-
Notifications
You must be signed in to change notification settings - Fork 4
Expand file tree
/
Copy pathdefault.conf
More file actions
156 lines (125 loc) · 3.77 KB
/
default.conf
File metadata and controls
156 lines (125 loc) · 3.77 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
upstream php {
server ${PHP_HOST}:${PHP_PORT};
}
map $http_x_forwarded_proto $fastcgi_https {
default $https;
http '';
https on;
}
# We should use $host$request_uri to support redirects when nginx is serving multiple domains.
map $host$request_uri $new_host_and_uri {
include /etc/nginx/conf.d/redirects[.]map;
}
# We should use $request_uri to support redirects with query parameters.
map $request_uri $new_uri {
include /etc/nginx/conf.d/redirects[.]map;
}
# Custom configuration to be included dynamically.
include /etc/nginx/conf.d/custom/*.conf;
server {
access_log /var/log/nginx/access.log ${NGINX_ACCESS_LOG_FORMAT};
server_name ${NGINX_DEFAULT_SERVER_NAME};
# Please note that nginx always has a default server.
# In the absence of any server block explicitly marked
# as default_server , nginx will use the first server
# with a matching listen directive.
# If defaul_server is set, this server will be the
# default, catch all server, regardless of server_name.
listen ${NGINX_DEFAULT_SERVER_PORT} ${DEFAULT_SERVER};
#cspheader
#hstsheader
if ($new_host_and_uri) {
return 301 $new_host_and_uri;
}
if ($new_uri) {
return 301 $new_uri;
}
root ${NGINX_DEFAULT_ROOT};
index index.php;
include fastcgi.conf;
#httpsredirect
#securityheaders
include /etc/nginx/conf.d/fragments/*.conf;
# Just return for google gclb healthcheck.
if ($http_user_agent = 'GoogleHC/1.0') {
return 200;
}
location = /favicon.ico {
expires 30d;
# Google cloud cdn needs a Cache-Control: public header.
add_header Cache-Control "public";
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
# if the file is not present call the upstream server (useful for handling /robots.txt route via @rewrite handler)
try_files $uri @rewrite;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~* ^/\.well-known/.*\.php$ {
deny all;
}
location ~* ^/\.well-known(/|$) {
allow all;
}
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
location ~ (^|/)\. {
return 403;
}
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
location ~* (composer\.(json|lock)|package(-lock)?\.json)$ {
deny all;
return 404;
}
location / {
include /etc/nginx/conf.d/fragments/location/root/*.conf;
try_files $uri @rewrite;
}
location @rewrite {
rewrite ^ /index.php;
}
location ~ \.php$ {
include fastcgi.conf;
include /etc/nginx/conf.d/fragments/location/php/*.conf;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass php;
}
location ~ ^/sites/.*/files/styles/ {
expires 30d;
# Google cloud cdn needs a Cache-Control: public header.
add_header Cache-Control "public";
try_files $uri @rewrite;
}
# Handle private files through Drupal. Private file's path can come
# with a language prefix.
location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|svg|woff2|webp)$ {
expires 30d;
log_not_found off;
# Google cloud cdn needs a Cache-Control: public header.
add_header Cache-Control "public";
try_files $uri @rewrite;
}
location @rewriteQuery {
rewrite ^ /index.php?$query_string;
}
}