petrovnn

/etc/nginx/apps/drupal/drupal.conf

Nov 9th, 2015
  1. ### FOR DEMO FOLDER ###
  2.  
  3. #location /demo/ {
  4. # alias /var/www/sites/site.com/demo/$1;
  5. # try_files $uri @drupal;
  6. #}
  7.  
  8. ### END DEMO FOLDER ###
  9.  
  ## The 'default' location. The nested locations below refine the handling
  ## of specific paths and file types; anything they do not claim ends at
  ## the try_files at the bottom of this block.
  location / {

      ## Handling 404s in Drupal can impact performance. If using a module
      ## like search404 then 404s *have* to be handled by Drupal. Uncomment
      ## the line below to relay the handling of 404s to Drupal.
      ## error_page 404 /index.php;

      ## Using a nested location is the 'correct' way to use regexes.

      ## Regular private file serving (i.e. handled by Drupal). The request
      ## is handed to the PHP backend rather than served from disk by nginx.
      ## The ^~ modifier stops nginx from evaluating regex locations for
      ## these URIs, so the static-file regex further down does not apply.
      location ^~ /system/files/ {
          ## Include the specific FastCGI configuration. This is for a
          ## FCGI backend like php-cgi or php-fpm.
          include apps/drupal/fastcgi_drupal.conf;
          fastcgi_pass phpcgi;

          ## If proxying to apache comment the two lines above and
          ## uncomment the two lines below.
          #proxy_pass http://phpapache/index.php?q=$uri;
          #proxy_set_header Connection '';

          ## For not signaling a 404 in the error log whenever the
          ## system/files directory is accessed add the line below.
          ## Note that the 404 is the intended behavior.
          log_not_found off;
      }

      ## Trying to access private files directly returns a 404: 'internal'
      ## makes this location reachable only through nginx-internal
      ## redirects, never through a client request.
      ## NOTE(review): the path is hard-coded to sites/default; a private
      ## files directory configured elsewhere (multisite, custom path) is
      ## not covered by this rule -- confirm against the Drupal settings.
      location ^~ /sites/default/files/private/ {
          internal;
      }

      ## Support for the file_force module
      ## http://drupal.org/project/file_force.
      location ^~ /system/files_force/ {
          ## Include the specific FastCGI configuration. This is for a
          ## FCGI backend like php-cgi or php-fpm.
          include apps/drupal/fastcgi_drupal.conf;
          fastcgi_pass phpcgi;

          ## If proxying to apache comment the two lines above and
          ## uncomment the two lines below.
          #proxy_pass http://phpapache/index.php?q=$uri;
          #proxy_set_header Connection '';

          ## For not signaling a 404 in the error log whenever the
          ## system/files_force directory is accessed add the line below.
          ## Note that the 404 is the intended behavior.
          log_not_found off;
      }

      ## If accessing an image generated by Drupal 6 imagecache, serve it
      ## directly if available, if not relay the request to Drupal to (re)generate
      ## the image. The regex is unanchored, so it matches /imagecache/
      ## anywhere in the URI.
      location ~* /imagecache/ {
          ## Image hotlinking protection. If you want hotlinking
          ## protection for your images uncomment the following line.
          #include apps/drupal/hotlinking_protection.conf;

          access_log off;
          expires 30d;
          try_files $uri @drupal;
      }

      ## Drupal 7 generated image handling, i.e., imagecache in core. See:
      ## http://drupal.org/node/371374.
      location ~* /files/styles/ {
          ## Image hotlinking protection. If you want hotlinking
          ## protection for your images uncomment the following line.
          #include apps/drupal/hotlinking_protection.conf;

          access_log off;
          expires 30d;
          try_files $uri @drupal;
      }

      ## Advanced Aggregation module CSS
      ## support. http://drupal.org/project/advagg.
      ## NOTE(review): add_header directives are inherited from the enclosing
      ## level only when the current level defines none. Because this
      ## location sets its own, any add_header configured higher up (the FLV
      ## note below mentions X-Frame-Options in nginx.conf) is not sent for
      ## responses from here -- repeat security headers here if they are
      ## wanted on these responses.
      location ^~ /sites/default/files/advagg_css/ {
          expires max;
          add_header ETag '';
          add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
          add_header Accept-Ranges '';

          location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
              access_log off;
              try_files $uri @drupal;
          }
      }

