From 86085e60583456fd4e1d9cd47c37aaf2669ea14e Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Fri, 26 Jan 2018 11:54:26 -0500 Subject: [PATCH 01/25] Finishing up Nginx support. Just copying provision 3.x templates in as is for now. --- src/Service/Http/HttpNginxService.php | 51 ++- .../Configuration/ServerConfiguration.php | 26 ++ .../Nginx/Configuration/SiteConfiguration.php | 51 +++ .../Configuration/templates/server.tpl.php | 338 ++++++++++++++++++ .../Configuration/templates/vhost.tpl.php | 116 ++++++ .../templates/vhost_disabled.tpl.php | 18 + 6 files changed, 596 insertions(+), 4 deletions(-) create mode 100644 src/Service/Http/Nginx/Configuration/ServerConfiguration.php create mode 100644 src/Service/Http/Nginx/Configuration/SiteConfiguration.php create mode 100644 src/Service/Http/Nginx/Configuration/templates/server.tpl.php create mode 100644 src/Service/Http/Nginx/Configuration/templates/vhost.tpl.php create mode 100644 src/Service/Http/Nginx/Configuration/templates/vhost_disabled.tpl.php diff --git a/src/Service/Http/HttpNginxService.php b/src/Service/Http/HttpNginxService.php index 6e837c4b7..3d3c63607 100644 --- a/src/Service/Http/HttpNginxService.php +++ b/src/Service/Http/HttpNginxService.php @@ -8,6 +8,9 @@ namespace Aegir\Provision\Service\Http; +use Aegir\Provision\Service\Http\Nginx\Configuration\PlatformConfiguration; +use Aegir\Provision\Service\Http\Nginx\Configuration\ServerConfiguration; +use Aegir\Provision\Service\Http\Nginx\Configuration\SiteConfiguration; use Aegir\Provision\Service\HttpService; /** @@ -15,8 +18,48 @@ * * @package Aegir\Provision\Service\Http */ -class HttpNginxService extends HttpService -{ - const SERVICE_TYPE = 'nginx'; - const SERVICE_TYPE_NAME = 'NGINX'; +class HttpNginxService extends HttpService { + + const SERVICE_TYPE = 'nginx'; + + const SERVICE_TYPE_NAME = 'NGINX'; + + /** + * Returns array of Configuration classes for this service. + * + * @see Provision_Service_http_apache::init_server(); + * + * @return array + */ + public function getConfigurations() + { + $configs['server'][] = ServerConfiguration::class; + $configs['site'][] = SiteConfiguration::class; + return $configs; + } + + /** + * Determine nginx restart command based on available executables. + * @return string + */ + public static function default_restart_cmd() { + $command = '/etc/init.d/nginx'; // A proper default for most of the world + $options[] = $command; + // Try to detect the nginx restart command. + foreach (explode(':', $_SERVER['PATH']) as $path) { + $options[] = "$path/nginx"; + } + $options[] = '/usr/sbin/nginx'; + $options[] = '/usr/local/sbin/nginx'; + $options[] = '/usr/local/bin/nginx'; + + foreach ($options as $test) { + if (is_executable($test)) { + $command = ($test == '/etc/init.d/nginx') ? $test : $test . ' -s'; + break; + } + } + + return "sudo $command reload"; + } } diff --git a/src/Service/Http/Nginx/Configuration/ServerConfiguration.php b/src/Service/Http/Nginx/Configuration/ServerConfiguration.php new file mode 100644 index 000000000..d405c0c5a --- /dev/null +++ b/src/Service/Http/Nginx/Configuration/ServerConfiguration.php @@ -0,0 +1,26 @@ +service->getType()) { + $file = $this->service->getType() . '.conf'; + return $this->service->provider->getProvision()->getConfig()->get('config_path') . '/' . $this->service->provider->name . '/' . $file; + } + else { + return FALSE; + } + } +} \ No newline at end of file diff --git a/src/Service/Http/Nginx/Configuration/SiteConfiguration.php b/src/Service/Http/Nginx/Configuration/SiteConfiguration.php new file mode 100644 index 000000000..82a5bee6a --- /dev/null +++ b/src/Service/Http/Nginx/Configuration/SiteConfiguration.php @@ -0,0 +1,51 @@ +context->getProperty('uri') . '.conf'; + return $this->context->getProvision() + ->getConfig() + ->get('config_path') . '/' . $this->service->provider->name . '/' . $this->service->getType() . '/vhost.d/' . $file; + } + + function process() { + parent::process(); + $this->data['http_port'] = $this->context->getSubscription('http')->service->getProperty('http_port'); + $this->data['document_root'] = $this->context->platform->getProperty('document_root'); + $this->data['uri'] = $this->context->getProperty('uri'); + + $this->data['site_path'] = $this->data['document_root'] . '/sites/' . $this->data['uri']; + + $this->data['db_type'] = $this->context->getSubscription('db')->service->getType(); + + $this->data['db_name'] = $this->context->getSubscription('db') + ->getProperty('db_name'); + $this->data['db_user'] = $this->context->getSubscription('db') + ->getProperty('db_user'); + $this->data['db_passwd'] = $this->context->getSubscription('db') + ->getProperty('db_password'); + $this->data['db_host'] = $this->context->getSubscription('db')->service->provider->getProperty('remote_host'); + + $this->data['db_port'] = $this->context->getSubscription('db')->service->getCreds()['port']; + + $this->data['extra_config'] = ''; + } +} \ No newline at end of file diff --git a/src/Service/Http/Nginx/Configuration/templates/server.tpl.php b/src/Service/Http/Nginx/Configuration/templates/server.tpl.php new file mode 100644 index 000000000..542d08b52 --- /dev/null +++ b/src/Service/Http/Nginx/Configuration/templates/server.tpl.php @@ -0,0 +1,338 @@ +# Aegir web server main configuration file + +####################################################### +### nginx.conf main +####################################################### + +script_user) { + $script_user = $server->script_user; +} + +$aegir_root = drush_get_option('aegir_root'); +if (!$aegir_root && $server->aegir_root) { + $aegir_root = $server->aegir_root; +} + +$nginx_config_mode = drush_get_option('nginx_config_mode'); +if (!$nginx_config_mode && $server->nginx_config_mode) { + $nginx_config_mode = $server->nginx_config_mode; +} + +$phpfpm_mode = drush_get_option('phpfpm_mode'); +if (!$phpfpm_mode && $server->phpfpm_mode) { + $phpfpm_mode = $server->phpfpm_mode; +} + +$nginx_is_modern = drush_get_option('nginx_is_modern'); +if (!$nginx_is_modern && $server->nginx_is_modern) { + $nginx_is_modern = $server->nginx_is_modern; +} + +$nginx_has_etag = drush_get_option('nginx_has_etag'); +if (!$nginx_has_etag && $server->nginx_has_etag) { + $nginx_has_etag = $server->nginx_has_etag; +} + +$nginx_has_http2 = drush_get_option('nginx_has_http2'); +if (!$nginx_has_http2 && $server->nginx_has_http2) { + $nginx_has_http2 = $server->nginx_has_http2; +} + +$nginx_has_gzip = drush_get_option('nginx_has_gzip'); +if (!$nginx_has_gzip && $server->nginx_has_gzip) { + $nginx_has_gzip = $server->nginx_has_gzip; +} + +$nginx_has_upload_progress = drush_get_option('nginx_has_upload_progress'); +if (!$nginx_has_upload_progress && $server->nginx_has_upload_progress) { + $nginx_has_upload_progress = $server->nginx_has_upload_progress; +} + +$satellite_mode = drush_get_option('satellite_mode'); +if (!$satellite_mode && $server->satellite_mode) { + $satellite_mode = $server->satellite_mode; +} + +if ($nginx_is_modern) { + print " limit_conn_zone \$binary_remote_addr zone=limreq:10m;\n"; +} +else { + print " limit_zone limreq \$binary_remote_addr 10m;\n"; +} + +if ($nginx_has_gzip) { + print " gzip_static on;\n"; +} + +if ($nginx_has_upload_progress) { + print " upload_progress uploads 1m;\n"; +} +?> + + + + ## FastCGI params + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param QUERY_STRING $query_string; + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param CONTENT_TYPE $content_type; + fastcgi_param CONTENT_LENGTH $content_length; + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + fastcgi_param REQUEST_URI $request_uri; + fastcgi_param DOCUMENT_URI $document_uri; + fastcgi_param DOCUMENT_ROOT $document_root; + fastcgi_param SERVER_PROTOCOL $server_protocol; + fastcgi_param GATEWAY_INTERFACE CGI/1.1; + fastcgi_param SERVER_SOFTWARE ApacheSolarisNginx/$nginx_version; + fastcgi_param REMOTE_ADDR $remote_addr; + fastcgi_param REMOTE_PORT $remote_port; + fastcgi_param SERVER_ADDR $server_addr; + fastcgi_param SERVER_PORT $server_port; + fastcgi_param SERVER_NAME $server_name; + fastcgi_param USER_DEVICE $device; + fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code; + fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3; + fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name; + fastcgi_param REDIRECT_STATUS 200; + fastcgi_index index.php; + # Block https://httpoxy.org/ attacks. + fastcgi_param HTTP_PROXY ""; + + + ## Size Limits + client_body_buffer_size 64k; + client_header_buffer_size 32k; + + client_max_body_size 100m; + + connection_pool_size 256; + fastcgi_buffer_size 128k; + fastcgi_buffers 256 4k; + fastcgi_busy_buffers_size 256k; + fastcgi_temp_file_write_size 256k; + large_client_header_buffers 32 32k; + + map_hash_bucket_size 192; + + request_pool_size 4k; + server_names_hash_bucket_size 512; + + server_names_hash_max_size 8192; + types_hash_bucket_size 512; + variables_hash_max_size 1024; + + + ## Timeouts + client_body_timeout 180; + client_header_timeout 180; + send_timeout 180; + lingering_time 30; + lingering_timeout 5; + fastcgi_connect_timeout 10s; + fastcgi_send_timeout 180s; + fastcgi_read_timeout 180s; + + ## Open File Performance + open_file_cache max=8000 inactive=30s; + open_file_cache_valid 99s; + open_file_cache_min_uses 3; + open_file_cache_errors on; + + ## FastCGI Caching + fastcgi_cache_path /var/lib/nginx/speed + levels=2:2 + keys_zone=speed:10m + inactive=15m + max_size=3g; + + ## General Options + ignore_invalid_headers on; + recursive_error_pages on; + reset_timedout_connection on; + fastcgi_intercept_errors on; + + server_tokens off; + fastcgi_hide_header 'Link'; + fastcgi_hide_header 'X-Generator'; + fastcgi_hide_header 'X-Powered-By'; + + + ## SSL