Created
July 3, 2013 20:37
-
-
Save perusio/5922588 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- | |
| ### Nginx configuration for Drupal. This configuration makes use of | |
| ### drush (http:///drupal.org/project/drush) for site maintenance | |
| ### and like tasks: | |
| ### | |
| ### 1. Run the cronjobs. | |
| ### 2. Run the DB and code updates: drush up or drush upc followed by | |
| ### drush updb to run any DB updates required by the code upgrades | |
| ### that were performed. | |
| ### 3. Disabling of xmlrpc.xml, install.php (needed only for | |
| ### installing the site) and update.php: all updates are now | |
| ### handled through drush. | |
| ## The 'default' location. | |
| location /subdir { | |
| ## Drupal 404 from can impact performance. If using a module like | |
| ## search404 then 404's *have *to be handled by Drupal. Uncomment to | |
| ## relay the handling of 404's to Drupal. | |
| ## error_page 404 /index.php; | |
| ## Using a nested location is the 'correct' way to use regexes. | |
| ## Regular private file serving (i.e. handled by Drupal). | |
| location ^~ /subdir/system/files/ { | |
| ## Include the specific FastCGI configuration. This is for a | |
| ## FCGI backend like php-cgi or php-fpm. | |
| include apps/drupal/fastcgi_drupal.conf; | |
| fastcgi_pass phpcgi; | |
| ## If proxying to apache comment the two lines above and | |
| ## uncomment the line below. | |
| #proxy_pass http://phpapache/index.php?q=$uri; | |
| ## For not signaling a 404 in the error log whenever the | |
| ## system/files directory is accessed add the line below. | |
| ## Note that the 404 is the intended behavior. | |
| log_not_found off; | |
| } | |
| ## Trying to access private files directly returns a 404. | |
| location ^~ /subdir/sites/default/files/private/ { | |
| internal; | |
| } | |
| ## Support for the file_force module | |
| ## http://drupal.org/project/file_force. | |
| location ^~ /subdir/system/files_force/ { | |
| ## Include the specific FastCGI configuration. This is for a | |
| ## FCGI backend like php-cgi or php-fpm. | |
| include apps/drupal/fastcgi_drupal.conf; | |
| fastcgi_pass phpcgi; | |
| ## If proxying to apache comment the two lines above and | |
| ## uncomment the line below. | |
| #proxy_pass http://phpapache/index.php?q=$no_slash_uri; | |
| ## For not signaling a 404 in the error log whenever the | |
| ## system/files directory is accessed add the line below. | |
| ## Note that the 404 is the intended behavior. | |
| log_not_found off; | |
| } | |
| ## If accessing an image generated by Drupal 6 imagecache, serve it | |
| ## directly if available, if not relay the request to Drupal to (re)generate | |
| ## the image. | |
| location ~* /imagecache/ { | |
| ## Image hotlinking protection. If you want hotlinking | |
| ## protection for your images uncomment the following line. | |
| #include apps/drupal/hotlinking_protection.conf; | |
| access_log off; | |
| expires 30d; | |
| try_files $uri @drupal; | |
| } | |
| ## Drupal 7 generated image handling, i.e., imagecache in core. See: | |
| ## http://drupal.org/node/371374. | |
| location ~* /files/styles/ { | |
| ## Image hotlinking protection. If you want hotlinking | |
| ## protection for your images uncomment the following line. | |
| #include apps/drupal/hotlinking_protection.conf; | |
| access_log off; | |
| expires 30d; | |
| try_files $uri @drupal; | |
| } | |
| ## Advanced Aggregation module CSS | |
| ## support. http://drupal.org/project/advagg. | |
| location ^~ /subdir/sites/default/files/advagg_css/ { | |
| location ~* /sites/default/files/advagg_css/css_[[:alnum:]]+\.css$ { | |
| access_log off; | |
| add_header Pragma ''; | |
| add_header Cache-Control 'public, max-age=946080000'; | |
| add_header Accept-Ranges ''; | |
| try_files $uri @drupal; | |
| } | |
