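# Main nginx configuration for a Drupal site with SimpleSAMLphp, served over
# TLS on dactest.mydomain.com and handing PHP to FastCGI on 127.0.0.1:9000.
#
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
# NOTE(review): "debug" is the most verbose level and can write request
# details (headers, FastCGI parameters) to disk. On anything but a
# short-lived troubleshooting session, prefer "warn" or "error".
error_log /var/log/nginx/error.log debug;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    server_names_hash_bucket_size 128;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    # Catch-all for plain HTTP: requests whose Host matches no other server
    # block are closed without a response (444).
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name "";
        return 444;
    }

    # Catch-all for HTTPS. The handshake still completes with the site
    # certificate before the connection is closed with 444.
    # NOTE(review): this block sets no ssl_protocols/ssl_ciphers, so it runs
    # on nginx's built-in defaults; declaring both at http level keeps every
    # listener on one TLS policy. On nginx 1.19.4+ "ssl_reject_handshake on;"
    # would also avoid presenting the real certificate to unknown names.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate /etc/ssl/dactest.mydomain.com/fullchain3.pem;
        ssl_certificate_key /etc/ssl/dactest.mydomain.com/privkey3.pem;
        return 444;
    }

    # Redirect plain HTTP for the site to HTTPS.
    server {
        listen 80;
        server_name dactest.mydomain.com;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name dactest.mydomain.com;

        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_certificate /etc/ssl/dactest.mydomain.com/fullchain3.pem;
        ssl_certificate_key /etc/ssl/dactest.mydomain.com/privkey3.pem;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/dactest.mydomain.com/dhparam.pem;

        client_max_body_size 100M;

        root /var/www/html/dac/dacmarketplace/web;
        # NOTE(review): debug-level logging again; see the note on the
        # top-level error_log directive.
        error_log /var/log/nginx/error.log debug;

        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # Very rarely should these ever be accessed outside of your lan
        # location ~* \.(txt|log)$ {
        #     allow 192.168.0.0/16;
        #     deny all;
        # }

        location ~ \..*/.*\.php$ {
            return 403;
        }

        location ~ ^/sites/.*/private/ {
            return 403;
        }

        # Block access to scripts in site files directory
        location ~ ^/sites/[^/]+/files/.*\.php$ {
            deny all;
        }

        # Allow "Well-Known URIs" as per RFC 5785.
        # The dot is escaped so that only the literal "/.well-known/" prefix
        # is exempted from the hidden-file rule below.
        location ~* ^/\.well-known/ {
            allow all;
        }

        # Block access to "hidden" files and directories whose names begin with a
        # period. This includes directories used by version control systems such
        # as Subversion or Git to store control files.
        location ~ (^|/)\. {
            return 403;
        }

        location / {
            # try_files $uri @rewrite; # For Drupal <= 6
            try_files $uri /index.php?$query_string; # For Drupal >= 7
        }

        location @rewrite {
            rewrite ^/(.*)$ /index.php?q=$1;
        }

        # Don't allow direct access to PHP files in the vendor directory.
        location ~ /vendor/.*\.php$ {
            deny all;
            return 404;
        }

        # Protect files and directories from prying eyes.
        location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
            deny all;
            return 404;
        }

        # In Drupal 8, we must also match new paths where the '.php' appears in
        # the middle, such as update.php/selection. The rule we use is strict,
        # and only allows this pattern with the update.php front controller.
        # This allows legacy path aliases in the form of
        # blog/index.php/legacy-path to continue to route to Drupal nodes. If
        # you do not have any paths like that, then you might prefer to use a
        # laxer rule, such as:
        #   location ~ \.php(/|$) {
        # The laxer rule will continue to work if Drupal uses this new URL
        # pattern with front controllers other than update.php in a future
        # release.
        location ~ '\.php$|^/update.php' {
            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
            # Ensure the php file exists. Mitigates CVE-2019-11043
            try_files $fastcgi_script_name =404;
            # Security note: If you're running a version of PHP older than the
            # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
            # See http://serverfault.com/q/627903/94922 for details.
            include fastcgi_params;
            # Block httpoxy attacks. See https://httpoxy.org/.
            fastcgi_param HTTP_PROXY "";
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param QUERY_STRING $query_string;
            fastcgi_intercept_errors on;
            # PHP 5 socket location.
            #fastcgi_pass unix:/var/run/php5-fpm.sock;
            # PHP 7 socket location.
            #fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
            fastcgi_pass 127.0.0.1:9000;
        }

        #location ^~ /simplesaml {
        #    alias /var/www/drupal/marketplace-v2/mpV2/vendor/simplesamlphp/simplesamlphp/www;
        #    allow all;
        #    index index.php;
        #
        #    location ~ ^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
        #        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
        #        # Ensure the php file exists. Mitigates CVE-2019-11043
        #        try_files $fastcgi_script_name =404;
        #        # Security note: If you're running a version of PHP older than the
        #        # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
        #        # See http://serverfault.com/q/627903/94922 for details.
        #        include fastcgi_params;
        #        # Block httpoxy attacks. See https://httpoxy.org/.
        #        fastcgi_param HTTP_PROXY "";
        #        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #        fastcgi_param PATH_INFO $fastcgi_path_info;
        #        fastcgi_param QUERY_STRING $query_string;
        #        fastcgi_intercept_errors on;
        #        # PHP 5 socket location.
        #        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        #        # PHP 7 socket location.
        #        #fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        #        fastcgi_pass php-fpm;
        #        fastcgi_param SCRIPT_NAME /simplesaml$phpfile;
        #    }
        #}

        # SimpleSAMLphp front end.
        # NOTE(review): "^~" stops nginx from evaluating the server-level
        # regex locations for any URI under this prefix, so the deny rules
        # above (hidden files, vendor/, protected extensions) do not apply
        # here. The same holds for /retail and /newtheme below.
        location ^~ /simplesaml {
            alias /var/www/html/dac/dacmarketplace/web/simplesaml;
            index index.php index.htm index.html;
            allow all;

            # The capture names were lost in the copy this file came from.
            # "phpfile" and "pathinfo" are restored from the variables used
            # below; "prefix" is not referenced here and is assumed from the
            # SimpleSAMLphp documentation - confirm against the deployed file.
            location ~ ^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
                include fastcgi_params;
                # Block httpoxy attacks, as the main PHP handler does.
                # See https://httpoxy.org/.
                fastcgi_param HTTP_PROXY "";
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_split_path_info ^(.+?\.php)(/.+)$;
                fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
                #fastcgi_param SCRIPT_NAME /simplesaml$phpfile;
                fastcgi_param PATH_INFO $pathinfo if_not_empty;
            }
        }

        # Fighting with Styles? This little gem is amazing.
        # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
        location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
            try_files $uri @rewrite;
        }

        # Handle private files through Drupal. Private file's path can come
        # with a language prefix.
        location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
            try_files $uri /index.php?$query_string;
        }

        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
            try_files $uri @rewrite;
            expires max;
            log_not_found off;
        }

        # Enforce clean URLs
        # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
        # Could be done with 301 for permanent or other redirect codes.
        if ($request_uri ~* "^(.*/)index\.php/(.*)") {
            return 307 $1$2;
        }

        #-----------------subsite start --------------------------
        #
        #location ^~ /retail/(.*)$ {
        #
        #root /var/www/drupalsubsite/marketplace-v2/mpV2/web;
        #
        #alias /var/www/drupalsubsite/marketplace-v2/mpV2/web/$1;
        #allow all;
        #index index.php index.htm index.html;
        #
        ##try_files $uri /retail/index.php?$query_string; # For Drupal >= 7
        #
        ##try_files /$1 @rewrite;
        #
        ##try_files $uri $uri/ @nested;
        #
        #}
        #
        # location @nested {
        #     try_files $uri $uri/ /subsite/index.php?$query_string;
        # }
        #
        #-----------------subsite end --------------------------

        #-----------------subsite start --------------------------
        #rewrite ^/(retail.*) /var/www/drupalsubsite/marketplace-v2/mpV2/webi/$1;
        #location /retail/ {
        #    rewrite ^(.*)$ /var/www/drupalsubsite/marketplace-v2/mpV2/web/$1 permanent;
        #    rewrite ^(.*)$ $1 permanent;
        #    index index.php;
        #}
        #location /retail {
        #root /var/www/drupalsubsite/marketplace-v2/mpV2/web;
        #root /var/www/drupalsubsite/marketplace-v2/mpV2/web/dacdeveloperportal.digitalapicraft.com;
        #    root /var/www/drupalsubsite/marketplace-v2/mpV2/web;
        #    disable_symlinks off;
        #    index index.php;
        #}
        #location ^~ /retail {
        #    alias /var/www/drupalsubsite/marketplace-v2/mpV2/web;
        #    index index.php index.htm index.html;
        #    allow all;
        #location ~ ^(?<prefix>/retail)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
        #    include fastcgi_params;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_split_path_info ^(.+?\.php)(/.+)$;
        #    fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
        #    fastcgi_param PATH_INFO $pathinfo if_not_empty;
        #    }
        #}

        # Subsite served from the same document root under /retail.
        # NOTE(review): because this is a "^~" prefix aliased onto the main
        # web root, every file Drupal's deny rules protect at "/" (vendor/
        # PHP, scripts under sites/*/files, dot-files, composer.json, ...)
        # is reachable again as /retail/<path>, and existing .php files are
        # executed by the nested handler. Repeat the deny locations inside
        # this block (before the PHP handler) or remove the alias if unused.
        location ^~ /retail {
            alias /var/www/html/dac/dacmarketplace/web;
            index index.php;

            if (!-e $request_filename) {
                rewrite ^ /retail/index.php last;
            }

            location ~ \.php$ {
                if (!-f $request_filename) {
                    return 404;
                }
                fastcgi_pass 127.0.0.1:9000;
                include fastcgi_params;
                # Block httpoxy attacks, as the main PHP handler does.
                # See https://httpoxy.org/.
                fastcgi_param HTTP_PROXY "";
                fastcgi_param SCRIPT_FILENAME $request_filename;
                fastcgi_param SCRIPT_NAME $fastcgi_script_name;
            }
        }

        # Second alias of the same document root; the review note on
        # /retail applies here unchanged.
        location ^~ /newtheme {
            alias /var/www/html/dac/dacmarketplace/web;
            index index.php;

            if (!-e $request_filename) {
                rewrite ^ /newtheme/index.php last;
            }

            location ~ \.php$ {
                if (!-f $request_filename) {
                    return 404;
                }
                fastcgi_pass 127.0.0.1:9000;
                include fastcgi_params;
                # Block httpoxy attacks, as the main PHP handler does.
                # See https://httpoxy.org/.
                fastcgi_param HTTP_PROXY "";
                fastcgi_param SCRIPT_FILENAME $request_filename;
                fastcgi_param SCRIPT_NAME $fastcgi_script_name;
            }
        }

        #disable_symlinks off;
        #rewrite ^/$ /var/www/drupalsubsite/marketplace-v2/mpV2/web;
        #location ~ ^/retail/(.*) {
        #    return 301 /var/www/drupalsubsite/marketplace-v2/mpV2/web;
        #    index index.php;
        #}
        #location /retail {
        #    root /var/www/drupalsubsite/marketplace-v2/mpV2/web;
        #    root /var/www/drupal/marketplace-v2/mpV2/web;
        #    index index.php;
        #}
        #-----------------subsite end --------------------------
    }

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers HIGH:!aNULL:!MD5;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }

    #fastcgi_buffers 16 16k;
    #fastcgi_buffer_size 32k;
    #proxy_buffer_size 128k;
    #proxy_buffers 4 256k;
    #proxy_busy_buffers_size 256k;
}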