performance + ssl_session_cache shared:SSL:10m; + + + ## SSL protocols, ciphers and settings + ssl_protocols TLSv1.1 TLSv1.2; + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + ## GeoIP support + geoip_country /usr/share/GeoIP/GeoIP.dat; + + + ## Compression + gzip_buffers 16 8k; + gzip_comp_level 8; + gzip_http_version 1.0; + gzip_min_length 50; + gzip_types + application/atom+xml + application/javascript + application/json + application/rss+xml + application/vnd.ms-fontobject + application/x-font-opentype + application/x-font-ttf + application/x-javascript + application/xhtml+xml + application/xml + application/xml+rss + font/opentype + image/svg+xml + image/x-icon + text/css + text/javascript + text/plain + text/xml; + gzip_vary on; + gzip_proxied any; + + +## Default index files +index index.php index.html; + +## Log Format +log_format main '"$proxy_add_x_forwarded_for" $host [$time_local] ' +'"$request" $status $body_bytes_sent ' +'$request_length $bytes_sent "$http_referer" ' +'"$http_user_agent" $request_time "$gzip_ratio"'; + +client_body_temp_path /var/lib/nginx/body 1 2; +access_log /var/log/nginx/access.log main; + + + + + error_log /var/log/nginx/error.log crit; + +####################################################### +### nginx default maps +####################################################### + +### +### Support separate Speed Booster caches for various mobile devices. +### +map $http_user_agent $device { +default normal; +~*Nokia|BlackBerry.+MIDP|240x|320x|Palm|NetFront|Symbian|SonyEricsson mobile-other; +~*iPhone|iPod|Android|BlackBerry.+AppleWebKit mobile-smart; +~*iPad|Tablet mobile-tablet; +} + +### +### Set a cache_uid variable for authenticated users (by @brianmercer and @perusio, fixed by @omega8cc). +### +map $http_cookie $cache_uid { +default ''; +~SESS[[:alnum:]]+=(?[[:graph:]]+) $session_id; + } + + ### + ### Live switch of $key_uri for Speed Booster cache depending on $args. + ### + map $request_uri $key_uri { + default $request_uri; + ~(?[[:graph:]]+)\?(.*)(utm_|__utm|_campaign|gclid|source=|adv=|req=) $no_args_uri; + } + + ### + ### Deny crawlers. + ### + map $http_user_agent $is_crawler { + default ''; + ~*HTTrack|BrokenLinkCheck|2009042316.*Firefox.*3\.0\.10 is_crawler; + ~*SiteBot|PECL|Automatic|CCBot|BuzzTrack|Sistrix|Offline is_crawler; + ~*SWEB|Morfeus|GSLFbot|HiScan|Riddler|DBot|SEOkicks|MJ12 is_crawler; + ~*PChomebot|Scrap|HTMLParser|Nutch|Mireo|Semrush|Ahrefs is_crawler; + } + + ### + ### Block semalt botnet. + ### + map $http_referer $is_botnet { + default ''; + ~*semalt\.com|kambasoft\.com|savetubevideo\.com|bottlenose\.com|yapoga\.com is_botnet; + ~*descargar-musica-gratis\.net|baixar-musicas-gratis\.com is_botnet; + } + + ### + ### Deny all known bots/spiders on some URIs. + ### + map $http_user_agent $is_bot { + default ''; + ~*crawl|bot|spider|tracker|click|parser|google|yahoo|yandex|baidu|bing is_bot; + } + + ### + ### Deny almost all crawlers under high load. + ### + map $http_user_agent $deny_on_high_load { + default ''; + ~*crawl|spider|tracker|click|parser|google|yahoo|yandex|baidu|bing deny_on_high_load; + } + + ### + ### Deny listed requests for security reasons. + ### + map $args $is_denied { + default ''; + ~*delete.+from|insert.+into|select.+from|union.+select|onload|\.php.+src|system\(.+|document\.cookie|\;|\.\.\/ is_denied; + } + + + ####################################################### + ### nginx default server + ####################################################### + + server { + listen *:; + server_name _; + location / { + + expires 99s; + add_header Cache-Control "public, must-revalidate, proxy-revalidate"; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + root /var/www/nginx-default; + index index.html index.htm; + + return 404; + + } + } + + + server { + listen *:; + server_name 127.0.0.1; + location /nginx_status { + stub_status on; + access_log off; + allow 127.0.0.1; + deny all; + } + } + + + ####################################################### + ### nginx virtual domains + ####################################################### + + # virtual hosts + include /*; + include /*; + include /*; + include /*; diff --git a/src/Service/Http/Nginx/Configuration/templates/vhost.tpl.php b/src/Service/Http/Nginx/Configuration/templates/vhost.tpl.php new file mode 100644 index 000000000..955288ed6 --- /dev/null +++ b/src/Service/Http/Nginx/Configuration/templates/vhost.tpl.php @@ -0,0 +1,116 @@ +redirection) { + $aegir_root = d('@server_master')->aegir_root; + $satellite_mode = d('@server_master')->satellite_mode; + // Redirect all aliases to the main http url using separate vhosts blocks to avoid if{} in Nginx. + foreach ($this->aliases as $alias_url) { + print "# alias redirection virtual host\n"; + print "server {\n"; + print " listen *:{$http_port};\n"; + // if we use redirections, we need to change the redirection + // target to be the original site URL ($this->uri instead of + // $alias_url) + if ($this->redirection && $alias_url == $this->redirection) { + $this->uri = str_replace('/', '.', $this->uri); + print " server_name {$this->uri};\n"; + } else { + $alias_url = str_replace('/', '.', $alias_url); + print " server_name {$alias_url};\n"; + } + print " access_log off;\n"; + if ($satellite_mode == 'boa') { + print "\n"; + print " ###\n"; + print " ### Allow access to letsencrypt.org ACME challenges directory.\n"; + print " ###\n"; + print " location ^~ /.well-known/acme-challenge {\n"; + print " alias {$aegir_root}/tools/le/.acme-challenges;\n"; + print " try_files \$uri 404;\n"; + print " }\n"; + print "\n"; + } + print " return 301 \$scheme://{$this->redirection}\$request_uri;\n"; + print "}\n"; + } +} +?> + +server { + include fastcgi_params; + + # Block https://httpoxy.org/ attacks. + fastcgi_param HTTP_PROXY ""; + + fastcgi_param MAIN_SITE_NAME uri; ?>; + set $main_site_name "uri; ?>"; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + + fastcgi_param db_type ; + fastcgi_param db_name ; + fastcgi_param db_user ; + fastcgi_param db_passwd ; + fastcgi_param db_host ; +server->db_port ? $this->server->db_port : '3306'; + } +?> + fastcgi_param db_port ; + listen *:; + server_name uri) + if ($this->redirection) { + print str_replace('/', '.', $this->redirection); + } else { + print $this->uri; + } + if (!$this->redirection && is_array($this->aliases)) { + foreach ($this->aliases as $alias_url) { + if (trim($alias_url)) { + print " " . str_replace('/', '.', $alias_url); + } + } + } ?>; + root root}"; ?>; + +redirection || $ssl_redirection) { + if ($ssl_redirection && !$this->redirection) { + // redirect aliases in non-ssl to the same alias on ssl. + print "\n return 301 https://\$host\$request_uri;\n"; + } + elseif ($ssl_redirection && $this->redirection) { + // redirect all aliases + main uri to the main https uri. + print "\n return 301 https://{$this->redirection}\$request_uri;\n"; + } + elseif (!$ssl_redirection && $this->redirection) { + print " include " . $server->include_path . "/nginx_vhost_common.conf;\n"; + } +} +else { + print " include " . $server->include_path . "/nginx_vhost_common.conf;\n"; +} +$if_subsite = $this->data['http_subdird_path'] . '/' . $this->uri; +if (provision_hosting_feature_enabled('subdirs') && provision_file()->exists($if_subsite)->status()) { + print " include " . $if_subsite . "/*.conf;\n"; +} +?> +} diff --git a/src/Service/Http/Nginx/Configuration/templates/vhost_disabled.tpl.php b/src/Service/Http/Nginx/Configuration/templates/vhost_disabled.tpl.php new file mode 100644 index 000000000..0e450b806 --- /dev/null +++ b/src/Service/Http/Nginx/Configuration/templates/vhost_disabled.tpl.php @@ -0,0 +1,18 @@ +satellite_mode) { + $satellite_mode = $server->satellite_mode; +} +?> + +server { + listen *:; + server_name uri . ' ' . implode(' ', str_replace('/', '.', $this->aliases)); ?>; + + root /var/www/nginx-default; + index index.html index.htm; + ### Do not reveal Aegir front-end URL here. + + return 302 platform->server->web_disable_url . '/' . $this->uri ?>; + +} From b3e8deb408b3b3b39f0508309d731eaac2be1a30 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Fri, 26 Jan 2018 12:31:11 -0500 Subject: [PATCH 02/25] Add Provision::fs() for easy access to a filesystem in static functions. --- src/Provision.php | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/src/Provision.php b/src/Provision.php index d4eca9b2f..4b8622126 100644 --- a/src/Provision.php +++ b/src/Provision.php @@ -32,6 +32,7 @@ use Symfony\Component\Console\Input\InputInterface; use Symfony\Component\Console\Logger\ConsoleLogger; use Symfony\Component\Console\Output\OutputInterface; +use Symfony\Component\Filesystem\Filesystem; /** * Class Provision @@ -465,6 +466,9 @@ static public function newProperty($description = '') { /** * Determine the web user group on this server. + * + * @TODO: This should move to the Service class. + * * @return mixed|null */ static function defaultWebGroup() { @@ -509,4 +513,20 @@ static function provision_posix_groupname($group) { } return $group; } + + /** + * Return a new Symfony Filesystem component. + * + * Replacement for provision_file(). + * + * Usage: + * + * Provision::fs()->exists(); + * + * + * @return \Symfony\Component\Filesystem\Filesystem + */ + public static function fs() { + return new Filesystem(); + } } From b1acb4ff9b7466381171a2f8022975ed99e778c4 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Fri, 26 Jan 2018 13:30:05 -0500 Subject: [PATCH 03/25] Work on getting NGINX to work. --- src/Configuration.php | 6 + src/Context/ServerContext.php | 6 +- src/Service.php | 8 + src/Service/Http/HttpNginxService.php | 149 +++++++++++++++++- .../Configuration/ServerConfiguration.php | 7 + .../Configuration/templates/server.tpl.php | 130 --------------- src/Service/HttpService.php | 2 +- 7 files changed, 169 insertions(+), 139 deletions(-) diff --git a/src/Configuration.php b/src/Configuration.php index 2aea9154b..0dbc08cfe 100644 --- a/src/Configuration.php +++ b/src/Configuration.php @@ -117,10 +117,16 @@ function __construct($context, $service = NULL, $data = array()) { * This is a stub to be implemented by subclasses. */ function process() { + $this->data = []; + if (!empty($this->context->getProperties())) { $this->data = $this->context->getProperties(); } + if (isset($this->service) && !empty($this->service->getProperties())) { + $this->data = array_merge($this->data, $this->service->getProperties()); + } + // @TODO: Remove legacy code. // if (is_object($this->store)) { // $this->data['records'] = array_filter(array_merge($this->store->loaded_records, $this->store->records)); diff --git a/src/Context/ServerContext.php b/src/Context/ServerContext.php index 2704d8450..2134df34e 100644 --- a/src/Context/ServerContext.php +++ b/src/Context/ServerContext.php @@ -58,8 +58,6 @@ function __construct($name, Provision $provision, array $options = []) else { $this->server_config_path = $this->getProperty('server_config_path'); } - - $this->fs = new Filesystem(); } /** @@ -129,8 +127,8 @@ public function shell_exec($command, $dir = NULL, $return = 'stdout') { $original_command = $command; $tmpdir = sys_get_temp_dir() . '/provision'; - if (!$this->fs->exists($tmpdir)){ - $this->fs->mkdir($tmpdir); + if (!Provision::fs()->exists($tmpdir)){ + Provision::fs()->mkdir($tmpdir); } $datestamp = date('c'); diff --git a/src/Service.php b/src/Service.php index ed6832462..d40af379a 100644 --- a/src/Service.php +++ b/src/Service.php @@ -243,6 +243,14 @@ public function getName() return $this::SERVICE; } + /** + * Return all properties for this context. + * + * @return array + */ + public function getProperties() { + return $this->properties; + } /** * Get a specific property. diff --git a/src/Service/Http/HttpNginxService.php b/src/Service/Http/HttpNginxService.php index 3d3c63607..127a275f4 100644 --- a/src/Service/Http/HttpNginxService.php +++ b/src/Service/Http/HttpNginxService.php @@ -8,6 +8,8 @@ namespace Aegir\Provision\Service\Http; +use Aegir\Provision\Context\ServerContext; +use Aegir\Provision\Provision; use Aegir\Provision\Service\Http\Nginx\Configuration\PlatformConfiguration; use Aegir\Provision\Service\Http\Nginx\Configuration\ServerConfiguration; use Aegir\Provision\Service\Http\Nginx\Configuration\SiteConfiguration; @@ -24,6 +26,105 @@ class HttpNginxService extends HttpService { const SERVICE_TYPE_NAME = 'NGINX'; + /** + * Path to PHP FPM Socket file for php5. + */ + const SOCKET_PATH_PHP5 = '/var/run/php5-fpm.sock'; + + /** + * Path to PHP FPM Socket file for php7. + */ + const SOCKET_PATH_PHP7 = '/var/run/php/php7.0-fpm.sock'; + + /** + * Path to NGINX Control mode file. + */ + const NGINX_CONTROL_MODE_FILE = '/etc/nginx/basic_nginx.conf'; + + /** + * HttpNginxService constructor. + * + * Detects NGINX configuration and sets as service properties. + * + * @param $service_config + * @param \Aegir\Provision\Context\ServerContext $provider_context + */ + function __construct($service_config, ServerContext $provider_context) { + parent::__construct($service_config, $provider_context); +// +// } +// +// +// /** +// * Run when a `verify` command is invoked. +// * +// * @TODO: Should we move this to a different function? I don't want to store +// * these values in config files since they are read from the system. +// * +// * Are these values needed in other methods or commands? Is it ok for those +// * other methods to invoke verify() themselves if they need these properties? +// * +// * @return array +// */ +// public function verify() { + + $nginx_config = $this->provider->shell_exec(self::getNginxExecutable() . ' -V'); + $this->setProperty('nginx_is_modern', preg_match("/nginx\/1\.((1\.(8|9|(1[0-9]+)))|((2|3|4|5|6|7|8|9|[1-9][0-9]+)\.))/", $nginx_config, $match)); + $this->setProperty('nginx_has_etag', preg_match("/nginx\/1\.([12][0-9]|[3]\.([12][0-9]|[3-9]))/", $nginx_config, $match)); + $this->setProperty('nginx_has_http2', preg_match("/http_v2_module/", $nginx_config, $match)); + $this->setProperty('nginx_has_upload_progress', preg_match("/upload/", $nginx_config, $match)); + $this->setProperty('nginx_has_gzip', preg_match("/http_gzip_static_module/", $nginx_config, $match)); + + // Use basic nginx configuration if this control file exists. + if (Provision::fs()->exists(self::NGINX_CONTROL_MODE_FILE)) { + $this->setProperty('nginx_config_mode', 'basic'); + $this->getProvision()->getLogger()->info('Basic Nginx Config Active -SAVE- YES control file found {path}.', [ + 'path' => self::NGINX_CONTROL_MODE_FILE, + ]); + } + else { + $this->setProperty('nginx_config_mode', 'extended'); + $this->getProvision()->getLogger()->info('Extended Nginx Config Active -SAVE- NO control file found {path}.', [ + 'path' => self::NGINX_CONTROL_MODE_FILE, + ]); + } + + // Check if there is php-fpm listening on unix socket, otherwise use port 9000 to connect + $this->setProperty('phpfpm_mode', self::getPhpFpmMode()); + + // @TODO: Work out a way for something like BOA to do this via a plugin. + // Check if there is BOA specific global.inc file to enable extra Nginx locations +// if ($this->provider->fs->exists('/data/conf/global.inc')) { +// $this->setProperty('satellite_mode', 'boa'); +// drush_log(dt('BOA mode detected -SAVE- YES file found @path.', array('@path' => '/data/conf/global.inc'))); +// } +// else { +// $this->server->satellite_mode = 'vanilla'; +// drush_log(dt('Vanilla mode detected -SAVE- NO file found @path.', array('@path' => '/data/conf/global.inc'))); +// } + + return parent::verify(); + } + + /** + * Override restart_command task to use our default_restart_cmd() + * + * @TODO: Not sure why this is needed? Why does "self" not return this class's default_restart_cmd()? + * + * @return array + */ + static function server_options() { + $options = parent::server_options(); + $options['restart_command'] = Provision::newProperty() + ->description('The command to reload the web server configuration.') + ->defaultValue(function () { + return self::default_restart_cmd(); + }) + ->required() + ; + return $options; + } + /** * Returns array of Configuration classes for this service. * @@ -39,10 +140,25 @@ public function getConfigurations() } /** - * Determine nginx restart command based on available executables. + * Determine full nginx restart command. + * * @return string */ public static function default_restart_cmd() { + $command = self::getNginxExecutable(); + if ($command != '/etc/init.d/nginx') { + $command .= ' -s'; + } + + return "sudo $command reload"; + } + + /** + * Find the nginx executable and return the path to it. + * + * @return mixed|string + */ + public static function getNginxExecutable() { $command = '/etc/init.d/nginx'; // A proper default for most of the world $options[] = $command; // Try to detect the nginx restart command. @@ -55,11 +171,36 @@ public static function default_restart_cmd() { foreach ($options as $test) { if (is_executable($test)) { - $command = ($test == '/etc/init.d/nginx') ? $test : $test . ' -s'; - break; + return $test; } } + } - return "sudo $command reload"; + /** + * Determines the PHP FPM mode. + * + * @return string + * The mode, either 'socket' or 'port'. + */ + public static function getPhpFpmMode() { + + // Search for socket files or fall back to port mode. + switch (TRUE) { + case Provision::fs()->exists(self::SOCKET_PATH_PHP5): + $mode = 'socket'; + $socket_path = self::SOCKET_PATH_PHP5; + break; + case Provision::fs()->exists(self::SOCKET_PATH_PHP7): + $mode = 'socket'; + $socket_path = self::SOCKET_PATH_PHP7; + break; + default: + $mode = 'port'; + $socket_path = ''; + break; + } + + // Return the discovered mode. + return $mode; } } diff --git a/src/Service/Http/Nginx/Configuration/ServerConfiguration.php b/src/Service/Http/Nginx/Configuration/ServerConfiguration.php index d405c0c5a..df3c59d1e 100644 --- a/src/Service/Http/Nginx/Configuration/ServerConfiguration.php +++ b/src/Service/Http/Nginx/Configuration/ServerConfiguration.php @@ -23,4 +23,11 @@ function filename() { return FALSE; } } + + function process() { + parent::process(); + + $this->data['script_user'] = $this->service->provider->getProperty('script_user'); + $this->data['aegir_root'] = $this->service->provider->getProperty('aegir_root'); + } } \ No newline at end of file diff --git a/src/Service/Http/Nginx/Configuration/templates/server.tpl.php b/src/Service/Http/Nginx/Configuration/templates/server.tpl.php index 542d08b52..c82fa1be2 100644 --- a/src/Service/Http/Nginx/Configuration/templates/server.tpl.php +++ b/src/Service/Http/Nginx/Configuration/templates/server.tpl.php @@ -5,55 +5,6 @@ ####################################################### script_user) { - $script_user = $server->script_user; -} - -$aegir_root = drush_get_option('aegir_root'); -if (!$aegir_root && $server->aegir_root) { - $aegir_root = $server->aegir_root; -} - -$nginx_config_mode = drush_get_option('nginx_config_mode'); -if (!$nginx_config_mode && $server->nginx_config_mode) { - $nginx_config_mode = $server->nginx_config_mode; -} - -$phpfpm_mode = drush_get_option('phpfpm_mode'); -if (!$phpfpm_mode && $server->phpfpm_mode) { - $phpfpm_mode = $server->phpfpm_mode; -} - -$nginx_is_modern = drush_get_option('nginx_is_modern'); -if (!$nginx_is_modern && $server->nginx_is_modern) { - $nginx_is_modern = $server->nginx_is_modern; -} - -$nginx_has_etag = drush_get_option('nginx_has_etag'); -if (!