diff --git a/roles/drupal/defaults/main.yml b/roles/drupal/defaults/main.yml
index 35461c9..deced50 100644
--- a/roles/drupal/defaults/main.yml
+++ b/roles/drupal/defaults/main.yml
@@ -55,5 +55,10 @@ drupal_write_permissions:
 # nginx
 drupal_with_hotlink_protection: false
+# see https://github.com/wodby/nginx/blob/master/templates/presets/drupal8.conf.tmpl
+# see https://github.com/wodby/nginx/blob/master/templates/presets/drupal10.conf.tmpl
+drupal_nginx_static_files: "css|cur|js|jpe?g|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg|mp4|svgz|ogg|ogv|pdf|pptx?|zip|tgz|gz|rar|bz2|doc|xls|exe|tar|mid|midi|wav|bmp|rtf|txt|map|webp"
+drupal_nginx_not_found_regex: "\\.(engine|md|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(web\\.config|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig|\\.save)$"
+
 # instance wide usage (for /etc/nginx/drupal.conf)
 drupal_multilanguage: []
diff --git a/roles/drupal/templates/etc/nginx/sites-available/drupal.j2 b/roles/drupal/templates/etc/nginx/sites-available/drupal.j2
index 1d4c84b..9343339 100644
--- a/roles/drupal/templates/etc/nginx/sites-available/drupal.j2
+++ b/roles/drupal/templates/etc/nginx/sites-available/drupal.j2
@@ -66,19 +66,6 @@ server {
 try_files $uri @drupal;
 }
- # All static files will be served directly.
- location ~* ^.+\.(?:css|js|jpe?g|gif|ico|png|html)$ {
- access_log off;
- expires 30d;
- # No need to bleed constant updates. Send the all shebang in one fell swoop.
- tcp_nodelay off;
- # Set the OS file cache.
- open_file_cache max=3000 inactive=120s;
- open_file_cache_valid 45s;
- open_file_cache_min_uses 2;
- open_file_cache_errors off;
- }
-
 location ~* /sites/.+/files/optimized/(css|js)/ {
 expires max;
 add_header ETag '';
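Review bot: The second alternation of `drupal_nginx_not_found_regex`, `^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$`, is anchored to the start of the string, but an nginx `location ~*` tests the whole request URI, which always begins with `/`, so this branch can never match and dot-paths and VCS metadata names are not denied by this rule. Apache's `FilesMatch` applies the pattern to the file name alone, which is why the `.htaccess` form works there; the rule being removed from the template handled this with `/Entries.*|/Repository|/Root|/Tag|/Template`. Replace the leading `^` with a path separator so the branch applies to the last URI segment: `/(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$`. If a separate location outside this diff already denies dot-paths, only the VCS-name part of the branch is affected, and the `^#.*#$` branch is moot for the same reason.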
@@ -96,19 +83,22 @@ server {
 }
 }
- # PDFs and powerpoint files handling.
- location ~* ^.+\.(?:pdf|pptx?)$ {
- expires 30d;
- # No need to bleed constant updates. Send the all shebang in one
- # fell swoop.
- tcp_nodelay off;
+ # Replica of regex from Drupals core .htaccess.
+ location ~* {{ drupal_nginx_not_found_regex }} {
+ return 404;
 }
- ## Replicate the Apache directive of Drupal standard
- ## .htaccess. Disable access to any code files. Return a 404 to curtail
- ## information disclosure. Hide also the text files.
- location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
- return 404;
+ # All static files will be served directly.
+ location ~* ^.+\.(?:{{ drupal_nginx_not_found_regex }})$ {
+ access_log off;
+ expires 30d;
+ # No need to bleed constant updates. Send the all shebang in one fell swoop.
+ tcp_nodelay off;
+ # Set the OS file cache.
+ open_file_cache max=3000 inactive=120s;
+ open_file_cache_valid 45s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors off;
 }
 # Some modules enforce no slash (/) at the end of the URL
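Review bot: The static-files location `location ~* ^.+\.(?:{{ drupal_nginx_not_found_regex }})$ {` interpolates the wrong variable; the intended one is the new `drupal_nginx_static_files` extension list from defaults/main.yml, which is otherwise never referenced in this diff. As written the nested pattern embeds `^` and `$` anchors inside `\.(?:…)$`, so it matches only odd names (a double-dot suffix such as `foo..engine` or `x.composer.json`) and ordinary `.css`/`.js` assets most likely fall through to `try_files $uri @drupal` without the caching and `access_log off` settings. Change the line to `location ~* ^.+\.(?:{{ drupal_nginx_static_files }})$ {`. Since nginx reads an unquoted regex up to the first space or `{`, it is also safer to quote both rendered patterns, e.g. `location ~* "{{ drupal_nginx_not_found_regex }}" {`, so an inventory override containing a `{n}` quantifier or a space does not break the config. The enclosing `server { … }` block starts and ends outside the hunk.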