Permalink
Browse files

* Added support for URIs that are unsafe, i.e., require encoding.

  • Loading branch information...
1 parent 36946ac commit 4d86a4cae2e0266b308c561e39c22d86a76fdfc2 @perusio committed May 13, 2012
View
@@ -0,0 +1,4 @@
+# -*- mode: conf; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+## To avoid the ugly rewrite we use Lua to escape the URI.
+set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)';
View
@@ -0,0 +1,16 @@
+# -*- mode: conf; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Defines the $no_slash_uri variable for drupal 6. See https://drupal.org/node/827236.
+
+map $uri $no_slash_uri {
+ ~^/(?<no_slash>.*)$ $no_slash;
+}
+
+## If your URIs have unsafe characters, i.e., it has characters that
+## require percent encoding, then you need to escape the URI. Nginx
+## doesn't encode the characters, unless it's on a rewrite or on regex
+## based location when capturing.
+
+## To avoid the ugly rewrite we use Lua to escape the URI.
+set_by_lua $no_slash_escaped_uri
+ 'return ngx.escape_uri(ngx.var.no_slash_uri)';
View
@@ -161,6 +161,15 @@ http {
## You may comment out the line below if using drupal 7.
include map_drupal6.conf;
+ ## If you have URIs that are not URL safe, i.e., that have to be
+ ## encoded using the percent encoding. You have to comment out the
+ ## line above and uncomment the one below.
+ #include map_drupal6_escaped.conf
+
+ ## For drupal 7 with unsafe URIs uncomment the line below and
+ ## comment out the ones above.
+ #include drupal7_escaped_uri.conf;
+
## Include the caching setup. Needed for using Drupal with an external cache.
include map_cache.conf;
@@ -0,0 +1,273 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for Drupal. This configuration makes use of
+### drush (http:///drupal.org/project/drush) for site maintenance
+### and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Use index.html whenever there's no index.php.
+ location = / {
+ error_page 404 =200 /index.html;
+ }
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include fastcgi_private_files.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$no_slash_escaped_uri;
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## If accessing an image generated by imagecache, serve it directly if
+ ## available, if not relay the request to Drupal to (re)generate the
+ ## image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include sites-available/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri /index.php?q=$no_slash_escaped_uri&$args;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## https://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ access_log off;
+ expires 30d;
+ try_files $uri /index.php?q=$no_slash_escaped_uri&$args;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ location ~* /sites/default/files/advagg_css/css_[[:alnum:]]+\.css$ {
+ access_log off;
+ add_header Pragma '';
+ add_header Cache-Control 'public, max-age=946080000';
+ add_header Accept-Ranges '';
+ try_files $uri /index.php?q=$no_slash_escaped_uri&$args;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ location ~* /sites/default/files/advagg_js/js_[[:alnum:]]+\.js$ {
+ access_log off;
+ add_header Pragma '';
+ add_header Cache-Control 'public, max-age=946080000';
+ add_header Accept-Ranges '';
+ try_files $uri /index.php?q=$no_slash_escaped_uri&$args;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|js|jpe?g|gif|htc|ico|png|html|xml)$ {
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ ## Set the OS file cache.
+ open_file_cache max=3000 inactive=120s;
+ open_file_cache_valid 45s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+ flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include fastcgi_private_files.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache;
+ }
+ }
+
+ ## Replicate the Apache <FilesMatch> directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the /index.php?q=$no_slash_escaped_uri&$args if not found.
+ try_files $uri /index.php?q=$no_slash_escaped_uri&$args;
+}
+
+########### Security measures ##########
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location = /index.php {
+ ## This is marked internal
+ ## http://wiki.nginx.org/HttpCoreModule#internal as pro-active
+ ## security practice. No direct access to index.php is allowed all
+ ## accesses are made by Nginx from other locations or internal
+ ## redirect.
+ internal;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+ include sites-available/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include sites-available/microcache_fcgi_auth.conf;
+
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+ ## Proxy microcache.
+ #include sites-available/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include sites-available/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NgninxUploadProgress modules.
+ track_uploads uploads 60s;
+}
+
+## Disallow access to .git directory: return 404 as not to disclose
+## information.
+location ^~ /.git {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $uri /index.php?q=$uri;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $uri /index.php?q=$uri;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
Oops, something went wrong.

1 comment on commit 4d86a4c

With drupal_boost6_escaped.conf I always have the frontpage, no matter what is the URL :(

Please sign in to comment.