nginx_config_mode) { $nginx_config_mode = $server->nginx_config_mode; } $phpfpm_mode = drush_get_option('phpfpm_mode'); if (!$phpfpm_mode && $server->phpfpm_mode) { $phpfpm_mode = $server->phpfpm_mode; } $nginx_is_modern = drush_get_option('nginx_is_modern'); if (!$nginx_is_modern && $server->nginx_is_modern) { $nginx_is_modern = $server->nginx_is_modern; } $nginx_has_upload_progress = drush_get_option('nginx_has_upload_progress'); if (!$nginx_has_upload_progress && $server->nginx_has_upload_progress) { $nginx_has_upload_progress = $server->nginx_has_upload_progress; } $satellite_mode = drush_get_option('satellite_mode'); if (!$satellite_mode && $server->satellite_mode) { $satellite_mode = $server->satellite_mode; } ?> ####################################################### ### nginx.conf site level extended vhost include start ### nginx.conf site level basic vhost include start ####################################################### ### ### Use the main site name if available, instead of ### potentially virtual server_name when alias is set ### as redirection target. See #2358977 for details. ### if ($main_site_name = '') { set $main_site_name "$server_name"; } set $nocache_details "Cache"; ### ### Deny crawlers. ### if ($is_crawler) { return 403; } ### ### Include high load protection config if exists. ### include /data/conf/nginx_high_load.c*; ### ### Deny not compatible request methods without 405 response. ### if ( $request_method !~ ^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) { return 403; } ### ### Deny listed requests for security reasons. ### if ($is_denied) { return 403; } ### ### Include high level local configuration override if exists. ### include /data/disk/EDIT_USER/config/server_master/nginx/post.d/nginx_force_include*; ### ### HTTPRL standard support. ### location ^~ /httprl_async_function_callback { location ~* ^/httprl_async_function_callback { access_log off; add_header X-Header "HTTPRL 2.0"; set $nocache_details "Skip"; try_files $uri @nobots; } } ### ### HTTPRL test mode support. ### location ^~ /admin/httprl-test { location ~* ^/admin/httprl-test { access_log off; add_header X-Header "HTTPRL 2.1"; set $nocache_details "Skip"; try_files $uri @nobots; } } ### ### CDN Far Future expiration support. ### location ^~ /cdn/farfuture/ { tcp_nodelay off; access_log off; log_not_found off; etag off; gzip_http_version 1.0; if_modified_since exact; set $nocache_details "Skip"; location ~* ^/cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff|eot|less)$ { expires max; add_header Access-Control-Allow-Origin *; add_header X-Header "CDN Far Future Generator 1.0"; add_header Cache-Control "no-transform, public"; add_header Last-Modified "Wed, 20 Jan 1988 04:20:42 GMT"; rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break; try_files $uri @nobots; } location ~* ^/cdn/farfuture/ { expires epoch; add_header Access-Control-Allow-Origin *; add_header X-Header "CDN Far Future Generator 1.1"; add_header Cache-Control "private, must-revalidate, proxy-revalidate"; rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break; try_files $uri @nobots; } try_files $uri @nobots; } ### ### If favicon else return error 204. ### location = /favicon.ico { access_log off; log_not_found off; expires 30d; add_header Access-Control-Allow-Origin *; try_files /sites/$main_site_name/files/favicon.ico $uri =204; } ### ### Support for https://drupal.org/project/robotstxt module ### and static file in the sites/domain/files directory. ### location = /robots.txt { access_log off; log_not_found off; try_files /sites/$main_site_name/files/$host.robots.txt /sites/$main_site_name/files/robots.txt $uri @cache; try_files /sites/$main_site_name/files/$host.robots.txt /sites/$main_site_name/files/robots.txt $uri @drupal; } ### ### Allow local access to the FPM status page. ### location = /fpm-status { access_log off; allow 127.0.0.1; deny all; fastcgi_pass 127.0.0.1:9000; fastcgi_pass unix:/var/run/php5-fpm.sock; } ### ### Allow local access to the FPM ping URI. ### location = /fpm-ping { access_log off; allow 127.0.0.1; deny all; fastcgi_pass 127.0.0.1:9000; fastcgi_pass unix:/var/run/php5-fpm.sock; } ### ### Allow local access to support wget method in Aegir settings ### for running sites cron. ### location = /cron.php { tcp_nopush off; keepalive_requests 0; access_log off; allow 127.0.0.1; deny all; try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_pass unix:/var/run/php5-fpm.sock; } ### ### Allow local access to support wget method in Aegir settings ### for running sites cron in Drupal 8. ### location = /core/cron.php { tcp_nopush off; keepalive_requests 0; access_log off; allow 127.0.0.1; deny all; try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_pass unix:/var/run/php5-fpm.sock; } ### ### Send search to php-fpm early so searching for node.js will work. ### Deny bots on search uri. ### location ^~ /search { location ~* ^/search { if ($is_bot) { return 403; } try_files $uri @cache; } } ### ### Support for https://drupal.org/project/js module. ### location ^~ /js/ { location ~* ^/js/ { if ($is_bot) { return 403; } rewrite ^/(.*)$ /js.php?q=$1 last; } } ### ### Upload progress support. ### https://drupal.org/project/filefield_nginx_progress ### http://github.com/masterzen/nginx-upload-progress-module ### location ~ (?.*)/x-progress-id:(?\d*) { access_log off; rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id; } location ^~ /progress { access_log off; upload_progress_json_output; report_uploads uploads; } ### ### Deny access to Hostmaster web/db server node. ### It is still possible to edit or break web/db server ### node at /node/2/edit, if you know what are you doing. ### location ^~ /hosting/c/server_master { if ($cache_uid = '') { return 403; } if ($is_bot) { return 403; } access_log off; rewrite ^ $scheme://$host/hosting/sites permanent; } ### ### Deny access to Hostmaster db server node. ### It is still possible to edit or break db server ### node at /node/4/edit, if you know what are you doing. ### location ^~ /hosting/c/server_localhost { if ($cache_uid = '') { return 403; } if ($is_bot) { return 403; } access_log off; rewrite ^ $scheme://$host/hosting/sites permanent; } ### ### Fix for #2005116 ### location ^~ /hosting/sites { if ($is_bot) { return 403; } access_log off; set $nocache_details "Skip"; try_files $uri @drupal; } ### ### Fix for Aegir & .info .pl domain extensions. ### location ^~ /hosting { if ($is_bot) { return 403; } access_log off; set $nocache_details "Skip"; try_files $uri @cache; } ### ### Deny cache details display. ### location ^~ /admin/settings/performance/cache-backend { access_log off; rewrite ^ $scheme://$host/admin/settings/performance permanent; } ### ### Deny cache details display. ### location ^~ /admin/config/development/performance/redis { access_log off; rewrite ^ $scheme://$host/admin/config/development/performance permanent; } ### ### Support for backup_migrate module download/restore/delete actions. ### location ^~ /admin { if ($is_bot) { return 403; } access_log off; set $nocache_details "Skip"; try_files $uri @drupal; } ### ### Avoid caching /civicrm* and protect it from bots. ### location ^~ /civicrm { if ($is_bot) { return 403; } access_log off; set $nocache_details "Skip"; try_files $uri @drupal; } ### ### Support for audio module. ### location ^~ /audio/download { location ~* ^/audio/download/.*/.*\.(?:mp3|mp4|m4a|ogg)$ { if ($is_bot) { return 403; } tcp_nopush off; access_log off; set $nocache_details "Skip"; try_files $uri @drupal; } } ### ### Deny listed requests for security reasons. ### location ~* (/\..*|settings\.php$|\.(?:git|htaccess|engine|make|config|inc|ini|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(?:\.php)?|xtmpl)$|^(?:Entries.*|Repository|Root|Tag|Template))$ { access_log off; return 404; } ### ### Deny listed requests for security reasons. ### location ~* /(?:modules|themes|libraries)/.*\.(?:txt|md)$ { access_log off; return 404; } ### ### Deny listed requests for security reasons. ### location ~* ^/sites/.*/files/civicrm/(?:ConfigAndLog|upload|templates_c) { access_log off; return 404; } ### ### Deny some not supported URI like cgi-bin on the Nginx level. ### location ~* (?:cgi-bin|vti-bin) { access_log off; return 404; } ### ### Deny bots on some weak modules uri. ### location ~* (?:validation|aggregator|vote_up_down|captcha|vbulletin|glossary/) { if ($is_bot) { return 403; } access_log off; try_files $uri @cache; } ### ### Responsive Images support. ### https://drupal.org/project/responsive_images ### location ~* \.r\.(?:jpe?g|png|gif) { if ( $http_cookie ~* "rwdimgsize=large" ) { rewrite ^/(.*)/mobile/(.*)\.r(\.(?:jpe?g|png|gif))$ /$1/desktop/$2$3 last; } rewrite ^/(.*)\.r(\.(?:jpe?g|png|gif))$ /$1$2 last; access_log off; add_header X-Header "RI Generator 1.0"; set $nocache_details "Skip"; try_files $uri @drupal; } ### ### Adaptive Image Styles support. ### https://drupal.org/project/ais ### location ~* /(?:.+)/files/styles/adaptive/(?:.+)$ { if ( $http_cookie ~* "ais=(?[a-z0-9-_]+)" ) { rewrite ^/(.+)/files/styles/adaptive/(.+)$ /$1/files/styles/$ais_cookie/$2 last; } access_log off; add_header X-Header "AIS Generator 1.0"; set $nocache_details "Skip"; try_files $uri @drupal; } ### ### The files/styles support. ### location ~* /sites/.*/files/styles/(.*)$ { access_log off; log_not_found off; expires 30d; set $nocache_details "Skip"; try_files /sites/$main_site_name/files/styles/$1 $uri @drupal; } ### ### The files/imagecache support. ### location ~* /sites/.*/files/imagecache/(.*)$ { access_log off; log_not_found off; expires 30d; set $nocache_details "Skip"; try_files /sites/$main_site_name/files/imagecache/$1 $uri @drupal; } ### ### Send requests with /external/ and /system/ URI keywords to @drupal. ### location ~* /(?:external|system)/ { access_log off; log_not_found off; expires 30d; set $nocache_details "Skip"; try_files $uri @drupal; } ### ### Deny direct access to backups. ### location ~* ^/sites/.*/files/backup_migrate/ { access_log off; deny all; } ### ### Deny direct access to config files in Drupal 8. ### location ~* ^/sites/.*/files/config_.* { access_log off; deny all; } ### ### Include local configuration override if exists. ### include /data/disk/EDIT_USER/config/server_master/nginx/post.d/nginx_vhost_include*; ### ### Private downloads are always sent to the drupal backend. ### Note: this location doesn't work with X-Accel-Redirect. ### location ~* ^/sites/.*/files/private/ { if ($is_bot) { return 403; } access_log off; rewrite ^/sites/.*/files/private/(.*)$ $scheme://$host/system/files/private/$1 permanent; add_header X-Header "Private Generator 1.0a"; set $nocache_details "Skip"; try_files $uri @drupal; } ### ### Deny direct access to private downloads in sites/domain/private. ### Note: this location works with X-Accel-Redirect. ### location ~* ^/sites/.*/private/ { internal; if ($is_bot) { return 403; } access_log off; } ### ### Deny direct access to private downloads also for short, rewritten URLs. ### Note: this location works with X-Accel-Redirect. ### location ~* /files/private/ { internal; if ($is_bot) { return 403; } access_log off; } ### ### Wysiwyg Fields support. ### location ~* wysiwyg_fields/(?:plugins|scripts)/.*\.(?:js|css) { access_log off; log_not_found off; try_files $uri @nobots; } ### ### Advagg_css and Advagg_js support. ### location ~* files/advagg_(?:css|js)/ { expires max; access_log off; etag off; add_header ETag ""; rewrite ^/files/advagg_(.*)/(.*)$ /sites/$main_site_name/files/advagg_$1/$2 last; add_header Cache-Control "max-age=31449600, no-transform, public"; add_header Access-Control-Allow-Origin *; add_header X-Header "AdvAgg Generator 2.0"; set $nocache_details "Skip"; try_files $uri @nobots; } ### ### Make css files compatible with boost caching. ### location ~* \.css$ { if ( $request_method = POST ) { return 405; } if ( $cache_uid ) { return 405; } error_page 405 = @uncached; access_log off; tcp_nodelay off; expires max; #if using aggregator add_header X-Header "Boost Citrus 2.1"; try_files /cache/perm/$host${uri}_.css $uri =404; } ### ### Make js files compatible with boost caching. ### location ~* \.(?:js|htc)$ { if ( $request_method = POST ) { return 405; } if ( $cache_uid ) { return 405; } error_page 405 = @uncached; access_log off; tcp_nodelay off; expires max; # if using aggregator add_header X-Header "Boost Citrus 2.2"; try_files /cache/perm/$host${uri}_.js $uri =404; } ### ### Support for static .json files with fast 404 +Boost compatibility. ### location ~* ^/sites/.*/files/.*\.json$ { if ( $cache_uid ) { return 405; } error_page 405 = @uncached; access_log off; tcp_nodelay off; expires max; ### if using aggregator add_header X-Header "Boost Citrus 2.3"; add_header Access-Control-Allow-Origin *; try_files /cache/normal/$host${uri}_.json $uri =404; } ### ### Support for dynamic .json requests. ### location ~* \.json$ { try_files $uri @cache; } ### ### Helper location to bypass boost static files cache for logged in users. ### location @uncached { access_log off; expires max; # max if using aggregator, otherwise sane expire time } ### ### Map /files/ shortcut early to avoid overrides in other locations. ### location ^~ /files/ { location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ { expires 30d; tcp_nodelay off; access_log off; log_not_found off; add_header Access-Control-Allow-Origin *; rewrite ^/files/(.*)$ /sites/$main_site_name/files/$1 last; try_files $uri =404; } try_files $uri @cache; try_files $uri @drupal; } ### ### Map /downloads/ shortcut early to avoid overrides in other locations. ### location ^~ /downloads/ { location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ { expires 30d; tcp_nodelay off; access_log off; log_not_found off; add_header Access-Control-Allow-Origin *; rewrite ^/downloads/(.*)$ /sites/$main_site_name/files/downloads/$1 last; try_files $uri =404; } try_files $uri @cache; try_files $uri @drupal; } ### ### Serve & no-log static files & images directly, ### without all standard drupal rewrites, php-fpm etc. ### location ~* ^.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|mp3|wav|midi)$ { expires 30d; tcp_nodelay off; access_log off; log_not_found off; add_header Access-Control-Allow-Origin *; rewrite ^/images/(.*)$ /sites/$main_site_name/files/images/$1 last; rewrite ^/.+/sites/.+/files/(.*)$ /sites/$main_site_name/files/$1 last; try_files $uri =404; } ### ### Serve & log bigger media/static/archive files directly, ### without all standard drupal rewrites, php-fpm etc. ### location ~* ^.+\.(?:avi|mpe?g|mov|wmv|ogg|ogv|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ { expires 30d; tcp_nodelay off; tcp_nopush off; add_header Access-Control-Allow-Origin *; rewrite ^/.+/sites/.+/files/(.*)$ /sites/$main_site_name/files/$1 last; try_files $uri =404; } ### ### Serve & no-log some static files directly, ### but only from the files directory to not break ### dynamically created pdf files or redirects for ### legacy URLs with asp/aspx extension. ### location ~* ^/sites/.+/files/.+\.(?:pdf|aspx?)$ { expires 30d; tcp_nodelay off; access_log off; log_not_found off; add_header Access-Control-Allow-Origin *; try_files $uri =404; } ### ### Pseudo-streaming server-side support for Flash Video (FLV) files. ### location ~* ^.+\.flv$ { flv; add_header Access-Control-Allow-Origin *; tcp_nodelay off; tcp_nopush off; expires 30d; try_files $uri =404; } ### ### Pseudo-streaming server-side support for H.264/AAC files. ### location ~* ^.+\.(?:mp4|m4a)$ { mp4; add_header Access-Control-Allow-Origin *; mp4_buffer_size 1m; mp4_max_buffer_size 5m; tcp_nodelay off; tcp_nopush off; expires 30d; try_files $uri =404; } ### ### Serve & no-log some static files as is, without forcing default_type. ### location ~* /(?:cross-?domain)\.xml$ { access_log off; tcp_nodelay off; expires 30d; add_header X-Header "XML Generator 1.0"; try_files $uri =404; } ### ### Allow some known php files (like serve.php in the ad module). ### location ~* /(?:modules|libraries)/(?:contrib/)?(?:ad|tinybrowser|f?ckeditor|tinymce|wysiwyg_spellcheck|ecc|civicrm|fbconnect|radioactivity)/.*\.php$ { limit_conn limreq 88; tcp_nopush off; keepalive_requests 0; access_log off; if ($is_bot) { return 403; } try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_pass unix:/var/run/php5-fpm.sock; } ### ### Deny crawlers and never cache known AJAX and webform requests. ### location ~* /(?:ahah|ajax|batch|autocomplete|webform|done|progress/|x-progress-id|js/.*) { if ($is_bot) { return 403; } access_log off; log_not_found off; set $nocache_details "Skip"; try_files $uri @nobots; try_files $uri @drupal; } ### ### Serve & no-log static helper files used in some wysiwyg editors. ### location ~* ^/sites/.*/(?:modules|libraries)/(?:contrib/)?(?:tinybrowser|f?ckeditor|tinymce|flowplayer|jwplayer|videomanager)/.*\.(?:html?|xml)$ { if ($is_bot) { return 403; } access_log off; tcp_nodelay off; expires 30d; try_files $uri =404; } ### ### Serve & no-log any not specified above static files directly. ### location ~* ^/sites/.*/files/ { access_log off; tcp_nodelay off; expires 30d; try_files $uri =404; } ### ### Make feeds compatible with boost caching and set correct mime type. ### location ~* \.xml$ { if ( $request_method = POST ) { return 405; } if ( $cache_uid ) { return 405; } error_page 405 = @drupal; access_log off; add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT"; add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"; add_header X-Header "Boost Citrus 2.4"; charset utf-8; types { } default_type text/xml; try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html $uri @drupal; } ### ### Deny bots on never cached uri. ### location ~* ^/(?:.*/)?(?:admin|user|cart|checkout|logout|comment/reply) { if ($is_bot) { return 403; } access_log off; set $nocache_details "Skip"; try_files $uri @drupal; } ### ### Protect from DoS attempts on never cached uri. ### location ~* ^/(?:.*/)?(?:node/[0-9]+/edit|node/add) { if ($is_bot) { return 403; } access_log off; set $nocache_details "Skip"; try_files $uri @drupal; } ### ### Protect from DoS attempts on never cached uri. ### location ~* ^/(?:.*/)?(?:node/[0-9]+/delete|approve) { if ($cache_uid = '') { return 403; } if ($is_bot) { return 403; } access_log off; set $nocache_details "Skip"; try_files $uri @drupal; } ### ### Support for ESI microcaching: http://groups.drupal.org/node/197478. ### ### This may enhance not only anonymous visitors, but also ### logged in users experience, as it allows you to separate ### microcache for ESI/SSI includes (valid for just 5 seconds) ### from both default Speed Booster cache for anonymous visitors ### (valid by default for 10s or 1h, unless purged on demand via ### recently introduced Purge/Expire modules) and also from ### Speed Booster cache per logged in user (valid for 10 seconds). ### ### Now you have three different levels of Speed Booster cache ### to leverage and deliver the 'live content' experience for ### all visitors, and still protect your server from DoS or ### simply high load caused by unexpected high traffic etc. ### location ~ ^/(?esi/.*)"$ { ssi on; ssi_silent_errors on; internal; limit_conn limreq 88; add_header X-Device "$device"; add_header X-Speed-Micro-Cache "$upstream_cache_status"; add_header X-Speed-Micro-Cache-Expire "5s"; add_header X-NoCache "$nocache_details"; add_header X-GeoIP-Country-Code "$geoip_country_code"; add_header X-GeoIP-Country-Name "$geoip_country_name"; add_header X-This-Proto "$http_x_forwarded_proto"; add_header X-Server-Name "$main_site_name"; add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"; ### ### Set correct, local $uri. ### fastcgi_param QUERY_STRING q=$esi; fastcgi_param SCRIPT_FILENAME $document_root/index.php; fastcgi_pass 127.0.0.1:9000; ### ### Use Nginx cache for all visitors. ### set $nocache ""; if ( $http_cookie ~* "NoCacheID" ) { set $nocache "NoCache"; } fastcgi_cache speed; fastcgi_cache_methods GET HEAD; fastcgi_cache_min_uses 1; fastcgi_cache_key "$is_bot$device$host$request_method$uri$is_args$args$cache_uid$http_x_forwarded_proto"; fastcgi_cache_valid 200 301 404 5s; fastcgi_cache_valid 302 1m; fastcgi_ignore_headers Cache-Control Expires; fastcgi_pass_header Set-Cookie; fastcgi_pass_header X-Accel-Expires; fastcgi_pass_header X-Accel-Redirect; fastcgi_no_cache $cookie_NoCacheID $http_authorization $http_pragma $nocache; fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $http_pragma $nocache; fastcgi_cache_use_stale error http_500 http_503 invalid_header timeout updating; tcp_nopush off; keepalive_requests 0; expires epoch; } ### ### Rewrite legacy requests with /index.php to extension-free URL. ### if ( $args ~* "^q=(?.*)" ) { rewrite ^/index.php$ $scheme://$host/?q=$query_value? permanent; } ### ### Catch all unspecified requests. ### location / { if ( $http_user_agent ~* wget ) { return 403; } try_files $uri @cache; try_files $uri @drupal; } ### ### Boost compatible cache check. ### location @cache { if ( $request_method = POST ) { set $nocache_details "Method"; return 405; } if ( $args ~* "nocache=1" ) { set $nocache_details "Args"; return 405; } if ( $sent_http_x_force_nocache = "YES" ) { set $nocache_details "Skip"; return 405; } if ( $http_cookie ~* "NoCacheID" ) { set $nocache_details "AegirCookie"; return 405; } if ( $cache_uid ) { set $nocache_details "DrupalCookie"; return 405; } error_page 405 = @drupal; add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT"; add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"; add_header X-Header "Boost Citrus 1.9"; charset utf-8; try_files /cache/normal/$host${uri}_$args.html @drupal; } ### ### Send all not cached requests to drupal with clean URLs support. ### location @drupal { error_page 418 = @nobots; if ($args) { return 418; } rewrite ^/(.*)$ /index.php?q=$1 last; } ### ### Send all known bots to $args free URLs. ### location @nobots { if ($is_bot) { rewrite ^ $scheme://$host$uri? permanent; } ### ### Return 404 on special PHP URLs to avoid revealing version used, ### even indirectly. See also: https://drupal.org/node/2116387 ### if ( $args ~* "=PHP[A-Z0-9]{8}-" ) { return 404; } rewrite ^/(.*)$ /index.php?q=$1 last; } ### ### Send all non-static requests to php-fpm, restricted to known php file. ### location = /index.php { internal; limit_conn limreq 88; add_header X-Device "$device"; add_header X-GeoIP-Country-Code "$geoip_country_code"; add_header X-GeoIP-Country-Name "$geoip_country_name"; add_header X-Speed-Cache "$upstream_cache_status"; add_header X-Speed-Cache-UID "$cache_uid"; add_header X-Speed-Cache-Key "$key_uri"; add_header X-NoCache "$nocache_details"; add_header X-This-Proto "$http_x_forwarded_proto"; add_header X-Server-Name "$main_site_name"; add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"; tcp_nopush off; keepalive_requests 0; try_files $uri =404; ### check for existence of php file first fastcgi_pass 127.0.0.1:9000; fastcgi_pass unix:/var/run/php5-fpm.sock; track_uploads uploads 60s; ### required for upload progress ### ### Use Nginx cache for all visitors. ### set $nocache ""; if ( $nocache_details ~ (?:AegirCookie|Args|Skip) ) { set $nocache "NoCache"; } fastcgi_cache speed; fastcgi_cache_methods GET HEAD; ### Nginx default, but added for clarity fastcgi_cache_min_uses 1; fastcgi_cache_key "$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg"; fastcgi_cache_valid 200 10s; fastcgi_cache_valid 302 1m; fastcgi_cache_valid 301 403 404 5s; fastcgi_cache_valid 500 502 503 504 1s; fastcgi_ignore_headers Cache-Control Expires; fastcgi_pass_header Set-Cookie; fastcgi_pass_header X-Accel-Expires; fastcgi_pass_header X-Accel-Redirect; fastcgi_no_cache $cookie_NoCacheID $http_authorization $http_pragma $nocache; fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $http_pragma $nocache; fastcgi_cache_use_stale error http_500 http_503 invalid_header timeout updating; } ### ### Send other known php requests/files to php-fpm without any caching. ### location ~* ^/(?:core/)?(?:boost_stats|rtoc|js)\.php$ { location ~* ^/(?:index|cron|boost_stats|update|authorize)\.php$ { limit_conn limreq 88; if ($is_bot) { return 404; } tcp_nopush off; keepalive_requests 0; access_log off; try_files $uri =404; ### check for existence of php file first fastcgi_pass 127.0.0.1:9000; fastcgi_pass unix:/var/run/php5-fpm.sock; } ### ### Allow access to /authorize.php and /update.php only for logged in admin user. ### location ~* ^/(?:core/)?(?:authorize|update)\.php$ { error_page 418 = @allowupdate; if ( $cache_uid ) { return 418; } return 404; } ### ### Internal location for /authorize.php and /update.php restricted access. ### location @allowupdate { limit_conn limreq 88; tcp_nopush off; keepalive_requests 0; access_log off; try_files $uri =404; ### check for existence of php file first fastcgi_pass 127.0.0.1:9000; fastcgi_pass unix:/var/run/php5-fpm.sock; } ### ### Deny access to any not listed above php files with 404 error. ### location ~* ^.+\.php$ { return 404; } ####################################################### ### nginx.conf site level extended vhost include end ### nginx.conf site level basic vhost include end #######################################################