<?php
// Each setting is read from the drush command line first; when that option is
// missing or empty, the matching property of the $server record is used
// instead (an empty/false server value leaves the drush value untouched).
$nginx_config_mode = drush_get_option('nginx_config_mode');
if (!$nginx_config_mode) {
  $nginx_config_mode = $server->nginx_config_mode ?: $nginx_config_mode;
}

$phpfpm_mode = drush_get_option('phpfpm_mode');
if (!$phpfpm_mode) {
  $phpfpm_mode = $server->phpfpm_mode ?: $phpfpm_mode;
}

$nginx_is_modern = drush_get_option('nginx_is_modern');
if (!$nginx_is_modern) {
  $nginx_is_modern = $server->nginx_is_modern ?: $nginx_is_modern;
}

$nginx_has_http2 = drush_get_option('nginx_has_http2');
if (!$nginx_has_http2) {
  $nginx_has_http2 = $server->nginx_has_http2 ?: $nginx_has_http2;
}

$nginx_has_upload_progress = drush_get_option('nginx_has_upload_progress');
if (!$nginx_has_upload_progress) {
  $nginx_has_upload_progress = $server->nginx_has_upload_progress ?: $nginx_has_upload_progress;
}

$satellite_mode = drush_get_option('satellite_mode');
if (!$satellite_mode) {
  $satellite_mode = $server->satellite_mode ?: $satellite_mode;
}
31
?>
#######################################################
<?php if ($nginx_config_mode == 'extended'): ?>
###  nginx.conf site level extended vhost include start
<?php else: ?>
###  nginx.conf site level basic vhost include start
<?php endif; ?>
#######################################################

###
### Use the main site name if available, instead of
### potentially virtual server_name when alias is set
### as redirection target. See #2358977 for details.
###
if ($main_site_name = '') {
  set $main_site_name "$server_name";
}

<?php if ($nginx_config_mode == 'extended'): ?>
set $nocache_details "Cache";

<?php if ($satellite_mode == 'boa'): ?>
###
### Deny crawlers.
###
if ($is_crawler) {
  return 403;
}

###
### Block semalt botnet.
###
if ($is_botnet) {
  return 403;
}

###
### Include high load protection config if exists.
###
include /data/conf/nginx_high_load.c*;
<?php endif; ?>

###
### Deny not compatible request methods without 405 response.
###
if ( $request_method !~ ^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
  return 403;
}

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Deny listed requests for security reasons.
###
if ($is_denied) {
  return 403;
}

###
### Support for letsencrypt.org per https://tools.ietf.org/html/rfc5785.
###
location ^~ /.well-known/acme-challenge/ {
  try_files $uri 404;
}
<?php endif; ?>

<?php if ($satellite_mode == 'boa'): ?>
###
### Force clean URLs for Drupal 8.
###
rewrite ^/index.php/(.*)$ $scheme://$host/$1 permanent;

###
### Include high level local configuration override if exists.
###
include /data/disk/EDIT_USER/config/server_master/nginx/post.d/nginx_force_include*;

###
### Include PHP-FPM version override logic if exists.
###
include /data/disk/EDIT_USER/config/server_master/nginx/post.d/fpm_include*;

###
### Allow to use non-default PHP-FPM version for the site
### listed in the special include file.
###
if ($user_socket = '') {
  set $user_socket "EDIT_USER";
}
<?php endif; ?>

###
### HTTPRL standard support.
###
location ^~ /httprl_async_function_callback {
  location ~* ^/httprl_async_function_callback {
    access_log off;
    add_header X-Header "HTTPRL 2.0";
    set $nocache_details "Skip";
    try_files  $uri @nobots;
  }
}

###
### HTTPRL test mode support.
###
location ^~ /admin/httprl-test {
  location ~* ^/admin/httprl-test {
    access_log off;
    add_header X-Header "HTTPRL 2.1";
    set $nocache_details "Skip";
    try_files  $uri @nobots;
  }
}

###
### CDN Far Future expiration support.
###
location ^~ /cdn/farfuture/ {
  tcp_nodelay   off;
  access_log    off;
  log_not_found off;
  etag          off;
  gzip_http_version 1.0;
  if_modified_since exact;
  set $nocache_details "Skip";
  location ~* ^/cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff|eot|less)$ {
    expires max;
    add_header Access-Control-Allow-Origin *;
    add_header X-Header "CDN Far Future Generator 1.0";
    add_header Cache-Control "no-transform, public";
    add_header Last-Modified "Wed, 20 Jan 1988 04:20:42 GMT";
    rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
    try_files $uri @nobots;
  }
  location ~* ^/cdn/farfuture/ {
    expires epoch;
    add_header Access-Control-Allow-Origin *;
    add_header X-Header "CDN Far Future Generator 1.1";
    add_header Cache-Control "private, must-revalidate, proxy-revalidate";
    rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
    try_files $uri @nobots;
  }
  try_files $uri @nobots;
}
<?php endif; ?>

###
### If favicon else return error 204.
###
location = /favicon.ico {
  access_log    off;
  log_not_found off;
  expires       30d;
  add_header Access-Control-Allow-Origin *;
  try_files     /sites/$main_site_name/files/favicon.ico $uri =204;
}

###
### Support for https://drupal.org/project/robotstxt module
### and static file in the sites/domain/files directory.
###
location = /robots.txt {
  access_log    off;
  log_not_found off;
<?php if ($nginx_config_mode == 'extended'): ?>
  try_files /sites/$main_site_name/files/$host.robots.txt /sites/$main_site_name/files/robots.txt $uri @cache;
<?php else: ?>
  try_files /sites/$main_site_name/files/$host.robots.txt /sites/$main_site_name/files/robots.txt $uri @drupal;
<?php endif; ?>
}

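<?php if ($satellite_mode == 'boa'): ?>
###
### Allow local access to the FPM status page.
###
location = /fpm-status {
  access_log   off;
  # Only the IPv4 loopback is allowed; a client arriving over ::1 is denied.
  allow        127.0.0.1;
  deny         all;
  # This section is rendered only when $satellite_mode is 'boa', so the
  # per-user socket is the only backend that can apply; no phpfpm_mode
  # branch is needed here.
  fastcgi_pass unix:/var/run/$user_socket.fpm.socket;
}

###
### Allow local access to the FPM ping URI.
###
location = /fpm-ping {
  access_log   off;
  # Same loopback-only access as /fpm-status.
  allow        127.0.0.1;
  deny         all;
  fastcgi_pass unix:/var/run/$user_socket.fpm.socket;
}
<?php endif; ?>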

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Allow local access to support wget method in Aegir settings
### for running sites cron.
###
location = /cron.php {
  tcp_nopush   off;
  keepalive_requests 0;
<?php if ($satellite_mode == 'boa'): ?>
  allow        127.0.0.1;
  deny         all;
<?php endif; ?>
  try_files    $uri =404;
<?php if ($satellite_mode == 'boa'): ?>
  fastcgi_pass unix:/var/run/$user_socket.fpm.socket;
<?php elseif ($phpfpm_mode == 'port'): ?>
  fastcgi_pass 127.0.0.1:9000;
<?php else: ?>
  fastcgi_pass unix:/var/run/php5-fpm.sock;
<?php endif; ?>
}

###
### Allow local access to support wget method in Aegir settings
### for running sites cron in Drupal 8.
###
location ^~ /cron/ {
<?php if ($satellite_mode == 'boa'): ?>
  allow        127.0.0.1;
  deny         all;
<?php endif; ?>
<?php if ($nginx_config_mode == 'extended'): ?>
  set $nocache_details "Skip";
<?php endif; ?>
  try_files    $uri @drupal;
}

###
### Send search to php-fpm early so searching for node.js will work.
### Deny bots on search uri.
###
location ^~ /search {
  location ~* ^/search {
    if ($is_bot) {
      return 403;
    }
    try_files $uri @cache;
  }
}

###
### Support for https://drupal.org/project/js module.
###
location ^~ /js/ {
  location ~* ^/js/ {
    if ($is_bot) {
      return 403;
    }
    rewrite ^/(.*)$ /js.php?q=$1 last;
  }
}

<?php if ($nginx_has_upload_progress): ?>
###
### Upload progress support.
### https://drupal.org/project/filefield_nginx_progress
### http://github.com/masterzen/nginx-upload-progress-module
###
location ~ (?<upload_form_uri>.*)/x-progress-id:(?<upload_id>\d*) {
  access_log off;
  rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id;
}
location ^~ /progress {
  access_log off;
  upload_progress_json_output;
  report_uploads uploads;
}
<?php endif; ?>

<?php if ($satellite_mode == 'boa'): ?>
###
### Deny access to Hostmaster web/db server node.
### It is still possible to edit or break web/db server
### node at /node/2/edit, if you know what you are doing.
###
location ^~ /hosting/c/server_master {
  # Requests with an empty $cache_uid and bots get 403; anything else is
  # redirected to the sites listing below.
  if ($cache_uid = '') {
    return 403;
  }
  if ($is_bot) {
    return 403;
  }
  access_log off;
  # NOTE(review): $host is taken from the request (request line or Host
  # header); if this vhost can also answer as the default server, the
  # redirect target follows whatever host the client sent. Confirm that
  # server_name is strict for this vhost.
  return 301 $scheme://$host/hosting/sites;
}

###
### Deny access to Hostmaster db server node.
### It is still possible to edit or break db server
### node at /node/4/edit, if you know what you are doing.
###
location ^~ /hosting/c/server_localhost {
  if ($cache_uid = '') {
    return 403;
  }
  if ($is_bot) {
    return 403;
  }
  access_log off;
  # Same $host caveat as /hosting/c/server_master above.
  return 301 $scheme://$host/hosting/sites;
}
<?php endif; ?>

###
### Fix for #2005116
###
location ^~ /hosting/sites {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}

###
### Fix for Aegir & .info .pl domain extensions.
###
location ^~ /hosting {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @cache;
}

<?php if ($satellite_mode == 'boa'): ?>
###
### Deny cache details display.
###
location ^~ /admin/settings/performance/cache-backend {
  access_log off;
  return 301 $scheme://$host/admin/settings/performance;
}

###
### Deny cache details display.
###
location ^~ /admin/config/development/performance/redis {
  access_log off;
  return 301 $scheme://$host/admin/config/development/performance;
}
<?php endif; ?>

###
### Support for backup_migrate module download/restore/delete actions.
###
location ^~ /admin {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}

###
### Avoid caching /civicrm* and protect it from bots.
###
location ^~ /civicrm {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}

###
### Support for audio module.
###
location ^~ /audio/download {
  location ~* ^/audio/download/.*/.*\.(?:mp3|mp4|m4a|ogg)$ {
    if ($is_bot) {
      return 403;
    }
    tcp_nopush off;
    access_log off;
    set $nocache_details "Skip";
    try_files $uri @drupal;
  }
}
<?php endif; ?>

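###
### Deny listed requests for security reasons.
###
### The last alternative covers editor/backup copies of .php files
### (foo.php~, foo.php.swp, foo.php.bak, foo.php.orig, foo.php.save).
### Such names do not end in .php, so without this rule they fall
### through to the static-file locations further down and could be
### served as plain files. The pattern previously read `\.orig\.save`
### (a single literal suffix) instead of `\.orig|\.save`, which left
### .php.orig and .php.save unmatched; the alternation now mirrors the
### suffix group used for the other extensions above.
###
### NOTE(review): the `^(\..*|Entries.*|...)$` alternative is anchored
### to the start of the URI, which always begins with `/`, so it appears
### unreachable here - confirm whether it was carried over from a rule
### that matched file names rather than URIs.
###
location ~* (\.(?:git|htaccess|engine|config|inc|ini|info|install|make|module|profile|test|pl|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save))$ {
  access_log off;
  return 404;
}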

###
### Deny listed requests for security reasons.
###
location ~* /(?:modules|themes|libraries)/.*\.(?:txt|md)$ {
  access_log off;
  return 404;
}

###
### Deny listed requests for security reasons.
###
location ~* ^/sites/.*/files/civicrm/(?:ConfigAndLog|upload|templates_c) {
  access_log off;
  return 404;
}

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Deny some not supported URI like cgi-bin on the Nginx level.
###
location ~* (?:cgi-bin|vti-bin) {
  access_log off;
  return 404;
}

###
### Deny bots on some weak modules uri.
###
location ~* (?:validation|aggregator|vote_up_down|captcha|vbulletin|glossary/) {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  try_files $uri @cache;
}

###
### Responsive Images support.
### https://drupal.org/project/responsive_images
###
location ~* \.r\.(?:jpe?g|png|gif) {
  if ( $http_cookie ~* "rwdimgsize=large" ) {
    rewrite ^/(.*)/mobile/(.*)\.r(\.(?:jpe?g|png|gif))$ /$1/desktop/$2$3 last;
  }
  rewrite ^/(.*)\.r(\.(?:jpe?g|png|gif))$ /$1$2 last;
  access_log off;
  add_header X-Header "RI Generator 1.0";
  set $nocache_details "Skip";
  try_files  $uri @drupal;
}

###
### Adaptive Image Styles support.
### https://drupal.org/project/ais
###
location ~* /(?:.+)/files/styles/adaptive/(?:.+)$ {
  if ( $http_cookie ~* "ais=(?<ais_cookie>[a-z0-9-_]+)" ) {
    rewrite ^/(.+)/files/styles/adaptive/(.+)$ /$1/files/styles/$ais_cookie/$2 last;
  }
  access_log off;
  add_header Access-Control-Allow-Origin *;
  add_header X-Header "AIS Generator 1.0";
  set $nocache_details "Skip";
  try_files  $uri @drupal;
}
<?php endif; ?>

###
### The files/styles support.
###
location ~* /sites/.*/files/styles/(.*)$ {
  access_log off;
  log_not_found off;
  expires    30d;
  add_header Access-Control-Allow-Origin *;
<?php if ($nginx_config_mode == 'extended'): ?>
  set $nocache_details "Skip";
<?php endif; ?>
  try_files  /sites/$main_site_name/files/styles/$1 $uri @drupal;
}

###
### The s3/files/styles (s3fs) support.
###
location ~* /s3/files/styles/(.*)$ {
  access_log off;
  log_not_found off;
  expires    30d;
  add_header Access-Control-Allow-Origin *;
<?php if ($nginx_config_mode == 'extended'): ?>
  set $nocache_details "Skip";
<?php endif; ?>
  try_files  /sites/$main_site_name/files/styles/$1 $uri @drupal;
}

###
### The files/imagecache support.
###
location ~* /sites/.*/files/imagecache/(.*)$ {
  access_log off;
  log_not_found off;
  expires    30d;
  add_header Access-Control-Allow-Origin *;
<?php if ($nginx_config_mode == 'extended'): ?>
  # fix common problems with old paths after import from standalone to Aegir multisite
  rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$main_site_name/files/imagecache/$2/$3 last;
  rewrite ^/sites/(.*)/files/imagecache/(.*)/files/(.*)$               /sites/$main_site_name/files/imagecache/$2/$3 last;
  set $nocache_details "Skip";
<?php endif; ?>
  try_files  /sites/$main_site_name/files/imagecache/$1 $uri @drupal;
}

###
### Send requests with /external/ and /system/ URI keywords to @drupal.
###
location ~* /(?:external|system)/ {
  access_log off;
  log_not_found off;
  expires    30d;
<?php if ($nginx_config_mode == 'extended'): ?>
  set $nocache_details "Skip";
<?php endif; ?>
  try_files  $uri @drupal;
}

###
### Deny direct access to backups.
###
location ~* ^/sites/.*/files/backup_migrate/ {
  access_log off;
  deny all;
}

###
### Deny direct access to config files in Drupal 8.
###
location ~* ^/sites/.*/files/config_.* {
  access_log off;
  deny all;
}

<?php if ($satellite_mode == 'boa'): ?>
###
### Include local configuration override if exists.
###
include /data/disk/EDIT_USER/config/server_master/nginx/post.d/nginx_vhost_include*;
<?php endif; ?>

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Private downloads are always sent to the drupal backend.
### Note: this location doesn't work with X-Accel-Redirect.
###
location ~* ^/sites/.*/files/private/ {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  rewrite    ^/sites/.*/files/private/(.*)$ $scheme://$host/system/files/private/$1 permanent;
  add_header X-Header "Private Generator 1.0a";
  set $nocache_details "Skip";
  try_files  $uri @drupal;
}
<?php endif; ?>

###
### Deny direct access to private downloads in sites/domain/private.
### Note: this location works with X-Accel-Redirect.
###
location ~* ^/sites/.*/private/ {
  internal;
<?php if ($nginx_config_mode == 'extended'): ?>
  if ($is_bot) {
    return 403;
  }
<?php endif; ?>
  access_log off;
}

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Deny direct access to private downloads also for short, rewritten URLs.
### Note: this location works with X-Accel-Redirect.
###
location ~* /files/private/ {
  internal;
  if ($is_bot) {
    return 403;
  }
  access_log off;
}

###
### Wysiwyg Fields support.
###
location ~* wysiwyg_fields/(?:plugins|scripts)/.*\.(?:js|css) {
  access_log off;
  log_not_found off;
  try_files $uri @nobots;
}

###
### Advagg_css and Advagg_js support.
###
location ~* files/advagg_(?:css|js)/ {
  expires    max;
  access_log off;
<?php if ($nginx_is_modern): ?>
  etag       off;
<?php else: ?>
  add_header ETag "";
<?php endif; ?>
  rewrite    ^/files/advagg_(.*)/(.*)$ /sites/$main_site_name/files/advagg_$1/$2 last;
  add_header Cache-Control "max-age=31449600, no-transform, public";
  add_header Access-Control-Allow-Origin *;
  add_header X-Header "AdvAgg Generator 2.0";
  set $nocache_details "Skip";
  try_files  $uri @nobots;
}

###
### Make css files compatible with boost caching.
###
location ~* \.css$ {
  if ( $request_method = POST ) {
    return 405;
  }
  if ( $cache_uid ) {
    return 405;
  }
  error_page  405 = @uncached;
  access_log  off;
  tcp_nodelay off;
  expires     max; #if using aggregator
  add_header  X-Header "Boost Citrus 2.1";
  try_files   /cache/perm/$host${uri}_.css $uri =404;
}

###
### Make js files compatible with boost caching.
###
location ~* \.(?:js|htc)$ {
  if ( $request_method = POST ) {
    return 405;
  }
  if ( $cache_uid ) {
    return 405;
  }
  error_page  405 = @uncached;
  access_log  off;
  tcp_nodelay off;
  expires     max; # if using aggregator
  add_header  X-Header "Boost Citrus 2.2";
  try_files   /cache/perm/$host${uri}_.js $uri =404;
}

###
### Support for static .json files with fast 404 +Boost compatibility.
###
location ~* ^/sites/.*/files/.*\.json$ {
  if ( $cache_uid ) {
    return 405;
  }
  error_page  405 = @uncached;
  access_log  off;
  tcp_nodelay off;
  expires     max; ### if using aggregator
  add_header  X-Header "Boost Citrus 2.3";
  add_header  Access-Control-Allow-Origin *;
  try_files   /cache/normal/$host${uri}_.json $uri =404;
}

###
### Support for dynamic .json requests.
###
location ~* \.json$ {
  try_files $uri @cache;
}

###
### Helper location to bypass boost static files cache for logged in users.
###
location @uncached {
  access_log off;
  expires max; # max if using aggregator, otherwise sane expire time
}
<?php endif; ?>

###
### Map /files/ shortcut early to avoid overrides in other locations.
###
location ^~ /files/ {

  ###
  ### Sub-location to support files/styles with short URIs.
  ###
  location ~* /files/styles/(.*)$ {
    access_log off;
    log_not_found off;
    expires    30d;
    add_header Access-Control-Allow-Origin *;
<?php if ($nginx_config_mode == 'extended'): ?>
    set $nocache_details "Skip";
<?php endif; ?>
    rewrite  ^/files/(.*)$  /sites/$main_site_name/files/$1 last;
    try_files  /sites/$main_site_name/files/styles/$1 $uri @drupal;
  }

  ###
  ### Sub-location to support files/imagecache with short URIs.
  ###
  location ~* /files/imagecache/(.*)$ {
    access_log off;
    log_not_found off;
    expires    30d;
    add_header Access-Control-Allow-Origin *;
<?php if ($nginx_config_mode == 'extended'): ?>
    # fix common problems with old paths after import from standalone to Aegir multisite
    rewrite ^/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$main_site_name/files/imagecache/$1/$2 last;
    rewrite ^/files/imagecache/(.*)/files/(.*)$               /sites/$main_site_name/files/imagecache/$1/$2 last;
    set $nocache_details "Skip";
<?php endif; ?>
    rewrite  ^/files/(.*)$  /sites/$main_site_name/files/$1 last;
    try_files  /sites/$main_site_name/files/imagecache/$1 $uri @drupal;
  }

  location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ {
    expires       30d;
    tcp_nodelay   off;
    access_log    off;
    log_not_found off;
    add_header  Access-Control-Allow-Origin *;
    rewrite  ^/files/(.*)$  /sites/$main_site_name/files/$1 last;
    try_files   $uri =404;
  }
<?php if ($nginx_config_mode == 'extended'): ?>
  try_files $uri @cache;
<?php else: ?>
  try_files $uri @drupal;
<?php endif; ?>
}

###
### Map /downloads/ shortcut early to avoid overrides in other locations.
###
location ^~ /downloads/ {
  location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ {
    expires       30d;
    tcp_nodelay   off;
    access_log    off;
    log_not_found off;
    add_header  Access-Control-Allow-Origin *;
    rewrite  ^/downloads/(.*)$  /sites/$main_site_name/files/downloads/$1 last;
    try_files   $uri =404;
  }
<?php if ($nginx_config_mode == 'extended'): ?>
  try_files $uri @cache;
<?php else: ?>
  try_files $uri @drupal;
<?php endif; ?>
}

###
### Serve & no-log static files & images directly,
### without all standard drupal rewrites, php-fpm etc.
###
location ~* ^.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|mp3|wav|midi)$ {
  expires       30d;
  tcp_nodelay   off;
  access_log    off;
  log_not_found off;
  add_header  Access-Control-Allow-Origin *;
  rewrite     ^/images/(.*)$  /sites/$main_site_name/files/images/$1 last;
  rewrite     ^/.+/sites/.+/files/(.*)$  /sites/$main_site_name/files/$1 last;
  try_files   $uri =404;
}

###
### Serve & log bigger media/static/archive files directly,
### without all standard drupal rewrites, php-fpm etc.
###
location ~* ^.+\.(?:avi|mpe?g|mov|wmv|ogg|ogv|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ {
  expires     30d;
  tcp_nodelay off;
  tcp_nopush  off;
  add_header  Access-Control-Allow-Origin *;
  rewrite     ^/.+/sites/.+/files/(.*)$  /sites/$main_site_name/files/$1 last;
  try_files   $uri =404;
}

###
### Serve & no-log some static files directly,
### but only from the files directory to not break
### dynamically created pdf files or redirects for
### legacy URLs with asp/aspx extension.
###
location ~* ^/sites/.+/files/.+\.(?:pdf|aspx?)$ {
  expires       30d;
  tcp_nodelay   off;
  access_log    off;
  log_not_found off;
  add_header  Access-Control-Allow-Origin *;
  try_files   $uri =404;
}

<?php if ($satellite_mode == 'boa'): ?>
###
### Pseudo-streaming server-side support for Flash Video (FLV) files.
###
location ~* ^.+\.flv$ {
  flv;
  add_header Access-Control-Allow-Origin *;
  tcp_nodelay off;
  tcp_nopush off;
  expires 30d;
  try_files $uri =404;
}

###
### Pseudo-streaming server-side support for H.264/AAC files.
###
location ~* ^.+\.(?:mp4|m4a)$ {
  mp4;
  add_header Access-Control-Allow-Origin *;
  mp4_buffer_size 1m;
  mp4_max_buffer_size 5m;
  tcp_nodelay off;
  tcp_nopush off;
  expires 30d;
  try_files $uri =404;
}
<?php endif; ?>

###
### Serve & no-log some static files as is, without forcing default_type.
###
location ~* /(?:cross-?domain)\.xml$ {
  access_log  off;
  tcp_nodelay off;
  expires     30d;
  add_header  X-Header "XML Generator 1.0";
  try_files   $uri =404;
}

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Allow some known php files (like serve.php in the ad module).
###
location ~* /(?:modules|libraries)/(?:contrib/)?(?:ad|tinybrowser|f?ckeditor|tinymce|wysiwyg_spellcheck|ecc|civicrm|fbconnect|radioactivity)/.*\.php$ {
<?php if ($satellite_mode == 'boa'): ?>
  limit_conn   limreq 88;
<?php endif; ?>
  tcp_nopush   off;
  keepalive_requests 0;
  access_log   off;
  # Every .php file below the listed module/library directories is handed
  # to PHP-FPM and executed directly; the only gate is the bot check.
  # Keep this list limited to what the deployed modules actually need.
  if ($is_bot) {
    return 403;
  }
  try_files    $uri =404;
<?php if ($satellite_mode == 'boa'): ?>
  fastcgi_pass unix:/var/run/$user_socket.fpm.socket;
<?php elseif ($phpfpm_mode == 'port'): ?>
  fastcgi_pass 127.0.0.1:9000;
<?php else: ?>
  fastcgi_pass unix:/var/run/php5-fpm.sock;
<?php endif; ?>
}

###
### Deny crawlers and never cache known AJAX requests.
###
location ~* /(?:ahah|ajax|batch|autocomplete|done|progress/|x-progress-id|js/.*) {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  log_not_found off;
<?php if ($nginx_config_mode == 'extended'): ?>
  set $nocache_details "Skip";
  try_files $uri @nobots;
<?php else: ?>
  try_files $uri @drupal;
<?php endif; ?>
}

###
### Serve & no-log static helper files used in some wysiwyg editors.
###
location ~* ^/sites/.*/(?:modules|libraries)/(?:contrib/)?(?:tinybrowser|f?ckeditor|tinymce|flowplayer|jwplayer|videomanager)/.*\.(?:html?|xml)$ {
  if ($is_bot) {
    return 403;
  }
  access_log      off;
  tcp_nodelay     off;
  expires         30d;
  try_files $uri =404;
}

###
### Serve & no-log any not specified above static files directly.
###
location ~* ^/sites/.*/files/ {
  access_log      off;
  tcp_nodelay     off;
  expires         30d;
  add_header Access-Control-Allow-Origin *;
  try_files $uri =404;
}

###
### Make feeds compatible with boost caching and set correct mime type.
###
location ~* \.xml$ {
  location ~* ^/autodiscover/autodiscover\.xml {
    access_log off;
    return 400;
  }
  if ( $request_method = POST ) {
    return 405;
  }
  if ( $cache_uid ) {
    return 405;
  }
  error_page 405 = @drupal;
  access_log off;
  add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
  add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
  add_header X-Header "Boost Citrus 2.4";
  charset    utf-8;
  types { }
  default_type text/xml;
  try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html $uri @drupal;
}

###
### Deny bots on never cached uri.
###
location ~* ^/(?:.*/)?(?:admin|user|cart|checkout|logout|comment/reply) {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}

###
### Protect from DoS attempts on never cached uri.
###
location ~* ^/(?:.*/)?(?:node/[0-9]+/edit|node/add) {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}

###
### Protect from DoS attempts on never cached uri.
###
location ~* ^/(?:.*/)?(?:node/[0-9]+/delete|approve) {
  if ($cache_uid = '') {
    return 403;
  }
  if ($is_bot) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}

<?php if ($satellite_mode == 'boa'): ?>
###
### Support for ESI microcaching: http://groups.drupal.org/node/197478.
###
### This may enhance not only anonymous visitors, but also
### logged in users experience, as it allows you to separate
### microcache for ESI/SSI includes (valid for just 5 seconds)
### from both default Speed Booster cache for anonymous visitors
### (valid by default for 10s or 1h, unless purged on demand via
### recently introduced Purge/Expire modules) and also from
### Speed Booster cache per logged in user (valid for 10 seconds).
###
### Now you have three different levels of Speed Booster cache
### to leverage and deliver the 'live content' experience for
### all visitors, and still protect your server from DoS or
### simply high load caused by unexpected high traffic etc.
###
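location ~ ^/(?<esi>esi/.*)"$ {
  # NOTE(review): the pattern ends with a literal double quote before `$`,
  # so it only matches URIs whose final character is `"`. Confirm this is
  # intended; otherwise an SSI subrequest for /esi/... never reaches this
  # location.
  ssi on;
  ssi_silent_errors on;
  # Reachable only through internal redirects/subrequests (SSI includes),
  # never by a direct client request.
  internal;
  limit_conn    limreq 88;
  add_header    X-Device "$device";
  add_header    X-Speed-Micro-Cache "$upstream_cache_status";
  add_header    X-Speed-Micro-Cache-Expire "5s";
  add_header    X-NoCache "$nocache_details";
  add_header    X-GeoIP-Country-Code "$geoip_country_code";
  add_header    X-GeoIP-Country-Name "$geoip_country_name";
  add_header    X-This-Proto "$http_x_forwarded_proto";
  add_header    X-Server-Name "$main_site_name";
  add_header    X-Response-Status "$status";
  add_header    Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
  ###
  ### Set correct, local $uri.
  ###
  fastcgi_param QUERY_STRING q=$esi;
  fastcgi_param SCRIPT_FILENAME $document_root/index.php;
  # This location is rendered only inside the $satellite_mode == 'boa'
  # section of the template, so the per-user socket is the only backend
  # that can apply; no phpfpm_mode branch is needed here.
  fastcgi_pass  unix:/var/run/$user_socket.fpm.socket;
  ###
  ### Use Nginx cache for all visitors.
  ###
  set $nocache "";
  if ( $http_cookie ~* "NoCacheID" ) {
    set $nocache "NoCache";
  }
  fastcgi_cache speed;
  fastcgi_cache_methods GET HEAD;
  fastcgi_cache_min_uses 1;
  # $cache_uid (presumably a per-user value) is part of the key, which keeps
  # a cached fragment from being served across users; keep it in the key if
  # it is ever changed, since Set-Cookie is passed through below.
  fastcgi_cache_key "$is_bot$device$host$request_method$uri$is_args$args$cache_uid$http_x_forwarded_proto$status";
  fastcgi_cache_valid 200 301 404 5s;
  fastcgi_cache_valid 302 1m;
  fastcgi_cache_lock on;
  fastcgi_ignore_headers Cache-Control Expires;
  fastcgi_pass_header Set-Cookie;
  fastcgi_pass_header X-Accel-Expires;
  fastcgi_pass_header X-Accel-Redirect;
  fastcgi_no_cache $cookie_NoCacheID $http_authorization $http_pragma $nocache;
  fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $http_pragma $nocache;
  fastcgi_cache_use_stale error http_500 http_503 invalid_header timeout updating;
  tcp_nopush off;
  keepalive_requests 0;
  expires epoch;
}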

###
### Workaround for https://www.drupal.org/node/2599326.
###
### Autocomplete requests skip the cache location entirely: the 405 is
### mapped straight to @drupal below.
if ( $args ~* "/autocomplete/" ) {
  return 405;
}
error_page 405 = @drupal;

###
### Rewrite legacy requests with /index.php to extension-free URL.
###
### 301 redirect of /index.php?q=foo to /?q=foo; the trailing `?` on the
### target stops nginx from appending the original query string again.
if ( $args ~* "^q=(?<query_value>.*)" ) {
  rewrite ^/index.php$ $scheme://$host/?q=$query_value? permanent;
}
<?php endif; ?>
<?php endif; ?>

###
### Catch all unspecified requests.
###
location / {
<?php if ($nginx_config_mode == 'extended'): ?>
<?php if ($satellite_mode == 'boa'): ?>
  ### BOA only: refuse requests whose User-Agent contains "wget".
  if ( $http_user_agent ~* wget ) {
    return 403;
  }
<?php endif; ?>
  ### Extended mode: serve an existing file, otherwise consult the Boost-
  ### style cache first (@cache falls through to @drupal on a miss).
  try_files $uri @cache;
<?php else: ?>
  ### Basic mode: serve an existing file, otherwise go straight to Drupal.
  try_files $uri @drupal;
<?php endif; ?>
}

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Boost compatible cache check.
###
location @cache {
  ### Each check below records why the static cache was skipped in
  ### $nocache_details (surfaced to clients as X-NoCache elsewhere) and
  ### jumps to @drupal through the error_page 405 mapping.
  if ( $request_method = POST ) {
    set $nocache_details "Method";
    return 405;
  }
  if ( $args ~* "nocache=1" ) {
    set $nocache_details "Args";
    return 405;
  }
  if ( $sent_http_x_force_nocache = "YES" ) {
    set $nocache_details "Skip";
    return 405;
  }
  if ( $http_cookie ~* "NoCacheID" ) {
    set $nocache_details "AegirCookie";
    return 405;
  }
  ### $cache_uid is set outside this include; any non-empty value
  ### (presumably a recognised Drupal session) bypasses the static cache so
  ### such visitors are never served a pre-rendered anonymous page.
  if ( $cache_uid ) {
    set $nocache_details "DrupalCookie";
    return 405;
  }
  error_page 405 = @drupal;
  add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
  add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
  ### NOTE(review): this advertises the Boost version string to every
  ### client; decide whether that fingerprint is wanted.
  add_header X-Header "Boost Citrus 1.9";
  charset    utf-8;
  ### Serve the pre-rendered Boost page for this host/uri/args if present,
  ### otherwise hand off to Drupal.
  try_files  /cache/normal/$host${uri}_$args.html @drupal;
}
<?php endif; ?>

###
### Send all non-cached requests to Drupal with clean-URL support.
###
location @drupal {
<?php if ($nginx_config_mode == 'extended'): ?>
  ### Extended mode: any request with a query string is diverted to
  ### @nobots (via 418 -> @nobots) before it reaches index.php.
  error_page 418 = @nobots;
  if ($args) {
    return 418;
  }
<?php endif; ?>
  ### Clean URLs: /foo/bar is rewritten internally to /index.php?q=foo/bar.
  rewrite ^/(.*)$  /index.php?q=$1 last;
}

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Send all known bots to $args-free URLs.
###
location @nobots {
  ### NOTE(review): $request_uri carries the original query string, so this
  ### redirect appears to send bots back to the exact URL they requested,
  ### which does not match the "$args free" intent — confirm whether $uri
  ### was meant here.
  if ($is_bot) {
    return 301 $scheme://$host$request_uri;
  }
  ###
  ### Return 404 on special PHP URLs to avoid revealing version used,
  ### even indirectly. See also: https://drupal.org/node/2116387
  ###
  if ( $args ~* "=PHP[A-Z0-9]{8}-" ) {
    return 404;
  }
  ### Everyone else: clean-URL rewrite to index.php.
  rewrite ^/(.*)$  /index.php?q=$1 last;
}

###
### Send all non-static requests to php-fpm, restricted to the known PHP file.
###
location = /index.php {
<?php if ($satellite_mode == 'boa'): ?>
  ### BOA only: connection cap (limreq zone defined outside this include)
  ### plus device/GeoIP diagnostic headers.
  limit_conn    limreq 88;
  add_header    X-Device "$device";
  add_header    X-GeoIP-Country-Code "$geoip_country_code";
  add_header    X-GeoIP-Country-Name "$geoip_country_name";
<?php endif; ?>
<?php if ($nginx_config_mode == 'extended'): ?>
  ### Extended mode: expose cache status, uid, key and bypass reason to the
  ### client for debugging.
  add_header    X-Speed-Cache "$upstream_cache_status";
  add_header    X-Speed-Cache-UID "$cache_uid";
  add_header    X-Speed-Cache-Key "$key_uri";
  add_header    X-NoCache "$nocache_details";
  add_header    X-This-Proto "$http_x_forwarded_proto";
  add_header    X-Server-Name "$main_site_name";
  add_header    X-Response-Status "$status";
<?php endif; ?>
  ### Clients must not cache; the fastcgi cache below is the only reuse.
  add_header    Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
  tcp_nopush    off;
  keepalive_requests 0;
  try_files     $uri =404; ### check for existence of php file first
<?php if ($satellite_mode == 'boa'): ?>
  ### Per-site PHP-FPM pool socket (BOA).
  fastcgi_pass  unix:/var/run/$user_socket.fpm.socket;
<?php elseif ($phpfpm_mode == 'port'): ?>
  fastcgi_pass  127.0.0.1:9000;
<?php else: ?>
  fastcgi_pass  unix:/var/run/php5-fpm.sock;
<?php endif; ?>
<?php if ($nginx_has_upload_progress): ?>
  track_uploads uploads 60s; ### required for upload progress
<?php endif; ?>
  ###
  ### Use Nginx cache for all visitors.
  ###
  ### $nocache_details is set on the way here (e.g. by @cache in extended
  ### mode). The listed reasons also disable the fastcgi cache; POST is
  ### already excluded by fastcgi_cache_methods and $cache_uid is part of
  ### the cache key below.
  set $nocache "";
  if ( $nocache_details ~ (?:AegirCookie|Args|Skip) ) {
    set $nocache "NoCache";
  }
  fastcgi_cache speed;
  fastcgi_cache_methods GET HEAD; ### Nginx default, but added for clarity
  fastcgi_cache_min_uses 1;
  ### Key separates entries by bot flag, device, host, method, normalised
  ### uri ($key_uri, set elsewhere), uid, protocol hints, respimg cookie and
  ### status so variants never bleed into each other.
  fastcgi_cache_key "$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg$status";
  ### TTLs: 10s for 200, 1m for 302, 5s for 301/403/404, 1s for 5xx.
  fastcgi_cache_valid 200 10s;
  fastcgi_cache_valid 302 1m;
  fastcgi_cache_valid 301 403 404 5s;
  fastcgi_cache_valid 500 502 503 504 1s;
  fastcgi_cache_lock on;
  ### Upstream Cache-Control/Expires do not alter the TTLs above; Set-Cookie
  ### and X-Accel-* headers are still passed through to the client.
  fastcgi_ignore_headers Cache-Control Expires;
  fastcgi_pass_header Set-Cookie;
  fastcgi_pass_header X-Accel-Expires;
  fastcgi_pass_header X-Accel-Redirect;
  ### No store and no cache hit when any of these is non-empty: NoCacheID
  ### cookie, Authorization header, Pragma header, or the $nocache flag.
  fastcgi_no_cache $cookie_NoCacheID $http_authorization $http_pragma $nocache;
  fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $http_pragma $nocache;
  fastcgi_cache_use_stale error http_500 http_503 invalid_header timeout updating;
}
<?php endif; ?>

###
### Send other known PHP requests/files to php-fpm without any caching.
###
<?php if ($nginx_config_mode == 'extended'): ?>
### Extended mode: only boost_stats, rtoc and js.php (optionally under
### /core/) are allowed here; index.php and the authorize/update scripts
### have their own locations. Unless an earlier location outside this
### include matches them, cron.php and xmlrpc.php fall through to the
### catch-all 404 below.
location ~* ^/(?:core/)?(?:boost_stats|rtoc|js)\.php$ {
<?php else: ?>
### Basic mode: the full allow-list of executable Drupal entry points.
location ~* ^/(?:index|cron|boost_stats|update|authorize|xmlrpc)\.php$ {
<?php endif; ?>
<?php if ($satellite_mode == 'boa'): ?>
  limit_conn   limreq 88;
  ### BOA only: known crawlers get a 404 for these scripts.
  if ($is_bot) {
    return 404;
  }
<?php endif; ?>
  tcp_nopush   off;
  keepalive_requests 0;
  access_log   off;
  try_files    $uri =404; ### check for existence of php file first
<?php if ($satellite_mode == 'boa'): ?>
  fastcgi_pass unix:/var/run/$user_socket.fpm.socket;
<?php elseif ($phpfpm_mode == 'port'): ?>
  fastcgi_pass 127.0.0.1:9000;
<?php else: ?>
  fastcgi_pass unix:/var/run/php5-fpm.sock;
<?php endif; ?>
}

<?php if ($nginx_config_mode == 'extended'): ?>
###
### Allow access to /authorize.php and /update.php only for a logged-in admin user.
###
location ~* ^/(?:core/)?(?:authorize|update)\.php$ {
  ### The gate is "non-empty $cache_uid" (set outside this include), i.e. a
  ### recognised Drupal session; nginx does not verify the admin role here,
  ### so the scripts' own access control remains the real check.
  ### Everyone else receives 404 rather than 403, which does not confirm
  ### that the scripts exist.
  error_page 418 = @allowupdate;
  if ( $cache_uid ) {
    return 418;
  }
  return 404;
}

###
### Internal location for /authorize.php and /update.php restricted access.
###
location @allowupdate {
  ### Reached only through the 418 mapping in the authorize/update location;
  ### access logging is off for these requests.
  limit_conn   limreq 88;
  tcp_nopush   off;
  keepalive_requests 0;
  access_log   off;
  try_files    $uri =404; ### check for existence of php file first
<?php if ($satellite_mode == 'boa'): ?>
  ### Per-site PHP-FPM pool socket (BOA).
  fastcgi_pass unix:/var/run/$user_socket.fpm.socket;
<?php elseif ($phpfpm_mode == 'port'): ?>
  fastcgi_pass 127.0.0.1:9000;
<?php else: ?>
  fastcgi_pass unix:/var/run/php5-fpm.sock;
<?php endif; ?>
}
<?php endif; ?>

###
### Deny access to any PHP files not listed above with a 404 error.
###
location ~* ^.+\.php$ {
  ### Default deny: any PHP file not matched by a more specific location
  ### above is answered with 404, so no other script is ever passed to
  ### PHP-FPM and its presence is not confirmed to the client.
  return 404;
}

#######################################################
<?php if ($nginx_config_mode == 'extended'): ?>
###  nginx.conf site level extended vhost include end
<?php else: ?>
###  nginx.conf site level basic vhost include end
<?php endif; ?>
#######################################################