Join the community today
Become a Member

Drupal Centmin Mod Nginx and Drupal 8 configuration

Discussion in 'Blogs & CMS usage' started by Damir, Nov 27, 2018.

  1. Damir

    Damir New Member

    2
    0
    1
    Oct 30, 2018
    Belgrade
    Ratings:
    +0
    Local Time:
    4:05 PM
    1.15
    10.36
    I have no experience using Nginx.
    I installed Drupal 8 ( centminmod 09beta01 ) locally and it's works well.
    My config file (example.com.conf):

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #            server_name example.com;
    #            return 301 $scheme://www.example.com$request_uri;
    #       }
    
    server {
     
      server_name example.com www.example.com;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/example.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/example.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/example.com/autoprotect-example.com.conf;
      root /home/nginx/domains/example.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      #include /usr/local/nginx/conf/503include-main.conf;
    
    # Common #
    
    location ~ ^/sites/.*/private/ {
      return 403;
    }
    
    # Block access to hidden files and directories (begin with a period).
    location ~ (^|/)\. {
      return 403;
    }
    location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|twig|scss|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
      return 404;
    }
    # Dont allow direct access to composer and yml files
    location ~* /(.*)\.(?:yaml|yml|lock|json)$ {
      deny all;
      access_log off;
      log_not_found off;
    }
    
    # Dont allow direct access to PHP files in the vendor directory.
    location ~ /vendor/.*\.php$ {
      deny all;
      return 404;
    }
    
    location ^~ \.(png|jpg|jpeg|gif|ico|woff|woff2|svg)$ {
      expires max;
      log_not_found off;
    }
    
    gzip on;
    gzip_comp_level 5;
    gzip_disable "msie6";
    gzip_types
        text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
        text/javascript application/javascript application/x-javascript
        text/x-json application/json application/x-web-app-manifest+json
        text/css text/plain text/x-component
        font/opentype application/x-font-ttf application/vnd.ms-fontobject
        image/x-icon;
    
    # Drupal #
    # Update script
    rewrite ^/core/authorize.php/core/authorize.php(.*)$ /core/authorize.php$1;
    # Remove trailing slash.
    rewrite ^/(.*)/$ /$1 permanent;
    # Styles.
    location ~ ^/sites/.*/files/styles/ {
      expires max;
      try_files $uri @rewrite;
      log_not_found off;
    }
    
    # Private files through Drupal.
    location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
      try_files $uri /index.php?$query_string;
    }
    
    # Cache Files.
    location ~ ^/sites/.*/files/ {
      expires 30d;
      log_not_found off;
    }
    
    # Cache Core/Libs/Contrib
    location ~ /(core|libraries|modules/contrib)/.*\.(css|js|png|jpg|jpeg|gif|ico|woff|woff2|svg) {
      add_header Cache-Control public;
      expires     10d;
    }
    
    # Cache Theme CSS/JS
    location ~ /themes/.*\.(css|js)$ {
      etag off;
      log_not_found off;
    }
    
    # Custom Modules
    location ~ /modules/custom/.*\.(css|js)$ {
      etag off;
      log_not_found off;
    }
    
    # Cache Theme Images/Fonts
    location ~ /themes/.*\.(png|jpg|jpeg|gif|ico|woff|woff2|svg)$ {
      expires 30d;
      log_not_found off;
    }
    
    # letsencrypt #
     location ~* ^/.well-known/ {
            allow all;
      }
    
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    

    What should be added or removed from the file?

    I can install themes, modules, run update..., but I would like to have a configuration for Drupal 8 "on the right way".

    Thanks.
     
  2. eva2000

    eva2000 Administrator Staff Member

    44,186
    10,074
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,572
    Local Time:
    12:05 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    no drupal experience either but you can check other threads for clues Blogs & CMS usage
     
  3. Atrix

    Atrix New Member

    26
    8
    3
    Oct 7, 2018
    Ratings:
    +23
    Local Time:
    8:05 AM
    1.15.3
    MariaDB 10.1.36
    I am setting up a drupal 8 site this is working for me so far, it mixes recommended settings for drupal 8 on nginx with stuff from centmin, there might be extra stuff not needed here but it runs.

    file site.mysite.com.ssl.conf (disabled the non https one by adding -disabled to the file name)
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
     server {
           listen   80;
           server_name site.mysite.com www.site.mysite.com;
           return 302 https://$server_name$request_uri;
     }
    
    server {
       listen 443 ssl http2;
       server_name site.mysite.com www.site.mysite.com;
    
       ssl_dhparam /usr/local/nginx/conf/ssl/site.mysite.com/dhparam.pem;
       ssl_certificate      /usr/local/nginx/conf/ssl/site.mysite.com/site.mysite.com.crt;
       ssl_certificate_key  /usr/local/nginx/conf/ssl/site.mysite.com/site.mysite.com.key;
       include /usr/local/nginx/conf/ssl_include.conf;
    
       # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
       #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/site.mysite.com/origin.crt;
       #ssl_verify_client on;
       http2_max_field_size 16k;
       http2_max_header_size 32k;
       # mozilla recommended
       ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
       ssl_prefer_server_ciphers   on;
       #add_header Alternate-Protocol  443:npn-spdy/3;
    
       # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
       #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
       #add_header X-Frame-Options SAMEORIGIN;
       add_header X-Xss-Protection "1; mode=block" always;
       add_header X-Content-Type-Options "nosniff" always;
       #add_header Referrer-Policy "strict-origin-when-cross-origin";
       #spdy_headers_comp 5;
       ssl_buffer_size 1369;
       ssl_session_tickets on;
    
       # enable ocsp stapling
       #resolver 8.8.8.8 8.8.4.4 valid=10m;
       #resolver_timeout 10s;
       #ssl_stapling on;
       #ssl_stapling_verify on;
       #ssl_trusted_certificate /usr/local/nginx/conf/ssl/site.mysite.com/site.mysite.com-trusted.crt;
    
       # ngx_pagespeed & ngx_pagespeed handler
       #include /usr/local/nginx/conf/pagespeed.conf;
       #include /usr/local/nginx/conf/pagespeedhandler.conf;
       #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
       # limit_conn limit_per_ip 16;
       # ssi  on;
    
       access_log /home/nginx/domains/site.mysite.com/log/access.log combined buffer=256k flush=5m;
       error_log /home/nginx/domains/site.mysite.com/log/error.log;
    
       include /usr/local/nginx/conf/autoprotect/site.mysite.com/autoprotect-site.mysite.com.conf;
       root /home/nginx/domains/site.mysite.com/public/web;
       # uncomment cloudflare.conf include if using cloudflare for
       # server and/or vhost site
       #include /usr/local/nginx/conf/cloudflare.conf;
       include /usr/local/nginx/conf/503include-main.conf;
    
       ## DRUPAL 8 ##
       #location = /favicon.ico {
           #log_not_found off;
           #access_log off;
       #}
    
       #location = /robots.txt {
           #allow all;
           #log_not_found off;
           #access_log off;
       #}
    
       # Very rarely should these ever be accessed outside of your lan
       location ~* \.(txt|log)$ {
           allow 192.168.0.0/16;
           deny all;
       }
    
       location ~ \..*/.*\.php$ {
           return 403;
       }
    
       location ~ ^/sites/.*/private/ {
           return 403;
       }
    
       # Block access to scripts in site files directory
       location ~ ^/sites/[^/]+/files/.*\.php$ {
           deny all;
       }
    
       # Allow "Well-Known URIs" as per RFC 5785
       location ~* ^/.well-known/ {
           allow all;
       }
    
       # Block access to "hidden" files and directories whose names begin with a
       # period. This includes directories used by version control systems such
       # as Subversion or Git to store control files.
       location ~ (^|/)\. {
           return 403;
       }
    
       location / {
           # try_files $uri @rewrite; # For Drupal <= 6
           try_files $uri /index.php?$query_string; # For Drupal >= 7
       }
    
       location @rewrite {
           rewrite ^/(.*)$ /index.php?q=$1;
       }
    
       # Don't allow direct access to PHP files in the vendor directory.
       location ~ /vendor/.*\.php$ {
           deny all;
           return 404;
       }
    
       # Protect files and directories from prying eyes.
       location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
           deny all;
           return 404;
       }
    
