nginx_config_mode) {
  $nginx_config_mode = $server->nginx_config_mode;
}
// Same pattern for each remaining setting: read the drush option first and
// fall back to the property stored on $server only when the option is falsy.
$phpfpm_mode = drush_get_option('phpfpm_mode');
if (!$phpfpm_mode && $server->phpfpm_mode) {
  $phpfpm_mode = $server->phpfpm_mode;
}
$nginx_is_modern = drush_get_option('nginx_is_modern');
if (!$nginx_is_modern && $server->nginx_is_modern) {
  $nginx_is_modern = $server->nginx_is_modern;
}
$nginx_has_upload_progress = drush_get_option('nginx_has_upload_progress');
if (!$nginx_has_upload_progress && $server->nginx_has_upload_progress) {
  $nginx_has_upload_progress = $server->nginx_has_upload_progress;
}
$satellite_mode = drush_get_option('satellite_mode');
if (!$satellite_mode && $server->satellite_mode) {
  $satellite_mode = $server->satellite_mode;
}
?>
#######################################################
### nginx.conf site level extended vhost include start
### nginx.conf site level basic vhost include start
#######################################################

###
### Master location for subdir support (start)
###
# NOTE(review): the "root" value below and the empty segment in the "//"
# paths of this file are presumably filled in by template expressions that
# are not fully visible in this listing - confirm against the original.
location ^~ / {
  root root}"; ?>;
  # Default cache status label; locations that must not be cached overwrite it.
  set $nocache_details "Cache";

###
### Deny crawlers.
###
  # $is_crawler, $is_botnet and $is_denied are not set in this file;
  # presumably maps defined at http level - verify they are loaded, since an
  # undefined variable makes nginx refuse the configuration.
  if ($is_crawler) {
    return 403;
  }

###
### Block semalt botnet.
###
  if ($is_botnet) {
    return 403;
  }

###
### Include high load protection config if exists.
###
  # The glob makes the include optional: no matching file is not an error.
  # Any file matching the pattern is loaded as configuration, so /data/conf
  # must be writable only by trusted administrators.
  include /data/conf/nginx_high_load.c*;

###
### Deny not compatible request methods without 405 response.
###
  # Case-sensitive allow-list: every method other than the six named here
  # (TRACE, CONNECT, PATCH, ...) is answered with 403.
  # NOTE(review): PUT and DELETE are passed through; confirm the hosted
  # sites need them.
  if ( $request_method !~ ^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
    return 403;
  }

###
### Deny listed requests for security reasons.
###
  if ($is_denied) {
    return 403;
  }

###
### HTTPRL standard support.
###
  # The outer ^~ prefix location stops the regex-location search for this
  # path; the nested regex location then carries the actual handling.
  location ^~ //httprl_async_function_callback {
    location ~* ^//httprl_async_function_callback {
      access_log off;
      add_header X-Header "HTTPRL 2.0";
      set $nocache_details "Skip";
      try_files /httprl_async_function_callback $uri @nobots_;
    }
  }

###
### HTTPRL test mode support.
###
# The outer ^~ prefix location stops the regex-location search for this path;
# the nested regex location then carries the actual handling.
location ^~ //admin/httprl-test {
  location ~* ^//admin/httprl-test {
    access_log off;
    add_header X-Header "HTTPRL 2.1";
    set $nocache_details "Skip";
    try_files /admin/httprl-test $uri @nobots_;
  }
}

###
### CDN Far Future expiration support.
###
location ^~ //cdn/farfuture/ {
  tcp_nodelay off;
  access_log off;
  log_not_found off;
  etag off;
  gzip_http_version 1.0;
  if_modified_since exact;
  set $nocache_details "Skip";
  # Known static extensions: cached "forever" by clients and proxies.
  location ~* ^//(cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff|eot|less))$ {
    expires max;
    # Wildcard CORS: any origin may read these responses. Appropriate only
    # because the extension list is limited to public static assets.
    add_header Access-Control-Allow-Origin *;
    add_header X-Header "CDN Far Future Generator 1.0";
    add_header Cache-Control "no-transform, public";
    add_header Last-Modified "Wed, 20 Jan 1988 04:20:42 GMT";
    # Drops the two path segments that follow cdn/farfuture/ and serves the
    # remainder as a file path below the document root.
    rewrite ^//cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
    try_files /$1 $uri @nobots_;
  }
  # Anything else under cdn/farfuture/: same rewrite, but marked private and
  # already expired so it is not kept by shared caches.
  location ~* ^//(cdn/farfuture/) {
    expires epoch;
    add_header Access-Control-Allow-Origin *;
    add_header X-Header "CDN Far Future Generator 1.1";
    add_header Cache-Control "private, must-revalidate, proxy-revalidate";
    rewrite ^//cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
    try_files /$1 $uri @nobots_;
  }
  try_files $uri @nobots_;
}

