diff --git a/http/nginx/nginx_advanced_include.conf b/http/nginx/nginx_advanced_include.conf index a29e6e27aa85ec993216e7348e1b102f1d035bcb..50672c8be2bbfe6a11e6793f224017234ce2cbfe 100644 --- a/http/nginx/nginx_advanced_include.conf +++ b/http/nginx/nginx_advanced_include.conf @@ -5,18 +5,15 @@ ### ### deny crawlers without 403 response ### - if ($http_user_agent ~* (HTTrack|HTMLParser|libwww) ) { + if ( $http_user_agent ~* (?:HTTrack|HTMLParser|libwww|wget) ) { return 444; } ### - ### deny bots on never cached uri without 403 response + ### deny not compatible request methods without 405 response ### - location ~* ^/(user)|(admin) { - if ($http_user_agent ~* (crawl|goog|bot) ) { + if ( $request_method !~ ^(?:GET|HEAD|POST)$ ) { return 444; - } - try_files $uri $uri/ @cache; } ### 
@@ -24,29 +21,50 @@ ### http://drupal.org/project/filefield_nginx_progress ### http://github.com/masterzen/nginx-upload-progress-module ### - location ~ (.*)/x-progress-id:(\w*) { + location ~ (?:.*)/x-progress-id:(?:\w*) { rewrite ^(.*)/x-progress-id:(\w*) $1?X-Progress-ID=$2; } location ^~ /progress { report_uploads uploads; } + ### + ### deny bots on never cached uri without 403 response (and fix for Aegir & .info .pl domain ext) + ### + location ~* ^/(?:user|admin|hosting) { + if ( $http_user_agent ~* (?:crawl|goog|yahoo|spider|bot|yandex) ) { + return 444; + } + try_files $uri @cache; + } + + ### + ### deny stupid bots + ### + location ~* /node/add { + if ( $http_user_agent ~* (?:crawl|goog|yahoo|spider|bot|yandex) ) { + return 444; + } + access_log off; + try_files $uri @cache; + } + ### ### catch all unspecified requests ### location / { - try_files $uri $uri/ @cache; + try_files $uri @cache; } ### ### boost compatible cache check - nginx 0.7.27 or newer required with try_files support ### location @cache { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; + if ( $request_method !~ ^(?:GET|HEAD)$ ) { + return 405; } - if ($http_cookie ~ "DRUPAL_UID") { - return 405; + if ( $http_cookie ~ "DRUPAL_UID" ) { + return 405; } error_page 405 = @drupal; add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT"; 
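Review bot: `access_log off;` in the new `/node/add` location silences the request log for a content-creation path, which is exactly where the bot traffic that survives the user-agent regex (`(?:crawl|goog|yahoo|spider|bot|yandex)` only catches self-identifying clients) should stay auditable; the sibling `^/(?:user|admin|hosting)` location added in the same hunk keeps logging, so the two are also inconsistent. Suggest dropping `access_log off;` here, or directing it to a dedicated log file rather than disabling it. The `(?:...)` groups added to the `x-progress-id` location change nothing, since the following `rewrite` re-matches the URI with its own captures.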
@@ -64,44 +82,66 @@ } ### - ### deny listed requests for security reasons + ### deny listed requests for security reasons without 403 response ### - location ~* (/\..*|settings\.php$|\.(htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(Entries.*|Repository|Root|Tag|Template))$ { - deny all; + location ~* (/\..*|settings\.php$|\.(?:git|htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(?:\.php)?|xtmpl)$|^(?:Entries.*|Repository|Root|Tag|Template))$ { + return 444; } ### - ### deny php files here for security reasons (remove 'sites' to allow civicrm install) + ### deny listed requests for security reasons without 403 response ### - location ~* /(files|themes|sites)/.*\.php$ { - deny all; + location ~* (?:delete.+from|insert.+into|select.+from|union.+select|onload|script|\.php.+src|system\(.+|iframe|document\.cookie|alert|\;|\.\.) { + return 444; } + ### + ### allow some known php files (like serve.php in the ad module) + ### + location ~* /(?:modules|libraries)/(?:ad|tinybrowser|f?ckeditor|tinymce|wysiwyg_spellcheck)/.*\.php$ { + try_files $uri =404; + fastcgi_pass 127.0.0.1:9000; ### php-fpm listening on port 9000 + } + ### ### deny direct access to backups ### - location ~* ^/sites/(.*)/files/backup_migrate/ { + location ~* ^/sites/.*/files/backup_migrate/ { deny all; } - + + ### + ### deny direct access to private downloads ### - ### send all non-static requests to php-fpm + location ~* ^/sites/.*/private/ { + deny all; + } + + ### + ### send all non-static requests to php-fpm, restricted to known php files ### - location ~ \.php$ { + location ~* ^/(?:index|boost_stats|update|xmlrpc)\.php$ { try_files $uri @drupal; ### check for existence of php file first fastcgi_pass 127.0.0.1:9000; ### php-fpm listening on port 9000 track_uploads uploads 60s; ### required for upload progress } + ### + ### deny access to any not listed above php files + ### + location ~* ^.+\.php$ { + deny all; + } + ### ### make css 
files compatible with boost caching - nginx 0.7.27 or newer required with try_files support ### location ~ \.css$ { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; + if ( $request_method !~ ^(?:GET|HEAD)$ ) { + return 405; } - if ($http_cookie ~ "DRUPAL_UID") { - return 405; + if ( $http_cookie ~ "DRUPAL_UID" ) { + return 405; } error_page 405 = @uncached; access_log off; @@ -114,11 +154,11 @@ ### make js files compatible with boost caching - nginx 0.7.27 or newer required with try_files support ### location ~ \.js$ { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; + if ( $request_method !~ ^(?:GET|HEAD)$ ) { + return 405; } - if ($http_cookie ~ "DRUPAL_UID") { - return 405; + if ( $http_cookie ~ "DRUPAL_UID" ) { + return 405; } error_page 405 = @uncached; access_log off; @@ -131,11 +171,11 @@ ### make json compatible with boost caching - nginx 0.7.27 or newer required with try_files support ### location ~ \.json$ { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; + if ( $request_method !~ ^(?:GET|HEAD)$ ) { + return 405; } - if ($http_cookie ~ "DRUPAL_UID") { - return 405; + if ( $http_cookie ~ "DRUPAL_UID" ) { + return 405; } error_page 405 = @uncached; access_log off; 
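Review bot: The new allow-list `location ~* /(?:modules|libraries)/(?:ad|tinybrowser|f?ckeditor|tinymce|wysiwyg_spellcheck)/.*\.php$` is not anchored to the start of the URI, so it matches the directory names anywhere in the path, including below `/sites/*/files/`, the tree the other rules in this file treat as user file storage; a `.php` file under such a directory there would be handed to `fastcgi_pass 127.0.0.1:9000` instead of falling through to the catch-all `location ~* ^.+\.php$ { deny all; }`. Anchor the pattern to the module roots, e.g. `location ~* ^/(?:sites/[^/]+/)?(?:modules|libraries)/(?:ad|tinybrowser|f?ckeditor|tinymce|wysiwyg_spellcheck)/.*\.php$ {`, or place an explicit `location ~* /files/.*\.php$ { deny all; }` ahead of it (regex locations are tried in file order). The same unanchored location is introduced in nginx_simple_include.conf (hunk `@@ -1,168 +1,174 @@`).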
@@ -153,38 +193,48 @@ } ### - ### imagecache, crossdomain file for flash and (f)ckeditor support + ### imagecache, imagecache_external and (f)ckeditor support ### - location ~* /(files/imagecache)|(fckeditor)|(ckeditor)|(crossdomain)|(cross-domain)/ { + location ~* /(?:external|system|files/imagecache|files/styles|f?ckeditor)/ { access_log off; expires 30d; # fix common problems with old paths after import from standalone to Aegir multisite - rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)/(.*)/(.*)$ /sites/$1/files/imagecache/$2/$3/$4/$5 last; - rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)/(.*)$ /sites/$1/files/imagecache/$2/$3/$4 last; - rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$1/files/imagecache/$2/$3 last; - rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/images/(.*)$ /sites/$1/files/imagecache/$2/images/$3 last; - rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/www\.(.*)/files/(.*)$ /sites/$1/files/imagecache/$2/$4 last; + rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$host/files/imagecache/$2/$3 last; + rewrite ^/files/imagecache/(.*)$ /sites/$host/files/imagecache/$1 last; + rewrite ^/files/styles/(.*)$ /sites/$host/files/styles/$1 last; try_files $uri @drupal; } ### ### serve & no-log static files & images directly, without all standard drupal rewrites, php-fpm etc. 
### - location ~* ^.+\.(jpg|jpeg|gif|png|ico|swf|pdf|doc|xls|tiff|tif|txt|shtml|cgi|bat|pl|dll|asp|exe|class)$ { + location ~* ^.+\.(?:jpe?g|gif|png|ico|swf|pdf|doc|xls|tiff?|txt|cgi|bat|pl|dll|aspx?|exe|class)$ { access_log off; expires 30d; - # allow files to be accessed without /sites/fqdn/ - rewrite ^/files/(.*)$ /sites/$host/files/$1 last; + # allow files/images/downloads to be accessed without /sites/fqdn/ + rewrite ^/files/(.*)$ /sites/$host/files/$1 last; + rewrite ^/images/(.*)$ /sites/$host/files/images/$1 last; + rewrite ^/downloads/(.*)$ /sites/$host/files/downloads/$1 last; try_files $uri =404; } ### ### serve & log bigger media/static/archive files directly, without all standard drupal rewrites, php-fpm etc. ### - location ~* ^.+\.(avi|mpg|mpeg|mov|wmv|mp3|mp4|m4a|flv|wav|midi|zip|gz|rar)$ { + location ~* ^.+\.(?:avi|mpe?g|mov|wmv|mp3|mp4|m4a|ogg|flv|wav|midi|zip|t?gz|rar)$ { + expires 30d; + # allow files/downloads to be accessed without /sites/fqdn/ + rewrite ^/files/(.*)$ /sites/$host/files/$1 last; + rewrite ^/downloads/(.*)$ /sites/$host/files/downloads/$1 last; + try_files $uri =404; + } + + ### + ### serve & no-log some static files as is, without forcing default_type + ### + location ~* /(?:cross-?domain)\.xml$ { + access_log off; expires 30d; - # allow files to be accessed without /sites/fqdn/ - rewrite ^/files/(.*)$ /sites/$host/files/$1 last; try_files $uri =404; } 
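Review bot: The widened `location ~* /(?:external|system|files/imagecache|files/styles|f?ckeditor)/` now applies `expires 30d` and `access_log off` to every URI containing `/system/`, and because those requests fall through `try_files $uri @drupal` to PHP, nginx's `expires` can stamp a 30-day `Expires`/`Cache-Control` onto a dynamic response; if the site uses Drupal's private download path under `/system/files/`, that also marks private downloads as long-cacheable and removes their access log. If `/system/` is only needed for `imagecache_external`, narrow the alternative to that path; otherwise keep `/system/` out of this location or give it its own block without `expires`. The `$1` capture in the first `rewrite` is no longer used now that `$host` replaces it, so `^/sites/(.*)/files/imagecache/` could become `^/sites/[^/]+/files/imagecache/` to avoid a greedy capture. The same change appears in nginx_simple_include.conf (hunk `@@ -174,84 +180,80 @@`).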
@@ -192,16 +242,16 @@ ### make feeds compatible with boost caching and set correct mime type - nginx 0.7.27 or newer required with try_files support ### location ~* \.xml$ { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; + if ( $request_method !~ ^(?:GET|HEAD)$ ) { + return 405; } - if ($http_cookie ~ "DRUPAL_UID") { - return 405; + if ( $http_cookie ~ "DRUPAL_UID" ) { + return 405; } error_page 405 = @drupal; add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT"; add_header Cache-Control "must-revalidate, post-check=0, pre-check=0"; - add_header X-Header "Boost Citrus 2.4"; + add_header X-Header "Boost Citrus 2.4"; charset utf-8; types { } default_type application/rss+xml; @@ -212,11 +262,11 @@ ### make feeds compatible with Boost caching and set correct mime type - nginx 0.7.27 or newer required with try_files support ### location ~* /feed$ { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; + if ( $request_method !~ ^(?:GET|HEAD)$ ) { + return 405; } - if ($http_cookie ~ "DRUPAL_UID") { - return 405; + if ( $http_cookie ~ "DRUPAL_UID" ) { + return 405; } error_page 405 = @drupal; add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT"; diff --git a/http/nginx/nginx_service.inc b/http/nginx/nginx_service.inc index 0acf70d2ab6e69e0aafa6c1cef750814b45c6fcb..a9814498e377f8a3a3d9d1d61f701482a91f058a 100644 --- a/http/nginx/nginx_service.inc +++ b/http/nginx/nginx_service.inc 
@@ -22,8 +22,9 @@ class provisionService_http_nginx extends provisionService_http_public { $this->server->shell_exec('nginx -V'); $this->server->nginx_has_gzip = preg_match("/(with-http_gzip_static_module)/", implode('', drush_shell_exec_output()), $match); $this->server->nginx_has_upload_progress = preg_match("/(nginx-upload-progress-module)/", implode('', drush_shell_exec_output()), $match); - $this->server->nginx_has_new_version = preg_match("/(nginx\/0\.8\.)/", implode('', drush_shell_exec_output()), $match); - + $this->server->nginx_has_new_version = preg_match("/(Barracuda\/0\.9\.)/", implode('', drush_shell_exec_output()), $match); + $this->server->provision_db_cloaking = FALSE; + $this->server->nginx_web_server = 1; } function verify_server_cmd() { diff --git a/http/nginx/nginx_simple_include.conf b/http/nginx/nginx_simple_include.conf index f9ff2d8b1e35ae4245c17fca62894898bea68dc5..8d39ace26c2ca1878288849687c581b5effaec69 100644 --- a/http/nginx/nginx_simple_include.conf +++ b/http/nginx/nginx_simple_include.conf 
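Review bot: `nginx_has_new_version` is now derived from matching `Barracuda/0.9.` in the `nginx -V` output, so the flag no longer says anything about the nginx version: a stock 0.8 or newer build, which the old pattern accepted, now yields `0` and receives the simple include, and only a vendor build carrying that banner gets the advanced one. If the intent is to gate on that build, rename the property (e.g. `nginx_is_barracuda`) and document it; if the intent is still the version, keep a version regex such as `preg_match("/nginx\/(?:0\.[89]|[1-9])\./", ...)`. All three `preg_match` calls pass `$match` without reading it; omitting the third argument is clearer. The enclosing method starts and ends outside the hunk.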
@@ -1,168 +1,174 @@ ####################################################### -### nginx.conf site pre 0.7.27 vhost include start +### nginx.conf site standard vhost include start ####################################################### ### ### deny crawlers without 403 response ### - if ($http_user_agent ~* (HTTrack|HTMLParser|libwww) ) { + if ( $http_user_agent ~* (?:HTTrack|HTMLParser|libwww|wget) ) { return 444; } ### - ### deny bots on never cached uri without 403 response + ### deny not compatible request methods without 405 response ### - location ~* ^/(user)|(admin) { - if ($http_user_agent ~* (crawl|goog|bot) ) { + if ( $request_method !~ ^(?:GET|HEAD|POST)$ ) { return 444; + } + + ### + ### deny bots on never cached uri without 403 response (and fix for Aegir & .info .pl domain ext) + ### + location ~* ^/(?:user|admin|hosting) { + if ( $http_user_agent ~* (?:crawl|goog|yahoo|spider|bot|yandex) ) { + return 444; } - #try_files $uri $uri/ @cache; - if (!-e $request_filename) { - break; + try_files $uri @cache; + } + + ### + ### deny stupid bots + ### + location ~* /node/add { + if ( $http_user_agent ~* (?:crawl|goog|yahoo|spider|bot|yandex) ) { + return 444; } - error_page 404 = @cache; + access_log off; + try_files $uri @cache; } - + ### ### catch all unspecified requests ### location / { - #try_files $uri $uri/ @cache; - if (!-e $request_filename) { - break; - } - error_page 404 = @cache; + try_files $uri @cache; } ### - ### boost compatible cache check + ### boost compatible cache check - nginx 0.7.27 or newer required with try_files support ### location @cache { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; + if ( $request_method !~ ^(?:GET|HEAD)$ ) { + return 405; } - if ($http_cookie ~ "DRUPAL_UID") { - return 405; + if ( $http_cookie ~ "DRUPAL_UID" ) { + return 405; } error_page 405 = @drupal; add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT"; add_header Cache-Control "must-revalidate, post-check=0, pre-check=0"; add_header X-Header "Boost 
Citrus 1.9"; charset utf-8; - #try_files /cache/normal/$host${uri}_$args.html @drupal; - if (-f $document_root/cache/normal/$host${uri}_$args.html) { - rewrite ^/(.+)$ /cache/normal/$host${uri}_$args.html last; - break; - } - error_page 404 = @drupal; + try_files /cache/normal/$host${uri}_$args.html @drupal; } ### ### send all not cached requests to drupal with clean URLs support ### location @drupal { - if (!-e $request_filename) { - rewrite ^/\?q=([^.]+)$ /index.php?q=$1 last; - rewrite ^/(.*)$ /index.php?q=$1 last; - break; - } + rewrite ^/(.*)$ /index.php?q=$1 last; } ### - ### deny listed requests for security reasons + ### deny listed requests for security reasons without 403 response ### - location ~* (/\..*|settings\.php$|\.(htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(Entries.*|Repository|Root|Tag|Template))$ { - deny all; + location ~* (/\..*|settings\.php$|\.(?:git|htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(?:\.php)?|xtmpl)$|^(?:Entries.*|Repository|Root|Tag|Template))$ { + return 444; } ### - ### deny php files here for security reasons (remove 'sites' to allow civicrm install) + ### deny listed requests for security reasons without 403 response ### - location ~* /(files|themes|sites)/.*\.php$ { - deny all; + location ~* (?:delete.+from|insert.+into|select.+from|union.+select|onload|script|\.php.+src|system\(.+|iframe|document\.cookie|alert|\;|\.\.) 
{ + return 444; } + ### + ### allow some known php files (like serve.php in the ad module) + ### + location ~* /(?:modules|libraries)/(?:ad|tinybrowser|f?ckeditor|tinymce|wysiwyg_spellcheck)/.*\.php$ { + try_files $uri =404; + fastcgi_pass 127.0.0.1:9000; ### php-fpm listening on port 9000 + } + ### ### deny direct access to backups ### - location ~* ^/sites/(.*)/files/backup_migrate/ { + location ~* ^/sites/.*/files/backup_migrate/ { deny all; } - + + ### + ### deny direct access to private downloads + ### + location ~* ^/sites/.*/private/ { + deny all; + } + ### - ### send all non-static requests to php-fpm + ### send all non-static requests to php-fpm, restricted to known php files ### - location ~ \.php$ { - if ( $uri !~ "/(files|themes|sites)/") { + location ~* ^/(?:index|boost_stats|update|xmlrpc)\.php$ { + try_files $uri @drupal; ### check for existence of php file first fastcgi_pass 127.0.0.1:9000; ### php-fpm listening on port 9000 - } - error_page 404 = @drupal; } ### - ### make css files compatible with boost caching + ### deny access to any not listed above php files + ### + location ~* ^.+\.php$ { + deny all; + } + + ### + ### make css files compatible with boost caching - nginx 0.7.27 or newer required with try_files support ### location ~ \.css$ { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; + if ( $request_method !~ ^(?:GET|HEAD)$ ) { + return 405; } - if ($http_cookie ~ "DRUPAL_UID") { - return 405; + if ( $http_cookie ~ "DRUPAL_UID" ) { + return 405; } error_page 405 = @uncached; access_log off; expires max; #if using aggregator add_header X-Header "Boost Citrus 2.1"; - #try_files /cache/perm/$host${uri}_.css $uri =404; - if (-f $document_root/cache/perm/$host${uri}_$args.html) { - rewrite ^/(.+)$ /cache/perm/$host${uri}_$args.html last; - break; - } - error_page 404 = @drupal; + try_files /cache/perm/$host${uri}_.css $uri =404; } ### - ### make js files compatible with boost caching + ### make js files compatible with boost caching - 
nginx 0.7.27 or newer required with try_files support ### location ~ \.js$ { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; + if ( $request_method !~ ^(?:GET|HEAD)$ ) { + return 405; } - if ($http_cookie ~ "DRUPAL_UID") { - return 405; + if ( $http_cookie ~ "DRUPAL_UID" ) { + return 405; } error_page 405 = @uncached; access_log off; expires max; # if using aggregator add_header X-Header "Boost Citrus 2.2"; - #try_files /cache/perm/$host${uri}_.js $uri =404; - if (-f $document_root/cache/perm/$host${uri}_$args.html) { - rewrite ^/(.+)$ /cache/perm/$host${uri}_$args.html last; - break; - } - error_page 404 = @drupal; + try_files /cache/perm/$host${uri}_.js $uri =404; } ### - ### make json compatible with boost caching + ### make json compatible with boost caching - nginx 0.7.27 or newer required with try_files support ### location ~ \.json$ { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; + if ( $request_method !~ ^(?:GET|HEAD)$ ) { + return 405; } - if ($http_cookie ~ "DRUPAL_UID") { - return 405; + if ( $http_cookie ~ "DRUPAL_UID" ) { + return 405; } error_page 405 = @uncached; access_log off; expires max; ### if using aggregator add_header X-Header "Boost Citrus 2.3"; - #try_files /cache/normal/$host${uri}_.json $uri =404; - if (-f $document_root/cache/normal/$host${uri}_$args.html) { - rewrite ^/(.+)$ /cache/normal/$host${uri}_$args.html last; - break; - } - error_page 404 = @drupal; + try_files /cache/normal/$host${uri}_.json $uri =404; } ### 
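Review bot: The new blocklist `location ~* (?:delete.+from|insert.+into|select.+from|union.+select|onload|script|\.php.+src|system\(.+|iframe|document\.cookie|alert|\;|\.\.)` matches the normalized `$uri` only, never `$args`, and it is an unanchored substring match, so legitimate paths such as `/scripts/...` or `/alerts` are answered with 444 while query-string content is not examined at all. If the block is kept, bound the bare words (`\b(?:onload|script|iframe|alert)\b`, or an explicit path list) and state in the header comment that this is a path-only heuristic, not request filtering; the `\.\.` alternative is already resolved by nginx URI normalisation and can go. The same block is added to nginx_advanced_include.conf (hunk `@@ -64,44 +82,66 @@`). `error_page 405 = @uncached` references a location that is defined nowhere in this diff; confirm it exists in the untouched part of the file.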
@@ -174,84 +180,80 @@ } ### - ### imagecache and (f)ckeditor support + ### imagecache, imagecache_external and (f)ckeditor support ### - location ~* /(files/imagecache)|(fckeditor)|(ckeditor)/ { + location ~* /(?:external|system|files/imagecache|files/styles|f?ckeditor)/ { access_log off; expires 30d; # fix common problems with old paths after import from standalone to Aegir multisite - rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)/(.*)/(.*)$ /sites/$1/files/imagecache/$2/$3/$4/$5 last; - rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/images/(.*)$ /sites/$1/files/imagecache/$2/images/$3 last; - #try_files $uri @drupal; - if (!-e $request_filename) { - break; - } - error_page 404 = @drupal; + rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$host/files/imagecache/$2/$3 last; + rewrite ^/files/imagecache/(.*)$ /sites/$host/files/imagecache/$1 last; + rewrite ^/files/styles/(.*)$ /sites/$host/files/styles/$1 last; + try_files $uri @drupal; } ### ### serve & no-log static files & images directly, without all standard drupal rewrites, php-fpm etc. ### - location ~* ^.+\.(jpg|jpeg|gif|png|ico|swf|pdf|doc|xls|tiff|tif|txt|shtml|cgi|bat|pl|dll|asp|exe|class)$ { + location ~* ^.+\.(?:jpe?g|gif|png|ico|swf|pdf|doc|xls|tiff?|txt|cgi|bat|pl|dll|aspx?|exe|class)$ { access_log off; expires 30d; - # allow files to be accessed without /sites/fqdn/ - rewrite ^/files/(.*)$ /sites/$host/files/$1 last; - #try_files $uri =404; - if (!-e $request_filename) { - break; - } - error_page 404 /50x.html; + # allow files/images/downloads to be accessed without /sites/fqdn/ + rewrite ^/files/(.*)$ /sites/$host/files/$1 last; + rewrite ^/images/(.*)$ /sites/$host/files/images/$1 last; + rewrite ^/downloads/(.*)$ /sites/$host/files/downloads/$1 last; + try_files $uri =404; } ### ### serve & log bigger media/static/archive files directly, without all standard drupal rewrites, php-fpm etc. 
### - location ~* ^.+\.(avi|mpg|mpeg|mov|wmv|mp3|mp4|m4a|flv|wav|midi|zip|gz|rar)$ { + location ~* ^.+\.(?:avi|mpe?g|mov|wmv|mp3|mp4|m4a|ogg|flv|wav|midi|zip|t?gz|rar)$ { expires 30d; - # allow files to be accessed without /sites/fqdn/ - rewrite ^/files/(.*)$ /sites/$host/files/$1 last; - #try_files $uri =404; - if (!-e $request_filename) { - break; - } - error_page 404 /50x.html; + # allow files/downloads to be accessed without /sites/fqdn/ + rewrite ^/files/(.*)$ /sites/$host/files/$1 last; + rewrite ^/downloads/(.*)$ /sites/$host/files/downloads/$1 last; + try_files $uri =404; } ### - ### make feeds compatible with boost caching and set correct mime type + ### serve & no-log some static files as is, without forcing default_type + ### + location ~* /(?:cross-?domain)\.xml$ { + access_log off; + expires 30d; + try_files $uri =404; + } + + ### + ### make feeds compatible with boost caching and set correct mime type - nginx 0.7.27 or newer required with try_files support ### location ~* \.xml$ { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; + if ( $request_method !~ ^(?:GET|HEAD)$ ) { + return 405; } - if ($http_cookie ~ "DRUPAL_UID") { - return 405; + if ( $http_cookie ~ "DRUPAL_UID" ) { + return 405; } error_page 405 = @drupal; add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT"; add_header Cache-Control "must-revalidate, post-check=0, pre-check=0"; - add_header X-Header "Boost Citrus 2.4"; + add_header X-Header "Boost Citrus 2.4"; charset utf-8; types { } default_type application/rss+xml; - #try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html $uri @drupal; - if (-f $document_root/cache/normal/$host${uri}_.xml) { - rewrite ^/(.+)$ /cache/normal/$host${uri}_.xml last; - break; - } - error_page 404 = @drupal; + try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html $uri @drupal; } ### - ### make feeds compatible with Boost caching and set correct mime type + ### make feeds compatible with Boost caching and set correct 
mime type - nginx 0.7.27 or newer required with try_files support ### location ~* /feed$ { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; + if ( $request_method !~ ^(?:GET|HEAD)$ ) { + return 405; } - if ($http_cookie ~ "DRUPAL_UID") { - return 405; + if ( $http_cookie ~ "DRUPAL_UID" ) { + return 405; } error_page 405 = @drupal; add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT"; @@ -260,22 +262,10 @@ charset utf-8; types { } default_type application/rss+xml; - #try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html $uri @drupal; - if (-f $document_root/cache/normal/$host${uri}_.xml) { - rewrite ^/(.+)$ /cache/normal/$host${uri}_.xml last; - break; - } - error_page 404 = @drupal; - } - - ### - ### helper location for static files 404 error - ### - location = /50x.html { - root /var/www/nginx-default; + try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html $uri @drupal; } ####################################################### -### nginx.conf site pre 0.7.27 vhost include end +### nginx.conf site standard vhost include end ####################################################### diff --git a/http/nginx/server.tpl.php b/http/nginx/server.tpl.php index 8a8b98817a7775d491bd319646bd3a666691a986..16f778c334b9d070de22718b91caf5aac0977e66 100644 --- a/http/nginx/server.tpl.php +++ b/http/nginx/server.tpl.php 
@@ -25,26 +25,48 @@ fastcgi_param REDIRECT_STATUS 200; fastcgi_index index.php; + ## Default index files + index index.php index.html; + ## Size Limits client_body_buffer_size 64k; client_header_buffer_size 32k; - client_max_body_size 50m; + client_max_body_size 100m; large_client_header_buffers 32 32k; connection_pool_size 256; request_pool_size 4k; - server_names_hash_bucket_size 128; + server_names_hash_bucket_size 512; + server_names_hash_max_size 8192; types_hash_max_size 8192; - types_hash_bucket_size 128; + types_hash_bucket_size 512; + fastcgi_buffer_size 128k; + fastcgi_buffers 256 4k; + fastcgi_busy_buffers_size 256k; + fastcgi_temp_file_write_size 256k; ## Timeouts client_body_timeout 60; client_header_timeout 60; send_timeout 60; + lingering_time 30; + lingering_timeout 5; + fastcgi_connect_timeout 60; + fastcgi_send_timeout 300; + fastcgi_read_timeout 300; + ## FastCGI Caching + fastcgi_cache_path /var/lib/nginx/speed + levels=2:2:2 + keys_zone=speed:50m + inactive=8h + max_size=1g; + ## General Options ignore_invalid_headers on; limit_zone gulag $binary_remote_addr 10m; recursive_error_pages on; + reset_timedout_connection on; + fastcgi_intercept_errors on; ## TCP options tcp_nopush on; @@ -62,12 +84,14 @@ gzip_vary on; gzip_proxied any; gzip_disable "MSIE [1-6]\."; -<?php -if ($server->nginx_has_gzip) { - print ' gzip_static on\;'; +<?php +$nginx_has_gzip = drush_get_option('nginx_has_gzip'); +if ($nginx_has_gzip) { + print " gzip_static on;\n"; } -if ($server->nginx_has_upload_progress) { - print ' upload_progress uploads 1m\;'; +$nginx_has_upload_progress = drush_get_option('nginx_has_upload_progress'); +if ($nginx_has_upload_progress) { + print " upload_progress uploads 1m;\n"; } ?> diff --git a/http/nginx/vhost.tpl.php b/http/nginx/vhost.tpl.php index 4a4242d8c021decc6cf1f9f59948ab958345acd4..a7ef4f30a600999fadb2b430a08d37484fcce979 100644 --- a/http/nginx/vhost.tpl.php +++ b/http/nginx/vhost.tpl.php 
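Review bot: The template now reads `drush_get_option('nginx_has_gzip')` and `drush_get_option('nginx_has_upload_progress')`, but the only place this diff produces those values is nginx_service.inc, which assigns `$this->server->nginx_has_gzip` and `$this->server->nginx_has_upload_progress`; unless the server context mirrors its properties into drush options (not visible here), both lookups return NULL and `gzip_static on;` / `upload_progress uploads 1m;` are silently never emitted. Either keep reading `$server->nginx_has_gzip` here or `drush_set_option()` the flags where they are detected. The new `fastcgi_cache_path /var/lib/nginx/speed ... keys_zone=speed:50m` is not referenced by any `fastcgi_cache speed` in the diff; if nothing uses it, it only reserves shared memory and requires that directory to exist at startup. Note also that `client_max_body_size 100m` doubles the accepted request body for every vhost at once.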
@@ -1,25 +1,35 @@ -server { -<?php - print " include " . $server->include_path . "/fastcgi_params.conf;\n"; +<?php +if ($ssl_redirection || $this->redirection) { + // Redirect all aliases to the main http url using separate vhosts blocks to avoid if{} in Nginx. + foreach ($this->aliases as $alias_url) { + print "server {\n"; + print " listen {$ip_address}:{$http_port};\n"; + print " server_name {$alias_url};\n"; + print " rewrite ^ \$scheme://{$this->uri}\$request_uri? permanent;\n"; + print "}\n"; + } +} ?> + +server { + include <?php print "{$server->include_path}"; ?>/fastcgi_params.conf; limit_conn gulag 10; # like mod_evasive - this allows max 10 simultaneous connections from one IP address listen <?php print $ip_address . ':' . $http_port; ?>; - server_name <?php print $this->uri . ' ' . implode(' ', $this->aliases); ?>; - root <?php print $this->root; ?>; - index index.php index.html; + server_name <?php print $this->uri; ?><?php if (!$this->redirection && is_array($this->aliases)) : foreach ($this->aliases as $alias_url) : if (trim($alias_url)) : ?> <?php print $alias_url; ?><?php endif; endforeach; endif; ?>; + root <?php print "{$this->root}"; ?>; <?php +$nginx_has_new_version = drush_get_option('nginx_has_new_version'); +$nginx_has_upload_progress = drush_get_option('nginx_has_upload_progress'); if ($this->redirection || $ssl_redirection) { if ($ssl_redirection && !$this->redirection) { // redirect aliases in non-ssl to the same alias on ssl. - print "\n rewrite ^/(.*)$ https://\$host/$1 permanent;\n"; + print "\n rewrite ^ https://\$host\$request_uri? permanent;\n"; } elseif ($ssl_redirection && $this->redirection) { // redirect all aliases + main uri to the main https uri. - print "\n rewrite ^/(.*)$ https://{$this->uri}/$1 permanent;\n"; + print "\n rewrite ^ https://{$this->uri}\$request_uri? permanent;\n"; } elseif (!$ssl_redirection && $this->redirection) { - // Redirect all aliases to the main http url. 
- print "\n if (\$host !~ ^({$this->uri})$ ) {\n rewrite ^/(.*)$ http://{$this->uri}/$1 permanent;\n }\n"; if ($server->nginx_has_new_version || $server->nginx_has_upload_progress) { print " include " . $server->include_path . "/nginx_advanced_include.conf;\n"; } diff --git a/http/nginx/vhost_disabled.tpl.php b/http/nginx/vhost_disabled.tpl.php index d1495077758fe611ee7a0f06468924c9f7f21f48..6ac7bfd4add49a6dc833c2e5eedcbe33125a19cf 100644 --- a/http/nginx/vhost_disabled.tpl.php +++ b/http/nginx/vhost_disabled.tpl.php @@ -1,11 +1,8 @@ server { listen <?php print $ip_address . ':' . $http_port; ?>; server_name <?php print $this->uri . ' ' . implode(' ', $this->aliases); ?>; - root <?php print $this->root; ?>; - index index.php index.html; - location / { - root /var/www/nginx-default; - index index.html index.htm; - rewrite ^/(.*)$ <?php print $this->platform->server->web_disable_url . '/' . $this->uri ?>? permanent; - } + root /var/www/nginx-default; + index index.html index.htm; + + ### Dont't reveal Aegir front-end URL here. } diff --git a/http/nginx_ssl/vhost_ssl.tpl.php b/http/nginx_ssl/vhost_ssl.tpl.php index c2ee59f30e616a21381229cbf98d46f0382deba8..036ccb822f9567ee3cf8cf22a365e01e3d034bbc 100644 --- a/http/nginx_ssl/vhost_ssl.tpl.php +++ b/http/nginx_ssl/vhost_ssl.tpl.php 
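Review bot: `$nginx_has_new_version` and `$nginx_has_upload_progress` are assigned from `drush_get_option()` in this hunk but never used: the include selection below still reads `$server->nginx_has_new_version || $server->nginx_has_upload_progress`, whereas vhost_ssl.tpl.php was switched to the new locals, so the two templates now disagree on where the flags come from. Change that condition to `if ($nginx_has_new_version || $nginx_has_upload_progress) {` (or drop the two assignments). Separately, the alias redirect loop runs for `$ssl_redirection || $this->redirection`, while the main `server_name` line omits aliases only when `$this->redirection` is set, so in the `$ssl_redirection && !$this->redirection` case each alias appears both in its own redirect `server {}` (sent to `$scheme://{$this->uri}`, the main http URL) and in the main block; nginx will warn about the conflicting server name, and the "same alias on ssl" rewrite is never reached for aliases. The loop also prints `server_name {$alias_url};` without the `trim()` guard the main line uses, so an empty alias yields a bare `server_name ;`. The enclosing PHP `if`/`elseif` chain continues outside the hunk.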
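Review bot: The new comment `### Dont't reveal Aegir front-end URL here.` has a typo and is the only line explaining why the redirect to `web_disable_url` was removed, so it should also say what is served instead; suggest `### Don't reveal the Aegir front-end URL here; serve the static placeholder from /var/www/nginx-default instead.` The same comment is added to vhost_ssl_disabled.tpl.php.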
@@ -1,28 +1,36 @@ <?php if ($this->ssl_enabled && $this->ssl_key) : ?> -server { -<?php - print " include " . $server->include_path . "/fastcgi_ssl_params.conf;\n"; +<?php +if ($this->redirection) { + // Redirect all aliases to the main https url using separate vhosts blocks to avoid if{} in Nginx. + foreach ($this->aliases as $alias_url) { + print "server {\n"; + print " listen {$ip_address}:{$http_ssl_port};\n"; + print " server_name {$alias_url};\n"; + print " rewrite ^ \$scheme://{$this->uri}\$request_uri? permanent;\n"; + print "}\n"; + } +} ?> + +server { + include <?php print "{$server->include_path}"; ?>/fastcgi_ssl_params.conf; limit_conn gulag 10; # like mod_evasive - this allows max 10 simultaneous connections from one IP address listen <?php print "{$ip_address}:{$http_ssl_port}"; ?>; - server_name <?php print $this->uri . ' ' . implode(' ', $this->aliases); ?>; - root <?php print $this->root; ?>; - index index.php index.html; + server_name <?php print $this->uri; ?><?php if (!$this->redirection && is_array($this->aliases)) : foreach ($this->aliases as $alias_url) : if (trim($alias_url)) : ?> <?php print $alias_url; ?><?php endif; endforeach; endif; ?>; + root <?php print "{$this->root}"; ?>; ssl on; ssl_certificate <?php print $ssl_cert; ?>; ssl_certificate_key <?php print $ssl_cert_key; ?>; - ssl_protocols SSLv2 SSLv3 TLSv1; - ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; + ssl_protocols SSLv3 TLSv1; + ssl_ciphers HIGH:!ADH:!MD5; ssl_prefer_server_ciphers on; keepalive_timeout 70; <?php - if ($this->redirection) { - // Redirect all aliases to the main https url. 
- print "\n if (\$host !~ ^({$this->uri})$ ) {\n rewrite ^/(.*)$ https://{$this->uri}/$1 permanent;\n }\n"; - } - if ($server->nginx_has_new_version || $server->nginx_has_upload_progress) { +$nginx_has_new_version = drush_get_option('nginx_has_new_version'); +$nginx_has_upload_progress = drush_get_option('nginx_has_upload_progress'); + if ($nginx_has_new_version || $nginx_has_upload_progress) { print " include " . $server->include_path . "/nginx_advanced_include.conf;\n"; } else { diff --git a/http/nginx_ssl/vhost_ssl_disabled.tpl.php b/http/nginx_ssl/vhost_ssl_disabled.tpl.php index 0ac78b597e6888832c69b9af4557363d3023d919..37479213cb1bc7ba914f48217db2cc41e8a0e13e 100644 --- a/http/nginx_ssl/vhost_ssl_disabled.tpl.php +++ b/http/nginx_ssl/vhost_ssl_disabled.tpl.php @@ -2,28 +2,21 @@ <?php if ($this->ssl_enabled && $this->ssl_key) : ?> server { -<?php - print " include " . $server->include_path . "/fastcgi_ssl_params.conf;\n"; -?> + include <?php print "{$server->include_path}"; ?>/fastcgi_ssl_params.conf; limit_conn gulag 10; # like mod_evasive - this allows max 10 simultaneous connections from one IP address listen <?php print "{$ip_address}:{$http_ssl_port}"; ?>; server_name <?php print $this->uri . ' ' . implode(' ', $this->aliases); ?>; - root <?php print $this->root; ?>; - index index.php index.html; + root /var/www/nginx-default; + index index.html index.htm; ssl on; ssl_certificate <?php print $ssl_cert; ?>; ssl_certificate_key <?php print $ssl_cert_key; ?>; - ssl_protocols SSLv2 SSLv3 TLSv1; - ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; + ssl_protocols SSLv3 TLSv1; + ssl_ciphers HIGH:!ADH:!MD5; ssl_prefer_server_ciphers on; keepalive_timeout 70; - - location / { - root /var/www/nginx-default; - index index.html index.htm; - rewrite ^/(.*)$ <?php print $this->platform->server->web_disable_url . '/' . $this->uri ?>? permanent; - } - + + ### Dont't reveal Aegir front-end URL here. } <?php endif; ?>
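Review bot: The alias redirect `server {}` blocks generated at the top listen on `{$ip_address}:{$http_ssl_port}` but carry none of the `ssl on` / `ssl_certificate` / `ssl_certificate_key` directives the main block below has, so unless those are inherited from the http level (not visible here) they would be plain-HTTP servers on the TLS port and `rewrite ^ \$scheme://...` would build `http://` URLs; print the ssl directives inside the loop or confirm they are set globally. `ssl_protocols SSLv3 TLSv1;` rightly drops SSLv2, but SSLv3 is itself obsolete, and `ssl_ciphers HIGH:!ADH:!MD5;` excludes only one anonymous family by name; prefer `ssl_protocols TLSv1;` (adding TLSv1.1/1.2 where the OpenSSL build allows) and `ssl_ciphers HIGH:!aNULL:!MD5;`. The same protocol and cipher lines are changed in vhost_ssl_disabled.tpl.php. The `<?php if ($this->ssl_enabled ...) :` wrapper and the include selection continue outside the hunk.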