* New simplified config.

fiasco · Jun 6, 2011 · 7c1b68b · 7c1b68b
1 parent 68f0dbb
commit 7c1b68b
Show file tree

Hide file tree

Showing 13 changed files with 367 additions and 1,076 deletions.
diff --git a/sites-available/drupal.conf b/sites-available/drupal.conf
@@ -1,12 +1,107 @@
-# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
-### Nginx configuration for a generic Drupal site. If you're using if
-### for a OpenAtrium or ManagingNews site use the drupal_spaces.conf
-### file instead.
+# -*- mode: nginx; mode: flyspell-prog;  ispell-local-dictionary: "american" -*-
+### Nginx configuration for Drupal. This configuration makes use of
+### drush (http:///drupal.org/project/drush) for site maintenance
+### and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+###    drush updb to run any DB updates required by the code upgrades
+###    that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+###    installing the site) and update.php: all updates are now
+###    handled through drush.
 
-## Drupal 404 from can impact performance. If using a module like
-## search404 then 404's *have *to be handled by Drupal. Uncomment to
-## relay the handling of 404's to Drupal.
-## error_page 404 /index.php;
+## The 'default' location.
+location / {
+
+    ## Drupal 404 from can impact performance. If using a module like
+    ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+    ## relay the handling of 404's to Drupal.
+    ## error_page 404 /index.php;
+
+    ## Use index.html whenever there's no index.php.
+    location = / {
+        error_page 404 =200 /index.html;
+    }
+
+    ## Using a nested location is the 'correct' way to use regexes.
+
+    ## Regular private file serving (i.e. handled by Drupal).
+    location ~* /system/files/ {
+        try_files $uri /index.php?q=$uri&$args;
+        ## For not signaling a 404 in the error log whenever the
+        ## system/files directory is accessed add the line below.
+        ## Note that the 404 is the intended behavior.
+        log_not_found off;
+    }
+
+    ## If accessing an image generated by imagecache, serve it directly if
+    ## available, if not relay the request to Drupal to (re)generate the
+    ## image.
+    location ~* /imagecache/ {
+        access_log off;
+        expires 30d;
+        try_files $uri /index.php?q=$uri&$args;
+    }
+
+    ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+    ## https://drupal.org/node/371374.
+    location ~* /files/styles/ {
+        access_log off;            
+        expires 30d;
+        try_files $uri /index.php?q=$uri&$args;
+    }
+
+    ## All static files will be served directly.
+    location ~* ^.+\.(?:css|js|jpg|jpeg|gif|ico|png|html|xml)$ {
+        access_log        off;
+        expires           30d;
+        ## No need to bleed constant updates. Send the all shebang in one
+        ## fell swoop.
+        tcp_nodelay off;
+    }
+
+    ## Trying to access private files directly returns a 404.
+    location ~* /files/private/ {
+        internal;
+    }
+
+
+    ## Keep a tab on the 'big' static files.
+    location ~* ^.+\.(?:m4a|mp3|mp4|mov|ogg|flv|pdf|ppt[x]*)$ {
+        expires 30d;
+        ## No need to bleed constant updates. Send the all shebang in one
+        ## fell swoop.
+        tcp_nodelay off;
+    }
+
+
+    ## Replicate the Apache <FilesMatch> directive of Drupal standard
+    ## .htaccess. Disable access to any code files. Return a 404 to curtail
+    ## information disclosure. Hide also the text files.
+    location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+        return 404; 
+    }
+
+    ## First we try the URI and relay to the /index.php?q=$uri&$args if not found.
+    try_files $uri /index.php?q=$uri&$args;
+}
+
+
+########### Security measures ########## 
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location = /index.php {
+    fastcgi_pass phpcgi;
+    ## To use Apache for serving PHP uncomment the line bellow and
+    ## comment out the above.
+    #proxy_pass http://phpapache;
+    ## Filefield Upload progress
+    ## http://drupal.org/project/filefield_nginx_progress support
+    ## through the NgninxUploadProgress modules.
+    track_uploads uploads 60s;
+}
 
 ## Disallow access to .git directory: return 404 as not to disclose
 ## information.
@@ -24,13 +119,11 @@ location = /backup {
     return 404;
 }
 
-
 ## Disable access logs for robots.txt.
 location = /robots.txt {
     access_log off;
 }
 
-
 ## RSS feed support.
 location = /rss.xml {
     try_files $uri /index.php?q=$uri;
@@ -46,3 +139,8 @@ location = /sitemap.xml {
 location = /favicon.ico {
     try_files /favicon.ico =204;
 }
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+    return 404; 
+}
diff --git a/sites-available/drupal_boost_drush.conf → sites-available/drupal_boost.conf b/sites-available/drupal_boost_drush.conf → sites-available/drupal_boost.conf
@@ -15,6 +15,11 @@
 ## The 'default' location.
 location / {
 
+    ## Drupal 404 from can impact performance. If using a module like
+    ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+    ## relay the handling of 404's to Drupal.
+    ## error_page 404 /index.php;
+
     ## Use index.html whenever there's no index.php.
     location = / {
         error_page 404 =200 /index.html;
@@ -122,23 +127,63 @@ location @cache {
 ## scope for exploits. Handling of PHP code and the Drupal event loop.
 location = /index.php {
     fastcgi_pass phpcgi;
-    # To use Apache for serving PHP uncomment the line bellow and
-    # comment out the above.
+    ## To use Apache for serving PHP uncomment the line bellow and
+    ## comment out the above.
     #proxy_pass http://phpapache;
-    # Filefield Upload progress
-    # http://drupal.org/project/filefield_nginx_progress support
-    # through the NgninxUploadProgress modules.
+    ## Filefield Upload progress
+    ## http://drupal.org/project/filefield_nginx_progress support
+    ## through the NgninxUploadProgress modules.
     track_uploads uploads 60s;
 }
 
 ## Boost stats.
 location = /boost_stats.php {
     fastcgi_pass phpcgi;
-    # To use Apache for serving PHP uncomment the line bellow and
-    # comment out the above.
+    ## To use Apache for serving PHP uncomment the line bellow and
+    ## comment out the above.
     #proxy_pass http://phpapache;
 }
 
+
+## Disallow access to .git directory: return 404 as not to disclose
+## information.
+location = /.git {
+    return 404;
+}
+
+## Disallow access to patches directory.
+location = /patches {
+    return 404;
+}
+
+## Disallow access to drush backup directory.
+location = /backup {
+    return 404;
+}
+
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+    access_log off;
+}
+
+
+## RSS feed support.
+location = /rss.xml {
+    try_files $uri /index.php?q=$uri;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+    try_files $uri /index.php?q=$uri;
+}
+
+## Support for favicon. Return a 204 (No Content) if the favicon
+## doesn't exist.
+location = /favicon.ico {
+    try_files /favicon.ico =204;
+}
+
 ## Any other attempt to access PHP files returns a 404.
 location ~* ^.+\.php$ {
     return 404; 

diff --git a/sites-available/drupal_boost_no_drush.conf b/sites-available/drupal_boost_no_drush.conf