###
### If favicon else return error 204.
###
location = //favicon.ico {
  access_log off;
  log_not_found off;
  expires 30d;
  # Lookup order: per-site file by $server_name, per-site file by $host,
  # shared file, then the literal URI; 204 when none exists.
  # $host is taken from the request, so this path depends on which Host
  # values the server block accepts.
  try_files /sites/$server_name/files/favicon.ico /sites/$host/files/favicon.ico /favicon.ico $uri =204;
}

###
### Support for http://drupal.org/project/robotstxt module
### and static file in the sites/domain/files directory.
###
location = //robots.txt {
  access_log off;
  log_not_found off;
  # NOTE(review): two try_files lines differing only in the fallback
  # (@cache_ vs @drupal_) are listed; presumably the template emits one of
  # them per configuration mode - confirm against the original.
  try_files /sites/$server_name/files/$host.robots.txt /sites/$server_name/files/robots.txt /sites/$host/files/robots.txt /robots.txt $uri @cache_;
  try_files /sites/$server_name/files/$host.robots.txt /sites/$server_name/files/robots.txt /sites/$host/files/robots.txt /robots.txt $uri @drupal_;
}

###
### Allow local access to support wget method in Aegir settings
### for running sites cron.
###
location = //cron.php {
  include fastcgi_params;
  # Database connection settings are handed to PHP as FastCGI parameters
  # (their values are not visible in this listing).
  # NOTE(review): FastCGI parameters end up in PHP's server environment, so
  # anything that dumps it (phpinfo(), verbose error pages) would reveal
  # db_passwd - keep such output disabled on these hosts.
  fastcgi_param db_type ;
  fastcgi_param db_name ;
  fastcgi_param db_user ;
  fastcgi_param db_passwd ;
  fastcgi_param db_host ;
  fastcgi_param db_port ;
  fastcgi_param HTTP_HOST .$host;
  fastcgi_param RAW_HOST $host;
  fastcgi_param SITE_SUBDIR ;
  fastcgi_param REDIRECT_STATUS 200;
  fastcgi_index index.php;
  # The script name is fixed rather than derived from the request URI.
  set $real_fastcgi_script_name cron.php;
  fastcgi_param SCRIPT_FILENAME root}"; ?>/$real_fastcgi_script_name;
  tcp_nopush off;
  keepalive_requests 0;
  access_log off;
  # Only loopback clients may trigger cron; everyone else is refused.
  # NOTE(review): if a proxy on the same host fronts nginx and the real
  # client address is not restored, every request appears to come from
  # 127.0.0.1 and this restriction no longer filters anything - confirm.
  allow 127.0.0.1;
  deny all;
  try_files /cron.php $uri =404;
  # NOTE(review): three fastcgi_pass targets are listed; nginx accepts one
  # per location, so presumably the template selects a single line through
  # conditionals not visible here - confirm.
  fastcgi_pass unix:/var/run/www53.fpm.socket;
  fastcgi_pass 127.0.0.1:9000;
  fastcgi_pass unix:/var/run/php5-fpm.sock;
}

###
### Send search to php-fpm early so searching for node.js will work.
### Deny bots on search uri.
###
location ^~ //search {
  location ~* ^//search {
    if ($is_bot) {
      return 403;
    }
    try_files /search $uri @cache_;
  }
}

###
### Support for https://drupal.org/project/js module.
###
location ^~ //js/ {
  location ~* ^//js/ {
    if ($is_bot) {
      return 403;
    }
    # Internal rewrite: the whole captured path becomes the q argument of
    # js.php and location matching starts again.
    rewrite ^//(.*)$ /js.php?q=$1 last;
  }
}

###
### Upload progress support.
### https://drupal.org/project/filefield_nginx_progress
### http://github.com/masterzen/nginx-upload-progress-module
###
# NOTE(review): the two capture groups appear without names here, while the
# rewrite uses $upload_form_uri and $upload_id; presumably the groups carry
# those names in the original template - confirm.
location ~ (?.*)/x-progress-id:(?\d*) {
  access_log off;
  rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id;
}
location ^~ //progress {
  access_log off;
  upload_progress_json_output;
  report_uploads uploads;
}

