diff --git a/drupal8.conf b/drupal8.conf
index 9edc11e..d8d5487 100644
--- a/drupal8.conf
+++ b/drupal8.conf
@@ -2,7 +2,7 @@ server {
     server_name SERVER_NAME;
     listen 80;
-    root /var/www/html/;
+    root /var/www/html/docroot;
     index index.php;
     fastcgi_keep_conn on;
@@ -11,219 +11,106 @@ server {
     fastcgi_param SCRIPT_NAME $fastcgi_script_name;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    location / {
-
-        location ^~ /system/files/ {
-            include fastcgi_params;
-            fastcgi_param QUERY_STRING q=$uri&$args;
-            fastcgi_param SCRIPT_NAME /index.php;
-            fastcgi_param SCRIPT_FILENAME $document_root/index.php;
-            fastcgi_hide_header 'X-Drupal-Cache';
-            fastcgi_hide_header 'X-Generator';
-            fastcgi_pass upstream;
-            log_not_found off;
-        }
-
-        location ^~ /sites/.*/files/private/ {
-            internal;
-        }
-
-        location ~* /imagecache/ {
-            access_log off;
-            expires 30d;
-            try_files $uri @drupal;
-        }
-
-        location ~* /files/styles/ {
-            access_log off;
-            expires 30d;
-            try_files $uri @drupal;
-        }
-
-        location ^~ /sites/.*/files/advagg_css/ {
-            expires max;
-            add_header ETag '';
-            add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
-            add_header Accept-Ranges '';
-            location ~* /sites/.*/files/advagg_css/css[_[:alnum:]]+\.css$ {
-                access_log off;
-                try_files $uri @drupal;
-            }
-        }
-
-        location ^~ /sites/.*/files/advagg_js/ {
-            expires max;
-            add_header ETag '';
-            add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
-            add_header Accept-Ranges '';
-            location ~* /sites/.*/files/advagg_js/js[_[:alnum:]]+\.js$ {
-                access_log off;
-                try_files $uri @drupal;
-            }
-        }
-
-        location ~* /admin/reports/hacked/.+/diff/ {
-            try_files $uri @drupal;
-        }
-
-        location ~* ^.+\.(?:cur|jpe?g|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg)$ {
-            access_log off;
-            expires 30d;
-            tcp_nodelay off;
-            open_file_cache max=3000 inactive=120s;
-            open_file_cache_valid 45s;
-            open_file_cache_min_uses 2;
-            open_file_cache_errors off;
-        }
-
-        location ~* ^.+\.(?:css|js)$ {
-            access_log off;
-            expires 30d;
-            tcp_nodelay off;
-            open_file_cache off;
-        }
-
-        location ~* ^.+\.(?:pdf|pptx?)$ {
-            expires 30d;
-            tcp_nodelay off;
-        }
-
-        location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
-            return 404;
-        }
-        try_files $uri @drupal;
-    }
-
-    location @drupal {
-        include fastcgi_params;
-        fastcgi_param QUERY_STRING q=$uri&$args;
-        fastcgi_param SCRIPT_NAME /index.php;
-        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
-        fastcgi_hide_header 'X-Drupal-Cache';
-        fastcgi_hide_header 'X-Generator';
-        fastcgi_pass upstream;
-        track_uploads uploads 60s;
-    }
-
-    location @drupal-no-args {
-        include fastcgi_params;
-        fastcgi_param QUERY_STRING q=$uri;
-        fastcgi_param SCRIPT_NAME /index.php;
-        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
-        fastcgi_hide_header 'X-Drupal-Cache';
-        fastcgi_hide_header 'X-Generator';
-        fastcgi_pass upstream;
-    }
-
-    location = /index.php {
-        include fastcgi_params;
-        fastcgi_param QUERY_STRING $query_string;
-        fastcgi_param SCRIPT_NAME /index.php;
-        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
-        fastcgi_hide_header 'X-Drupal-Cache';
-        fastcgi_hide_header 'X-Generator';
-        fastcgi_pass upstream;
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
     }
-    location = /cron {
-        include fastcgi_params;
-        fastcgi_param QUERY_STRING q=$uri&$args;
-        fastcgi_param SCRIPT_NAME /index.php;
-        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
-        fastcgi_hide_header 'X-Drupal-Cache';
-        fastcgi_hide_header 'X-Generator';
-        fastcgi_pass upstream;
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
     }
-    location ~* ^/update.php {
-        include fastcgi_params;
-        fastcgi_param QUERY_STRING $args;
-        fastcgi_param SCRIPT_NAME /update.php;
-        fastcgi_param SCRIPT_FILENAME $document_root/update.php;
-        fastcgi_hide_header 'X-Drupal-Cache';
-        fastcgi_hide_header 'X-Generator';
-        fastcgi_pass upstream;
+    # Very rarely should these ever be accessed outside of your lan
+    location ~* \.(txt|log)$ {
+        deny all;
     }
-    location = /core/install.php {
-        include fastcgi_params;
-        fastcgi_param QUERY_STRING $args;
-        fastcgi_param SCRIPT_NAME /core/install.php;
-        fastcgi_param SCRIPT_FILENAME $document_root/core/install.php;
-        fastcgi_hide_header 'X-Drupal-Cache';
-        fastcgi_hide_header 'X-Generator';
-        fastcgi_pass upstream;
+    location ~ \..*/.*\.php$ {
+        return 403;
     }
-    location ~* ^/core/authorize.php {
-        include fastcgi_params;
-        fastcgi_param QUERY_STRING $args;
-        fastcgi_param SCRIPT_NAME /core/authorize.php;
-        fastcgi_param SCRIPT_FILENAME $document_root/core/authorize.php;
-        fastcgi_hide_header 'X-Drupal-Cache';
-        fastcgi_hide_header 'X-Generator';
-        fastcgi_pass upstream;
+    location ~ ^/sites/.*/private/ {
+        return 403;
     }
-    location ^~ /.bzr {
-        return 404;
-    }
-
-    location ^~ /.git {
-        return 404;
+    # Allow "Well-Known URIs" as per RFC 5785
+    location ~* ^/.well-known/ {
+        allow all;
     }
-    location ^~ /.hg {
-        return 404;
+    # Block access to "hidden" files and directories whose names begin with a
+    # period. This includes directories used by version control systems such
+    # as Subversion or Git to store control files.
+    location ~ (^|/)\. {
+        return 403;
     }
-    location ^~ /.svn {
-        return 404;
+    location ^~ /docroot/files/ {
+        rewrite ^/docroot/files/(.+)$ /files/$1 break;
     }
-    location ^~ /.cvs {
-        return 404;
+    location / {
+        # try_files $uri @rewrite; # For Drupal <= 6
+        try_files $uri /index.php?$query_string; # For Drupal >= 7
     }
-    location ^~ /patches {
-        return 404;
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?q=$1;
     }
-    location ^~ /backup {
+    # Don't allow direct access to PHP files in the vendor directory.
+    location ~ /vendor/.*\.php$ {
+        deny all;
         return 404;
     }
-    location = /robots.txt {
-        access_log off;
-        try_files $uri @drupal-no-args;
-    }
-
-    location = /rss.xml {
-        try_files $uri @drupal-no-args;
-    }
-
-    location = /sitemap.xml {
-        try_files $uri @drupal-no-args;
-    }
-
-    location = /favicon.ico {
-        expires 30d;
-        try_files /favicon.ico @empty;
+    # In Drupal 8, we must also match new paths where the '.php' appears in
+    # the middle, such as update.php/selection. The rule we use is strict,
+    # and only allows this pattern with the update.php front controller.
+    # This allows legacy path aliases in the form of
+    # blog/index.php/legacy-path to continue to route to Drupal nodes. If
+    # you do not have any paths like that, then you might prefer to use a
+    # laxer rule, such as:
+    # location ~ \.php(/|$) {
+    # The laxer rule will continue to work if Drupal uses this new URL
+    # pattern with front controllers other than update.php in a future
+    # release.
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        # Security note: If you're running a version of PHP older than the
+        # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
+        # See http://serverfault.com/q/627903/94922 for details.
+        include fastcgi_params;
+        # Block httpoxy attacks. See https://httpoxy.org/.
+        fastcgi_param HTTP_PROXY "";
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param QUERY_STRING $query_string;
+        fastcgi_intercept_errors on;
+        # PHP 5 socket location.
+        #fastcgi_pass unix:/var/run/php5-fpm.sock;
+        # PHP 7 socket location.
+        fastcgi_pass upstream;
     }
-    location ~* ^/.well-known/ {
-        allow all;
+    # Fighting with Styles? This little gem is amazing.
+    # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
+    location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
+        try_files $uri @rewrite;
     }
-    location @empty {
-        expires 30d;
-        empty_gif;
+    # Handle private files through Drupal. Private file's path can come
+    # with a language prefix.
+    location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
+        try_files $uri /index.php?$query_string;
     }
-    location ~* ^.+\.php$ {
-        return 404;
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+        expires max;
+        log_not_found off;
     }
-    location ~ (?.*)/x-progress-id:(?\d*) {
         rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id;
     }
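Review bot: The new `location ~ '\.php$|^/update.php'` handler hands every `.php` path that survives the earlier `return 403` rules to `fastcgi_pass upstream`, and the removed `location ~* ^.+\.php$ { return 404; }` catch-all has no replacement, so a `.php` file under the public upload tree `sites/*/files/` (which Drupal only protects via its own .htaccess under Apache) now matches the PHP handler before the `^/sites/.*/files/styles/` regex and would be executed rather than served or refused. Placing `location ~ ^/sites/.*/files/.*\.php$ { return 403; }` ahead of the PHP location restores the old guarantee that nothing in the files directory is ever run, and the same review is worth applying to scripts such as `core/install.php` and `core/authorize.php`, which the old config exposed only through explicit `location =` blocks and are now reachable by the generic rule. In the vendor block, `deny all;` is shadowed by the context line `return 404;` because `return` runs in the rewrite phase before access checks, so `return 404;` alone expresses the intent. The hunk also drops every `fastcgi_hide_header 'X-Generator';` line, so the Drupal version banner will now reach clients unless it is stripped elsewhere; either restoring that directive inside the PHP location or a comment stating the disclosure is accepted would help the next reader. The markers on the final removed `x-progress-id` block and the server's closing brace are not clearly recoverable from the collapsed text, so the hunk's end is inferred.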