cbeier/drupal.conf

## drupal.conf
server {
  server_name yourserver.com www.yourserver.com;
  root /usr/share/nginx/www/drupal;

  fastcgi_param SCRIPT_NAME $fastcgi_script_name;

  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  # Very rarely should these ever be accessed outside of your lan
  location ~* \.(txt|log)$ {
    allow 192.168.0.0/16;
    deny all;
  }

  # Allow access to PHP files inside /core directory.
  location ~ ^\/core\/.*\.php$ {
    allow all;
  }
  # Allow access to PHP test files.
  location ~ \/core\/modules\/system\/tests\/https?\.php {
    allow 192.168.0.0/16;
    deny all;
  }
  # Allow access to PHP test files.
  location ~ \/core\/modules\/statistics\/statistics\.php$ {
    allow all;
  }
  # Explicitly deny access to the autoload file
  location ~ autoload\.php$ {
    deny all;
    return 404;
  }
  # Don't allow direct access to PHP files in all subdirectories
  location ~ .*\/.*\.(php|yml|engine|inc|install|make|module|profile|theme|twig|sql)$ {
    deny all;
    return 404;
  }

  location ~ ^/sites/.*/private/ {
    return 403;
  }

  # Allow "Well-Known URIs" as per RFC 5785
  location ~* ^/.well-known/ {
    allow all;
  }

  # Block access to "hidden" files and directories whose names begin with a
  # period. This includes directories used by version control systems such
  # as Subversion or Git to store control files.
  location ~ (^|/)\. {
    return 403;
  }

  location / {
    try_files $uri /index.php?$query_string; # For Drupal >= 7
  }

  location @rewrite {
    rewrite ^/(.*)$ /index.php?q=$1;
  }

  # Don't allow direct access to PHP files in the vendor directory.
  location ~ /vendor/.*\.php$ {
    deny all;
    return 404;
  }

  # In Drupal 8, we must also match new paths where the '.php' appears in
  # the middle, such as update.php/selection. The rule we use is strict,
  # and only allows this pattern with the update.php front controller.
  # This allows legacy path aliases in the form of
  # blog/index.php/legacy-path to continue to route to Drupal nodes. If
  # you do not have any paths like that, then you might prefer to use a
  # laxer rule, such as:
  #   location ~ \.php(/|$) {
  # The laxer rule will continue to work if Drupal uses this new URL
  # pattern with front controllers other than update.php in a future
  # release.
  location ~ '\.php$|^/update.php' {
    # Microcaching
    set $no_cache "";
    if ($request_method !~ ^(GET|HEAD)$) {
      set $no_cache "1";
    }

    if ($no_cache = "1") {
      add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
      add_header X-Microcachable "0";
    }

    if ($http_cookie ~ SESS) {
      set $no_cache "1";
    }

    fastcgi_no_cache $no_cache;
    fastcgi_cache_bypass $no_cache;
    fastcgi_cache microcache;
    fastcgi_cache_key $server_name|$request_uri;
    fastcgi_cache_valid 404 30m;
    fastcgi_cache_valid 200 1s;
    fastcgi_max_temp_file_size 1M;
    fastcgi_cache_use_stale updating;
    fastcgi_pass_header Set-Cookie;
    fastcgi_pass_header Cookie;
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
    fastcgi_index index.php;

    fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
    # Security note: If you're running a version of PHP older than the
    # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
    # See http://serverfault.com/q/627903/94922 for details.
    include fastcgi_params;
    # Block httpoxy attacks. See https://httpoxy.org/.
    fastcgi_param HTTP_PROXY "";
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_intercept_errors on;
    # PHP 5 socket location.
    #fastcgi_pass unix:/var/run/php5-fpm.sock;
    # PHP 7 socket location.
    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
  }

  # Fighting with Styles? This little gem is amazing.
  location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
    try_files $uri @rewrite;
  }

  # Handle private files through Drupal. Private file's path can come
  # with a language prefix.
  location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
    try_files $uri /index.php?$query_string;
  }

  location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires max;
    log_not_found off;
  }
}
	server {
	server_name yourserver.com www.yourserver.com;
	root /usr/share/nginx/www/drupal;

	fastcgi_param SCRIPT_NAME $fastcgi_script_name;