| } | |
| ## Advanced Aggregation module JS | |
| ## support. http://drupal.org/project/advagg. | |
| location ^~ /subdir/sites/default/files/advagg_js/ { | |
| location ~* /sites/default/files/advagg_js/js_[[:alnum:]]+\.js$ { | |
| access_log off; | |
| add_header Pragma ''; | |
| add_header Cache-Control 'public, max-age=946080000'; | |
| add_header Accept-Ranges ''; | |
| try_files $uri @drupal; | |
| } | |
| } | |
| ## All static files will be served directly. | |
| location ~* ^.+\.(?:css|cur|js|jpg|jpeg|gif|htc|ico|png|html|xml)$ { | |
| access_log off; | |
| expires 30d; | |
| ## No need to bleed constant updates. Send the all shebang in one | |
| ## fell swoop. | |
| tcp_nodelay off; | |
| ## Set the OS file cache. | |
| open_file_cache max=3000 inactive=120s; | |
| open_file_cache_valid 45s; | |
| open_file_cache_min_uses 2; | |
| open_file_cache_errors off; | |
| } | |
| ## PDFs and powerpoint files handling. | |
| location ~* ^.+\.(?:pdf|pptx?)$ { | |
| expires 30d; | |
| ## No need to bleed constant updates. Send the all shebang in one | |
| ## fell swoop. | |
| tcp_nodelay off; | |
| } | |
| ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. | |
| location ^~ /sites/default/files/audio/mp3 { | |
| location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { | |
| directio 4k; # for XFS | |
| ## If you're using ext3 or similar uncomment the line below and comment the above. | |
| #directio 512; # for ext3 or similar (block alignments) | |
| tcp_nopush off; | |
| aio on; | |
| output_buffers 1 2M; | |
| } | |
| } | |
| location ^~ /sites/default/files/audio/ogg { | |
| location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { | |
| directio 4k; # for XFS | |
| ## If you're using ext3 or similar uncomment the line below and comment the above. | |
| #directio 512; # for ext3 or similar (block alignments) | |
| tcp_nopush off; | |
| aio on; | |
| output_buffers 1 2M; | |
| } | |
| } | |
| ## Pseudo streaming of FLV files: | |
| ## http://wiki.nginx.org/HttpFlvStreamModule. | |
| ## If pseudo streaming isn't working, try to comment | |
| ## out in nginx.conf line with: | |
| ## add_header X-Frame-Options SAMEORIGIN; | |
| location ^~ /subdir/sites/default/files/video/flv { | |
| location ~* ^/sites/default/files/video/flv/.*\.flv$ { | |
| flv; | |
| } | |
| } | |
| ## Pseudo streaming of H264/AAC files. This requires an Nginx | |
| ## version greater or equal to 1.0.7 for the stable branch and | |
| ## greater or equal to 1.1.3 for the development branch. | |
| ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. | |
| location ^~ /subdir/sites/default/files/video/mp4 { # videos | |
| location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { | |
| mp4; | |
| mp4_buffer_size 1M; | |
| mp4_max_buffer_size 5M; | |
| } | |
| } | |
| location ^~ /subdir/sites/default/files/audio/m4a { # audios | |
| location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { | |
| mp4; | |
| mp4_buffer_size 1M; | |
| mp4_max_buffer_size 5M; | |
| } | |
| } | |
| ## Advanced Help module makes each module provided README available. | |
| location ^~ /subdir/help/ { | |
| location ~* ^/help/[^/]*/README\.txt$ { | |
| ## Include the specific FastCGI configuration. This is for a | |
| ## FCGI backend like php-cgi or php-fpm. | |
| include apps/drupal/fastcgi_drupal.conf; | |
| fastcgi_pass phpcgi; | |
| ## If proxying to apache comment the two lines above and | |
| ## uncomment the line below. | |
| #proxy_pass http://phpapache/index.php?q=$uri; | |
| } | |
| } | |
| ## Replicate the Apache <FilesMatch> directive of Drupal standard | |
| ## .htaccess. Disable access to any code files. Return a 404 to curtail | |
| ## information disclosure. Hide also the text files. | |
| location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { | |
| return 404; | |