$nginx_has_etag && $server->nginx_has_etag) { - $nginx_has_etag = $server->nginx_has_etag; -} - -$nginx_has_http2 = drush_get_option('nginx_has_http2'); -if (!$nginx_has_http2 && $server->nginx_has_http2) { - $nginx_has_http2 = $server->nginx_has_http2; -} - -$nginx_has_gzip = drush_get_option('nginx_has_gzip'); -if (!$nginx_has_gzip && $server->nginx_has_gzip) { - $nginx_has_gzip = $server->nginx_has_gzip; -} - -$nginx_has_upload_progress = drush_get_option('nginx_has_upload_progress'); -if (!$nginx_has_upload_progress && $server->nginx_has_upload_progress) { - $nginx_has_upload_progress = $server->nginx_has_upload_progress; -} - -$satellite_mode = drush_get_option('satellite_mode'); -if (!$satellite_mode && $server->satellite_mode) { - $satellite_mode = $server->satellite_mode; -} if ($nginx_is_modern) { print " limit_conn_zone \$binary_remote_addr zone=limreq:10m;\n"; @@ -72,57 +23,18 @@ ?> - - ## FastCGI params - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param QUERY_STRING $query_string; - fastcgi_param REQUEST_METHOD $request_method; - fastcgi_param CONTENT_TYPE $content_type; - fastcgi_param CONTENT_LENGTH $content_length; - fastcgi_param SCRIPT_NAME $fastcgi_script_name; - fastcgi_param REQUEST_URI $request_uri; - fastcgi_param DOCUMENT_URI $document_uri; - fastcgi_param DOCUMENT_ROOT $document_root; - fastcgi_param SERVER_PROTOCOL $server_protocol; - fastcgi_param GATEWAY_INTERFACE CGI/1.1; - fastcgi_param SERVER_SOFTWARE ApacheSolarisNginx/$nginx_version; - fastcgi_param REMOTE_ADDR $remote_addr; - fastcgi_param REMOTE_PORT $remote_port; - fastcgi_param SERVER_ADDR $server_addr; - fastcgi_param SERVER_PORT $server_port; - fastcgi_param SERVER_NAME $server_name; - fastcgi_param USER_DEVICE $device; - fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code; - fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3; - fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name; - fastcgi_param REDIRECT_STATUS 200; - fastcgi_index index.php; - # Block https://httpoxy.org/ attacks. - fastcgi_param HTTP_PROXY ""; - ## Size Limits client_body_buffer_size 64k; client_header_buffer_size 32k; - - client_max_body_size 100m; - connection_pool_size 256; fastcgi_buffer_size 128k; fastcgi_buffers 256 4k; fastcgi_busy_buffers_size 256k; fastcgi_temp_file_write_size 256k; large_client_header_buffers 32 32k; - - map_hash_bucket_size 192; - request_pool_size 4k; server_names_hash_bucket_size 512; - - server_names_hash_max_size 8192; - types_hash_bucket_size 512; - variables_hash_max_size 1024; - ## Timeouts client_body_timeout 180; @@ -152,26 +64,10 @@ recursive_error_pages on; reset_timedout_connection on; fastcgi_intercept_errors on; - - server_tokens off; - fastcgi_hide_header 'Link'; - fastcgi_hide_header 'X-Generator'; - fastcgi_hide_header 'X-Powered-By'; - ## SSL performance ssl_session_cache shared:SSL:10m; - - ## SSL protocols, ciphers and settings - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - ## GeoIP support - geoip_country /usr/share/GeoIP/GeoIP.dat; - - ## Compression gzip_buffers 16 8k; gzip_comp_level 8; @@ -214,9 +110,6 @@ - - error_log /var/log/nginx/error.log crit; - ####################################################### ### nginx default maps ####################################################### @@ -300,33 +193,10 @@ listen *:; server_name _; location / { - - expires 99s; - add_header Cache-Control "public, must-revalidate, proxy-revalidate"; - add_header Access-Control-Allow-Origin *; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - root /var/www/nginx-default; - index index.html index.htm; - return 404; - } } - - server { - listen *:; - server_name 127.0.0.1; - location /nginx_status { - stub_status on; - access_log off; - allow 127.0.0.1; - deny all; - } - } - - ####################################################### ### nginx virtual domains ####################################################### diff --git a/src/Service/HttpService.php b/src/Service/HttpService.php index a3d7b6d67..295a989fc 100644 --- a/src/Service/HttpService.php +++ b/src/Service/HttpService.php @@ -134,7 +134,7 @@ function verifyPlatform() { /** * Return the default restart command for this service. */ - static function default_restart_cmd() { + public static function default_restart_cmd() { return ''; } From 294b625de904242c56a6995906053a6dfe470072 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Fri, 26 Jan 2018 15:26:27 -0500 Subject: [PATCH 04/25] Output stout and sterr to the same file, and return the full output in ServerContext::shell_exec() --- src/Context/ServerContext.php | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/src/Context/ServerContext.php b/src/Context/ServerContext.php index 2134df34e..cc1dc4fc5 100644 --- a/src/Context/ServerContext.php +++ b/src/Context/ServerContext.php @@ -122,7 +122,7 @@ public function verify() * @return string * @throws \Exception */ - public function shell_exec($command, $dir = NULL, $return = 'stdout') { + public function shell_exec($command, $dir = NULL, $return = 'output') { $cwd = getcwd(); $original_command = $command; @@ -133,7 +133,6 @@ public function shell_exec($command, $dir = NULL, $return = 'stdout') { $datestamp = date('c'); $tmp_output_file = tempnam($tmpdir, 'task.' . $datestamp . '.output.'); - $tmp_error_file = tempnam($tmpdir, 'task.' . $datestamp . '.error.'); $effective_wd = $dir? $dir: $this->getProperty('server_config_path'); @@ -143,23 +142,22 @@ public function shell_exec($command, $dir = NULL, $return = 'stdout') { } // Output and Errors to files. - $command .= "> $tmp_output_file 2> $tmp_error_file"; + $command .= "> $tmp_output_file 2>&1"; chdir($effective_wd); exec($command, $output, $exit); chdir($cwd); - $stderr = file_get_contents($tmp_error_file); - $stdout = file_get_contents($tmp_output_file); + $output = file_get_contents($tmp_output_file); - if (!empty($stdout)){ + if (!empty($output)){ if ($this->getProvision()->getOutput()->isVerbose()) { - $this->getProvision()->io()->outputBlock($stdout); + $this->getProvision()->io()->outputBlock($output); } } if ($exit != ResultData::EXITCODE_OK) { - throw new \Exception($stderr); + throw new \Exception($output); } return ${$return}; From 0c17092df4648ffda760e167ab32956fc6c58352 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Fri, 26 Jan 2018 15:45:42 -0500 Subject: [PATCH 05/25] Prepare web server config folders and variables for the nginx template. --- src/Service/Http/HttpNginxService.php | 41 +++++++++++-------- .../Configuration/ServerConfiguration.php | 17 ++++++++ 2 files changed, 42 insertions(+), 16 deletions(-) diff --git a/src/Service/Http/HttpNginxService.php b/src/Service/Http/HttpNginxService.php index 127a275f4..39132f426 100644 --- a/src/Service/Http/HttpNginxService.php +++ b/src/Service/Http/HttpNginxService.php @@ -51,22 +51,21 @@ class HttpNginxService extends HttpService { */ function __construct($service_config, ServerContext $provider_context) { parent::__construct($service_config, $provider_context); -// -// } -// -// -// /** -// * Run when a `verify` command is invoked. -// * -// * @TODO: Should we move this to a different function? I don't want to store -// * these values in config files since they are read from the system. -// * -// * Are these values needed in other methods or commands? Is it ok for those -// * other methods to invoke verify() themselves if they need these properties? -// * -// * @return array -// */ -// public function verify() { + + } + + /** + * Run when a `verify` command is invoked. + * + * @TODO: Should we move this to a different function? I don't want to store + * these values in config files since they are read from the system. + * + * Are these values needed in other methods or commands? Is it ok for those + * other methods to invoke verify() themselves if they need these properties? + * + * @return array + */ + public function verify() { $nginx_config = $this->provider->shell_exec(self::getNginxExecutable() . ' -V'); $this->setProperty('nginx_is_modern', preg_match("/nginx\/1\.((1\.(8|9|(1[0-9]+)))|((2|3|4|5|6|7|8|9|[1-9][0-9]+)\.))/", $nginx_config, $match)); @@ -106,6 +105,16 @@ function __construct($service_config, ServerContext $provider_context) { return parent::verify(); } + /** + * No tasks to run + * @return array + */ + function verifyPlatform() { + $tasks = []; + return $tasks; + } + + /** /** * Override restart_command task to use our default_restart_cmd() * diff --git a/src/Service/Http/Nginx/Configuration/ServerConfiguration.php b/src/Service/Http/Nginx/Configuration/ServerConfiguration.php index df3c59d1e..a01266fcb 100644 --- a/src/Service/Http/Nginx/Configuration/ServerConfiguration.php +++ b/src/Service/Http/Nginx/Configuration/ServerConfiguration.php @@ -27,6 +27,23 @@ function filename() { function process() { parent::process(); + // Run verify to load in nginx properties. + $this->service->verify(); + + $app_dir = $this->context->getProvision()->getConfig()->get('config_path') . '/' . $this->context->name . '/' . $this->service->getType(); + $this->data['http_port'] = $this->service->properties['http_port']; + $this->data['include_statement'] = '# INCLUDE STATEMENT'; + $this->data['http_pred_path'] = "{$app_dir}/pre.d"; + $this->data['http_postd_path'] = "{$app_dir}/post.d"; + $this->data['http_platformd_path'] = "{$app_dir}/platform.d"; + $this->data['http_vhostd_path'] = "{$app_dir}/vhost.d"; + $this->data['extra_config'] = ""; + + $this->fs->mkdir($this->data['http_pred_path']); + $this->fs->mkdir($this->data['http_postd_path']); + $this->fs->mkdir($this->data['http_platformd_path']); + $this->fs->mkdir($this->data['http_vhostd_path']); + $this->data['script_user'] = $this->service->provider->getProperty('script_user'); $this->data['aegir_root'] = $this->service->provider->getProperty('aegir_root'); } From 7c63f50735eef48bbb0d95f3169d4fb488a53214 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Fri, 26 Jan 2018 17:03:00 -0500 Subject: [PATCH 06/25] Adding and changing additional template vars for the vhost. --- src/Service.php | 3 +- .../Nginx/Configuration/SiteConfiguration.php | 15 +++- .../Configuration/templates/vhost.tpl.php | 85 ++++++++++--------- 3 files changed, 59 insertions(+), 44 deletions(-) diff --git a/src/Service.php b/src/Service.php index d40af379a..712fd53c9 100644 --- a/src/Service.php +++ b/src/Service.php @@ -204,9 +204,10 @@ protected function writeConfigurations(Context $context = NULL) } catch (\Exception $e) { $context->getProvision()->getLogger()->info( - 'Unable to write {description} to {path}.', [ + 'Unable to write {description} to {path}: {message}', [ 'description' => $config->description, 'path' => $config->filename(), + 'message' => $e->getMessage(), ] ); $success = FALSE; diff --git a/src/Service/Http/Nginx/Configuration/SiteConfiguration.php b/src/Service/Http/Nginx/Configuration/SiteConfiguration.php index 82a5bee6a..e9cccb8c3 100644 --- a/src/Service/Http/Nginx/Configuration/SiteConfiguration.php +++ b/src/Service/Http/Nginx/Configuration/SiteConfiguration.php @@ -28,7 +28,7 @@ function filename() { function process() { parent::process(); - $this->data['http_port'] = $this->context->getSubscription('http')->service->getProperty('http_port'); + $this->data['http_port'] = $this->context->platform->getSubscription('http')->service->getProperty('http_port'); $this->data['document_root'] = $this->context->platform->getProperty('document_root'); $this->data['uri'] = $this->context->getProperty('uri'); @@ -47,5 +47,18 @@ function process() { $this->data['db_port'] = $this->context->getSubscription('db')->service->getCreds()['port']; $this->data['extra_config'] = ''; + + $this->data['redirection'] = $this->context->getProperty('redirection'); + $this->data['ssl_redirection'] = $this->context->getProperty('ssl_redirection'); + $this->data['aliases'] = $this->context->getProperty('aliases'); + + $this->data['script_user'] = $this->context->platform->getService('http')->provider->getProperty('script_user'); + $this->data['aegir_root'] = $this->service->provider->getProperty('aegir_root'); + $this->data['root'] = $this->context->platform->getProperty('root'); + $this->data['server_include_path'] = $this->context->platform->getProperty('root'); + + if (empty($this->data['db_port'])) { + $db_port = $this->context->getService('db')->getProperty('db_port ')? $this->context->getService('db')->getProperty('db_port ') : '3306'; + } } } \ No newline at end of file diff --git a/src/Service/Http/Nginx/Configuration/templates/vhost.tpl.php b/src/Service/Http/Nginx/Configuration/templates/vhost.tpl.php index 955288ed6..7d39519b5 100644 --- a/src/Service/Http/Nginx/Configuration/templates/vhost.tpl.php +++ b/src/Service/Http/Nginx/Configuration/templates/vhost.tpl.php @@ -1,35 +1,35 @@ redirection) { - $aegir_root = d('@server_master')->aegir_root; - $satellite_mode = d('@server_master')->satellite_mode; +if ($redirection) { +// $aegir_root = d('@server_master')->aegir_root; +// $satellite_mode = d('@server_master')->satellite_mode; // Redirect all aliases to the main http url using separate vhosts blocks to avoid if{} in Nginx. - foreach ($this->aliases as $alias_url) { + foreach ($aliases as $alias_url) { print "# alias redirection virtual host\n"; print "server {\n"; print " listen *:{$http_port};\n"; // if we use redirections, we need to change the redirection // target to be the original site URL ($this->uri instead of // $alias_url) - if ($this->redirection && $alias_url == $this->redirection) { - $this->uri = str_replace('/', '.', $this->uri); - print " server_name {$this->uri};\n"; + if (isset($redirection_target) && $alias_url == $redirection_target) { + $uri = str_replace('/', '.', $uri); + print " server_name {$uri};\n"; } else { $alias_url = str_replace('/', '.', $alias_url); print " server_name {$alias_url};\n"; } print " access_log off;\n"; - if ($satellite_mode == 'boa') { - print "\n"; - print " ###\n"; - print " ### Allow access to letsencrypt.org ACME challenges directory.\n"; - print " ###\n"; - print " location ^~ /.well-known/acme-challenge {\n"; - print " alias {$aegir_root}/tools/le/.acme-challenges;\n"; - print " try_files \$uri 404;\n"; - print " }\n"; - print "\n"; - } - print " return 301 \$scheme://{$this->redirection}\$request_uri;\n"; +// if ($satellite_mode == 'boa') { +// print "\n"; +// print " ###\n"; +// print " ### Allow access to letsencrypt.org ACME challenges directory.\n"; +// print " ###\n"; +// print " location ^~ /.well-known/acme-challenge {\n"; +// print " alias {$aegir_root}/tools/le/.acme-challenges;\n"; +// print " try_files \$uri 404;\n"; +// print " }\n"; +// print "\n"; +// } + print " return 301 \$scheme://{$redirection_target}\$request_uri;\n"; print "}\n"; } } @@ -41,8 +41,8 @@ # Block https://httpoxy.org/ attacks. fastcgi_param HTTP_PROXY ""; - fastcgi_param MAIN_SITE_NAME uri; ?>; - set $main_site_name "uri; ?>"; + fastcgi_param MAIN_SITE_NAME ; + set $main_site_name ""; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; server->db_port ? $this->server->db_port : '3306'; - } +// if (!$db_port) { +// $db_port = $this->server->db_port ? $this->server->db_port : '3306'; +// } ?> fastcgi_param db_port ; listen *:; server_name uri) - if ($this->redirection) { - print str_replace('/', '.', $this->redirection); + // ($uri) + if ($redirection) { + print str_replace('/', '.', $redirection); } else { - print $this->uri; + print $uri; } - if (!$this->redirection && is_array($this->aliases)) { - foreach ($this->aliases as $alias_url) { + if (!$redirection && is_array($aliases)) { + foreach ($aliases as $alias_url) { if (trim($alias_url)) { print " " . str_replace('/', '.', $alias_url); } } } ?>; - root root}"; ?>; + root ; redirection || $ssl_redirection) { - if ($ssl_redirection && !$this->redirection) { +if ($redirection || $ssl_redirection) { + if ($ssl_redirection && !$redirection) { // redirect aliases in non-ssl to the same alias on ssl. print "\n return 301 https://\$host\$request_uri;\n"; } - elseif ($ssl_redirection && $this->redirection) { + elseif ($ssl_redirection && $redirection) { // redirect all aliases + main uri to the main https uri. - print "\n return 301 https://{$this->redirection}\$request_uri;\n"; + print "\n return 301 https://{$redirection}\$request_uri;\n"; } - elseif (!$ssl_redirection && $this->redirection) { - print " include " . $server->include_path . "/nginx_vhost_common.conf;\n"; + elseif (!$ssl_redirection && $redirection) { + // Commenting out until we fix where include_path is coming from. + // print " include " . $server->include_path . "/nginx_vhost_common.conf;\n"; } } else { - print " include " . $server->include_path . "/nginx_vhost_common.conf;\n"; -} -$if_subsite = $this->data['http_subdird_path'] . '/' . $this->uri; -if (provision_hosting_feature_enabled('subdirs') && provision_file()->exists($if_subsite)->status()) { - print " include " . $if_subsite . "/*.conf;\n"; +// print " include " . $server->include_path . "/nginx_vhost_common.conf;\n"; } +//$if_subsite = $this->data['http_subdird_path'] . '/' . $uri; +//if (provision_hosting_feature_enabled('subdirs') && provision_file()->exists($if_subsite)->status()) { +// print " include " . $if_subsite . "/*.conf;\n"; +//} ?> } From 9373dcef1c2a5458bb6dd34e2982b9b54f3587e1 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 5 Feb 2018 11:47:51 -0500 Subject: [PATCH 07/25] Put back code, but commented. --- src/Service/Http/HttpNginxService.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/Service/Http/HttpNginxService.php b/src/Service/Http/HttpNginxService.php index 39132f426..91cc719cc 100644 --- a/src/Service/Http/HttpNginxService.php +++ b/src/Service/Http/HttpNginxService.php @@ -102,6 +102,10 @@ public function verify() { // drush_log(dt('Vanilla mode detected -SAVE- NO file found @path.', array('@path' => '/data/conf/global.inc'))); // } +// // Set correct subdirs_support value on server save +// if (provision_hosting_feature_enabled('subdirs')) { +// $this->server->subdirs_support = TRUE; +// } return parent::verify(); } From aeade2b799b098a48f9f746a8337dd1811b4c94a Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 5 Feb 2018 12:04:48 -0500 Subject: [PATCH 08/25] Use server_config_path in NGINX Server Config --- src/Service/Http/Nginx/Configuration/ServerConfiguration.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Service/Http/Nginx/Configuration/ServerConfiguration.php b/src/Service/Http/Nginx/Configuration/ServerConfiguration.php index a01266fcb..a1286ac77 100644 --- a/src/Service/Http/Nginx/Configuration/ServerConfiguration.php +++ b/src/Service/Http/Nginx/Configuration/ServerConfiguration.php @@ -30,7 +30,7 @@ function process() { // Run verify to load in nginx properties. $this->service->verify(); - $app_dir = $this->context->getProvision()->getConfig()->get('config_path') . '/' . $this->context->name . '/' . $this->service->getType(); + $app_dir = $this->getContext()->server_config_path . DIRECTORY_SEPARATOR . $this->service->getType(); $this->data['http_port'] = $this->service->properties['http_port']; $this->data['include_statement'] = '# INCLUDE STATEMENT'; $this->data['http_pred_path'] = "{$app_dir}/pre.d"; From dd4dc8febb14fa6a423655639e873ca206075301 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 5 Feb 2018 12:57:34 -0500 Subject: [PATCH 09/25] Create the server_config_path before another tasks run. --- src/Context/ServerContext.