Master

README.md

@@ -21,31 +21,24 @@
    greater security.
 
    This configuration started life as a fork of
-   [yhager's](github.com/yhager/nginx_drupal) configuration, tempered
-   by [omega8cc](http://github.com/omega8cc/nginx-for-drupal) and
-   [Brian Mercer](http://test.brianmercer.com/content/nginx-configuration-drupal)
-   (dead link) configurations. 
-
-   I've since then changed it substantially. Tried to remove as best
-   as I can the traces of bad habits promoted by Apache's
-   configuration logic. Namely the use of a `.htaccess` and what it
-   entails in terms or _reverse logic_ on the server
-   configuration. I've incorporated tidbits and advices gotten,
-   mostly, from the nginx mailing list and the
+   [Perusio's](https://github.com/perusio/drupal-with-nginx) configuration.
+
+   I've since then changed it somewhat. Mainly by adding or improving support for some additional Drupal modules,     as well as, removing Drupal 6 branch which in the wake of Drupal 8 release, I now consider completely obsolete.
+   I've incorporated tidbits and advices gotten mostly, from the nginx mailing list and the
    [nginx Wiki](http://wiki.nginx.org).
 
 ## I'm in a hurry just show me how to install it
 
-Jump **immediately** to the [installation](drupal-with-nginx#installation).
+Jump **immediately** to the [installation](#installation).
 I'll read up on all other stuff **later**.  
 
 ## Layout
 
-   The configuration comes in **two** flavors:
+The configuration comes in **two** flavors:
 
-   1. Drupal 6.
+ 1. Drupal 6.
 
-   2. Drupal 7.
+ 2. Drupal 7.
 
 Furthermore there are **two** options for each configuration:
 
@@ -61,7 +54,7 @@ Furthermore there are **two** options for each configuration:
       example aliases file `example.aliases.drushrc.php` that comes
       under the `examples` directory in the drush distribution.
 
-      Example: You create the aliases for example.com and example.org,
+      Example: You create the aliases for example.com and example.net,
       with aliases `@excom` and `@exnet` respectively.
 
       Your crontab should contain something like:
@@ -81,6 +74,22 @@ Furthermore there are **two** options for each configuration:
       script. If using `drush.php` then add `php` in front of the
       `/path/to/drush.php`.
 
+## Branching
+
+The configuration has 3 main branches:
+
+ 1. A [D7](https://github.com/perusio/drupal-with-nginx/tree/D7) branch
+    if you're running **Drupal 7** sites only on a given machine **use
+    this branch**.
+
+ 2. A [D6](https://github.com/perusio/drupal-with-nginx/tree/D6) branch
+    if you're running **Drupal 6** sites only on a given machine **use
+    this branch**.   
+
+ 3. A [master](https://github.com/perusio/drupal-with-nginx) branch if
+    you're running **both Drupal 6 and Drupal 7** sites on a given
+    machine **use this branch**.
+
 ## Escaped URIs
 
 It happens that some sites have URIs that use
@@ -106,47 +115,36 @@ version.
 ## Configuration Selection Algorithm
 
  1. I'm **not** using [Boost](http://drupal.org/project/boost):   
-
   * On **drupal 7** use the `drupal.conf` config in your vhost
     (`server` block): `include apps/drupals/drupal.conf;`.
-
   * On **drupal 7** having to serve URIs that need to be **escaped**,
     e.g., that have `+` and/or `?` then use the `drupal_escaped.conf`
     config in your vhost (`server` block): 
     `include apps/drupal/drupal_escaped.conf`.
-
   * On **drupal 6** use the `drupal6.conf` config in your vhost
     (`server` block): `include apps/drupals/drupal6.conf;`.
-
   * On **drupal 6** if having to serve URIs that need to be
     **escaped**, e.g., that have `+` and/or `?` then use the
     `drupal6_escaped.conf` config in your vhost (`server` block):
     `include apps/drupal/drupal6_escaped.conf`.
-
  2. I'm using [Boost](http://drupal.org/project/boost) for caching
       on my drupal site.
-
   * On **drupal 7** use the `drupal_boost.conf` config in your vhost
     (`server` block): `include apps/drupal/drupal_boost.conf;`.
-
   * On **drupal 7** if having to serve URIs that need to be
     **escaped**, e.g., that have `+` and/or `?` then use the
     `drupal_boost_escaped.conf` config in your vhost (`server` block):
     `include apps/drupal/drupal_boost_escaped.conf`.
-
   * On **drupal 6** use the `drupal_boost6.conf` config in your vhost
     (`server` block): `include apps/drupal/drupal_boost6.conf;`.
-
   * On **drupal 6** if having to serve URIs that need to be
     **escaped**, e.g., that have `+` and/or `?` then use the
     `drupal_boost6_escaped.conf` config in your vhost (`server`
     block): `include apps/drupal/drupal_boost6_escaped.conf`.
-
  3. I'm **not using drush** for updating and running
     cron. Additionally you should also include the
     `drupal_cron_update.conf` config in your vhost (`server` block):
     `include apps/drupal/drupal_cron_update.conf;`
-
  4. I'm using **drupal 8**. Just use the drupal 7 configuration. The
     only thing that changes so far is the location of `install.php`.
 
@@ -267,7 +265,9 @@ This is strictly a **drupal 6** issue.
    20. [ETag](https://en.wikipedia.org/wiki/HTTP_ETag) support. This
        requires a Nginx version greater or equal to **1.3.3**.
 
-   21. Support for drupal 8.     
+   21. Support for drupal 8.
+
+   22. Support for the [`file_force`](http:/drupal.org/project/file_force) module.
 
 ## Secure HTTP aka SSL/TLS support
 
@@ -357,10 +357,15 @@ This is strictly a **drupal 6** issue.
       then accordingly change its name in drupal_boost.conf.
 
