diff --git a/http/nginx/nginx_advanced_include.conf b/http/nginx/nginx_advanced_include.conf
index a29e6e27aa85ec993216e7348e1b102f1d035bcb..50672c8be2bbfe6a11e6793f224017234ce2cbfe 100644
--- a/http/nginx/nginx_advanced_include.conf
+++ b/http/nginx/nginx_advanced_include.conf
@@ -5,18 +5,15 @@
     ###
     ### deny crawlers without 403 response
     ###
-    if ($http_user_agent ~* (HTTrack|HTMLParser|libwww) ) {
+    if ( $http_user_agent ~* (?:HTTrack|HTMLParser|libwww|wget) ) {
          return 444;
     }
 
     ###
-    ### deny bots on never cached uri without 403 response
+    ### deny not compatible request methods without 405 response
     ###
-    location ~* ^/(user)|(admin) {
-      if ($http_user_agent ~* (crawl|goog|bot) ) {
+    if ( $request_method !~ ^(?:GET|HEAD|POST)$ ) {
          return 444;
-      }
-      try_files $uri $uri/ @cache;
     }
     
     ###
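Review bot: Adding `wget` to the server-level user-agent block at L10 (and L327 in nginx_simple_include.conf) also drops any cron or monitoring job that fetches the site with a stock wget, which was a common way to drive Drupal's `/cron.php`; if that is still in use on this platform it now gets a 444 with nothing in the response to explain why. Either state in the comment at L7 that cron must run via drush, or key the check on both agent and source, e.g. a `map` in http context producing a flag that is only set when `$remote_addr` is not the local host, and test that flag here instead of `$http_user_agent` directly.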
@@ -24,29 +21,50 @@
     ### http://drupal.org/project/filefield_nginx_progress
     ### http://github.com/masterzen/nginx-upload-progress-module
     ###
-    location ~ (.*)/x-progress-id:(\w*) {
+    location ~ (?:.*)/x-progress-id:(?:\w*) {
         rewrite ^(.*)/x-progress-id:(\w*)  $1?X-Progress-ID=$2;
     }
     location ^~ /progress {
         report_uploads uploads;
     }
     
+    ###
+    ### deny bots on never cached uri without 403 response (and fix for Aegir & .info .pl domain ext)
+    ###
+    location ~* ^/(?:user|admin|hosting) {
+      if ( $http_user_agent ~* (?:crawl|goog|yahoo|spider|bot|yandex) ) {
+           return 444;
+      }
+      try_files $uri @cache;
+    }
+
+    ###
+    ### deny stupid bots
+    ###
+    location ~* /node/add {
+      if ( $http_user_agent ~* (?:crawl|goog|yahoo|spider|bot|yandex) ) {
+           return 444;
+      }
+      access_log  off;
+      try_files $uri @cache;
+    }
+
     ###
     ### catch all unspecified requests
     ###
     location / {
-        try_files $uri $uri/ @cache;
+        try_files $uri @cache;
     }
 
     ###
     ### boost compatible cache check - nginx 0.7.27 or newer required with try_files support
     ###
     location @cache {
-        if ( $request_method !~ ^(GET|HEAD)$ ) {
-            return 405;
+        if ( $request_method !~ ^(?:GET|HEAD)$ ) {
+             return 405;
         }
-        if ($http_cookie ~ "DRUPAL_UID") {
-            return 405;
+        if ( $http_cookie ~ "DRUPAL_UID" ) {
+             return 405;
         }
         error_page 405 = @drupal;
         add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";        
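Review bot: The bot pattern `(?:crawl|goog|yahoo|spider|bot|yandex)` is now written out twice, at L43 and L53 (and again at L345 and L358 in nginx_simple_include.conf), so the two lists will drift the first time one is edited. A single `map $http_user_agent $deny_bot { default 0; ~*(?:crawl|goog|yahoo|spider|bot|yandex) 1; }` in the http-level template lets both locations use `if ($deny_bot) { return 444; }`. Note also that `location ~* /node/add` at L52 is unanchored, so it matches the segment anywhere in the path (e.g. behind a language prefix); if that is intended, a word in the comment at L50 would make it deliberate rather than accidental.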
@@ -64,44 +82,66 @@
     }
 
     ###
-    ### deny listed requests for security reasons
+    ### deny listed requests for security reasons without 403 response
     ###
-    location ~* (/\..*|settings\.php$|\.(htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(Entries.*|Repository|Root|Tag|Template))$ {
-        deny all;
+    location ~* (/\..*|settings\.php$|\.(?:git|htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(?:\.php)?|xtmpl)$|^(?:Entries.*|Repository|Root|Tag|Template))$ {
+        return 444;
     }
 
     ###
-    ### deny php files here for security reasons (remove 'sites' to allow civicrm install)
+    ### deny listed requests for security reasons without 403 response
     ###
-    location ~* /(files|themes|sites)/.*\.php$ {
-        deny all;
+    location ~* (?:delete.+from|insert.+into|select.+from|union.+select|onload|script|\.php.+src|system\(.+|iframe|document\.cookie|alert|\;|\.\.) {
+        return 444;
     }
 
+    ###
+    ### allow some known php files (like serve.php in the ad module)
+    ###
+    location ~* /(?:modules|libraries)/(?:ad|tinybrowser|f?ckeditor|tinymce|wysiwyg_spellcheck)/.*\.php$ {
+        try_files $uri =404;
+        fastcgi_pass   127.0.0.1:9000; ### php-fpm listening on port 9000
+    }
+    
     ###
     ### deny direct access to backups
     ###
-    location ~* ^/sites/(.*)/files/backup_migrate/ {
+    location ~* ^/sites/.*/files/backup_migrate/ {
         deny all;
     }    
-       
+
+    ###
+    ### deny direct access to private downloads
     ###
-    ### send all non-static requests to php-fpm
+    location ~* ^/sites/.*/private/ {
+        deny all;
+    }    
+
+    ###
+    ### send all non-static requests to php-fpm, restricted to known php files
     ###    
-    location ~ \.php$ {
+    location ~* ^/(?:index|boost_stats|update|xmlrpc)\.php$ {
           try_files $uri @drupal;        ### check for existence of php file first
           fastcgi_pass   127.0.0.1:9000; ### php-fpm listening on port 9000
           track_uploads  uploads 60s;    ### required for upload progress
     }
 
+    ###
+    ### deny access to any not listed above php files
+    ###    
+    location ~* ^.+\.php$ {
+        deny all;
+    }
+
     ###
     ### make css files compatible with boost caching - nginx 0.7.27 or newer required with try_files support
     ###    
     location ~ \.css$ {
-        if ( $request_method !~ ^(GET|HEAD)$ ) {
-            return 405;
+        if ( $request_method !~ ^(?:GET|HEAD)$ ) {
+             return 405;
         }
-        if ($http_cookie ~ "DRUPAL_UID") {
-            return 405;
+        if ( $http_cookie ~ "DRUPAL_UID" ) {
+             return 405;
         }
         error_page 405 = @uncached;
         access_log  off;
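Review bot: The php allow-list location at L110 is not anchored, so its regex also matches a `.php` path under the writable files tree, e.g. `/sites/<host>/files/modules/ad/x.php` (constructed), and hands it to php-fpm before the catch-all `deny all` at L145 is consulted, because regex locations are tried in file order and the first match wins; the removed rule at L101 used to cover `/files/` explicitly. Anchoring it to the places modules actually live closes that gap: `location ~* ^/(?:sites/[^/]+/|profiles/[^/]+/)?(?:modules|libraries)/(?:ad|tinybrowser|f?ckeditor|tinymce|wysiwyg_spellcheck)/.*\.php$ {`. The same unanchored list is at L443 in nginx_simple_include.conf. Separately, the keyword block at L103 (L436 in the simple include) is matched against the normalized `$uri` only, so it never sees the query string the SQL/XSS fragments seem aimed at, while plain substrings such as `script`, `alert` or `iframe` in an ordinary path alias get a 444; if it stays, the comment at L99 should say it is a path-keyword filter so nobody relies on it as injection protection.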
@@ -114,11 +154,11 @@
     ### make js files compatible with boost caching - nginx 0.7.27 or newer required with try_files support
     ###    
     location ~ \.js$ {
-        if ( $request_method !~ ^(GET|HEAD)$ ) {
-            return 405;
+        if ( $request_method !~ ^(?:GET|HEAD)$ ) {
+             return 405;
         }
-        if ($http_cookie ~ "DRUPAL_UID") {
-            return 405;
+        if ( $http_cookie ~ "DRUPAL_UID" ) {
+             return 405;
         }
         error_page 405 = @uncached;
         access_log  off;
@@ -131,11 +171,11 @@
     ### make json compatible with boost caching - nginx 0.7.27 or newer required with try_files support
     ###    
     location ~ \.json$ {
-        if ( $request_method !~ ^(GET|HEAD)$ ) {
-            return 405;
+        if ( $request_method !~ ^(?:GET|HEAD)$ ) {
+             return 405;
         }
-        if ($http_cookie ~ "DRUPAL_UID") {
-            return 405;
+        if ( $http_cookie ~ "DRUPAL_UID" ) {
+             return 405;
         }
         error_page 405 = @uncached;
         access_log  off;
@@ -153,38 +193,48 @@
     }
 
     ###
-    ### imagecache, crossdomain file for flash and (f)ckeditor support
+    ### imagecache, imagecache_external and (f)ckeditor support
     ###
-    location ~* /(files/imagecache)|(fckeditor)|(ckeditor)|(crossdomain)|(cross-domain)/ {
+    location ~* /(?:external|system|files/imagecache|files/styles|f?ckeditor)/ {
         access_log         off;
         expires            30d;
         # fix common problems with old paths after import from standalone to Aegir multisite
-        rewrite  ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)/(.*)/(.*)$  /sites/$1/files/imagecache/$2/$3/$4/$5 last;
-        rewrite  ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)/(.*)$  /sites/$1/files/imagecache/$2/$3/$4 last;
-        rewrite  ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$  /sites/$1/files/imagecache/$2/$3 last;
-        rewrite  ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/images/(.*)$  /sites/$1/files/imagecache/$2/images/$3 last;
-        rewrite  ^/sites/(.*)/files/imagecache/(.*)/sites/www\.(.*)/files/(.*)$  /sites/$1/files/imagecache/$2/$4 last;
+        rewrite  ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$  /sites/$host/files/imagecache/$2/$3 last;
+        rewrite  ^/files/imagecache/(.*)$                                      /sites/$host/files/imagecache/$1 last;
+        rewrite  ^/files/styles/(.*)$                                          /sites/$host/files/styles/$1 last;
         try_files $uri @drupal;
     }
 
     ###
     ### serve & no-log static files & images directly, without all standard drupal rewrites, php-fpm etc.
     ###    
-    location ~* ^.+\.(jpg|jpeg|gif|png|ico|swf|pdf|doc|xls|tiff|tif|txt|shtml|cgi|bat|pl|dll|asp|exe|class)$ {
+    location ~* ^.+\.(?:jpe?g|gif|png|ico|swf|pdf|doc|xls|tiff?|txt|cgi|bat|pl|dll|aspx?|exe|class)$ {
         access_log      off;
         expires         30d;
-        # allow files to be accessed without /sites/fqdn/
-        rewrite  ^/files/(.*)$  /sites/$host/files/$1 last;
+        # allow files/images/downloads to be accessed without /sites/fqdn/
+        rewrite  ^/files/(.*)$      /sites/$host/files/$1 last;
+        rewrite  ^/images/(.*)$     /sites/$host/files/images/$1 last;
+        rewrite  ^/downloads/(.*)$  /sites/$host/files/downloads/$1 last;
         try_files $uri =404;
     }
 
     ###
     ### serve & log bigger media/static/archive files directly, without all standard drupal rewrites, php-fpm etc.
     ###    
-    location ~* ^.+\.(avi|mpg|mpeg|mov|wmv|mp3|mp4|m4a|flv|wav|midi|zip|gz|rar)$ {
+    location ~* ^.+\.(?:avi|mpe?g|mov|wmv|mp3|mp4|m4a|ogg|flv|wav|midi|zip|t?gz|rar)$ {
+        expires         30d;
+        # allow files/downloads to be accessed without /sites/fqdn/
+        rewrite  ^/files/(.*)$      /sites/$host/files/$1 last;
+        rewrite  ^/downloads/(.*)$  /sites/$host/files/downloads/$1 last;
+        try_files $uri =404;
+    }
+
+    ###
+    ### serve & no-log some static files as is, without forcing default_type
+    ###    
+    location ~* /(?:cross-?domain)\.xml$ {
+        access_log      off;
         expires         30d;
-        # allow files to be accessed without /sites/fqdn/
-        rewrite  ^/files/(.*)$  /sites/$host/files/$1 last;
         try_files $uri =404;
     }
 
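Review bot: `pl` in the static-serve extension list at L224 can never be reached, because the regex location at L93 already answers `\.pl$` with 444 and regex locations are tried in file order; the entry should be dropped (same at L598 in nginx_simple_include.conf). The list also serves `cgi`, `bat`, `dll`, `exe` and `class` files as 30-day-cacheable downloads; if that is intentional, a clause in the comment at L221 such as `### these are served as plain downloads, never executed` would spare the next reader from asking whether they were meant to be denied. At L214 the first capture `(.*)` is still taken but no longer used, since the target now builds on `$host`; `(?:.*)` there would match the style of the rest of the commit.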
@@ -192,16 +242,16 @@
     ### make feeds compatible with boost caching and set correct mime type - nginx 0.7.27 or newer required with try_files support
     ###    
     location ~* \.xml$ {
-        if ( $request_method !~ ^(GET|HEAD)$ ) {
-            return 405;
+        if ( $request_method !~ ^(?:GET|HEAD)$ ) {
+             return 405;
         }
-        if ($http_cookie ~ "DRUPAL_UID") {
-            return 405;
+        if ( $http_cookie ~ "DRUPAL_UID" ) {
+             return 405;
         }
         error_page 405 = @drupal;
         add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
         add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
-        add_header X-Header "Boost Citrus 2.4";               
+        add_header X-Header "Boost Citrus 2.4";
         charset utf-8;
         types { }
         default_type application/rss+xml;
@@ -212,11 +262,11 @@
     ### make feeds compatible with Boost caching and set correct mime type - nginx 0.7.27 or newer required with try_files support
     ###    
     location ~* /feed$ {
-        if ( $request_method !~ ^(GET|HEAD)$ ) {
-            return 405;
+        if ( $request_method !~ ^(?:GET|HEAD)$ ) {
+             return 405;
         }
-        if ($http_cookie ~ "DRUPAL_UID") {
-            return 405;
+        if ( $http_cookie ~ "DRUPAL_UID" ) {
+             return 405;
         }
         error_page 405 = @drupal;
         add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
diff --git a/http/nginx/nginx_service.inc b/http/nginx/nginx_service.inc
index 0acf70d2ab6e69e0aafa6c1cef750814b45c6fcb..a9814498e377f8a3a3d9d1d61f701482a91f058a 100644
--- a/http/nginx/nginx_service.inc
+++ b/http/nginx/nginx_service.inc
@@ -22,8 +22,9 @@ class provisionService_http_nginx extends provisionService_http_public {
     $this->server->shell_exec('nginx -V');
     $this->server->nginx_has_gzip = preg_match("/(with-http_gzip_static_module)/", implode('', drush_shell_exec_output()), $match);
     $this->server->nginx_has_upload_progress = preg_match("/(nginx-upload-progress-module)/", implode('', drush_shell_exec_output()), $match);
-    $this->server->nginx_has_new_version = preg_match("/(nginx\/0\.8\.)/", implode('', drush_shell_exec_output()), $match);
-
+    $this->server->nginx_has_new_version = preg_match("/(Barracuda\/0\.9\.)/", implode('', drush_shell_exec_output()), $match);
+    $this->server->provision_db_cloaking = FALSE;
+    $this->server->nginx_web_server = 1;
   }
 
   function verify_server_cmd() {
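Review bot: `nginx_has_new_version` at L307 now keys on a `Barracuda/0.9.` build string rather than on the nginx version, so a stock nginx 0.8 or newer reports 0 here and, via the test in vhost.tpl.php, falls back to the simple include; if the flag means "supports try_files", matching the version is more robust, e.g. `preg_match("/nginx\/(?:0\.7\.(?:2[7-9]|[3-9]\d)|0\.[89]\.|[1-9]\d*\.)/", ...)`. The two new flags at L308–L309 get no explanation, and nothing in the hunk shows who reads them; a one-line comment such as `// consumed by the nginx vhost templates; nginx has no equivalent of the Apache DB cloaking` (adjust to the real reason) would help. The enclosing method starts before this hunk.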
diff --git a/http/nginx/nginx_simple_include.conf b/http/nginx/nginx_simple_include.conf
index f9ff2d8b1e35ae4245c17fca62894898bea68dc5..8d39ace26c2ca1878288849687c581b5effaec69 100644
--- a/http/nginx/nginx_simple_include.conf
+++ b/http/nginx/nginx_simple_include.conf
@@ -1,168 +1,174 @@
 #######################################################
-###  nginx.conf site pre 0.7.27 vhost include start
+###  nginx.conf site standard vhost include start
 #######################################################
 
     ###
     ### deny crawlers without 403 response
     ###
-    if ($http_user_agent ~* (HTTrack|HTMLParser|libwww) ) {
+    if ( $http_user_agent ~* (?:HTTrack|HTMLParser|libwww|wget) ) {
          return 444;
     }
 
     ###
-    ### deny bots on never cached uri without 403 response
+    ### deny not compatible request methods without 405 response
     ###
-    location ~* ^/(user)|(admin) {
-      if ($http_user_agent ~* (crawl|goog|bot) ) {
+    if ( $request_method !~ ^(?:GET|HEAD|POST)$ ) {
          return 444;
+    }
+        
+    ###
+    ### deny bots on never cached uri without 403 response (and fix for Aegir & .info .pl domain ext)
+    ###
+    location ~* ^/(?:user|admin|hosting) {
+      if ( $http_user_agent ~* (?:crawl|goog|yahoo|spider|bot|yandex) ) {
+           return 444;
       }
-      #try_files $uri $uri/ @cache;
-      if (!-e $request_filename) {
-        break;
+      try_files $uri @cache;
+    }
+
+    ###
+    ### deny stupid bots
+    ###
+    location ~* /node/add {
+      if ( $http_user_agent ~* (?:crawl|goog|yahoo|spider|bot|yandex) ) {
+           return 444;
       }
-      error_page 404 = @cache;
+      access_log  off;
+      try_files $uri @cache;
     }
-        
+
     ###
     ### catch all unspecified requests
     ###
     location / {
-        #try_files $uri $uri/ @cache;
-        if (!-e $request_filename) {
-          break;
-        }
-        error_page 404 = @cache;
+        try_files $uri @cache;
     }
 
     ###
-    ### boost compatible cache check
+    ### boost compatible cache check - nginx 0.7.27 or newer required with try_files support
     ###
     location @cache {
-        if ( $request_method !~ ^(GET|HEAD)$ ) {
-            return 405;
+        if ( $request_method !~ ^(?:GET|HEAD)$ ) {
+             return 405;
         }
-        if ($http_cookie ~ "DRUPAL_UID") {
-            return 405;
+        if ( $http_cookie ~ "DRUPAL_UID" ) {
+             return 405;
         }
         error_page 405 = @drupal;
         add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";        
         add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
         add_header X-Header "Boost Citrus 1.9";               
         charset utf-8;
-        #try_files /cache/normal/$host${uri}_$args.html @drupal;
-        if (-f $document_root/cache/normal/$host${uri}_$args.html) {
-          rewrite ^/(.+)$ /cache/normal/$host${uri}_$args.html last;
-          break;
-        }
-        error_page 404 = @drupal;
+        try_files /cache/normal/$host${uri}_$args.html @drupal;
     }
 
     ###
     ### send all not cached requests to drupal with clean URLs support
     ###
     location @drupal {
-        if (!-e $request_filename) {
-           rewrite ^/\?q=([^.]+)$  /index.php?q=$1 last;
-           rewrite ^/(.*)$         /index.php?q=$1 last;
-           break;
-        }
+        rewrite ^/(.*)$  /index.php?q=$1 last;
     }
 
     ###
-    ### deny listed requests for security reasons
+    ### deny listed requests for security reasons without 403 response
     ###
-    location ~* (/\..*|settings\.php$|\.(htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(Entries.*|Repository|Root|Tag|Template))$ {
-        deny all;
+    location ~* (/\..*|settings\.php$|\.(?:git|htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(?:\.php)?|xtmpl)$|^(?:Entries.*|Repository|Root|Tag|Template))$ {
+        return 444;
     }
 
     ###
-    ### deny php files here for security reasons (remove 'sites' to allow civicrm install)
+    ### deny listed requests for security reasons without 403 response
     ###
-    location ~* /(files|themes|sites)/.*\.php$ {
-        deny all;
+    location ~* (?:delete.+from|insert.+into|select.+from|union.+select|onload|script|\.php.+src|system\(.+|iframe|document\.cookie|alert|\;|\.\.) {
+        return 444;
     }
 
+    ###
+    ### allow some known php files (like serve.php in the ad module)
+    ###
+    location ~* /(?:modules|libraries)/(?:ad|tinybrowser|f?ckeditor|tinymce|wysiwyg_spellcheck)/.*\.php$ {
+        try_files $uri =404;
+        fastcgi_pass   127.0.0.1:9000; ### php-fpm listening on port 9000
+    }
+    
     ###
     ### deny direct access to backups
     ###
-    location ~* ^/sites/(.*)/files/backup_migrate/ {
+    location ~* ^/sites/.*/files/backup_migrate/ {
         deny all;
     }    
-       
+
+    ###
+    ### deny direct access to private downloads
+    ###
+    location ~* ^/sites/.*/private/ {
+        deny all;
+    }    
+
     ###
-    ### send all non-static requests to php-fpm
+    ### send all non-static requests to php-fpm, restricted to known php files
     ###    
-    location ~ \.php$ {
-      if ( $uri !~ "/(files|themes|sites)/") {
+    location ~* ^/(?:index|boost_stats|update|xmlrpc)\.php$ {
+          try_files $uri @drupal;        ### check for existence of php file first
           fastcgi_pass   127.0.0.1:9000; ### php-fpm listening on port 9000
-      }
-      error_page 404 = @drupal;
     }
 
     ###
-    ### make css files compatible with boost caching
+    ### deny access to any not listed above php files
+    ###    
+    location ~* ^.+\.php$ {
+        deny all;
+    }
+
+    ###
+    ### make css files compatible with boost caching - nginx 0.7.27 or newer required with try_files support
     ###    
     location ~ \.css$ {
-        if ( $request_method !~ ^(GET|HEAD)$ ) {
-            return 405;
+        if ( $request_method !~ ^(?:GET|HEAD)$ ) {
+             return 405;
         }
-        if ($http_cookie ~ "DRUPAL_UID") {
-            return 405;
+        if ( $http_cookie ~ "DRUPAL_UID" ) {
+             return 405;
         }
         error_page 405 = @uncached;
         access_log  off;
         expires  max; #if using aggregator
         add_header X-Header "Boost Citrus 2.1";
-        #try_files /cache/perm/$host${uri}_.css $uri =404;
-        if (-f $document_root/cache/perm/$host${uri}_$args.html) {
-          rewrite ^/(.+)$ /cache/perm/$host${uri}_$args.html last;
-          break;
-        }
-        error_page 404 = @drupal;
+        try_files /cache/perm/$host${uri}_.css $uri =404;
     }
     
     ###
-    ### make js files compatible with boost caching
+    ### make js files compatible with boost caching - nginx 0.7.27 or newer required with try_files support
     ###    
     location ~ \.js$ {
-        if ( $request_method !~ ^(GET|HEAD)$ ) {
-            return 405;
+        if ( $request_method !~ ^(?:GET|HEAD)$ ) {
+             return 405;
         }
-        if ($http_cookie ~ "DRUPAL_UID") {
-            return 405;
+        if ( $http_cookie ~ "DRUPAL_UID" ) {
+             return 405;
         }
         error_page 405 = @uncached;
         access_log  off;
         expires  max; # if using aggregator
         add_header X-Header "Boost Citrus 2.2";               
-        #try_files /cache/perm/$host${uri}_.js $uri =404;
-        if (-f $document_root/cache/perm/$host${uri}_$args.html) {
-          rewrite ^/(.+)$ /cache/perm/$host${uri}_$args.html last;
-          break;
-        }
-        error_page 404 = @drupal;
+        try_files /cache/perm/$host${uri}_.js $uri =404;
     }
 
     ###
-    ### make json compatible with boost caching
+    ### make json compatible with boost caching - nginx 0.7.27 or newer required with try_files support
     ###    
     location ~ \.json$ {
-        if ( $request_method !~ ^(GET|HEAD)$ ) {
-            return 405;
+        if ( $request_method !~ ^(?:GET|HEAD)$ ) {
+             return 405;
         }
-        if ($http_cookie ~ "DRUPAL_UID") {
-            return 405;
+        if ( $http_cookie ~ "DRUPAL_UID" ) {
+             return 405;
         }
         error_page 405 = @uncached;
         access_log  off;
         expires  max; ### if using aggregator
         add_header X-Header "Boost Citrus 2.3";               
-        #try_files /cache/normal/$host${uri}_.json $uri =404;
-        if (-f $document_root/cache/normal/$host${uri}_$args.html) {
-          rewrite ^/(.+)$ /cache/normal/$host${uri}_$args.html last;
-          break;
-        }
-        error_page 404 = @drupal;
+        try_files /cache/normal/$host${uri}_.json $uri =404;
     }
 
     ###
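Review bot: The php allow-list at L470 admits only `index`, `boost_stats`, `update` and `xmlrpc`, so `/cron.php` and `/install.php` now fall through to the `deny all` at L481; if any site on the platform still runs cron by requesting `/cron.php`, that fails silently with a 403. Either add `cron` to the list or extend the comment at L466 with `### cron.php is intentionally excluded; cron runs via drush` so the omission reads as deliberate. The same list appears at L136 of nginx_advanced_include.conf. As a follow-up, `update.php` and `xmlrpc.php` are reachable from any address here; if they are not needed on every site, restricting them by address or dropping them from the list narrows what the public can reach.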
@@ -174,84 +180,80 @@
     }
 
     ###
-    ### imagecache and (f)ckeditor support
+    ### imagecache, imagecache_external and (f)ckeditor support
     ###
-    location ~* /(files/imagecache)|(fckeditor)|(ckeditor)/ {
+    location ~* /(?:external|system|files/imagecache|files/styles|f?ckeditor)/ {
         access_log         off;
         expires            30d;
         # fix common problems with old paths after import from standalone to Aegir multisite
-        rewrite  ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)/(.*)/(.*)$  /sites/$1/files/imagecache/$2/$3/$4/$5 last;
-        rewrite  ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/images/(.*)$  /sites/$1/files/imagecache/$2/images/$3 last;
-        #try_files $uri @drupal;
-        if (!-e $request_filename) {
-          break;
-        }
-        error_page 404 = @drupal;
+        rewrite  ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$  /sites/$host/files/imagecache/$2/$3 last;
+        rewrite  ^/files/imagecache/(.*)$                                      /sites/$host/files/imagecache/$1 last;
+        rewrite  ^/files/styles/(.*)$                                          /sites/$host/files/styles/$1 last;
+        try_files $uri @drupal;
     }
 
     ###
     ### serve & no-log static files & images directly, without all standard drupal rewrites, php-fpm etc.
     ###    
-    location ~* ^.+\.(jpg|jpeg|gif|png|ico|swf|pdf|doc|xls|tiff|tif|txt|shtml|cgi|bat|pl|dll|asp|exe|class)$ {
+    location ~* ^.+\.(?:jpe?g|gif|png|ico|swf|pdf|doc|xls|tiff?|txt|cgi|bat|pl|dll|aspx?|exe|class)$ {
         access_log      off;
         expires         30d;
-        # allow files to be accessed without /sites/fqdn/
-        rewrite  ^/files/(.*)$  /sites/$host/files/$1 last;
-        #try_files $uri =404;
-        if (!-e $request_filename) {
-          break;
-        }
-        error_page 404 /50x.html;
+        # allow files/images/downloads to be accessed without /sites/fqdn/
+        rewrite  ^/files/(.*)$      /sites/$host/files/$1 last;
+        rewrite  ^/images/(.*)$     /sites/$host/files/images/$1 last;
+        rewrite  ^/downloads/(.*)$  /sites/$host/files/downloads/$1 last;
+        try_files $uri =404;
     }
 
     ###
     ### serve & log bigger media/static/archive files directly, without all standard drupal rewrites, php-fpm etc.
     ###    
-    location ~* ^.+\.(avi|mpg|mpeg|mov|wmv|mp3|mp4|m4a|flv|wav|midi|zip|gz|rar)$ {
+    location ~* ^.+\.(?:avi|mpe?g|mov|wmv|mp3|mp4|m4a|ogg|flv|wav|midi|zip|t?gz|rar)$ {
         expires         30d;
-        # allow files to be accessed without /sites/fqdn/
-        rewrite  ^/files/(.*)$  /sites/$host/files/$1 last;
-        #try_files $uri =404;
-        if (!-e $request_filename) {
-          break;
-        }
-        error_page 404 /50x.html;
+        # allow files/downloads to be accessed without /sites/fqdn/
+        rewrite  ^/files/(.*)$      /sites/$host/files/$1 last;
+        rewrite  ^/downloads/(.*)$  /sites/$host/files/downloads/$1 last;
+        try_files $uri =404;
     }
 
     ###
-    ### make feeds compatible with boost caching and set correct mime type
+    ### serve & no-log some static files as is, without forcing default_type
+    ###    
+    location ~* /(?:cross-?domain)\.xml$ {
+        access_log      off;
+        expires         30d;
+        try_files $uri =404;
+    }
+
+    ###
+    ### make feeds compatible with boost caching and set correct mime type - nginx 0.7.27 or newer required with try_files support
     ###    
     location ~* \.xml$ {
-        if ( $request_method !~ ^(GET|HEAD)$ ) {
-            return 405;
+        if ( $request_method !~ ^(?:GET|HEAD)$ ) {
+             return 405;
         }
-        if ($http_cookie ~ "DRUPAL_UID") {
-            return 405;
+        if ( $http_cookie ~ "DRUPAL_UID" ) {
+             return 405;
         }
         error_page 405 = @drupal;
         add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
         add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
-        add_header X-Header "Boost Citrus 2.4";               
+        add_header X-Header "Boost Citrus 2.4";
         charset utf-8;
         types { }
         default_type application/rss+xml;
-        #try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html $uri @drupal;
-        if (-f $document_root/cache/normal/$host${uri}_.xml) {
-          rewrite ^/(.+)$ /cache/normal/$host${uri}_.xml last;
-          break;
-        }
-        error_page 404 = @drupal;
+        try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html $uri @drupal;
     }
 
     ###
-    ### make feeds compatible with Boost caching and set correct mime type
+    ### make feeds compatible with Boost caching and set correct mime type - nginx 0.7.27 or newer required with try_files support
     ###    
     location ~* /feed$ {
-        if ( $request_method !~ ^(GET|HEAD)$ ) {
-            return 405;
+        if ( $request_method !~ ^(?:GET|HEAD)$ ) {
+             return 405;
         }
-        if ($http_cookie ~ "DRUPAL_UID") {
-            return 405;
+        if ( $http_cookie ~ "DRUPAL_UID" ) {
+             return 405;
         }
         error_page 405 = @drupal;
         add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
@@ -260,22 +262,10 @@
         charset utf-8;
         types { }
         default_type application/rss+xml;
-        #try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html $uri @drupal;
-        if (-f $document_root/cache/normal/$host${uri}_.xml) {
-          rewrite ^/(.+)$ /cache/normal/$host${uri}_.xml last;
-          break;
-        }
-        error_page 404 = @drupal;
-    }
-
-    ###
-    ### helper location for static files 404 error
-    ###    
-    location = /50x.html {
-        root /var/www/nginx-default;
+        try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html $uri @drupal;
     }
 
 #######################################################
-###  nginx.conf site pre 0.7.27 vhost include end
+###  nginx.conf site standard vhost include end
 #######################################################
 
diff --git a/http/nginx/server.tpl.php b/http/nginx/server.tpl.php
index 8a8b98817a7775d491bd319646bd3a666691a986..16f778c334b9d070de22718b91caf5aac0977e66 100644
--- a/http/nginx/server.tpl.php
+++ b/http/nginx/server.tpl.php
@@ -25,26 +25,48 @@
   fastcgi_param  REDIRECT_STATUS    200;
   fastcgi_index  index.php;
 
+ ## Default index files
+  index         index.php index.html;
+ 
  ## Size Limits
   client_body_buffer_size        64k;
   client_header_buffer_size      32k;
-  client_max_body_size           50m;
+  client_max_body_size          100m;
   large_client_header_buffers 32 32k;
   connection_pool_size           256;
   request_pool_size               4k;
-  server_names_hash_bucket_size  128;
+  server_names_hash_bucket_size  512;
+  server_names_hash_max_size    8192;
   types_hash_max_size           8192;
-  types_hash_bucket_size         128;  
+  types_hash_bucket_size         512;
+  fastcgi_buffer_size           128k;
+  fastcgi_buffers             256 4k;
+  fastcgi_busy_buffers_size     256k;
+  fastcgi_temp_file_write_size  256k;
   
  ## Timeouts 
   client_body_timeout             60;
   client_header_timeout           60;
   send_timeout                    60;
+  lingering_time                  30;
+  lingering_timeout                5;
+  fastcgi_connect_timeout         60;
+  fastcgi_send_timeout           300;
+  fastcgi_read_timeout           300;
 
+ ## FastCGI Caching
+  fastcgi_cache_path /var/lib/nginx/speed
+                     levels=2:2:2
+                     keys_zone=speed:50m
+                     inactive=8h
+                     max_size=1g;
+  
  ## General Options
   ignore_invalid_headers          on;
   limit_zone gulag $binary_remote_addr 10m;
   recursive_error_pages           on;
+  reset_timedout_connection       on;
+  fastcgi_intercept_errors        on;
 
  ## TCP options  
   tcp_nopush  on;
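Review bot: `fastcgi_cache_path` at L758–L762 declares a `speed` zone (50m of shared memory, up to 1g on disk) but no `fastcgi_cache speed` appears in any include touched by this commit, so unless a template outside the diff uses it the zone is allocated and never read; a comment naming the consumer, or adding the directive together with its first use, would make that clear. `fastcgi_intercept_errors on` at L769 also interacts with the `error_page 405 = @drupal` rules in the includes: a 405 produced by PHP inside @drupal would now be re-dispatched into @drupal, and with `recursive_error_pages on` already set it is worth confirming that this ends in nginx's internal-redirect limit rather than in a loop.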
@@ -62,12 +84,14 @@
   gzip_vary         on;
   gzip_proxied      any;
   gzip_disable      "MSIE [1-6]\.";
-<?php 
-if ($server->nginx_has_gzip) {
-   print '  gzip_static       on\;';
+<?php
+$nginx_has_gzip = drush_get_option('nginx_has_gzip');
+if ($nginx_has_gzip) {
+   print "  gzip_static       on;\n";
 }
-if ($server->nginx_has_upload_progress) {
-   print '  upload_progress uploads 1m\;';
+$nginx_has_upload_progress = drush_get_option('nginx_has_upload_progress');
+if ($nginx_has_upload_progress) {
+   print "  upload_progress uploads 1m;\n";
 }
 ?>
 
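Review bot: L781 and L787 read `nginx_has_gzip` and `nginx_has_upload_progress` through `drush_get_option()`, whereas nginx_service.inc (L303–L304 in this diff) stores the detection results on `$this->server`, not as drush options; unless code outside the diff copies them over, both lookups return NULL and `gzip_static` / `upload_progress` are never emitted. Either keep reading `$server->nginx_has_gzip` as the old code did, or set the options where they are detected, e.g. `drush_set_option('nginx_has_gzip', $this->server->nginx_has_gzip);`. vhost.tpl.php L824–L825 has the same split.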
diff --git a/http/nginx/vhost.tpl.php b/http/nginx/vhost.tpl.php
index 4a4242d8c021decc6cf1f9f59948ab958345acd4..a7ef4f30a600999fadb2b430a08d37484fcce979 100644
--- a/http/nginx/vhost.tpl.php
+++ b/http/nginx/vhost.tpl.php
@@ -1,25 +1,35 @@
-server {
-<?php 
-   print "   include      " . $server->include_path . "/fastcgi_params.conf;\n";
+<?php
+if ($ssl_redirection || $this->redirection) {
+  // Redirect all aliases to the main http url using separate vhosts blocks to avoid if{} in Nginx.
+  foreach ($this->aliases as $alias_url) {
+    print "server {\n";
+    print "   listen      {$ip_address}:{$http_port};\n";
+    print "   server_name {$alias_url};\n";
+    print "   rewrite ^ \$scheme://{$this->uri}\$request_uri? permanent;\n";
+    print "}\n";
+  }
+}
 ?>
+
+server {
+   include      <?php print "{$server->include_path}"; ?>/fastcgi_params.conf;
    limit_conn   gulag 10; # like mod_evasive - this allows max 10 simultaneous connections from one IP address
    listen       <?php print $ip_address . ':' . $http_port; ?>;
-   server_name  <?php print $this->uri . ' ' . implode(' ', $this->aliases); ?>;
-   root         <?php print $this->root; ?>;
-   index        index.php index.html;
+   server_name  <?php print $this->uri; ?><?php if (!$this->redirection && is_array($this->aliases)) : foreach ($this->aliases as $alias_url) : if (trim($alias_url)) : ?> <?php print $alias_url; ?><?php endif; endforeach; endif; ?>;
+   root         <?php print "{$this->root}"; ?>;
 <?php
+$nginx_has_new_version = drush_get_option('nginx_has_new_version');
+$nginx_has_upload_progress = drush_get_option('nginx_has_upload_progress');
 if ($this->redirection || $ssl_redirection) {
   if ($ssl_redirection && !$this->redirection) {
     // redirect aliases in non-ssl to the same alias on ssl.
-    print "\n   rewrite ^/(.*)$  https://\$host/$1 permanent;\n";
+    print "\n   rewrite ^ https://\$host\$request_uri? permanent;\n";
   }
   elseif ($ssl_redirection && $this->redirection) {
     // redirect all aliases + main uri to the main https uri.
-    print "\n   rewrite ^/(.*)$  https://{$this->uri}/$1 permanent;\n";
+    print "\n   rewrite ^ https://{$this->uri}\$request_uri? permanent;\n";
   }
   elseif (!$ssl_redirection && $this->redirection) {
-    // Redirect all aliases to the main http url.
-    print "\n   if (\$host !~ ^({$this->uri})$ ) {\n       rewrite ^/(.*)$  http://{$this->uri}/$1 permanent;\n   }\n";
     if ($server->nginx_has_new_version || $server->nginx_has_upload_progress) {
       print "   include      " . $server->include_path . "/nginx_advanced_include.conf;\n";
     }
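Review bot: The alias loop at L804 prints one redirect server block per entry of `$this->aliases` without the `is_array()` and `trim()` guards that the `server_name` line at L821 applies, so an empty alias yields `server_name ;` and nginx rejects the whole config. Add the same guard: `foreach ((array) $this->aliases as $alias_url) { if (!trim($alias_url)) continue;`. The loop at L877 in vhost_ssl.tpl.php needs it too. `$nginx_has_new_version` and `$nginx_has_upload_progress` are assigned at L824–L825 but the visible code at L840 still tests `$server->nginx_has_new_version`, so one of the two sources should go. The PHP block continues past the end of the hunk.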
diff --git a/http/nginx/vhost_disabled.tpl.php b/http/nginx/vhost_disabled.tpl.php
index d1495077758fe611ee7a0f06468924c9f7f21f48..6ac7bfd4add49a6dc833c2e5eedcbe33125a19cf 100644
--- a/http/nginx/vhost_disabled.tpl.php
+++ b/http/nginx/vhost_disabled.tpl.php
@@ -1,11 +1,8 @@
 server {
   listen       <?php print $ip_address . ':' . $http_port; ?>;
   server_name  <?php print $this->uri . ' ' . implode(' ', $this->aliases); ?>;
-  root         <?php print $this->root; ?>;
-  index        index.php index.html;
-  location / {
-     root   /var/www/nginx-default;
-     index  index.html index.htm;
-     rewrite ^/(.*)$  <?php print $this->platform->server->web_disable_url . '/' . $this->uri ?>? permanent;
-  }
+  root         /var/www/nginx-default;
+  index        index.html index.htm;
+  
+  ### Dont't reveal Aegir front-end URL here.
 }
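Review bot: The `server_name` line kept on line 850 still expands `implode(' ', $this->aliases)` with no `is_array`/`trim` guard, while the enabled vhost in this commit (line 821) switched to an `is_array($this->aliases)` loop that skips blank aliases; a non-array or empty-string alias here presumably still yields a malformed `server_name` line, and the same applies to the unchanged line 931 in vhost_ssl_disabled.tpl.php. The new comment on line 861 also has a typo; suggest `### Don't reveal the Aegir front-end URL here.` (the same comment appears on line 953 of vhost_ssl_disabled.tpl.php).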
diff --git a/http/nginx_ssl/vhost_ssl.tpl.php b/http/nginx_ssl/vhost_ssl.tpl.php
index c2ee59f30e616a21381229cbf98d46f0382deba8..036ccb822f9567ee3cf8cf22a365e01e3d034bbc 100644
--- a/http/nginx_ssl/vhost_ssl.tpl.php
+++ b/http/nginx_ssl/vhost_ssl.tpl.php
@@ -1,28 +1,36 @@
 
 <?php if ($this->ssl_enabled && $this->ssl_key) : ?>
 
-server {
-<?php 
-   print "   include      " . $server->include_path . "/fastcgi_ssl_params.conf;\n";
+<?php
+if ($this->redirection) {
+  // Redirect all aliases to the main https url using separate vhosts blocks to avoid if{} in Nginx.
+  foreach ($this->aliases as $alias_url) {
+    print "server {\n";
+    print "   listen      {$ip_address}:{$http_ssl_port};\n";
+    print "   server_name {$alias_url};\n";
+    print "   rewrite ^ \$scheme://{$this->uri}\$request_uri? permanent;\n";
+    print "}\n";
+  }
+}
 ?>
+
+server {
+   include      <?php print "{$server->include_path}"; ?>/fastcgi_ssl_params.conf;
    limit_conn   gulag 10; # like mod_evasive - this allows max 10 simultaneous connections from one IP address
    listen       <?php print "{$ip_address}:{$http_ssl_port}"; ?>;
-   server_name  <?php print $this->uri . ' ' . implode(' ', $this->aliases); ?>;
-   root         <?php print $this->root; ?>;
-   index        index.php index.html;
+   server_name  <?php print $this->uri; ?><?php if (!$this->redirection && is_array($this->aliases)) : foreach ($this->aliases as $alias_url) : if (trim($alias_url)) : ?> <?php print $alias_url; ?><?php endif; endforeach; endif; ?>;
+   root         <?php print "{$this->root}"; ?>;
    ssl                         on;
    ssl_certificate             <?php print $ssl_cert; ?>;
    ssl_certificate_key         <?php print $ssl_cert_key; ?>;
-   ssl_protocols               SSLv2 SSLv3 TLSv1;
-   ssl_ciphers                 ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
+   ssl_protocols               SSLv3 TLSv1;
+   ssl_ciphers                 HIGH:!ADH:!MD5;
    ssl_prefer_server_ciphers   on;
    keepalive_timeout           70;
 <?php
-    if ($this->redirection) {
-      // Redirect all aliases to the main https url.
-      print "\n   if (\$host !~ ^({$this->uri})$ ) {\n       rewrite ^/(.*)$  https://{$this->uri}/$1 permanent;\n   }\n";
-    }
-    if ($server->nginx_has_new_version || $server->nginx_has_upload_progress) {
+$nginx_has_new_version = drush_get_option('nginx_has_new_version');
+$nginx_has_upload_progress = drush_get_option('nginx_has_upload_progress');
+    if ($nginx_has_new_version || $nginx_has_upload_progress) {
       print "   include      " . $server->include_path . "/nginx_advanced_include.conf;\n";
     }
     else {
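Review bot: The alias loop on line 877 iterates `$this->aliases` without the `is_array`/`trim` guard that line 894 applies to the same data, so a blank alias would print `server_name ;`, which nginx rejects at config test. Suggest wrapping it as `if (is_array($this->aliases)) { foreach ($this->aliases as $alias_url) { if (!trim($alias_url)) { continue; }` with the matching closing brace. The generated per-alias `server {}` blocks listen on `{$http_ssl_port}` but carry none of the `ssl on;` / `ssl_certificate` / `ssl_certificate_key` directives the main block has, so whether TLS is actually terminated for those names depends on how nginx treats a server sharing that socket — presumably they need the same ssl directives before the redirect can be reached over HTTPS. `ssl_protocols SSLv3 TLSv1;` on line 901 still enables SSLv3; dropping SSLv2 is an improvement, but unless legacy clients are known to require it `ssl_protocols TLSv1;` would be the tighter setting, and the same line appears in vhost_ssl_disabled.tpl.php (line 941). The `else` branch opened on the hunk's last line continues outside it.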
diff --git a/http/nginx_ssl/vhost_ssl_disabled.tpl.php b/http/nginx_ssl/vhost_ssl_disabled.tpl.php
index 0ac78b597e6888832c69b9af4557363d3023d919..37479213cb1bc7ba914f48217db2cc41e8a0e13e 100644
--- a/http/nginx_ssl/vhost_ssl_disabled.tpl.php
+++ b/http/nginx_ssl/vhost_ssl_disabled.tpl.php
@@ -2,28 +2,21 @@
 <?php if ($this->ssl_enabled && $this->ssl_key) : ?>
 
 server {
-<?php 
-   print "   include      " . $server->include_path . "/fastcgi_ssl_params.conf;\n";
-?>
+   include      <?php print "{$server->include_path}"; ?>/fastcgi_ssl_params.conf;
    limit_conn   gulag 10; # like mod_evasive - this allows max 10 simultaneous connections from one IP address
    listen       <?php print "{$ip_address}:{$http_ssl_port}"; ?>;
    server_name  <?php print $this->uri . ' ' . implode(' ', $this->aliases); ?>;
-   root         <?php print $this->root; ?>;
-   index        index.php index.html;
+   root         /var/www/nginx-default;
+   index        index.html index.htm;
    ssl                         on;
    ssl_certificate             <?php print $ssl_cert; ?>;
    ssl_certificate_key         <?php print $ssl_cert_key; ?>;
-   ssl_protocols               SSLv2 SSLv3 TLSv1;
-   ssl_ciphers                 ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
+   ssl_protocols               SSLv3 TLSv1;
+   ssl_ciphers                 HIGH:!ADH:!MD5;
    ssl_prefer_server_ciphers   on;
    keepalive_timeout           70;
-
-  location / {
-     root   /var/www/nginx-default;
-     index  index.html index.htm;
-     rewrite ^/(.*)$  <?php print $this->platform->server->web_disable_url . '/' . $this->uri ?>? permanent;
-  }
-
+   
+   ### Dont't reveal Aegir front-end URL here.
 }
 
 <?php endif; ?>