mike wrote:
> a) Drupal should not include scripts/etc. that should not be run via
> the web -in- the webroot, or
> b) they should be localized to only one directory
Those were/are options of the Drupal Development Team.
>> ((cron\.php|settings\.php)|\.(htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(Entries.*|Repository|Root|Tag|Template))$
> That is ugly as sin to me, and could change at any given time. Is
> there a true need to protect all of these?
Yes.
> Is it only a specific folder?
No.
> You could always use location /folder { internal; } then too.
That is an interesting idea, but the level of complexity would be quite
the same.
> you can add these to fastcgi_params, no need for repetition:
> fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
> fastcgi_index index.php;
In what way would that contribute to reducing complexity, or better
document the procedure?
> and actually, since Drupal has nothing really specific besides a
> single line,
On the contrary, it has.
> you could get away with:
> try_files $uri $uri/ /index.php?q=$request_uri;
That does not work. You could at least have tried it...
> I don't really like the current wiki examples either. It's got a mix
> of parsing php and try_files and other wacky stuff that will just lead
> to confusion.
I am sure that you will provide a couple of cleaner examples to help us all.
M.
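
An added example, not code from either poster: a small Python harness that runs the pattern quoted above over constructed request paths to show what it covers. It assumes the pattern is applied as an unanchored regex search, either over the full request URI (leading `/`) or over the last path component only; the thread does not show which, and the function names and sample paths are hypothetical.

```python
import re

# Pattern quoted in the thread, copied verbatim.
PATTERN = re.compile(
    r"((cron\.php|settings\.php)|\.(htaccess|engine|inc|info|install|module|"
    r"profile|pl|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|"
    r"^(Entries.*|Repository|Root|Tag|Template))$"
)

def blocked_as_uri(uri):
    """Assumption: unanchored search over the full request URI (starts with '/')."""
    return PATTERN.search(uri) is not None

def blocked_as_basename(uri):
    """Assumption: search over the last path component only (file name)."""
    return PATTERN.search(uri.rsplit("/", 1)[-1]) is not None

# Constructed sample request paths (not taken from the thread).
SAMPLES = [
    "/index.php",
    "/cron.php",
    "/sites/default/settings.php",
    "/modules/example/example.module",
    "/includes/example.inc",
    "/scripts/example.sh",
    "/backup/site.mysql",
    "/themes/example/page.tpl.php",
    "/misc/example.js",
    "/CVS/Entries",
    "/CVS/Root",
]

def report(samples=SAMPLES):
    """Map each path to (matched as full URI, matched as basename)."""
    return {s: (blocked_as_uri(s), blocked_as_basename(s)) for s in samples}

if __name__ == "__main__":
    for path, (uri_hit, base_hit) in report().items():
        print(f"{path:35} uri={uri_hit!s:5} basename={base_hit}")
```

The `^(Entries.*|Repository|Root|Tag|Template)` alternative only matches when the tested string begins with one of those names, so it matches a bare file name but not a path that starts with `/`.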