       # In Drupal 8, we must also match new paths where the '.php' appears in
       # the middle, such as update.php/selection. The rule we use is strict,
       # and only allows this pattern with the update.php front controller.
       # This allows legacy path aliases in the form of
       # blog/index.php/legacy-path to continue to route to Drupal nodes. If
       # you do not have any paths like that, then you might prefer to use a
       # laxer rule, such as:
       # The laxer rule will continue to work if Drupal uses this new URL
       # pattern with front controllers other than update.php in a future
       # release.
       location ~ '\.php$|^/update.php' {
           fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
           # Ensure the php file exists. Mitigates CVE-2019-11043
           try_files $fastcgi_script_name =404;
           # Security note: If you're running a version of PHP older than the
           # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
           # See http://serverfault.com/q/627903/94922 for details.
           include fastcgi_params;
           # Block httpoxy attacks. See https://httpoxy.org/.
           fastcgi_param HTTP_PROXY "";
           fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
           fastcgi_param PATH_INFO $fastcgi_path_info;
           fastcgi_param QUERY_STRING $query_string;
           #fastcgi_intercept_errors on;
           # PHP 5 socket location.
           #fastcgi_pass unix:/var/run/php5-fpm.sock;
           # PHP 7 socket location.
           #fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
           include /usr/local/nginx/conf/503include-only.conf;
           fastcgi_split_path_info ^(.+?\.php)(/.*)$;
           if (!-f $document_root$fastcgi_script_name) {
               return 404;
           }
           fastcgi_pass   127.0.0.1:9000;
           #fastcgi_pass   unix:/tmp/php5-fpm.sock;
           fastcgi_index  index.php;
           #fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
           #fastcgi_param  SCRIPT_FILENAME    $request_filename;
           #fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
    
           fastcgi_param HTTPS $server_https;
    
           fastcgi_param  PATH_INFO          $fastcgi_path_info;
           fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_path_info;
    
           fastcgi_param  QUERY_STRING       $query_string;
           fastcgi_param  REQUEST_METHOD     $request_method;
           fastcgi_param  CONTENT_TYPE       $content_type;
           fastcgi_param  CONTENT_LENGTH     $content_length;
    
           fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
           fastcgi_param  REQUEST_URI        $request_uri;
           fastcgi_param  DOCUMENT_URI       $document_uri;
           fastcgi_param  DOCUMENT_ROOT      $document_root;
           fastcgi_param  SERVER_PROTOCOL    $server_protocol;
           fastcgi_param  REQUEST_SCHEME     $scheme;
           fastcgi_param  HTTPS              $https if_not_empty;
           fastcgi_param  HTTP_PROXY         "";
    
           fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
           fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
    
           fastcgi_param  REMOTE_ADDR        $remote_addr;
           fastcgi_param  REMOTE_PORT        $remote_port;
           fastcgi_param  SERVER_ADDR        $server_addr;
           fastcgi_param  SERVER_PORT        $server_port;
           fastcgi_param  SERVER_NAME        $server_name;
    
           # Set php-fpm geoip variables
           fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
           fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
           fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
           fastcgi_param GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
           fastcgi_param GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
           fastcgi_param GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
           fastcgi_param GEOIP_REGION $geoip_region;
           fastcgi_param GEOIP_CITY $geoip_city;
           fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
           fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
           fastcgi_param GEOIP_LATITUDE $geoip_latitude;
           fastcgi_param GEOIP_LONGITUDE $geoip_longitude;
    
           # PHP only, required if PHP was built with --enable-force-cgi-redirect
           fastcgi_param  REDIRECT_STATUS    200;
       }
    
       # Fighting with Styles? This little gem is amazing.
       location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
           try_files $uri @rewrite;
       }
    
       # Handle private files through Drupal. Private file's path can come
       # with a language prefix.
       location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
           try_files $uri /index.php?$query_string;
       }
    
       location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
           try_files $uri @rewrite;
           expires max;
           log_not_found off;
       }
       # Enforce clean URLs
       # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
       # Could be done with 301 for permanent or other redirect codes.
       if ($request_uri ~* "^(.*/)index\.php/(.*)") {
           return 307 $1$2;
       }
       ## END DRUPAL 8 ##
    
       #location / {
       #include /usr/local/nginx/conf/503include-only.conf;
    
       # block common exploits, sql injections etc
       #include /usr/local/nginx/conf/block.conf;
    
       # Enables directory listings when index file not found
       #autoindex  on;
    
       # Shows file listing times as local time
       #autoindex_localtime on;
    
       # Wordpress Permalinks example
       #try_files $uri $uri/ /index.php?q=$uri&$args;
       #}
    
       include /usr/local/nginx/conf/pre-staticfiles-local-site.mysite.com.conf;
       include /usr/local/nginx/conf/pre-staticfiles-global.conf;
       include /usr/local/nginx/conf/staticfiles.conf;
       #include /usr/local/nginx/conf/php.conf;
    
       include /usr/local/nginx/conf/drop.conf;
       #include /usr/local/nginx/conf/errorpage.conf;
       include /usr/local/nginx/conf/vts_server.conf;
    }
    
    Note: I replied here because it shows up in google when you look for drupal configs for centminmod
     
    Last edited: May 24, 2020
  4. eva2000

    eva2000 Administrator Staff Member

    44,186
    10,074
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,572
    Local Time:
    12:05 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    very nice. Thanks for sharing ... in the right place too :D (y)