skilld-labs · gaydabura · Apr 14, 2017
diff --git a/drupal8.conf b/drupal8.conf
@@ -2,7 +2,7 @@ server {
     server_name SERVER_NAME;
     listen 80;
 
-    root /var/www/html/;
+    root /var/www/html/docroot;
     index index.php;
 
     fastcgi_keep_conn on;
@@ -11,219 +11,106 @@ server {
     fastcgi_param SCRIPT_NAME $fastcgi_script_name;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 
-    location / {
-
-        location ^~ /system/files/ {
-            include fastcgi_params;
-            fastcgi_param QUERY_STRING q=$uri&$args;
-            fastcgi_param SCRIPT_NAME /index.php;
-            fastcgi_param SCRIPT_FILENAME $document_root/index.php;
-            fastcgi_hide_header 'X-Drupal-Cache';
-            fastcgi_hide_header 'X-Generator';
-            fastcgi_pass upstream;
-            log_not_found off;
-        }
-
-        location ^~ /sites/.*/files/private/ {
-            internal;
-        }
-
-        location ~* /imagecache/ {
-            access_log off;
-            expires 30d;
-            try_files $uri @drupal;
-        }
-
-        location ~* /files/styles/ {
-            access_log off;
-            expires 30d;
-            try_files $uri @drupal;
-        }
-
-        location ^~ /sites/.*/files/advagg_css/ {
-            expires max;
-            add_header ETag '';
-            add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
-            add_header Accept-Ranges '';
-            location ~* /sites/.*/files/advagg_css/css[_[:alnum:]]+\.css$ {
-                access_log off;
-                try_files $uri @drupal;
-            }
-        }
-
-        location ^~ /sites/.*/files/advagg_js/ {
-            expires max;
-            add_header ETag '';
-            add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
-            add_header Accept-Ranges '';
-            location ~* /sites/.*/files/advagg_js/js[_[:alnum:]]+\.js$ {
-                access_log off;
-                try_files $uri @drupal;
-            }
-        }
-
-        location ~* /admin/reports/hacked/.+/diff/ {
-            try_files $uri @drupal;
-        }
-
-        location ~* ^.+\.(?:cur|jpe?g|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg)$ {
-            access_log off;
-            expires 30d;
-            tcp_nodelay off;
-            open_file_cache max=3000 inactive=120s;
-            open_file_cache_valid 45s;
-            open_file_cache_min_uses 2;
-            open_file_cache_errors off;
-        }
-
-        location ~* ^.+\.(?:css|js)$ {
-            access_log off;
-            expires 30d;
-            tcp_nodelay off;
-            open_file_cache off;
-        }
-
-        location ~* ^.+\.(?:pdf|pptx?)$ {
-            expires 30d;
-            tcp_nodelay off;
-        }
-
-        location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
-            return 404;
-        }
-        try_files $uri @drupal;
-    }
-
-    location @drupal {
-        include fastcgi_params;
-        fastcgi_param QUERY_STRING q=$uri&$args;
-        fastcgi_param SCRIPT_NAME /index.php;
-        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
-        fastcgi_hide_header 'X-Drupal-Cache';
-        fastcgi_hide_header 'X-Generator';
-        fastcgi_pass upstream;
-        track_uploads uploads 60s;
-    }
-
-    location @drupal-no-args {
-        include fastcgi_params;
-        fastcgi_param QUERY_STRING q=$uri;
-        fastcgi_param SCRIPT_NAME /index.php;
-        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
-        fastcgi_hide_header 'X-Drupal-Cache';
-        fastcgi_hide_header 'X-Generator';
-        fastcgi_pass upstream;
-    }
-
-    location = /index.php {
-        include fastcgi_params;
-        fastcgi_param QUERY_STRING $query_string;
-        fastcgi_param SCRIPT_NAME /index.php;
-        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
-        fastcgi_hide_header 'X-Drupal-Cache';
-        fastcgi_hide_header 'X-Generator';
-        fastcgi_pass upstream;
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
     }
 
-    location = /cron {
-        include fastcgi_params;
-        fastcgi_param QUERY_STRING q=$uri&$args;
-        fastcgi_param SCRIPT_NAME /index.php;
-        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
-        fastcgi_hide_header 'X-Drupal-Cache';
-        fastcgi_hide_header 'X-Generator';
-        fastcgi_pass upstream;
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
     }
 
