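# Drupal (7 and 8) virtual host: static-file rules, access restrictions and a
# PHP-FPM front controller with a one-second FastCGI microcache.
#
# nginx selects a location in this order: exact (=) matches, then the regex
# locations in the order they appear in this file (first match wins), then
# the longest matching prefix. The order of the regex blocks below is
# therefore part of the access policy, not just layout.
server {
    server_name yourserver.com www.yourserver.com;
    root /usr/share/nginx/www/drupal;

    # fastcgi_param is inherited only by levels that declare no fastcgi_param
    # of their own; the PHP location below declares its own set.
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Very rarely should these ever be accessed outside of your lan
    location ~* \.(txt|log)$ {
        allow 192.168.0.0/16;
        deny all;
    }

    # NOTE(review): the next three locations hold access rules only and no
    # fastcgi_pass. A URI that lands in one of them is answered by nginx as a
    # static file, so the script is returned as-is rather than run by PHP.
    # The first pattern also matches every URI ending in .php that the other
    # two were written for, so the LAN restriction on the test scripts is not
    # reached for those. If these scripts are meant to execute, they have to
    # reach the PHP handler instead. Confirm the intent and check the result
    # with `nginx -T` and a test request before deploying.

    # Allow access to PHP files inside /core directory.
    location ~ ^\/core\/.*\.php$ {
        allow all;
    }

    # Restrict the HTTP/HTTPS system test scripts to the LAN.
    location ~ \/core\/modules\/system\/tests\/https?\.php {
        allow 192.168.0.0/16;
        deny all;
    }

    # Allow access to the statistics counter script.
    location ~ \/core\/modules\/statistics\/statistics\.php$ {
        allow all;
    }

    # Explicitly deny access to the autoload file
    location ~ autoload\.php$ {
        deny all;
        return 404;
    }

    # Refuse source, configuration and dump files wherever they live.
    # `return` runs before the access phase, so the client sees 404.
    location ~ \.(yml|engine|inc|install|make|module|profile|theme|twig|sql)$ {
        deny all;
        return 404;
    }

    # Don't allow direct access to PHP files in subdirectories. The pattern
    # requires at least one directory level: a pattern that also matched
    # /index.php would sit in front of the PHP handler and turn every request
    # routed to the front controller into a 404.
    location ~ ^/[^/]+/.*\.php$ {
        deny all;
        return 404;
    }

    location ~ ^/sites/.*/private/ {
        return 403;
    }

    # Allow "Well-Known URIs" as per RFC 5785. Must stay above the
    # hidden-file rule, which would otherwise match first.
    location ~* ^/\.well-known/ {
        allow all;
    }

    # Block access to "hidden" files and directories whose names begin with a
    # period. This includes directories used by version control systems such
    # as Subversion or Git to store control files.
    location ~ (^|/)\. {
        return 403;
    }

    location / {
        try_files $uri /index.php?$query_string; # For Drupal >= 7
    }

    location @rewrite {
        rewrite ^/(.*)$ /index.php?q=$1;
    }

    # Don't allow direct access to PHP files in the vendor directory.
    # The subdirectory PHP rule above already matches these URIs first; this
    # block is kept as a second line of defence in case that rule is relaxed.
    location ~ /vendor/.*\.php$ {
        deny all;
        return 404;
    }

    # In Drupal 8, we must also match new paths where the '.php' appears in
    # the middle, such as update.php/selection. The rule we use is strict,
    # and only allows this pattern with the update.php front controller.
    # This allows legacy path aliases in the form of
    # blog/index.php/legacy-path to continue to route to Drupal nodes. If
    # you do not have any paths like that, then you might prefer to use a
    # laxer rule, such as:
    #   location ~ \.php(/|$) {
    # The laxer rule will continue to work if Drupal uses this new URL
    # pattern with front controllers other than update.php in a future
    # release.
    location ~ '\.php$|^/update.php' {
        # Microcaching: only GET/HEAD requests without a Drupal session
        # cookie are stored in or served from the cache.
        set $no_cache "";
        if ($request_method !~ ^(GET|HEAD)$) {
            set $no_cache "1";
        }
        # NOTE(review): nothing in this file reads the _mcnc cookie. If it is
        # meant to keep a client out of the cache for two seconds after a
        # write, a matching $http_cookie check is needed. Confirm.
        if ($no_cache = "1") {
            add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
            add_header X-Microcachable "0";
        }
        if ($http_cookie ~ SESS) {
            set $no_cache "1";
        }
        fastcgi_no_cache $no_cache;
        fastcgi_cache_bypass $no_cache;

        # The "microcache" zone must be declared with fastcgi_cache_path in
        # the http context; that declaration is not part of this file.
        fastcgi_cache microcache;
        # The key carries neither scheme nor requested host, so both server
        # names above share cache entries.
        fastcgi_cache_key $server_name|$request_uri;
        fastcgi_cache_valid 404 30m;
        fastcgi_cache_valid 200 1s;
        fastcgi_max_temp_file_size 1M;
        fastcgi_cache_use_stale updating;
        fastcgi_pass_header Set-Cookie;
        fastcgi_pass_header Cookie;
        # Cache-Control and Expires from Drupal are ignored so that pages can
        # be microcached at all. Set-Cookie is deliberately NOT ignored: a
        # response that sets a cookie is then never stored, so one visitor's
        # cookie cannot be replayed to other visitors from the shared cache.
        fastcgi_ignore_headers Cache-Control Expires;

        fastcgi_index index.php;
        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
        # Security note: If you're running a version of PHP older than the
        # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
        # See http://serverfault.com/q/627903/94922 for details.
        include fastcgi_params;
        # Block httpoxy attacks. See https://httpoxy.org/.
        fastcgi_param HTTP_PROXY "";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_intercept_errors on;
        # PHP 5 socket location.
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        # PHP 7 socket location.
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }

    # Image style derivatives: serve the generated file if it exists,
    # otherwise let Drupal build it.
    location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
        try_files $uri @rewrite;
    }

    # Handle private files through Drupal. Private file's path can come
    # with a language prefix.
    location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
        try_files $uri /index.php?$query_string;
    }

    # Static assets: far-future expiry, no log noise for missing files.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }
}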