	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	# Very rarely should these ever be accessed outside of your lan
	location ~* \.(txt\|log)$ {
	allow 192.168.0.0/16;
	deny all;
	}

	# Allow access to PHP files inside /core directory.
	location ~ ^\/core\/.*\.php$ {
	allow all;
	}
	# Allow access to PHP test files.
	location ~ \/core\/modules\/system\/tests\/https?\.php {
	allow 192.168.0.0/16;
	deny all;
	}
	# Allow access to PHP test files.
	location ~ \/core\/modules\/statistics\/statistics\.php$ {
	allow all;
	}
	# Explicitly deny access to the autoload file
	location ~ autoload\.php$ {
	deny all;
	return 404;
	}
	# Don't allow direct access to PHP files in all subdirectories
	location ~ .\/.\.(php\|yml\|engine\|inc\|install\|make\|module\|profile\|theme\|twig\|sql)$ {
	deny all;
	return 404;
	}

	location ~ ^/sites/.*/private/ {
	return 403;
	}

	# Allow "Well-Known URIs" as per RFC 5785
	location ~* ^/.well-known/ {
	allow all;
	}

	# Block access to "hidden" files and directories whose names begin with a
	# period. This includes directories used by version control systems such
	# as Subversion or Git to store control files.
	location ~ (^\|/)\. {
	return 403;
	}

	location / {
	try_files $uri /index.php?$query_string; # For Drupal >= 7
	}

	location @rewrite {
	rewrite ^/(.*)$ /index.php?q=$1;
	}

	# Don't allow direct access to PHP files in the vendor directory.
	location ~ /vendor/.*\.php$ {
	deny all;
	return 404;
	}

	# In Drupal 8, we must also match new paths where the '.php' appears in
	# the middle, such as update.php/selection. The rule we use is strict,
	# and only allows this pattern with the update.php front controller.
	# This allows legacy path aliases in the form of
	# blog/index.php/legacy-path to continue to route to Drupal nodes. If
	# you do not have any paths like that, then you might prefer to use a
	# laxer rule, such as:
	# location ~ \.php(/\|$) {
	# The laxer rule will continue to work if Drupal uses this new URL
	# pattern with front controllers other than update.php in a future
	# release.
	location ~ '\.php$\|^/update.php' {
	# Microcaching
	set $no_cache "";
	if ($request_method !~ ^(GET\|HEAD)$) {
	set $no_cache "1";
	}

	if ($no_cache = "1") {
	add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
	add_header X-Microcachable "0";
	}

	if ($http_cookie ~ SESS) {
	set $no_cache "1";
	}

	fastcgi_no_cache $no_cache;
	fastcgi_cache_bypass $no_cache;
	fastcgi_cache microcache;
	fastcgi_cache_key $server_name\|$request_uri;
	fastcgi_cache_valid 404 30m;
	fastcgi_cache_valid 200 1s;
	fastcgi_max_temp_file_size 1M;
	fastcgi_cache_use_stale updating;
	fastcgi_pass_header Set-Cookie;
	fastcgi_pass_header Cookie;
	fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
	fastcgi_index index.php;

	fastcgi_split_path_info ^(.+?\.php)(\|/.*)$;
	# Security note: If you're running a version of PHP older than the
	# latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
	# See http://serverfault.com/q/627903/94922 for details.
	include fastcgi_params;
	# Block httpoxy attacks. See https://httpoxy.org/.
	fastcgi_param HTTP_PROXY "";
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param PATH_INFO $fastcgi_path_info;
	fastcgi_param QUERY_STRING $query_string;
	fastcgi_intercept_errors on;
	# PHP 5 socket location.
	#fastcgi_pass unix:/var/run/php5-fpm.sock;
	# PHP 7 socket location.
	fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
	}

	# Fighting with Styles? This little gem is amazing.
	location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
	try_files $uri @rewrite;
	}

	# Handle private files through Drupal. Private file's path can come
	# with a language prefix.
	location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
	try_files $uri /index.php?$query_string;
	}

	location ~* \.(js\|css\|png\|jpg\|jpeg\|gif\|ico)$ {
	expires max;
	log_not_found off;
	}
	}