| } | |
| ## First we try the URI and relay to the /index.php?q=$uri&$args if not found. | |
| try_files $uri @drupal; | |
| } | |
| ########### Security measures ########## | |
| ## Uncomment the line below if you want to enable basic auth for | |
| ## access to all /admin URIs. Note that this provides much better | |
| ## protection if use HTTPS. Since it can easily be eavesdropped if you | |
| ## use HTTP. | |
| #include apps/drupal/admin_basic_auth.conf; | |
| ## Restrict access to the strictly necessary PHP files. Reducing the | |
| ## scope for exploits. Handling of PHP code and the Drupal event loop. | |
| location @drupal { | |
| ## Include the FastCGI config. | |
| include apps/drupal/fastcgi_drupal.conf; | |
| fastcgi_pass phpcgi; | |
| ## FastCGI microcache. | |
| include apps/drupal/microcache_fcgi.conf; | |
| ## FCGI microcache for authenticated users also. | |
| #include apps/drupal/microcache_fcgi_auth.conf; | |
| ## To use Apache for serving PHP uncomment the line bellow and | |
| ## comment out the above. | |
| #proxy_pass http://phpapache/index.php?q=$uri&$args; | |
| ## Proxy microcache. | |
| #include apps/drupal/microcache_proxy.conf; | |
| ## Proxy microcache for authenticated users also. | |
| #include apps/drupal/microcache_proxy_auth.conf; | |
| ## Filefield Upload progress | |
| ## http://drupal.org/project/filefield_nginx_progress support | |
| ## through the NginxUploadProgress modules. | |
| track_uploads uploads 60s; | |
| } | |
| location @drupal-no-args { | |
| ## Include the specific FastCGI configuration. This is for a | |
| ## FCGI backend like php-cgi or php-fpm. | |
| include apps/drupal/fastcgi_no_args_drupal.conf; | |
| fastcgi_pass phpcgi; | |
| ## FastCGI microcache. | |
| include apps/drupal/microcache_fcgi.conf; | |
| ## FCGI microcache for authenticated users also. | |
| #include apps/drupal/microcache_fcgi_auth.conf; | |
| ## If proxying to apache comment the two lines above and | |
| ## uncomment the line below. | |
| #proxy_pass http://phpapache/index.php?q=$uri; | |
| ## Proxy microcache. | |
| #include apps/drupal/microcache_proxy.conf; | |
| ## Proxy microcache for authenticated users also. | |
| #include apps/drupal/microcache_proxy_auth.conf; | |
| } | |
| ## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return | |
| ## 404 as not to disclose information. | |
| location ^~ /subdir/.bzr { | |
| return 404; | |
| } | |
| location ^~ /subdir/.git { | |
| return 404; | |
| } | |
| location ^~ /subdir/.hg { | |
| return 404; | |
| } | |
| location ^~ /subdir/.svn { | |
| return 404; | |
| } | |
| location ^~ /subdir/.cvs { | |
| return 404; | |
| } | |
| ## Disallow access to patches directory. | |
| location ^~ /subdir/patches { | |
| return 404; | |
| } | |
| ## Disallow access to drush backup directory. | |
| location ^~ /subdir/backup { | |
| return 404; | |
| } | |
| ## Disable access logs for robots.txt. | |
| location = /subdir/robots.txt { | |
| access_log off; | |
| ## Add support for the robotstxt module | |
| ## http://drupal.org/project/robotstxt. | |
| try_files $uri @drupal-no-args; | |
| } | |
| ## RSS feed support. | |
| location = /subdir/rss.xml { | |
| try_files $uri @drupal-no-args; | |
| } | |
| ## XML Sitemap support. | |
| location = /subdir/sitemap.xml { | |
| try_files $uri @drupal-no-args; | |
| } | |
| ## Support for favicon. Return an 1x1 transparent GIF if it doesn't | |
| ## exist. | |
| location = /subdir/favicon.ico { | |
| expires 30d; | |
| try_files /favicon.ico @empty; | |
| } | |
| ## Return an in memory 1x1 transparent GIF. | |
| location @empty { | |
| expires 30d; | |
| empty_gif; | |
| } | |
| ## Any other attempt to access PHP files returns a 404. | |
| location ~* ^.+\.php$ { | |
| return 404; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment