cleanup drupal vhost for nginx, use variables for files and page not …

…found mattern
alphanodes · Aug 2, 2024 · e39e794 · e39e794
1 parent 1082406
commit e39e794
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 24 deletions.
diff --git a/roles/drupal/defaults/main.yml b/roles/drupal/defaults/main.yml
@@ -55,5 +55,10 @@ drupal_write_permissions:
 # nginx
 drupal_with_hotlink_protection: false
 
+# see https://github.com/wodby/nginx/blob/master/templates/presets/drupal8.conf.tmpl
+# see https://github.com/wodby/nginx/blob/master/templates/presets/drupal10.conf.tmpl
+drupal_nginx_static_files: "css|cur|js|jpe?g|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg|mp4|svgz|ogg|ogv|pdf|pptx?|zip|tgz|gz|rar|bz2|doc|xls|exe|tar|mid|midi|wav|bmp|rtf|txt|map|webp"
+drupal_nginx_not_found_regex: "\\.(engine|md|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(web\\.config|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig|\\.save)$"
+
 # instance wide usage (for /etc/nginx/drupal.conf)
 drupal_multilanguage: []
diff --git a/roles/drupal/templates/etc/nginx/sites-available/drupal.j2 b/roles/drupal/templates/etc/nginx/sites-available/drupal.j2
@@ -66,19 +66,6 @@ server {
     try_files $uri @drupal;
   }
 
-  # All static files will be served directly.
-  location ~* ^.+\.(?:css|js|jpe?g|gif|ico|png|html)$ {
-    access_log off;
-    expires 30d;
-    # No need to bleed constant updates. Send the all shebang in one fell swoop.
-    tcp_nodelay off;
-    # Set the OS file cache.
-    open_file_cache max=3000 inactive=120s;
-    open_file_cache_valid 45s;
-    open_file_cache_min_uses 2;
-    open_file_cache_errors off;
-  }
-
   location ~* /sites/.+/files/optimized/(css|js)/ {
     expires max;
     add_header ETag '';
@@ -96,19 +83,22 @@ server {
     }
   }
 
-  # PDFs and powerpoint files handling.
-  location ~* ^.+\.(?:pdf|pptx?)$ {
-    expires 30d;
-    # No need to bleed constant updates. Send the all shebang in one
-    # fell swoop.
-    tcp_nodelay off;
+  # Replica of regex from Drupals core .htaccess.
+  location ~* {{ drupal_nginx_not_found_regex }} {
+      return 404;
   }
 
-  ## Replicate the Apache <FilesMatch> directive of Drupal standard
-  ## .htaccess. Disable access to any code files. Return a 404 to curtail
-  ## information disclosure. Hide also the text files.
-  location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
-      return 404;
+  # All static files will be served directly.
+  location ~* ^.+\.(?:{{ drupal_nginx_not_found_regex }})$ {
+    access_log off;
+    expires 30d;
+    # No need to bleed constant updates. Send the all shebang in one fell swoop.
+    tcp_nodelay off;
+    # Set the OS file cache.
+    open_file_cache max=3000 inactive=120s;
+    open_file_cache_valid 45s;
+    open_file_cache_min_uses 2;
+    open_file_cache_errors off;
   }
 
   # Some modules enforce no slash (/) at the end of the URL