      ## Advanced Aggregation module JS
      ## support. http://drupal.org/project/advagg.
      ## NOTE(review): as with any location that defines add_header itself,
      ## add_header directives set at an outer level are not inherited here.
      location ^~ /sites/default/files/advagg_js/ {
          expires max;
          add_header ETag '';
          add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
          add_header Accept-Ranges '';

          location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
              access_log off;
              try_files $uri @drupal;
          }
      }

      ## All static files will be served directly, without involving PHP.
      ## NOTE(review): the list includes html, xml and svg. If users can
      ## upload files with those extensions into a web-accessible files
      ## directory they are served from the site's own origin -- confirm
      ## that Drupal's upload extension restrictions account for this.
      location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {

          access_log off;
          expires 30d;
          ## No need to bleed constant updates. Send the whole shebang in one
          ## fell swoop.
          tcp_nodelay off;
          ## Cache open file descriptors and file metadata.
          open_file_cache max=3000 inactive=120s;
          open_file_cache_valid 45s;
          open_file_cache_min_uses 2;
          open_file_cache_errors off;
      }

      ## PDFs and powerpoint files handling.
      location ~* ^.+\.(?:pdf|pptx?)$ {
          expires 30d;
          ## No need to bleed constant updates. Send the whole shebang in one
          ## fell swoop.
          tcp_nodelay off;
      }

      ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
      ## As written, the 'aio on' lines below are commented out, so AIO is
      ## not enabled by this file.
      location ^~ /sites/default/files/audio/mp3 {
          location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
              directio 4k; # for XFS
              ## If you're using ext3 or similar uncomment the line below and comment the above.
              #directio 512; # for ext3 or similar (block alignments)
              tcp_nopush off;
              #aio on;
              output_buffers 1 2M;
          }
      }

      location ^~ /sites/default/files/audio/ogg {
          location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
              directio 4k; # for XFS
              ## If you're using ext3 or similar uncomment the line below and comment the above.
              #directio 512; # for ext3 or similar (block alignments)
              tcp_nopush off;
              #aio on;
              output_buffers 1 2M;
          }
      }

      ## Pseudo streaming of FLV files:
      ## http://wiki.nginx.org/HttpFlvStreamModule.
      ## If pseudo streaming isn't working, try to comment
      ## out in nginx.conf line with:
      ## add_header X-Frame-Options SAMEORIGIN;
      ## NOTE(review): X-Frame-Options is a clickjacking defence. Commenting
      ## it out in nginx.conf removes it from every response that inherited
      ## it, not only from FLV responses -- weigh that before following the
      ## workaround above.
      location ^~ /sites/default/files/video/flv {
          location ~* ^/sites/default/files/video/flv/.*\.flv$ {
              flv;
          }
      }

      ## Pseudo streaming of H264/AAC files. This requires an Nginx
      ## version greater or equal to 1.0.7 for the stable branch and
      ## greater or equal to 1.1.3 for the development branch.
      ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
      location ^~ /sites/default/files/video/mp4 { # videos
          location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
              mp4;
              mp4_buffer_size 1M;
              mp4_max_buffer_size 5M;
          }
      }

      location ^~ /sites/default/files/audio/m4a { # audios
          location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
              mp4;
              mp4_buffer_size 1M;
              mp4_max_buffer_size 5M;
          }
      }

