### Nginx configuration for Drupal. This configuration makes use of
### drush (http://drupal.org/project/drush) for site maintenance
### and like tasks:
###
### 1. Run the cronjobs.
### 2. Run the DB and code updates: drush up or drush upc followed by
### drush updb to run any DB updates required by the code upgrades
### that were performed.
### 3. Disabling of xmlrpc.xml, install.php (needed only for
### installing the site) and update.php: all updates are now
### handled through drush.
## The 'default' location.
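location / {

    ## Drupal-generated 404 pages can impact performance. If using a
    ## module like search404 then 404s *have* to be handled by Drupal.
    ## Uncomment the line below to relay the handling of 404s to Drupal.
    ## error_page 404 /index.php;

    ## Using a nested location is the 'correct' way to use regexes.

    ## Regular private file serving (i.e. handled by Drupal). The '^~'
    ## modifier keeps the regex locations further down from being tried
    ## for these URIs.
    location ^~ /system/files/ {
        ## Include the specific FastCGI configuration. This is for a
        ## FCGI backend like php-cgi or php-fpm.
        include fastcgi_private_files.conf;
        fastcgi_pass 127.0.0.1:9000;

        ## If proxying to apache comment the two lines above and
        ## uncomment the line below.
        #proxy_pass http://phpapache/index.php?q=$uri;

        ## For not signaling a 404 in the error log whenever the
        ## system/files directory is accessed add the line below.
        ## Note that the 404 is the intended behavior.
        log_not_found off;
    }

    ## Trying to access private files directly returns a 404: 'internal'
    ## only admits requests that Nginx generated itself (internal
    ## redirects), never a URI typed by a client.
    ## NOTE(review): the path is hard-coded to sites/default. A multisite
    ## setup or a private directory configured elsewhere is not covered
    ## by this location - confirm against the site's file system settings.
    location ^~ /sites/default/files/private/ {
        internal;
    }

    ## If accessing an image generated by imagecache, serve it directly if
    ## available, if not relay the request to Drupal to (re)generate the
    ## image.
    location ~* /imagecache/ {
        ## Image hotlinking protection. If you want hotlinking
        ## protection for your images uncomment the following line.
        #include sites-available/hotlinking_protection.conf;

        access_log off;
        expires 30d;
        try_files $uri @drupal;
    }

    ## Drupal 7 generated image handling, i.e., imagecache in core. See:
    ## https://drupal.org/node/371374.
    location ~* /files/styles/ {
        access_log off;
        expires 30d;
        try_files $uri @drupal;
    }

    ## Advanced Aggregation module CSS
    ## support. http://drupal.org/project/advagg.
    ## add_header at this level replaces, rather than extends, any
    ## add_header set at an outer level (Nginx inherits them only when the
    ## current level defines none), so headers added in nginx.conf are not
    ## sent with these responses.
    location ^~ /sites/default/files/advagg_css/ {
        location ~* /sites/default/files/advagg_css/css_[[:alnum:]]+\.css$ {
            access_log off;
            add_header Pragma '';
            add_header Cache-Control 'public, max-age=946080000';
            add_header Accept-Ranges '';
            try_files $uri @drupal;
        }
    }

    ## Advanced Aggregation module JS
    ## support. http://drupal.org/project/advagg.
    ## The nested regex has to name the advagg_js directory: a pattern on
    ## advagg_css can never match inside this prefix, which would leave the
    ## aggregated JS without the cache headers and without the fallback to
    ## Drupal. The add_header inheritance remark above applies here too.
    location ^~ /sites/default/files/advagg_js/ {
        location ~* /sites/default/files/advagg_js/js_[[:alnum:]]+\.js$ {
            access_log off;
            add_header Pragma '';
            add_header Cache-Control 'public, max-age=946080000';
            add_header Accept-Ranges '';
            try_files $uri @drupal;
        }
    }

    ## All static files will be served directly.
    location ~* ^.+\.(?:css|js|jpe?g|gif|ico|png|html|xml)$ {
        access_log off;
        expires 30d;
        ## No need to bleed constant updates. Send the all shebang in one
        ## fell swoop.
        tcp_nodelay off;
        ## Set the OS file cache.
        open_file_cache max=3000 inactive=120s;
        open_file_cache_valid 45s;
        open_file_cache_min_uses 2;
        open_file_cache_errors off;
    }

    ## PDFs and powerpoint files handling.
    location ~* ^.+\.(?:pdf|pptx?)$ {
        expires 30d;
        ## No need to bleed constant updates. Send the all shebang in one
        ## fell swoop.
        tcp_nodelay off;
    }

    ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your
    ## OS must support it.
    location ^~ /sites/default/files/audio/mp3 {
        location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
            directio 4k; # for XFS
            ## If you're using ext3 or similar uncomment the line below
            ## and comment the above.
            #directio 512; # for ext3 or similar (block alignments)
            tcp_nopush off;
            #aio on;
            output_buffers 1 2M;
        }
    }

    location ^~ /sites/default/files/audio/ogg {
        location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
            directio 4k; # for XFS
            ## If you're using ext3 or similar uncomment the line below
            ## and comment the above.
            #directio 512; # for ext3 or similar (block alignments)
            tcp_nopush off;
            #aio on;
            output_buffers 1 2M;
        }
    }

    ## Pseudo streaming of FLV files:
    ## http://wiki.nginx.org/HttpFlvStreamModule.
    ## If pseudo streaming isn't working, try to comment
    ## out line 115 in nginx.conf:
    ## add_header X-Frame-Options SAMEORIGIN;
    ## NOTE(review): commenting that line out drops the anti-framing
    ## header for every response of the server, not only for the videos.
    ## Re-check whether it is really needed before doing so.
    #location ^~ /sites/default/files/video/flv {
    #    location ~* ^/sites/default/files/video/flv/.*\.flv$ {
    #        flv;
    #    }
    #}

    ## Pseudo streaming of H264/AAC files. This requires an Nginx
    ## version greater or equal to 1.0.7 for the stable branch and
    ## greater or equal to 1.1.3 for the development branch.
    ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
    #location ^~ /sites/default/files/video/mp4 { # videos
    #    location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
    #        mp4;
    #        mp4_buffer_size 1M;
    #        mp4_max_buffer_size 5M;
    #    }
    #}

    #location ^~ /sites/default/files/audio/m4a { # audios
    #    location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
    #        mp4;
    #        mp4_buffer_size 1M;
    #        mp4_max_buffer_size 5M;
    #    }
    #}

    ## Advanced Help module makes each module provided README available.
    location ^~ /help/ {
        location ~* ^/help/[^/]*/README\.txt$ {
            ## Include the specific FastCGI configuration. This is for a
            ## FCGI backend like php-cgi or php-fpm.
            include fastcgi_private_files.conf;
            fastcgi_pass 127.0.0.1:9000;
            ## If proxying to apache comment the two lines above and
            ## uncomment the line below.
            #proxy_pass http://phpapache/index.php?q=$uri;
        }
    }

    ## Replicate the Apache <FilesMatch> directive of Drupal standard
    ## .htaccess. Disable access to any code files. Return a 404 to curtail
    ## information disclosure. Hide also the text files.
    ##
    ## NOTE(review), pattern unchanged:
    ##  - The whole alternation is anchored with ^...$ and request URIs
    ##    start with '/', so 'code-style\.pl' cannot match as written and
    ##    '/Entries.*', '/Repository', '/Root', '/Tag', '/Template' only
    ##    match at the document root, not inside subdirectories.
    ##  - Editor and backup copies (a trailing '~', '.bak', '.orig',
    ##    '.save', '.swp') of the listed file types are not matched. Unless
    ##    another location in the server block catches them, such a copy
    ##    that exists on disk is served as plain text by the try_files
    ##    below. Consider extending the pattern or keeping those files out
    ##    of the docroot.
    location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
        return 404;
    }

    ## First we try the URI and relay to the /index.php?q=$uri&$args if
    ## not found.
    try_files $uri @drupal;
}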
########### Security measures ##########
## Restrict access to the strictly necessary PHP files. Reducing the
## scope for exploits. Handling of PHP code and the Drupal event loop.
location @drupal {
    ## FastCGI settings for the Drupal entry point live in this include.
    ## NOTE(review): presumably it pins the script to index.php - confirm
    ## in fastcgi_drupal.conf, since this is the only place in this file
    ## where general requests are handed to PHP.
    include fastcgi_drupal.conf;

    ## PHP backend on the loopback interface. A loopback TCP port can be
    ## reached by any local process; on a shared host a unix socket with
    ## restricted permissions narrows that.
    fastcgi_pass 127.0.0.1:9000;

    ## Filefield upload progress support
    ## (http://drupal.org/project/filefield_nginx_progress) through the
    ## NginxUploadProgress module.
    #track_uploads uploads 60s;
}
location @drupal-no-args {
    ## Named location used as the try_files fallback of /rss.xml and
    ## /sitemap.xml. It loads the FastCGI configuration for a FCGI
    ## backend like php-cgi or php-fpm from the include below.
    include fastcgi_private_files.conf;

    ## Same loopback PHP backend as the other FastCGI locations.
    fastcgi_pass 127.0.0.1:9000;
}
## Hide the .git directory. A 404 (rather than a 403) is returned so the
## response does not disclose that the repository exists. '^~' makes this
## prefix final: no regex location is tried for a matching URI. Being a
## plain prefix, it also covers names such as /.gitignore.
## NOTE(review): only a .git at the document root is matched; other
## dotfiles or VCS directories are not handled in this file.
location ^~ /.git {
    return 404;
}
## Hide the patches directory: every URI starting with /patches gets a
## 404, and '^~' stops regex locations from being tried for it.
location ^~ /patches {
    return 404;
}
## Hide the drush backup directory: every URI starting with /backup gets
## a 404, and '^~' stops regex locations from being tried for it.
## NOTE(review): backups are better kept outside the document root
## altogether; this location is only a safety net for the default path.
location ^~ /backup {
    return 404;
}
## robots.txt: keep crawler hits out of the access log. The exact match
## ('=') is selected before any prefix or regex location, so this file
## stays reachable even though other .txt files are answered with a 404.
location = /robots.txt {
    access_log off;
}
## RSS feed: serve /rss.xml from disk when the file exists, otherwise
## hand the request to the @drupal-no-args named location.
location = /rss.xml {
    try_files $uri @drupal-no-args;
}
## XML sitemap: serve /sitemap.xml from disk when the file exists,
## otherwise hand the request to the @drupal-no-args named location.
location = /sitemap.xml {
    try_files $uri @drupal-no-args;
}
## Favicon: serve the file when present; when it is missing fall back to
## the @empty named location, which answers with a 1x1 transparent GIF.
location = /favicon.ico {
    try_files /favicon.ico @empty;
    expires 30d;
}
## Fallback for a missing favicon: a 1x1 transparent GIF generated in
## memory, cacheable for 30 days.
location @empty {
    empty_gif;
    expires 30d;
}
## Any other attempt to access PHP files returns a 404. Requests reach
## PHP only through the FastCGI locations defined in this file; a URI
## that itself ends in .php (any letter case, '~*') is refused here.
## The '^~' prefix locations and the exact-match locations are chosen
## before this regex is tried, so they are unaffected.
## NOTE(review): a URI with extra path after the script name does not
## end in .php and is not matched here - confirm that the FastCGI include
## used by @drupal fixes the script name.
location ~* ^.+\.php$ {
    return 404;
}