###
### Deny cache details display.
###
location ^~ //admin/settings/performance/cache-backend {
  access_log off;
  # The redirect target is built from $host, which reflects the Host value
  # of the request; it is only as trustworthy as the set of host names this
  # server block accepts.
  rewrite ^ $scheme://$host//admin/settings/performance permanent;
}

###
### Deny cache details display.
###
location ^~ //admin/config/development/performance/redis {
  access_log off;
  rewrite ^ $scheme://$host//admin/config/development/performance permanent;
}

###
### Support for backup_migrate module download/restore/delete actions.
###
location ^~ //admin {
  if ($is_bot) {
    return 403;
  }
  # Requests under the admin prefix leave no entry in the nginx access log.
  # NOTE(review): for audit or incident-response purposes another record of
  # admin activity is needed (application log), or logging re-enabled here.
  access_log off;
  set $nocache_details "Skip";
  try_files /admin $uri @drupal_;
}

###
### Avoid caching /civicrm* and protect it from bots.
###
location ^~ //civicrm {
  if ($is_bot) {
    return 403;
  }
  set $nocache_details "Skip";
  try_files /civicrm $uri @drupal_;
}

###
### Support for audio module.
###
location ^~ //audio/download {
  location ~* ^//(audio/download/.*/.*\.(?:mp3|mp4|m4a|ogg))$ {
    if ($is_bot) {
      return 403;
    }
    tcp_nopush off;
    access_log off;
    set $nocache_details "Skip";
    try_files /$1 $uri @drupal_;
  }
}

###
### Deny listed requests for security reasons.
###
# Answers 404 (not 403) for: any path containing a segment that starts with
# a dot, settings.php, and the listed source/config/dump extensions.
# NOTE(review): "/\..*" also covers /.well-known/, so well-known URIs (for
# example certificate validation) need a location that takes precedence.
# NOTE(review): the last alternative is anchored with ^, but a request URI
# always begins with "/", so Entries/Repository/Root/Tag/Template are never
# matched by it; it needs a leading "/" form to have any effect.
location ~* (/\..*|settings\.php$|\.(?:git|htaccess|engine|make|config|inc|ini|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(?:\.php)?|xtmpl)$|^(?:Entries.*|Repository|Root|Tag|Template))$ {
  access_log off;
  return 404;
}

###
### Deny listed requests for security reasons.
###
# Hides .txt and .md files shipped in code directories (README, CHANGELOG),
# which would otherwise disclose module and version details.
location ~* /(?:modules|themes|libraries)/.*\.(?:txt|md)$ {
  access_log off;
  return 404;
}

###
### Deny listed requests for security reasons.
###
# CiviCRM log, upload and compiled-template directories under files/.
location ~* /files/civicrm/(?:ConfigAndLog|upload|templates_c) {
  access_log off;
  return 404;
}

###
### Responsive Images support.
### http://drupal.org/project/responsive_images
###
location ~* ^//.*\.r\.(?:jpe?g|png|gif) {
  # The cookie only switches between the mobile and desktop variants; its
  # value is never copied into the path.
  if ( $http_cookie ~* "rwdimgsize=large" ) {
    rewrite ^//(.*)/mobile/(.*)\.r(\.(?:jpe?g|png|gif))$ //$1/desktop/$2$3 last;
  }
  rewrite ^//(.*)\.r(\.(?:jpe?g|png|gif))$ //$1$2 last;
  access_log off;
  add_header X-Header "RI Generator 1.0";
  set $nocache_details "Skip";
  try_files $uri @drupal_;
}

###
### Adaptive Image Styles support.
### http://drupal.org/project/ais
###
location ~* ^//(?:.+)/files/styles/adaptive/(?:.+)$ {
  # The cookie value is copied into the rewritten path as $ais_cookie. The
  # character class (letters, digits, "-" and "_") keeps "/" and "." out of
  # it, so the cookie cannot add path segments; keep the class this strict.
  # NOTE(review): the capture group appears without its name here;
  # presumably it is named ais_cookie in the original template - confirm.
  if ( $http_cookie ~* "ais=(?[a-z0-9-_]+)" ) {
    rewrite ^//(.+)/files/styles/adaptive/(.+)$ //$1/files/styles/$ais_cookie/$2 last;
  }
  access_log off;
  add_header X-Header "AIS Generator 1.0";
  set $nocache_details "Skip";
  try_files $uri @drupal_;
}

###
### Imagecache and imagecache_external support.
###
location ~* ^//((?:external|system|files/imagecache|files/styles)/.*) {
  access_log off;
  log_not_found off;
  expires 30d;
  add_header X-Header "IC Generator 1.0";
  set $nocache_details "Skip";
  # Existing derivative is served from disk; otherwise Drupal generates it.
  try_files /$1 $uri @drupal_;
}

###
### Deny direct access to backups.
###
# backup_migrate dumps stored under files/ are never served over HTTP.
location ~* ^//sites/.*/files/backup_migrate/ {
  access_log off;
  deny all;
}

###
### Deny direct access to config files in Drupal 8.
###
location ~* ^//sites/.*/files/config_.* {
  access_log off;
  deny all;
}

###
### Private downloads are always sent to the drupal backend.
### Note: this location doesn't work with X-Accel-Redirect.
###
location ~* ^//(sites/.*/files/private/.*) {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  # Redirects the client to the system/files/private/ URL so the download
  # goes through Drupal's access checks instead of being read from disk.
  # NOTE(review): the location regex is case-insensitive (~*) while this
  # rewrite regex is case-sensitive; a URI matching only the former skips
  # the redirect and falls through to try_files below, which serves a file
  # if the path resolves on disk. Consider giving both the same case rule.
  rewrite ^//sites/.*/files/private/(.*)$ $scheme://$host//system/files/private/$1 permanent;
  add_header X-Header "Private Generator 1.0a";
  set $nocache_details "Skip";
  try_files /$1 $uri @drupal_;
}

###
### Deny direct access to private downloads in sites/domain/private.
### Note: this location works with X-Accel-Redirect.
###
location ~* ^//sites/.*/private/ {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  # "internal" makes the location unreachable for client requests; only
  # internal redirects may use it.
  internal;
}

###
### Deny direct access to private downloads also for short, rewritten URLs.
### Note: this location works with X-Accel-Redirect.
###
location ~* //files/private/ {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  internal;
}

###
### Wysiwyg Fields support.
###
location ~* ^//(.*/wysiwyg_fields/(?:plugins|scripts)/.*\.(?:js|css)) {
  access_log off;
  log_not_found off;
  try_files /$1 $uri @nobots_;
}

###
### Advagg_css and Advagg_js support.
###
location ~* ^//(.*/files/advagg_(?:css|js).*) {
  expires max;
  access_log off;
  etag off;
  add_header ETag "";
  add_header Cache-Control "max-age=31449600, no-transform, public";
  # Wildcard CORS on aggregated CSS/JS: public assets, readable by any origin.
  add_header Access-Control-Allow-Origin *;
  add_header X-Header "AdvAgg Generator 2.0";
  set $nocache_details "Skip";
  try_files /$1 $uri @nobots_;
}

###
### Make css files compatible with boost caching.
###
location ~* ^//(.*\.css)$ {
  access_log off;
  tcp_nodelay off;
  expires max; #if using aggregator
  add_header X-Header "Boost Citrus 2.1";
  # Boost's pre-generated copy first, then the file itself; never PHP.
  try_files /cache/perm/$host${uri}_.css /$1 $uri =404;
}

###
### Make js files compatible with boost caching.
###
location ~* ^//(.*\.(?:js|htc))$ {
  access_log off;
  tcp_nodelay off;
  expires max; # if using aggregator
  add_header X-Header "Boost Citrus 2.2";
  try_files /cache/perm/$host${uri}_.js /$1 $uri =404;
}

###
### Support for static .json files with fast 404 +Boost compatibility.
###
location ~* ^//sites/.*/files/(.*\.json)$ {
  access_log off;
  tcp_nodelay off;
  expires max; ### if using aggregator
  add_header X-Header "Boost Citrus 2.3";
  # NOTE(review): wildcard CORS lets any origin read every .json file under
  # sites/*/files/; confirm nothing non-public is written there as JSON.
  add_header Access-Control-Allow-Origin *;
  try_files /cache/normal/$host${uri}_.json /$1 $uri =404;
}

###
### Support for dynamic .json requests.
###
location ~* (.*\.json)$ {
  try_files /$1 $uri @cache_;
}

###
### Serve & no-log static files & images directly,
### without all standard drupal rewrites, php-fpm etc.
###
# NOTE(review): besides images, fonts and documents the list names cgi, bat,
# pl, dll and asp(x). Presumably they are here so that probes for such files
# end in a cheap 404, but a file of that type that does exist below the
# document root would be returned as plain content - confirm none is deployed.
location ~* ^//(.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|aspx?|class|otf|ttf|woff|eot|less))$ {
  expires 30d;
  tcp_nodelay off;
  access_log off;
  log_not_found off;
  add_header Access-Control-Allow-Origin *;
  try_files /$1 $uri =404;
}

###
### Serve & log bigger media/static/archive files directly,
### without all standard drupal rewrites, php-fpm etc.
###
# Unlike the location above, access logging stays on for these downloads.
location ~* ^//(.+\.(?:avi|mpe?g|mov|wmv|mp3|mp4|m4a|ogg|ogv|flv|wav|midi|zip|tar|t?gz|rar|dmg|exe))$ {
  expires 30d;
  tcp_nodelay off;
  tcp_nopush off;
  add_header Access-Control-Allow-Origin *;
  try_files /$1 $uri =404;
}

###
### Serve & no-log some static files as is, without forcing default_type.
###
# Serves a crossdomain.xml policy file when one exists. The policy content
# itself decides which foreign origins are trusted, so review any such file
# that is deployed.
location ~* ^//((?:cross-?domain)\.xml)$ {
  access_log off;
  tcp_nodelay off;
  expires 30d;
  add_header X-Header "XML Generator 1.0";
  try_files /$1 $uri =404;
}

###
### Allow some known php files (like serve.php in the ad module).
###
# Every .php file anywhere below one of the named module/library directories
# is executed when requested directly, not just a single entry script.
# NOTE(review): editor and file-browser packages in this list ship their own
# PHP helpers; keep the list limited to what the hosted sites really use.
location ~* ^//(.*/(?:modules|libraries)/(?:contrib/)?(?:ad|tinybrowser|f?ckeditor|tinymce|wysiwyg_spellcheck|ecc|civicrm|fbconnect|radioactivity)/.*\.php)$ {
  limit_conn limreq 88;
  include fastcgi_params;
  # Database settings passed as FastCGI parameters (values not visible in
  # this listing); they are readable by every script this location runs.
  fastcgi_param db_type ;
  fastcgi_param db_name ;
  fastcgi_param db_user ;
  fastcgi_param db_passwd ;
  fastcgi_param db_host ;
  fastcgi_param db_port ;
  fastcgi_param HTTP_HOST .$host;
  fastcgi_param RAW_HOST $host;
  fastcgi_param SITE_SUBDIR ;
  fastcgi_param REDIRECT_STATUS 200;
  fastcgi_index index.php;
  # Script path comes from the regex capture, i.e. from the request URI.
  set $real_fastcgi_script_name $1;
  fastcgi_param SCRIPT_FILENAME root}"; ?>/$real_fastcgi_script_name;
  tcp_nopush off;
  keepalive_requests 0;
  access_log off;
  if ($is_bot) {
    return 403;
  }
  # The file must exist on disk before anything is handed to PHP-FPM.
  try_files /$1 $uri =404;
  # NOTE(review): three fastcgi_pass targets are listed; nginx accepts one
  # per location, so presumably the template selects a single line through
  # conditionals not visible here - confirm.
  fastcgi_pass unix:/var/run/www53.fpm.socket;
  fastcgi_pass 127.0.0.1:9000;
  fastcgi_pass unix:/var/run/php5-fpm.sock;
}

###
### Deny crawlers and never cache known AJAX and webform requests.
###
location ~* ^//(.*(?:ahah|ajax|batch|autocomplete|webform|done|progress/|x-progress-id|js/.*).*)$ {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  log_not_found off;
  set $nocache_details "Skip";
  # NOTE(review): two try_files lines differing only in the fallback are
  # listed; presumably the template emits one of them - confirm.
  try_files /$1 $uri @nobots_;
  try_files /$1 $uri @drupal_;
}

###
### Serve & no-log static helper files used in some wysiwyg editors.
###
location ~* ^//(sites/.*/(?:modules|libraries)/(?:contrib/)?(?:tinybrowser|f?ckeditor|tinymce|flowplayer|jwplayer|videomanager)/.*\.(?:html?|xml))$ {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  tcp_nodelay off;
  expires 30d;
  try_files /$1 $uri =404;
}

###
### Serve & no-log any not specified above static files directly.
###
location ~* ^//(sites/.*/files/.*) {
  root root}"; ?>;
  # Internal rewrite: the path after sites/ is re-rooted below
  # sites/$server_name/ and location matching starts again. $server_name
  # comes from the configuration, not from the request.
  rewrite ^//sites/(.*)$ /sites/$server_name/$1 last;
  access_log off;
  tcp_nodelay off;
  expires 30d;
  try_files /$1 $uri =404;
}

###
### Make feeds compatible with boost caching and set correct mime type.
###
location ~* ^//(.*\.xml)$ {
  # POST requests and requests with a non-empty $cache_uid bypass the static
  # cache files: the 405 is caught by error_page and handed to @drupal_.
  if ( $request_method = POST ) {
    return 405;
  }
  if ( $cache_uid ) {
    return 405;
  }
  error_page 405 = @drupal_;
  access_log off;
  add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
  add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
  add_header X-Header "Boost Citrus 2.4";
  charset utf-8;
  # Empty types map plus default_type forces text/xml for whatever is served.
  types { }
  default_type text/xml;
  try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html /$1 $uri @drupal_;
}

###
### Deny bots on never cached uri.
###
location ~* ^//((?:.*/)?(?:admin|user|cart|checkout|logout|comment/reply)) {
  if ($is_bot) {
    return 403;
  }
  # NOTE(review): login, account and checkout paths are excluded from the
  # access log here; failed-login monitoring then has to rely on
  # application logs.
  access_log off;
  set $nocache_details "Skip";
  try_files /$1 $uri @drupal_;
}

###
### Protect from DoS attempts on never cached uri.
###
location ~* ^//((?:.*/)?(?:node/[0-9]+/edit|node/add)) {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files /$1 $uri @drupal_;
}

###
### Protect from DoS attempts on never cached uri.
###
location ~* ^//((?:.*/)?(?:node/[0-9]+/delete|approve)) {
  # Requests with an empty $cache_uid are refused before reaching PHP.
  # NOTE(review): this only filters on the presence of a value; $cache_uid
  # is defined outside this file and the real permission check has to
  # remain in Drupal.
  if ($cache_uid = '') {
    return 403;
  }
  if ($is_bot) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files /$1 $uri @drupal_;
}

###
### Rewrite legacy requests with /index.php to extension-free URL.
###
# NOTE(review): the capture group appears without its name here, while the
# rewrite uses $query_value; presumably the group carries that name in the
# original template - confirm.
if ( $args ~* "^q=(?.*)" ) {
  rewrite ^//index.php$ $scheme://$host//?q=$query_value? permanent;
}

###
### Redirect to working homepage.
###
location = / {
  rewrite ^ $scheme://$host//? permanent;
}

###
### Catch all unspecified requests.
###
location // {
  # User-Agent match only: it stops clients that announce themselves as
  # wget and is not an access control.
  if ( $http_user_agent ~* wget ) {
    return 403;
  }
  # NOTE(review): two try_files lines differing only in the fallback are
  # listed; presumably the template emits one of them - confirm.
  try_files $uri @cache_;
  try_files $uri @drupal_;
}

###
### Send other known php requests/files to php-fpm without any caching.
###
# NOTE(review): two location headers follow each other with a single closing
# brace; presumably they are alternatives selected by the template per
# configuration mode - confirm. With the second header, update.php and
# authorize.php are executed with only the $is_bot check in front of them.
# Regex locations are tried in file order, so the restricted
# authorize/update location further down would never be reached if both
# were emitted together.
location ~* ^//((core/)?(boost_stats|rtoc|js))\.php$ {
location ~* ^//(cron|boost_stats|update|authorize)\.php$ {
  limit_conn limreq 88;
  if ($is_bot) {
    return 404;
  }
  include fastcgi_params;
  # Database settings passed as FastCGI parameters (values not visible in
  # this listing); they are readable by every script this location runs.
  fastcgi_param db_type ;
  fastcgi_param db_name ;
  fastcgi_param db_user ;
  fastcgi_param db_passwd ;
  fastcgi_param db_host ;
  fastcgi_param db_port ;
  fastcgi_param HTTP_HOST .$host;
  fastcgi_param RAW_HOST $host;
  fastcgi_param SITE_SUBDIR ;
  fastcgi_param REDIRECT_STATUS 200;
  fastcgi_index index.php;
  # Script name is rebuilt from the regex capture plus a fixed ".php".
  set $real_fastcgi_script_name $1.php;
  fastcgi_param SCRIPT_FILENAME root}"; ?>/$real_fastcgi_script_name;
  tcp_nopush off;
  keepalive_requests 0;
  access_log off;
  try_files /$1.php =404; ### check for existence of php file first
  # NOTE(review): three fastcgi_pass targets are listed; nginx accepts one
  # per location, so presumably the template selects a single line through
  # conditionals not visible here - confirm.
  fastcgi_pass unix:/var/run/www53.fpm.socket;
  fastcgi_pass 127.0.0.1:9000;
  fastcgi_pass unix:/var/run/php5-fpm.sock;
}

###
### Allow access to /authorize.php and /update.php only for logged in admin user.
###
location ~* ^//((?:core/)?(authorize|update))\.php$ {
  set $real_fastcgi_script_name $1.php;
  # 418 is used as an internal signal: error_page turns it into a jump to
  # @allowupdate_, which runs the script. Everything else gets 404.
  error_page 418 = @allowupdate_;
  # NOTE(review): the test is only that $cache_uid is non-empty. $cache_uid
  # is defined outside this file; nothing here shows that it identifies an
  # admin, so the permission check inside Drupal must stay in force.
  if ( $cache_uid ) {
    return 418;
  }
  return 404;
}

###
### Rewrite legacy requests with //index.php to extension-free URL.
###
# NOTE(review): the capture group appears without its name here, while the
# rewrite uses $query_value; presumably the group carries that name in the
# original template - confirm.
if ( $args ~* "^q=(?.*)" ) {
  rewrite ^//index.php$ $scheme://$host//?q=$query_value? permanent;
}

###
### Send all non-static requests to php-fpm, restricted to known php file.
###
location = //index.php {
  # Reachable only through internal rewrites; direct client requests for
  # index.php are not served from here.
  internal;
  limit_conn limreq 88;
  # Diagnostic response headers. They show cache status, the cache key URI,
  # the $cache_uid value and the server name to every client.
  # NOTE(review): confirm this is wanted in production. Also, because this
  # location declares add_header itself, add_header lines from outer levels
  # (for example security headers in the server block) are not inherited.
  add_header X-Device "$device";
  add_header X-GeoIP-Country-Code "$geoip_country_code";
  add_header X-GeoIP-Country-Name "$geoip_country_name";
  add_header X-Speed-Cache "$upstream_cache_status";
  add_header X-Speed-Cache-UID "$cache_uid";
  add_header X-Speed-Cache-Key "$key_uri";
  add_header X-NoCache "$nocache_details";
  add_header X-This-Proto "$http_x_forwarded_proto";
  add_header X-Server-Name "$server_name";
  root root}"; ?>;
  include fastcgi_params;
  # Database settings passed as FastCGI parameters (values not visible in
  # this listing). They land in PHP's server environment, so output that
  # dumps it would reveal db_passwd.
  fastcgi_param db_type ;
  fastcgi_param db_name ;
  fastcgi_param db_user ;
  fastcgi_param db_passwd ;
  fastcgi_param db_host ;
  fastcgi_param db_port ;
  fastcgi_param HTTP_HOST .$host;
  fastcgi_param RAW_HOST $host;
  fastcgi_param SITE_SUBDIR ;
  fastcgi_param REDIRECT_STATUS 200;
  fastcgi_index index.php;
  # Fixed script name: the request URI never selects which file PHP runs.
  set $real_fastcgi_script_name index.php;
  fastcgi_param SCRIPT_FILENAME root}"; ?>/$real_fastcgi_script_name;
  add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
  tcp_nopush off;
  keepalive_requests 0;
  try_files /index.php =404; ### check for existence of php file first
  # NOTE(review): three fastcgi_pass targets are listed; nginx accepts one
  # per location, so presumably the template selects a single line through
  # conditionals not visible here - confirm.
  fastcgi_pass unix:/var/run/www53.fpm.socket;
  fastcgi_pass 127.0.0.1:9000;
  fastcgi_pass unix:/var/run/php5-fpm.sock;
  track_uploads uploads 60s; ### required for upload progress

###
### Use Nginx cache for all visitors.
###
  # Caching is switched off only for the AegirCookie, Args and Skip states.
  # A request marked "DrupalCookie" (non-empty $cache_uid) is still cached;
  # it is kept apart from other users only by $cache_uid in the cache key.
  # NOTE(review): $cache_uid is defined outside this file - confirm it is
  # unique per session, otherwise cached pages could cross between users.
  set $nocache "";
  if ( $nocache_details ~ (?:AegirCookie|Args|Skip) ) {
    set $nocache "NoCache";
  }
  fastcgi_cache speed;
  fastcgi_cache_methods GET HEAD; ### Nginx default, but added for clarity
  fastcgi_cache_min_uses 1;
  fastcgi_cache_key "$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg";
  fastcgi_cache_valid 200 10s;
  fastcgi_cache_valid 302 1m;
  fastcgi_cache_valid 301 403 404 5s;
  fastcgi_cache_valid 500 502 503 504 1s;
  # Cache-Control and Expires from the backend are ignored, so cacheability
  # is decided only by the directives in this block. Set-Cookie is not in
  # the list, which means nginx still declines to cache responses that set
  # a cookie - do not add it here.
  fastcgi_ignore_headers Cache-Control Expires;
  fastcgi_pass_header Set-Cookie;
  fastcgi_pass_header X-Accel-Expires;
  fastcgi_pass_header X-Accel-Redirect;
  # Requests with a NoCacheID cookie, an Authorization header, a Pragma
  # header or the $nocache flag are neither stored nor answered from cache.
  fastcgi_no_cache $cookie_NoCacheID $http_authorization $http_pragma $nocache;
  fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $http_pragma $nocache;
  fastcgi_cache_use_stale error http_500 http_503 invalid_header timeout updating;
}

