Commit d3abcecd authored by Grace's avatar Grace Committed by anarcat

Batch Update of Nginx configuration - version 0.7.27 or newer required. (Grace)

parent d5a12803
......@@ -5,18 +5,15 @@
###
### deny crawlers without 403 response
###
if ($http_user_agent ~* (HTTrack|HTMLParser|libwww) ) {
if ( $http_user_agent ~* (?:HTTrack|HTMLParser|libwww|wget) ) {
return 444;
}
###
### deny bots on never cached uri without 403 response
### deny not compatible request methods without 405 response
###
location ~* ^/(user)|(admin) {
if ($http_user_agent ~* (crawl|goog|bot) ) {
if ( $request_method !~ ^(?:GET|HEAD|POST)$ ) {
return 444;
}
try_files $uri $uri/ @cache;
}
###
......@@ -24,29 +21,50 @@
### http://drupal.org/project/filefield_nginx_progress
### http://github.com/masterzen/nginx-upload-progress-module
###
location ~ (.*)/x-progress-id:(\w*) {
location ~ (?:.*)/x-progress-id:(?:\w*) {
rewrite ^(.*)/x-progress-id:(\w*) $1?X-Progress-ID=$2;
}
location ^~ /progress {
report_uploads uploads;
}
###
### deny bots on never cached uri without 403 response (and fix for Aegir & .info .pl domain ext)
###
location ~* ^/(?:user|admin|hosting) {
if ( $http_user_agent ~* (?:crawl|goog|yahoo|spider|bot|yandex) ) {
return 444;
}
try_files $uri @cache;
}
###
### deny stupid bots
###
location ~* /node/add {
if ( $http_user_agent ~* (?:crawl|goog|yahoo|spider|bot|yandex) ) {
return 444;
}
access_log off;
try_files $uri @cache;
}
###
### catch all unspecified requests
###
location / {
try_files $uri $uri/ @cache;
try_files $uri @cache;
}
###
### boost compatible cache check - nginx 0.7.27 or newer required with try_files support
###
location @cache {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
if ( $request_method !~ ^(?:GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
if ( $http_cookie ~ "DRUPAL_UID" ) {
return 405;
}
error_page 405 = @drupal;
add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
......@@ -64,44 +82,66 @@
}
###
### deny listed requests for security reasons
### deny listed requests for security reasons without 403 response
###
location ~* (/\..*|settings\.php$|\.(htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(Entries.*|Repository|Root|Tag|Template))$ {
deny all;
location ~* (/\..*|settings\.php$|\.(?:git|htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(?:\.php)?|xtmpl)$|^(?:Entries.*|Repository|Root|Tag|Template))$ {
return 444;
}
###
### deny php files here for security reasons (remove 'sites' to allow civicrm install)
### deny listed requests for security reasons without 403 response
###
location ~* /(files|themes|sites)/.*\.php$ {
deny all;
location ~* (?:delete.+from|insert.+into|select.+from|union.+select|onload|script|\.php.+src|system\(.+|iframe|document\.cookie|alert|\;|\.\.) {
return 444;
}
###
### allow some known php files (like serve.php in the ad module)
###
location ~* /(?:modules|libraries)/(?:ad|tinybrowser|f?ckeditor|tinymce|wysiwyg_spellcheck)/.*\.php$ {
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000; ### php-fpm listening on port 9000
}
###
### deny direct access to backups
###
location ~* ^/sites/(.*)/files/backup_migrate/ {
location ~* ^/sites/.*/files/backup_migrate/ {
deny all;
}
###
### deny direct access to private downloads
###
### send all non-static requests to php-fpm
location ~* ^/sites/.*/private/ {
deny all;
}
###
### send all non-static requests to php-fpm, restricted to known php files
###
location ~ \.php$ {
location ~* ^/(?:index|boost_stats|update|xmlrpc)\.php$ {
try_files $uri @drupal; ### check for existence of php file first
fastcgi_pass 127.0.0.1:9000; ### php-fpm listening on port 9000
track_uploads uploads 60s; ### required for upload progress
}
###
### deny access to any not listed above php files
###
location ~* ^.+\.php$ {
deny all;
}
###
### make css files compatible with boost caching - nginx 0.7.27 or newer required with try_files support
###
location ~ \.css$ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
if ( $request_method !~ ^(?:GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
if ( $http_cookie ~ "DRUPAL_UID" ) {
return 405;
}
error_page 405 = @uncached;
access_log off;
......@@ -114,11 +154,11 @@
### make js files compatible with boost caching - nginx 0.7.27 or newer required with try_files support
###
location ~ \.js$ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
if ( $request_method !~ ^(?:GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
if ( $http_cookie ~ "DRUPAL_UID" ) {
return 405;
}
error_page 405 = @uncached;
access_log off;
......@@ -131,11 +171,11 @@
### make json compatible with boost caching - nginx 0.7.27 or newer required with try_files support
###
location ~ \.json$ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
if ( $request_method !~ ^(?:GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
if ( $http_cookie ~ "DRUPAL_UID" ) {
return 405;
}
error_page 405 = @uncached;
access_log off;
......@@ -153,38 +193,48 @@
}
###
### imagecache, crossdomain file for flash and (f)ckeditor support
### imagecache, imagecache_external and (f)ckeditor support
###
location ~* /(files/imagecache)|(fckeditor)|(ckeditor)|(crossdomain)|(cross-domain)/ {
location ~* /(?:external|system|files/imagecache|files/styles|f?ckeditor)/ {
access_log off;
expires 30d;
# fix common problems with old paths after import from standalone to Aegir multisite
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)/(.*)/(.*)$ /sites/$1/files/imagecache/$2/$3/$4/$5 last;
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)/(.*)$ /sites/$1/files/imagecache/$2/$3/$4 last;
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$1/files/imagecache/$2/$3 last;
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/images/(.*)$ /sites/$1/files/imagecache/$2/images/$3 last;
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/www\.(.*)/files/(.*)$ /sites/$1/files/imagecache/$2/$4 last;
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$host/files/imagecache/$2/$3 last;
rewrite ^/files/imagecache/(.*)$ /sites/$host/files/imagecache/$1 last;
rewrite ^/files/styles/(.*)$ /sites/$host/files/styles/$1 last;
try_files $uri @drupal;
}
###
### serve & no-log static files & images directly, without all standard drupal rewrites, php-fpm etc.
###
location ~* ^.+\.(jpg|jpeg|gif|png|ico|swf|pdf|doc|xls|tiff|tif|txt|shtml|cgi|bat|pl|dll|asp|exe|class)$ {
location ~* ^.+\.(?:jpe?g|gif|png|ico|swf|pdf|doc|xls|tiff?|txt|cgi|bat|pl|dll|aspx?|exe|class)$ {
access_log off;
expires 30d;
# allow files to be accessed without /sites/fqdn/
rewrite ^/files/(.*)$ /sites/$host/files/$1 last;
# allow files/images/downloads to be accessed without /sites/fqdn/
rewrite ^/files/(.*)$ /sites/$host/files/$1 last;
rewrite ^/images/(.*)$ /sites/$host/files/images/$1 last;
rewrite ^/downloads/(.*)$ /sites/$host/files/downloads/$1 last;
try_files $uri =404;
}
###
### serve & log bigger media/static/archive files directly, without all standard drupal rewrites, php-fpm etc.
###
location ~* ^.+\.(avi|mpg|mpeg|mov|wmv|mp3|mp4|m4a|flv|wav|midi|zip|gz|rar)$ {
location ~* ^.+\.(?:avi|mpe?g|mov|wmv|mp3|mp4|m4a|ogg|flv|wav|midi|zip|t?gz|rar)$ {
expires 30d;
# allow files/downloads to be accessed without /sites/fqdn/
rewrite ^/files/(.*)$ /sites/$host/files/$1 last;
rewrite ^/downloads/(.*)$ /sites/$host/files/downloads/$1 last;
try_files $uri =404;
}
###
### serve & no-log some static files as is, without forcing default_type
###
location ~* /(?:cross-?domain)\.xml$ {
access_log off;
expires 30d;
# allow files to be accessed without /sites/fqdn/
rewrite ^/files/(.*)$ /sites/$host/files/$1 last;
try_files $uri =404;
}
......@@ -192,16 +242,16 @@
### make feeds compatible with boost caching and set correct mime type - nginx 0.7.27 or newer required with try_files support
###
location ~* \.xml$ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
if ( $request_method !~ ^(?:GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
if ( $http_cookie ~ "DRUPAL_UID" ) {
return 405;
}
error_page 405 = @drupal;
add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
add_header X-Header "Boost Citrus 2.4";
add_header X-Header "Boost Citrus 2.4";
charset utf-8;
types { }
default_type application/rss+xml;
......@@ -212,11 +262,11 @@
### make feeds compatible with Boost caching and set correct mime type - nginx 0.7.27 or newer required with try_files support
###
location ~* /feed$ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
if ( $request_method !~ ^(?:GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
if ( $http_cookie ~ "DRUPAL_UID" ) {
return 405;
}
error_page 405 = @drupal;
add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
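Review bot: The new regex location beginning `location ~* (?:delete.+from|insert.+into|select.+from|union.+select|onload|script|...` is matched against the normalized `$uri` only, so it never sees request arguments, while its bare-word alternatives `script`, `alert`, `onload` and `iframe` are plain substrings: any path containing "description", "transcript" or "alerts" is dropped with 444 before Drupal or the static-file locations later in the file get a chance, because regex locations are tried in order of appearance. If the block is kept, anchor those words to whole path segments, e.g. `/(?:script|alert|onload|iframe)(?:/|$)`, and treat the SQL-keyword pairs as a coarse tripwire rather than as input validation, which has to stay in the application. The header comment above it now repeats the one on the preceding deny block verbatim; `### drop URIs containing common injection markers (coarse, prone to false positives)` would tell the two apart. The same block appears again in the second vhost include in this commit and needs the same fix.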
......@@ -22,8 +22,9 @@ class provisionService_http_nginx extends provisionService_http_public {
$this->server->shell_exec('nginx -V');
$this->server->nginx_has_gzip = preg_match("/(with-http_gzip_static_module)/", implode('', drush_shell_exec_output()), $match);
$this->server->nginx_has_upload_progress = preg_match("/(nginx-upload-progress-module)/", implode('', drush_shell_exec_output()), $match);
$this->server->nginx_has_new_version = preg_match("/(nginx\/0\.8\.)/", implode('', drush_shell_exec_output()), $match);
$this->server->nginx_has_new_version = preg_match("/(Barracuda\/0\.9\.)/", implode('', drush_shell_exec_output()), $match);
$this->server->provision_db_cloaking = FALSE;
$this->server->nginx_web_server = 1;
}
function verify_server_cmd() {
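Review bot: The changed `preg_match` now looks for the literal string `Barracuda/0.9.` in the `nginx -V` output, so `$this->server->nginx_has_new_version` is set only by a build that embeds that marker, presumably a custom build string, and stays FALSE on a stock nginx of the version the commit message requires; the property name no longer describes what is tested. A comment above the line would spare the next maintainer that surprise: `// TRUE only when 'nginx -V' reports the custom Barracuda 0.9.x build string; stock nginx builds never set this`. The `$match` third argument is unused in all three `preg_match` calls here and can be dropped. The enclosing method starts before this hunk.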
#######################################################
### nginx.conf site pre 0.7.27 vhost include start
### nginx.conf site standard vhost include start
#######################################################
###
### deny crawlers without 403 response
###
if ($http_user_agent ~* (HTTrack|HTMLParser|libwww) ) {
if ( $http_user_agent ~* (?:HTTrack|HTMLParser|libwww|wget) ) {
return 444;
}
###
### deny bots on never cached uri without 403 response
### deny not compatible request methods without 405 response
###
location ~* ^/(user)|(admin) {
if ($http_user_agent ~* (crawl|goog|bot) ) {
if ( $request_method !~ ^(?:GET|HEAD|POST)$ ) {
return 444;
}
###
### deny bots on never cached uri without 403 response (and fix for Aegir & .info .pl domain ext)
###
location ~* ^/(?:user|admin|hosting) {
if ( $http_user_agent ~* (?:crawl|goog|yahoo|spider|bot|yandex) ) {
return 444;
}
#try_files $uri $uri/ @cache;
if (!-e $request_filename) {
break;
try_files $uri @cache;
}
###
### deny stupid bots
###
location ~* /node/add {
if ( $http_user_agent ~* (?:crawl|goog|yahoo|spider|bot|yandex) ) {
return 444;
}
error_page 404 = @cache;
access_log off;
try_files $uri @cache;
}
###
### catch all unspecified requests
###
location / {
#try_files $uri $uri/ @cache;
if (!-e $request_filename) {
break;
}
error_page 404 = @cache;
try_files $uri @cache;
}
###
### boost compatible cache check
### boost compatible cache check - nginx 0.7.27 or newer required with try_files support
###
location @cache {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
if ( $request_method !~ ^(?:GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
if ( $http_cookie ~ "DRUPAL_UID" ) {
return 405;
}
error_page 405 = @drupal;
add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
add_header X-Header "Boost Citrus 1.9";
charset utf-8;
#try_files /cache/normal/$host${uri}_$args.html @drupal;
if (-f $document_root/cache/normal/$host${uri}_$args.html) {
rewrite ^/(.+)$ /cache/normal/$host${uri}_$args.html last;
break;
}
error_page 404 = @drupal;
try_files /cache/normal/$host${uri}_$args.html @drupal;
}
###
### send all not cached requests to drupal with clean URLs support
###
location @drupal {
if (!-e $request_filename) {
rewrite ^/\?q=([^.]+)$ /index.php?q=$1 last;
rewrite ^/(.*)$ /index.php?q=$1 last;
break;
}
rewrite ^/(.*)$ /index.php?q=$1 last;
}
###
### deny listed requests for security reasons
### deny listed requests for security reasons without 403 response
###
location ~* (/\..*|settings\.php$|\.(htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(Entries.*|Repository|Root|Tag|Template))$ {
deny all;
location ~* (/\..*|settings\.php$|\.(?:git|htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(?:\.php)?|xtmpl)$|^(?:Entries.*|Repository|Root|Tag|Template))$ {
return 444;
}
###
### deny php files here for security reasons (remove 'sites' to allow civicrm install)
### deny listed requests for security reasons without 403 response
###
location ~* /(files|themes|sites)/.*\.php$ {
deny all;
location ~* (?:delete.+from|insert.+into|select.+from|union.+select|onload|script|\.php.+src|system\(.+|iframe|document\.cookie|alert|\;|\.\.) {
return 444;
}
###
### allow some known php files (like serve.php in the ad module)
###
location ~* /(?:modules|libraries)/(?:ad|tinybrowser|f?ckeditor|tinymce|wysiwyg_spellcheck)/.*\.php$ {
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000; ### php-fpm listening on port 9000
}
###
### deny direct access to backups
###
location ~* ^/sites/(.*)/files/backup_migrate/ {
location ~* ^/sites/.*/files/backup_migrate/ {
deny all;
}
###
### deny direct access to private downloads
###
location ~* ^/sites/.*/private/ {
deny all;
}
###
### send all non-static requests to php-fpm
### send all non-static requests to php-fpm, restricted to known php files
###
location ~ \.php$ {
if ( $uri !~ "/(files|themes|sites)/") {
location ~* ^/(?:index|boost_stats|update|xmlrpc)\.php$ {
try_files $uri @drupal; ### check for existence of php file first
fastcgi_pass 127.0.0.1:9000; ### php-fpm listening on port 9000
}
error_page 404 = @drupal;
}
###
### make css files compatible with boost caching
### deny access to any not listed above php files
###
location ~* ^.+\.php$ {
deny all;
}
###
### make css files compatible with boost caching - nginx 0.7.27 or newer required with try_files support
###
location ~ \.css$ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
if ( $request_method !~ ^(?:GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
if ( $http_cookie ~ "DRUPAL_UID" ) {
return 405;
}
error_page 405 = @uncached;
access_log off;
expires max; #if using aggregator
add_header X-Header "Boost Citrus 2.1";
#try_files /cache/perm/$host${uri}_.css $uri =404;
if (-f $document_root/cache/perm/$host${uri}_$args.html) {
rewrite ^/(.+)$ /cache/perm/$host${uri}_$args.html last;
break;
}
error_page 404 = @drupal;
try_files /cache/perm/$host${uri}_.css $uri =404;
}
###
### make js files compatible with boost caching
### make js files compatible with boost caching - nginx 0.7.27 or newer required with try_files support
###
location ~ \.js$ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
if ( $request_method !~ ^(?:GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
if ( $http_cookie ~ "DRUPAL_UID" ) {
return 405;
}
error_page 405 = @uncached;
access_log off;
expires max; # if using aggregator
add_header X-Header "Boost Citrus 2.2";
#try_files /cache/perm/$host${uri}_.js $uri =404;
if (-f $document_root/cache/perm/$host${uri}_$args.html) {
rewrite ^/(.+)$ /cache/perm/$host${uri}_$args.html last;
break;
}
error_page 404 = @drupal;
try_files /cache/perm/$host${uri}_.js $uri =404;
}
###
### make json compatible with boost caching
### make json compatible with boost caching - nginx 0.7.27 or newer required with try_files support
###
location ~ \.json$ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
if ( $request_method !~ ^(?:GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
if ( $http_cookie ~ "DRUPAL_UID" ) {
return 405;
}
error_page 405 = @uncached;
access_log off;
expires max; ### if using aggregator
add_header X-Header "Boost Citrus 2.3";
#try_files /cache/normal/$host${uri}_.json $uri =404;
if (-f $document_root/cache/normal/$host${uri}_$args.html) {
rewrite ^/(.+)$ /cache/normal/$host${uri}_$args.html last;
break;
}
error_page 404 = @drupal;
try_files /cache/normal/$host${uri}_.json $uri =404;
}
###
......@@ -174,84 +180,80 @@
}
###
### imagecache and (f)ckeditor support
### imagecache, imagecache_external and (f)ckeditor support
###
location ~* /(files/imagecache)|(fckeditor)|(ckeditor)/ {
location ~* /(?:external|system|files/imagecache|files/styles|f?ckeditor)/ {
access_log off;
expires 30d;
# fix common problems with old paths after import from standalone to Aegir multisite
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)/(.*)/(.*)$ /sites/$1/files/imagecache/$2/$3/$4/$5 last;
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/images/(.*)$ /sites/$1/files/imagecache/$2/images/$3 last;
#try_files $uri @drupal;
if (!-e $request_filename) {
break;
}
error_page 404 = @drupal;
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$host/files/imagecache/$2/$3 last;
rewrite ^/files/imagecache/(.*)$ /sites/$host/files/imagecache/$1 last;
rewrite ^/files/styles/(.*)$ /sites/$host/files/styles/$1 last;
try_files $uri @drupal;
}
###
### serve & no-log static files & images directly, without all standard drupal rewrites, php-fpm etc.
###
location ~* ^.+\.(jpg|jpeg|gif|png|ico|swf|pdf|doc|xls|tiff|tif|txt|shtml|cgi|bat|pl|dll|asp|exe|class)$ {
location ~* ^.+\.(?:jpe?g|gif|png|ico|swf|pdf|doc|xls|tiff?|txt|cgi|bat|pl|dll|aspx?|exe|class)$ {
access_log off;
expires 30d;
# allow files to be accessed without /sites/fqdn/
rewrite ^/files/(.*)$ /sites/$host/files/$1 last;
#try_files $uri =404;
if (!-e $request_filename) {
break;
}
error_page 404 /50x.html;
# allow files/images/downloads to be accessed without /sites/fqdn/
rewrite ^/files/(.*)$ /sites/$host/files/$1 last;
rewrite ^/images/(.*)$ /sites/$host/files/images/$1 last;
rewrite ^/downloads/(.*)$ /sites/$host/files/downloads/$1 last;
try_files $uri =404;
}
###
### serve & log bigger media/static/archive files directly, without all standard drupal rewrites, php-fpm etc.
###
location ~* ^.+\.(avi|mpg|mpeg|mov|wmv|mp3|mp4|m4a|flv|wav|midi|zip|gz|rar)$ {
location ~* ^.+\.(?:avi|mpe?g|mov|wmv|mp3|mp4|m4a|ogg|flv|wav|midi|zip|t?gz|rar)$ {
expires 30d;
# allow files to be accessed without /sites/fqdn/
rewrite ^/files/(.*)$ /sites/$host/files/$1 last;
#try_files $uri =404;
if (!-e $request_filename) {
break;
}
error_page 404 /50x.html;
# allow files/downloads to be accessed without /sites/fqdn/
rewrite ^/files/(.*)$ /sites/$host/files/$1 last;
rewrite ^/downloads/(.*)$ /sites/$host/files/downloads/$1 last;
try_files $uri =404;
}
###
### make feeds compatible with boost caching and set correct mime type
### serve & no-log some static files as is, without forcing default_type
###
location ~* /(?:cross-?domain)\.xml$ {
access_log off;
expires 30d;
try_files $uri =404;
}
###
### make feeds compatible with boost caching and set correct mime type - nginx 0.7.27 or newer required with try_files support
###
location ~* \.xml$ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
if ( $request_method !~ ^(?:GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {