<?php
// Resolve the script user: an explicit drush option takes precedence, the
// server context supplies the fallback. NOTE(review): the value is printed
// verbatim into nginx directives later in this template (the $user_socket
// name used by fastcgi_pass) with no validation here, so it must only ever
// come from a trusted source.
$script_user = drush_get_option('script_user');
if (!$script_user) {
  $script_user = $server->script_user ?: $script_user;
}

// Resolve the Aegir root the same way. It is likewise emitted verbatim into
// nginx "include" directives further down.
$aegir_root = drush_get_option('aegir_root');
if (!$aegir_root) {
  $aegir_root = $server->aegir_root ?: $aegir_root;
}

// Resolve the nginx config mode, drush option first, server context second.
// The template only ever tests for the value 'extended'; any other value
// yields the "basic" variant of this vhost include.
$nginx_config_mode = drush_get_option('nginx_config_mode');
if (!$nginx_config_mode) {
  $nginx_config_mode = $server->nginx_config_mode ?: $nginx_config_mode;
}
// Resolve the PHP-FPM mode. The value 'port' selects a TCP fastcgi_pass to
// 127.0.0.1:9000 in the locations below; any other value (outside BOA
// satellite mode) selects the unix socket held in $phpfpm_socket_path.
$phpfpm_mode = drush_get_option('phpfpm_mode');
if (!$phpfpm_mode) {
  $phpfpm_mode = $server->phpfpm_mode ?: $phpfpm_mode;
}
// We can use $server here once we have proper inheritance.
// See Provision_Service_http_nginx_ssl for details.
// The returned path is emitted verbatim into "fastcgi_pass unix:..." in the
// locations below whenever satellite mode is not 'boa' and $phpfpm_mode is
// not 'port'; it is not validated in this template.
$phpfpm_socket_path = Provision_Service_http_nginx::getPhpFpmSocketPath();

// Whether the target nginx is a "modern" release, resolved like the other
// flags. It is not consulted by the locations in this include as far as
// reviewed; presumably the server-level templates use it — verify before
// treating it as unused.
$nginx_is_modern = drush_get_option('nginx_is_modern');
if (!$nginx_is_modern) {
  $nginx_is_modern = $server->nginx_is_modern ?: $nginx_is_modern;
}
// Whether nginx supports the "etag" directive. When set, the CDN far-future
// and AdvAgg locations below use "etag off;"; otherwise they blank the header
// with add_header ETag "".
$nginx_has_etag = drush_get_option('nginx_has_etag');
if (!$nginx_has_etag) {
  $nginx_has_etag = $server->nginx_has_etag ?: $nginx_has_etag;
}

// Whether nginx supports HTTP/2, resolved like the other flags. Not consulted
// by the locations in this include as far as reviewed; presumably used by the
// server-level (listen) templates — verify before treating it as unused.
$nginx_has_http2 = drush_get_option('nginx_has_http2');
if (!$nginx_has_http2) {
  $nginx_has_http2 = $server->nginx_has_http2 ?: $nginx_has_http2;
}

// Whether nginx was built with gzip support, resolved like the other flags.
// Not consulted by the locations in this include as far as reviewed;
// presumably used elsewhere — verify before treating it as unused.
$nginx_has_gzip = drush_get_option('nginx_has_gzip');
if (!$nginx_has_gzip) {
  $nginx_has_gzip = $server->nginx_has_gzip ?: $nginx_has_gzip;
}

// Whether the nginx upload-progress module is available. Gates the
// x-progress-id and /progress locations below, which rely on the module's
// own directives (upload_progress_json_output, report_uploads) and would
// make nginx reject the configuration if the module is missing.
$nginx_has_upload_progress = drush_get_option('nginx_has_upload_progress');
if (!$nginx_has_upload_progress) {
  $nginx_has_upload_progress = $server->nginx_has_upload_progress ?: $nginx_has_upload_progress;
}
// Resolve the satellite mode. The value 'boa' switches on the BOA-specific
// parts of this include: the high-load and local override includes, the
// per-site FPM socket ($user_socket), the /fpm-status and /fpm-ping
// locations and the localhost-only restriction on the cron URLs.
$satellite_mode = drush_get_option('satellite_mode');
if (!$satellite_mode) {
  $satellite_mode = $server->satellite_mode ?: $satellite_mode;
}
?>
#######################################################
<?php if ($nginx_config_mode == 'extended'): ?>
###  nginx.conf site level extended vhost include start
<?php else: ?>
###  nginx.conf site level basic vhost include start
<?php endif; ?>
#######################################################
###
### Use the main site name if available, instead of
### potentially virtual server_name when alias is set
### as redirection target. See #2358977 for details.
### $main_site_name is expected to be set by the including vhost; "=" in an
### nginx "if" is a string comparison, so an empty value falls back to
### $server_name here.
###
if ($main_site_name = '') {
  set $main_site_name "$server_name";
}

###
### Mitigation for https://www.drupal.org/SA-CORE-2018-002
###
### Defence in depth only: this inspects the query string and the request
### method, never the POST body, so it does not replace patching Drupal core.
### The two "set" steps build a marker that is "AB" only when both the
### suspicious query-string fragment and a POST method are present, the usual
### nginx idiom since "if" conditions cannot be ANDed directly.
###
set $rce "ZZ";
if ( $query_string ~* (23value|23default_value|element_parents=%23) ) {
  set $rce "A";
}
if ( $request_method = POST ) {
  set $rce "${rce}B";
}
if ( $rce = "AB" ) {
  return 403;
}

<?php if ($nginx_config_mode == 'extended'): ?>
set $nocache_details "Cache";

<?php if ($satellite_mode == 'boa'): ?>
###
### Return 404 on special PHP URLs to avoid revealing the PHP version used,
### even indirectly. See also: https://drupal.org/node/2116387
### Defence in depth: the authoritative fix is expose_php = Off in php.ini;
### this rule only hides the well-known query-string form of the probe.
###
if ( $args ~* "=PHP[A-Z0-9]{8}-" ) {
  return 404;
}

###
### Deny crawlers.
### $is_crawler is not defined in this include; it presumably comes from a
### "map" in the server-level configuration. Every vhost that includes this
### file must define it, because nginx rejects a configuration that references
### an unknown variable rather than failing open.
###
if ($is_crawler) {
  return 403;
}

###
### Block semalt botnet.
### $is_botnet is defined outside this include (presumably a server-level
### "map" keyed on the referer or user agent — verify); it must exist in every
### vhost that includes this file.
###
if ($is_botnet) {
  return 403;
}

###
### Include high load protection config if exists.
###
include /data/conf/nginx_high_load.c*;
<?php endif; ?>

###
### Deny incompatible request methods without a 405 response.
### Anything outside this allow-list (TRACE, CONNECT, PATCH, ...) is answered
### with a generic 403 rather than 405, presumably so the response does not
### advertise the supported method set. Note that PATCH is rejected too, which
### may matter for REST clients.
###
if ( $request_method !~ ^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
  return 403;
}

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Deny listed requests for security reasons.
### $is_denied is defined outside this include (presumably a server-level
### "map" over the request URI — verify); the concrete deny list therefore
### lives in the server configuration, not here.
###
if ($is_denied) {
  return 403;
}
###
### Add recommended HTTP headers
###
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
<?php endif; ?>
<?php if ($satellite_mode == 'boa'): ?>
###
### Force clean URLs for Drupal 8.
### NOTE(review): the redirect target is built from $host, i.e. the client's
### Host header. If this vhost is also the default (catch-all) server, a
### request can pick the redirect destination; prefer $server_name or
### $main_site_name there. Verify against the enclosing server block.
###
rewrite ^/index.php/(.*)$ $scheme://$host/$1 permanent;

###
### Include high level local configuration override if exists.
###
include <?php print $aegir_root; ?>/config/server_master/nginx/post.d/nginx_force_include*;
###
### Include PHP-FPM version override logic if exists.
###
include <?php print $aegir_root; ?>/config/server_master/nginx/post.d/fpm_include*;
###
### Allow using a non-default PHP-FPM version for a site
### listed in the special include file.
###
if ($user_socket = '') {
  set $user_socket "<?php print $script_user; ?>";
}
<?php endif; ?>

###
### HTTPRL standard support.
###
location ^~ /httprl_async_function_callback {
  location ~* ^/httprl_async_function_callback {
    access_log off;
    set $nocache_details "Skip";
    try_files  $uri @drupal;
  }
}

###
### HTTPRL test mode support.
###
location ^~ /admin/httprl-test {
  location ~* ^/admin/httprl-test {
    access_log off;
    set $nocache_details "Skip";
    try_files  $uri @drupal;
  }
}

###
### CDN Far Future expiration support.
###
location ^~ /cdn/farfuture/ {
  tcp_nodelay   off;
  access_log    off;
  log_not_found off;
<?php if ($nginx_has_etag): ?>
  etag          off;
<?php else: ?>
  add_header ETag "";
<?php endif; ?>
  gzip_http_version 1.0;
  if_modified_since exact;
  set $nocache_details "Skip";
  location ~* ^/cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff2?|eot|less)$ {
    expires max;
    add_header X-Header "CDN Far Future Generator 1.0";
    add_header Cache-Control "no-transform, public";
    add_header Last-Modified "Wed, 20 Jan 1988 04:20:42 GMT";
    add_header Access-Control-Allow-Origin *;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
    try_files $uri @drupal;
  }
  location ~* ^/cdn/farfuture/ {
    expires epoch;
    add_header X-Header "CDN Far Future Generator 1.1";
    add_header Cache-Control "private, must-revalidate, proxy-revalidate";
    add_header Access-Control-Allow-Origin *;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
    try_files $uri @drupal;
  }
  try_files $uri @drupal;
}
<?php endif; ?>

###
### Serve the favicon if it exists, else return 204.
###
location = /favicon.ico {
  access_log    off;
  log_not_found off;
  expires       30d;
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  try_files  /sites/$main_site_name/files/favicon.ico $uri =204;
}

###
### Support for https://drupal.org/project/robotstxt module
### and static file in the sites/domain/files directory.
###
location = /robots.txt {
  access_log    off;
  log_not_found off;
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>
  try_files /sites/$main_site_name/files/$host.robots.txt /sites/$main_site_name/files/robots.txt $uri @cache;
<?php else: ?>
  try_files /sites/$main_site_name/files/$host.robots.txt /sites/$main_site_name/files/robots.txt $uri @drupal;
<?php endif; ?>
}

<?php if ($satellite_mode == 'boa'): ?>
###
### Allow local access to the FPM status page.
###
location = /fpm-status {
  access_log   off;
  allow        127.0.0.1;
  deny         all;
<?php if ($satellite_mode == 'boa'): ?>
  fastcgi_pass unix:/var/run/$user_socket.fpm.socket;
<?php elseif ($phpfpm_mode == 'port'): ?>
  fastcgi_pass 127.0.0.1:9000;
<?php else: ?>
  fastcgi_pass unix:<?php print $phpfpm_socket_path; ?>;
<?php endif; ?>
}

###
### Allow local access to the FPM ping URI.
###
location = /fpm-ping {
  access_log   off;
  allow        127.0.0.1;
  deny         all;
<?php if ($satellite_mode == 'boa'): ?>
  fastcgi_pass unix:/var/run/$user_socket.fpm.socket;
<?php elseif ($phpfpm_mode == 'port'): ?>
  fastcgi_pass 127.0.0.1:9000;
<?php else: ?>
  fastcgi_pass unix:<?php print $phpfpm_socket_path; ?>;
<?php endif; ?>
}
<?php endif; ?>

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Allow local access to support wget method in Aegir settings
### for running sites cron.
###
location = /cron.php {
  tcp_nopush   off;
  keepalive_requests 0;
<?php if ($satellite_mode == 'boa'): ?>
  allow        127.0.0.1;
  deny         all;
<?php endif; ?>
  try_files    $uri =404;
<?php if ($satellite_mode == 'boa'): ?>
  fastcgi_pass unix:/var/run/$user_socket.fpm.socket;
<?php elseif ($phpfpm_mode == 'port'): ?>
  fastcgi_pass 127.0.0.1:9000;
<?php else: ?>
  fastcgi_pass unix:<?php print $phpfpm_socket_path; ?>;
<?php endif; ?>
}

###
### Allow local access to support wget method in Aegir settings
### for running sites cron in Drupal 8.
###
location ^~ /cron/ {
<?php if ($satellite_mode == 'boa'): ?>
  allow        127.0.0.1;
  deny         all;
<?php endif; ?>
<?php if ($nginx_config_mode == 'extended'): ?>
  set $nocache_details "Skip";
<?php endif; ?>
  try_files    $uri @drupal;
}

###
### Send search to php-fpm early so searching for node.js will work.
### Deny bots on search uri.
###
location ^~ /search {
  location ~* ^/search {
    if ( $is_bot ) {
      return 403;
    }
    try_files $uri @drupal;
  }
}

###
### Support for https://drupal.org/project/js module.
###
location ^~ /js/ {
  location ~* ^/js/ {
    if ( $is_bot ) {
      return 403;
    }
    rewrite ^/(.*)$ /js.php?q=$1 last;
  }
}

<?php if ($nginx_has_upload_progress): ?>
###
### Upload progress support.
### https://drupal.org/project/filefield_nginx_progress
### http://github.com/masterzen/nginx-upload-progress-module
###
location ~ (?<upload_form_uri>.*)/x-progress-id:(?<upload_id>\d*) {
  access_log off;
  rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id;
}
location ^~ /progress {
  access_log off;
  upload_progress_json_output;
  report_uploads uploads;
}
<?php endif; ?>

<?php if ($satellite_mode == 'boa'): ?>
###
### Deny access to Hostmaster web/db server node.
### It is still possible to edit or break the web/db server
### node at /node/2/edit, if you know what you are doing.
###
location ^~ /hosting/c/server_master {
  if ($cache_uid = '') {
    return 403;
  }
  if ( $is_bot ) {
    return 403;
  }
  access_log off;
  return 301 $scheme://$host/hosting/sites;
}

###
### Deny access to Hostmaster db server node.
### It is still possible to edit or break the db server
### node at /node/4/edit, if you know what you are doing.
###
location ^~ /hosting/c/server_localhost {
  if ($cache_uid = '') {
    return 403;
  }
  if ( $is_bot ) {
    return 403;
  }
  access_log off;
  return 301 $scheme://$host/hosting/sites;
}
<?php endif; ?>

###
### Fix for #2005116
###
location ^~ /hosting/sites {
  if ( $is_bot ) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}

###
### Fix for Aegir & .info .pl domain extensions.
###
location ^~ /hosting {
  if ( $is_bot ) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}

<?php if ($satellite_mode == 'boa'): ?>
###
### Deny cache details display.
###
location ^~ /admin/settings/performance/cache-backend {
  access_log off;
  return 301 $scheme://$host/admin/settings/performance;
}

###
### Deny cache details display.
###
location ^~ /admin/config/development/performance/redis {
  access_log off;
  return 301 $scheme://$host/admin/config/development/performance;
}
<?php endif; ?>

###
### Support for backup_migrate module download/restore/delete actions.
###
location ^~ /admin {
  if ( $is_bot ) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}

###
### Avoid caching /civicrm* and protect it from bots.
###
location ^~ /civicrm {
  if ( $is_bot ) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}

###
### Avoid caching /civicrm* and protect it from bots on a multi-lingual site
###
location ~* ^/\w\w/civicrm {
  if ( $is_bot ) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}

###
### Support for audio module.
###
location ^~ /audio/download {
  location ~* ^/audio/download/.*/.*\.(?:mp3|mp4|m4a|ogg)$ {
    if ( $is_bot ) {
      return 403;
    }
    tcp_nopush off;
    access_log    off;
    log_not_found off;
    set $nocache_details "Skip";
    try_files $uri @drupal;
  }
}
<?php endif; ?>

###
### Deny listed requests for security reasons.
###
location ~* (\.(?:git.*|htaccess|engine|config|inc|ini|info|install|make|module|profile|test|pl|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save))$ {
  access_log off;
  return 404;
}

###
### Deny listed requests for security reasons.
### Hides README/CHANGELOG-style files under modules, themes and libraries,
### which typically disclose the exact versions of contrib code in use.
### 404 rather than 403 so the response does not confirm the path matters.
###
location ~* /(?:modules|themes|libraries)/.*\.(?:txt|md)$ {
  access_log off;
  return 404;
}

###
### Deny listed requests for security reasons.
###
location ~* ^/sites/.*/files/civicrm/(?:ConfigAndLog|custom|upload|templates_c) {
  access_log off;
  return 404;
}

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Deny a frequently flooded URI for performance reasons.
### Mail clients (typically Outlook/Exchange autodiscover) probe this path on
### any host; answering 404 here keeps those requests away from PHP-FPM and
### out of the access log.
###
location = /autodiscover/autodiscover.xml {
  access_log off;
  return 404;
}

###
### Deny some unsupported URIs, like cgi-bin, at the Nginx level.
### The pattern is unanchored, so any URI containing "cgi-bin" or "vti-bin"
### anywhere in its path gets a 404 before reaching Drupal.
###
location ~* (?:cgi-bin|vti-bin) {
  access_log off;
  return 404;
}

###
### Deny bots on the URIs of some weak modules.
###
location ~* (?:validation|aggregator|vote_up_down|captcha|vbulletin|glossary/) {
  if ( $is_bot ) {
    return 403;
  }
  access_log off;
  try_files $uri @drupal;
}

###
### Responsive Images support.
### https://drupal.org/project/responsive_images
###
location ~* \.r\.(?:jpe?g|png|gif) {
  if ( $http_cookie ~* "rwdimgsize=large" ) {
    rewrite ^/(.*)/mobile/(.*)\.r(\.(?:jpe?g|png|gif))$ /$1/desktop/$2$3 last;
  }
  rewrite ^/(.*)\.r(\.(?:jpe?g|png|gif))$ /$1$2 last;
  access_log off;
  set $nocache_details "Skip";
  try_files  $uri @drupal;
}

###
### Adaptive Image Styles support.
### https://drupal.org/project/ais
###
location ~* /(?:.+)/files/styles/adaptive/(?:.+)$ {
  if ( $http_cookie ~* "ais=(?<ais_cookie>[a-z0-9-_]+)" ) {
    rewrite ^/(.+)/files/styles/adaptive/(.+)$ /$1/files/styles/$ais_cookie/$2 last;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files  $uri @drupal;
}
<?php endif; ?>

###
### The files/styles support.
###
location ~* /sites/.*/files/styles/(.*)$ {
  access_log off;
  log_not_found off;
  expires    30d;
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>
  set $nocache_details "Skip";
<?php endif; ?>
  try_files  /sites/$main_site_name/files/styles/$1 $uri @drupal;
}

###
### The s3/files/styles (s3fs) support.
###
location ~* /s3/files/styles/(.*)$ {
  access_log off;
  log_not_found off;
  expires    30d;
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>
  set $nocache_details "Skip";
<?php endif; ?>
  try_files  /sites/$main_site_name/files/styles/$1 $uri @drupal;
}

###
### The files/imagecache support.
###
location ~* /sites/.*/files/imagecache/(.*)$ {
  access_log off;
  log_not_found off;
  expires    30d;
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>
  # fix common problems with old paths after import from standalone to Aegir multisite
  rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$main_site_name/files/imagecache/$2/$3 last;
  rewrite ^/sites/(.*)/files/imagecache/(.*)/files/(.*)$               /sites/$main_site_name/files/imagecache/$2/$3 last;
  set $nocache_details "Skip";
<?php endif; ?>
  try_files  /sites/$main_site_name/files/imagecache/$1 $uri @drupal;
}

###
### Send requests with /external/ and /system/ URI keywords to @drupal.
###
location ~* /(?:external|system)/ {
  access_log off;
  log_not_found off;
  expires    30d;
<?php if ($nginx_config_mode == 'extended'): ?>
  set $nocache_details "Skip";
<?php endif; ?>
  try_files  $uri @drupal;
}

###
### Deny direct access to backups.
### Dumps created by backup_migrate live under files/backup_migrate/ and must
### only be reachable through Drupal's access-checked download path. "deny all"
### answers 403 for every matching URI, whether or not the file exists; use
### "return 404;" instead if parity with the other deny rules is preferred.
###
location ~* ^/sites/.*/files/backup_migrate/ {
  access_log off;
  deny all;
}

###
### Deny direct access to config files in Drupal 8.
### Matches the config sync directory Drupal 8 typically creates under files/
### with a "config_" prefix followed by a per-site hash; the exported YAML
### there can contain credentials and must never be served directly.
###
location ~* ^/sites/.*/files/config_.* {
  access_log off;
  deny all;
}

<?php if ($satellite_mode == 'boa'): ?>
###
### Include local configuration override if exists.
###
include <?php print $aegir_root; ?>/config/server_master/nginx/post.d/nginx_vhost_include*;
<?php endif; ?>

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Private downloads are always sent to the drupal backend.
### Note: this location doesn't work with X-Accel-Redirect.
###
location ~* ^/sites/.*/files/private/ {
  if ( $is_bot ) {
    return 403;
  }
  access_log off;
  rewrite    ^/sites/.*/files/private/(.*)$ $scheme://$host/system/files/private/$1 permanent;
  set $nocache_details "Skip";
  try_files  $uri @drupal;
}
<?php endif; ?>

###
### Deny direct access to private downloads in sites/domain/private.
### Note: this location works with X-Accel-Redirect.
###
location ~* ^/sites/.*/private/ {
  internal;
<?php if ($nginx_config_mode == 'extended'): ?>
  if ( $is_bot ) {
    return 403;
  }
<?php endif; ?>
  access_log off;
}

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Deny direct access to private downloads also for short, rewritten URLs.
### Note: this location works with X-Accel-Redirect.
###
location ~* /files/private/ {
  internal;
  if ( $is_bot ) {
    return 403;
  }
  access_log off;
}

###
### Wysiwyg Fields support.
###
location ~* wysiwyg_fields/(?:plugins|scripts)/.*\.(?:js|css) {
  access_log off;
  log_not_found off;
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  try_files $uri @drupal;
}

###
### Advagg_css and Advagg_js support.
###
location ~* files/advagg_(?:css|js)/ {
  expires    max;
  access_log off;
<?php if ($nginx_has_etag): ?>
  etag       off;
<?php else: ?>
  add_header ETag "";
<?php endif; ?>
  rewrite    ^/files/advagg_(.*)/(.*)$ /sites/$main_site_name/files/advagg_$1/$2 last;
  add_header X-Header "AdvAgg Generator 2.0";
  add_header Cache-Control "max-age=31449600, no-transform, public";
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  set $nocache_details "Skip";
  try_files  $uri @drupal;
}

###
### Make css files compatible with boost caching.
###
location ~* \.css$ {
  if ( $request_method = POST ) {
    return 405;
  }
  if ( $cache_uid ) {
    return 405;
  }
  error_page  405 = @uncached;
  access_log  off;
  tcp_nodelay off;
  expires     max; #if using aggregator
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  try_files   /cache/perm/$host${uri}_.css $uri =404;
}

###
### Support for dynamic /sw.js requests. See #2982073 on drupal.org
###
location = /sw.js {
  try_files $uri @drupal;
}

###
### Make js files compatible with boost caching.
###
location ~* \.(?:js|htc)$ {
  if ( $request_method = POST ) {
    return 405;
  }
  if ( $cache_uid ) {
    return 405;
  }
  error_page  405 = @uncached;
  access_log  off;
  tcp_nodelay off;
  expires     max; # if using aggregator
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  try_files   /cache/perm/$host${uri}_.js $uri =404;
}

###
### Support for dynamic .json requests.
###
location ~* \.json$ {
  try_files $uri @drupal;
}

###
### Support for static .json files with fast 404 +Boost compatibility.
###
location ~* ^/sites/.*/files/.*\.json$ {
  if ( $cache_uid ) {
    return 405;
  }
  error_page  405 = @uncached;
  access_log  off;
  tcp_nodelay off;
  expires     max; ### if using aggregator
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  try_files   /cache/normal/$host${uri}_.json $uri =404;
}

###
### Helper location to bypass boost static files cache for logged in users.
###
location @uncached {
  access_log off;
  expires max; # max if using aggregator, otherwise sane expire time
}
<?php endif; ?>

###
### Map /files/ shortcut early to avoid overrides in other locations.
###
location ^~ /files/ {
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";

<?php if ($satellite_mode == 'boa'): ?>
  ###
  ### Sub-location to support Flash Video (FLV) files with short URIs.
  ### The rewrite maps the short /files/ URI onto the main site's files
  ### directory and restarts location matching ("last"); try_files is only
  ### reached when the URI did not start with /files/.
  ### NOTE(review): X-XSS-Protection is a legacy header that current browsers
  ### ignore and current guidance is to omit it or set it to "0"; it is kept
  ### here for parity with the other locations in this include.
  ###
  location ~* /files/.+\.flv$ {
    flv;
    tcp_nodelay off;
    tcp_nopush off;
    expires 30d;
    access_log    off;
    log_not_found off;
    add_header Access-Control-Allow-Origin *;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    rewrite  ^/files/(.*)$  /sites/$main_site_name/files/$1 last;
    try_files   $uri =404;
  }

  ###
  ### Sub-location to support H.264/AAC files with short URIs.
  ### Same shape as the FLV block above; the mp4 buffer sizes bound the
  ### memory nginx spends parsing the container for pseudo-streaming.
  ###
  location ~* /files/.+\.(?:mp4|m4a)$ {
    mp4;
    mp4_buffer_size 1m;
    mp4_max_buffer_size 5m;
    tcp_nodelay off;
    tcp_nopush off;
    expires 30d;
    access_log    off;
    log_not_found off;
    add_header Access-Control-Allow-Origin *;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    rewrite  ^/files/(.*)$  /sites/$main_site_name/files/$1 last;
    try_files   $uri =404;
  }
<?php endif; ?>

  ###
  ### Sub-location to support files/styles with short URIs.
  ###
  location ~* /files/styles/(.*)$ {
    access_log off;
    log_not_found off;
    expires    30d;
<?php if ($nginx_config_mode == 'extended'): ?>
    set $nocache_details "Skip";
<?php endif; ?>
    rewrite  ^/files/(.*)$  /sites/$main_site_name/files/$1 last;
    try_files  /sites/$main_site_name/files/styles/$1 $uri @drupal;
  }

  ###
  ### Sub-location to support files/imagecache with short URIs.
  ###
  location ~* /files/imagecache/(.*)$ {
    access_log off;
    log_not_found off;
    expires    30d;
<?php if ($nginx_config_mode == 'extended'): ?>
    # fix common problems with old paths after import from standalone to Aegir multisite
    rewrite ^/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$main_site_name/files/imagecache/$1/$2 last;
    rewrite ^/files/imagecache/(.*)/files/(.*)$               /sites/$main_site_name/files/imagecache/$1/$2 last;
    set $nocache_details "Skip";
<?php endif; ?>
    rewrite  ^/files/(.*)$  /sites/$main_site_name/files/$1 last;
    try_files  /sites/$main_site_name/files/imagecache/$1 $uri @drupal;
  }

  location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa|css|js)$ {
    expires       30d;
    tcp_nodelay   off;
    access_log    off;
    log_not_found off;
    rewrite  ^/files/(.*)$  /sites/$main_site_name/files/$1 last;
    try_files   $uri =404;
  }
<?php if ($nginx_config_mode == 'extended'): ?>
  try_files $uri @cache;
<?php else: ?>
  try_files $uri @drupal;
<?php endif; ?>
}

###
### Map /downloads/ shortcut early to avoid overrides in other locations.
###
location ^~ /downloads/ {
  location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ {
    expires       30d;
    tcp_nodelay   off;
    access_log    off;
    log_not_found off;
    add_header Access-Control-Allow-Origin *;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    rewrite  ^/downloads/(.*)$  /sites/$main_site_name/files/downloads/$1 last;
    try_files   $uri =404;
  }
<?php if ($nginx_config_mode == 'extended'): ?>
  try_files $uri @cache;
<?php else: ?>
  try_files $uri @drupal;
<?php endif; ?>
}

###
### Serve & no-log static files & images directly,
### without all standard drupal rewrites, php-fpm etc.
###
location ~* ^.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|mp3|wav|midi)$ {
  expires       30d;
  tcp_nodelay   off;
  access_log    off;
  log_not_found off;
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  rewrite     ^/images/(.*)$  /sites/$main_site_name/files/images/$1 last;
  rewrite     ^/.+/sites/.+/files/(.*)$  /sites/$main_site_name/files/$1 last;
  try_files   $uri =404;
}

###
### Serve bigger media/static/archive files directly,
### without all standard drupal rewrites, php-fpm etc.
###
location ~* ^.+\.(?:avi|mpe?g|mov|wmv|ogg|ogv|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ {
  expires     30d;
  tcp_nodelay off;
  tcp_nopush  off;
  access_log    off;
  log_not_found off;
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  rewrite     ^/.+/sites/.+/files/(.*)$  /sites/$main_site_name/files/$1 last;
  try_files   $uri =404;
}

###
### Serve & no-log some static files directly,
### but only from the files directory to not break
### dynamically created pdf files or redirects for
### legacy URLs with asp/aspx extension.
###
location ~* ^/sites/.+/files/.+\.(?:pdf|aspx?)$ {
  expires       30d;
  tcp_nodelay   off;
  access_log    off;
  log_not_found off;
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  try_files   $uri =404;
}

<?php if ($satellite_mode == 'boa'): ?>
###
### Pseudo-streaming server-side support for Flash Video (FLV) files.
###
location ~* ^.+\.flv$ {
  flv;
  tcp_nodelay off;
  tcp_nopush off;
  expires 30d;
  access_log    off;
  log_not_found off;
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  try_files $uri =404;
}

###
### Pseudo-streaming server-side support for H.264/AAC files.
###
location ~* ^.+\.(?:mp4|m4a)$ {
  mp4;
  mp4_buffer_size 1m;
  mp4_max_buffer_size 5m;
  tcp_nodelay off;
  tcp_nopush off;
  expires 30d;
  access_log    off;
  log_not_found off;
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  try_files $uri =404;
}
<?php endif; ?>

###
### Serve & no-log some static files as is, without forcing default_type.
###
location ~* /(?:cross-?domain)\.xml$ {
  access_log  off;
  tcp_nodelay off;
  expires     30d;
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
1035 1036 1037
  try_files   $uri =404;
}

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Allow some known php files (like serve.php in the ad module).
###
### This is one of the few places where a PHP file other than /index.php
### is handed to php-fpm: every *.php below the listed module/library
### directories (ad, tinybrowser, fckeditor/ckeditor, tinymce, ...)
### becomes executable. Several of those packages ship their own
### upload/browse endpoints, so keep this list as short as possible and
### keep the packages patched.
###
### NOTE(review): the pattern is not anchored with ^, so it also matches
### "/modules/ad/..." occurring deeper in a path, e.g. below a site's
### files (upload) directory. Whether such an upload could be executed
### depends on an earlier location denying *.php under sites/*/files,
### which is outside this excerpt - confirm it exists.
###
location ~* /(?:modules|libraries)/(?:contrib/)?(?:ad|tinybrowser|f?ckeditor|tinymce|wysiwyg_spellcheck|ecc|civicrm|fbconnect|radioactivity|statistics)/.*\.php$ {
<?php if ($satellite_mode == 'boa'): ?>
  ### Concurrent-connection cap; the limreq zone is presumably defined by
  ### the BOA server-level config (not visible here).
  limit_conn   limreq 88;
<?php endif; ?>
  tcp_nopush   off;
  keepalive_requests 0;
  access_log   off;
  ### $is_bot is set outside this template (presumably a map on the
  ### User-Agent); crawlers never get to execute these scripts.
  if ( $is_bot ) {
    return 403;
  }
  ### Only pass a script that really exists on disk to php-fpm.
  try_files    $uri =404;
<?php if ($satellite_mode == 'boa'): ?>
  ### BOA: per-site php-fpm pool socket ($user_socket is set elsewhere).
  fastcgi_pass unix:/var/run/$user_socket.fpm.socket;
<?php elseif ($phpfpm_mode == 'port'): ?>
  fastcgi_pass 127.0.0.1:9000;
<?php else: ?>
  fastcgi_pass unix:<?php print $phpfpm_socket_path; ?>;
<?php endif; ?>
}

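###
### Deny crawlers and never cache known AJAX requests.
###
### The pattern is not anchored, so it matches anywhere in the URI (e.g.
### any path containing "/js/"). Crawlers get 403; everyone else is served
### the file from disk if it exists, otherwise the request goes to Drupal
### with $nocache_details = "Skip" so the /index.php handler bypasses the
### cache.
###
### This location is only emitted when nginx_config_mode is "extended"
### (see the enclosing guard), so the former inner re-check of
### nginx_config_mode was always true; its dead "else" branch has been
### folded away and the generated nginx config is unchanged.
###
location ~* /(?:ahah|ajax|batch|autocomplete|done|progress/|x-progress-id|js/.*) {
  if ( $is_bot ) {
    return 403;
  }
  access_log off;
  log_not_found off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}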

###
### Static helper files (html/htm/xml) shipped with some wysiwyg editors
### and media players, served straight from disk. Only paths below
### /sites/.../ qualify, and crawlers are refused. Headers are restated
### because add_header is not inherited once a location sets its own.
###
location ~* ^/sites/.*/(?:modules|libraries)/(?:contrib/)?(?:tinybrowser|f?ckeditor|tinymce|flowplayer|jwplayer|videomanager)/.*\.(?:html?|xml)$ {
  if ( $is_bot ) {
    return 403;
  }
  try_files   $uri =404;
  access_log  off;
  tcp_nodelay off;
  expires     30d;
  add_header  Access-Control-Allow-Origin *;
  add_header  X-Content-Type-Options nosniff;
  add_header  X-XSS-Protection "1; mode=block";
}

###
### Catch-all for everything else below a site's files directory: served
### from disk, never logged, cacheable by clients for 30 days.
### Regex locations are tried in order, so anything claimed by an earlier
### block (e.g. the pdf/aspx rule above) never reaches this one.
### With Access-Control-Allow-Origin * these uploads are readable from any
### origin, which is only appropriate for public assets.
###
location ~* ^/sites/.*/files/ {
  try_files   $uri =404;
  access_log  off;
  tcp_nodelay off;
  expires     30d;
  add_header  Access-Control-Allow-Origin *;
  add_header  X-Content-Type-Options nosniff;
  add_header  X-XSS-Protection "1; mode=block";
}

###
### Make feeds compatible with boost caching and set correct mime type.
###
### Flow: Outlook autodiscover probes are answered with a cheap 400; POSTs
### and requests from logged-in users ($cache_uid set) are turned into a
### 405 that error_page maps to @drupal, i.e. they skip the Boost cache.
### Everyone else gets the Boost cache file if present, then a real file
### on disk, then Drupal.
###
location ~* \.xml$ {
  ### Nested location: stop Exchange/Outlook autodiscover noise early.
  location ~* ^/autodiscover/autodiscover\.xml {
    access_log off;
    return 400;
  }
  if ( $request_method = POST ) {
    return 405;
  }
  if ( $cache_uid ) {
    return 405;
  }
  ### 405 is only a vehicle to jump into the named location.
  error_page 405 = @drupal;
  access_log off;
  ### Responses built here must not be stored by browsers or proxies;
  ### freshness is managed by the on-disk Boost cache instead.
  add_header X-Header "Boost Citrus 1.0";
  add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
  add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  charset    utf-8;
  ### Empty types table + default_type: everything matched here (cache
  ### file or on-disk .xml) goes out as text/xml regardless of extension.
  types { }
  default_type text/xml;
  ### Paths are relative to the docroot. $host is nginx's validated Host
  ### value (path separators and consecutive dots are rejected), so it
  ### cannot traverse out of /cache/normal.
  try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html $uri @drupal;
}

###
### Never-cached admin/user/cart/checkout/logout paths: crawlers get 403,
### everyone else goes to Drupal (after a static-file check) with the
### cache explicitly skipped via $nocache_details.
###
location ~* ^/(?:admin|user|cart|checkout|logout) {
  if ( $is_bot ) {
    return 403;
  }
  set        $nocache_details "Skip";
  access_log off;
  try_files  $uri @drupal;
}
### Same rule for URLs carrying a two-letter language prefix
### (/en/admin, /de/user, ...): bots refused, cache skipped.
location ~* ^/\w\w/(?:admin|user|cart|checkout|logout) {
  if ( $is_bot ) {
    return 403;
  }
  set        $nocache_details "Skip";
  access_log off;
  try_files  $uri @drupal;
}

###
### Protect from DoS attempts on never cached uri.
###
### node/N/edit, node/add and comment/reply (optionally below a language
### or other prefix) are form pages that cannot be served from cache, so
### crawlers are refused outright and $nocache_details marks the request
### as a cache skip for the /index.php handler.
###
location ~* ^/(?:.*/)?(?:node/[0-9]+/edit|node/add|comment/reply) {
  if ( $is_bot ) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}

###
### Protect from DoS attempts on never cached uri.
###
### node/N/delete and approve additionally require $cache_uid to be
### non-empty. NOTE(review): $cache_uid is set outside this template,
### presumably from a session cookie; this is a presence check on a
### client-supplied cookie, not authentication - any non-empty value
### passes. Real authorization still happens in Drupal; treat this as a
### cheap filter against anonymous scanners only.
###
location ~* ^/(?:.*/)?(?:node/[0-9]+/delete|approve) {
  if ($cache_uid = '') {
    return 403;
  }
  if ( $is_bot ) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}

<?php if ($satellite_mode == 'boa'): ?>
###
### Support for ESI microcaching: http://groups.drupal.org/node/197478.
###
### This may enhance not only anonymous visitors, but also
### logged in users experience, as it allows you to separate
### microcache for ESI/SSI includes (valid for 3 seconds per the
### fastcgi_cache_valid below; the X-Speed-Micro-Cache-Expire header
### still advertises 5s) from both default Speed Booster cache for
### anonymous visitors (valid by default for 10s or 1h, unless purged
### on demand via recently introduced Purge/Expire modules) and also
### from Speed Booster cache per logged in user (valid for 10 seconds).
###
### Now you have three different levels of Speed Booster cache
### to leverage and deliver the 'live content' experience for
### all visitors, and still protect your server from DoS or
### simply high load caused by unexpected high traffic etc.
###
### Security notes:
###  - "internal" makes this location reachable only through nginx
###    subrequests (SSI includes) or X-Accel-Redirect; a client asking
###    for /esi/... directly gets 404.
###  - SCRIPT_FILENAME is pinned to index.php and QUERY_STRING is rebuilt
###    from the captured path, so no other script can be executed here.
###  - NOTE(review): the location regex ends in a literal double quote
###    followed by $, i.e. it only matches URIs whose last character is
###    a quote. Confirm this is intended; as written a plain /esi/foo
###    subrequest would not match this block.
###
location ~ ^/(?<esi>esi/.*)"$ {
  ssi on;
  ssi_silent_errors on;
  internal;
  limit_conn limreq 888;
  ### Diagnostic headers; they travel with the subrequest response.
  add_header X-Device "$device";
  add_header X-Speed-Micro-Cache "$upstream_cache_status";
  add_header X-Speed-Micro-Cache-Expire "5s";
  add_header X-NoCache "$nocache_details";
  add_header X-GeoIP-Country-Code "$geoip_country_code";
  add_header X-GeoIP-Country-Name "$geoip_country_name";
  add_header X-This-Proto "$http_x_forwarded_proto";
  add_header X-Server-Name "$main_site_name";
  add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  ###
  ### Set correct, local $uri.
  ###
  fastcgi_param QUERY_STRING q=$esi;
  fastcgi_param SCRIPT_FILENAME $document_root/index.php;
<?php if ($satellite_mode == 'boa'): ?>
  fastcgi_pass  unix:/var/run/$user_socket.fpm.socket;
<?php elseif ($phpfpm_mode == 'port'): ?>
  fastcgi_pass  127.0.0.1:9000;
<?php else: ?>
  fastcgi_pass  unix:<?php print $phpfpm_socket_path; ?>;
<?php endif; ?>
  ###
  ### Use Nginx cache for all visitors.
  ###
  set $nocache "";
  if ( $http_cookie ~* "NoCacheID" ) {
    set $nocache "NoCache";
  }
  fastcgi_cache speed;
  fastcgi_cache_methods GET HEAD;
  fastcgi_cache_min_uses 1;
  ### The key includes $cache_uid (per logged-in user) next to several
  ### client-controlled values ($is_bot, $device, X-Forwarded-Proto).
  ### NOTE(review): the per-user isolation only holds if $cache_uid is
  ### bound to the session rather than a guessable cookie value - it is
  ### derived outside this template, check there.
  fastcgi_cache_key "$scheme$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg";
  ### 200s live for 3s, everything else for 1s.
  fastcgi_cache_valid 200 3s;
  fastcgi_cache_valid 301 302 403 404 1s;
  fastcgi_cache_valid any 1s;
  fastcgi_cache_lock on;
  ### Upstream Cache-Control/Expires/Vary are ignored; X-Accel-Expires is
  ### still honoured, and Set-Cookie is not ignored, so a response that
  ### sets a cookie is not stored (nginx default).
  fastcgi_ignore_headers Cache-Control Expires Vary;
  fastcgi_pass_header Set-Cookie;
  fastcgi_pass_header X-Accel-Expires;
  fastcgi_pass_header X-Accel-Redirect;
  ### Requests carrying an Authorization header or the NoCacheID cookie
  ### neither read nor populate the cache.
  fastcgi_no_cache $cookie_NoCacheID $http_authorization $nocache;
  fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $nocache;
  fastcgi_cache_use_stale error http_500 http_503 invalid_header timeout updating;
  tcp_nopush off;
  keepalive_requests 0;
  expires epoch;
}

###
### Workaround for https://www.drupal.org/node/2599326.
###
### Server-level "if" blocks run in the rewrite phase, before a location
### is chosen. Autocomplete callbacks that carry the path in the query
### string are sent straight to Drupal: 405 is mapped to @drupal below
### (the same mapping the .xml location and @cache rely on).
###
if ( $args ~* "/autocomplete/" ) {
  return 405;
}
error_page 405 = @drupal;

###
### Rewrite legacy requests with /index.php to extension-free URL.
###
### /index.php?q=foo&x=1 is redirected permanently to /?q=foo&x=1: the
### trailing "?" drops the original args and $query_value re-adds
### everything after "q=".
### NOTE(review): the redirect target is built from $host, i.e. the
### client's Host header. If this vhost can be reached as the default
### server, an attacker-chosen Host becomes the redirect target (open
### redirect). $scheme is also the listener's scheme, not
### X-Forwarded-Proto, so behind a TLS-terminating proxy the redirect
### may point at http://.
###
if ( $args ~* "^q=(?<query_value>.*)" ) {
  rewrite ^/index.php$ $scheme://$host/?q=$query_value? permanent;
}
<?php endif; ?>
<?php endif; ?>

###
### Catch all unspecified requests.
###
### Last-resort prefix location: a static file is tried first, then the
### request goes to the Boost cache check (extended mode) or straight to
### Drupal (basic mode).
###
location / {
<?php if ($nginx_config_mode == 'extended'): ?>
<?php if ($satellite_mode == 'boa'): ?>
  ### User-Agent sniffing only deters naive scripts; the UA string is
  ### freely chosen by the client, so do not rely on this for protection.
  if ( $http_user_agent ~* wget ) {
    return 403;
  }
<?php endif; ?>
  try_files $uri @cache;
<?php else: ?>
  try_files $uri @drupal;
<?php endif; ?>
}

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Boost compatible cache check.
###
### Decides whether a request may be answered from the on-disk Boost
### cache. Each "return 405" is turned into an internal jump to @drupal
### by the error_page below; $nocache_details records why the cache was
### skipped and is consumed by the /index.php location.
###
location @cache {
  if ( $request_method = POST ) {
    set $nocache_details "Method";
    return 405;
  }
  ### Any client can force a cache miss with ?nocache=1. Handy for
  ### debugging, but it also means this cache gives no protection against
  ### a client that always appends it.
  if ( $args ~* "nocache=1" ) {
    set $nocache_details "Args";
    return 405;
  }
  ### NOTE(review): $sent_http_* reflects response headers already set on
  ### this request, and no upstream has responded at this point; confirm
  ### what is expected to populate X-Force-NoCache here.
  if ( $sent_http_x_force_nocache = "YES" ) {
    set $nocache_details "Skip";
    return 405;
  }
  if ( $http_cookie ~* "NoCacheID" ) {
    set $nocache_details "AegirCookie";
    return 405;
  }
  if ( $cache_uid ) {
    set $nocache_details "DrupalCookie";
    return 405;
  }
  error_page 405 = @drupal;
  add_header X-Header "Boost Citrus 1.0";
  add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
  add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
  add_header Access-Control-Allow-Origin *;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  charset    utf-8;
  ### Cache file lookup, relative to the docroot. $host is validated by
  ### nginx, but $args is the raw query string and is not normalised.
  ### NOTE(review): a query string may contain "/" and ".."; confirm the
  ### Boost directory layout (or an earlier rewrite) rules out reading
  ### .html files outside /cache/normal via a crafted query string.
  try_files  /cache/normal/$host${uri}_$args.html @drupal;
}
<?php endif; ?>

###
### Send all not cached requests to drupal with clean URLs support.
###
### Detects the Drupal generation from files in the docroot and
### dispatches accordingly:
###   - web.config present -> "Regular"
###   - core/ present      -> "Modern"
### Both go to @modern via the error_page 418 trick (a plain "return"
### cannot jump to a named location); anything else is treated as
### Drupal 6 and rewritten to the legacy ?q= form.
###
### NOTE(review): @modern is only emitted when nginx_config_mode is
### "extended" (see below). In "basic" mode this error_page points at a
### named location that does not exist, which nginx can only detect at
### request time. Confirm basic mode is never used with Drupal 7+.
###
location @drupal {
  set $core_detected "Legacy";
  ###
  ### For Drupal >= 7
  ###
  if ( -e $document_root/web.config ) {
    set $core_detected "Regular";
  }
  if ( -e $document_root/core ) {
    set $core_detected "Modern";
  }
  error_page 418 = @modern;
  if ( $core_detected ~ (?:Regular|Modern) ) {
    return 418;
  }
  ###
  ### For Drupal 6
  ###
  rewrite ^/(.*)$ /index.php?q=$1 last;
}

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Special location for Drupal 7+: try the URI as a static file first,
### otherwise hand it to the front controller with the original query
### string intact.
###
location @modern {
  try_files  $uri  /index.php?$query_string;
}

###
### Send all non-static requests to php-fpm, restricted to known php file.
###
### Exact-match location for the front controller. Everything that
### @drupal / @modern / @cache could not serve statically ends up here.
###
location = /index.php {
<?php if ($satellite_mode == 'boa'): ?>
  limit_conn    limreq 88;
  ### Diagnostic headers exposed to every client (device class and the
  ### GeoIP lookup of the client address).
  add_header X-Device "$device";
  add_header X-GeoIP-Country-Code "$geoip_country_code";
  add_header X-GeoIP-Country-Name "$geoip_country_name";
<?php endif; ?>
<?php if ($nginx_config_mode == 'extended'): ?>
  ### This inner guard is always true: the enclosing block is itself only
  ### emitted in extended mode (harmless, kept as is).
  ### NOTE(review): these headers disclose cache internals to the client,
  ### including the cache key and the $cache_uid value derived from the
  ### user's cookie; consider dropping them outside of debugging.
  add_header X-Core-Variant "$core_detected";
  add_header X-Speed-Cache "$upstream_cache_status";
  add_header X-Speed-Cache-UID "$cache_uid";
  add_header X-Speed-Cache-Key "$key_uri";
  add_header X-NoCache "$nocache_details";
  add_header X-This-Proto "$http_x_forwarded_proto";
  add_header X-Server-Name "$main_site_name";
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
<?php endif; ?>
  add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
  tcp_nopush    off;
  keepalive_requests 0;
  try_files     $uri =404; ### check for existence of php file first
<?php if ($satellite_mode == 'boa'): ?>
  fastcgi_pass  unix:/var/run/$user_socket.fpm.socket;
<?php elseif ($phpfpm_mode == 'port'): ?>
  fastcgi_pass  127.0.0.1:9000;
<?php else: ?>
  fastcgi_pass  unix:<?php print $phpfpm_socket_path; ?>;
<?php endif; ?>
<?php if ($nginx_has_upload_progress): ?>
  track_uploads uploads 60s; ### required for upload progress
<?php endif; ?>
  ###
  ### Use Nginx cache for all visitors.
  ###
  ### $nocache is derived from the reason recorded by @cache and by the
  ### never-cached locations above.
  set $nocache "";
  if ( $nocache_details ~ (?:AegirCookie|Args|Skip) ) {
    set $nocache "NoCache";
  }
  fastcgi_cache speed;
  fastcgi_cache_methods GET HEAD; ### Nginx default, but added for clarity
  fastcgi_cache_min_uses 1;
  ### Key: scheme, bot/device class, host, method, $key_uri (presumably a
  ### normalised uri, set elsewhere), user id, forwarded proto and the
  ### respimg cookie. NOTE(review): the per-user split is only as strong
  ### as $cache_uid - if it is a guessable cookie value rather than
  ### session-bound, a forged cookie selects another user's entry. It is
  ### derived outside this template; check there.
  fastcgi_cache_key "$scheme$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg";
  fastcgi_cache_valid 200 3s;
  fastcgi_cache_valid 301 302 403 404 1s;
  fastcgi_cache_valid any 1s;
  ### Only one request populates a missing entry; the others wait for it.
  fastcgi_cache_lock on;
  ### Upstream Cache-Control/Expires/Vary are ignored; X-Accel-Expires is
  ### still honoured, and Set-Cookie is not ignored, so a response that
  ### sets a cookie is never stored (nginx default).
  fastcgi_ignore_headers Cache-Control Expires Vary;
  fastcgi_pass_header Set-Cookie;
  fastcgi_pass_header X-Accel-Expires;
  fastcgi_pass_header X-Accel-Redirect;
  ### Requests with an Authorization header or the NoCacheID cookie
  ### neither read nor populate the cache.
  fastcgi_no_cache $cookie_NoCacheID $http_authorization $nocache;
  fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $nocache;
  fastcgi_cache_use_stale error http_500 http_503 invalid_header timeout updating;
}
<?php endif; ?>

###
### Send other known php requests/files to php-fpm without any caching.
###
### The allow-list depends on the mode:
###  - extended: only boost_stats.php, rtoc.php and js.php (optionally
###    below /core/); index.php has its own location above and
###    update/authorize are gated separately below.
###  - basic: index, cron, boost_stats, update, authorize and xmlrpc.
###    NOTE(review): in basic mode update.php, authorize.php and xmlrpc.php
###    are reachable by anyone (Drupal's own access settings are then the
###    only guard), and xmlrpc.php is a common brute-force/pingback target.
###
<?php if ($nginx_config_mode == 'extended'): ?>
location ~* ^/(?:core/)?(?:boost_stats|rtoc|js)\.php$ {
<?php else: ?>
location ~* ^/(?:index|cron|boost_stats|update|authorize|xmlrpc)\.php$ {
<?php endif; ?>
<?php if ($satellite_mode == 'boa'): ?>
  limit_conn   limreq 88;
  ### Crawlers get a 404 here (elsewhere in this file they get 403).
  if ( $is_bot ) {
    return 404;
  }
<?php endif; ?>
  tcp_nopush   off;
  keepalive_requests 0;
  access_log   off;
  try_files    $uri =404; ### check for existence of php file first
<?php if ($satellite_mode == 'boa'): ?>
  fastcgi_pass unix:/var/run/$user_socket.fpm.socket;
<?php elseif ($phpfpm_mode == 'port'): ?>
  fastcgi_pass 127.0.0.1:9000;
<?php else: ?>
  fastcgi_pass unix:<?php print $phpfpm_socket_path; ?>;
<?php endif; ?>
}

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Allow access to /authorize.php and /update.php only for logged in admin user.
###
### What this actually enforces: the request is forwarded to @allowupdate
### only when $cache_uid is non-empty; everyone else gets 404, which also
### hides the scripts' existence. $cache_uid is set outside this template,
### presumably from a Drupal session cookie, so this separates "has a
### session cookie" from "anonymous" - it does not verify that the session
### is valid or that the user is an administrator. Drupal's own access
### checks for update.php/authorize.php remain the real gate.
###
location ~* ^/(?:core/)?(?:authorize|update)\.php$ {
  ### 418 is only a vehicle for the jump into the named location.
  error_page 418 = @allowupdate;
  if ( $cache_uid ) {
    return 418;
  }
  return 404;
}

###
### Internal location for /authorize.php and /update.php restricted access.
###
### Reached only via the error_page 418 jump above.
### NOTE(review): limit_conn limreq is unconditional here, whereas every
### other use in this file is guarded by satellite_mode == 'boa'; if the
### limreq zone is not defined on non-BOA servers, nginx will refuse the
### configuration.
###
location @allowupdate {
  limit_conn   limreq 88;
  tcp_nopush   off;
  keepalive_requests 0;
  access_log   off;
  try_files    $uri =404; ### check for existence of php file first
<?php if ($satellite_mode == 'boa'): ?>
  fastcgi_pass unix:/var/run/$user_socket.fpm.socket;
<?php elseif ($phpfpm_mode == 'port'): ?>
  fastcgi_pass 127.0.0.1:9000;
<?php else: ?>
  fastcgi_pass unix:<?php print $phpfpm_socket_path; ?>;
<?php endif; ?>
}
<?php endif; ?>

###
### Default-deny for PHP: any *.php not claimed by an earlier location is
### answered with 404 instead of being executed. Regex locations are
### matched in order, so this must remain the last php rule in the file.
###
location ~* ^.+\.php$ {
  return 404;
}

#######################################################
<?php if ($nginx_config_mode == 'extended'): ?>
###  nginx.conf site level extended vhost include end
<?php else: ?>
###  nginx.conf site level basic vhost include end
<?php endif; ?>
#######################################################