###
### Deny access to any not listed above php files with 404 error.
###
# Default-deny for PHP: regex locations are tried in file order, so this
# must stay after every location that is meant to execute a .php file.
location ~* ^.+\.php$ {
  return 404;
}

}
###
### Master location for subdir support (end)
###

###
### Boost compatible cache check.
###
location @cache_ {
  # Each condition records why the static cache is skipped and returns 405,
  # which error_page below converts into a jump to @drupal_.
  if ( $request_method = POST ) {
    set $nocache_details "Method";
    return 405;
  }
  if ( $args ~* "nocache=1" ) {
    set $nocache_details "Args";
    return 405;
  }
  if ( $sent_http_x_force_nocache = "YES" ) {
    set $nocache_details "Skip";
    return 405;
  }
  if ( $http_cookie ~* "NoCacheID" ) {
    set $nocache_details "AegirCookie";
    return 405;
  }
  if ( $cache_uid ) {
    set $nocache_details "DrupalCookie";
    return 405;
  }
  error_page 405 = @drupal_;
  add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
  add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
  add_header X-Header "Boost Citrus 1.9";
  charset utf-8;
  # The cache file path is assembled from $host, $uri and $args, all of
  # which come from the request. NOTE(review): confirm the cache directory
  # holds only files that are safe to serve to anonymous visitors.
  try_files /cache/normal/$host${uri}_$args.html @drupal_;
}

###
### Send all not cached requests to drupal with clean URLs support.
###
location @drupal_ {
  # Requests carrying a query string are diverted to @nobots_ (via the 418
  # signal); the rest are rewritten internally to index.php?q=<path>.
  error_page 418 = @nobots_;
  if ($args) {
    return 418;
  }
  rewrite ^//(.*)$ //index.php?q=$1 last;
}

###
### Send all known bots to $args free URLs.
###
location @nobots_ {
  # The trailing "?" drops the query string from the redirect target.
  if ($is_bot) {
    rewrite ^ $scheme://$host$uri? permanent;
  }
###
### Return 404 on special PHP URLs to avoid revealing version used,
### even indirectly. See also: https://drupal.org/node/2116387
###
  if ( $args ~* "=PHP[A-Z0-9]{8}-" ) {
    return 404;
  }
  rewrite ^//(.*)$ //index.php?q=$1 last;
}

###
### Internal location for /authorize.php and /update.php restricted access.
###
# Named location: it cannot be requested directly and is entered only
# through an error_page jump. It does not set $real_fastcgi_script_name
# itself, so the referring location has to set it before jumping here.
location @allowupdate_ {
  limit_conn limreq 88;
  include fastcgi_params;
  # Database settings passed as FastCGI parameters (values not visible in
  # this listing).
  fastcgi_param db_type ;
  fastcgi_param db_name ;
  fastcgi_param db_user ;
  fastcgi_param db_passwd ;
  fastcgi_param db_host ;
  fastcgi_param db_port ;
  fastcgi_param HTTP_HOST .$host;
  fastcgi_param RAW_HOST $host;
  fastcgi_param SITE_SUBDIR ;
  fastcgi_param REDIRECT_STATUS 200;
  fastcgi_index index.php;
  fastcgi_param SCRIPT_FILENAME root}"; ?>/$real_fastcgi_script_name;
  tcp_nopush off;
  keepalive_requests 0;
  # NOTE(review): runs of update.php and authorize.php are not written to
  # the access log; for an audit trail of these privileged scripts consider
  # logging this location.
  access_log off;
  try_files /$real_fastcgi_script_name =404; ### check for existence of php file first
  # NOTE(review): three fastcgi_pass targets are listed; nginx accepts one
  # per location, so presumably the template selects a single line through
  # conditionals not visible here - confirm.
  fastcgi_pass unix:/var/run/www53.fpm.socket;
  fastcgi_pass 127.0.0.1:9000;
  fastcgi_pass unix:/var/run/php5-fpm.sock;
}

#######################################################
### nginx.conf site level extended vhost include end
### nginx.conf site level basic vhost include end
#######################################################