Commit 48c1609c authored by Adrian Rossouw's avatar Adrian Rossouw

Nginx support for redirect #872064

parent 85c5121d
#
# fastcgi_ssl_params.conf for Aegir
#
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE SSLApacheSolaris/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS on;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_index index.php;
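Review bot: `fastcgi_param HTTPS on;` is unconditional, so this file is only safe to include from a server block that actually terminates TLS, and nothing in the header comment says so. If it is ever included from a plain-HTTP vhost, PHP will see `$_SERVER['HTTPS']` set and treat the connection as secure. I would extend the header with `# Include only from SSL server blocks: HTTPS is forced to "on" for PHP.` The `SERVER_SOFTWARE SSLApacheSolaris/$nginx_version` line also deserves a short comment, since it disguises the product name but still passes the real nginx version through to the application.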
...@@ -153,14 +153,17 @@ ...@@ -153,14 +153,17 @@
} }
### ###
### imagecache and (f)ckeditor support ### imagecache, crossdomain file for flash and (f)ckeditor support
### ###
location ~* /(files/imagecache)|(fckeditor)|(ckeditor)/ { location ~* /(files/imagecache)|(fckeditor)|(ckeditor)|(crossdomain)|(cross-domain)/ {
access_log off; access_log off;
expires 30d; expires 30d;
# fix common problems with old paths after import from standalone to Aegir multisite # fix common problems with old paths after import from standalone to Aegir multisite
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)/(.*)/(.*)$ /sites/$1/files/imagecache/$2/$3/$4/$5 last; rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)/(.*)/(.*)$ /sites/$1/files/imagecache/$2/$3/$4/$5 last;
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)/(.*)$ /sites/$1/files/imagecache/$2/$3/$4 last;
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$1/files/imagecache/$2/$3 last;
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/images/(.*)$ /sites/$1/files/imagecache/$2/images/$3 last; rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/images/(.*)$ /sites/$1/files/imagecache/$2/images/$3 last;
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/www\.(.*)/files/(.*)$ /sites/$1/files/imagecache/$2/$4 last;
try_files $uri @drupal; try_files $uri @drupal;
} }
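Review bot: The alternation in the `location ~*` pattern is not grouped, so the leading `/` binds only to `files/imagecache` and the trailing `/` only to `cross-domain`; the new `(crossdomain)` alternative on its own matches any URI that merely contains that substring. That widens a block which turns off access logging and sets `expires 30d`, which is probably broader than intended for a Flash cross-domain policy file. I would group and anchor it, for example `location ~* /(files/imagecache|fckeditor|ckeditor)/|/(crossdomain|cross-domain)\.xml$ {`, adjusting the second half to the policy file names actually served. The three added imagecache rewrites rely on greedy `(.*)` captures, so a comment with one sample old and new path per rule would make them reviewable.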
......
#######################################################
### nginx.conf site standard vhost include start
#######################################################
###
### deny crawlers without 403 response
###
if ($http_user_agent ~* (HTTrack|HTMLParser|libwww) ) {
return 444;
}
###
### deny bots on never cached uri without 403 response
###
location ~* /(user)|(admin) {
if ($http_user_agent ~* (crawl|goog|bot) ) {
return 444;
}
try_files $uri $uri/ @cache;
}
###
### upload progress support
### http://drupal.org/project/filefield_nginx_progress
### http://github.com/masterzen/nginx-upload-progress-module
###
location ~ (.*)/x-progress-id:(\w*) {
rewrite ^(.*)/x-progress-id:(\w*) $1?X-Progress-ID=$2;
}
location ^~ /progress {
report_uploads uploads;
}
###
### catch all unspecified requests
###
location / {
try_files $uri $uri/ @cache;
}
###
### boost compatible cache check - nginx 0.7.27 or newer required with try_files support
###
location @cache {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
}
error_page 405 = @drupal;
add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
add_header X-Header "Boost Citrus 1.9";
charset utf-8;
try_files /cache/normal/$host${uri}_$args.html @drupal;
}
###
### send all not cached requests to drupal with clean URLs support
###
location @drupal {
rewrite ^/(.*)$ /index.php?q=$1 last;
}
###
### deny listed requests for security reasons
###
location ~* (/\..*|settings\.php$|\.(htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(Entries.*|Repository|Root|Tag|Template))$ {
deny all;
}
###
### deny php files here for security reasons (remove 'sites' to allow civicrm install)
###
location ~* /(files|themes|sites)/.*\.php$ {
deny all;
}
###
### deny direct access to backups
###
location ~* ^/sites/(.*)/files/backup_migrate/ {
deny all;
}
###
### send all non-static requests to php-fpm
###
location ~ \.php$ {
try_files $uri @drupal; ### check for existence of php file first
fastcgi_pass 127.0.0.1:9000; ### php-fpm listening on port 9000
fastcgi_index index.php;
track_uploads uploads 60s; ### required for upload progress
}
###
### make css files compatible with boost caching - nginx 0.7.27 or newer required with try_files support
###
location ~ \.css$ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
}
error_page 405 = @uncached;
access_log off;
expires max; #if using aggregator
add_header X-Header "Boost Citrus 2.1";
try_files /cache/perm/$host${uri}_.css $uri =404;
}
###
### make js files compatible with boost caching - nginx 0.7.27 or newer required with try_files support
###
location ~ \.js$ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
}
error_page 405 = @uncached;
access_log off;
expires max; # if using aggregator
add_header X-Header "Boost Citrus 2.2";
try_files /cache/perm/$host${uri}_.js $uri =404;
}
###
### make json compatible with boost caching - nginx 0.7.27 or newer required with try_files support
###
location ~ \.json$ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
}
error_page 405 = @uncached;
access_log off;
expires max; ### if using aggregator
add_header X-Header "Boost Citrus 2.3";
try_files /cache/normal/$host${uri}_.json $uri =404;
}
###
### helper location to bypass boost static files cache for logged in users
###
location @uncached {
access_log off;
expires max; # max if using aggregator, otherwise sane expire time
}
###
### imagecache and (f)ckeditor support
###
location ~* /(files/imagecache)|(fckeditor)|(ckeditor)/ {
access_log off;
expires 30d;
# fix common problems with old paths after import from standalone to Aegir multisite
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)/(.*)/(.*)$ /sites/$1/files/imagecache/$2/$3/$4/$5 last;
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/images/(.*)$ /sites/$1/files/imagecache/$2/images/$3 last;
try_files $uri @drupal;
}
###
### serve & no-log static files & images directly, without all standard drupal rewrites, php-fpm etc.
###
location ~* ^.+\.(jpg|jpeg|gif|png|ico|swf|pdf|doc|xls|tiff|tif|txt|shtml|cgi|bat|pl|dll|asp|exe|class)$ {
access_log off;
expires 30d;
# allow files to be accessed without /sites/fqdn/
rewrite ^/files/(.*)$ /sites/$host/files/$1 last;
try_files $uri =404;
}
###
### serve & log bigger media/static/archive files directly, without all standard drupal rewrites, php-fpm etc.
###
location ~* ^.+\.(avi|mpg|mpeg|mov|wmv|mp3|mp4|m4a|flv|wav|midi|zip|gz|rar)$ {
expires 30d;
# allow files to be accessed without /sites/fqdn/
rewrite ^/files/(.*)$ /sites/$host/files/$1 last;
try_files $uri =404;
}
###
### make feeds compatible with boost caching and set correct mime type - nginx 0.7.27 or newer required with try_files support
###
location ~* \.xml$ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
}
error_page 405 = @drupal;
add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
add_header X-Header "Boost Citrus 2.4";
charset utf-8;
types { }
default_type application/rss+xml;
try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html $uri @drupal;
}
###
### make feeds compatible with Boost caching and set correct mime type - nginx 0.7.27 or newer required with try_files support
###
location ~* /feed$ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
}
if ($http_cookie ~ "DRUPAL_UID") {
return 405;
}
error_page 405 = @drupal;
add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
add_header X-Header "Boost Citrus 2.5";
charset utf-8;
types { }
default_type application/rss+xml;
try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html $uri @drupal;
}
#######################################################
### nginx.conf site standard vhost include end
#######################################################
...@@ -23,10 +23,10 @@ class provisionService_http_nginx extends provisionService_http_public { ...@@ -23,10 +23,10 @@ class provisionService_http_nginx extends provisionService_http_public {
if ($command['command'] == 'provision-save') { if ($command['command'] == 'provision-save') {
// Check if some nginx features are supported and save them for later. // Check if some nginx features are supported and save them for later.
$this->server->shell_exec('nginx -V'); $this->server->shell_exec('/usr/sbin/nginx -V');
$this->server->nginx_has_gzip = preg_match("/(with-http_gzip_static_module)/", implode('', drush_shell_exec_output()), $match); $this->server->nginx_has_gzip = preg_match("/with-http_gzip_static_module/", implode('', drush_shell_exec_output()), $match);
$this->server->nginx_has_upload_progress = preg_match("/(nginx-upload-progress-module)/", implode('', drush_shell_exec_output()), $match); $this->server->nginx_has_upload_progress = preg_match("/nginx-upload-progress-module/", implode('', drush_shell_exec_output()), $match);
$this->server->nginx_has_new_version = preg_match("/(nginx\/0\.8\.)/", implode('', drush_shell_exec_output()), $match); $this->server->nginx_has_new_version = preg_match("/nginx\/0.8./", implode('', drush_shell_exec_output()), $match);
} }
} }
...@@ -37,6 +37,10 @@ class provisionService_http_nginx extends provisionService_http_public { ...@@ -37,6 +37,10 @@ class provisionService_http_nginx extends provisionService_http_public {
$this->sync($this->server->include_path . '/nginx_advanced_include.conf'); $this->sync($this->server->include_path . '/nginx_advanced_include.conf');
provision_file()->copy(dirname(__FILE__) . '/nginx_simple_include.conf', $this->server->include_path . '/nginx_simple_include.conf'); provision_file()->copy(dirname(__FILE__) . '/nginx_simple_include.conf', $this->server->include_path . '/nginx_simple_include.conf');
$this->sync($this->server->include_path . '/nginx_simple_include.conf'); $this->sync($this->server->include_path . '/nginx_simple_include.conf');
provision_file()->copy(dirname(__FILE__) . '/fastcgi_params.conf', $this->server->include_path . '/fastcgi_params.conf');
$this->sync($this->server->include_path . '/fastcgi_params.conf');
provision_file()->copy(dirname(__FILE__) . '/fastcgi_ssl_params.conf', $this->server->include_path . '/fastcgi_ssl_params.conf');
$this->sync($this->server->include_path . '/fastcgi_ssl_params.conf');
} }
// Call the parent at the end. it will restart the server when it finishes. // Call the parent at the end. it will restart the server when it finishes.
parent::verify(); parent::verify();
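Review bot: In the `provision-save` branch the rewritten version probe `"/nginx\/0.8./"` lost the escapes on its dots, so each `.` now matches any character; `"/nginx\/0\.8\./"` keeps the match literal. The outcome of `shell_exec('/usr/sbin/nginx -V')` is not checked in the visible lines, so when the binary is not at that hard-coded path the three `preg_match` calls run against whatever `drush_shell_exec_output()` holds and the features are silently recorded as absent, which later selects the simple include. I would test the call's result and log a warning before probing, and implode the output once into a local variable instead of three times. The enclosing method starts above the hunk.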
......
...@@ -27,13 +27,15 @@ ...@@ -27,13 +27,15 @@
## Size Limits ## Size Limits
client_body_buffer_size 64k; client_body_buffer_size 64k;
client_header_buffer_size 1k; client_header_buffer_size 32k;
client_max_body_size 25m; client_max_body_size 50m;
large_client_header_buffers 4 32k; large_client_header_buffers 32 32k;
connection_pool_size 256; connection_pool_size 256;
request_pool_size 4k; request_pool_size 4k;
server_names_hash_bucket_size 128; server_names_hash_bucket_size 128;
types_hash_max_size 8192;
types_hash_bucket_size 128;
## Timeouts ## Timeouts
client_body_timeout 60; client_body_timeout 60;
client_header_timeout 60; client_header_timeout 60;
...@@ -47,6 +49,10 @@ ...@@ -47,6 +49,10 @@
## TCP options ## TCP options
tcp_nopush on; tcp_nopush on;
## SSL performance
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
## Compression ## Compression
gzip_buffers 16 8k; gzip_buffers 16 8k;
gzip_comp_level 9; gzip_comp_level 9;
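Review bot: `large_client_header_buffers 32 32k` lets a single request claim up to about 1 MB of header buffers, eight times the previous `4 32k`, and `client_header_buffer_size` rises from `1k` to `32k` for every connection; no reason for either is recorded. Larger per-connection buffers raise the memory a client can pin with slow or oversized headers, so the values should be the smallest that fix the request that prompted the change. I would add a comment naming that case (for example long cookie or redirect URLs) and consider a smaller count such as `large_client_header_buffers 8 32k;`. The same applies to `client_max_body_size 50m`, which is worth tying to the largest upload the hosted sites are expected to accept.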
......
server { server {
<?php
print " include " . $server->include_path . "/fastcgi_params.conf;\n";
?>
limit_conn gulag 10; # like mod_evasive - this allows max 10 simultaneous connections from one IP address limit_conn gulag 10; # like mod_evasive - this allows max 10 simultaneous connections from one IP address
listen <?php print $ip_address . ':' . $http_port; ?>; listen <?php print $ip_address . ':' . $http_port; ?>;
server_name <?php print $this->uri; ?><?php if (!$this->redirection && is_array($this->aliases)) : foreach ($this->aliases as $alias_url) : if (trim($alias_url)) : ?> <?php print $alias_url; ?><?php endif; endforeach; endif; ?>; server_name <?php print $this->uri . ' ' . implode(' ', $this->aliases); ?>;
root <?php print $this->root; ?>; root <?php print $this->root; ?>;
index index.php index.html; index index.php index.html;
<?php <?php
if ($this->redirection || $ssl_redirection) {
if ($ssl_redirection && !$this->redirection) {
// redirect aliases in non-ssl to the same alias on ssl.
print "\n rewrite ^/(.*)$ https://\$host/$1 permanent;\n";
}
elseif ($ssl_redirection && $this->redirection) {
// redirect all aliases + main uri to the main https uri.
print "\n rewrite ^/(.*)$ https://{$this->uri}/$1 permanent;\n";
}
elseif (!$ssl_redirection && $this->redirection) {
// Redirect all aliases to the main http url.
print "\n if (\$host !~ ^({$this->uri})$ ) {\n rewrite ^/(.*)$ http://{$this->uri}/$1 permanent;\n }\n";
if ($server->nginx_has_new_version || $server->nginx_has_upload_progress) { if ($server->nginx_has_new_version || $server->nginx_has_upload_progress) {
print ' include ' . $server->include_path . '/nginx_advanced_include.conf'; print " include " . $server->include_path . "/nginx_advanced_include.conf;\n";
} }
else { else {
print ' include ' . $server->include_path . '/nginx_simple_include.conf'; print " include " . $server->include_path . "/nginx_simple_include.conf;\n";
} }
?>; }
} }
else {
<?php if ($server->nginx_has_new_version || $server->nginx_has_upload_progress) {
if ($this->redirection) { print " include " . $server->include_path . "/nginx_advanced_include.conf;\n";
require(dirname(__FILE__) . '/http/nginx/vhost_redirect.tpl.php'); }
else {
print " include " . $server->include_path . "/nginx_simple_include.conf;\n";
}
}
?>
} }
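Review bot: The new `server_name` line calls `implode(' ', $this->aliases)` without the `is_array()` and `trim()` guards the old loop had, so a site whose aliases property is not an array produces a PHP warning and an incomplete directive in the generated vhost. `implode(' ', array_filter(array_map('trim', (array) $this->aliases)))` keeps the one-liner and the earlier behaviour. Alias values and `{$this->uri}` are also written into the configuration verbatim, the latter inside the regex `^({$this->uri})$` where each `.` matches any character; whether these values are validated upstream is not visible here, so I would escape the URI for the regex and reject aliases containing whitespace, `;` or braces before printing them. The `server_name` line in the server block that follows gets the same unguarded `implode`.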
server { server {
listen <?php print $ip_address . ':' . $http_port; ?>; listen <?php print $ip_address . ':' . $http_port; ?>;
server_name <?php print $this->uri; ?><?php if (is_array($this->aliases)) : foreach ($this->aliases as $alias_url) : if (trim($alias_url)) : ?> <?php print $alias_url; ?><?php endif; endforeach; endif; ?>; server_name <?php print $this->uri . ' ' . implode(' ', $this->aliases); ?>;
root <?php print $this->root; ?>; root <?php print $this->root; ?>;
index index.php index.html; index index.php index.html;
location / { location / {
......
server {
listen <?php print $ip_address . ':' . $http_port; ?>;
server_name <?php if ($this->redirection && is_array($this->aliases)) : foreach ($this->aliases as $alias_url) : if (trim($alias_url)) : ?> <?php print $alias_url; ?><?php endif; endforeach; endif; ?>;
root <?php print $this->root; ?>;
index index.php index.html;
location / {
root /var/www/nginx-default;
index index.html index.htm;
<?php if ($ssl_redirect): ?>
rewrite ^/(.*)$ https://<?php print $this->uri ?>/$1 permanent;
<?php else: ?>
rewrite ^/(.*)$ http://<?php print $this->uri ?>/$1 permanent;
<?php endif; ?>
}
}
...@@ -52,6 +52,10 @@ class provisionService_http_nginx_ssl extends provisionService_http_ssl { ...@@ -52,6 +52,10 @@ class provisionService_http_nginx_ssl extends provisionService_http_ssl {
$this->sync($this->server->include_path . '/nginx_advanced_include.conf'); $this->sync($this->server->include_path . '/nginx_advanced_include.conf');
provision_file()->copy(dirname(__FILE__) . '/nginx_simple_include.conf', $this->server->include_path . '/nginx_simple_include.conf'); provision_file()->copy(dirname(__FILE__) . '/nginx_simple_include.conf', $this->server->include_path . '/nginx_simple_include.conf');
$this->sync($this->server->include_path . '/nginx_simple_include.conf'); $this->sync($this->server->include_path . '/nginx_simple_include.conf');
provision_file()->copy(dirname(__FILE__) . '/fastcgi_params.conf', $this->server->include_path . '/fastcgi_params.conf');
$this->sync($this->server->include_path . '/fastcgi_params.conf');
provision_file()->copy(dirname(__FILE__) . '/fastcgi_ssl_params.conf', $this->server->include_path . '/fastcgi_ssl_params.conf');
$this->sync($this->server->include_path . '/fastcgi_ssl_params.conf');
} }
// Call the parent at the end. it will restart the server when it finishes. // Call the parent at the end. it will restart the server when it finishes.
parent::verify(); parent::verify();
......
...@@ -2,49 +2,38 @@ ...@@ -2,49 +2,38 @@
<?php if ($this->ssl_enabled && $this->ssl_key) : ?> <?php if ($this->ssl_enabled && $this->ssl_key) : ?>
server { server {
<?php
print " include " . $server->include_path . "/fastcgi_ssl_params.conf;\n";
?>
limit_conn gulag 10; # like mod_evasive - this allows max 10 simultaneous connections from one IP address limit_conn gulag 10; # like mod_evasive - this allows max 10 simultaneous connections from one IP address
listen <?php print "{$ip_address}:{$http_ssl_port}"; ?>; listen <?php print "{$ip_address}:{$http_ssl_port}"; ?>;
server_name <?php print $this->uri; ?> <?php if (!$this->redirection && is_array($this->aliases)) : foreach ($this->aliases as $alias_url) : if (trim($alias_url)) : ?> <?php $alias_url = "." . $alias_url; ?> <?php print $alias_url; ?> <?php endif; endforeach; endif; ?>; server_name <?php print $this->uri . ' ' . implode(' ', $this->aliases); ?>;
root <?php print $this->root; ?>; root <?php print $this->root; ?>;
index index.php index.html; index index.php index.html;
ssl on; ssl on;
ssl_certificate <?php print $ssl_cert; ?>; ssl_certificate <?php print $ssl_cert; ?>;
ssl_certificate_key <?php print $ssl_cert_key; ?>; ssl_certificate_key <?php print $ssl_cert_key; ?>;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1; ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
<?php keepalive_timeout 70;
<?php
if ($this->redirection) {
// Redirect all aliases to the main https url.
print "\n if (\$host !~ ^({$this->uri})$ ) {\n rewrite ^/(.*)$ https://{$this->uri}/$1 permanent;\n }\n";
}
if ($server->nginx_has_new_version || $server->nginx_has_upload_progress) { if ($server->nginx_has_new_version || $server->nginx_has_upload_progress) {
print ' include ' . $server->include_path . '/nginx_advanced_include.conf'; print " include " . $server->include_path . "/nginx_advanced_include.conf;\n";
} }
else { else {
print ' include ' . $server->include_path . '/nginx_simple_include.conf'; print " include " . $server->include_path . "/nginx_simple_include.conf;\n";
} }
?>; ?>
} }
<?php endif; ?> <?php endif; ?>
<?php <?php
if ($this->ssl_enabled != 2) : // Generate the standard virtual host too.
// Generate the standard virtual host too. include('http/nginx/vhost.tpl.php');
include('http/nginx/vhost.tpl.php');
else :
// Generate a virtual host that redirects all HTTP traffic to https.
?> ?>
server {
listen <?php print $ip_address . ':' . $http_port; ?>;
server_name <?php print $this->uri; ?> <?php if (!$this->redirection && is_array($this->aliases)) : foreach ($this->aliases as $alias_url) : if (trim($alias_url)) : ?> <?php $alias_url = "." . $alias_url; ?> <?php print $alias_url; ?> <?php endif; endforeach; endif; ?>;
root <?php print $this->root; ?>;
index index.php index.html;
location / {
root /var/www/nginx-default;
index index.html index.htm;
rewrite ^/(.*)$ <?php print $ssl_redirect_url ?>/$1 permanent;
}
}
<?php endif; ?>
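Review bot: With the dedicated redirect vhost removed, enforcing HTTPS for sites that previously hit the `ssl_enabled == 2` branch now depends entirely on `$ssl_redirection` being set before `include('http/nginx/vhost.tpl.php')`, and no assignment is visible in this template; if it is unset, the included vhost serves the site over plain HTTP. Setting it explicitly ahead of the include, e.g. `$ssl_redirection = ($this->ssl_enabled == 2);`, would keep that guarantee obvious to the next reader. The unchanged context lines also still enable `SSLv2` and `SSLv3` and the `+LOW:+SSLv2:+EXP` cipher classes. While this block is being edited I would restrict `ssl_protocols` to the TLS versions the deployed nginx supports and reduce the cipher string to something like `HIGH:!aNULL:!MD5`.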