-    location ~* ^/update.php {
-        include fastcgi_params;
-        fastcgi_param QUERY_STRING $args;
-        fastcgi_param SCRIPT_NAME /update.php;
-        fastcgi_param SCRIPT_FILENAME $document_root/update.php;
-        fastcgi_hide_header 'X-Drupal-Cache';
-        fastcgi_hide_header 'X-Generator';
-        fastcgi_pass upstream;
+    # Very rarely should these ever be accessed outside of your lan
+    location ~* \.(txt|log)$ {
+        deny all;
     }
 
-    location = /core/install.php {
-        include fastcgi_params;
-        fastcgi_param QUERY_STRING $args;
-        fastcgi_param SCRIPT_NAME /core/install.php;
-        fastcgi_param SCRIPT_FILENAME $document_root/core/install.php;
-        fastcgi_hide_header 'X-Drupal-Cache';
-        fastcgi_hide_header 'X-Generator';
-        fastcgi_pass upstream;
+    location ~ \..*/.*\.php$ {
+        return 403;
     }
 
-    location ~* ^/core/authorize.php {
-        include fastcgi_params;
-        fastcgi_param QUERY_STRING $args;
-        fastcgi_param SCRIPT_NAME /core/authorize.php;
-        fastcgi_param SCRIPT_FILENAME $document_root/core/authorize.php;
-        fastcgi_hide_header 'X-Drupal-Cache';
-        fastcgi_hide_header 'X-Generator';
-        fastcgi_pass upstream;
+    location ~ ^/sites/.*/private/ {
+        return 403;
     }
 
-    location ^~ /.bzr {
-        return 404;
-    }
-
-    location ^~ /.git {
-        return 404;
+    # Allow "Well-Known URIs" as per RFC 5785
+    location ~* ^/.well-known/ {
+        allow all;
     }
 
-    location ^~ /.hg {
-        return 404;
+    # Block access to "hidden" files and directories whose names begin with a
+    # period. This includes directories used by version control systems such
+    # as Subversion or Git to store control files.
+    location ~ (^|/)\. {
+        return 403;
     }
 
-    location ^~ /.svn {
-        return 404;
+    location ^~ /docroot/files/ {
+        rewrite ^/docroot/files/(.+)$ /files/$1 break;
     }
 
-    location ^~ /.cvs {
-        return 404;
+    location / {
+        # try_files $uri @rewrite; # For Drupal <= 6
+        try_files $uri /index.php?$query_string; # For Drupal >= 7
     }
 
-    location ^~ /patches {
-        return 404;
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?q=$1;
     }
 
-    location ^~ /backup {
+    # Don't allow direct access to PHP files in the vendor directory.
+    location ~ /vendor/.*\.php$ {
+        deny all;
         return 404;
     }
 
-    location = /robots.txt {
-        access_log off;
-        try_files $uri @drupal-no-args;
-    }
-
-    location = /rss.xml {
-        try_files $uri @drupal-no-args;
-    }
-
-    location = /sitemap.xml {
-        try_files $uri @drupal-no-args;
-    }
-
-    location = /favicon.ico {
-        expires 30d;
-        try_files /favicon.ico @empty;
+    # In Drupal 8, we must also match new paths where the '.php' appears in
+    # the middle, such as update.php/selection. The rule we use is strict,
+    # and only allows this pattern with the update.php front controller.
+    # This allows legacy path aliases in the form of
+    # blog/index.php/legacy-path to continue to route to Drupal nodes. If
+    # you do not have any paths like that, then you might prefer to use a
+    # laxer rule, such as:
+    #   location ~ \.php(/|$) {
+    # The laxer rule will continue to work if Drupal uses this new URL
+    # pattern with front controllers other than update.php in a future
+    # release.
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        # Security note: If you're running a version of PHP older than the
+        # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
+        # See http://serverfault.com/q/627903/94922 for details.
+        include fastcgi_params;
+        # Block httpoxy attacks. See https://httpoxy.org/.
+        fastcgi_param HTTP_PROXY "";
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param QUERY_STRING $query_string;
+        fastcgi_intercept_errors on;
+        # PHP 5 socket location.
+        #fastcgi_pass unix:/var/run/php5-fpm.sock;
+        # PHP 7 socket location.
+        fastcgi_pass upstream;
     }
 
-    location ~* ^/.well-known/ {
-        allow all;
+    # Fighting with Styles? This little gem is amazing.
+    # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
+    location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
+        try_files $uri @rewrite;
     }
 
-    location @empty {
-        expires 30d;
-        empty_gif;
+    # Handle private files through Drupal. Private file's path can come
+    # with a language prefix.
+    location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~* ^.+\.php$ {
-        return 404;
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+        expires max;
+        log_not_found off;
     }
-
     location ~ (?<upload_form_uri>.*)/x-progress-id:(?<upload_id>\d*) {
         rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id;
     }