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/Context/ServerContext.php b/src/Context/ServerContext.php index cc1dc4fc5..a1d1b8ada 100644 --- a/src/Context/ServerContext.php +++ b/src/Context/ServerContext.php @@ -108,6 +108,9 @@ static function option_documentation() */ public function verify() { + // Create the server/service directory. We put this here because we need to make sure this is always run before any other tasks. + Provision::fs()->mkdir($this->server_config_path); + $tasks = []; return $tasks; } From aa84782136ce52d2f08c9f233d365634cf1a3598 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 5 Feb 2018 12:58:52 -0500 Subject: [PATCH 10/25] Add vhost include template for NGINX as class SiteCommonConfiguration --- src/Service/Http/HttpNginxService.php | 52 +- .../Configuration/SiteCommonConfiguration.php | 53 + .../Configuration/templates/vhost.tpl.php | 2 +- .../templates/vhost_include.tpl.php | 1376 +++++++++++++++++ 4 files changed, 1474 insertions(+), 9 deletions(-) create mode 100644 src/Service/Http/Nginx/Configuration/SiteCommonConfiguration.php create mode 100644 src/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php diff --git a/src/Service/Http/HttpNginxService.php b/src/Service/Http/HttpNginxService.php index 91cc719cc..ea53c6ad3 100644 --- a/src/Service/Http/HttpNginxService.php +++ b/src/Service/Http/HttpNginxService.php @@ -12,6 +12,7 @@ use Aegir\Provision\Provision; use Aegir\Provision\Service\Http\Nginx\Configuration\PlatformConfiguration; use Aegir\Provision\Service\Http\Nginx\Configuration\ServerConfiguration; +use Aegir\Provision\Service\Http\Nginx\Configuration\SiteCommonConfiguration; use Aegir\Provision\Service\Http\Nginx\Configuration\SiteConfiguration; use Aegir\Provision\Service\HttpService; @@ -41,6 +42,11 @@ class HttpNginxService extends HttpService { */ const NGINX_CONTROL_MODE_FILE = '/etc/nginx/basic_nginx.conf'; + /** + * + */ + const BOA_CONFIG_PATH = '/data/conf/global.inc'; + /** * HttpNginxService constructor. * @@ -90,22 +96,26 @@ public function verify() { // Check if there is php-fpm listening on unix socket, otherwise use port 9000 to connect $this->setProperty('phpfpm_mode', self::getPhpFpmMode()); + $this->setProperty('phpfpm_socket_path', self::getPhpFpmSocketPath()); // @TODO: Work out a way for something like BOA to do this via a plugin. // Check if there is BOA specific global.inc file to enable extra Nginx locations -// if ($this->provider->fs->exists('/data/conf/global.inc')) { -// $this->setProperty('satellite_mode', 'boa'); -// drush_log(dt('BOA mode detected -SAVE- YES file found @path.', array('@path' => '/data/conf/global.inc'))); -// } -// else { -// $this->server->satellite_mode = 'vanilla'; -// drush_log(dt('Vanilla mode detected -SAVE- NO file found @path.', array('@path' => '/data/conf/global.inc'))); -// } + if ($this->provider->fs->exists(self::BOA_CONFIG_PATH)) { + $this->setProperty('satellite_mode', 'boa'); + $this->getProvision()->getLogger()->debug('BOA mode detected -SAVE- YES file found {path}.', ['path' => self::BOA_CONFIG_PATH]); + } + else { + $this->setProperty('satellite_mode', 'vanilla'); + $this->getProvision()->getLogger()->debug('Vanilla mode detected -SAVE- NO file found {path}.', ['path' => self::BOA_CONFIG_PATH]); + } // // Set correct subdirs_support value on server save // if (provision_hosting_feature_enabled('subdirs')) { // $this->server->subdirs_support = TRUE; // } + + $this->setProperty('server_config_path', $this->provider->server_config_path); + return parent::verify(); } @@ -148,6 +158,7 @@ static function server_options() { public function getConfigurations() { $configs['server'][] = ServerConfiguration::class; + $configs['server'][] = SiteCommonConfiguration::class; $configs['site'][] = SiteConfiguration::class; return $configs; } @@ -216,4 +227,29 @@ public static function getPhpFpmMode() { // Return the discovered mode. return $mode; } + + /** + * Gets the PHP FPM unix socket path. + * + * If we're running in port mode, there is no socket path. FALSE would be + * returned in this case. + * + * @return string + * The path, or FALSE if there isn't one. + */ + public static function getPhpFpmSocketPath() { + // Simply return FALSE if we're in port mode. + if (self::getPhpFpmMode() == 'port') { + return FALSE; + } + + // Return the socket path based on the PHP version. + if (strtok(phpversion(), '.') == 7) { + return self::SOCKET_PATH_PHP7; + } + else { + return self::SOCKET_PATH_PHP5; + } + } + } diff --git a/src/Service/Http/Nginx/Configuration/SiteCommonConfiguration.php b/src/Service/Http/Nginx/Configuration/SiteCommonConfiguration.php new file mode 100644 index 000000000..d733eb219 --- /dev/null +++ b/src/Service/Http/Nginx/Configuration/SiteCommonConfiguration.php @@ -0,0 +1,53 @@ +data['application_name'])) { +// $file = $this->data['application_name'] . '_vhost_common.conf'; +// $legacy_simple_file = $this->data['application_name'] . '_simple_include.conf'; +// $legacy_advanced_file = $this->data['application_name'] . '_advanced_include.conf'; +// // We link both legacy files on the remote server to the right version. +// $cmda = sprintf('ln -sf %s %s', +// escapeshellarg($this->data['server']->include_path . '/' . $file), +// escapeshellarg($this->data['server']->include_path . '/' . $legacy_simple_file) +// ); +// $cmdb = sprintf('ln -sf %s %s', +// escapeshellarg($this->data['server']->include_path . '/' . $file), +// escapeshellarg($this->data['server']->include_path . '/' . $legacy_advanced_file) +// ); +// if ($this->data['server']->shell_exec($cmda)) { +// drush_log(dt("Created legacy_simple_file symlink for %file on %server", array( +// '%file' => $file, +// '%server' => $this->data['server']->remote_host, +// ))); +// }; +// if ($this->data['server']->shell_exec($cmdb)) { +// drush_log(dt("Created legacy_advanced_file symlink for %file on %server", array( +// '%file' => $file, +// '%server' => $this->data['server']->remote_host, +// ))); +// }; +// } + } + + function filename() { + return $this->service->provider->server_config_path . '/nginx_vhost_common.conf'; + } +} \ No newline at end of file diff --git a/src/Service/Http/Nginx/Configuration/templates/vhost.tpl.php b/src/Service/Http/Nginx/Configuration/templates/vhost.tpl.php index 7d39519b5..eed195e30 100644 --- a/src/Service/Http/Nginx/Configuration/templates/vhost.tpl.php +++ b/src/Service/Http/Nginx/Configuration/templates/vhost.tpl.php @@ -107,7 +107,7 @@ } } else { -// print " include " . $server->include_path . "/nginx_vhost_common.conf;\n"; + print " include " . $server_config_path . "/nginx_vhost_common.conf;\n"; } //$if_subsite = $this->data['http_subdird_path'] . '/' . $uri; //if (provision_hosting_feature_enabled('subdirs') && provision_file()->exists($if_subsite)->status()) { diff --git a/src/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php b/src/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php new file mode 100644 index 000000000..ffb9532b4 --- /dev/null +++ b/src/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php @@ -0,0 +1,1376 @@ +script_user) { +// $script_user = $server->script_user; +//} +// +//$aegir_root = drush_get_option('aegir_root'); +//if (!$aegir_root && $server->aegir_root) { +// $aegir_root = $server->aegir_root; +//} +// +//$nginx_config_mode = drush_get_option('nginx_config_mode'); +//if (!$nginx_config_mode && $server->nginx_config_mode) { +// $nginx_config_mode = $server->nginx_config_mode; +//} +// +//$phpfpm_mode = drush_get_option('phpfpm_mode'); +//if (!$phpfpm_mode && $server->phpfpm_mode) { +// $phpfpm_mode = $server->phpfpm_mode; +//} + +// We can use $server here once we have proper inheritance. +// See Provision_Service_http_nginx_ssl for details. +//$phpfpm_socket_path = Provision_Service_http_nginx::getPhpFpmSocketPath(); +// +//$nginx_is_modern = drush_get_option('nginx_is_modern'); +//if (!$nginx_is_modern && $server->nginx_is_modern) { +// $nginx_is_modern = $server->nginx_is_modern; +//} +// +//$nginx_has_etag = drush_get_option('nginx_has_etag'); +//if (!$nginx_has_etag && $server->nginx_has_etag) { +// $nginx_has_etag = $server->nginx_has_etag; +//} +// +//$nginx_has_http2 = drush_get_option('nginx_has_http2'); +//if (!$nginx_has_http2 && $server->nginx_has_http2) { +// $nginx_has_http2 = $server->nginx_has_http2; +//} +// +//$nginx_has_gzip = drush_get_option('nginx_has_gzip'); +//if (!$nginx_has_gzip && $server->nginx_has_gzip) { +// $nginx_has_gzip = $server->nginx_has_gzip; +//} +// +//$nginx_has_upload_progress = drush_get_option('nginx_has_upload_progress'); +//if (!$nginx_has_upload_progress && $server->nginx_has_upload_progress) { +// $nginx_has_upload_progress = $server->nginx_has_upload_progress; +//} +// +//$satellite_mode = drush_get_option('satellite_mode'); +//if (!$satellite_mode && $server->satellite_mode) { +// $satellite_mode = $server->satellite_mode; +//} +?> +####################################################### + +### nginx.conf site level extended vhost include start + +### nginx.conf site level basic vhost include start + +####################################################### + +### +### Use the main site name if available, instead of +### potentially virtual server_name when alias is set +### as redirection target. See #2358977 for details. +### +if ($main_site_name = '') { + set $main_site_name "$server_name"; +} + + +set $nocache_details "Cache"; + + +### +### Deny crawlers. +### +if ($is_crawler) { + return 403; +} + +### +### Block semalt botnet. +### +if ($is_botnet) { + return 403; +} + +### +### Include high load protection config if exists. +### +include /data/conf/nginx_high_load.c*; + + +### +### Deny not compatible request methods without 405 response. +### +if ( $request_method !