* First public release.

0 parents commit 493ab423caef45d4ed23dcfc2ea6e32aab3e7620 @perusio committed Sep 13, 2010
@@ -0,0 +1,165 @@
+* Nginx configuration for running Drupal
+
+** Introduction
+
+ This is an example configuration from running Drupal using
+ [[http://nginx.org][nginx]]. Which is a high-performance non-blocking HTTP server.
+
+ Nginx doesn't use a module like Apache does for PHP support. The
+ Apache module approach simplifies a lot of things because what you
+ have in reality is nothing less than a PHP engine running on top of
+ the HTTP server.
+
+ Instead nginx uses [[http://en.wikipedia.org/wiki/FastCGI][FastCGI]] to proxy all requests for PHP processing
+ to a php fastcgi daemon that is waiting for incoming requests and
+ then handles the php file being requested.
+
+ Although the fcgi approach is more cumbersome to set up it provides
+ a greater degree of control over which actions are permitted, hence
+ greater security.
+
+ This configuration uses a lot of stuff stolen from both [[github.com/yhager/nginx_drupal][yhager]],
+ [[http://github.com/omega8cc/nginx-for-drupal][omega8cc]] and [[http://test.brianmercer.com/content/nginx-configuration-drupal][Brian Mercer]] configurations. I've incorporated some
+ tidbits of advice I've gotten from both the nginx mailing list and
+ the [[http://wiki.nginx.org][nginx Wiki]].
+
+** Layout
+
+ The configuration has *two* possible choices.
+
+ 1. A *non drush aware* version that uses =wget/curl= to run cron
+ and updating the site using =update.php=, i.e., via a web
+ interface.
+
+ 2. A *drush aware version* that runs cron and updates the site
+ using [[http://drupal.org/project/drush][drush]].
+
+ To get drush to run cron jobs the easiest way is to define your
+ own [[http://drupal.org/node/670460][site aliases]]. See the example aliases file
+ =example.aliases.drushrc.php= that comes under the =examples=
+ directory in the drush distribution.
+
+ Example: You create the aliases for example.com and example.org,
+ with aliases =@excom= and =@exnet= respectively.
+
+ Your crontab should contain something like:
+
+ =COLUMNS=80=
+ =*/50 * * * * /path/to/drush @excom cron > /dev/null
+ 1 2 * * * /path/to/drush @exnet cron > /dev/null=
+
+ This means that the cron job for example.com will be run every
+ 50 minutes and the cron job for example.net will be run every
+ day at 02:01 hours. Check the section 7 of the Drupal
+ =INSTALL.txt= for further details about running cron.
+
+ Note that the =/path/to/drush= is the path to the *shell script
+ wrapper* that comes with drush not to to the =drush.php=
+ script. If using =drush.php= then add =php= in front of the
+ =/path/to/drush.php=.
+
+
+** General Features
+
+ 1. The use of two =server= directives to do the domain name
+ rewriting, usually redirecting =www.example.com= to
+ =example.com= or vice-versa. As recommended in [[http://wiki.nginx.org/Pitfalls#Server_Name][nginx Wiki Pitfalls]] page.
+
+ 2. *Clean URL* support.
+
+ 3. Access control for =cron.php=. It can only be requested from a
+ set of IPs addresses you specify. This is for the *non drush
+ aware* version.
+
+ 4. Support for the [[http://drupal.org/project/boost][Boost]] module.
+
+ 5. Support for virtual hosts. The =example.com= file.
+
+ 6. Support for [[http://drupal.org/project/site_map][Sitemaps]] and RSS feeds.
+
+ 7. Support for the [[http://drupal.org/project/filefield_nginx_progress][Filefield Nginx Progress]] module for the upload
+ progress bar.
+
+ 8. Use of *non-capturing* regex for all directives that are not
+ rewrites that need to use URI components.
+
+ 9. IPv6 and IPv4 support.
+
+ 10. Use of UNIX sockets in =/tmp/= subdirectory with permissions
+ *700*, i.e., accessible only to the user running the process.
+
+ You may consider the [[github.com/perusio/php-fastcgi-debian-script][init script]] that I make available here on
+ github that launches the PHP FastCGI daemon and spawns new
+ instances as required.
+
+** Security Features
+
+ 1. The use of a =default= configuration file to block all illegal
+ =Host= HTTP header requests.
+
+ 2. Access control using [[http://wiki.nginx.org/NginxHttpAuthBasicModule][HTTP Basic Auth]] for =install.php= and other
+ Drupal sensitive files. The configuration expects a password
+ file named =.htpasswd-users= in the top nginx configuration
+ directory, usually =/etc/nginx=. I provide an empty file. This
+ is also for the *non drush aware* version.
+
+ If you're on Debian or any of its derivatives like Ubuntu you
+ need the [[http://packages.debian.org/search?suite%3Dall&section%3Dall&arch%3Dany&searchon%3Dnames&keywords%3Dapache2-utils][apache2-utils]] package installed. Then create your
+ password file by issuing:
+
+ =htpasswd -d -b -c .htpasswd-users <user> <password>=
+
+ You should delete this command from your shell history
+ afterwards with =history -d <command number>= or alternatively
+ omit the =-b= switch then you'll be prompted for the password.
+
+ This creates the file (there's a =-c= switch). For adding
+ additional users omit the =-c=.
+
+ Of course you can rename the password file to whatever you want,
+ then accordingly change its name in drupal_boost.conf.
+
+ 3. Support for [[https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header][X-Frame-Options]] HTTP header to avoid Clickjacking
+ attacks.
+
+ 4. Protection of the upload directory. You can try to bypass the
+ UNIX =file= utility or the PHP =Fileinfo= extension and upload a
+ fake jpeg:
+
+ =echo -e "\xff\xd8\xff\xe0\n<?php echo 'hello'; ?>" > test.jpg=
+
+ If you run =php test.jpg= you get 'hello'. The fact is that *all
+ files* with php extension are either matched by a particular
+ location, as is the case for =index.php=, =xmlrpc.php=,
+ =update.php= and =install.php= or match the last directive of
+ the configuration:
+
+ =location ~* ^.+\.php$ {=
+ =return 404;=
+ =}=
+
+ Returning a 404 (Not Found) for every PHP file not matched by
+ all the previous locations.
+
+** Enabling and Disabling Virtual Hosts
+
+ I've created a shell script [[http://github.com/perusio/nginx_ensite][nginx_ensite]] that lives here on
+ github for quick enabling and disabling of virtual hosts.
+
+** On groups.drupal.org
+
+ There's a [[http://groups.drupal.org/nginx][nginx]] groups.drupal.org group for sharing and learning
+ more about using nginx with Drupal.
+
+** Monitoring nginx
+
+ I use [[http://mmonit.com][Monit]] for supervising the nginx daemon. Here's my
+ [[http://github.com/perusio/monit-miscellaneous][configuration]] for nginx.
+
+** Caveat emptor
+
+ You should *always* test the configuration with =nginx -t= to see
+ if everything is correct. Only after a successful should you reload
+ nginx. On Debian and any of its derivatives you can also test the
+ configuration by invoking the init script as: =/etc/init.d/nginx
+ testconfig=.
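Review bot: the crontab example (`*/50 * * * * /path/to/drush @excom cron`) does not run every 50 minutes as the paragraph below it claims; a `*/50` step in the minute field fires at minute 0 and minute 50 of every hour, so either state that or pick a schedule that expresses the intended cadence. The naming in that example also drifts: the aliases are introduced for example.com and example.org, the second alias is `@exnet`, and the explanation then talks about example.net. Minor wording in the same hunk: "an example configuration from running Drupal" should read "for running", "not to to the =drush.php=" doubles a word, and "Only after a successful should you reload nginx" is missing "test".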
@@ -0,0 +1,6 @@
+#-*- mode: conf; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*-
+### fastcgi configuration.
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+include fastcgi_params;
+fastcgi_intercept_errors on;
+fastcgi_index index.php;
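Review bot: `fastcgi_intercept_errors on;` hands every upstream response with status 300 or above to nginx's `error_page` processing, so Drupal's own 403 and 404 pages (which it renders with those status codes) will be replaced by whatever `error_page` targets the server block defines; either leave it off for the Drupal locations or make sure the `error_page` targets route back into Drupal. The `include fastcgi_params;` line is resolved by file name, so it is worth a comment saying whether it means the stock file shipped with nginx or the extended parameters file added in this commit, since only the latter sets `fastcgi_read_timeout`.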
@@ -0,0 +1,27 @@
+# -*- mode: conf; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*-
+### fastcgi parameters.
+
+fastcgi_read_timeout 14400; # allow 4 hrs - pass timeo responsibility to upstream
+
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
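Review bot: `fastcgi_read_timeout 14400;` applies a four-hour read timeout to every FastCGI request that includes this file, so a single stuck or slow PHP worker can hold an nginx connection and a slot in the PHP FastCGI pool for hours; scope the long timeout to the one location that needs it (a long-running `update.php`, for instance) and keep the default elsewhere. The comment on that line also has a typo ("timeo"). The rest of the parameter list matches the stock `fastcgi_params`; note that no `HTTPS` parameter is passed, so if an SSL server block is added later PHP will not see the request as secure unless that block passes one.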
109 koi-utf
@@ -0,0 +1,109 @@
+
+# This map is not a full koi8-r <> utf8 map: it does not contain
+# box-drawing and some other characters. Besides this map contains
+# several koi8-u and Byelorussian letters which are not in koi8-r.
+# If you need a full and standard map, use contrib/unicode2nginx/koi-utf
+# map instead.
+
+charset_map koi8-r utf-8 {
+
+ 80 E282AC ; # euro
+
+ 95 E280A2 ; # bullet
+
+ 9A C2A0 ; # &nbsp;
+
+ 9E C2B7 ; # &middot;
+
+ A3 D191 ; # small yo
+ A4 D194 ; # small Ukrainian ye
+
+ A6 D196 ; # small Ukrainian i
+ A7 D197 ; # small Ukrainian yi
+
+ AD D291 ; # small Ukrainian soft g
+ AE D19E ; # small Byelorussian short u
+
+ B0 C2B0 ; # &deg;
+
+ B3 D081 ; # capital YO
+ B4 D084 ; # capital Ukrainian YE
+
+ B6 D086 ; # capital Ukrainian I
+ B7 D087 ; # capital Ukrainian YI
+
+ B9 E28496 ; # numero sign
+
+ BD D290 ; # capital Ukrainian soft G
+ BE D18E ; # capital Byelorussian short U
+
+ BF C2A9 ; # (C)
+
+ C0 D18E ; # small yu
+ C1 D0B0 ; # small a
+ C2 D0B1 ; # small b
+ C3 D186 ; # small ts
+ C4 D0B4 ; # small d
+ C5 D0B5 ; # small ye
+ C6 D184 ; # small f
+ C7 D0B3 ; # small g
+ C8 D185 ; # small kh
+ C9 D0B8 ; # small i
+ CA D0B9 ; # small j
+ CB D0BA ; # small k
+ CC D0BB ; # small l
+ CD D0BC ; # small m
+ CE D0BD ; # small n
+ CF D0BE ; # small o
+
+ D0 D0BF ; # small p
+ D1 D18F ; # small ya
+ D2 D180 ; # small r
+ D3 D181 ; # small s
+ D4 D182 ; # small t
+ D5 D183 ; # small u
+ D6 D0B6 ; # small zh
+ D7 D0B2 ; # small v
+ D8 D18C ; # small soft sign
+ D9 D18B ; # small y
+ DA D0B7 ; # small z
+ DB D188 ; # small sh
+ DC D18D ; # small e
+ DD D189 ; # small shch
+ DE D187 ; # small ch
+ DF D18A ; # small hard sign
+
+ E0 D0AE ; # capital YU
+ E1 D090 ; # capital A
+ E2 D091 ; # capital B
+ E3 D0A6 ; # capital TS
+ E4 D094 ; # capital D
+ E5 D095 ; # capital YE
+ E6 D0A4 ; # capital F
+ E7 D093 ; # capital G
+ E8 D0A5 ; # capital KH
+ E9 D098 ; # capital I
+ EA D099 ; # capital J
+ EB D09A ; # capital K
+ EC D09B ; # capital L
+ ED D09C ; # capital M
+ EE D09D ; # capital N
+ EF D09E ; # capital O
+
+ F0 D09F ; # capital P
+ F1 D0AF ; # capital YA
+ F2 D0A0 ; # capital R
+ F3 D0A1 ; # capital S
+ F4 D0A2 ; # capital T
+ F5 D0A3 ; # capital U
+ F6 D096 ; # capital ZH
+ F7 D092 ; # capital V
+ F8 D0AC ; # capital soft sign
+ F9 D0AB ; # capital Y
+ FA D097 ; # capital Z
+ FB D0A8 ; # capital SH
+ FC D0AD ; # capital E
+ FD D0A9 ; # capital SHCH
+ FE D0A7 ; # capital CH
+ FF D0AA ; # capital hard sign
+}
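Review bot: this file is the koi8-r to UTF-8 `charset_map` from nginx's own distribution (its header comment says so and says it is deliberately incomplete), and nothing in the README mentions it or a `charset`/`source_charset` directive that would make it take effect; either drop it from the repository or note in the README that it is an unmodified copy of the stock file, so readers do not audit it as part of the Drupal-specific configuration.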