      ## Advanced Help module makes each module provided README available.
      ## Only /help/<name>/README.txt is relayed to the PHP backend; the
      ## ^~ prefix keeps the text-file blocking regex below from applying
      ## to /help/ URIs.
      location ^~ /help/ {
          location ~* ^/help/[^/]*/README\.txt$ {
              ## Include the specific FastCGI configuration. This is for a
              ## FCGI backend like php-cgi or php-fpm.
              include apps/drupal/fastcgi_drupal.conf;
              fastcgi_pass phpcgi;

              ## If proxying to apache comment the two lines above and
              ## uncomment the two lines below.
              #proxy_pass http://phpapache/index.php?q=$uri;
              #proxy_set_header Connection '';
          }
      }

      ## Replicate the Apache <FilesMatch> directive of Drupal standard
      ## .htaccess. Disable access to any code files. Return a 404 to curtail
      ## information disclosure. Hide also the text files.
      ## Regex locations are tried in the order they appear and the first
      ## match wins, and they are skipped entirely for URIs claimed by a ^~
      ## prefix location. NOTE(review): a URI that matches one of the regex
      ## locations above (for example one containing /imagecache/ or
      ## /files/styles/) or that sits under one of the ^~ prefixes therefore
      ## never reaches this rule -- confirm no code or text files are stored
      ## under those paths.
      location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
          return 404;
      }

      ## First we try the URI and relay to the /index.php?q=$uri&$args if not found.
      try_files $uri @drupal;
  }
  217.  
  218. ########### Security measures ##########
  219.  
  220. ## Uncomment the line below if you want to enable basic auth for
  221. ## access to all /admin URIs. Note that this provides much better
  222. ## protection if you use HTTPS, since basic auth credentials can
  223. ## easily be eavesdropped over plain HTTP.
  224. #include apps/drupal/admin_basic_auth.conf;
  225.  
  ## Restrict access to the strictly necessary PHP files, reducing the
  ## scope for exploits. This named location handles PHP code and the
  ## Drupal event loop; being a named location it can only be reached
  ## through internal redirects such as try_files, not by a client URI.
  location @drupal {
      ## Include the FastCGI config.
      ## NOTE(review): the included file is not shown here; presumably it
      ## pins the executed script to Drupal's index.php (the commented
      ## proxy_pass below targets index.php?q=$uri) -- confirm.
      include apps/drupal/fastcgi_drupal.conf;
      ## 'phpcgi' is an upstream name that must be defined outside this file.
      fastcgi_pass phpcgi;

      ## FastCGI microcache.
      include apps/drupal/microcache_fcgi.conf;
      ## FCGI microcache for authenticated users also.
      ## NOTE(review): caching responses for logged-in users is only safe if
      ## the cache key keeps one user's pages from being served to another;
      ## check the key in the included file before enabling this line.
      #include apps/drupal/microcache_fcgi_auth.conf;

      ## If proxying to apache comment the two lines above and
      ## uncomment the two lines below.
      #proxy_pass http://phpapache/index.php?q=$uri;
      #proxy_set_header Connection '';

      ## Proxy microcache.
      #include apps/drupal/microcache_proxy.conf;
      ## Proxy microcache for authenticated users also.
      #include apps/drupal/microcache_proxy_auth.conf;

      ## Filefield Upload progress
      ## http://drupal.org/project/filefield_nginx_progress support
      ## through the NginxUploadProgress modules.
      ## Tracks uploads in the 'uploads' zone for 60s; the zone is assumed
      ## to be declared elsewhere in the nginx configuration.
      track_uploads uploads 60s;
  }
  253.  
  ## Named location used by the exact-match locations for robots.txt,
  ## rss.xml and sitemap.xml. It differs from @drupal only in the FastCGI
  ## include it uses and in not tracking uploads.
  location @drupal-no-args {
      ## Include the specific FastCGI configuration. This is for a
      ## FCGI backend like php-cgi or php-fpm.
      ## NOTE(review): judging by its name this variant does not forward the
      ## query string to Drupal; the file is not shown here -- confirm.
      include apps/drupal/fastcgi_no_args_drupal.conf;
      fastcgi_pass phpcgi;