~ ^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) { + return 403; +} + + +### +### Deny listed requests for security reasons. +### +if ($is_denied) { + return 403; +} + +### +### Add recommended HTTP headers +### +add_header Access-Control-Allow-Origin *; +add_header X-Content-Type-Options nosniff; +add_header X-XSS-Protection "1; mode=block"; + + + +### +### Force clean URLs for Drupal 8. +### +rewrite ^/index.php/(.*)$ $scheme://$host/$1 permanent; + +### +### Include high level local configuration override if exists. +### +include /config/server_master/nginx/post.d/nginx_force_include*; + +### +### Include PHP-FPM version override logic if exists. +### +include /config/server_master/nginx/post.d/fpm_include*; + +### +### Allow to use non-default PHP-FPM version for the site +### listed in the special include file. +### +if ($user_socket = '') { + set $user_socket ""; +} + + +### +### HTTPRL standard support. +### +location ^~ /httprl_async_function_callback { + location ~* ^/httprl_async_function_callback { + access_log off; + set $nocache_details "Skip"; + try_files $uri @nobots; + } +} + +### +### HTTPRL test mode support. +### +location ^~ /admin/httprl-test { + location ~* ^/admin/httprl-test { + access_log off; + set $nocache_details "Skip"; + try_files $uri @nobots; + } +} + +### +### CDN Far Future expiration support. +### +location ^~ /cdn/farfuture/ { + tcp_nodelay off; + access_log off; + log_not_found off; + + etag off; + + add_header ETag ""; + + gzip_http_version 1.0; + if_modified_since exact; + set $nocache_details "Skip"; + location ~* ^/cdn/farfuture/.+\.(?:css|js|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|pptx?|tiff?|txt|rtf|class|otf|ttf|woff|eot|less)$ { + expires max; + add_header X-Header "CDN Far Future Generator 1.0"; + add_header Cache-Control "no-transform, public"; + add_header Last-Modified "Wed, 20 Jan 1988 04:20:42 GMT"; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break; + try_files $uri @nobots; + } + location ~* ^/cdn/farfuture/ { + expires epoch; + add_header X-Header "CDN Far Future Generator 1.1"; + add_header Cache-Control "private, must-revalidate, proxy-revalidate"; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break; + try_files $uri @nobots; + } + try_files $uri @nobots; +} + + +### +### If favicon else return error 204. +### +location = /favicon.ico { + access_log off; + log_not_found off; + expires 30d; + try_files /sites/$main_site_name/files/favicon.ico $uri =204; +} + +### +### Support for https://drupal.org/project/robotstxt module +### and static file in the sites/domain/files directory. +### +location = /robots.txt { + access_log off; + log_not_found off; + + try_files /sites/$main_site_name/files/$host.robots.txt /sites/$main_site_name/files/robots.txt $uri @cache; + + try_files /sites/$main_site_name/files/$host.robots.txt /sites/$main_site_name/files/robots.txt $uri @drupal; + +} + + +### +### Allow local access to the FPM status page. +### +location = /fpm-status { + access_log off; + allow 127.0.0.1; + deny all; + + fastcgi_pass unix:/var/run/$user_socket.fpm.socket; + + fastcgi_pass 127.0.0.1:9000; + + fastcgi_pass unix:; + +} + +### +### Allow local access to the FPM ping URI. +### +location = /fpm-ping { + access_log off; + allow 127.0.0.1; + deny all; + + fastcgi_pass unix:/var/run/$user_socket.fpm.socket; + + fastcgi_pass 127.0.0.1:9000; + + fastcgi_pass unix:; + +} + + + +### +### Allow local access to support wget method in Aegir settings +### for running sites cron. +### +location = /cron.php { + tcp_nopush off; + keepalive_requests 0; + + allow 127.0.0.1; + deny all; + + try_files $uri =404; + + fastcgi_pass unix:/var/run/$user_socket.fpm.socket; + + fastcgi_pass 127.0.0.1:9000; + + fastcgi_pass unix:; + +} + +### +### Allow local access to support wget method in Aegir settings +### for running sites cron in Drupal 8. +### +location ^~ /cron/ { + + allow 127.0.0.1; + deny all; + + + set $nocache_details "Skip"; + + try_files $uri @drupal; +} + +### +### Send search to php-fpm early so searching for node.js will work. +### Deny bots on search uri. +### +location ^~ /search { + location ~* ^/search { + if ($is_bot) { + return 403; + } + try_files $uri @cache; + } +} + +### +### Support for https://drupal.org/project/js module. +### +location ^~ /js/ { + location ~* ^/js/ { + if ($is_bot) { + return 403; + } + rewrite ^/(.*)$ /js.php?q=$1 last; + } +} + + +### +### Upload progress support. +### https://drupal.org/project/filefield_nginx_progress +### http://github.com/masterzen/nginx-upload-progress-module +### +location ~ (?.*)/x-progress-id:(?\d*) { + access_log off; + rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id; +} +location ^~ /progress { + access_log off; + upload_progress_json_output; + report_uploads uploads; +} + + + +### +### Deny access to Hostmaster web/db server node. +### It is still possible to edit or break web/db server +### node at /node/2/edit, if you know what are you doing. +### +location ^~ /hosting/c/server_master { + if ($cache_uid = '') { + return 403; + } + if ($is_bot) { + return 403; + } + access_log off; + return 301 $scheme://$host/hosting/sites; +} + +### +### Deny access to Hostmaster db server node. +### It is still possible to edit or break db server +### node at /node/4/edit, if you know what are you doing. +### +location ^~ /hosting/c/server_localhost { + if ($cache_uid = '') { + return 403; + } + if ($is_bot) { + return 403; + } + access_log off; + return 301 $scheme://$host/hosting/sites; +} + + +### +### Fix for #2005116 +### +location ^~ /hosting/sites { + if ($is_bot) { + return 403; + } + access_log off; + set $nocache_details "Skip"; + try_files $uri @drupal; +} + +### +### Fix for Aegir & .info .pl domain extensions. +### +location ^~ /hosting { + if ($is_bot) { + return 403; + } + access_log off; + set $nocache_details "Skip"; + try_files $uri @cache; +} + + +### +### Deny cache details display. +### +location ^~ /admin/settings/performance/cache-backend { + access_log off; + return 301 $scheme://$host/admin/settings/performance; +} + +### +### Deny cache details display. +### +location ^~ /admin/config/development/performance/redis { + access_log off; + return 301 $scheme://$host/admin/config/development/performance; +} + + +### +### Support for backup_migrate module download/restore/delete actions. +### +location ^~ /admin { + if ($is_bot) { + return 403; + } + access_log off; + set $nocache_details "Skip"; + try_files $uri @drupal; +} + +### +### Avoid caching /civicrm* and protect it from bots. +### +location ^~ /civicrm { + if ($is_bot) { + return 403; + } + access_log off; + set $nocache_details "Skip"; + try_files $uri @drupal; +} + +### +### Support for audio module. +### +location ^~ /audio/download { + location ~* ^/audio/download/.*/.*\.(?:mp3|mp4|m4a|ogg)$ { + if ($is_bot) { + return 403; + } + tcp_nopush off; + access_log off; + log_not_found off; + set $nocache_details "Skip"; + try_files $uri @drupal; + } +} + + +### +### Deny listed requests for security reasons. +### +location ~* (\.(?:git.*|htaccess|engine|config|inc|ini|info|install|make|module|profile|test|pl|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save))$ { + access_log off; + return 404; +} + +### +### Deny listed requests for security reasons. +### +location ~* /(?:modules|themes|libraries)/.*\.(?:txt|md)$ { + access_log off; + return 404; +} + +### +### Deny listed requests for security reasons. +### +location ~* ^/sites/.*/files/civicrm/(?:ConfigAndLog|custom|upload|templates_c) { + access_log off; + return 404; +} + + +### +### Deny often flooded URI for performance reasons +### +location = /autodiscover/autodiscover.xml { + access_log off; + return 404; +} + +### +### Deny some not supported URI like cgi-bin on the Nginx level. +### +location ~* (?:cgi-bin|vti-bin) { + access_log off; + return 404; +} + +### +### Deny bots on some weak modules uri. +### +location ~* (?:validation|aggregator|vote_up_down|captcha|vbulletin|glossary/) { + if ($is_bot) { + return 403; + } + access_log off; + try_files $uri @cache; +} + +### +### Responsive Images support. +### https://drupal.org/project/responsive_images +### +location ~* \.r\.(?:jpe?g|png|gif) { + if ( $http_cookie ~* "rwdimgsize=large" ) { + rewrite ^/(.*)/mobile/(.*)\.r(\.(?:jpe?g|png|gif))$ /$1/desktop/$2$3 last; + } + rewrite ^/(.*)\.r(\.(?:jpe?g|png|gif))$ /$1$2 last; + access_log off; + set $nocache_details "Skip"; + try_files $uri @drupal; +} + +### +### Adaptive Image Styles support. +### https://drupal.org/project/ais +### +location ~* /(?:.+)/files/styles/adaptive/(?:.+)$ { + if ( $http_cookie ~* "ais=(?[a-z0-9-_]+)" ) { + rewrite ^/(.+)/files/styles/adaptive/(.+)$ /$1/files/styles/$ais_cookie/$2 last; + } + access_log off; + set $nocache_details "Skip"; + try_files $uri @drupal; +} + + +### +### The files/styles support. +### +location ~* /sites/.*/files/styles/(.*)$ { + access_log off; + log_not_found off; + expires 30d; + + set $nocache_details "Skip"; + + try_files /sites/$main_site_name/files/styles/$1 $uri @drupal; +} + +### +### The s3/files/styles (s3fs) support. +### +location ~* /s3/files/styles/(.*)$ { + access_log off; + log_not_found off; + expires 30d; + + set $nocache_details "Skip"; + + try_files /sites/$main_site_name/files/styles/$1 $uri @drupal; +} + +### +### The files/imagecache support. +### +location ~* /sites/.*/files/imagecache/(.*)$ { + access_log off; + log_not_found off; + expires 30d; + + # fix common problems with old paths after import from standalone to Aegir multisite + rewrite ^/sites/(.*)/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$main_site_name/files/imagecache/$2/$3 last; + rewrite ^/sites/(.*)/files/imagecache/(.*)/files/(.