q=$uri; -} - -## XML Sitemap support. -location = /sitemap.xml { - try_files $uri /index.php?q=$uri; -} - -## Support for favicon. Return an 1x1 transparent GIF if it doesn't -## exist. -location = /favicon.ico { - expires 30d; - try_files /favicon.ico @empty; -} - -## Return an in memory 1x1 transparent GIF. -location @empty { - expires 30d; - empty_gif; -} - -## Any other attempt to access PHP files returns a 404. -location ~* ^.+\.php$ { - return 404; -} diff --git a/apps/drupal/drupal6_escaped.conf b/apps/drupal/drupal6_escaped.conf deleted file mode 100644 index bce7de8e..00000000 --- a/apps/drupal/drupal6_escaped.conf +++ /dev/null 
@@ -1,277 +0,0 @@ -# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- -### Nginx configuration for Drupal. This configuration makes use of -### drush (http:///drupal.org/project/drush) for site maintenance -### and like tasks: -### -### 1. Run the cronjobs. -### 2. Run the DB and code updates: drush up or drush upc followed by -### drush updb to run any DB updates required by the code upgrades -### that were performed. -### 3. Disabling of xmlrpc.xml, install.php (needed only for -### installing the site) and update.php: all updates are now -### handled through drush. - -## The 'default' location. -location / { - - ## Drupal 404 from can impact performance. If using a module like - ## search404 then 404's *have *to be handled by Drupal. Uncomment to - ## relay the handling of 404's to Drupal. - ## error_page 404 /index.php; - - ## Use index.html whenever there's no index.php. - location = / { - error_page 404 =200 /index.html; - } - - ## Using a nested location is the 'correct' way to use regexes. - - ## Regular private file serving (i.e. handled by Drupal). - location ^~ /system/files/ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache/index.php?q=$no_slash_escaped_uri; - - ## For not signaling a 404 in the error log whenever the - ## system/files directory is accessed add the line below. - ## Note that the 404 is the intended behavior. - log_not_found off; - } - - ## Trying to access private files directly returns a 404. - location ^~ /sites/default/files/private/ { - internal; - } - - ## If accessing an image generated by imagecache, serve it directly if - ## available, if not relay the request to Drupal to (re)generate the - ## image. - location ~* /imagecache/ { - ## Image hotlinking protection. 
If you want hotlinking - ## protection for your images uncomment the following line. - #include sites-available/hotlinking_protection.conf; - - access_log off; - expires 30d; - try_files $uri /index.php?q=$no_slash_escaped_uri&$args; - } - - ## Drupal 7 generated image handling, i.e., imagecache in core. See: - ## https://drupal.org/node/371374. - location ~* /files/styles/ { - access_log off; - expires 30d; - try_files $uri /index.php?q=$no_slash_escaped_uri&$args; - } - - ## Advanced Aggregation module CSS - ## support. http://drupal.org/project/advagg. - location ^~ /sites/default/files/advagg_css/ { - location ~* /sites/default/files/advagg_css/css_[[:alnum:]]+\.css$ { - access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; - try_files $uri /index.php?q=$no_slash_escaped_uri&$args; - } - } - - ## Advanced Aggregation module JS - ## support. http://drupal.org/project/advagg. - location ^~ /sites/default/files/advagg_js/ { - location ~* /sites/default/files/advagg_js/js_[[:alnum:]]+\.js$ { - access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; - try_files $uri /index.php?q=$no_slash_escaped_uri&$args; - } - } - - ## All static files will be served directly. - location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml)$ { - access_log off; - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - ## Set the OS file cache. - open_file_cache max=3000 inactive=120s; - open_file_cache_valid 45s; - open_file_cache_min_uses 2; - open_file_cache_errors off; - ## ETag support. This requires an Nginx version >= 1.3.3. - etag on; - } - - ## PDFs and powerpoint files handling. - location ~* ^.+\.(?:pdf|pptx?)$ { - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - ## ETag support. 
This requires an Nginx version >= 1.3.3. - etag on; - } - - ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. - location ^~ /sites/default/files/audio/mp3 { - location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; - aio on; - output_buffers 1 2M; - } - } - - location ^~ /sites/default/files/audio/ogg { - location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; - aio on; - output_buffers 1 2M; - } - } - - ## Pseudo streaming of FLV files: - ## http://wiki.nginx.org/HttpFlvStreamModule. - location ^~ /sites/default/files/video/flv { - location ~* ^/sites/default/files/video/flv/.*\.flv$ { - flv; - } - } - - ## Pseudo streaming of H264/AAC files. This requires an Nginx - ## version greater or equal to 1.0.7 for the stable branch and - ## greater or equal to 1.1.3 for the development branch. - ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. - location ^~ /sites/default/files/video/mp4 { # videos - location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { - mp4; - mp4_buffer_size 1M; - mp4_max_buffer_size 5M; - } - } - - location ^~ /sites/default/files/audio/m4a { # audios - location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { - mp4; - mp4_buffer_size 1M; - mp4_max_buffer_size 5M; - } - } - - ## Advanced Help module makes each module provided README available. - location ^~ /help/ { - location ~* ^/help/[^/]*/README\.txt$ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. 
- include fastcgi_private_files.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache; - } - } - - ## Replicate the Apache directive of Drupal standard - ## .htaccess. Disable access to any code files. Return a 404 to curtail - ## information disclosure. Hide also the text files. - location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { - return 404; - } - - ## First we try the URI and relay to the /index.php?q=$no_slash_escaped_uri&$args if not found. - try_files $uri /index.php?q=$no_slash_escaped_uri&$args; -} - -########### Security measures ########## - -## Restrict access to the strictly necessary PHP files. Reducing the -## scope for exploits. Handling of PHP code and the Drupal event loop. -location = /index.php { - ## This is marked internal - ## http://wiki.nginx.org/HttpCoreModule#internal as pro-active - ## security practice. No direct access to index.php is allowed all - ## accesses are made by Nginx from other locations or internal - ## redirect. - internal; - fastcgi_pass phpcgi; - - ## FastCGI microcache. - include sites-available/microcache_fcgi.conf; - ## FCGI microcache for authenticated users also. - #include sites-available/microcache_fcgi_auth.conf; - - ## To use Apache for serving PHP uncomment the line bellow and - ## comment out the above. - #proxy_pass http://phpapache; - ## Proxy microcache. - #include sites-available/microcache_proxy.conf; - ## Proxy microcache for authenticated users also. - #include sites-available/microcache_proxy_auth.conf; - - ## Filefield Upload progress - ## http://drupal.org/project/filefield_nginx_progress support - ## through the NgninxUploadProgress modules. - track_uploads uploads 60s; -} - -## Disallow access to .git directory: return 404 as not to disclose -## information. 
-location ^~ /.git { - return 404; -} - -## Disallow access to patches directory. -location ^~ /patches { - return 404; -} - -## Disallow access to drush backup directory. -location ^~ /backup { - return 404; -} - -## Disable access logs for robots.txt. -location = /robots.txt { - access_log off; -} - -## RSS feed support. -location = /rss.xml { - try_files $uri /index.php?q=$uri; -} - -## XML Sitemap support. -location = /sitemap.xml { - try_files $uri /index.php?q=$uri; -} - -## Support for favicon. Return an 1x1 transparent GIF if it doesn't -## exist. -location = /favicon.ico { - expires 30d; - try_files /favicon.ico @empty; -} - -## Return an in memory 1x1 transparent GIF. -location @empty { - expires 30d; - empty_gif; -} - -## Any other attempt to access PHP files returns a 404. -location ~* ^.+\.php$ { - return 404; -} diff --git a/apps/drupal/drupal6_upload_progress.conf b/apps/drupal/drupal6_upload_progress.conf deleted file mode 100644 index eed919fc..00000000 --- a/apps/drupal/drupal6_upload_progress.conf +++ /dev/null 
@@ -1,24 +0,0 @@ -# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*- - -### Drupal 6 configuration for the Nginx Upload Progress module: -### https://github.com/masterzen/nginx-upload-progress-module -### This requires the Filefield Nginx Progress module: -### http://drupal.org/project/filefield_nginx_progress. - -## The Nginx module wants ?X-Progress-ID query parameter so -## that it report the progress of the upload through a GET -## request. But the drupal form element makes use of clean -## URLs in the POST. -location ~ (?.*)/x-progress-id:(?\w*) { - rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id; -} - -## Now the above rewrite must be matched by a location that -## activates it and references the above defined upload -## tracking zone. -location ^~ /progress { - ## Comment out the line below if you're using a version - ## of the Nginx Upload Progress module less than 0.9.0. - upload_progress_java_output; # this for version 0.9.0 of the module - report_uploads uploads; -} diff --git a/apps/drupal/drupal_boost.conf b/apps/drupal/drupal_boost.conf index a353e5af..1cb10e16 100644 --- a/apps/drupal/drupal_boost.conf +++ b/apps/drupal/drupal_boost.conf @@ -1,8 +1,7 @@ # -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- ### Nginx configuration for using Boost with Drupal. This -### configuration makes use of drush -### (http:///drupal.org/project/drush) for site maintenance and like -### tasks: +### configuration makes use of drush (http:///drupal.org/project/drush) +### for site maintenance and like tasks: ### ### 1. Run the cronjobs. ### 2. Run the DB and code updates: drush up or drush upc followed by 
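Review bot: the drush URL in the rewrapped header comment of `drupal_boost.conf` (hunk `@@ -1,8 +1,7 @@`) still carries the triple slash, `http:///drupal.org/project/drush`; since the two lines are being rewritten anyway, correct it to `http://drupal.org/project/drush` rather than carrying the typo forward.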
@@ -26,12 +25,13 @@ location / { location ^~ /system/files/ { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; + include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## If proxying to apache comment the two lines above and ## uncomment the line below. #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; ## For not signaling a 404 in the error log whenever the ## system/files directory is accessed add the line below. @@ -44,13 +44,32 @@ location / { internal; } - ## If accessing an image generated by imagecache, serve it directly if - ## available, if not relay the request to Drupal to (re)generate the - ## image. + ## Support for the file_force module + ## http://drupal.org/project/file_force. + location ^~ /system/files_force/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$no_slash_uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## If accessing an image generated by Drupal 6 imagecache, serve it + ## directly if available, if not relay the request to Drupal to (re)generate + ## the image. location ~* /imagecache/ { ## Image hotlinking protection. If you want hotlinking ## protection for your images uncomment the following line. - #include sites-available/hotlinking_protection.conf; + #include apps/drupal/hotlinking_protection.conf; access_log off; expires 30d; 
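Review bot: the `include` swap in the `/system/files/` location (hunk `@@ -26,12 +25,13 @@`) replaces `fastcgi_private_files.conf` with `apps/drupal/fastcgi_drupal.conf`, while the very same old include in `@drupal-no-args` further down this file is replaced with `apps/drupal/fastcgi_no_args_drupal.conf`, and the `/help/` README location gets the `fastcgi_drupal.conf` variant again. Three locations that shared one FastCGI parameter file now end up with two different ones; either say in a comment why private-file requests and the no-args location need different parameters, or pick one replacement for all of them.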
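Review bot: the comment inside the new `/system/files_force/` location (hunk `@@ -44,13 +44,32 @@`) was copied from the block above and still says `system/files directory is accessed`; it should read `system/files_force`. In the same block the commented `proxy_pass` line uses `$no_slash_uri` where the `/system/files/` block two hunks up uses `$uri`; if the difference is deliberate a one-line comment would help, otherwise align the two.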
@@ -58,8 +77,12 @@ location / { } ## Drupal 7 generated image handling, i.e., imagecache in core. See: - ## https://drupal.org/node/371374. + ## http://drupal.org/node/371374. location ~* /files/styles/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + access_log off; expires 30d; try_files $uri @drupal; @@ -68,11 +91,13 @@ location / { ## Advanced Aggregation module CSS ## support. http://drupal.org/project/advagg. location ^~ /sites/default/files/advagg_css/ { - location ~* /sites/default/files/advagg_css/css_[[:alnum:]]+\.css$ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; try_files $uri @drupal; } } @@ -80,17 +105,18 @@ location / { ## Advanced Aggregation module JS ## support. http://drupal.org/project/advagg. location ^~ /sites/default/files/advagg_js/ { - location ~* /sites/default/files/advagg_js/js_[[:alnum:]]+\.js$ { + add_header Pragma ''; + add_header Cache-Control 'public, max-age=946080000'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; try_files $uri @drupal; } } ## All static files will be served directly. - location ~* ^.+\.(?:css|cur|js|jpg|jpeg|gif|ico|png|html|xml)$ { + location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { access_log off; expires 30d; ## No need to bleed constant updates. Send the all shebang in one 
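Review bot: the link edit in hunk `@@ -58,8 +77,12 @@` downgrades `https://drupal.org/node/371374` to `http://`; drupal.org is served over HTTPS, so keep the original scheme even in a comment rather than pointing readers at a plaintext URL.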
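Review bot: `add_header Accept-Ranges '';` in the `advagg_css` parent location (hunk `@@ -68,11 +91,13 @@`) does nothing: a header with an empty value is simply not added by `add_header`, and the `Accept-Ranges: bytes` that nginx emits for static files is switched off with `max_ranges 0;` instead. The neighbouring `add_header ETag '';` relies on `add_header` special-casing `ETag` and clearing it when the value is empty, which current nginx does, but `etag off;` states the intent directly and works on every version that understands the `etag on;` the file already uses. Also, the regex change from `css_[[:alnum:]]+` to `css[_[:alnum:]]+` widens the match to names such as `css_a_b.css`; that looks intended for newer AdvAgg file names, but it deserves a word in the commit message.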
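Review bot: `svg` joins the directly served static-file list in hunk `@@ -80,17 +105,18 @@`, but SVG is XML and may embed script, so any SVG that lands under `sites/default/files` through an upload form is now sent inline with a 30-day `expires` and no further handling, exactly like a `png`. If user uploads are possible on these sites, serve SVG from a dedicated location that adds `Content-Disposition: attachment` (or a restrictive `Content-Security-Policy` such as `default-src 'none'`) rather than from the generic image rule. Separately, the same hunk leaves `advagg_js` with the old `Pragma`/`Cache-Control` header set while the sibling `advagg_css` block now uses `expires max` plus `ETag`/`Last-Modified` overrides; the two AdvAgg locations should follow one caching policy.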
@@ -131,6 +157,9 @@ location / { ## Pseudo streaming of FLV files: ## http://wiki.nginx.org/HttpFlvStreamModule. + ## If pseudo streaming isn't working, try to comment + ## out in nginx.conf line with: + ## add_header X-Frame-Options SAMEORIGIN; location ^~ /sites/default/files/video/flv { location ~* ^/sites/default/files/video/flv/.*\.flv$ { flv; @@ -144,7 +173,7 @@ location / { location ^~ /sites/default/files/video/mp4 { # videos location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { mp4; - mp4_buffer_size 1M; + mp4_buffer_size 1M; mp4_max_buffer_size 5M; } } @@ -152,7 +181,7 @@ location / { location ^~ /sites/default/files/audio/m4a { # audios location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { mp4; - mp4_buffer_size 1M; + mp4_buffer_size 1M; mp4_max_buffer_size 5M; } } @@ -162,7 +191,7 @@ location / { location ~* ^/help/[^/]*/README\.txt$ { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; + include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## If proxying to apache comment the two lines above and @@ -174,7 +203,7 @@ location / { ## Replicate the Apache directive of Drupal standard ## .htaccess. Disable access to any code files. Return a 404 to curtail ## information disclosure. Hide also the text files. - location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { + location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { return 404; } 
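Review bot: the new comment in hunk `@@ -131,6 +157,9 @@` tells the reader to comment out `add_header X-Frame-Options SAMEORIGIN;` in `nginx.conf` when FLV pseudo streaming fails, which removes clickjacking protection for the whole server to fix one location. `add_header` directives are inherited from the enclosing level only when the current level defines none of its own, so placing the location's own `add_header` set inside the `flv` location drops the inherited `X-Frame-Options` there alone; reword the comment to scope the change to this location instead of the global file.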
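Review bot: hunks `@@ -144,7 +173,7 @@` and `@@ -152,7 +181,7 @@` change only the indentation of `mp4_buffer_size 1M;`; whitespace-only edits are better kept out of a functional change so the diff stays reviewable.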
@@ -214,7 +243,7 @@ location @cache { # Funny...perhaps. Egocentric? Damn right!; add_header X-Header "Boost Helás Avril 1.0"; ## Boost doesn't set a charset. - charset utf8; + charset utf-8; # We try each boost URI in succession, if every one of them # fails then relay to Drupal. 
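Review bot: the `charset utf8;` to `charset utf-8;` change in hunk `@@ -214,7 +243,7 @@` is correct and worth a line in the commit message: nginx copies the directive's value into the `charset=` parameter of `Content-Type` as given, and `utf-8` is the registered name that browsers and validators expect.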
@@ -223,51 +252,75 @@ location @cache { ########### Security measures ########## +## Uncomment the line below if you want to enable basic auth for +## access to all /admin URIs. Note that this provides much better +## protection if use HTTPS. Since it can easily be eavesdropped if you +## use HTTP. +#include apps/drupal/admin_basic_auth.conf; + ## Restrict access to the strictly necessary PHP files. Reducing the ## scope for exploits. Handling of PHP code and the Drupal event loop. location @drupal { ## Include the FastCGI config. - include fastcgi_drupal.conf; + include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## FCGI microcache for authenticated users also. - include sites-available/microcache_fcgi_auth.conf; + include apps/drupal/microcache_fcgi_auth.conf; ## To use Apache for serving PHP uncomment the line bellow and ## comment out the above. #proxy_pass http://phpapache/index.php?q=$uri&$args; + #proxy_set_header Connection ''; ## Proxy microcache for authenticated users also. - #include sites-available/microcache_proxy_auth.conf; + #include apps/drupal/microcache_proxy_auth.conf; ## Filefield Upload progress ## http://drupal.org/project/filefield_nginx_progress support - ## through the NgninxUploadProgress modules. + ## through the NginxUploadProgress modules. track_uploads uploads 60s; } location @drupal-no-args { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; + include apps/drupal/fastcgi_no_args_drupal.conf; fastcgi_pass phpcgi; ## FCGI microcache for authenticated users also. - include sites-available/microcache_fcgi_auth.conf; + include apps/drupal/microcache_fcgi_auth.conf; ## If proxying to apache comment the two lines above and ## uncomment the line below. #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; ## Proxy microcache for authenticated users also. 
- #include sites-available/microcache_proxy_auth.conf; + #include apps/drupal/microcache_proxy_auth.conf; +} + +## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return +## 404 as not to disclose information. +location ^~ /.bzr { + return 404; } -## Disallow access to .git directory: return 404 as not to disclose -## information. location ^~ /.git { return 404; } +location ^~ /.hg { + return 404; +} + +location ^~ /.svn { + return 404; +} + +location ^~ /.cvs { + return 404; +} + ## Disallow access to patches directory. location ^~ /patches { return 404; @@ -281,6 +334,9 @@ location ^~ /backup { ## Disable access logs for robots.txt. location = /robots.txt { access_log off; + ## Add support for the robotstxt module + ## http://drupal.org/project/robotstxt. + try_files $uri @drupal-no-args; } ## RSS feed support. @@ -318,3 +374,4 @@ location = /boost_stats.php { ## comment out the above. #proxy_pass http://phpapache; } + diff --git a/apps/drupal/drupal_boost6.conf b/apps/drupal/drupal_boost6.conf deleted file mode 100644 index 8ab9894f..00000000 --- a/apps/drupal/drupal_boost6.conf +++ /dev/null 
@@ -1,349 +0,0 @@ -# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- -### Nginx configuration for using Boost with Drupal. This -### configuration makes use of drush -### (http:///drupal.org/project/drush) for site maintenance and like -### tasks: -### -### 1. Run the cronjobs. -### 2. Run the DB and code updates: drush up or drush upc followed by -### drush updb to run any DB updates required by the code upgrades -### that were performed. -### 3. Disabling of xmlrpc.xml, install.php (needed only for -### installing the site) and update.php: all updates are now -### handled through drush. - -## The 'default' location. -location / { - - ## Drupal 404 from can impact performance. If using a module like - ## search404 then 404's *have *to be handled by Drupal. Uncomment to - ## relay the handling of 404's to Drupal. - ## error_page 404 /index.php; - - ## We have to check for boost generated files for the '/' URI. - ## Also try to use index.html whenever there's no index.php. - location = / { - ## Boost compresses can the pages so we check it. Comment it out - ## if you don't have it enabled in Boost. - gzip_static on; - - ## Error page handler for the case where $no_cache is 1. POST - ## request or authenticated. - error_page 418 = @no_cache; - - ## If $no_cache is 1 then it means that either we have a session - ## cookie or that the request method is POST. So serve the dynamic - ## page. - if ($no_cache) { - return 418; # I'm a teapot/I can't get no cachifaction - } - - ## No caching for POST requests. - if ($request_method = POST) { - return 418; - } - - try_files /cache/normal/$host/_${args}.html /cache/perm/$host/_.css /cache/perm/$host/_.js /cache/$host/0/.html /cache/$host/0/index.html /index.php; - } - - ## Using a nested location is the 'correct' way to use regexes. - - ## Regular private file serving (i.e. handled by Drupal). - location ^~ /system/files/ { - ## Include the specific FastCGI configuration. 
This is for a - ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache; - - ## For not signaling a 404 in the error log whenever the - ## system/files directory is accessed add the line below. - ## Note that the 404 is the intended behavior. - log_not_found off; - } - - ## Trying to access private files directly returns a 404. - location ^~ /sites/default/files/private/ { - internal; - } - - ## If accessing an image generated by imagecache, serve it directly if - ## available, if not relay the request to Drupal to (re)generate the - ## image. - location ~* /imagecache/ { - ## Image hotlinking protection. If you want hotlinking - ## protection for your images uncomment the following line. - #include sites-available/hotlinking_protection.conf; - - access_log off; - expires 30d; - try_files $uri /index.php?q=$no_slash_uri&$args; - } - - ## Drupal 7 generated image handling, i.e., imagecache in core. See: - ## https://drupal.org/node/371374. - location ~* /files/styles/ { - access_log off; - expires 30d; - try_files $uri /index.php?q=$no_slash_uri&$args; - } - - ## Advanced Aggregation module CSS - ## support. http://drupal.org/project/advagg. - location ^~ /sites/default/files/advagg_css/ { - location ~* /sites/default/files/advagg_css/css_[[:alnum:]]+\.css$ { - access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; - try_files $uri /index.php?q=$no_slash_uri&$args; - } - } - - ## Advanced Aggregation module JS - ## support. http://drupal.org/project/advagg. 
- location ^~ /sites/default/files/advagg_js/ { - location ~* /sites/default/files/advagg_js/js_[[:alnum:]]+\.js$ { - access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; - try_files $uri /index.php?q=$no_slash_uri&$args; - } - } - - ## All static files will be served directly. - location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml)$ { - access_log off; - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - ## Set the OS file cache. - open_file_cache max=3000 inactive=120s; - open_file_cache_valid 45s; - open_file_cache_min_uses 2; - open_file_cache_errors off; - ## ETag support. This requires an Nginx version >= 1.3.3. - etag on; - } - - ## PDFs and powerpoint files handling. - location ~* ^.+\.(?:pdf|pptx?)$ { - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - ## ETag support. This requires an Nginx version >= 1.3.3. - etag on; - } - - ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. - location ^~ /sites/default/files/audio/mp3 { - location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; - aio on; - output_buffers 1 2M; - } - } - - location ^~ /sites/default/files/audio/ogg { - location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; - aio on; - output_buffers 1 2M; - } - } - - ## Pseudo streaming of FLV files: - ## http://wiki.nginx.org/HttpFlvStreamModule. 
- location ^~ /sites/default/files/video/flv { - location ~* ^/sites/default/files/video/flv/.*\.flv$ { - flv; - } - } - - ## Pseudo streaming of H264/AAC files. This requires an Nginx - ## version greater or equal to 1.0.7 for the stable branch and - ## greater or equal to 1.1.3 for the development branch. - ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. - location ^~ /sites/default/files/video/mp4 { # videos - location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { - mp4; - mp4_buffer_size 1M; - mp4_max_buffer_size 5M; - } - } - - location ^~ /sites/default/files/audio/m4a { # audios - location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { - mp4; - mp4_buffer_size 1M; - mp4_max_buffer_size 5M; - } - } - - ## Advanced Help module makes each module provided README available. - location ^~ /help/ { - location ~* ^/help/[^/]*/README\.txt$ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache; - } - } - - ## Replicate the Apache directive of Drupal standard - ## .htaccess. Disable access to any code files. Return a 404 to curtail - ## information disclosure. Hide also the text files. - location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { - return 404; - } - - ## First we try the URI and relay to the @cache if not found. - try_files $uri @cache; -} - -## We define a named location for the cache. -location @cache { - ## Boost compresses can the pages so we check it. Comment it out - ## if you don't have it enabled in Boost. - gzip_static on; - - ## Error page handler for the case where $no_cache is 1. POST - ## request or authenticated. 
- error_page 418 = @no_cache; - - ## If $no_cache is 1 then it means that either we have a session - ## cookie or that the request method is POST. So serve the dynamic - ## page. - if ($no_cache) { - return 418; # I'm a teapot/I can't get no cachifaction - } - - ## No caching for POST requests. - if ($request_method = POST) { - return 418; - } - - # Now for some header tweaking. We use a date that differs - # from stock Drupal. Everyone seems to be using their - # birthdate. Why go against the grain? - add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT"; - # We bypass all delays in the post-check and pre-check - # parameters of Cache-Control. Both set to 0. - add_header Cache-Control "must-revalidate, post-check=0, pre-check=0"; - # Funny...perhaps. Egocentric? Damn right!; - add_header X-Header "Boost Helás Avril 1.0"; - ## Boost doesn't set a charset. - charset utf8; - - # We try each boost URI in succession, if every one of them - # fails then relay to Drupal. - try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$uri.html /cache/$host/0${uri}/index.html /index.php?q=$no_slash_uri&$args; -} - -## We need another named location for the rewrite to work otherwise we -## get the unclean URLs in all their glory. -location @no_cache { - try_files $uri /index.php?q=$no_slash_uri&$args; -} - -########### Security measures ########## - -## Restrict access to the strictly necessary PHP files. Reducing the -## scope for exploits. Handling of PHP code and the Drupal event loop. -location = /index.php { - ## This is marked internal - ## http://wiki.nginx.org/HttpCoreModule#internal as pro-active - ## security practice. No direct access to index.php is allowed all - ## accesses are made by Nginx from other locations or internal - ## redirect. - internal; - fastcgi_pass phpcgi; - - ## FCGI microcache for authenticated users also. 
- include sites-available/microcache_fcgi_auth.conf; - - ## To use Apache for serving PHP uncomment the line bellow and - ## comment out the above. - #proxy_pass http://phpapache; - ## Proxy microcache for autenticated users. - #include sites-available/microcache_proxy_auth.conf; - - ## Filefield Upload progress - ## http://drupal.org/project/filefield_nginx_progress support - ## through the NgninxUploadProgress modules. - track_uploads uploads 60s; -} - -## Boost stats. -location = /boost_stats.php { - fastcgi_pass phpcgi; - ## To use Apache for serving PHP uncomment the line bellow and - ## comment out the above. - #proxy_pass http://phpapache; -} - - -## Disallow access to .git directory: return 404 as not to disclose -## information. -location ^~ /.git { - return 404; -} - -## Disallow access to patches directory. -location ^~ /patches { - return 404; -} - -## Disallow access to drush backup directory. -location ^~ /backup { - return 404; -} - -## Disable access logs for robots.txt. -location = /robots.txt { - access_log off; -} - -## RSS feed support. -location = /rss.xml { - try_files $uri /index.php?q=$no_slash_uri; -} - -## XML Sitemap support. -location = /sitemap.xml { - try_files $uri /index.php?q=$no_slash_uri; -} - -## Support for favicon. Return an 1x1 transparent GIF if it doesn't -## exist. -location = /favicon.ico { - expires 30d; - try_files /favicon.ico @empty; -} - -## Return an in memory 1x1 transparent GIF. -location @empty { - expires 30d; - empty_gif; -} - -## Any other attempt to access PHP files returns a 404. -location ~* ^.+\.php$ { - return 404; -} diff --git a/apps/drupal/drupal_boost6_escaped.conf b/apps/drupal/drupal_boost6_escaped.conf deleted file mode 100644 index ac935e29..00000000 --- a/apps/drupal/drupal_boost6_escaped.conf +++ /dev/null 
@@ -1,349 +0,0 @@ -# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- -### Nginx configuration for using Boost with Drupal. This -### configuration makes use of drush -### (http:///drupal.org/project/drush) for site maintenance and like -### tasks: -### -### 1. Run the cronjobs. -### 2. Run the DB and code updates: drush up or drush upc followed by -### drush updb to run any DB updates required by the code upgrades -### that were performed. -### 3. Disabling of xmlrpc.xml, install.php (needed only for -### installing the site) and update.php: all updates are now -### handled through drush. - -## The 'default' location. -location / { - - ## Drupal 404 from can impact performance. If using a module like - ## search404 then 404's *have *to be handled by Drupal. Uncomment to - ## relay the handling of 404's to Drupal. - ## error_page 404 /index.php; - - ## We have to check for boost generated files for the '/' URI. - ## Also try to use index.html whenever there's no index.php. - location = / { - ## Boost compresses can the pages so we check it. Comment it out - ## if you don't have it enabled in Boost. - gzip_static on; - - ## Error page handler for the case where $no_cache is 1. POST - ## request or authenticated. - error_page 418 = @no_cache; - - ## If $no_cache is 1 then it means that either we have a session - ## cookie or that the request method is POST. So serve the dynamic - ## page. - if ($no_cache) { - return 418; # I'm a teapot/I can't get no cachifaction - } - - ## No caching for POST requests. - if ($request_method = POST) { - return 418; - } - - try_files /cache/normal/$host/_${args}.html /cache/perm/$host/_.css /cache/perm/$host/_.js /cache/$host/0/.html /cache/$host/0/index.html /index.php; - } - - ## Using a nested location is the 'correct' way to use regexes. - - ## Regular private file serving (i.e. handled by Drupal). - location ^~ /system/files/ { - ## Include the specific FastCGI configuration. 
This is for a - ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache; - - ## For not signaling a 404 in the error log whenever the - ## system/files directory is accessed add the line below. - ## Note that the 404 is the intended behavior. - log_not_found off; - } - - ## Trying to access private files directly returns a 404. - location ^~ /sites/default/files/private/ { - internal; - } - - ## If accessing an image generated by imagecache, serve it directly if - ## available, if not relay the request to Drupal to (re)generate the - ## image. - location ~* /imagecache/ { - ## Image hotlinking protection. If you want hotlinking - ## protection for your images uncomment the following line. - #include sites-available/hotlinking_protection.conf; - - access_log off; - expires 30d; - try_files $uri /index.php?q=$no_slash_escaped_uri&$args; - } - - ## Drupal 7 generated image handling, i.e., imagecache in core. See: - ## https://drupal.org/node/371374. - location ~* /files/styles/ { - access_log off; - expires 30d; - try_files $uri /index.php?q=$no_slash_escaped_uri&$args; - } - - ## Advanced Aggregation module CSS - ## support. http://drupal.org/project/advagg. - location ^~ /sites/default/files/advagg_css/ { - location ~* /sites/default/files/advagg_css/css_[[:alnum:]]+\.css$ { - access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; - try_files $uri /index.php?q=$no_slash_escaped_uri&$args; - } - } - - ## Advanced Aggregation module JS - ## support. http://drupal.org/project/advagg. 
- location ^~ /sites/default/files/advagg_js/ { - location ~* /sites/default/files/advagg_js/js_[[:alnum:]]+\.js$ { - access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; - try_files $uri /index.php?q=$no_slash_escaped_uri&$args; - } - } - - ## All static files will be served directly. - location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml)$ { - access_log off; - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - ## Set the OS file cache. - open_file_cache max=3000 inactive=120s; - open_file_cache_valid 45s; - open_file_cache_min_uses 2; - open_file_cache_errors off; - ## ETag support. This requires an Nginx version >= 1.3.3. - etag on; - } - - ## PDFs and powerpoint files handling. - location ~* ^.+\.(?:pdf|pptx?)$ { - expires 30d; - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - ## ETag support. This requires an Nginx version >= 1.3.3. - etag on; - } - - ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. - location ^~ /sites/default/files/audio/mp3 { - location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; - aio on; - output_buffers 1 2M; - } - } - - location ^~ /sites/default/files/audio/ogg { - location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { - directio 4k; # for XFS - ## If you're using ext3 or similar uncomment the line below and comment the above. - #directio 512; # for ext3 or similar (block alignments) - tcp_nopush off; - aio on; - output_buffers 1 2M; - } - } - - ## Pseudo streaming of FLV files: - ## http://wiki.nginx.org/HttpFlvStreamModule. 
- location ^~ /sites/default/files/video/flv { - location ~* ^/sites/default/files/video/flv/.*\.flv$ { - flv; - } - } - - ## Pseudo streaming of H264/AAC files. This requires an Nginx - ## version greater or equal to 1.0.7 for the stable branch and - ## greater or equal to 1.1.3 for the development branch. - ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. - location ^~ /sites/default/files/video/mp4 { # videos - location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { - mp4; - mp4_buffer_size 1M; - mp4_max_buffer_size 5M; - } - } - - location ^~ /sites/default/files/audio/m4a { # audios - location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { - mp4; - mp4_buffer_size 1M; - mp4_max_buffer_size 5M; - } - } - - ## Advanced Help module makes each module provided README available. - location ^~ /help/ { - location ~* ^/help/[^/]*/README\.txt$ { - ## Include the specific FastCGI configuration. This is for a - ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; - fastcgi_pass phpcgi; - - ## If proxying to apache comment the two lines above and - ## uncomment the line below. - #proxy_pass http://phpapache; - } - } - - ## Replicate the Apache directive of Drupal standard - ## .htaccess. Disable access to any code files. Return a 404 to curtail - ## information disclosure. Hide also the text files. - location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { - return 404; - } - - ## First we try the URI and relay to the @cache if not found. - try_files $uri @cache; -} - -## We define a named location for the cache. -location @cache { - ## Boost compresses can the pages so we check it. Comment it out - ## if you don't have it enabled in Boost. - gzip_static on; - - ## Error page handler for the case where $no_cache is 1. POST - ## request or authenticated. 
- error_page 418 = @no_cache; - - ## If $no_cache is 1 then it means that either we have a session - ## cookie or that the request method is POST. So serve the dynamic - ## page. - if ($no_cache) { - return 418; # I'm a teapot/I can't get no cachifaction - } - - ## No caching for POST requests. - if ($request_method = POST) { - return 418; - } - - # Now for some header tweaking. We use a date that differs - # from stock Drupal. Everyone seems to be using their - # birthdate. Why go against the grain? - add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT"; - # We bypass all delays in the post-check and pre-check - # parameters of Cache-Control. Both set to 0. - add_header Cache-Control "must-revalidate, post-check=0, pre-check=0"; - # Funny...perhaps. Egocentric? Damn right!; - add_header X-Header "Boost Helás Avril 1.0"; - ## Boost doesn't set a charset. - charset utf8; - - # We try each boost URI in succession, if every one of them - # fails then relay to Drupal. - try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$uri.html /cache/$host/0${uri}/index.html /index.php?q=$no_slash_escaped_uri&$args; -} - -## We need another named location for the rewrite to work otherwise we -## get the unclean URLs in all their glory. -location @no_cache { - try_files $uri /index.php?q=$no_slash_escaped_uri&$args; -} - -########### Security measures ########## - -## Restrict access to the strictly necessary PHP files. Reducing the -## scope for exploits. Handling of PHP code and the Drupal event loop. -location = /index.php { - ## This is marked internal - ## http://wiki.nginx.org/HttpCoreModule#internal as pro-active - ## security practice. No direct access to index.php is allowed all - ## accesses are made by Nginx from other locations or internal - ## redirect. - internal; - fastcgi_pass phpcgi; - - ## FCGI microcache for authenticated users also. 
- include sites-available/microcache_fcgi_auth.conf; - - ## To use Apache for serving PHP uncomment the line bellow and - ## comment out the above. - #proxy_pass http://phpapache; - ## Proxy microcache for autenticated users. - #include sites-available/microcache_proxy_auth.conf; - - ## Filefield Upload progress - ## http://drupal.org/project/filefield_nginx_progress support - ## through the NgninxUploadProgress modules. - track_uploads uploads 60s; -} - -## Boost stats. -location = /boost_stats.php { - fastcgi_pass phpcgi; - ## To use Apache for serving PHP uncomment the line bellow and - ## comment out the above. - #proxy_pass http://phpapache; -} - - -## Disallow access to .git directory: return 404 as not to disclose -## information. -location ^~ /.git { - return 404; -} - -## Disallow access to patches directory. -location ^~ /patches { - return 404; -} - -## Disallow access to drush backup directory. -location ^~ /backup { - return 404; -} - -## Disable access logs for robots.txt. -location = /robots.txt { - access_log off; -} - -## RSS feed support. -location = /rss.xml { - try_files $uri /index.php?q=$no_slash_escaped_uri; -} - -## XML Sitemap support. -location = /sitemap.xml { - try_files $uri /index.php?q=$no_slash_escaped_uri; -} - -## Support for favicon. Return an 1x1 transparent GIF if it doesn't -## exist. -location = /favicon.ico { - expires 30d; - try_files /favicon.ico @empty; -} - -## Return an in memory 1x1 transparent GIF. -location @empty { - expires 30d; - empty_gif; -} - -## Any other attempt to access PHP files returns a 404. -location ~* ^.+\.php$ { - return 404; -} diff --git a/apps/drupal/drupal_boost_escaped.conf b/apps/drupal/drupal_boost_escaped.conf index c108a228..36f5d986 100644 --- a/apps/drupal/drupal_boost_escaped.conf +++ b/apps/drupal/drupal_boost_escaped.conf 
@@ -1,8 +1,7 @@ # -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- ### Nginx configuration for using Boost with Drupal. This -### configuration makes use of drush -### (http:///drupal.org/project/drush) for site maintenance and like -### tasks: +### configuration makes use of drush (http:///drupal.org/project/drush) +### for site maintenance and like tasks: ### ### 1. Run the cronjobs. ### 2. Run the DB and code updates: drush up or drush upc followed by @@ -12,6 +11,9 @@ ### installing the site) and update.php: all updates are now ### handled through drush. +## To avoid the ugly rewrite we use Lua to escape the URI. +set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)'; + ## The 'default' location. location / { @@ -26,12 +28,13 @@ location / { location ^~ /system/files/ { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; + include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## If proxying to apache comment the two lines above and ## uncomment the line below. #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; ## For not signaling a 404 in the error log whenever the ## system/files directory is accessed add the line below. 
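Review bot: The `/system/files/` hunk adds `#proxy_set_header Connection '';` under a comment that still says "uncomment the line below" (singular), and that directive only has an effect together with `proxy_http_version 1.1;` and a `keepalive` setting in the `phpapache` upstream, neither of which appears in this patch; either add both or say in the comment what the line is for. The `set_by_lua $escaped_uri ...` hunk at the top of the file also makes the whole configuration depend on the ngx_lua module, which the file header should state, since a stock nginx will refuse to start on that directive.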
@@ -44,13 +47,32 @@ location / { internal; } - ## If accessing an image generated by imagecache, serve it directly if - ## available, if not relay the request to Drupal to (re)generate the - ## image. + ## Support for the file_force module + ## http://drupal.org/project/file_force. + location ^~ /system/files_force/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$no_slash_uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## If accessing an image generated by Drupal 6 imagecache, serve it + ## directly if available, if not relay the request to Drupal to (re)generate + ## the image. location ~* /imagecache/ { ## Image hotlinking protection. If you want hotlinking ## protection for your images uncomment the following line. - #include sites-available/hotlinking_protection.conf; + #include apps/drupal/hotlinking_protection.conf; access_log off; expires 30d; @@ -58,8 +80,12 @@ location / { } ## Drupal 7 generated image handling, i.e., imagecache in core. See: - ## https://drupal.org/node/371374. + ## http://drupal.org/node/371374. location ~* /files/styles/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + access_log off; expires 30d; try_files $escaped_uri @drupal; 
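Review bot: In the new `/system/files_force/` block the commented Apache fallback passes `q=$no_slash_uri`, while the `/system/files/` block just above it passes `q=$escaped_uri`; `$no_slash_uri` is not defined anywhere in this patch and, in the escaped variant of the configuration, using an unescaped variable defeats the point of the Lua escaping (a path containing a literal `&` or `%` would be re-parsed by PHP as a query-string separator). Use `$escaped_uri` here as in the neighbouring block. The trailing comment in the same block still talks about "the system/files directory"; it should say `system/files_force`.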
@@ -68,11 +94,13 @@ location / { ## Advanced Aggregation module CSS ## support. http://drupal.org/project/advagg. location ^~ /sites/default/files/advagg_css/ { - location ~* /sites/default/files/advagg_css/css_[[:alnum:]]+\.css$ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; try_files $escaped_uri @drupal; } } @@ -80,17 +108,18 @@ location / { ## Advanced Aggregation module JS ## support. http://drupal.org/project/advagg. location ^~ /sites/default/files/advagg_js/ { - location ~* /sites/default/files/advagg_js/js_[[:alnum:]]+\.js$ { + add_header Pragma ''; + add_header Cache-Control 'public, max-age=946080000'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; try_files $escaped_uri @drupal; } } ## All static files will be served directly. - location ~* ^.+\.(?:css|cur|js|jpg|jpeg|gif|ico|png|html|xml)$ { + location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { access_log off; expires 30d; ## No need to bleed constant updates. Send the all shebang in one @@ -131,6 +160,9 @@ location / { ## Pseudo streaming of FLV files: ## http://wiki.nginx.org/HttpFlvStreamModule. + ## If pseudo streaming isn't working, try to comment + ## out in nginx.conf line with: + ## add_header X-Frame-Options SAMEORIGIN; location ^~ /sites/default/files/video/flv { location ~* ^/sites/default/files/video/flv/.*\.flv$ { flv; 
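Review bot: In the `advagg_css` hunk, `add_header ETag ''` and `add_header Last-Modified '...'` only clear or override the headers nginx derives from the file on versions whose `add_header` special-cases those two names (1.7.5 and later, as far as I recall); on older builds an empty `add_header` value is silently dropped and the file's own ETag and Last-Modified still go out, so state the version requirement in a comment as the `etag on` block already does, or use the portable `etag off;`. `add_header Accept-Ranges ''` is never special-cased and does nothing; `max_ranges 0;` is the directive that stops nginx advertising ranges. The same hunk is also inconsistent with its twin: in this file the CSS location switches to `expires max` plus the header overrides while the `advagg_js` location keeps `Pragma`/`Cache-Control 'public, max-age=946080000'`, whereas drupal_escaped.conf applies the `expires max` form to both; pick one form and apply it to CSS and JS in both files.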
@@ -144,7 +176,7 @@ location / { location ^~ /sites/default/files/video/mp4 { # videos location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { mp4; - mp4_buffer_size 1M; + mp4_buffer_size 1M; mp4_max_buffer_size 5M; } } @@ -152,7 +184,7 @@ location / { location ^~ /sites/default/files/audio/m4a { # audios location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { mp4; - mp4_buffer_size 1M; + mp4_buffer_size 1M; mp4_max_buffer_size 5M; } } @@ -162,19 +194,20 @@ location / { location ~* ^/help/[^/]*/README\.txt$ { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; + include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## If proxying to apache comment the two lines above and ## uncomment the line below. #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; } } ## Replicate the Apache directive of Drupal standard ## .htaccess. Disable access to any code files. Return a 404 to curtail ## information disclosure. Hide also the text files. - location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { + location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { return 404; } @@ -214,7 +247,7 @@ location @cache { # Funny...perhaps. Egocentric? Damn right!; add_header X-Header "Boost Helás Avril 1.0"; ## Boost doesn't set a charset. - charset utf8; + charset utf-8; # We try each boost URI in succession, if every one of them # fails then relay to Drupal. 
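Review bot: Adding `pot` to the blocked-extensions hunk is right, but note what that regex location can and cannot reach: it is evaluated only after the `^~` prefix locations, so `/sites/default/files/advagg_css/`, `/advagg_js/`, `/audio/*`, `/video/*` and `/help/` never reach it or the final `\.php$` 404. A request inside one of those trees that does not match the nested regex (for example a `.txt`, `.inc` or `.htaccess` sitting in the files directory) falls back to the outer prefix block and is served as a plain static file. If that is not intended, each outer `^~` block needs its own fallback that returns 404 for anything its nested regex does not match. The two `mp4_buffer_size 1M;` hunks above change trailing whitespace only and should be dropped from the patch.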
@@ -223,51 +256,75 @@ location @cache { ########### Security measures ########## +## Uncomment the line below if you want to enable basic auth for +## access to all /admin URIs. Note that this provides much better +## protection if use HTTPS. Since it can easily be eavesdropped if you +## use HTTP. +#include apps/drupal/admin_basic_auth.conf; + ## Restrict access to the strictly necessary PHP files. Reducing the ## scope for exploits. Handling of PHP code and the Drupal event loop. location @drupal { ## Include the FastCGI config. - include fastcgi_drupal.conf; + include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## FCGI microcache for authenticated users also. - include sites-available/microcache_fcgi_auth.conf; + include apps/drupal/microcache_fcgi_auth.conf; ## To use Apache for serving PHP uncomment the line bellow and ## comment out the above. #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args; + #proxy_set_header Connection ''; ## Proxy microcache for authenticated users also. - #include sites-available/microcache_proxy_auth.conf; + #include apps/drupal/microcache_proxy_auth.conf; ## Filefield Upload progress ## http://drupal.org/project/filefield_nginx_progress support - ## through the NgninxUploadProgress modules. + ## through the NginxUploadProgress modules. track_uploads uploads 60s; } location @drupal-no-args { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; + include apps/drupal/fastcgi_no_args_drupal.conf; fastcgi_pass phpcgi; ## FCGI microcache for authenticated users also. - include sites-available/microcache_fcgi_auth.conf; + include apps/drupal/microcache_fcgi_auth.conf; ## If proxying to apache comment the two lines above and ## uncomment the line below. #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; ## Proxy microcache for authenticated users also. 
- #include sites-available/microcache_proxy_auth.conf; + #include apps/drupal/microcache_proxy_auth.conf; +} + +## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return +## 404 as not to disclose information. +location ^~ /.bzr { + return 404; } -## Disallow access to .git directory: return 404 as not to disclose -## information. location ^~ /.git { return 404; } +location ^~ /.hg { + return 404; +} + +location ^~ /.svn { + return 404; +} + +location ^~ /.cvs { + return 404; +} + ## Disallow access to patches directory. location ^~ /patches { return 404; @@ -281,6 +338,9 @@ location ^~ /backup { ## Disable access logs for robots.txt. location = /robots.txt { access_log off; + ## Add support for the robotstxt module + ## http://drupal.org/project/robotstxt. + try_files $uri @drupal-no-args; } ## RSS feed support. @@ -317,4 +377,6 @@ location = /boost_stats.php { ## To use Apache for serving PHP uncomment the line bellow and ## comment out the above. #proxy_pass http://phpapache; + #proxy_set_header Connection ''; } + diff --git a/apps/drupal/drupal_escaped.conf b/apps/drupal/drupal_escaped.conf index ea59c2d6..db08cc01 100644 --- a/apps/drupal/drupal_escaped.conf +++ b/apps/drupal/drupal_escaped.conf @@ -11,6 +11,9 @@ ### installing the site) and update.php: all updates are now ### handled through drush. +## To avoid the ugly rewrite we use Lua to escape the URI. +set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)'; + ## The 'default' location. location / { 
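Review bot: The `.bzr`/`.git`/`.hg`/`.svn`/`.cvs` blocks are `^~` prefixes anchored at the document root, so they only cover a checkout at the root of the site; a `.git` directory inside `sites/all/modules/<module>/` or a theme directory (common when contrib code is cloned rather than downloaded) is not matched by them nor by the blocked-extensions regex, and `location /` will serve `.git/config`, `.git/HEAD` and friends from disk. A regex location such as `location ~ /\.(?:bzr|git|hg|svn|cvs)(?:/|$) { return 404; }` covers every depth (subject to the same `^~` precedence caveat under `/sites/default/files/`). The identical hunk in drupal_escaped.conf has the same gap. Separately, the `admin_basic_auth.conf` comment is right that Basic credentials are trivially recoverable over HTTP; consider making the include only appear in the HTTPS server block rather than leaving it to the reader.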
@@ -25,12 +28,13 @@ location / { location ^~ /system/files/ { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; + include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## If proxying to apache comment the two lines above and ## uncomment the line below. #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; ## For not signaling a 404 in the error log whenever the ## system/files directory is accessed add the line below. @@ -43,13 +47,32 @@ location / { internal; } - ## If accessing an image generated by imagecache, serve it directly if - ## available, if not relay the request to Drupal to (re)generate the - ## image. + ## Support for the file_force module + ## http://drupal.org/project/file_force. + location ^~ /system/files_force/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$no_slash_uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## If accessing an image generated by Drupal 6 imagecache, serve it + ## directly if available, if not relay the request to Drupal to (re)generate + ## the image. location ~* /imagecache/ { ## Image hotlinking protection. If you want hotlinking ## protection for your images uncomment the following line. - #include sites-available/hotlinking_protection.conf; + #include apps/drupal/hotlinking_protection.conf; access_log off; expires 30d; 
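Review bot: Same issue as in drupal_boost_escaped.conf: the `/system/files_force/` block's commented `proxy_pass` uses `q=$no_slash_uri`, a variable defined nowhere in this patch, while the `/system/files/` block directly above uses `q=$escaped_uri`. In this escaped variant it should be `$escaped_uri`, and the trailing comment should say `system/files_force` rather than `system/files`.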
@@ -57,8 +80,12 @@ location / { } ## Drupal 7 generated image handling, i.e., imagecache in core. See: - ## https://drupal.org/node/371374. + ## http://drupal.org/node/371374. location ~* /files/styles/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + access_log off; expires 30d; try_files $escaped_uri @drupal; @@ -67,11 +94,13 @@ location / { ## Advanced Aggregation module CSS ## support. http://drupal.org/project/advagg. location ^~ /sites/default/files/advagg_css/ { - location ~* /sites/default/files/advagg_css/css_[[:alnum:]]+\.css$ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; try_files $escaped_uri @drupal; } } @@ -79,17 +108,19 @@ location / { ## Advanced Aggregation module JS ## support. http://drupal.org/project/advagg. location ^~ /sites/default/files/advagg_js/ { - location ~* /sites/default/files/advagg_js/js_[[:alnum:]]+\.js$ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { access_log off; - add_header Pragma ''; - add_header Cache-Control 'public, max-age=946080000'; - add_header Accept-Ranges ''; try_files $escaped_uri @drupal; } } ## All static files will be served directly. - location ~* ^.+\.(?:css|cur|js|jpe?g|gif|ico|png|html|xml)$ { + location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { access_log off; expires 30d; ## No need to bleed constant updates. Send the all shebang in one 
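Review bot: The static-file hunk adds `svg` (and `htc`) to the list of extensions served straight from disk with `expires 30d` and no further headers; since `/sites/default/files/` is the upload directory, any SVG a user is allowed to upload is served inline as `image/svg+xml`, and SVG can carry script. If SVG uploads are permitted on the site, serve that subtree with `add_header Content-Disposition attachment;` or a restrictive `Content-Security-Policy`; the `X-Content-Type-Options`/`X-Frame-Options` headers added elsewhere in this patch live inside the microcache includes and so never reach this location. This applies equally to the same hunk in drupal_boost_escaped.conf.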
@@ -136,7 +167,7 @@ location / { ## Pseudo streaming of FLV files: ## http://wiki.nginx.org/HttpFlvStreamModule. ## If pseudo streaming isn't working, try to comment - ## out line 115 in nginx.conf: + ## out in nginx.conf line with: ## add_header X-Frame-Options SAMEORIGIN; location ^~ /sites/default/files/video/flv { location ~* ^/sites/default/files/video/flv/.*\.flv$ { @@ -151,7 +182,7 @@ location / { location ^~ /sites/default/files/video/mp4 { # videos location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { mp4; - mp4_buffer_size 1M; + mp4_buffer_size 1M; mp4_max_buffer_size 5M; } } @@ -159,7 +190,7 @@ location / { location ^~ /sites/default/files/audio/m4a { # audios location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { mp4; - mp4_buffer_size 1M; + mp4_buffer_size 1M; mp4_max_buffer_size 5M; } } @@ -169,7 +200,7 @@ location / { location ~* ^/help/[^/]*/README\.txt$ { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; + include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## If proxying to apache comment the two lines above and @@ -181,7 +212,7 @@ location / { ## Replicate the Apache directive of Drupal standard ## .htaccess. Disable access to any code files. Return a 404 to curtail ## information disclosure. Hide also the text files. - location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { + location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { return 404; } 
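Review bot: The two `mp4_buffer_size 1M;` hunks in this file change trailing whitespace only (as do their twins in drupal_boost_escaped.conf); drop them so the patch only carries real changes. The comment fix above them ("out in nginx.conf line with:" instead of a hard-coded line number) is an improvement, but it still reads awkwardly; "comment out the `add_header X-Frame-Options SAMEORIGIN;` line in nginx.conf" says the same thing plainly.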
@@ -191,59 +222,83 @@ location / { ########### Security measures ########## +## Uncomment the line below if you want to enable basic auth for +## access to all /admin URIs. Note that this provides much better +## protection if use HTTPS. Since it can easily be eavesdropped if you +## use HTTP. +#include apps/drupal/admin_basic_auth.conf; + ## Restrict access to the strictly necessary PHP files. Reducing the ## scope for exploits. Handling of PHP code and the Drupal event loop. location @drupal { ## Include the FastCGI config. - include fastcgi_drupal.conf; + include apps/drupal/fastcgi_drupal.conf; fastcgi_pass phpcgi; ## FastCGI microcache. - include sites-available/microcache_fcgi.conf; + include apps/drupal/microcache_fcgi.conf; ## FCGI microcache for authenticated users also. - #include sites-available/microcache_fcgi_auth.conf; + #include apps/drupal/microcache_fcgi_auth.conf; ## To use Apache for serving PHP uncomment the line bellow and ## comment out the above. #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args; + #proxy_set_header Connection ''; ## Proxy microcache. - #include sites-available/microcache_proxy.conf; + #include apps/drupal/microcache_proxy.conf; ## Proxy microcache for authenticated users also. - #include sites-available/microcache_proxy_auth.conf; + #include apps/drupal/microcache_proxy_auth.conf; ## Filefield Upload progress ## http://drupal.org/project/filefield_nginx_progress support - ## through the NgninxUploadProgress modules. + ## through the NginxUploadProgress modules. track_uploads uploads 60s; } location @drupal-no-args { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. - include fastcgi_private_files.conf; + include apps/drupal/fastcgi_no_args_drupal.conf; fastcgi_pass phpcgi; ## FastCGI microcache. - include sites-available/microcache_fcgi.conf; + include apps/drupal/microcache_fcgi.conf; ## FCGI microcache for authenticated users also. 
- #include sites-available/microcache_fcgi_auth.conf; + #include apps/drupal/microcache_fcgi_auth.conf; ## If proxying to apache comment the two lines above and ## uncomment the line below. #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; ## Proxy microcache. - #include sites-available/microcache_proxy.conf; + #include apps/drupal/microcache_proxy.conf; ## Proxy microcache for authenticated users also. - #include sites-available/microcache_proxy_auth.conf; + #include apps/drupal/microcache_proxy_auth.conf; +} + +## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return +## 404 as not to disclose information. +location ^~ /.bzr { + return 404; } -## Disallow access to .git directory: return 404 as not to disclose -## information. location ^~ /.git { return 404; } +location ^~ /.hg { + return 404; +} + +location ^~ /.svn { + return 404; +} + +location ^~ /.cvs { + return 404; +} + ## Disallow access to patches directory. location ^~ /patches { return 404; @@ -257,6 +312,9 @@ location ^~ /backup { ## Disable access logs for robots.txt. location = /robots.txt { access_log off; + ## Add support for the robotstxt module + ## http://drupal.org/project/robotstxt. + try_files $uri @drupal-no-args; } ## RSS feed support. @@ -286,3 +344,4 @@ location @empty { location ~* ^.+\.php$ { return 404; } + diff --git a/apps/drupal/fastcgi_drupal.conf b/apps/drupal/fastcgi_drupal.conf new file mode 100644 index 00000000..be59f851 --- /dev/null +++ b/apps/drupal/fastcgi_drupal.conf 
@@ -0,0 +1,43 @@ +#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +### fastcgi configuration for serving private files. +## 1. Parameters. +fastcgi_param QUERY_STRING q=$uri&$args; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME /index.php; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; +## PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; +fastcgi_param SCRIPT_FILENAME $document_root/index.php; +## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or +## later. The if_not_empty flag was introduced in 1.1.11. See: +## http://nginx.org/en/CHANGES. If using a version that doesn't +## support this comment out the line below. +fastcgi_param HTTPS $fastcgi_https if_not_empty; +## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above. +#fastcgi_param HTTPS $fastcgi_https; + +## 2. Nginx FCGI specific directives. +fastcgi_buffers 256 4k; +fastcgi_intercept_errors on; +## Allow 4 hrs - pass timeout responsibility to upstream. +fastcgi_read_timeout 14400; +fastcgi_index index.php; +## Hide the X-Drupal-Cache header provided by Pressflow. +fastcgi_hide_header 'X-Drupal-Cache'; +## Hide the Drupal 7 header X-Generator. +fastcgi_hide_header 'X-Generator'; 
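Review bot: The new `apps/drupal/fastcgi_drupal.conf` still describes itself as "fastcgi configuration for serving private files" although it is now the general include for `@drupal`, `/system/files/` and `/help/`; update the header. More importantly, `fastcgi_param QUERY_STRING q=$uri&$args;` is built from the unescaped `$uri`, so in the `*_escaped.conf` variants the Lua-computed `$escaped_uri` is only used on the commented Apache branch: a request path containing a literal `&` or `%` is decoded by nginx into `$uri` and then decoded again when PHP parses the query string, splitting `q` at the `&`. Either pass the escaped variable here too or give the escaped variants their own include. The file is also a near copy of `fastcgi_no_args_drupal.conf` (the rename below shows 76% similarity); moving the shared params, `fastcgi_read_timeout 14400`, and the `fastcgi_hide_header` lines into one fragment included by both would stop them drifting apart, as the duplicated `HTTPS ... if_not_empty` block already shows happening.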
diff --git a/fastcgi_private_files.conf b/apps/drupal/fastcgi_no_args_drupal.conf similarity index 76% rename from fastcgi_private_files.conf rename to apps/drupal/fastcgi_no_args_drupal.conf index ae1ca214..683e4ceb 100644 --- a/fastcgi_private_files.conf +++ b/apps/drupal/fastcgi_no_args_drupal.conf @@ -23,11 +23,19 @@ fastcgi_param SERVER_NAME $server_name; ## PHP only, required if PHP was built with --enable-force-cgi-redirect fastcgi_param REDIRECT_STATUS 200; fastcgi_param SCRIPT_FILENAME $document_root/index.php; +## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or +## later. The if_not_empty flag was introduced in 1.1.11. See: +## http://nginx.org/en/CHANGES. If using a version that doesn't +## support this comment out the line below. +fastcgi_param HTTPS $fastcgi_https if_not_empty; +## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above. +#fastcgi_param HTTPS $fastcgi_https; + ## 2. Nginx FCGI specific directives. fastcgi_buffers 256 4k; fastcgi_intercept_errors on; ## Allow 4 hrs - pass timeout responsibility to upstream. -fastcgi_read_timeout 14400; +fastcgi_read_timeout 14400; fastcgi_index index.php; ## Hide the X-Drupal-Cache header provided by Pressflow. fastcgi_hide_header 'X-Drupal-Cache'; diff --git a/apps/drupal/hotlinking_protection.conf b/apps/drupal/hotlinking_protection.conf index ebffd47d..f2926e12 100644 --- a/apps/drupal/hotlinking_protection.conf +++ b/apps/drupal/hotlinking_protection.conf @@ -3,7 +3,7 @@ ### Hotlinking protection for images. Include it in any context you ### want. Adjust the list of allowed referers to your liking. -valid_referers none blocked *.example.* *.google.* my.site.com; +valid_referers none blocked *.example.com *.google.com my.site.com; if ($invalid_referer) { return 200 "No image hotlinking allowed!\n"; 
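Review bot: In the hotlinking hunk, `*.example.com` does not match the bare `example.com` (and `*.google.com` does not match `google.com`), so images linked from the apex domain are refused; list the apex names explicitly alongside the wildcards. The surrounding context also answers a hotlinked image with `return 200` and a text body, which makes the refusal invisible in status-code monitoring; a 403 is the conventional response. And as the `none blocked` entries make explicit, referer checks are advisory only: a client that omits or strips the header passes. In the `fastcgi_no_args_drupal.conf` hunk, the `fastcgi_read_timeout 14400;` change is whitespace only.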
diff --git a/map_cache.conf b/apps/drupal/map_cache.conf similarity index 74% rename from map_cache.conf rename to apps/drupal/map_cache.conf index 51f2bb1e..8166fcdf 100644 --- a/map_cache.conf +++ b/apps/drupal/map_cache.conf @@ -1,17 +1,29 @@ # -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*- ### Testing if we should be serving content from cache or not. This is -### needed for any Drupal setup that uses and external cache. +### needed for any Drupal setup that uses an external cache. + +## Let Ajax calls go through. +map $uri $no_cache_ajax { + default 0; + /system/ajax 1; +} ## Testing for the session cookie being present. If there is then no ## caching is to be done. Note that this is for someone using either ## Drupal 7 pressflow or stock Drupal 6 core with no_anon ## (http://drupal.org/project/no_anon). -map $http_cookie $no_cache { +map $http_cookie $no_cache_cookie { default 0; ~SESS 1; # PHP session cookie } +## Combine both results to get the cache bypassing mapping. +map $no_cache_ajax$no_cache_cookie $no_cache { + default 1; + 00 0; +} + ## If you're using stock Drupal 6 without no_anon, i.e., there's a ## session cookie being served even to anonymous users, then uncomment ## the three lines below and comment the above map directive diff --git a/apps/drupal/microcache_fcgi.conf b/apps/drupal/microcache_fcgi.conf index 57310089..ea4e3f77 100644 --- a/apps/drupal/microcache_fcgi.conf +++ b/apps/drupal/microcache_fcgi.conf @@ -6,10 +6,10 @@ ## The cache zone referenced. fastcgi_cache microcache; ## The cache key. -fastcgi_cache_key $host$request_uri; +fastcgi_cache_key $scheme$request_method$host$request_uri; ## For 200 and 301 make the cache valid for 1s seconds. -fastcgi_cache_valid 200 301 15s; +fastcgi_cache_valid 200 301 1s; ## For 302 make it valid for 1 minute. fastcgi_cache_valid 302 1m; ## For 404 make it valid 1 second. 
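Review bot: Adding `$scheme` to `fastcgi_cache_key` is the right fix (without it an entry produced over HTTP, with absolute `http://` links, could be served to an HTTPS client and vice versa); `$request_method` in the key is redundant, though harmless, because only GET and HEAD are cached by default (`fastcgi_cache_methods`). The comment above the lowered `fastcgi_cache_valid 200 301 1s;` now reads "1s seconds"; fix the wording while touching the line. In `map_cache.conf`, `$no_cache_ajax` bypasses the cache only for the exact URI `/system/ajax`; if other ajax paths are meant to be excluded, the map needs a regex, and the comment "Let Ajax calls go through" should say that the value 1 means "bypass the cache".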
@@ -20,7 +20,7 @@ fastcgi_cache_use_stale error timeout invalid_header updating http_500; ## The Cache-Control and Expires headers should be delivered untouched ## from the upstream to the client. fastcgi_ignore_headers Cache-Control Expires; -## If we have a cookie we should bypass the cache. The same if we have a +## Bypass the cache. fastcgi_cache_bypass $no_cache; fastcgi_no_cache $no_cache; ## Add a cache miss/hit status header. @@ -28,6 +28,25 @@ add_header X-Micro-Cache $upstream_cache_status; ## To avoid any interaction with the cache control headers we expire ## everything on this location immediately. expires epoch; +## Enable clickjacking protection in modern browsers. Available in +## IE8 also. See +## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header +## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12). +## Uncomment the line below if you're not using media streaming. +## For sites *not* using frames uncomment the line below. +#add_header X-Frame-Options DENY; +## For sites *using* frames uncomment the line below. +#add_header X-Frame-Options SAMEORIGIN; + +## Block MIME type sniffing on IE. +add_header X-Content-Options nosniff; + +## Strict Transport Security header for enhanced security. See +## http://www.chromium.org/sts. I've set it to 2 hours; set it to +## whichever age you want. +## Uncomment the line below if you're using HTTPS. +#add_header Strict-Transport-Security max-age=7200; + ## If you're using a Nginx version greater than 1.1.11 then uncomment ## the line below. See: ## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock @@ -36,4 +55,4 @@ expires epoch; #fastcgi_cache_lock on; ## The default timeout, i.e., the time to way before forwarding the ## second request upstream if no reply as arrived in the meantime is 5s. -# fastcgi_cache_lock_timeout 8000; # in miliseconds. +#fastcgi_cache_lock_timeout 8000; # in miliseconds. 
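Review bot: `add_header X-Content-Options nosniff;` is not a header browsers recognise; the anti-sniffing header is `X-Content-Type-Options: nosniff`, so as written this hunk enables nothing. The same misspelling is repeated in microcache_fcgi_auth.conf and microcache_proxy.conf. Note also where these headers end up: they are inside a microcache include, so only responses that passed through `@drupal`/`@drupal-no-args` carry them; Boost's `@cache` responses and every static file get none, and because `add_header` is not inherited into a location that sets its own headers, moving them to server level still leaves `@cache` and the advagg locations without them. `Strict-Transport-Security max-age=7200` (two hours) is too short to protect anything beyond the current visit; once the HTTPS setup is confirmed, a value measured in months is the usual recommendation. Finally, the X-Frame-Options comment says "Uncomment the line below" above two alternative commented lines; keep only the "not using frames / using frames" pair.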
diff --git a/apps/drupal/microcache_fcgi_auth.conf b/apps/drupal/microcache_fcgi_auth.conf index 18c4f4ce..6a481581 100644 --- a/apps/drupal/microcache_fcgi_auth.conf +++ b/apps/drupal/microcache_fcgi_auth.conf @@ -3,7 +3,7 @@ ## The cache zone referenced. fastcgi_cache microcache; ## The cache key. -fastcgi_cache_key $cache_uid@$host$request_uri; +fastcgi_cache_key $cache_uid@$scheme$host$request_uri; ## For 200 and 301 make the cache valid for 15s. fastcgi_cache_valid 200 301 15s; @@ -18,7 +18,7 @@ fastcgi_cache_use_stale error timeout invalid_header updating http_500; fastcgi_ignore_headers Cache-Control Expires; fastcgi_pass_header Set-Cookie; fastcgi_pass_header Cookie; -## If we have a cookie we should bypass the cache. The same if we have a +## Bypass the cache. # fastcgi_cache_bypass $no_auth_cache; # fastcgi_no_cache $no_auth_cache; ## Add a cache miss/hit status header. @@ -26,6 +26,20 @@ add_header X-Micro-Cache $upstream_cache_status; ## To avoid any interaction with the cache control headers we expire ## everything on this location immediately. expires epoch; + +## Enable clickjacking protection in modern browsers. Available in +## IE8 also. See +## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header +## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12). +## Uncomment the line below if you're not using media streaming. +## For sites *not* using frames uncomment the line below. +#add_header X-Frame-Options DENY; +## For sites *using* frames uncomment the line below. +#add_header X-Frame-Options SAMEORIGIN; + +## Block MIME type sniffing on IE. +add_header X-Content-Options nosniff; + ## If you're using a Nginx version greater than 1.1.11 then uncomment ## the line below. See: ## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock 
@@ -34,4 +48,4 @@ expires epoch; #fastcgi_cache_lock on; ## The default timeout, i.e., the time to way before forwarding the ## second request upstream if no reply as arrived in the meantime is 5s. -# fastcgi_cache_lock_timeout 8000; # in miliseconds. +#fastcgi_cache_lock_timeout 8000; # in miliseconds. diff --git a/apps/drupal/microcache_proxy.conf b/apps/drupal/microcache_proxy.conf index 879eebc6..67086848 100644 --- a/apps/drupal/microcache_proxy.conf +++ b/apps/drupal/microcache_proxy.conf @@ -20,7 +20,7 @@ proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 ht ## The Cache-Control and Expires headers should be delivered untouched ## from the upstream to the client. proxy_ignore_headers Cache-Control Expires; -## If we have a cookie we should bypass the cache. The same if we have a +## Bypass the cache. proxy_cache_bypass $no_cache; proxy_no_cache $no_cache; ## Add a cache miss/hit status header. @@ -28,6 +28,20 @@ add_header X-Micro-Cache $upstream_cache_status; ## To avoid any interaction with the cache control headers we expire ## everything on this location immediately. expires epoch; + +## Enable clickjacking protection in modern browsers. Available in +## IE8 also. See +## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header +## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12). +## Uncomment the line below if you're not using media streaming. +## For sites *not* using frames uncomment the line below. +#add_header X-Frame-Options DENY; +## For sites *using* frames uncomment the line below. +#add_header X-Frame-Options SAMEORIGIN; + +## Block MIME type sniffing on IE. +add_header X-Content-Options nosniff; + ## If you're using a Nginx version greater than 1.1.11 then uncomment ## the line below. See: ## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock. 
diff --git a/apps/drupal/microcache_proxy_auth.conf b/apps/drupal/microcache_proxy_auth.conf index a7b8f6fd..e351b1bc 100644 --- a/apps/drupal/microcache_proxy_auth.conf +++ b/apps/drupal/microcache_proxy_auth.conf @@ -22,14 +22,27 @@ proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 ht proxy_ignore_headers Cache-Control Expires; proxy_pass_header Set-Cookie; proxy_pass_header Cookie; -## If we have a cookie we should bypass the cache. The same if we have a -# proxy_cache_bypass $no_auth_cache; -# proxy_no_cache $no_auth_cache; +## Bypass the cache. +proxy_cache_bypass $no_auth_cache; +proxy_no_cache $no_auth_cache; ## Add a cache miss/hit status header. add_header X-Micro-Cache $upstream_cache_status; ## To avoid any interaction with the cache control headers we expire ## everything on this location immediately. expires epoch; +## Enable clickjacking protection in modern browsers. Available in +## IE8 also. See +## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header +## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12). +## Uncomment the line below if you're not using media streaming. +## For sites *not* using frames uncomment the line below. +#add_header X-Frame-Options DENY; +## For sites *using* frames uncomment the line below. +#add_header X-Frame-Options SAMEORIGIN; + +## Block MIME type sniffing on IE. +add_header X-Content-Options nosniff; + ## If you're using a Nginx version greater than 1.1.11 then uncomment ## the line below. See: ## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock. diff --git a/blacklist.conf b/blacklist.conf index 209b498b..819a82e9 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -7,6 +7,7 @@ ## Add here all user agents that are to be blocked. map $http_user_agent $bad_bot { default 0; + ~*^Lynx 0; # Let Lynx go through libwww-perl 1; ~(?i)(httrack|htmlparser|libwww) 1; } 
@@ -14,7 +15,7 @@ map $http_user_agent $bad_bot { ## Add here all referrers that are to blocked. map $http_referer $bad_referer { default 0; - ~(?i)(babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|webcam|zippo|casino|replica) 1; + ~(?i)(adult|babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|webcam|zippo|casino|replica) 1; } ## Add here all hosts that should be spared any referrer checking. diff --git a/dh_param.pem b/dh_param.pem new file mode 100644 index 00000000..45af4740 --- /dev/null +++ b/dh_param.pem @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEAkD39jm2I+Sr1j1+YPB5TbgUvIWUv3Gzj1s1rtpuZJUhCQ8MElafR +XrjrNXtgN8yjX6J5+Nuj0G9SytrvtKU9T3pLDVjZiV2l0m+/pvzaW3qCSlegpA/S +bkIQPg4n7CP/dhs7JcQD0Ny6TX9iYioDz5/kGfrBHTfAW8A6gPinAiC/+8Osz6mP +UghuQPkFVxJmleIdGU7ll3tAKARJpe8HyHNMNoRGbWTCH1mc8Z/la0E7xjs5R2mh +rYxofg/TMFJyvnnjtTLRQ9edvdA+K9JNsF23t8qvY78ppHNEP7u1PA7ORtePagJk +vcSF5yMYeDzUQLWpOuK5B0yHtltZzANH6wIBAg== +-----END DH PARAMETERS----- diff --git a/drupal7_escaped_uri.conf b/drupal7_escaped_uri.conf deleted file mode 100644 index baaa204b..00000000 --- a/drupal7_escaped_uri.conf +++ /dev/null @@ -1,4 +0,0 @@ -# -*- mode: conf; mode: flyspell-prog; ispell-local-dictionary: "american" -*- - -## To avoid the ugly rewrite we use Lua to escape the URI. -set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)'; diff --git a/fastcgi.conf b/fastcgi.conf index 6811393f..def7d176 100644 --- a/fastcgi.conf +++ b/fastcgi.conf @@ -4,7 +4,7 @@ include fastcgi_params; fastcgi_buffers 256 4k; fastcgi_intercept_errors on; ## allow 4 hrs - pass timeout responsibility to upstream. -fastcgi_read_timeout 14400; +fastcgi_read_timeout 14400; fastcgi_index index.php; ## Hide the X-Drupal-Cache header provided by Pressflow. fastcgi_hide_header 'X-Drupal-Cache'; diff --git a/fastcgi_drupal.conf b/fastcgi_drupal.conf deleted file mode 100644 index a15c0aa4..00000000 
--- a/fastcgi_drupal.conf +++ /dev/null @@ -1,35 +0,0 @@ -#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- -### fastcgi configuration for serving private files. -## 1. Parameters. -fastcgi_param QUERY_STRING q=$uri&$args; -fastcgi_param REQUEST_METHOD $request_method; -fastcgi_param CONTENT_TYPE $content_type; -fastcgi_param CONTENT_LENGTH $content_length; - -fastcgi_param SCRIPT_NAME /index.php; -fastcgi_param REQUEST_URI $request_uri; -fastcgi_param DOCUMENT_URI $document_uri; -fastcgi_param DOCUMENT_ROOT $document_root; -fastcgi_param SERVER_PROTOCOL $server_protocol; - -fastcgi_param GATEWAY_INTERFACE CGI/1.1; -fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; - -fastcgi_param REMOTE_ADDR $remote_addr; -fastcgi_param REMOTE_PORT $remote_port; -fastcgi_param SERVER_ADDR $server_addr; -fastcgi_param SERVER_PORT $server_port; -fastcgi_param SERVER_NAME $server_name; -## PHP only, required if PHP was built with --enable-force-cgi-redirect -fastcgi_param REDIRECT_STATUS 200; -fastcgi_param SCRIPT_FILENAME $document_root/index.php; -## 2. Nginx FCGI specific directives. -fastcgi_buffers 256 4k; -fastcgi_intercept_errors on; -## Allow 4 hrs - pass timeout responsibility to upstream. -fastcgi_read_timeout 14400; -fastcgi_index index.php; -## Hide the X-Drupal-Cache header provided by Pressflow. -fastcgi_hide_header 'X-Drupal-Cache'; -## Hide the Drupal 7 header X-Generator. -fastcgi_hide_header 'X-Generator'; diff --git a/fastcgi_params b/fastcgi_params index 2b4e11df..ff643d35 100644 --- a/fastcgi_params +++ b/fastcgi_params 
@@ -1,32 +1,32 @@ -# -*- mode: conf; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- ### fastcgi parameters. -fastcgi_param QUERY_STRING $query_string; -fastcgi_param REQUEST_METHOD $request_method; -fastcgi_param CONTENT_TYPE $content_type; -fastcgi_param CONTENT_LENGTH $content_length; +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; -fastcgi_param SCRIPT_NAME $fastcgi_script_name; -fastcgi_param REQUEST_URI $request_uri; -fastcgi_param DOCUMENT_URI $document_uri; -fastcgi_param DOCUMENT_ROOT $document_root; -fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; -fastcgi_param GATEWAY_INTERFACE CGI/1.1; -fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; -fastcgi_param REMOTE_ADDR $remote_addr; -fastcgi_param REMOTE_PORT $remote_port; -fastcgi_param SERVER_ADDR $server_addr; -fastcgi_param SERVER_PORT $server_port; -fastcgi_param SERVER_NAME $server_name; -fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; ## PHP only, required if PHP was built with --enable-force-cgi-redirect -fastcgi_param REDIRECT_STATUS 200; +fastcgi_param REDIRECT_STATUS 200; ## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or ## later. 
The if_not_empty flag was introduced in 1.1.11. See: ## http://nginx.org/en/CHANGES. If using a version that doesn't ## support this comment out the line below. -fastcgi_param HTTPS $https if_not_empty; +fastcgi_param HTTPS $fastcgi_https if_not_empty; ## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above. -#fastcgi_param HTTPS $https; +#fastcgi_param HTTPS $fastcgi_https; diff --git a/koi-win b/koi-win index 72afabe8..2656e1a5 100644 --- a/koi-win +++ b/koi-win @@ -1,4 +1,3 @@ - charset_map koi8-r windows-1251 { 80 88 ; # euro diff --git a/map_drupal6.conf b/map_drupal6.conf deleted file mode 100644 index a5b645e0..00000000 --- a/map_drupal6.conf +++ /dev/null @@ -1,7 +0,0 @@ -# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- - -### Defines the $no_slash_uri variable for drupal 6. See https://drupal.org/node/827236. - -map $uri $no_slash_uri { - ~^/(?.*)$ $no_slash; -} diff --git a/map_drupal6_escaped.conf b/map_drupal6_escaped.conf deleted file mode 100644 index 6c003507..00000000 --- a/map_drupal6_escaped.conf +++ /dev/null @@ -1,16 +0,0 @@ -# -*- mode: conf; mode: flyspell-prog; ispell-local-dictionary: "american" -*- - -### Defines the $no_slash_uri variable for drupal 6. See https://drupal.org/node/827236. - -map $uri $no_slash_uri { - ~^/(?.*)$ $no_slash; -} - -## If your URIs have unsafe characters, i.e., it has characters that -## require percent encoding, then you need to escape the URI. Nginx -## doesn't encode the characters, unless it's on a rewrite or on regex -## based location when capturing. - -## To avoid the ugly rewrite we use Lua to escape the URI. -set_by_lua $no_slash_escaped_uri - 'return ngx.escape_uri(ngx.var.no_slash_uri)'; diff --git a/mime.types b/mime.types index f37e9302..78c205e3 100644 --- a/mime.types +++ b/mime.types 
@@ -2,11 +2,12 @@ types { text/html html htm shtml; text/css css; - text/xml xml rss; + text/xml xml; image/gif gif; image/jpeg jpeg jpg; - application/x-javascript js; + application/javascript js; application/atom+xml atom; + application/rss+xml rss; text/mathml mml; text/plain txt; @@ -21,8 +22,10 @@ types { image/x-jng jng; image/x-ms-bmp bmp; image/svg+xml svg svgz; + image/webp webp; application/java-archive jar war ear; + application/json json; application/mac-binhex40 hqx; application/msword doc; application/pdf pdf; @@ -32,6 +35,8 @@ types { application/vnd.ms-powerpoint ppt; application/vnd.wap.wmlc wmlc; application/vnd.wap.xhtml+xml xhtml; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; application/x-7z-compressed 7z; application/x-cocoa cco; application/x-java-archive-diff jardiff; 
@@ -49,27 +54,72 @@ types { application/x-xpinstall xpi; application/zip zip; + application/vnd.oasis.opendocument.chart odc; + application/vnd.oasis.opendocument.chart-template otc; + application/vnd.oasis.opendocument.database odb; + application/vnd.oasis.opendocument.formula odf; + application/vnd.oasis.opendocument.formula-template odft; + application/vnd.oasis.opendocument.graphics odg; + application/vnd.oasis.opendocument.graphics-template otg; + application/vnd.oasis.opendocument.image odi; + application/vnd.oasis.opendocument.image-template oti; + application/vnd.oasis.opendocument.presentation odp; + application/vnd.oasis.opendocument.presentation-template otp; + application/vnd.oasis.opendocument.spreadsheet ods; + application/vnd.oasis.opendocument.spreadsheet-template ots; + application/vnd.oasis.opendocument.text-master otm; + application/vnd.oasis.opendocument.text odt; + application/vnd.oasis.opendocument.text-template ott; + application/vnd.oasis.opendocument.text-web oth; + application/vnd.openofficeorg.extension oxt; + application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + application/vnd.openxmlformats-officedocument.presentationml.slideshow ppsx; + application/vnd.openxmlformats-officedocument.presentationml.slide sldx; + application/vnd.openxmlformats-officedocument.presentationml.template potx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + application/vnd.openxmlformats-officedocument.spreadsheetml.template xltx; + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.wordprocessingml.template dotx; + application/vnd.sun.xml.calc sxc; + application/vnd.sun.xml.calc.template stc; + application/vnd.sun.xml.draw sxd; + application/vnd.sun.xml.draw.template std; + application/vnd.sun.xml.impress sxi; + application/vnd.sun.xml.impress.template sti; + application/vnd.sun.xml.math sxm; + 
application/vnd.sun.xml.writer.global sxg; + application/vnd.sun.xml.writer sxw; + application/vnd.sun.xml.writer.template stw; + # Mime types for web fonts. Stolen from here: # http://seconddrawer.com.au/blog/ in part. application/x-font-ttf ttf; font/opentype otf; application/vnd.ms-fontobject eot; - application/x-woff woff; + application/font-woff woff; application/octet-stream bin exe dll; application/octet-stream deb; application/octet-stream dmg; application/octet-stream iso img; application/octet-stream msi msp msm; + application/octet-stream vcf; audio/midi mid midi kar; - audio/mpeg mp3; + audio/mpeg mpga mpega mp2 mp3; + audio/ogg ogg; + audio/x-m4a m4a; audio/x-realaudio ra; + audio/webm weba; video/3gpp 3gpp 3gp; - video/mpeg mpeg mpg; + video/mp4 mp4; + video/mpeg mpeg mpg mpe; + video/ogg ogv; video/quicktime mov; + video/webm webm; video/x-flv flv; + video/x-m4v m4v; video/x-mng mng; video/x-ms-asf asx asf; video/x-ms-wmv wmv; diff --git a/nginx.conf b/nginx.conf index 03d85910..2da6d130 100644 --- a/nginx.conf +++ b/nginx.conf @@ -1,6 +1,10 @@ # -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- user www-data; -worker_processes 4; + +## If you're using an Nginx version below 1.3.8 or 1.2. then uncomment +## the line below and set it to the number of cores of the +## server. Otherwise nginx will determine it automatically. +#worker_processes 4; error_log /var/log/nginx/error.log; pid /var/run/nginx.pid; 
@@ -8,32 +12,29 @@ pid /var/run/nginx.pid; worker_rlimit_nofile 8192; events { - worker_connections 4096; - ## epoll is preferred on 2.6 Linux - ## kernels. Cf. http://www.kegel.com/c10k.html#nb.epoll - use epoll; + worker_connections 4096; ## Accept as many connections as possible. multi_accept on; } http { ## MIME types. - include /etc/nginx/mime.types; - default_type application/octet-stream; + include /etc/nginx/mime.types; + default_type application/octet-stream; ## FastCGI. - include /etc/nginx/fastcgi.conf; + include /etc/nginx/fastcgi.conf; ## Default log and error files. - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; ## Use sendfile() syscall to speed up I/O operations and speed up ## static file serving. - sendfile on; + sendfile on; ## Handling of IPs in proxied and load balancing situations. - set_real_ip_from 0.0.0.0/32; # all addresses get a real IP. - real_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer/proxy + set_real_ip_from 0.0.0.0/32; # all addresses get a real IP. + real_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer/proxy ## Define a zone for limiting the number of simultaneous ## connections nginx accepts. 1m means 32000 simultaneous @@ -54,10 +55,10 @@ http { #limit_zone arbeit $binary_remote_addr 10m; ## Timeouts. - client_body_timeout 60; - client_header_timeout 60; - keepalive_timeout 10 10; - send_timeout 60; + client_body_timeout 60; + client_header_timeout 60; + keepalive_timeout 10 10; + send_timeout 60; ## Reset lingering timed out connections. Deflect DDoS. reset_timedout_connection on; 
@@ -66,22 +67,22 @@ http { client_max_body_size 10m; ## TCP options. - tcp_nodelay on; + tcp_nodelay on; ## Optimization of socket handling when using sendfile. - tcp_nopush on; + tcp_nopush on; ## Compression. - gzip on; - gzip_buffers 16 8k; - gzip_comp_level 1; + gzip on; + gzip_buffers 16 8k; + gzip_comp_level 1; gzip_http_version 1.1; - gzip_min_length 10; - gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf; - gzip_vary on; - gzip_proxied any; # Compression for all requests. + gzip_min_length 10; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf; + gzip_vary on; + gzip_proxied any; # Compression for all requests. ## No need for regexps. See ## http://wiki.nginx.org/NginxHttpGzipModule#gzip_disable - gzip_disable "msie6"; + gzip_disable msie6; ## Serve already compressed files directly, bypassing on-the-fly ## compression. 
@@ -97,8 +98,29 @@ http { ## here (in this context, for session resumption to work. See this ## thread on the Nginx mailing list: ## http://nginx.org/pipermail/nginx/2010-November/023736.html. - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; + ssl_session_cache shared:SSL:30m; + ssl_session_timeout 1d; + + ## The server dictates the choice of cipher suites. + ssl_prefer_server_ciphers on; + + ## Use only Perfect Forward Secrecy Ciphers. Fallback on non ECDH + ## for crufty clients. + ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+SHA384:ECDH+aRSA+SHA256:ECDH:EDH+CAMELLIA:EDH+aRSA:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA; + + ## No SSL2 support. Legacy support of SSLv3. + ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; + + ## Pregenerated Diffie-Hellman parameters. + ssl_dhparam /etc/nginx/dh_param.pem; + + ## Curve to use for ECDH. + ssl_ecdh_curve secp521r1; + + ## Enable OCSP stapling. A better way to revocate server certificates. + ssl_stapling on; + ## Fill in with your own resolver. + resolver 8.8.8.8; ## Uncomment to increase map_hash_bucket_size. If start getting ## [emerg]: could not build the map_hash, you should increase 
@@ -106,29 +128,56 @@ http { ## logs. Cf. http://wiki.nginx.org/NginxOptimizations. #map_hash_bucket_size 192; + ## Uncomment one of the lines below if you start getting this message: + ## "[emerg] could not build the variables_hash, you should increase + ## either variables_hash_max_size: 512 or variables_hash_bucket_size: 64" + ## You only need to increase one. Increasing variables_hash_max_size to 1024 + ## was recommended in nginx forum by developers. + ## See this forum topic and responses + ## http://forum.nginx.org/read.php?2,192277,192286#msg-192286 + ## See http://wiki.nginx.org/HttpCoreModule#variables_hash_bucket_size + ## The line variables_hash_bucket_size was added for completeness but not + ## changed from default. + #variables_hash_max_size 1024; # default 512 + #variables_hash_bucket_size 64; # default is 64 + ## For the filefield_nginx_progress module to work. From the ## README. Reserve 1MB under the name 'uploads' to track uploads. upload_progress uploads 1m; + ## Enable the builtin cross-site scripting (XSS) filter available + ## in modern browsers. Usually enabled by default we just + ## reinstate in case it has been somehow disabled for this + ## particular server instance. + ## https://www.owasp.org/index.php/List_of_useful_HTTP_headers. + add_header X-XSS-Protection '1; mode=block'; + ## Enable clickjacking protection in modern browsers. Available in ## IE8 also. See ## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header ## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12). ## Uncomment the line below if you're not using media streaming. + ## For sites being framing on the same domqin uncomment the line below. #add_header X-Frame-Options SAMEORIGIN; + ## For sites accepting to be framed in any context comment the + ## line below. + add_header X-Frame-Options DENY; + + ## Block MIME type sniffing on IE. 
+ add_header X-Content-Options nosniff; ## Include the upstream servers for PHP FastCGI handling config. ## This one uses the FCGI process listening on TCP sockets. include upstream_phpcgi_tcp.conf; - ## Include the map to block HTTP methods. - include map_block_http_methods.conf; - ## Include the upstream servers for PHP FastCGI handling ## configuration. This setup uses UNIX sockets for talking with the ## upstream. #include upstream_phpcgi_unix.conf; + ## Include the map to block HTTP methods. + include map_block_http_methods.conf; + ## If using Nginx version >= 1.1.11 then there's a $https variable ## that has the value 'on' if the used scheme is https and '' if not. ## See: http://trac.nginx.org/nginx/changeset/4380/nginx @@ -137,6 +186,13 @@ http { ## previous version then uncomment out the line below. #include map_https_fcgi.conf; + # Support the X-Forwarded-Proto header for fastcgi. + map $http_x_forwarded_proto $fastcgi_https { + default $https; + http ''; + https on; + } + ## Include the upstream servers for Apache handling the PHP ## processes. In this case Nginx functions as a reverse proxy. #include reverse_proxy.conf; 
@@ -152,26 +208,13 @@ http { ## If you want to run cron using Drupal cron.php. i.e., you're not ## using drush then uncomment the line below. Specify in ## cron_allowed_hosts.conf which hosts can invole cron. - # include cron_allowed_hosts.conf; + # include apps/drupal/cron_allowed_hosts.conf; ## Include blacklist for bad bot and referer blocking. include blacklist.conf; - ## Include the map directive that sets the $no_slash_uri variable for drupal 6. - ## You may comment out the line below if using drupal 7. - include map_drupal6.conf; - - ## If you have URIs that are not URL safe, i.e., that have to be - ## encoded using the percent encoding. You have to comment out the - ## line above and uncomment the one below. - #include map_drupal6_escaped.conf - - ## For drupal 7 with unsafe URIs uncomment the line below and - ## comment out the ones above. - #include drupal7_escaped_uri.conf; - ## Include the caching setup. Needed for using Drupal with an external cache. - include map_cache.conf; + include apps/drupal/map_cache.conf; ## Microcache zone definition for FastCGI. include fastcgi_microcache_zone.conf; diff --git a/php_fpm_status_vhost.conf b/php_fpm_status_vhost.conf index 28eb616e..1f6d218e 100644 --- a/php_fpm_status_vhost.conf +++ b/php_fpm_status_vhost.conf @@ -13,7 +13,7 @@ location = /fpm-status { if ($dont_show_fpm_status) { return 404; } - fastcgi_pass phpcgi; + fastcgi_pass www0; } ## The ping page is at /ping and returns the string configured at the php-fpm level. @@ -22,7 +22,7 @@ location = /ping { if ($dont_show_fpm_status) { return 404; } - fastcgi_pass phpcgi; + fastcgi_pass www0; } ## This is for the second pool. It assumes that you've configured @@ -36,7 +36,7 @@ location = /fpm-status-zwei { if ($dont_show_fpm_status) { return 404; } - fastcgi_pass phpcgi; + fastcgi_pass www1; } ## The ping page is at /ping and returns the string configured at the php-fpm level. 
@@ -45,7 +45,7 @@ location = /ping-zwei { if ($dont_show_fpm_status) { return 404; } - fastcgi_pass phpcgi; + fastcgi_pass www1; } ## This is for the third pool that acts as backup. It assumes that diff --git a/sites-available/000-default b/sites-available/000-default index 3c978f59..59622793 100644 --- a/sites-available/000-default +++ b/sites-available/000-default @@ -4,10 +4,10 @@ ### a suggestion by Maxim Dounin. Also suggested in ### http://nginx.org/en/docs/http/request_processing.html#how_to_prevent_undefined_server_names. server { - listen [::]:80 default_server; - # Uncomment the line below and comment the above if you're - # running a Nginx version less than 0.8.20. - # listen [::]:80 default; + listen 80 default_server; # IPv4 + ## Socket options can only be specified once, hence the different + ## address for the 'default' server. + listen [fe80::202:b3ff:fe1e:8328]:80 default_server ipv6only=on; # IPv6 server_name _; return 444; diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf index 071db51b..87775d81 100644 --- a/sites-available/example.com.conf +++ b/sites-available/example.com.conf @@ -19,7 +19,7 @@ server { listen 80; # IPv4 ## Replace the IPv6 address by your own address. The address below ## was stolen from the wikipedia page on IPv6. - listen [fe80::202:b3ff:fe1e:8329]:80 ipv6only=on; + listen [fe80::202:b3ff:fe1e:8330]:80 ipv6only=on; server_name example.com; limit_conn arbeit 32; @@ -62,9 +62,10 @@ server { include apps/drupal/drupal.conf; ################################################################ - ### Generic configuration: for most Drupal 6 sites. + ### Configuration for Drupal 7 sites to serve URIs that need + ### to be **escaped** ################################################################ - # include apps/drupal/drupal6.conf; + #include apps/drupal/drupal_escaped.conf; ################################################################# ### Configuration for Drupal 7 sites that use boost. 
@@ -72,9 +73,10 @@ server { #include apps/drupal/drupal_boost.conf; ################################################################# - ### Configuration for Drupal 6 sites that use boost. + ### Configuration for Drupal 7 sites that use boost if having + ### to serve URIs that need to be **escaped** ################################################################# - #include apps/drupal/drupal_boost6.conf; + #include apps/drupal/drupal_boost_escaped.conf; ################################################################# ### Configuration for updating the site via update.php and running @@ -83,15 +85,20 @@ server { ################################################################# #include apps/drupal/drupal_cron_update.conf; - ## For upload progress to work. From the README of the - ## filefield_nginx_progress module. - location ~ ^(.*)/x-progress-id:(\w*) { - return 302 $1?X-Progress-ID=$2; - } + ################################################################ + ### Installation handling. This should be commented out after + ### installation if on an already installed site there's no need + ### to touch it. If on a yet to be installed site. Uncomment the + ### line below and comment out after installation. Note that + ### there's a basic auth in front as secondary ligne of defense. + ################################################################ + #include apps/drupal/drupal_install.conf; - location ^~ /progress { - report_uploads uploads; - } + ################################################################# + ### Support for upload progress bar. Configurations differ for + ### Drupal 6 and Drupal 7. + ################################################################# + include apps/drupal/drupal_upload_progress.conf; ## Including the php-fpm status and ping pages config. ## Uncomment to enable if you're running php-fpm. 
@@ -103,15 +110,53 @@ server { } # HTTP server +## Return (no rewrite) server block. +server { + ## This is to avoid the spurious if for sub-domain name + ## "rewriting". + ## Comment the line below if you're using SPDY. + listen 443 ssl; + ## Uncomment the line below if you're using SPDY. + #listen 443 ssl spdy; # IPv4 + + ## Replace the IPv6 address by your own address. The address below + ## was stolen from the wikipedia page on IPv6. + + ## Comment the line below if you're using SPDY. + listen [fe80::202:b3ff:fe1e:8329]:443 ssl ipv6only=on; + ## Uncomment the line below if you're using SPDY. + #listen [fe80::202:b3ff:fe1e:8329]:443 ssl spdy ipv6only=on; + + server_name www.example.com; + + ## Keep alive timeout set to a greater value for SSL/TLS. + keepalive_timeout 75 75; + + ## See the keepalive_timeout directive in nginx.conf. + ## Server certificate and key. + ssl_certificate /etc/ssl/certs/example-cert.pem; + ssl_certificate_key /etc/ssl/private/example.key; + + return 301 $scheme://example.com$request_uri; + +} # server domain return. ## HTTPS server. server { + ## Comment the line below if you're using SPDY. listen 443 ssl; + ## Uncomment the line below if you're using SPDY. + #listen 443 ssl spdy; ## Replace the IPv6 address by your own address. The address below ## was stolen from the wikipedia page on IPv6. - listen [fe80::202:b3ff:fe1e:8329]:443 ssl ipv6only=on; + + ## Comment the line below if you're using SPDY. + listen [fe80::202:b3ff:fe1e:8330]:443 ssl ipv6only=on; + ## Uncomment the line below if you're using SPDY. + #listen [fe80::202:b3ff:fe1e:8330]:443 ssl spdy ipv6only=on; server_name example.com; + limit_conn arbeit 32; ## Access and error logs. 
@@ -164,9 +209,10 @@ server { include apps/drupal/drupal.conf; ################################################################ - ### Generic configuration: for most Drupal 6 sites. + ### Configuration for Drupal 7 sites to serve URIs that need + ### to be **escaped** ################################################################ - # include apps/drupal/drupal6.conf; + #include apps/drupal/drupal_escaped.conf; ################################################################# ### Configuration for Drupal 7 sites that use boost. @@ -174,9 +220,10 @@ server { #include apps/drupal/drupal_boost.conf; ################################################################# - ### Configuration for Drupal 6 sites that use boost. + ### Configuration for Drupal 7 sites that use boost if having + ### to serve URIs that need to be **escaped** ################################################################# - #include apps/drupal/drupal_boost6.conf; + #include apps/drupal/drupal_boost_escaped.conf; ################################################################# ### Configuration for updating the site via update.php and running 
@@ -185,23 +232,24 @@ server { ################################################################# #include apps/drupal/drupal_cron_update.conf; + ################################################################ + ### Installation handling. This should be commented out after + ### installation if on an already installed site there's no need + ### to touch it. If on a yet to be installed site. Uncomment the + ### line below and comment out after installation. Note that + ### there's a basic auth in front as secondary ligne of defense. + ################################################################ + #include apps/drupal/drupal_install.conf; ################################################################# ### Support for upload progress bar. Configurations differ for ### Drupal 6 and Drupal 7. ################################################################# - - ## This is for Drupal 7. Comment out the line below if you're on - ## Drupal 6. include apps/drupal/drupal_upload_progress.conf; - ## This is for Drupal 6. Comment out the line above and uncomment - ## the line below if you're on Drupla 6. - #include apps/drupal/drupal6_upload_progress.conf; - ## Including the php-fpm status and ping pages config. ## Uncomment to enable if you're running php-fpm. - #include php_fpm_status.conf; + #include php_fpm_status_vhost.conf; ## Including the Nginx stub status page for having stats about ## Nginx activity: http://wiki.nginx.org/HttpStubStatusModule. diff --git a/upstream_phpapache.conf b/upstream_phpapache.conf index b8d1b523..47796fdc 100644 --- a/upstream_phpapache.conf +++ b/upstream_phpapache.conf 
@@ -9,10 +9,10 @@ ## version with the fair load balancer. upstream phpapache { - ## If your version of Nginx doesn't have the fair load balancer: - ## https://github.com/gnosek/nginx-upstream-fair comment out the - ## following line. - fair; + ## Use the least connection algorithm for load balancing. This + ## algorithm was introduced in versions 1.3.1 and 1.2.2. + least_conn; + server 127.0.0.1:8080; server 127.0.0.1:8081; ## Create a backend connection cache. Note that this requires @@ -22,7 +22,9 @@ upstream phpapache { keepalive 5; } -## Add a third pool as a fallback. +## Add a third pool as a fallback. Note that this requires php-cgi +## side by side php-fpm. If you don't have it installed comment it +## out. upstream phpapache_backup { server 127.0.0.1:8082; ## Create a backend connection cache. Note that this requires @@ -31,3 +33,4 @@ upstream phpapache_backup { ## following line if that's not the case. keepalive 1; } + diff --git a/upstream_phpcgi_tcp.conf b/upstream_phpcgi_tcp.conf index 41d2a64b..101ffc7a 100644 --- a/upstream_phpcgi_tcp.conf +++ b/upstream_phpcgi_tcp.conf @@ -8,11 +8,12 @@ ## upstream connections are supported and that you have a Nginx ## version with the fair load balancer. +## Add as many servers as needed. Cf. http://wiki.nginx.org/HttpUpstreamModule. upstream phpcgi { - ## If your version of Nginx doesn't have the fair load balancer: - ## https://github.com/gnosek/nginx-upstream-fair comment out the - ## following line. - fair; + ## Use the least connection algorithm for load balancing. This + ## algorithm was introduced in versions 1.3.1 and 1.2.2. + least_conn; + server 127.0.0.1:9001; server 127.0.0.1:9002; ## Create a backend connection cache. Note that this requires 
@@ -21,3 +22,27 @@ upstream phpcgi { ## line if that's not the case. keepalive 5; } + +## Add a third pool as a fallback. Note that this requires php-cgi +## side by side php-fpm. If you don't have it installed comment it +## out. +upstream phpcgi_backup { + server 127.0.0.1:9003; + ## Create a backend connection cache. Note that this requires + ## Nginx version greater or equal to 1.1.4. + ## Cf. http://nginx.org/en/CHANGES. Comment out the + ## following line if that's not the case. + keepalive 1; +} + +## The upstreams below are used only for monitoring php-fpm status, + +## The PHP TCP upstream that corresponds to the first pool: www0. +upstream www0 { + server 127.0.0.1:9001; +} + +## The PHP TCP upstream that corresponds to the second pool: www1. +upstream www1 { + server 127.0.0.1:9002; +} diff --git a/upstream_phpcgi_unix.conf b/upstream_phpcgi_unix.conf index e4bd66b7..ec3a80b2 100644 --- a/upstream_phpcgi_unix.conf +++ b/upstream_phpcgi_unix.conf @@ -10,10 +10,10 @@ ## Add as many servers as needed. Cf. http://wiki.nginx.org/HttpUpstreamModule. upstream phpcgi { - ## If your version of Nginx doesn't have the fair load balancer: - ## https://github.com/gnosek/nginx-upstream-fair comment out the - ## following line. - fair; + ## Use the least connection algorithm for load balancing. This + ## algorithm was introduced in versions 1.3.1 and 1.2.2. + least_conn; + server unix:/var/run/php-fpm.sock; server unix:/var/run/php-fpm-zwei.sock; ## Create a backend connection cache. Note that this requires 
@@ -22,3 +22,27 @@ upstream phpcgi { ## line if that's not the case. keepalive 5; } + +## Add a third pool as a fallback. Note that this requires php-cgi +## side by side php-fpm. If you don't have it installed comment it +## out. +upstream phpcgi_backup { + server unix:/var/run/php-fpm-bkp.sock; + ## Create a backend connection cache. Note that this requires + ## Nginx version greater or equal to 1.1.4. + ## Cf. http://nginx.org/en/CHANGES. Comment out the + ## following line if that's not the case. + keepalive 1; +} + +## The upstreams below are used only for monitoring php-fpm status, + +## The PHP TCP upstream that corresponds to the first pool: www0. +upstream www0 { + server unix:/var/run/php-fpm.sock; +} + +## The PHP TCP upstream that corresponds to the second pool: www1. +upstream www1 { + server unix:/var/run/php-fpm-zwei.sock; +} diff --git a/win-utf b/win-utf index ed8bc007..391b3357 100644 --- a/win-utf +++ b/win-utf @@ -1,4 +1,3 @@ - # This map is not a full windows-1251 <> utf8 map: it does not # contain Serbian and Macedonian letters. If you need a full map, # use contrib/unicode2nginx/win-utf map instead.
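Review bot: In the @@ -103,15 +110,53 @@ hunk, the new return-only server block presents `/etc/ssl/certs/example-cert.pem` for `www.example.com` while the main block presents the same file for `example.com`; the redirect only works cleanly if that certificate covers both names (SAN or wildcard), otherwise browsers raise a certificate warning before the `return 301` is ever sent, so the comment above `ssl_certificate` should say so. Two smaller points in the same hunk: `fe80::` addresses are link-local and not reachable from the internet, so even as a placeholder the comment should warn against copying that address as-is; and `limit_conn arbeit 32;` depends on a `limit_conn_zone ... zone=arbeit` in the http context, which is not part of this patch and should be confirmed. Style: `## See the keepalive_timeout directive in nginx.conf.` now sits below the `keepalive_timeout 75 75;` it refers to and directly above the certificate comment; move it up one line.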
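Review bot: In the @@ -185,23 +232,24 @@ hunk, the header `### Support for upload progress bar. Configurations differ for ### Drupal 6 and Drupal 7.` is now stale, since this hunk removes the Drupal 6 alternative and leaves only `include apps/drupal/drupal_upload_progress.conf;`. The new installation comment also has a typo (`ligne`) and its sentences run together; suggested wording: `### Installation handling. Uncomment the line below only while installing the site and comment it out again afterwards; an already installed site does not need it. Note that there's a basic auth in front as a secondary line of defense.` Since `apps/drupal/drupal_install.conf` is not in this patch, please confirm that the basic auth the comment promises is actually present there, because leaving `install.php` reachable after installation is the failure mode the comment is trying to prevent.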
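Review bot: In the `upstream_phpapache.conf` @@ -9,10 +9,10 @@ hunk (and the matching hunks in the two `upstream_phpcgi_*.conf` files), the file header context still reads `## version with the fair load balancer` while the hunk replaces `fair;` with `least_conn;`; update that header in all three files. The comment correctly dates `least_conn` to 1.3.1/1.2.2, but on an older nginx the directive is an unknown-directive error that fails `nginx -t`, which is a harder failure than the old third-party module case, so the comment should tell readers on older versions to drop the line and fall back to round-robin.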
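Review bot: In the `upstream_phpapache.conf` @@ -22,7 +22,9 @@ hunk, the added note `Note that this requires php-cgi side by side php-fpm` was copied from the phpcgi files and does not fit this upstream, whose backend is an Apache instance on `127.0.0.1:8082`; reword it to say that a third Apache/mod_php instance must be listening on that port, and comment the block out otherwise.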
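Review bot: In the `upstream_phpcgi_tcp.conf` @@ -21,3 +22,27 @@ hunk, the line `## The upstreams below are used only for monitoring php-fpm status,` ends with a comma where a period is meant. More substantively, the `keepalive` comments in this file only mention nginx 1.1.4; for FastCGI backends the cached connections are reused only when the proxying location also sets `fastcgi_keep_conn on;`, otherwise nginx closes the connection after each request and the `keepalive 5;`/`keepalive 1;` lines have no effect, so the comment should point at that directive.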
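Review bot: In the `upstream_phpcgi_unix.conf` @@ -22,3 +22,27 @@ hunk, both status-monitoring comments say `The PHP TCP upstream` although the servers here are unix sockets (`unix:/var/run/php-fpm.sock`, `unix:/var/run/php-fpm-zwei.sock`); the text was copied from the TCP file, so change it to `The PHP unix socket upstream`, and fix the trailing comma on `## The upstreams below are used only for monitoring php-fpm status,` here as well.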