      ## FastCGI microcache.
      include apps/drupal/microcache_fcgi.conf;
      ## FCGI microcache for authenticated users also.
      ## NOTE(review): check that the cache key separates users before
      ## enabling the authenticated-user cache.
      #include apps/drupal/microcache_fcgi_auth.conf;

      ## If proxying to apache comment the two lines above and
      ## uncomment the two lines below.
      #proxy_pass http://phpapache/index.php?q=$uri;
      #proxy_set_header Connection '';

      ## Proxy microcache.
      #include apps/drupal/microcache_proxy.conf;
      ## Proxy microcache for authenticated users also.
      #include apps/drupal/microcache_proxy_auth.conf;
  }
  275.  
  ## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
  ## 404 so as not to disclose information.
  ## These are prefix matches anchored at the start of the URI, so they
  ## cover the names at the document root only (plus anything else whose
  ## path begins with the same characters, e.g. /.gitignore).
  ## NOTE(review): a version-control directory nested deeper in the tree
  ## (for example inside a module checkout) is not matched by these rules --
  ## confirm none is deployed, or add a rule that covers nested paths.
  location ^~ /.bzr {
      return 404;
  }

  location ^~ /.git {
      return 404;
  }

  location ^~ /.hg {
      return 404;
  }

  location ^~ /.svn {
      return 404;
  }

  location ^~ /.cvs {
      return 404;
  }
  297.  
  ## Disallow access to patches directory.
  ## Prefix match without a trailing slash: every URI that begins with
  ## /patches gets a 404, not only the directory itself.
  location ^~ /patches {
      return 404;
  }
  302.  
  ## Disallow access to drush backup directory.
  ## Prefix match without a trailing slash: every URI that begins with
  ## /backup gets a 404. NOTE(review): this only protects a backup directory
  ## that lives at this exact path -- confirm where drush writes backups.
  location ^~ /backup {
      return 404;
  }
  307.  
  ## Disable access logs for robots.txt. Exact-match location, so it takes
  ## effect for /robots.txt only.
  location = /robots.txt {
      access_log off;
      ## Add support for the robotstxt module
      ## http://drupal.org/project/robotstxt.
      ## Serve the file from disk if present, otherwise let Drupal answer.
      try_files $uri @drupal-no-args;
  }
  315.  
  ## RSS feed support. Exact match on /rss.xml: serve the file from disk if
  ## it exists, otherwise relay the request to Drupal.
  location = /rss.xml {
      try_files $uri @drupal-no-args;
  }
  320.  
  ## XML Sitemap support. Exact match on /sitemap.xml: serve the file from
  ## disk if it exists, otherwise relay the request to Drupal.
  location = /sitemap.xml {
      try_files $uri @drupal-no-args;
  }
  325.  
  ## Support for favicon. Return a 1x1 transparent GIF if it doesn't
  ## exist, so a missing favicon never reaches the PHP backend.
  location = /favicon.ico {
      expires 30d;
      try_files /favicon.ico @empty;
  }
  332.  
  ## Return an in memory 1x1 transparent GIF. Named location, used as the
  ## fallback of the favicon rule.
  location @empty {
      expires 30d;
      empty_gif;
  }
  338.  
  ## Any other attempt to access PHP files returns a 404, so a .php URI is
  ## never executed just because the file exists on disk. The match is
  ## case-insensitive.
  ## NOTE(review): regex locations are not evaluated for URIs whose longest
  ## prefix match is a ^~ location, so this rule does not cover paths under
  ## those prefixes; what happens to a .php file there depends on that
  ## location alone -- confirm no PHP source is stored under them.
  location ~* ^.+\.php$ {
      return 404;
  }