authorJon Pugh2019-01-09 17:02:29 (GMT)
committerJon Pugh2019-01-09 17:02:29 (GMT)
commit40b45d0d98bd3b9c00918c3bd81b515708da58d8 (patch)
tree88c019682bffd92ad88aaecbfb62ebe99bf5509e
parent3d97e2ecbce0c4d5583d2053137f5da811bb6266 (diff)
parent0421a14a982e17192c0896c5ef83d6c21018d75e (diff)
Merge branch '7.x-3.x' of git.drupal.org:project/provision into 7.x-3.x
-rw-r--r--http/Provision/Config/Nginx/Inc/vhost_include.tpl.php284
-rw-r--r--http/Provision/Config/Nginx/subdir.tpl.php205
2 files changed, 308 insertions, 181 deletions
diff --git a/http/Provision/Config/Nginx/Inc/vhost_include.tpl.php b/http/Provision/Config/Nginx/Inc/vhost_include.tpl.php
index 785a8e4..a45ab5d 100644
--- a/http/Provision/Config/Nginx/Inc/vhost_include.tpl.php
+++ b/http/Provision/Config/Nginx/Inc/vhost_include.tpl.php
@@ -70,11 +70,33 @@ if ($main_site_name = '') {
set $main_site_name "$server_name";
}
+###
+### Mitigation for https://www.drupal.org/SA-CORE-2018-002
+###
+set $rce "ZZ";
+if ( $query_string ~* (23value|23default_value|element_parents=%23) ) {
+ set $rce "A";
+}
+if ( $request_method = POST ) {
+ set $rce "${rce}B";
+}
+if ( $rce = "AB" ) {
+ return 403;
+}
+
<?php if ($nginx_config_mode == 'extended'): ?>
set $nocache_details "Cache";
<?php if ($satellite_mode == 'boa'): ?>
###
+### Return 404 on special PHP URLs to avoid revealing version used,
+### even indirectly. See also: https://drupal.org/node/2116387
+###
+if ( $args ~* "=PHP[A-Z0-9]{8}-" ) {
+ return 404;
+}
+
+###
### Deny crawlers.
###
if ($is_crawler) {
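Review bot: The `=PHP[A-Z0-9]{8}-` 404 rule that this commit lifts out of `@nobots` (L649-L655, which lived under the plain `extended` guard at L629) is re-added at L41-L46 inside the `$satellite_mode == 'boa'` block opened at L39, so it now runs for every request but only on BOA hosts, and non-BOA extended vhosts lose the version-hiding check entirely; unless that narrowing is intended, the block belongs before L39, directly after `set $nocache_details "Cache";`. The SA-CORE-2018-002 block at L23-L35 inspects only `$query_string`, so it is a stop-gap for unpatched sites rather than a replacement for the core fix; a comment such as `### Stop-gap only: matches the query string, keep core patched.` would make that explicit for the next maintainer. The same three `if` blocks are duplicated in subdir.tpl.php (hunk ending at L751) with a different comment style (`#` vs `###`), so one copy should be aligned with the other or both moved into a shared include.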
@@ -112,7 +134,6 @@ if ($is_denied) {
###
### Add recommended HTTP headers
###
-add_header Access-Control-Allow-Origin *;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
<?php endif; ?>
@@ -149,7 +170,7 @@ location ^~ /httprl_async_function_callback {
location ~* ^/httprl_async_function_callback {
access_log off;
set $nocache_details "Skip";
- try_files $uri @nobots;
+ try_files $uri @drupal;
}
}
@@ -160,7 +181,7 @@ location ^~ /admin/httprl-test {
location ~* ^/admin/httprl-test {
access_log off;
set $nocache_details "Skip";
- try_files $uri @nobots;
+ try_files $uri @drupal;
}
}
@@ -179,7 +200,7 @@ location ^~ /cdn/farfuture/ {
gzip_http_version 1.0;
if_modified_since exact;
set $nocache_details "Skip";
- location ~* ^/cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff|eot|less)$ {
+ location ~* ^/cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff2?|eot|less)$ {
expires max;
add_header X-Header "CDN Far Future Generator 1.0";
add_header Cache-Control "no-transform, public";
@@ -188,7 +209,7 @@ location ^~ /cdn/farfuture/ {
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
- try_files $uri @nobots;
+ try_files $uri @drupal;
}
location ~* ^/cdn/farfuture/ {
expires epoch;
@@ -198,9 +219,9 @@ location ^~ /cdn/farfuture/ {
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
- try_files $uri @nobots;
+ try_files $uri @drupal;
}
- try_files $uri @nobots;
+ try_files $uri @drupal;
}
<?php endif; ?>
@@ -211,6 +232,9 @@ location = /favicon.ico {
access_log off;
log_not_found off;
expires 30d;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files /sites/$main_site_name/files/favicon.ico $uri =204;
}
@@ -221,6 +245,9 @@ location = /favicon.ico {
location = /robots.txt {
access_log off;
log_not_found off;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>
try_files /sites/$main_site_name/files/$host.robots.txt /sites/$main_site_name/files/robots.txt $uri @cache;
<?php else: ?>
@@ -305,10 +332,10 @@ location ^~ /cron/ {
###
location ^~ /search {
location ~* ^/search {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
- try_files $uri @cache;
+ try_files $uri @drupal;
}
}
@@ -317,7 +344,7 @@ location ^~ /search {
###
location ^~ /js/ {
location ~* ^/js/ {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
rewrite ^/(.*)$ /js.php?q=$1 last;
@@ -351,7 +378,7 @@ location ^~ /hosting/c/server_master {
if ($cache_uid = '') {
return 403;
}
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -367,7 +394,7 @@ location ^~ /hosting/c/server_localhost {
if ($cache_uid = '') {
return 403;
}
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -379,7 +406,7 @@ location ^~ /hosting/c/server_localhost {
### Fix for #2005116
###
location ^~ /hosting/sites {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -391,12 +418,12 @@ location ^~ /hosting/sites {
### Fix for Aegir & .info .pl domain extensions.
###
location ^~ /hosting {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
set $nocache_details "Skip";
- try_files $uri @cache;
+ try_files $uri @drupal;
}
<?php if ($satellite_mode == 'boa'): ?>
@@ -421,7 +448,7 @@ location ^~ /admin/config/development/performance/redis {
### Support for backup_migrate module download/restore/delete actions.
###
location ^~ /admin {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -433,7 +460,7 @@ location ^~ /admin {
### Avoid caching /civicrm* and protect it from bots.
###
location ^~ /civicrm {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -458,7 +485,7 @@ location ~* ^/\w\w/civicrm {
###
location ^~ /audio/download {
location ~* ^/audio/download/.*/.*\.(?:mp3|mp4|m4a|ogg)$ {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
tcp_nopush off;
@@ -515,11 +542,11 @@ location ~* (?:cgi-bin|vti-bin) {
### Deny bots on some weak modules uri.
###
location ~* (?:validation|aggregator|vote_up_down|captcha|vbulletin|glossary/) {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
- try_files $uri @cache;
+ try_files $uri @drupal;
}
###
@@ -557,6 +584,9 @@ location ~* /sites/.*/files/styles/(.*)$ {
access_log off;
log_not_found off;
expires 30d;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>
set $nocache_details "Skip";
<?php endif; ?>
@@ -570,6 +600,9 @@ location ~* /s3/files/styles/(.*)$ {
access_log off;
log_not_found off;
expires 30d;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>
set $nocache_details "Skip";
<?php endif; ?>
@@ -583,6 +616,9 @@ location ~* /sites/.*/files/imagecache/(.*)$ {
access_log off;
log_not_found off;
expires 30d;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>
# fix common problems with old paths after import from standalone to Aegir multisite
rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$main_site_name/files/imagecache/$2/$3 last;
@@ -634,7 +670,7 @@ include <?php print $aegir_root; ?>/config/server_master/nginx/post.d/nginx_vhos
### Note: this location doesn't work with X-Accel-Redirect.
###
location ~* ^/sites/.*/files/private/ {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -651,7 +687,7 @@ location ~* ^/sites/.*/files/private/ {
location ~* ^/sites/.*/private/ {
internal;
<?php if ($nginx_config_mode == 'extended'): ?>
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
<?php endif; ?>
@@ -665,7 +701,7 @@ location ~* ^/sites/.*/private/ {
###
location ~* /files/private/ {
internal;
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -677,7 +713,10 @@ location ~* /files/private/ {
location ~* wysiwyg_fields/(?:plugins|scripts)/.*\.(?:js|css) {
access_log off;
log_not_found off;
- try_files $uri @nobots;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ try_files $uri @drupal;
}
###
@@ -698,7 +737,7 @@ location ~* files/advagg_(?:css|js)/ {
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
set $nocache_details "Skip";
- try_files $uri @nobots;
+ try_files $uri @drupal;
}
###
@@ -715,10 +754,20 @@ location ~* \.css$ {
access_log off;
tcp_nodelay off;
expires max; #if using aggregator
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files /cache/perm/$host${uri}_.css $uri =404;
}
###
+### Support for dynamic /sw.js requests. See #2982073 on drupal.org
+###
+location = /sw.js {
+ try_files $uri @drupal;
+}
+
+###
### Make js files compatible with boost caching.
###
location ~* \.(?:js|htc)$ {
@@ -732,10 +781,20 @@ location ~* \.(?:js|htc)$ {
access_log off;
tcp_nodelay off;
expires max; # if using aggregator
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files /cache/perm/$host${uri}_.js $uri =404;
}
###
+### Support for dynamic .json requests.
+###
+location ~* \.json$ {
+ try_files $uri @drupal;
+}
+
+###
### Support for static .json files with fast 404 +Boost compatibility.
###
location ~* ^/sites/.*/files/.*\.json$ {
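Review bot: Placing the new `location ~* \.json$ { try_files $uri @drupal; }` at L334 ahead of `location ~* ^/sites/.*/files/.*\.json$` at L341 changes which block handles static JSON: nginx takes the first regex location that matches in file order, and `\.json$` matches every URI the static-files location would, so as far as I can tell the static location (with its `expires max`, the three headers and the `/cache/normal/$host${uri}_.json` lookup at L349) becomes unreachable, unless an enclosing `^~` location outside this hunk changes the search. The copy removed at L352-L356 sat after the static location, which was the order that worked; keeping the dynamic `.json` location after the static one (and the `/sw.js` exact-match location can stay where it is, since `=` locations take precedence regardless of order) restores that.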
@@ -746,17 +805,13 @@ location ~* ^/sites/.*/files/.*\.json$ {
access_log off;
tcp_nodelay off;
expires max; ### if using aggregator
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files /cache/normal/$host${uri}_.json $uri =404;
}
###
-### Support for dynamic .json requests.
-###
-location ~* \.json$ {
- try_files $uri @cache;
-}
-
-###
### Helper location to bypass boost static files cache for logged in users.
###
location @uncached {
@@ -770,6 +825,48 @@ location @uncached {
###
location ^~ /files/ {
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+<?php if ($satellite_mode == 'boa'): ?>
+ ###
+ ### Sub-location to support Flash Video (FLV) files with short URIs.
+ ###
+ location ~* /files/.+\.flv$ {
+ flv;
+ tcp_nodelay off;
+ tcp_nopush off;
+ expires 30d;
+ access_log off;
+ log_not_found off;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ rewrite ^/files/(.*)$ /sites/$main_site_name/files/$1 last;
+ try_files $uri =404;
+ }
+
+ ###
+ ### Sub-location to support H.264/AAC files with short URIs.
+ ###
+ location ~* /files/.+\.(?:mp4|m4a)$ {
+ mp4;
+ mp4_buffer_size 1m;
+ mp4_max_buffer_size 5m;
+ tcp_nodelay off;
+ tcp_nopush off;
+ expires 30d;
+ access_log off;
+ log_not_found off;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ rewrite ^/files/(.*)$ /sites/$main_site_name/files/$1 last;
+ try_files $uri =404;
+ }
+<?php endif; ?>
+
###
### Sub-location to support files/styles with short URIs.
###
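Review bot: In the two new BOA sub-locations under `location ^~ /files/` (L373-L385 and L390-L404), `rewrite ^/files/(.*)$ /sites/$main_site_name/files/$1 last;` matches every URI that can reach them (the parent is the `/files/` prefix), and `last` ends processing in this location and restarts the location search, so the `flv;`/`mp4;`, `mp4_buffer_size`, `expires`, `add_header` and `try_files $uri =404;` lines above and below it never take effect as far as I can tell; the rewritten URI is then handled by the top-level `^.+\.flv$` / `^.+\.(?:mp4|m4a)$` locations (hunks at L469 and L478). Either keep only the `rewrite` here, or drop `last` so the pseudo-streaming directives apply in place, and note in the `###` comment that `flv`/`mp4` require nginx built with the respective modules, which the `boa` guard presumably guarantees.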
@@ -801,7 +898,7 @@ location ^~ /files/ {
try_files /sites/$main_site_name/files/imagecache/$1 $uri @drupal;
}
- location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa|css|js)$ {
+ location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa|css|js)$ {
expires 30d;
tcp_nodelay off;
access_log off;
@@ -820,11 +917,14 @@ location ^~ /files/ {
### Map /downloads/ shortcut early to avoid overrides in other locations.
###
location ^~ /downloads/ {
- location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ {
+ location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ {
expires 30d;
tcp_nodelay off;
access_log off;
log_not_found off;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
rewrite ^/downloads/(.*)$ /sites/$main_site_name/files/downloads/$1 last;
try_files $uri =404;
}
@@ -839,11 +939,14 @@ location ^~ /downloads/ {
### Serve & no-log static files & images directly,
### without all standard drupal rewrites, php-fpm etc.
###
-location ~* ^.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|mp3|wav|midi)$ {
+location ~* ^.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|mp3|wav|midi)$ {
expires 30d;
tcp_nodelay off;
access_log off;
log_not_found off;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
rewrite ^/images/(.*)$ /sites/$main_site_name/files/images/$1 last;
rewrite ^/.+/sites/.+/files/(.*)$ /sites/$main_site_name/files/$1 last;
try_files $uri =404;
@@ -859,6 +962,9 @@ location ~* ^.+\.(?:avi|mpe?g|mov|wmv|ogg|ogv|zip|tar|t?gz|rar|dmg|exe|apk|pxl|i
tcp_nopush off;
access_log off;
log_not_found off;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
rewrite ^/.+/sites/.+/files/(.*)$ /sites/$main_site_name/files/$1 last;
try_files $uri =404;
}
@@ -874,6 +980,9 @@ location ~* ^/sites/.+/files/.+\.(?:pdf|aspx?)$ {
tcp_nodelay off;
access_log off;
log_not_found off;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files $uri =404;
}
@@ -888,6 +997,9 @@ location ~* ^.+\.flv$ {
expires 30d;
access_log off;
log_not_found off;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files $uri =404;
}
@@ -903,6 +1015,9 @@ location ~* ^.+\.(?:mp4|m4a)$ {
expires 30d;
access_log off;
log_not_found off;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files $uri =404;
}
<?php endif; ?>
@@ -914,6 +1029,9 @@ location ~* /(?:cross-?domain)\.xml$ {
access_log off;
tcp_nodelay off;
expires 30d;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files $uri =404;
}
@@ -928,7 +1046,7 @@ location ~* /(?:modules|libraries)/(?:contrib/)?(?:ad|tinybrowser|f?ckeditor|tin
tcp_nopush off;
keepalive_requests 0;
access_log off;
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
try_files $uri =404;
@@ -945,14 +1063,14 @@ location ~* /(?:modules|libraries)/(?:contrib/)?(?:ad|tinybrowser|f?ckeditor|tin
### Deny crawlers and never cache known AJAX requests.
###
location ~* /(?:ahah|ajax|batch|autocomplete|done|progress/|x-progress-id|js/.*) {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
log_not_found off;
<?php if ($nginx_config_mode == 'extended'): ?>
set $nocache_details "Skip";
- try_files $uri @nobots;
+ try_files $uri @drupal;
<?php else: ?>
try_files $uri @drupal;
<?php endif; ?>
@@ -962,12 +1080,15 @@ location ~* /(?:ahah|ajax|batch|autocomplete|done|progress/|x-progress-id|js/.*)
### Serve & no-log static helper files used in some wysiwyg editors.
###
location ~* ^/sites/.*/(?:modules|libraries)/(?:contrib/)?(?:tinybrowser|f?ckeditor|tinymce|flowplayer|jwplayer|videomanager)/.*\.(?:html?|xml)$ {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
tcp_nodelay off;
expires 30d;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files $uri =404;
}
@@ -978,6 +1099,9 @@ location ~* ^/sites/.*/files/ {
access_log off;
tcp_nodelay off;
expires 30d;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files $uri =404;
}
@@ -1013,7 +1137,7 @@ location ~* \.xml$ {
### Deny bots on never cached uri.
###
location ~* ^/(?:.*/)?(?:admin|user|cart|checkout|logout|comment/reply) {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -1025,7 +1149,7 @@ location ~* ^/(?:.*/)?(?:admin|user|cart|checkout|logout|comment/reply) {
### Protect from DoS attempts on never cached uri.
###
location ~* ^/(?:.*/)?(?:node/[0-9]+/edit|node/add) {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -1040,7 +1164,7 @@ location ~* ^/(?:.*/)?(?:node/[0-9]+/delete|approve) {
if ($cache_uid = '') {
return 403;
}
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -1079,7 +1203,6 @@ location ~ ^/(?<esi>esi/.*)"$ {
add_header X-This-Proto "$http_x_forwarded_proto";
add_header X-Server-Name "$main_site_name";
add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
- add_header Access-Control-Allow-Origin *;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
###
@@ -1105,9 +1228,9 @@ location ~ ^/(?<esi>esi/.*)"$ {
fastcgi_cache_methods GET HEAD;
fastcgi_cache_min_uses 1;
fastcgi_cache_key "$scheme$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg";
- fastcgi_cache_valid 200 5s;
- fastcgi_cache_valid 301 1m;
- fastcgi_cache_valid 302 403 404 1s;
+ fastcgi_cache_valid 200 3s;
+ fastcgi_cache_valid 301 302 403 404 1s;
+ fastcgi_cache_valid any 1s;
fastcgi_cache_lock on;
fastcgi_ignore_headers Cache-Control Expires;
fastcgi_pass_header Set-Cookie;
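Review bot: `fastcgi_cache_valid any 1s;` at L592 extends the micro-cache to every upstream status, including 5xx and 401, and because `fastcgi_ignore_headers Cache-Control Expires;` on L594 is kept, Drupal can no longer opt an individual response out of caching; the 1s window bounds the exposure, but the intent should be recorded, e.g. `### Micro-cache all statuses (incl. errors) for 1s to absorb bursts; Cache-Control from upstream is ignored.`. The same change is made in the `location = /index.php` cache block (hunk ending at L699) and the comment belongs there too.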
@@ -1195,63 +1318,32 @@ location @cache {
### Send all not cached requests to drupal with clean URLs support.
###
location @drupal {
-<?php if ($nginx_config_mode == 'extended'): ?>
- error_page 418 = @nobots;
- if ($args) {
- return 418;
- }
-<?php endif; ?>
+ set $core_detected "Legacy";
###
### For Drupal >= 7
###
- if ($sent_http_x_generator) {
- add_header X-Info-Gen "Modern";
- rewrite ^ /index.php?$query_string last;
+ if ( -e $document_root/web.config ) {
+ set $core_detected "Regular";
+ }
+ if ( -e $document_root/core ) {
+ set $core_detected "Modern";
+ }
+ error_page 418 = @modern;
+ if ( $core_detected ~ (?:Regular|Modern) ) {
+ return 418;
}
###
- ### For Drupal <= 6
+ ### For Drupal 6
###
rewrite ^/(.*)$ /index.php?q=$1 last;
}
<?php if ($nginx_config_mode == 'extended'): ?>
###
-### Special location for bots custom restrictions; can be overridden.
+### Special location for Drupal 7+.
###
-location @nobots {
- ###
- ### Support for Accelerated Mobile Pages (AMP) when bots are redirected below
- ###
- # if ( $query_string ~ "^amp$" ) {
- # rewrite ^/(.*)$ /index.php?q=$1 last;
- # }
-
- ###
- ### Send all known bots to $args free URLs (optional)
- ###
- # if ($is_bot) {
- # return 301 $scheme://$host$request_uri;
- # }
-
- ###
- ### Return 404 on special PHP URLs to avoid revealing version used,
- ### even indirectly. See also: https://drupal.org/node/2116387
- ###
- if ( $args ~* "=PHP[A-Z0-9]{8}-" ) {
- return 404;
- }
-
- ###
- ### For Drupal >= 7
- ###
- if ($sent_http_x_generator) {
- add_header X-Info-Gen "Modern";
- rewrite ^ /index.php?$query_string last;
- }
- ###
- ### For Drupal <= 6
- ###
- rewrite ^/(.*)$ /index.php?q=$1 last;
+location @modern {
+ try_files $uri /index.php?$query_string;
}
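Review bot: `try_files $uri /index.php?$query_string;` in the new `@modern` location at L669 serves any file that exists under `$document_root` and that no earlier location claimed, whereas the `rewrite ^ /index.php?$query_string last;` it replaces (L612, L662) always went to the front controller; confirm that the deny rules for dotfiles, `.php`/`.inc` and similar (outside this hunk) still win first, or keep the old `rewrite` form in `@modern` if direct static serving is not the goal. The two `if ( -e $document_root/... )` tests at L613 and L616 cost a stat per request that reaches `@drupal`; a short comment that this is the intended D7/D8+ detection (and that `web.config` marks Drupal 7) would help, since `$core_detected` is later surfaced as a response header at L676. `@drupal` begins inside the hunk but the `<?php if ... ?>` block around `@modern` continues past it.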
###
@@ -1265,13 +1357,13 @@ location = /index.php {
add_header X-GeoIP-Country-Name "$geoip_country_name";
<?php endif; ?>
<?php if ($nginx_config_mode == 'extended'): ?>
+ add_header X-Core-Variant "$core_detected";
add_header X-Speed-Cache "$upstream_cache_status";
add_header X-Speed-Cache-UID "$cache_uid";
add_header X-Speed-Cache-Key "$key_uri";
add_header X-NoCache "$nocache_details";
add_header X-This-Proto "$http_x_forwarded_proto";
add_header X-Server-Name "$main_site_name";
- add_header Access-Control-Allow-Origin *;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
<?php endif; ?>
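Review bot: `add_header X-Core-Variant "$core_detected";` at L676 tells every client which Drupal generation the site runs, which works against the version-hiding intent of the `=PHP[A-Z0-9]{8}-` 404 rule added at L41-L46; consider dropping it or emitting it only behind an explicit debug setting rather than for every `extended` vhost, and document the choice next to the directive. Removing `Access-Control-Allow-Origin *` here (L683) is consistent with the server-level removal at L56, since `add_header` inside `location = /index.php` replaces rather than extends the inherited set.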
@@ -1300,9 +1392,9 @@ location = /index.php {
fastcgi_cache_methods GET HEAD; ### Nginx default, but added for clarity
fastcgi_cache_min_uses 1;
fastcgi_cache_key "$scheme$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg";
- fastcgi_cache_valid 200 10s;
- fastcgi_cache_valid 301 1m;
- fastcgi_cache_valid 302 403 404 1s;
+ fastcgi_cache_valid 200 3s;
+ fastcgi_cache_valid 301 302 403 404 1s;
+ fastcgi_cache_valid any 1s;
fastcgi_cache_lock on;
fastcgi_ignore_headers Cache-Control Expires;
fastcgi_pass_header Set-Cookie;
@@ -1324,7 +1416,7 @@ location ~* ^/(?:index|cron|boost_stats|update|authorize|xmlrpc)\.php$ {
<?php endif; ?>
<?php if ($satellite_mode == 'boa'): ?>
limit_conn limreq 88;
- if ($is_bot) {
+ if ( $is_bot ) {
return 404;
}
<?php endif; ?>
diff --git a/http/Provision/Config/Nginx/subdir.tpl.php b/http/Provision/Config/Nginx/subdir.tpl.php
index b4d4e01..1b1bd8b 100644
--- a/http/Provision/Config/Nginx/subdir.tpl.php
+++ b/http/Provision/Config/Nginx/subdir.tpl.php
@@ -75,7 +75,13 @@ $subdir_dot = str_replace('/', '.', $subdir);
// use this simple fallback to guarantee that empty db_port does not
// break Nginx reload which results with downtime for the affected vhosts.
if (!$db_port) {
- $db_port = $this->server->db_port ? $this->server->db_port : '3306';
+ $ctrlf = '/data/conf/' . $script_user . '_use_proxysql.txt';
+ if (provision_file()->exists($ctrlf)->status()) {
+ $db_port = '6033';
+ }
+ else {
+ $db_port = $this->server->db_port ? $this->server->db_port : '3306';
+ }
}
?>
#######################################################
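Review bot: `$ctrlf = '/data/conf/' . $script_user . '_use_proxysql.txt';` at L718 hard-codes a host-specific control path and the ProxySQL listener port `'6033'` into a template rendered for every vhost, with no explanation of either; a comment such as `// Presence of /data/conf/<user>_use_proxysql.txt switches this vhost to the local ProxySQL listener (6033).` would make the switch discoverable. If `$satellite_mode` is available in this template as it is in vhost_include.tpl.php, the `provision_file()->exists($ctrlf)` probe could be wrapped in `if ($satellite_mode == 'boa')` so non-BOA hosts never test that path, and `'6033'` deserves a named constant or template variable alongside the `'3306'` fallback.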
@@ -97,11 +103,24 @@ if ($subdir_main_site_name = '') {
set $subdir_main_site_name "$server_name";
}
+# Mitigation for https://www.drupal.org/SA-CORE-2018-002
+set $rce "ZZ";
+if ( $query_string ~* (23value|23default_value|element_parents=%23) ) {
+ set $rce "A";
+}
+
+if ( $request_method = POST ) {
+ set $rce "${rce}B";
+}
+
+if ( $rce = "AB" ) {
+ return 403;
+}
+
<?php if ($nginx_config_mode == 'extended'): ?>
###
### Add recommended HTTP headers
###
-add_header Access-Control-Allow-Origin *;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
@@ -110,6 +129,10 @@ add_header X-XSS-Protection "1; mode=block";
###
location ^~ /<?php print $subdir; ?>/sites/default/files {
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
root <?php print "{$this->root}"; ?>;
location ~* ^/<?php print $subdir; ?>/sites/default/files/imagecache {
@@ -118,7 +141,7 @@ location ^~ /<?php print $subdir; ?>/sites/default/files {
expires 30d;
set $nocache_details "Skip";
rewrite ^/<?php print $subdir; ?>/sites/default/files/imagecache/(.*)$ /<?php print $subdir; ?>/sites/$subdir_main_site_name/files/imagecache/$1 last;
- try_files $uri @drupal_<?php print $subdir_loc; ?>;
+ try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;
}
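Review bot: `try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;` at L766 relies on a capture nothing in this location sets: the enclosing `location ~* ^/<subdir>/sites/default/files/imagecache` has no capturing group, and the `rewrite` on L764 exits with `last` whenever it matches, so by the time `try_files` runs `$1` is, as far as I can tell, empty and the first candidate tested is `/` — the document root directory — which matches and is served in place instead of falling through to `@drupal_…`. The same `/$1` is added at L775, L821, L930 and L933 (prefix locations with no regex capture) and at L896 and L904, whose location lines fall outside their hunks; where the location regex does capture, as at L799/L809 and L817/L818, it is correct, so the others should either revert to `try_files $uri …` or have their location regex given a `(...)` group.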
location ~* ^/<?php print $subdir; ?>/sites/default/files/styles {
access_log off;
@@ -126,7 +149,7 @@ location ^~ /<?php print $subdir; ?>/sites/default/files {
expires 30d;
set $nocache_details "Skip";
rewrite ^/<?php print $subdir; ?>/sites/default/files/styles/(.*)$ /<?php print $subdir; ?>/sites/$subdir_main_site_name/files/styles/$1 last;
- try_files $uri @drupal_<?php print $subdir_loc; ?>;
+ try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;
}
location ~* ^/<?php print $subdir; ?>/sites/default/files {
access_log off;
@@ -205,7 +228,7 @@ location ^~ /<?php print $subdir; ?> {
location ~* ^/<?php print $subdir; ?>/httprl_async_function_callback {
access_log off;
set $nocache_details "Skip";
- try_files /httprl_async_function_callback $uri @nobots_<?php print $subdir_loc; ?>;
+ try_files /httprl_async_function_callback $uri @drupal_<?php print $subdir_loc; ?>;
}
}
@@ -216,7 +239,7 @@ location ^~ /<?php print $subdir; ?> {
location ~* ^/<?php print $subdir; ?>/admin/httprl-test {
access_log off;
set $nocache_details "Skip";
- try_files /admin/httprl-test $uri @nobots_<?php print $subdir_loc; ?>;
+ try_files /admin/httprl-test $uri @drupal_<?php print $subdir_loc; ?>;
}
}
@@ -231,7 +254,7 @@ location ^~ /<?php print $subdir; ?> {
gzip_http_version 1.0;
if_modified_since exact;
set $nocache_details "Skip";
- location ~* ^/<?php print $subdir; ?>/(cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff|eot|less))$ {
+ location ~* ^/<?php print $subdir; ?>/(cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff2?|eot|less))$ {
expires max;
add_header X-Header "CDN Far Future Generator 1.0";
add_header Cache-Control "no-transform, public";
@@ -240,7 +263,7 @@ location ^~ /<?php print $subdir; ?> {
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
rewrite ^/<?php print $subdir; ?>/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
- try_files /$1 $uri @nobots_<?php print $subdir_loc; ?>;
+ try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;
}
location ~* ^/<?php print $subdir; ?>/(cdn/farfuture/) {
expires epoch;
@@ -250,9 +273,9 @@ location ^~ /<?php print $subdir; ?> {
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
rewrite ^/<?php print $subdir; ?>/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
- try_files /$1 $uri @nobots_<?php print $subdir_loc; ?>;
+ try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;
}
- try_files $uri @nobots_<?php print $subdir_loc; ?>;
+ try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;
}
<?php endif; ?>
@@ -263,6 +286,9 @@ location ^~ /<?php print $subdir; ?> {
access_log off;
log_not_found off;
expires 30d;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files /sites/$subdir_main_site_name/files/favicon.ico /sites/$host/files/favicon.ico /favicon.ico $uri =204;
}
@@ -273,6 +299,9 @@ location ^~ /<?php print $subdir; ?> {
location = /<?php print $subdir; ?>/robots.txt {
access_log off;
log_not_found off;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>
try_files /sites/$subdir_main_site_name/files/$host.robots.txt /sites/$subdir_main_site_name/files/robots.txt /sites/$host/files/robots.txt /robots.txt $uri @cache_<?php print $subdir_loc; ?>;
<?php else: ?>
@@ -345,10 +374,10 @@ location ^~ /<?php print $subdir; ?> {
###
location ^~ /<?php print $subdir; ?>/search {
location ~* ^/<?php print $subdir; ?>/search {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
- try_files /search $uri @cache_<?php print $subdir_loc; ?>;
+ try_files /search $uri @drupal_<?php print $subdir_loc; ?>;
}
}
@@ -357,7 +386,7 @@ location ^~ /<?php print $subdir; ?> {
###
location ^~ /<?php print $subdir; ?>/js/ {
location ~* ^/<?php print $subdir; ?>/js/ {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
rewrite ^/<?php print $subdir; ?>/(.*)$ /js.php?q=$1 last;
@@ -403,7 +432,7 @@ location ^~ /<?php print $subdir; ?> {
### Support for backup_migrate module download/restore/delete actions.
###
location ^~ /<?php print $subdir; ?>/admin {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -415,7 +444,7 @@ location ^~ /<?php print $subdir; ?> {
### Avoid caching /civicrm* and protect it from bots.
###
location ^~ /<?php print $subdir; ?>/civicrm {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
set $nocache_details "Skip";
@@ -427,7 +456,7 @@ location ^~ /<?php print $subdir; ?> {
###
location ^~ /<?php print $subdir; ?>/audio/download {
location ~* ^/<?php print $subdir; ?>/(audio/download/.*/.*\.(?:mp3|mp4|m4a|ogg))$ {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
tcp_nopush off;
@@ -483,7 +512,7 @@ location ^~ /<?php print $subdir; ?> {
rewrite ^/<?php print $subdir; ?>/(.*)\.r(\.(?:jpe?g|png|gif))$ /<?php print $subdir; ?>/$1$2 last;
access_log off;
set $nocache_details "Skip";
- try_files $uri @drupal_<?php print $subdir_loc; ?>;
+ try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;
}
###
@@ -496,7 +525,7 @@ location ^~ /<?php print $subdir; ?> {
}
access_log off;
set $nocache_details "Skip";
- try_files $uri @drupal_<?php print $subdir_loc; ?>;
+ try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;
}
<?php endif; ?>
@@ -505,6 +534,10 @@ location ^~ /<?php print $subdir; ?> {
###
location ^~ /<?php print $subdir; ?>/files/ {
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
###
### Sub-location to support files/styles with short URIs.
###
@@ -536,7 +569,7 @@ location ^~ /<?php print $subdir; ?> {
try_files /<?php print $subdir; ?>/sites/$subdir_main_site_name/files/imagecache/$1 $uri @drupal_<?php print $subdir_loc; ?>;
}
- location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa|css|js)$ {
+ location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa|css|js)$ {
expires 30d;
tcp_nodelay off;
access_log off;
@@ -545,9 +578,9 @@ location ^~ /<?php print $subdir; ?> {
try_files $uri =404;
}
<?php if ($nginx_config_mode == 'extended'): ?>
- try_files $uri @cache_<?php print $subdir_loc; ?>;
+ try_files /$1 $uri @cache_<?php print $subdir_loc; ?>;
<?php else: ?>
- try_files $uri @drupal_<?php print $subdir_loc; ?>;
+ try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;
<?php endif; ?>
}
@@ -559,6 +592,9 @@ location ^~ /<?php print $subdir; ?> {
access_log off;
log_not_found off;
expires 30d;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>
set $nocache_details "Skip";
<?php endif; ?>
@@ -572,6 +608,9 @@ location ^~ /<?php print $subdir; ?> {
access_log off;
log_not_found off;
expires 30d;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
<?php if ($nginx_config_mode == 'extended'): ?>
set $nocache_details "Skip";
<?php endif; ?>
@@ -600,7 +639,7 @@ location ^~ /<?php print $subdir; ?> {
### Note: this location doesn't work with X-Accel-Redirect.
###
location ~* ^/<?php print $subdir; ?>/(sites/.*/files/private/.*) {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -617,7 +656,7 @@ location ^~ /<?php print $subdir; ?> {
###
location ~* ^/<?php print $subdir; ?>/sites/.*/private/ {
<?php if ($nginx_config_mode == 'extended'): ?>
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
<?php endif; ?>
@@ -631,7 +670,7 @@ location ^~ /<?php print $subdir; ?> {
### Note: this location works with X-Accel-Redirect.
###
location ~* /<?php print $subdir; ?>/files/private/ {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -644,7 +683,10 @@ location ^~ /<?php print $subdir; ?> {
location ~* ^/<?php print $subdir; ?>/(.*/wysiwyg_fields/(?:plugins|scripts)/.*\.(?:js|css)) {
access_log off;
log_not_found off;
- try_files /$1 $uri @nobots_<?php print $subdir_loc; ?>;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;
}
###
@@ -664,7 +706,7 @@ location ^~ /<?php print $subdir; ?> {
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
set $nocache_details "Skip";
- try_files /$1 $uri @nobots_<?php print $subdir_loc; ?>;
+ try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;
}
###
@@ -674,6 +716,9 @@ location ^~ /<?php print $subdir; ?> {
access_log off;
tcp_nodelay off;
expires max; #if using aggregator
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files /cache/perm/$host${uri}_.css /$1 $uri =404;
}
@@ -684,6 +729,9 @@ location ^~ /<?php print $subdir; ?> {
access_log off;
tcp_nodelay off;
expires max; # if using aggregator
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files /cache/perm/$host${uri}_.js /$1 $uri =404;
}
@@ -694,6 +742,9 @@ location ^~ /<?php print $subdir; ?> {
access_log off;
tcp_nodelay off;
expires max; ### if using aggregator
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files /cache/normal/$host${uri}_.json /$1 $uri =404;
}
@@ -701,7 +752,7 @@ location ^~ /<?php print $subdir; ?> {
### Support for dynamic .json requests.
###
location ~* (.*\.json)$ {
- try_files /$1 $uri @cache_<?php print $subdir_loc; ?>;
+ try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;
}
<?php endif; ?>
@@ -709,11 +760,14 @@ location ^~ /<?php print $subdir; ?> {
### Serve & no-log static files & images directly,
### without all standard drupal rewrites, php-fpm etc.
###
- location ~* ^/<?php print $subdir; ?>/(.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|aspx?|class|otf|ttf|woff|eot|less))$ {
+ location ~* ^/<?php print $subdir; ?>/(.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|aspx?|class|otf|ttf|woff2?|eot|less))$ {
expires 30d;
tcp_nodelay off;
access_log off;
log_not_found off;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files /$1 $uri =404;
}
@@ -727,6 +781,9 @@ location ^~ /<?php print $subdir; ?> {
tcp_nopush off;
access_log off;
log_not_found off;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files /$1 $uri =404;
}
@@ -737,6 +794,9 @@ location ^~ /<?php print $subdir; ?> {
access_log off;
tcp_nodelay off;
expires 30d;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files /$1 $uri =404;
}
@@ -776,7 +836,7 @@ location ^~ /<?php print $subdir; ?> {
tcp_nopush off;
keepalive_requests 0;
access_log off;
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
try_files /$1 $uri =404;
@@ -793,14 +853,14 @@ location ^~ /<?php print $subdir; ?> {
### Deny crawlers and never cache known AJAX requests.
###
location ~* ^/<?php print $subdir; ?>/(.*(?:ahah|ajax|batch|autocomplete|done|progress/|x-progress-id|js/.*).*)$ {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
log_not_found off;
<?php if ($nginx_config_mode == 'extended'): ?>
set $nocache_details "Skip";
- try_files /$1 $uri @nobots_<?php print $subdir_loc; ?>;
+ try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;
<?php else: ?>
try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;
<?php endif; ?>
@@ -810,12 +870,15 @@ location ^~ /<?php print $subdir; ?> {
### Serve & no-log static helper files used in some wysiwyg editors.
###
location ~* ^/<?php print $subdir; ?>/(sites/.*/(?:modules|libraries)/(?:contrib/)?(?:tinybrowser|f?ckeditor|tinymce|flowplayer|jwplayer|videomanager)/.*\.(?:html?|xml))$ {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
tcp_nodelay off;
expires 30d;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files /$1 $uri =404;
}
@@ -828,6 +891,9 @@ location ^~ /<?php print $subdir; ?> {
access_log off;
tcp_nodelay off;
expires 30d;
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
try_files /$1 $uri =404;
}
@@ -859,7 +925,7 @@ location ^~ /<?php print $subdir; ?> {
### Deny bots on never cached uri.
###
location ~* ^/<?php print $subdir; ?>/((?:.*/)?(?:admin|user|cart|checkout|logout|comment/reply)) {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -871,7 +937,7 @@ location ^~ /<?php print $subdir; ?> {
### Protect from DoS attempts on never cached uri.
###
location ~* ^/<?php print $subdir; ?>/((?:.*/)?(?:node/[0-9]+/edit|node/add)) {
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -886,7 +952,7 @@ location ^~ /<?php print $subdir; ?> {
if ($cache_uid = '') {
return 403;
}
- if ($is_bot) {
+ if ( $is_bot ) {
return 403;
}
access_log off;
@@ -929,9 +995,9 @@ location ^~ /<?php print $subdir; ?> {
return 403;
}
<?php endif; ?>
- try_files $uri @cache_<?php print $subdir_loc; ?>;
+ try_files /$1 $uri @cache_<?php print $subdir_loc; ?>;
<?php else: ?>
- try_files $uri @drupal_<?php print $subdir_loc; ?>;
+ try_files /$1 $uri @drupal_<?php print $subdir_loc; ?>;
<?php endif; ?>
}
@@ -945,7 +1011,7 @@ location ^~ /<?php print $subdir; ?> {
<?php endif; ?>
<?php if ($satellite_mode == 'boa'): ?>
limit_conn limreq 88;
- if ($is_bot) {
+ if ( $is_bot ) {
return 404;
}
<?php endif; ?>
@@ -1025,7 +1091,6 @@ location ^~ /<?php print $subdir; ?> {
add_header X-This-Proto "$http_x_forwarded_proto";
add_header X-Server-Sub-Name "$subdir_main_site_name";
add_header X-Response-Status "$status";
- add_header Access-Control-Allow-Origin *;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
<?php endif; ?>
@@ -1084,6 +1149,7 @@ location ^~ /<?php print $subdir; ?> {
fastcgi_cache_valid 200 10s;
fastcgi_cache_valid 301 1m;
fastcgi_cache_valid 302 403 404 1s;
+ fastcgi_cache_valid any 3s;
fastcgi_cache_lock on;
fastcgi_ignore_headers Cache-Control Expires;
fastcgi_pass_header Set-Cookie;
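Review bot: `fastcgi_cache_valid any 3s;` makes every status not listed above cacheable, including 500/502/503/504 and 401, and because `fastcgi_ignore_headers Cache-Control Expires` two lines below discards the upstream's cache directives, the application has no way to opt such a response out. Briefly caching upstream errors is a defensible load-shedding choice, but serving a transient 5xx or an auth challenge to every client that shares the cache key for 3 s should be a conscious decision; if only error shedding is meant, `fastcgi_cache_valid 500 502 503 504 3s;` is narrower. At minimum a comment `### 'any' also caches 5xx and 401; upstream Cache-Control is ignored below` documents the trade-off.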
@@ -1148,65 +1214,34 @@ location @cache_<?php print $subdir_loc; ?> {
### Send all not cached requests to drupal with clean URLs support.
###
location @drupal_<?php print $subdir_loc; ?> {
-<?php if ($nginx_config_mode == 'extended'): ?>
- error_page 418 = @nobots_<?php print $subdir_loc; ?>;
- if ($args) {
- return 418;
- }
-<?php endif; ?>
+ set $core_detected "Legacy";
###
### For Drupal >= 7
###
- if ($sent_http_x_generator) {
- add_header X-Info-Gen "Modern";
- rewrite ^ /<?php print $subdir; ?>/index.php?$query_string last;
+ if ( -e $document_root/web.config ) {
+ set $core_detected "Regular";
+ }
+ if ( -e $document_root/core ) {
+ set $core_detected "Modern";
+ }
+ error_page 418 = @modern_<?php print $subdir_loc; ?>;
+ if ( $core_detected ~ (?:NotForD7|Modern) ) {
+ return 418;
}
###
- ### For Drupal <= 6
+ ### For Drupal 6
###
rewrite ^/<?php print $subdir; ?>/(.*)$ /<?php print $subdir; ?>/index.php?q=$1 last;
}
-<?php if ($nginx_config_mode == 'extended'): ?>
###
-### Special location for bots custom restrictions; can be overridden.
+### Special location for Drupal 7+.
###
-location @nobots_<?php print $subdir_loc; ?> {
- ###
- ### Support for Accelerated Mobile Pages (AMP) when bots are redirected below
- ###
- # if ( $query_string ~ "^amp$" ) {
- # rewrite ^/<?php print $subdir; ?>/(.*)$ /<?php print $subdir; ?>/index.php?q=$1 last;
- # }
-
- ###
- ### Send all known bots to $args free URLs (optional)
- ###
- # if ($is_bot) {
- # return 301 $scheme://$host$request_uri;
- # }
-
- ###
- ### Return 404 on special PHP URLs to avoid revealing version used,
- ### even indirectly. See also: https://drupal.org/node/2116387
- ###
- if ( $args ~* "=PHP[A-Z0-9]{8}-" ) {
- return 404;
- }
-
- ###
- ### For Drupal >= 7
- ###
- if ($sent_http_x_generator) {
- add_header X-Info-Gen "Modern";
- rewrite ^ /<?php print $subdir; ?>/index.php?$query_string last;
- }
- ###
- ### For Drupal <= 6
- ###
- rewrite ^/<?php print $subdir; ?>/(.*)$ /<?php print $subdir; ?>/index.php?q=$1 last;
+location @modern_<?php print $subdir_loc; ?> {
+ try_files $uri /<?php print $subdir; ?>/index.php?$query_string;
}
+<?php if ($nginx_config_mode == 'extended'): ?>
###
### Internal location for /authorize.php and /update.php restricted access.
###
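Review bot: The core-detection tests `if ( -e $document_root/web.config )` and `if ( -e $document_root/core )` inspect the document root of the parent site, while every rewrite in this hunk targets `/<subdir>/index.php`; unless the enclosing configuration sets `root`/`alias` so that `$document_root` already points into the subdirectory, a Drupal 8 subsite under a Drupal 7 parent is classified "Regular" and routed through the `?q=$1` rewrite, and the reverse case sends a D7 subsite through `@modern_`, so the checks should probably read `-e $document_root/<?php print $subdir; ?>/core` (and likewise for web.config). The removed `@nobots_` block carried the `=PHP[A-Z0-9]{8}-` 404 check (old lines 1241–1243), and neither `@drupal_` nor the new `@modern_` location re-applies it, so unless that rule was re-added elsewhere in this template, requests reaching these named locations lose the PHP-version-probe mitigation in extended mode. The `NotForD7` alternative in `$core_detected ~ (?:NotForD7|Modern)` is never assigned in this hunk; if it is a deliberate manual toggle, a comment saying so would help, otherwise it is dead. Each `-e` test is also a filesystem stat on every request that falls through to this location, which is worth noting in a comment since the result is constant per site.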