From eea13372b3fae17a781d48833ec341a0359b03b5 Mon Sep 17 00:00:00 2001
From: Glyn Gray
Date: Sat, 20 Jan 2024 18:23:36 -0800
Subject: [PATCH 1/5] Drupal Vhost updates + Varnish, and Sendy Vhost.

---
 v2-varnish/Drupal/Drupal 10 | 102 +++++++++++++++++++++++++++++------
 v2-varnish/Drupal/Drupal 9 | 105 ++++++++++++++++++++++++++++++------
 v2/Drupal/Drupal 9 | 60 +++++++++++++++------
 v2/Sendy/Sendy | 80 +++++++++++++++++++++++++++
 4 files changed, 298 insertions(+), 49 deletions(-)
 create mode 100644 v2/Sendy/Sendy

diff --git a/v2-varnish/Drupal/Drupal 10 b/v2-varnish/Drupal/Drupal 10
index fac3d6d..64f4669 100755
--- a/v2-varnish/Drupal/Drupal 10
+++ b/v2-varnish/Drupal/Drupal 10
@@ -20,9 +20,36 @@ server {
 auth_basic off;
 allow all;
 }
-
+ rewrite ^/core/authorize.php/core/authorize.php(.*)$ /core/authorize.php$1;
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location ~ \..*/.*\.php$ {
+ return 403;
+ }
+
+ location ~ ^/sites/.*/private/ {
+ return 403;
+ }
+
+ # Block access to scripts in site files directory.
+ location ~ ^/sites/[^/]+/files/.*\.php$ {
+ deny all;
+ }
+
+ # Block access to "hidden" files and directories whose names begin with a
+ # period. This includes directories used by version control systems such
+ # as Subversion or Git to store control files.
 location ~ (^|/)\. {
 return 403;
 }
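Review bot: The new `location ~ \..*/.*\.php$ { return 403; }` is the least obvious rule in this hunk and carries no comment; I would add `# Refuse PHP under any path segment that contains a dot (e.g. /foo.bar/x.php) — not a path Drupal is expected to serve.` above it, and `# Private files must go through Drupal via /system/files/, never be served directly.` above the `/sites/.*/private/` block. The three new blocks also mix `return 403` and `deny all` for the same intent; `deny all` answers in the access phase while `return 403` short-circuits in the rewrite phase, so pick one form consistently (the existing dotfile rule below uses `return 403`). The `server` block these locations belong to begins before this hunk.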
@@ -33,25 +60,29 @@ server {
 try_files $uri @rewrite;
 }
- location / {
- try_files $uri /index.php?$query_string;
- }
-
 location @rewrite {
 rewrite ^ /index.php;
 }
- location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
+ # Handle private files through Drupal.
+ location ~ ^(/[a-z\-]+)?/system/files/ {
 try_files $uri /index.php?$query_string;
 }
+ # Don't allow direct access to PHP files in the vendor directory.
+ location ~ /vendor/.*\.php$ {
+ deny all;
+ return 404;
+ }
+
+ # Enforce clean URLs
 if ($request_uri ~* "^(.*/)index\.php/(.*)") {
 return 307 $1$2;
 }
 index index.php index.html;
- location ~ ^/update.php {
+ location ~ '\.php$|^/update.php' {
 fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
 try_files $fastcgi_script_name =404;
 include fastcgi_params;
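Review bot: In the new `location ~ /vendor/.*\.php$` block the `deny all` is dead: `return 404` is executed in the rewrite phase, before the access phase, so the response is always 404 and `deny all` never fires. Either drop `deny all` or document it, e.g. `# return wins over deny here; 404 on purpose so the vendor tree is not enumerable`. Separately, `location ~ '\.php$|^/update.php'` is a regex location and therefore takes precedence over the prefix `location /` that this patch turns into a Varnish proxy, so every `*.php` request reaches PHP-FPM directly and never passes through Varnish — worth a one-line comment stating that this is intended. The fastcgi block continues past the end of this hunk.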
@@ -65,12 +96,58 @@ server {
 fastcgi_param PHP_VALUE "{{php_settings}}";
 }
- location ~ \.php$ {
+ location / {
+ {{varnish_proxy_pass}}
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_hide_header X-Varnish;
+ proxy_redirect off;
+ proxy_max_temp_file_size 0;
+ proxy_connect_timeout 720;
+ proxy_send_timeout 720;
+ proxy_read_timeout 720;
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+ proxy_temp_file_write_size 256k;
+ }
+
+ # Protect files and directories from prying eyes.
+ location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+ deny all;
+ return 404;
+ }
+
+ location ~* \.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|woff2|eot|mp4|ogg|ogv|webm|webp|zip|swf)$ {
+ add_header Access-Control-Allow-Origin "*";
+ try_files $uri @rewrite;
+ expires max;
+ access_log off;
+ }
+
+ if (-f $request_filename) {
+ break;
+ }
+}
+
+server {
+ listen 8080;
+ listen [::]:8080;
+ {{server_name}}
+ {{root}}
+
+ try_files $uri $uri/ /index.php?$args;
+ index index.php index.html;
+
+ location ~ \.php$|^/update.php {
+ fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+ try_files $fastcgi_script_name =404;
 include fastcgi_params;
 fastcgi_intercept_errors on;
 fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- try_files $uri =404;
 fastcgi_read_timeout 3600;
 fastcgi_send_timeout 3600;
 fastcgi_param HTTPS $fastcgi_https;
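Review bot: The new backend `server { listen 8080; listen [::]:8080; ... }` binds to every interface and carries only the PHP handler plus `try_files $uri $uri/ /index.php?$args`, so any client that can reach port 8080 bypasses Varnish and every protection that lives only in the front-end server (the `deny`/`return 403` rules for `sites/*/files/*.php`, `/vendor/`, dotfiles and the "prying eyes" list), and can spoof `X-Forwarded-For`/`X-Real-IP` because the backend trusts whatever arrives. If Varnish runs on the same host, bind locally with `listen 127.0.0.1:8080;` and `listen [::1]:8080;`; if it is remote, add `allow <varnish-ip>; deny all;` to that server block instead. The proxy block also never sends `X-Forwarded-Proto`, and the backend's `fastcgi_param HTTPS $fastcgi_https` (a map defined outside this file, presumably on `$https`) will describe the plain-HTTP hop from Varnish rather than the client connection; add `proxy_set_header X-Forwarded-Proto $scheme;` and make sure Drupal's reverse-proxy settings trust the Varnish address. The backend's PHP location continues past the end of this hunk.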
@@ -78,13 +155,6 @@ server {
 fastcgi_param PHP_VALUE "{{php_settings}}";
 }
- location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|ico|woff|woff2|eot|mp4|ogg|ogv|webm|webp|zip|swf)$ {
- add_header Access-Control-Allow-Origin "*";
- try_files $uri @rewrite;
- expires max;
- access_log off;
- }
-
 if (-f $request_filename) {
 break;
 }
diff --git a/v2-varnish/Drupal/Drupal 9 b/v2-varnish/Drupal/Drupal 9
index add8c84..65d92d4 100755
--- a/v2-varnish/Drupal/Drupal 9
+++ b/v2-varnish/Drupal/Drupal 9
@@ -20,9 +20,36 @@ server {
 auth_basic off;
 allow all;
 }
-
+ rewrite ^/core/authorize.php/core/authorize.php(.*)$ /core/authorize.php$1;
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location ~ \..*/.*\.php$ {
+ return 403;
+ }
+
+ location ~ ^/sites/.*/private/ {
+ return 403;
+ }
+
+ # Block access to scripts in site files directory.
+ location ~ ^/sites/[^/]+/files/.*\.php$ {
+ deny all;
+ }
+
+ # Block access to "hidden" files and directories whose names begin with a
+ # period. This includes directories used by version control systems such
+ # as Subversion or Git to store control files.
 location ~ (^|/)\. {
 return 403;
 }
@@ -33,25 +60,29 @@ server {
 try_files $uri @rewrite;
 }
- location / {
- try_files $uri /index.php?$query_string;
- }
-
 location @rewrite {
- rewrite ^/(.*)$ /index.php?q=$1;
+ rewrite ^ /index.php;
 }
- location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
+ # Handle private files through Drupal.
+ location ~ ^(/[a-z\-]+)?/system/files/ {
 try_files $uri /index.php?$query_string;
 }
+ # Don't allow direct access to PHP files in the vendor directory.
+ location ~ /vendor/.*\.php$ {
+ deny all;
+ return 404;
+ }
+
+ # Enforce clean URLs
 if ($request_uri ~* "^(.*/)index\.php/(.*)") {
 return 307 $1$2;
 }
 index index.php index.html;
- location ~ ^/update.php {
+ location ~ '\.php$|^/update.php' {
 fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
 try_files $fastcgi_script_name =404;
 include fastcgi_params;
@@ -65,12 +96,58 @@ server {
 fastcgi_param PHP_VALUE "{{php_settings}}";
 }
- location ~ \.php$ {
+ location / {
+ {{varnish_proxy_pass}}
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_hide_header X-Varnish;
+ proxy_redirect off;
+ proxy_max_temp_file_size 0;
+ proxy_connect_timeout 720;
+ proxy_send_timeout 720;
+ proxy_read_timeout 720;
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+ proxy_temp_file_write_size 256k;
+ }
+
+ # Protect files and directories from prying eyes.
+ location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+ deny all;
+ return 404;
+ }
+
+ location ~* \.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|woff2|eot|mp4|ogg|ogv|webm|webp|zip|swf)$ {
+ add_header Access-Control-Allow-Origin "*";
+ try_files $uri @rewrite;
+ expires max;
+ access_log off;
+ }
+
+ if (-f $request_filename) {
+ break;
+ }
+}
+
+server {
+ listen 8080;
+ listen [::]:8080;
+ {{server_name}}
+ {{root}}
+
+ try_files $uri $uri/ /index.php?$args;
+ index index.php index.html;
+
+ location ~ \.php$|^/update.php {
+ fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+ try_files $fastcgi_script_name =404;
 include fastcgi_params;
 fastcgi_intercept_errors on;
 fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- try_files $uri =404;
 fastcgi_read_timeout 3600;
 fastcgi_send_timeout 3600;
 fastcgi_param HTTPS $fastcgi_https;
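Review bot: The new `server { listen 8080; listen [::]:8080; ... }` backend accepts connections on every interface while carrying only `try_files $uri $uri/ /index.php?$args` and the PHP handler, so anything that can reach port 8080 skips Varnish and all of the `deny`/`return 403` rules that exist only in the front-end server, and can forge `X-Forwarded-For`/`X-Real-IP` because the backend trusts whatever arrives. Bind it to loopback with `listen 127.0.0.1:8080;` / `listen [::1]:8080;` when Varnish is local, or add `allow <varnish-ip>; deny all;` to that server block when it is not. In the "prying eyes" location, the `^(\.(?!well-known).*|Entries.*|...|composer\.(json|lock)|web\.config)$` and `^#.*#$` alternatives can never match because `$uri` always starts with `/`; replace those two `^` anchors with `(^|/)` so `/composer.lock` and `/web.config` are actually hidden. The backend's PHP location continues past the end of this hunk.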
@@ -78,13 +155,7 @@ server {
 fastcgi_param PHP_VALUE "{{php_settings}}";
 }
- location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|ico|woff|woff2|eot|mp4|ogg|ogv|webm|webp|zip|swf)$ {
- add_header Access-Control-Allow-Origin "*";
- expires max;
- access_log off;
- }
-
 if (-f $request_filename) {
 break;
 }
-}
\ No newline at end of file
+}
diff --git a/v2/Drupal/Drupal 9 b/v2/Drupal/Drupal 9
index add8c84..3668474 100755
--- a/v2/Drupal/Drupal 9
+++ b/v2/Drupal/Drupal 9
@@ -20,9 +20,36 @@ server {
 auth_basic off;
 allow all;
 }
-
+ rewrite ^/core/authorize.php/core/authorize.php(.*)$ /core/authorize.php$1;
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location ~ \..*/.*\.php$ {
+ return 403;
+ }
+
+ location ~ ^/sites/.*/private/ {
+ return 403;
+ }
+
+ # Block access to scripts in site files directory.
+ location ~ ^/sites/[^/]+/files/.*\.php$ {
+ deny all;
+ }
+
+ # Block access to "hidden" files and directories whose names begin with a
+ # period. This includes directories used by version control systems such
+ # as Subversion or Git to store control files.
 location ~ (^|/)\. {
 return 403;
 }
@@ -38,20 +65,28 @@ server {
 }
 location @rewrite {
- rewrite ^/(.*)$ /index.php?q=$1;
+ rewrite ^ /index.php;
 }
- location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
+ # Handle private files through Drupal.
+ location ~ ^(/[a-z\-]+)?/system/files/ {
 try_files $uri /index.php?$query_string;
 }
+ # Don't allow direct access to PHP files in the vendor directory.
+ location ~ /vendor/.*\.php$ {
+ deny all;
+ return 404;
+ }
+
+ # Enforce clean URLs.
 if ($request_uri ~* "^(.*/)index\.php/(.*)") {
 return 307 $1$2;
 }
 index index.php index.html;
- location ~ ^/update.php {
+ location ~ \.php$|^/update.php {
 fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
 try_files $fastcgi_script_name =404;
 include fastcgi_params;
@@ -65,17 +100,10 @@ server {
 fastcgi_param PHP_VALUE "{{php_settings}}";
 }
- location ~ \.php$ {
- include fastcgi_params;
- fastcgi_intercept_errors on;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- try_files $uri =404;
- fastcgi_read_timeout 3600;
- fastcgi_send_timeout 3600;
- fastcgi_param HTTPS $fastcgi_https;
- fastcgi_pass 127.0.0.1:{{php_fpm_port}};
- fastcgi_param PHP_VALUE "{{php_settings}}";
+ # Protect files and directories from prying eyes.
+ location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+ deny all;
+ return 404;
 }
 location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|ico|woff|woff2|eot|mp4|ogg|ogv|webm|webp|zip|swf)$ {
@@ -87,4 +115,4 @@ server {
 if (-f $request_filename) {
 break;
 }
-}
\ No newline at end of file
+}
diff --git a/v2/Sendy/Sendy b/v2/Sendy/Sendy
new file mode 100644
index 0000000..594c224
--- /dev/null
+++ b/v2/Sendy/Sendy
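Review bot: In the new "prying eyes" location the alternatives `^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$` and `^#.*#$` are anchored at the start of `$uri`, which always begins with `/`, so `/composer.lock`, `/web.config` or `/Entries` never match and fall through to the static handler below; this looks like Drupal's `.htaccess` `FilesMatch` pattern, which matches basenames, carried over unchanged. Change both anchors to `(^|/)`, i.e. `|(^|/)(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|(^|/)#.*#$|`, so the rule hides those files at any depth; whether `composer.*` actually sits under `{{root}}` depends on the project layout, but the rule should work either way. Also note that `deny all` followed by `return 404` is redundant — `return` runs in the rewrite phase, so the access-phase `deny` never executes and the answer is always 404 — which is fine if a comment says so. The enclosing `server` block starts before this hunk.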
@@ -0,0 +1,80 @@
+server {
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ {{ssl_certificate_key}}
+ {{ssl_certificate}}
+ {{server_name}}
+ {{root}}
+
+ {{nginx_access_log}}
+ {{nginx_error_log}}
+
+ add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+ if ($scheme != "https") {
+ rewrite ^ https://$host$uri permanent;
+ }
+
+ location ~ /.well-known {
+ auth_basic off;
+ allow all;
+ }
+
+ {{settings}}
+
+ index index.php;
+ autoindex off;
+
+ location / {
+ try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
+ }
+
+ location /l/ {
+ rewrite ^/l/([a-zA-Z0-9/]+)$ /l.php?i=$1 last;
+ }
+
+ location /t/ {
+ rewrite ^/t/([a-zA-Z0-9/]+)$ /t.php?i=$1 last;
+ }
+
+ location /w/ {
+ rewrite ^/w/([a-zA-Z0-9/]+)$ /w.php?i=$1 last;
+ }
+
+ location /unsubscribe/ {
+ rewrite ^/unsubscribe/(.*)$ /unsubscribe.php?i=$1 last;
+ }
+
+ location /subscribe/ {
+ rewrite ^/subscribe/(.*)$ /subscribe.php?i=$1 last;
+ }
+
+ location /confirm/ {
+ rewrite ^/confirm/(.*)$ /confirm.php?i=$1 last;
+ }
+
+ location ~ \.php$ {
+ include fastcgi_params;
+ fastcgi_intercept_errors on;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ try_files $uri =404;
+ fastcgi_read_timeout 3600;
+ fastcgi_send_timeout 3600;
+ fastcgi_param HTTPS $fastcgi_https;
+ fastcgi_pass 127.0.0.1:{{php_fpm_port}};
+ fastcgi_param PHP_VALUE "{{php_settings}}";
+ }
+
+ location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|woff2|eot|mp4|ogg|ogv|webm|webp|zip|swf)$ {
+ add_header Access-Control-Allow-Origin "*";
+ expires max;
+ access_log off;
+ }
+
+ if (-f $request_filename) {
+ break;
+ }
+}

From 9409e6b40d9dec6a302e8a1464d96cac8eb31c61 Mon Sep 17 00:00:00 2001
From: Glyn Gray
Date: Sat, 20 Jan 2024 18:27:15 -0800
Subject: [PATCH 2/5] Tabs to spaces

---
 v2/Sendy/Sendy | 50 +++++++++++++++++++++++++-------------------------
 1 file changed, 25 insertions(+), 25 deletions(-)
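Review bot: The Sendy vhost has no dotfile rule like the Drupal templates' `location ~ (^|/)\. { return 403; }`, so `/.git/config`, `/.env` or `/.htaccess` under `{{root}}` are served as static files by the `try_files` in `location /`; add that rule right after the `.well-known` location (regex locations are tried in order, so `.well-known` still wins). Nothing prevents PHP execution under an upload directory either — if Sendy's `uploads/` sits under the web root, as in its default layout, place `location ~ ^/uploads/.*\.php$ { deny all; }` above `location ~ \.php$`, because otherwise any script that lands there is executed by the later PHP location. The `rewrite ^ https://$host$uri permanent;` redirect also discards the query string and echoes the client-supplied `Host` header, which becomes an open redirect if this vhost is the default server; `return 301 https://$host$request_uri;` keeps the query, and using `$server_name` (when `{{server_name}}` expands to a single name) pins the target.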
diff --git a/v2/Sendy/Sendy b/v2/Sendy/Sendy
index 594c224..fb7c2c8 100644
--- a/v2/Sendy/Sendy
+++ b/v2/Sendy/Sendy
@@ -14,12 +14,12 @@ server {
 add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 if ($scheme != "https") {
- rewrite ^ https://$host$uri permanent;
+ rewrite ^ https://$host$uri permanent;
 }
 location ~ /.well-known {
- auth_basic off;
- allow all;
+ auth_basic off;
+ allow all;
 }
 {{settings}}
@@ -28,53 +28,53 @@ server {
 autoindex off;
 location / {
- try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
+ try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
 }
 location /l/ {
- rewrite ^/l/([a-zA-Z0-9/]+)$ /l.php?i=$1 last;
+ rewrite ^/l/([a-zA-Z0-9/]+)$ /l.php?i=$1 last;
 }
 location /t/ {
- rewrite ^/t/([a-zA-Z0-9/]+)$ /t.php?i=$1 last;
+ rewrite ^/t/([a-zA-Z0-9/]+)$ /t.php?i=$1 last;
 }
 location /w/ {
- rewrite ^/w/([a-zA-Z0-9/]+)$ /w.php?i=$1 last;
+ rewrite ^/w/([a-zA-Z0-9/]+)$ /w.php?i=$1 last;
 }
- location /unsubscribe/ {
- rewrite ^/unsubscribe/(.*)$ /unsubscribe.php?i=$1 last;
+ location /unsubscribe/ {
+ rewrite ^/unsubscribe/(.*)$ /unsubscribe.php?i=$1 last;
 }
 location /subscribe/ {
- rewrite ^/subscribe/(.*)$ /subscribe.php?i=$1 last;
+ rewrite ^/subscribe/(.*)$ /subscribe.php?i=$1 last;
 }
 location /confirm/ {
- rewrite ^/confirm/(.*)$ /confirm.php?i=$1 last;
+ rewrite ^/confirm/(.*)$ /confirm.php?i=$1 last;
 }
 location ~ \.php$ {
- include fastcgi_params;
- fastcgi_intercept_errors on;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- try_files $uri =404;
- fastcgi_read_timeout 3600;
- fastcgi_send_timeout 3600;
- fastcgi_param HTTPS $fastcgi_https;
- fastcgi_pass 127.0.0.1:{{php_fpm_port}};
- fastcgi_param PHP_VALUE "{{php_settings}}";
+ include fastcgi_params;
+ fastcgi_intercept_errors on;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ try_files $uri =404;
+ fastcgi_read_timeout 3600;
+ fastcgi_send_timeout 3600;
+ fastcgi_param HTTPS $fastcgi_https;
+ fastcgi_pass 127.0.0.1:{{php_fpm_port}};
+ fastcgi_param PHP_VALUE "{{php_settings}}";
 }
 location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|woff2|eot|mp4|ogg|ogv|webm|webp|zip|swf)$ {
- add_header Access-Control-Allow-Origin "*";
- expires max;
- access_log off;
+ add_header Access-Control-Allow-Origin "*";
+ expires max;
+ access_log off;
 }
 if (-f $request_filename) {
- break;
+ break;
 }
 }

From d329a7a7beffcc1fb7d947e178a02ea2836b53fa Mon Sep 17 00:00:00 2001
From: Glyn Gray
Date: Thu, 25 Apr 2024 02:51:24 -0700
Subject: [PATCH 3/5] Update Drupal 10

Added files support (css|js|styles)
---
 v2-varnish/Drupal/Drupal 10 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/v2-varnish/Drupal/Drupal 10 b/v2-varnish/Drupal/Drupal 10
index 64f4669..36850d3 100755
--- a/v2-varnish/Drupal/Drupal 10
+++ b/v2-varnish/Drupal/Drupal 10
@@ -56,7 +56,7 @@ server {
 {{settings}}
- location ~ ^/sites/.*/files/styles/ {
+ location ~ ^/sites/.*/files/(css|js|styles)/ {
 try_files $uri @rewrite;
 }

From 214f3b5a15a74cf895589b7e96d871ca853b9c38 Mon Sep 17 00:00:00 2001
From: Glyn Gray
Date: Thu, 25 Apr 2024 02:52:01 -0700
Subject: [PATCH 4/5] Update Drupal 9

Updated files support (css|js|styles)
---
 v2-varnish/Drupal/Drupal 9 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/v2-varnish/Drupal/Drupal 9 b/v2-varnish/Drupal/Drupal 9
index 65d92d4..57cb72c 100755
--- a/v2-varnish/Drupal/Drupal 9
+++ b/v2-varnish/Drupal/Drupal 9
@@ -56,7 +56,7 @@ server {
 {{settings}}
- location ~ ^/sites/.*/files/styles/ {
+ location ~ ^/sites/.*/files/(css|js|styles)/ {
 try_files $uri @rewrite;
 }

From 9f8ae5a954ac86239fb85b2723c8dcc438caec26 Mon Sep 17 00:00:00 2001
From: Glyn Gray
Date: Thu, 25 Apr 2024 02:53:58 -0700
Subject: [PATCH 5/5] Update Drupal 9

Updated files support (css|js|styles)
---
 v2/Drupal/Drupal 9 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/v2/Drupal/Drupal 9 b/v2/Drupal/Drupal 9
index 3668474..95b2003 100755
--- a/v2/Drupal/Drupal 9
+++ b/v2/Drupal/Drupal 9
@@ -56,7 +56,7 @@ server {
 {{settings}}
- location ~ ^/sites/.*/files/styles/ {
+ location ~ ^/sites/.*/files/(css|js|styles)/ {
 try_files $uri @rewrite;
 }