# https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/ # https://www.howtoforge.com/tutorial/install-letsencrypt-and-secure-nginx-in-debian-9/ server { listen [::]:80; server_name DOMAIN.LTD; return 301 https://$server_name$request_uri; } server { listen [::]:443 ssl; server_name DOMAIN.LTD; root /var/www/DOMAIN.LTD/app/web; #SSL Certificates ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_certificate "/etc/letsencrypt/live/DOMAIN.LTD/fullchain.pem"; ssl_certificate_key "/etc/letsencrypt/live/DOMAIN.LTD/privkey.pem"; ssl_dhparam /etc/nginx/ssl/certs/DOMAIN.LTD/dhparam.pem; # ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers HIGH:!aNULL:!MD5; #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security "max-age=31536000; #includeSubDomains" always; charset utf-8; location = /favicon.ico { access_log off; log_not_found off; } location = /robots.txt { allow all; access_log off; log_not_found off; } location ~ \..*/.*\.php$ { return 403; } location ~ ^/sites/.*/private/ { return 403; } # Block access to scripts in site files directory location ~ ^/sites/[^/]+/files/.*\.php$ { deny all; } # Allow "Well-Known URIs" as per RFC 5785 location ~* ^/.well-known/ { allow all; } # Block access to "hidden" files and directories whose names begin with a # period. This includes directories used by version control systems such # as Subversion or Git to store control files. location ~ (^|/)\. { return 403; } location / { # try_files $uri @rewrite; # For Drupal <= 6 try_files $uri /index.php?$query_string; # For Drupal >= 7 } location @rewrite { rewrite ^/(.*)$ /index.php?q=$1; } # Don't allow direct access to PHP files in the vendor directory. location ~ /vendor/.*\.php$ { deny all; return 404; } location ~ /\.ht { deny all; } access_log on; error_log /var/www/DOMAIN.LTD/log/error.log; sendfile off; client_max_body_size 100m; # In Drupal 8, we must also match new paths where the '.php' appears in # the middle, such as update.php/selection. The rule we use is strict, # and only allows this pattern with the update.php front controller. # This allows legacy path aliases in the form of # blog/index.php/legacy-path to continue to route to Drupal nodes. If # you do not have any paths like that, then you might prefer to use a # laxer rule, such as: # location ~ \.php(/|$) { # The laxer rule will continue to work if Drupal uses this new URL # pattern with front controllers other than update.php in a future # release. location ~ '\.php$|^/update.php' { # fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+?\.php)(|/.*)$; include fastcgi.conf; # Block httpoxy attacks. See https://httpoxy.org/. fastcgi_param HTTP_PROXY ""; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param QUERY_STRING $query_string; fastcgi_intercept_errors on; # fastcgi_buffer_size 16k; # fastcgi_buffers 4 16k; fastcgi_pass 127.0.0.1:9000; } # Fighting with Styles? This little gem is amazing. # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6 location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7 try_files $uri @rewrite; } # Handle private files through Drupal. Private file's path can come # with a language prefix. location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7 try_files $uri /index.php?$query_string; } location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { try_files $uri @rewrite; expires max; log_not_found off; } # website should not be displayed inside a , an