diff --git a/http/Provision/Config/Nginx/Inc/vhost_include.tpl.php b/http/Provision/Config/Nginx/Inc/vhost_include.tpl.php
index 785a8e437511101240ae73cf7a360a47ff5a6971..a45ab5dfbac9aab6bfb038c52fe9f77037c803ff 100644
--- a/http/Provision/Config/Nginx/Inc/vhost_include.tpl.php
+++ b/http/Provision/Config/Nginx/Inc/vhost_include.tpl.php
@@ -70,10 +70,32 @@ if ($main_site_name = '') {
 set $main_site_name "$server_name";
 }
+###
+### Mitigation for https://www.drupal.org/SA-CORE-2018-002
+###
+set $rce "ZZ";
+if ( $query_string ~* (23value|23default_value|element_parents=%23) ) {
+ set $rce "A";
+}
+if ( $request_method = POST ) {
+ set $rce "${rce}B";
+}
+if ( $rce = "AB" ) {
+ return 403;
+}
+
 set $nocache_details "Cache";
+###
+### Return 404 on special PHP URLs to avoid revealing version used,
+### even indirectly. See also: https://drupal.org/node/2116387
+###
+if ( $args ~* "=PHP[A-Z0-9]{8}-" ) {
+ return 404;
+}
+
 ###
 ### Deny crawlers.
 ###
@@ -112,7 +134,6 @@ if ($is_denied) {
 ###
 ### Add recommended HTTP headers
 ###
-add_header Access-Control-Allow-Origin *;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
@@ -149,7 +170,7 @@ location ^~ /httprl_async_function_callback {
 location ~* ^/httprl_async_function_callback {
 access_log off;
 set $nocache_details "Skip";
- try_files $uri @nobots;
+ try_files $uri @drupal;
 }
 }
@@ -160,7 +181,7 @@ location ^~ /admin/httprl-test {
 location ~* ^/admin/httprl-test {
 access_log off;
 set $nocache_details "Skip";
- try_files $uri @nobots;
+ try_files $uri @drupal;
 }
 }
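Review bot: The SA-CORE-2018-002 guard inspects only `$query_string`, so it stops the published `?element_parents=…%23value` AJAX vector but not the clean-URL form of the same token in the path (`/file/ajax/name/%23value/…`) nor keys carried in the POST body, which nginx never sees here; checking `$request_uri`, which still holds the raw percent-encoded path and arguments, closes the path case: `if ( $request_uri ~* (?:23value|23default_value|element_parents=%23) ) {`. The body case cannot be closed in nginx, so the header comment should say so, e.g. `### Signature-only stopgap: matches query string/path, not POST bodies. Patch Drupal core.` The group is also capturing and runs in the server rewrite phase, so after a matching GET `$1` is left holding the matched token for any later location that interpolates `$1` without a capture of its own; the `(?:…)` form above avoids that.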
@@ -179,7 +200,7 @@ location ^~ /cdn/farfuture/ { gzip_http_version 1.0; if_modified_since exact; set $nocache_details "Skip"; - location ~* ^/cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff|eot|less)$ { + location ~* ^/cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff2?|eot|less)$ { expires max; add_header X-Header "CDN Far Future Generator 1.0"; add_header Cache-Control "no-transform, public"; @@ -188,7 +209,7 @@ location ^~ /cdn/farfuture/ { add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break; - try_files $uri @nobots; + try_files $uri @drupal; } location ~* ^/cdn/farfuture/ { expires epoch; @@ -198,9 +219,9 @@ location ^~ /cdn/farfuture/ { add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break; - try_files $uri @nobots; + try_files $uri @drupal; } - try_files $uri @nobots; + try_files $uri @drupal; } @@ -211,6 +232,9 @@ location = /favicon.ico { access_log off; log_not_found off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /sites/$main_site_name/files/favicon.ico $uri =204; } @@ -221,6 +245,9 @@ location = /favicon.ico { location = /robots.txt { access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /sites/$main_site_name/files/$host.robots.txt /sites/$main_site_name/files/robots.txt $uri @cache; @@ -305,10 +332,10 @@ location ^~ /cron/ { ### location ^~ /search { location ~* ^/search { - if ($is_bot) { + if ( $is_bot ) { return 403; } - try_files $uri @cache; + try_files $uri @drupal; } } 
@@ -317,7 +344,7 @@ location ^~ /search { ### location ^~ /js/ { location ~* ^/js/ { - if ($is_bot) { + if ( $is_bot ) { return 403; } rewrite ^/(.*)$ /js.php?q=$1 last; @@ -351,7 +378,7 @@ location ^~ /hosting/c/server_master { if ($cache_uid = '') { return 403; } - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -367,7 +394,7 @@ location ^~ /hosting/c/server_localhost { if ($cache_uid = '') { return 403; } - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -379,7 +406,7 @@ location ^~ /hosting/c/server_localhost { ### Fix for #2005116 ### location ^~ /hosting/sites { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -391,12 +418,12 @@ location ^~ /hosting/sites { ### Fix for Aegir & .info .pl domain extensions. ### location ^~ /hosting { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; set $nocache_details "Skip"; - try_files $uri @cache; + try_files $uri @drupal; } @@ -421,7 +448,7 @@ location ^~ /admin/config/development/performance/redis { ### Support for backup_migrate module download/restore/delete actions. ### location ^~ /admin { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -433,7 +460,7 @@ location ^~ /admin { ### Avoid caching /civicrm* and protect it from bots. ### location ^~ /civicrm { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -458,7 +485,7 @@ location ~* ^/\w\w/civicrm { ### location ^~ /audio/download { location ~* ^/audio/download/.*/.*\.(?:mp3|mp4|m4a|ogg)$ { - if ($is_bot) { + if ( $is_bot ) { return 403; } tcp_nopush off; @@ -515,11 +542,11 @@ location ~* (?:cgi-bin|vti-bin) { ### Deny bots on some weak modules uri. ### location ~* (?:validation|aggregator|vote_up_down|captcha|vbulletin|glossary/) { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; - try_files $uri @cache; + try_files $uri @drupal; } ### 
@@ -557,6 +584,9 @@ location ~* /sites/.*/files/styles/(.*)$ { access_log off; log_not_found off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; set $nocache_details "Skip"; @@ -570,6 +600,9 @@ location ~* /s3/files/styles/(.*)$ { access_log off; log_not_found off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; set $nocache_details "Skip"; @@ -583,6 +616,9 @@ location ~* /sites/.*/files/imagecache/(.*)$ { access_log off; log_not_found off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; # fix common problems with old paths after import from standalone to Aegir multisite rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$main_site_name/files/imagecache/$2/$3 last; @@ -634,7 +670,7 @@ include /config/server_master/nginx/post.d/nginx_vhos ### Note: this location doesn't work with X-Accel-Redirect. ### location ~* ^/sites/.*/files/private/ { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -651,7 +687,7 @@ location ~* ^/sites/.*/files/private/ { location ~* ^/sites/.*/private/ { internal; - if ($is_bot) { + if ( $is_bot ) { return 403; } @@ -665,7 +701,7 @@ location ~* ^/sites/.*/private/ { ### location ~* /files/private/ { internal; - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -677,7 +713,10 @@ location ~* /files/private/ { location ~* wysiwyg_fields/(?:plugins|scripts)/.*\.(?:js|css) { access_log off; log_not_found off; - try_files $uri @nobots; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + try_files $uri @drupal; } ### 
@@ -698,7 +737,7 @@ location ~* files/advagg_(?:css|js)/ {
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 set $nocache_details "Skip";
- try_files $uri @nobots;
+ try_files $uri @drupal;
 }
 ###
@@ -715,9 +754,19 @@ location ~* \.css$ {
 access_log off;
 tcp_nodelay off;
 expires max; #if using aggregator
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
 try_files /cache/perm/$host${uri}_.css $uri =404;
 }
+###
+### Support for dynamic /sw.js requests. See #2982073 on drupal.org
+###
+location = /sw.js {
+ try_files $uri @drupal;
+}
+
 ###
 ### Make js files compatible with boost caching.
 ###
@@ -732,9 +781,19 @@ location ~* \.(?:js|htc)$ {
 access_log off;
 tcp_nodelay off;
 expires max; # if using aggregator
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
 try_files /cache/perm/$host${uri}_.js $uri =404;
 }
+###
+### Support for dynamic .json requests.
+###
+location ~* \.json$ {
+ try_files $uri @drupal;
+}
+
 ###
 ### Support for static .json files with fast 404 +Boost compatibility.
 ###
@@ -746,16 +805,12 @@ location ~* ^/sites/.*/files/.*\.json$ {
 access_log off;
 tcp_nodelay off;
 expires max; ### if using aggregator
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
 try_files /cache/normal/$host${uri}_.json $uri =404;
 }
-###
-### Support for dynamic .json requests.
-###
-location ~* \.json$ {
- try_files $uri @cache;
-}
-
 ###
 ### Helper location to bypass boost static files cache for logged in users.
 ###
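Review bot: Moving `location ~* \.json$` above `location ~* ^/sites/.*/files/.*\.json$` makes the second one unreachable, because nginx takes the first regex location that matches in file order; `.json` files under `sites/*/files` therefore lose `expires max`, `access_log off` and the `/cache/normal/...` boost probe and go through `try_files $uri @drupal` instead. Keep the general `\.json$` location after the specific one, where it sat before this change, or drop the specific one deliberately. Separately, `try_files $uri @drupal` serves any existing `.json` under the docroot (`composer.json`, `package.json`, `core/composer.json`), so a deny rule for those names must precede this location; none is visible in this diff, so please confirm one exists.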
@@ -770,6 +825,48 @@ location @uncached { ### location ^~ /files/ { + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + + + ### + ### Sub-location to support Flash Video (FLV) files with short URIs. + ### + location ~* /files/.+\.flv$ { + flv; + tcp_nodelay off; + tcp_nopush off; + expires 30d; + access_log off; + log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + rewrite ^/files/(.*)$ /sites/$main_site_name/files/$1 last; + try_files $uri =404; + } + + ### + ### Sub-location to support H.264/AAC files with short URIs. + ### + location ~* /files/.+\.(?:mp4|m4a)$ { + mp4; + mp4_buffer_size 1m; + mp4_max_buffer_size 5m; + tcp_nodelay off; + tcp_nopush off; + expires 30d; + access_log off; + log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + rewrite ^/files/(.*)$ /sites/$main_site_name/files/$1 last; + try_files $uri =404; + } + + ### ### Sub-location to support files/styles with short URIs. ### @@ -801,7 +898,7 @@ location ^~ /files/ { try_files /sites/$main_site_name/files/imagecache/$1 $uri @drupal; } - location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa|css|js)$ { + location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa|css|js)$ { expires 30d; tcp_nodelay off; access_log off; 
@@ -820,11 +917,14 @@ location ^~ /files/ { ### Map /downloads/ shortcut early to avoid overrides in other locations. ### location ^~ /downloads/ { - location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ { + location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ { expires 30d; tcp_nodelay off; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; rewrite ^/downloads/(.*)$ /sites/$main_site_name/files/downloads/$1 last; try_files $uri =404; } @@ -839,11 +939,14 @@ location ^~ /downloads/ { ### Serve & no-log static files & images directly, ### without all standard drupal rewrites, php-fpm etc. ### -location ~* ^.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|mp3|wav|midi)$ { +location ~* ^.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|mp3|wav|midi)$ { expires 30d; tcp_nodelay off; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; rewrite ^/images/(.*)$ /sites/$main_site_name/files/images/$1 last; rewrite ^/.+/sites/.+/files/(.*)$ /sites/$main_site_name/files/$1 last; try_files $uri =404; 
@@ -859,6 +962,9 @@ location ~* ^.+\.(?:avi|mpe?g|mov|wmv|ogg|ogv|zip|tar|t?gz|rar|dmg|exe|apk|pxl|i tcp_nopush off; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; rewrite ^/.+/sites/.+/files/(.*)$ /sites/$main_site_name/files/$1 last; try_files $uri =404; } @@ -874,6 +980,9 @@ location ~* ^/sites/.+/files/.+\.(?:pdf|aspx?)$ { tcp_nodelay off; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files $uri =404; } @@ -888,6 +997,9 @@ location ~* ^.+\.flv$ { expires 30d; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files $uri =404; } @@ -903,6 +1015,9 @@ location ~* ^.+\.(?:mp4|m4a)$ { expires 30d; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files $uri =404; } @@ -914,6 +1029,9 @@ location ~* /(?:cross-?domain)\.xml$ { access_log off; tcp_nodelay off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files $uri =404; } @@ -928,7 +1046,7 @@ location ~* /(?:modules|libraries)/(?:contrib/)?(?:ad|tinybrowser|f?ckeditor|tin tcp_nopush off; keepalive_requests 0; access_log off; - if ($is_bot) { + if ( $is_bot ) { return 403; } try_files $uri =404; 
@@ -945,14 +1063,14 @@ location ~* /(?:modules|libraries)/(?:contrib/)?(?:ad|tinybrowser|f?ckeditor|tin ### Deny crawlers and never cache known AJAX requests. ### location ~* /(?:ahah|ajax|batch|autocomplete|done|progress/|x-progress-id|js/.*) { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; log_not_found off; set $nocache_details "Skip"; - try_files $uri @nobots; + try_files $uri @drupal; try_files $uri @drupal; @@ -962,12 +1080,15 @@ location ~* /(?:ahah|ajax|batch|autocomplete|done|progress/|x-progress-id|js/.*) ### Serve & no-log static helper files used in some wysiwyg editors. ### location ~* ^/sites/.*/(?:modules|libraries)/(?:contrib/)?(?:tinybrowser|f?ckeditor|tinymce|flowplayer|jwplayer|videomanager)/.*\.(?:html?|xml)$ { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; tcp_nodelay off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files $uri =404; } @@ -978,6 +1099,9 @@ location ~* ^/sites/.*/files/ { access_log off; tcp_nodelay off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files $uri =404; } @@ -1013,7 +1137,7 @@ location ~* \.xml$ { ### Deny bots on never cached uri. ### location ~* ^/(?:.*/)?(?:admin|user|cart|checkout|logout|comment/reply) { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -1025,7 +1149,7 @@ location ~* ^/(?:.*/)?(?:admin|user|cart|checkout|logout|comment/reply) { ### Protect from DoS attempts on never cached uri. ### location ~* ^/(?:.*/)?(?:node/[0-9]+/edit|node/add) { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -1040,7 +1164,7 @@ location ~* ^/(?:.*/)?(?:node/[0-9]+/delete|approve) { if ($cache_uid = '') { return 403; } - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; 
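Review bot: After this hunk `location ~* /(?:ahah|ajax|batch|autocomplete|done|progress/|x-progress-id|js/.*)` shows two consecutive `try_files $uri @drupal;` lines; if they live in alternative `<?php if … else … ?>` branches of the template that the rendered diff stripped, that is fine, but as a plain nginx block a second `try_files` in one location is rejected at reload with "directive is duplicate". Since both branches now resolve to `@drupal`, the conditional no longer earns its keep and a single `try_files $uri @drupal;` would be clearer. The same now-identical pair appears in the subdir template (`try_files /$1 $uri @drupal_;` twice); the location's closing brace is not shown in the hunk.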
@@ -1079,7 +1203,6 @@ location ~ ^/(?esi/.*)"$ {
 add_header X-This-Proto "$http_x_forwarded_proto";
 add_header X-Server-Name "$main_site_name";
 add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
- add_header Access-Control-Allow-Origin *;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 ###
@@ -1105,9 +1228,9 @@ location ~ ^/(?esi/.*)"$ {
 fastcgi_cache_methods GET HEAD;
 fastcgi_cache_min_uses 1;
 fastcgi_cache_key "$scheme$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg";
- fastcgi_cache_valid 200 5s;
- fastcgi_cache_valid 301 1m;
- fastcgi_cache_valid 302 403 404 1s;
+ fastcgi_cache_valid 200 3s;
+ fastcgi_cache_valid 301 302 403 404 1s;
+ fastcgi_cache_valid any 1s;
 fastcgi_cache_lock on;
 fastcgi_ignore_headers Cache-Control Expires;
 fastcgi_pass_header Set-Cookie;
@@ -1195,63 +1318,32 @@ location @cache {
 ### Send all not cached requests to drupal with clean URLs support.
 ###
 location @drupal {
-
- error_page 418 = @nobots;
- if ($args) {
- return 418;
- }
-
+ set $core_detected "Legacy";
 ###
 ### For Drupal >= 7
 ###
- if ($sent_http_x_generator) {
- add_header X-Info-Gen "Modern";
- rewrite ^ /index.php?$query_string last;
+ if ( -e $document_root/web.config ) {
+ set $core_detected "Regular";
+ }
+ if ( -e $document_root/core ) {
+ set $core_detected "Modern";
+ }
+ error_page 418 = @modern;
+ if ( $core_detected ~ (?:Regular|Modern) ) {
+ return 418;
 }
 ###
- ### For Drupal <= 6
+ ### For Drupal 6
 ###
 rewrite ^/(.*)$ /index.php?q=$1 last;
 }
 ###
-### Special location for bots custom restrictions; can be overridden.
+### Special location for Drupal 7+.
 ###
-location @nobots {
- ###
- ### Support for Accelerated Mobile Pages (AMP) when bots are redirected below
- ###
- # if ( $query_string ~ "^amp$" ) {
- # rewrite ^/(.*)$ /index.php?q=$1 last;
- # }
-
- ###
- ### Send all known bots to $args free URLs (optional)
- ###
- # if ($is_bot) {
- # return 301 $scheme://$host$request_uri;
- # }
-
- ###
- ### Return 404 on special PHP URLs to avoid revealing version used,
- ### even indirectly. See also: https://drupal.org/node/2116387
- ###
- if ( $args ~* "=PHP[A-Z0-9]{8}-" ) {
- return 404;
- }
-
- ###
- ### For Drupal >= 7
- ###
- if ($sent_http_x_generator) {
- add_header X-Info-Gen "Modern";
- rewrite ^ /index.php?$query_string last;
- }
- ###
- ### For Drupal <= 6
- ###
- rewrite ^/(.*)$ /index.php?q=$1 last;
+location @modern {
+ try_files $uri /index.php?$query_string;
 }
 ###
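Review bot: `@modern` ends in `try_files $uri /index.php?$query_string;`, whereas the removed `@nobots`/`@drupal` path always rewrote to `index.php`; the new `$uri` probe serves, from this location and with no extension filter, any existing file whose request fell through to `@drupal`, so on a Drupal 8 docroot names like `*.yml`, `*.twig`, `*.module`, `*.install` or `composer.json` come back verbatim unless a deny location earlier in the file catches them — I cannot see such a rule in this diff, so please confirm it exists and precedes every location that falls through to `@drupal`. The two `-e` tests also stat `web.config` and `core` on every request reaching `@drupal`; a `map` or a template-time variable would give the same answer once. A header comment would pin the sentinel values down, e.g. `### $core_detected: Legacy = D6 (q= rewrite); Regular = D7 (web.config present); Modern = D8+ (core/ present); Regular/Modern jump to @modern via the 418 error_page trick.`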
@@ -1265,13 +1357,13 @@ location = /index.php {
 add_header X-GeoIP-Country-Name "$geoip_country_name";
+ add_header X-Core-Variant "$core_detected";
 add_header X-Speed-Cache "$upstream_cache_status";
 add_header X-Speed-Cache-UID "$cache_uid";
 add_header X-Speed-Cache-Key "$key_uri";
 add_header X-NoCache "$nocache_details";
 add_header X-This-Proto "$http_x_forwarded_proto";
 add_header X-Server-Name "$main_site_name";
- add_header Access-Control-Allow-Origin *;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
@@ -1300,9 +1392,9 @@ location = /index.php {
 fastcgi_cache_methods GET HEAD; ### Nginx default, but added for clarity
 fastcgi_cache_min_uses 1;
 fastcgi_cache_key "$scheme$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg";
- fastcgi_cache_valid 200 10s;
- fastcgi_cache_valid 301 1m;
- fastcgi_cache_valid 302 403 404 1s;
+ fastcgi_cache_valid 200 3s;
+ fastcgi_cache_valid 301 302 403 404 1s;
+ fastcgi_cache_valid any 1s;
 fastcgi_cache_lock on;
 fastcgi_ignore_headers Cache-Control Expires;
 fastcgi_pass_header Set-Cookie;
@@ -1324,7 +1416,7 @@ location ~* ^/(?:index|cron|boost_stats|update|authorize|xmlrpc)\.php$ {
 limit_conn limreq 88;
- if ($is_bot) {
+ if ( $is_bot ) {
 return 404;
 }
diff --git a/http/Provision/Config/Nginx/subdir.tpl.php b/http/Provision/Config/Nginx/subdir.tpl.php
index b4d4e0190f613c47ae906034dc065a5f2f3697d1..1b1bd8b9d316f054d05d2c902a5670aec814a4eb 100644
--- a/http/Provision/Config/Nginx/subdir.tpl.php
+++ b/http/Provision/Config/Nginx/subdir.tpl.php
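Review bot: `add_header X-Core-Variant "$core_detected";` tells every client whether the site is Drupal 6, 7 or 8+ (Legacy/Regular/Modern), which works against the `=PHP[A-Z0-9]{8}-` 404 rule this same commit adds to avoid version disclosure; keep it behind a debug toggle or drop it. `$core_detected` is only assigned inside `@drupal`, so a request that hits `location = /index.php` directly rather than through `@drupal` reads it uninitialised and nginx logs a warning for each such request; declare a server-scope default next to `set $rce "ZZ";`, e.g. `set $core_detected "";` (an empty value also keeps add_header from emitting the header).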
@@ -75,7 +75,13 @@ $subdir_dot = str_replace('/', '.', $subdir);
 // use this simple fallback to guarantee that empty db_port does not
 // break Nginx reload which results with downtime for the affected vhosts.
 if (!$db_port) {
- $db_port = $this->server->db_port ? $this->server->db_port : '3306';
+ $ctrlf = '/data/conf/' . $script_user . '_use_proxysql.txt';
+ if (provision_file()->exists($ctrlf)->status()) {
+ $db_port = '6033';
+ }
+ else {
+ $db_port = $this->server->db_port ? $this->server->db_port : '3306';
+ }
 }
 ?>
 #######################################################
@@ -97,11 +103,24 @@ if ($subdir_main_site_name = '') {
 set $subdir_main_site_name "$server_name";
 }
+# Mitigation for https://www.drupal.org/SA-CORE-2018-002
+set $rce "ZZ";
+if ( $query_string ~* (23value|23default_value|element_parents=%23) ) {
+ set $rce "A";
+}
+
+if ( $request_method = POST ) {
+ set $rce "${rce}B";
+}
+
+if ( $rce = "AB" ) {
+ return 403;
+}
+
 ###
 ### Add recommended HTTP headers
 ###
-add_header Access-Control-Allow-Origin *;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
@@ -110,6 +129,10 @@ add_header X-XSS-Protection "1; mode=block";
 ###
 location ^~ //sites/default/files {
+ add_header Access-Control-Allow-Origin *;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
 root root}"; ?>;
 location ~* ^//sites/default/files/imagecache {
@@ -118,7 +141,7 @@ location ^~ //sites/default/files {
 expires 30d;
 set $nocache_details "Skip";
 rewrite ^//sites/default/files/imagecache/(.*)$ //sites/$subdir_main_site_name/files/imagecache/$1 last;
- try_files $uri @drupal_;
+ try_files /$1 $uri @drupal_;
 }
 location ~* ^//sites/default/files/styles {
 access_log off;
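Review bot: The ProxySQL switch keys on the mere existence of `'/data/conf/' . $script_user . '_use_proxysql.txt'`, and nothing in this hunk checks that `$script_user` is non-empty, so an empty value silently consults a shared `/data/conf/_use_proxysql.txt` and flips every vhost rendered in that state to port 6033; guard it with `if (!empty($script_user) && provision_file()->exists($ctrlf)->status()) {`. `$script_user` is defined outside this hunk, so the caller may already guarantee it — if so, a one-line comment saying where would save the next reader the search.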
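Review bot: The `(23value|23default_value|element_parents=%23)` group in the subdir SA-CORE-2018-002 block is capturing and is evaluated in the server rewrite phase, before location matching, so on a matching GET `$1` holds e.g. `23value` until another capturing regex replaces it; this same commit adds `try_files /$1 $uri …` in locations whose regex has no capture group (`^//sites/default/files/imagecache`, `^//sites/default/files/styles`, the tail of the `//cdn/farfuture/` block), and there `$1` is exactly that stale value. Use `if ( $query_string ~* (?:23value|23default_value|element_parents=%23) ) {`. Unlike vhost_include.tpl.php, this template also never re-adds the `=PHP[A-Z0-9]{8}-` 404 check it removes from `@nobots_` further down, so the version-disclosure rule is lost for subdir vhosts.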
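Review bot: In `location ~* ^//sites/default/files/imagecache` the new `try_files /$1 $uri @drupal_;` can only execute when the preceding `rewrite … last;` did not match (a matching rewrite ends processing for this location), and the location regex has no capture group, so `$1` here is never the imagecache path: it is either empty, which makes the first probe `/` — a directory test on the docroot that always succeeds — or a stale capture from an earlier `if`. Either give the location the capture you mean to use, `location ~* ^//sites/default/files/imagecache/(.*)$ {`, or keep the removed `try_files $uri @drupal_;`. The `styles` sub-location that follows has the same shape.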
@@ -126,7 +149,7 @@ location ^~ //sites/default/files { expires 30d; set $nocache_details "Skip"; rewrite ^//sites/default/files/styles/(.*)$ //sites/$subdir_main_site_name/files/styles/$1 last; - try_files $uri @drupal_; + try_files /$1 $uri @drupal_; } location ~* ^//sites/default/files { access_log off; @@ -205,7 +228,7 @@ location ^~ / { location ~* ^//httprl_async_function_callback { access_log off; set $nocache_details "Skip"; - try_files /httprl_async_function_callback $uri @nobots_; + try_files /httprl_async_function_callback $uri @drupal_; } } @@ -216,7 +239,7 @@ location ^~ / { location ~* ^//admin/httprl-test { access_log off; set $nocache_details "Skip"; - try_files /admin/httprl-test $uri @nobots_; + try_files /admin/httprl-test $uri @drupal_; } } @@ -231,7 +254,7 @@ location ^~ / { gzip_http_version 1.0; if_modified_since exact; set $nocache_details "Skip"; - location ~* ^//(cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff|eot|less))$ { + location ~* ^//(cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff2?|eot|less))$ { expires max; add_header X-Header "CDN Far Future Generator 1.0"; add_header Cache-Control "no-transform, public"; @@ -240,7 +263,7 @@ location ^~ / { add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; rewrite ^//cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break; - try_files /$1 $uri @nobots_; + try_files /$1 $uri @drupal_; } location ~* ^//(cdn/farfuture/) { expires epoch; @@ -250,9 +273,9 @@ location ^~ / { add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; rewrite ^//cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break; - try_files /$1 $uri @nobots_; + try_files /$1 $uri @drupal_; } - try_files $uri @nobots_; + try_files /$1 $uri @drupal_; } 
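Review bot: The final `try_files /$1 $uri @drupal_;` that replaces `try_files $uri @nobots_;` closes a prefix location (its opening line is outside this hunk, but the nested `cdn/farfuture` sub-locations mark it as the `//cdn/farfuture/` block), and that line only runs when neither nested regex location matched; a prefix location sets no captures, so `$1` there is whatever the last matching capturing regex left behind — the server-level SA-CORE-2018-002 `if` on a matching GET, or nothing — and the first probe is `/` or an unrelated token. `try_files $uri @drupal_;` is the safe form here.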
@@ -263,6 +286,9 @@ location ^~ / { access_log off; log_not_found off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /sites/$subdir_main_site_name/files/favicon.ico /sites/$host/files/favicon.ico /favicon.ico $uri =204; } @@ -273,6 +299,9 @@ location ^~ / { location = //robots.txt { access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /sites/$subdir_main_site_name/files/$host.robots.txt /sites/$subdir_main_site_name/files/robots.txt /sites/$host/files/robots.txt /robots.txt $uri @cache_; @@ -345,10 +374,10 @@ location ^~ / { ### location ^~ //search { location ~* ^//search { - if ($is_bot) { + if ( $is_bot ) { return 403; } - try_files /search $uri @cache_; + try_files /search $uri @drupal_; } } @@ -357,7 +386,7 @@ location ^~ / { ### location ^~ //js/ { location ~* ^//js/ { - if ($is_bot) { + if ( $is_bot ) { return 403; } rewrite ^//(.*)$ /js.php?q=$1 last; @@ -403,7 +432,7 @@ location ^~ / { ### Support for backup_migrate module download/restore/delete actions. ### location ^~ //admin { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -415,7 +444,7 @@ location ^~ / { ### Avoid caching /civicrm* and protect it from bots. ### location ^~ //civicrm { - if ($is_bot) { + if ( $is_bot ) { return 403; } set $nocache_details "Skip"; @@ -427,7 +456,7 @@ location ^~ / { ### location ^~ //audio/download { location ~* ^//(audio/download/.*/.*\.(?:mp3|mp4|m4a|ogg))$ { - if ($is_bot) { + if ( $is_bot ) { return 403; } tcp_nopush off; @@ -483,7 +512,7 @@ location ^~ / { rewrite ^//(.*)\.r(\.(?:jpe?g|png|gif))$ //$1$2 last; access_log off; set $nocache_details "Skip"; - try_files $uri @drupal_; + try_files /$1 $uri @drupal_; } ### 
@@ -496,7 +525,7 @@ location ^~ / { } access_log off; set $nocache_details "Skip"; - try_files $uri @drupal_; + try_files /$1 $uri @drupal_; } @@ -505,6 +534,10 @@ location ^~ / { ### location ^~ //files/ { + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + ### ### Sub-location to support files/styles with short URIs. ### @@ -536,7 +569,7 @@ location ^~ / { try_files //sites/$subdir_main_site_name/files/imagecache/$1 $uri @drupal_; } - location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa|css|js)$ { + location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|class|otf|ttf|woff2?|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa|css|js)$ { expires 30d; tcp_nodelay off; access_log off; @@ -545,9 +578,9 @@ location ^~ / { try_files $uri =404; } - try_files $uri @cache_; + try_files /$1 $uri @cache_; - try_files $uri @drupal_; + try_files /$1 $uri @drupal_; } @@ -559,6 +592,9 @@ location ^~ / { access_log off; log_not_found off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; set $nocache_details "Skip"; @@ -572,6 +608,9 @@ location ^~ / { access_log off; log_not_found off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; set $nocache_details "Skip"; @@ -600,7 +639,7 @@ location ^~ / { ### Note: this location doesn't work with X-Accel-Redirect. ### location ~* ^//(sites/.*/files/private/.*) { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; 
@@ -617,7 +656,7 @@ location ^~ / { ### location ~* ^//sites/.*/private/ { - if ($is_bot) { + if ( $is_bot ) { return 403; } @@ -631,7 +670,7 @@ location ^~ / { ### Note: this location works with X-Accel-Redirect. ### location ~* //files/private/ { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -644,7 +683,10 @@ location ^~ / { location ~* ^//(.*/wysiwyg_fields/(?:plugins|scripts)/.*\.(?:js|css)) { access_log off; log_not_found off; - try_files /$1 $uri @nobots_; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + try_files /$1 $uri @drupal_; } ### @@ -664,7 +706,7 @@ location ^~ / { add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; set $nocache_details "Skip"; - try_files /$1 $uri @nobots_; + try_files /$1 $uri @drupal_; } ### @@ -674,6 +716,9 @@ location ^~ / { access_log off; tcp_nodelay off; expires max; #if using aggregator + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /cache/perm/$host${uri}_.css /$1 $uri =404; } @@ -684,6 +729,9 @@ location ^~ / { access_log off; tcp_nodelay off; expires max; # if using aggregator + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /cache/perm/$host${uri}_.js /$1 $uri =404; } @@ -694,6 +742,9 @@ location ^~ / { access_log off; tcp_nodelay off; expires max; ### if using aggregator + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /cache/normal/$host${uri}_.json /$1 $uri =404; } @@ -701,7 +752,7 @@ location ^~ / { ### Support for dynamic .json requests. ### location ~* (.*\.json)$ { - try_files /$1 $uri @cache_; + try_files /$1 $uri @drupal_; } 
@@ -709,11 +760,14 @@ location ^~ / { ### Serve & no-log static files & images directly, ### without all standard drupal rewrites, php-fpm etc. ### - location ~* ^//(.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|aspx?|class|otf|ttf|woff|eot|less))$ { + location ~* ^//(.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|vcard|vcf|cgi|bat|pl|dll|aspx?|class|otf|ttf|woff2?|eot|less))$ { expires 30d; tcp_nodelay off; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /$1 $uri =404; } @@ -727,6 +781,9 @@ location ^~ / { tcp_nopush off; access_log off; log_not_found off; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /$1 $uri =404; } @@ -737,6 +794,9 @@ location ^~ / { access_log off; tcp_nodelay off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /$1 $uri =404; } @@ -776,7 +836,7 @@ location ^~ / { tcp_nopush off; keepalive_requests 0; access_log off; - if ($is_bot) { + if ( $is_bot ) { return 403; } try_files /$1 $uri =404; @@ -793,14 +853,14 @@ location ^~ / { ### Deny crawlers and never cache known AJAX requests. ### location ~* ^//(.*(?:ahah|ajax|batch|autocomplete|done|progress/|x-progress-id|js/.*).*)$ { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; log_not_found off; set $nocache_details "Skip"; - try_files /$1 $uri @nobots_; + try_files /$1 $uri @drupal_; try_files /$1 $uri @drupal_; 
@@ -810,12 +870,15 @@ location ^~ / { ### Serve & no-log static helper files used in some wysiwyg editors. ### location ~* ^//(sites/.*/(?:modules|libraries)/(?:contrib/)?(?:tinybrowser|f?ckeditor|tinymce|flowplayer|jwplayer|videomanager)/.*\.(?:html?|xml))$ { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; tcp_nodelay off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /$1 $uri =404; } @@ -828,6 +891,9 @@ location ^~ / { access_log off; tcp_nodelay off; expires 30d; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; try_files /$1 $uri =404; } @@ -859,7 +925,7 @@ location ^~ / { ### Deny bots on never cached uri. ### location ~* ^//((?:.*/)?(?:admin|user|cart|checkout|logout|comment/reply)) { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -871,7 +937,7 @@ location ^~ / { ### Protect from DoS attempts on never cached uri. ### location ~* ^//((?:.*/)?(?:node/[0-9]+/edit|node/add)) { - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -886,7 +952,7 @@ location ^~ / { if ($cache_uid = '') { return 403; } - if ($is_bot) { + if ( $is_bot ) { return 403; } access_log off; @@ -929,9 +995,9 @@ location ^~ / { return 403; } - try_files $uri @cache_; + try_files /$1 $uri @cache_; - try_files $uri @drupal_; + try_files /$1 $uri @drupal_; } @@ -945,7 +1011,7 @@ location ^~ / { limit_conn limreq 88; - if ($is_bot) { + if ( $is_bot ) { return 404; } @@ -1025,7 +1091,6 @@ location ^~ / { add_header X-This-Proto "$http_x_forwarded_proto"; add_header X-Server-Sub-Name "$subdir_main_site_name"; add_header X-Response-Status "$status"; - add_header Access-Control-Allow-Origin *; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; 
@@ -1084,6 +1149,7 @@ location ^~ / {
 fastcgi_cache_valid 200 10s;
 fastcgi_cache_valid 301 1m;
 fastcgi_cache_valid 302 403 404 1s;
+ fastcgi_cache_valid any 3s;
 fastcgi_cache_lock on;
 fastcgi_ignore_headers Cache-Control Expires;
 fastcgi_pass_header Set-Cookie;
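Review bot: `fastcgi_cache_valid any 3s;` is added while this block keeps `200 10s` and `301 1m`, so 5xx and every other unlisted status is now cached three times longer than the 1s given to 302/403/404, and longer than the `any 1s` the main template switches to in this same commit; use `fastcgi_cache_valid any 1s;` or align the whole set with vhost_include.tpl.php, and say in a comment why subdir vhosts should differ if they must. The enclosing location starts outside the hunk.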
@@ -1148,65 +1214,34 @@ location @cache_ {
 ### Send all not cached requests to drupal with clean URLs support.
 ###
 location @drupal_ {
-
- error_page 418 = @nobots_;
- if ($args) {
- return 418;
- }
-
+ set $core_detected "Legacy";
 ###
 ### For Drupal >= 7
 ###
- if ($sent_http_x_generator) {
- add_header X-Info-Gen "Modern";
- rewrite ^ //index.php?$query_string last;
+ if ( -e $document_root/web.config ) {
+ set $core_detected "Regular";
+ }
+ if ( -e $document_root/core ) {
+ set $core_detected "Modern";
+ }
+ error_page 418 = @modern_;
+ if ( $core_detected ~ (?:NotForD7|Modern) ) {
+ return 418;
 }
 ###
- ### For Drupal <= 6
+ ### For Drupal 6
 ###
 rewrite ^//(.*)$ //index.php?q=$1 last;
 }
-
 ###
-### Special location for bots custom restrictions; can be overridden.
+### Special location for Drupal 7+.
 ###
-location @nobots_ {
- ###
- ### Support for Accelerated Mobile Pages (AMP) when bots are redirected below
- ###
- # if ( $query_string ~ "^amp$" ) {
- # rewrite ^//(.*)$ //index.php?q=$1 last;
- # }
-
- ###
- ### Send all known bots to $args free URLs (optional)
- ###
- # if ($is_bot) {
- # return 301 $scheme://$host$request_uri;
- # }
-
- ###
- ### Return 404 on special PHP URLs to avoid revealing version used,
- ### even indirectly. See also: https://drupal.org/node/2116387
- ###
- if ( $args ~* "=PHP[A-Z0-9]{8}-" ) {
- return 404;
- }
-
- ###
- ### For Drupal >= 7
- ###
- if ($sent_http_x_generator) {
- add_header X-Info-Gen "Modern";
- rewrite ^ //index.php?$query_string last;
- }
- ###
- ### For Drupal <= 6
- ###
- rewrite ^//(.*)$ //index.php?q=$1 last;
+location @modern_ {
+ try_files $uri //index.php?$query_string;
 }
+
 ###
 ### Internal location for /authorize.php and /update.php restricted access.
 ###
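Review bot: `@drupal_` jumps to `@modern_` on `$core_detected ~ (?:NotForD7|Modern)`, and `NotForD7` is a value the variable can never hold, so Drupal 7 subdir sites stay on the `q=` rewrite while the main template sends them to `@modern`; if that is intended it needs a comment such as `### D7 subdir sites keep the q= rewrite; 'NotForD7' is a placeholder that never matches`, otherwise use `(?:Regular|Modern)` as in vhost_include.tpl.php. The removed `@nobots_` also carried `if ( $args ~* "=PHP[A-Z0-9]{8}-" ) { return 404; }`, and unlike the main template this file does not re-add it at server scope, so PHP easter-egg version probing is no longer blocked for subdir vhosts. `try_files $uri //index.php?$query_string` in `@modern_` will also serve any existing file the request resolves to, so the source-file deny rules the main template relies on must precede it here as well.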