    4. Support for
-      [X-Frame-Options](https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header)
+      [`X-Frame-Options`](https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header)
       HTTP header to avoid Clickjacking attacks.
+
+   5. Support for
+      [`X-Content-Options`](http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx?Redirected=true)
+      for avoiding MIME type deviation from the declared
+      `Content-Type`.
 
-   5. Protection of the upload directory. You can try to bypass the
+   6. Protection of the upload directory. You can try to bypass the
       UNIX `file` utility or the PHP `Fileinfo` extension and upload a
       fake jpeg:
 
@@ -383,23 +388,25 @@ This is strictly a **drupal 6** issue.
       it always from within the Nginx config. You cannot access it
       directly from outside.
 
-   6. Use of [Strict Transport Security](http://www.chromium.org/sts
+   7. Use of [Strict Transport Security](http://www.chromium.org/sts
       "STS at chromium.org") for enhanced security. It forces during
       the specified period for the configured domain to be contacted
       only over HTTPS. Requires a modern browser to be of use, i.e.,
       **Chrome/Chromium**, **Firefox 4** or **Firefox with
       NoScript**.
 
-   7. DoS prevention with a _low_ number of connections by client
+   8. DoS prevention with a _low_ number of connections by client
       allowed: **32**. This number can be adjusted as you see fit.
 
-   8. The Drupal specific headers like `X-Drupal-Cache` provided by
+   9. The Drupal specific headers like `X-Drupal-Cache` provided by
       [pressflow](https://github.com/pressflow/6) or the `X-Generator`
       header that Drupal 7 sets are both **hidden**. 
 
-   9. Limitation of allowed HTTP methods. Out of the box only `GET`,
+   10. Limitation of allowed HTTP methods. Out of the box only `GET`,
       `HEAD` and `POST`are allowed.
 
+   11. Protection of the `/admin` URIs with Basic Auth.   
+
 ## Private file handling
 
    This config assumes that **private** files are stored under a directory
@@ -539,6 +546,19 @@ This is strictly a **drupal 6** issue.
    directive and enumerate the client IPs that are allowed to use the
    *extra* methods like `PUT`.
 
+## Protection of the `/admin` URIs using Basic Auth
+
+   Just uncomment the line that includes the
+   `apps/drupal/admin_basic_auth.conf` file. Now whenever you got to a
+   `/admin` URI the server will prompt you for a username/password
+   pair. Note that by default this config provides no
+   username/password values for the `.htpasswd-users` file. This is to
+   avoid the creeping of laziness and that 80% of the sites that have
+   the `/admin` URIs protected have the same username/password.
+
+   Note that this is much more effective if at least all your logged
+   in traffic goes over SSL (HTTPS).
+
 ## Multisite support
 
    [Drupal multisite](http://drupal.org/documentation/install/multi-site)
@@ -738,13 +758,29 @@ replace** the indicated address by **your** address.
 For Nginx versions greater or equal than 1.3.4 IPv6 and IPv4 sockets
 are **separate** by default.
 
+Note also that socket options like `ipv6only=on` can only be specified
+**once**. Hence the use of different IPv6 addresses for the server
+block that redirects from `www` to the base domain in both HTTP and
+HTTPS servers. 
+
 ## Installation
 
  1. Move the old `/etc/nginx` directory to `/etc/nginx.old`.
 
  2. Clone the git repository from github:
-
-        git clone https://github.com/perusio/drupal-with-nginx.git
+
+        git clone https://github.com/perusio/drupal-with-nginx.git /etc/nginx
+
+    If you want to use only the Drupal specific version configuration
+    you must do one of the checkouts below: 
+
+  * For the **D7** branch (running **only** D7 sites on the same server):
+
+            git checkout D7
+
+  * For the **D6** branch (running **only** D6 sites on the same server):
+
+            git checkout D6      
 
  3. Edit the `sites-available/example.com.conf` configuration file to
     suit your requirements. Namely replacing example.com with **your**
@@ -834,6 +870,13 @@ are **separate** by default.
    for Nginx to serve.
 
 
+## Troubleshooting
+
+If by any reason you have some kind of error, please get a
+[debug log](http://nginx.org/en/docs/debugging_log.html) and paste it
+in a [Gist](https://gist.github.com) and **open an issue** on the
+github issue queue for the module.
+
 ## Acessing the php-fpm status and ping pages
 
    You can get the
@@ -876,7 +919,7 @@ are **separate** by default.
    own. Generally the APT machinery will sort out for you any
    dependencies issues that might exist.
 
-## Ad and Aditional modules support
+## Ad and Additional modules support
 
    The config is quite tight in the sense that if you have something
    that is not contemplated in the **exact** match locations,

apps/drupal/admin_basic_auth.conf

@@ -0,0 +1,12 @@
+# -*- mode: nginx; mode: flyspell-prog;  ispell-local-dictionary: "american" -*-
+
+## Protect the /admin URIs with a basic auth.
+location ^~ /admin {
+    auth_basic "Restricted access"; #realm
+    auth_basic_user_file .htpasswd-users;
+
+    ## Include the specific FastCGI configuration. This is for a
+    ## FCGI backend like php-cgi or php-fpm.
+    include apps/drupal/fastcgi_drupal.conf;
+    fastcgi_pass phpcgi;
+}

cron_allowed_hosts.conf → apps/drupal/cron_allowed_hosts.conf

@@ -6,5 +6,5 @@ geo $not_allowed_cron {
     default 1;
     ## Add your set of hosts.
     127.0.0.1 0; # allow the localhost
-    192.168.1.0/24 0; # (V)LAN hosts allowed
+    192.168.1.0/24 0; # allow on an internal network
 }