*)$ /sites/$main_site_name/files/imagecache/$2/$3 last; + set $nocache_details "Skip"; + + try_files /sites/$main_site_name/files/imagecache/$1 $uri @drupal; +} + +### +### Send requests with /external/ and /system/ URI keywords to @drupal. +### +location ~* /(?:external|system)/ { + access_log off; + log_not_found off; + expires 30d; + + set $nocache_details "Skip"; + + try_files $uri @drupal; +} + +### +### Deny direct access to backups. +### +location ~* ^/sites/.*/files/backup_migrate/ { + access_log off; + deny all; +} + +### +### Deny direct access to config files in Drupal 8. +### +location ~* ^/sites/.*/files/config_.* { + access_log off; + deny all; +} + + +### +### Include local configuration override if exists. +### +include /config/server_master/nginx/post.d/nginx_vhost_include*; + + + +### +### Private downloads are always sent to the drupal backend. +### Note: this location doesn't work with X-Accel-Redirect. +### +location ~* ^/sites/.*/files/private/ { + if ($is_bot) { + return 403; + } + access_log off; + rewrite ^/sites/.*/files/private/(.*)$ $scheme://$host/system/files/private/$1 permanent; + set $nocache_details "Skip"; + try_files $uri @drupal; +} + + +### +### Deny direct access to private downloads in sites/domain/private. +### Note: this location works with X-Accel-Redirect. +### +location ~* ^/sites/.*/private/ { + internal; + + if ($is_bot) { + return 403; + } + + access_log off; +} + + +### +### Deny direct access to private downloads also for short, rewritten URLs. +### Note: this location works with X-Accel-Redirect. +### +location ~* /files/private/ { + internal; + if ($is_bot) { + return 403; + } + access_log off; +} + +### +### Wysiwyg Fields support. +### +location ~* wysiwyg_fields/(?:plugins|scripts)/.*\.(?:js|css) { + access_log off; + log_not_found off; + try_files $uri @nobots; +} + +### +### Advagg_css and Advagg_js support. +### +location ~* files/advagg_(?:css|js)/ { + expires max; + access_log off; + + etag off; + + add_header ETag ""; + + rewrite ^/files/advagg_(.*)/(.*)$ /sites/$main_site_name/files/advagg_$1/$2 last; + add_header X-Header "AdvAgg Generator 2.0"; + add_header Cache-Control "max-age=31449600, no-transform, public"; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + set $nocache_details "Skip"; + try_files $uri @nobots; +} + +### +### Make css files compatible with boost caching. +### +location ~* \.css$ { + if ( $request_method = POST ) { + return 405; + } + if ( $cache_uid ) { + return 405; + } + error_page 405 = @uncached; + access_log off; + tcp_nodelay off; + expires max; #if using aggregator + try_files /cache/perm/$host${uri}_.css $uri =404; +} + +### +### Make js files compatible with boost caching. +### +location ~* \.(?:js|htc)$ { + if ( $request_method = POST ) { + return 405; + } + if ( $cache_uid ) { + return 405; + } + error_page 405 = @uncached; + access_log off; + tcp_nodelay off; + expires max; # if using aggregator + try_files /cache/perm/$host${uri}_.js $uri =404; +} + +### +### Support for static .json files with fast 404 +Boost compatibility. +### +location ~* ^/sites/.*/files/.*\.json$ { + if ( $cache_uid ) { + return 405; + } + error_page 405 = @uncached; + access_log off; + tcp_nodelay off; + expires max; ### if using aggregator + try_files /cache/normal/$host${uri}_.json $uri =404; +} + +### +### Support for dynamic .json requests. +### +location ~* \.json$ { + try_files $uri @cache; +} + +### +### Helper location to bypass boost static files cache for logged in users. +### +location @uncached { + access_log off; + expires max; # max if using aggregator, otherwise sane expire time +} + + +### +### Map /files/ shortcut early to avoid overrides in other locations. +### +location ^~ /files/ { + + ### + ### Sub-location to support files/styles with short URIs. + ### + location ~* /files/styles/(.*)$ { + access_log off; + log_not_found off; + expires 30d; + + set $nocache_details "Skip"; + + rewrite ^/files/(.*)$ /sites/$main_site_name/files/$1 last; + try_files /sites/$main_site_name/files/styles/$1 $uri @drupal; + } + + ### + ### Sub-location to support files/imagecache with short URIs. + ### + location ~* /files/imagecache/(.*)$ { + access_log off; + log_not_found off; + expires 30d; + + # fix common problems with old paths after import from standalone to Aegir multisite + rewrite ^/files/imagecache/(.*)/sites/default/files/(.*)$ /sites/$main_site_name/files/imagecache/$1/$2 last; + rewrite ^/files/imagecache/(.*)/files/(.*)$ /sites/$main_site_name/files/imagecache/$1/$2 last; + set $nocache_details "Skip"; + + rewrite ^/files/(.*)$ /sites/$main_site_name/files/$1 last; + try_files /sites/$main_site_name/files/imagecache/$1 $uri @drupal; + } + + location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa|css|js)$ { + expires 30d; + tcp_nodelay off; + access_log off; + log_not_found off; + rewrite ^/files/(.*)$ /sites/$main_site_name/files/$1 last; + try_files $uri =404; + } + + try_files $uri @cache; + + try_files $uri @drupal; + +} + +### +### Map /downloads/ shortcut early to avoid overrides in other locations. +### +location ^~ /downloads/ { + location ~* ^.+\.(?:pdf|jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ { + expires 30d; + tcp_nodelay off; + access_log off; + log_not_found off; + rewrite ^/downloads/(.*)$ /sites/$main_site_name/files/downloads/$1 last; + try_files $uri =404; + } + + try_files $uri @cache; + + try_files $uri @drupal; + +} + +### +### Serve & no-log static files & images directly, +### without all standard drupal rewrites, php-fpm etc. +### +location ~* ^.+\.(?:jpe?g|gif|png|ico|bmp|svg|swf|docx?|xlsx?|pptx?|tiff?|txt|rtf|cgi|bat|pl|dll|class|otf|ttf|woff|eot|less|mp3|wav|midi)$ { + expires 30d; + tcp_nodelay off; + access_log off; + log_not_found off; + rewrite ^/images/(.*)$ /sites/$main_site_name/files/images/$1 last; + rewrite ^/.+/sites/.+/files/(.*)$ /sites/$main_site_name/files/$1 last; + try_files $uri =404; +} + +### +### Serve bigger media/static/archive files directly, +### without all standard drupal rewrites, php-fpm etc. +### +location ~* ^.+\.(?:avi|mpe?g|mov|wmv|ogg|ogv|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ { + expires 30d; + tcp_nodelay off; + tcp_nopush off; + access_log off; + log_not_found off; + rewrite ^/.+/sites/.+/files/(.*)$ /sites/$main_site_name/files/$1 last; + try_files $uri =404; +} + +### +### Serve & no-log some static files directly, +### but only from the files directory to not break +### dynamically created pdf files or redirects for +### legacy URLs with asp/aspx extension. +### +location ~* ^/sites/.+/files/.+\.(?:pdf|aspx?)$ { + expires 30d; + tcp_nodelay off; + access_log off; + log_not_found off; + try_files $uri =404; +} + + +### +### Pseudo-streaming server-side support for Flash Video (FLV) files. +### +location ~* ^.+\.flv$ { + flv; + tcp_nodelay off; + tcp_nopush off; + expires 30d; + access_log off; + log_not_found off; + try_files $uri =404; +} + +### +### Pseudo-streaming server-side support for H.264/AAC files. +### +location ~* ^.+\.(?:mp4|m4a)$ { + mp4; + mp4_buffer_size 1m; + mp4_max_buffer_size 5m; + tcp_nodelay off; + tcp_nopush off; + expires 30d; + access_log off; + log_not_found off; + try_files $uri =404; +} + + +### +### Serve & no-log some static files as is, without forcing default_type. +### +location ~* /(?:cross-?domain)\.xml$ { + access_log off; + tcp_nodelay off; + expires 30d; + try_files $uri =404; +} + + +### +### Allow some known php files (like serve.php in the ad module). +### +location ~* /(?:modules|libraries)/(?:contrib/)?(?:ad|tinybrowser|f?ckeditor|tinymce|wysiwyg_spellcheck|ecc|civicrm|fbconnect|radioactivity)/.*\.php$ { + + limit_conn limreq 88; + + tcp_nopush off; + keepalive_requests 0; + access_log off; + if ($is_bot) { + return 403; + } + try_files $uri =404; + + fastcgi_pass unix:/var/run/$user_socket.fpm.socket; + + fastcgi_pass 127.0.0.1:9000; + + fastcgi_pass unix:; + +} + +### +### Deny crawlers and never cache known AJAX requests. +### +location ~* /(?:ahah|ajax|batch|autocomplete|done|progress/|x-progress-id|js/.*) { + if ($is_bot) { + return 403; + } + access_log off; + log_not_found off; + + set $nocache_details "Skip"; + try_files $uri @nobots; + + try_files $uri @drupal; + +} + +### +### Serve & no-log static helper files used in some wysiwyg editors. +### +location ~* ^/sites/.*/(?:modules|libraries)/(?:contrib/)?(?:tinybrowser|f?ckeditor|tinymce|flowplayer|jwplayer|videomanager)/.*\.(?:html?|xml)$ { + if ($is_bot) { + return 403; + } + access_log off; + tcp_nodelay off; + expires 30d; + try_files $uri =404; +} + +### +### Serve & no-log any not specified above static files directly. +### +location ~* ^/sites/.*/files/ { + access_log off; + tcp_nodelay off; + expires 30d; + try_files $uri =404; +} + +### +### Make feeds compatible with boost caching and set correct mime type. +### +location ~* \.xml$ { + location ~* ^/autodiscover/autodiscover\.xml { + access_log off; + return 400; + } + if ( $request_method = POST ) { + return 405; + } + if ( $cache_uid ) { + return 405; + } + error_page 405 = @drupal; + access_log off; + add_header X-Header "Boost Citrus 1.0"; + add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT"; + add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + charset utf-8; + types { } + default_type text/xml; + try_files /cache/normal/$host${uri}_.xml /cache/normal/$host${uri}_.html $uri @drupal; +} + +### +### Deny bots on never cached uri. +### +location ~* ^/(?:.*/)?(?:admin|user|cart|checkout|logout|comment/reply) { + if ($is_bot) { + return 403; + } + access_log off; + set $nocache_details "Skip"; + try_files $uri @drupal; +} + +### +### Protect from DoS attempts on never cached uri. +### +location ~* ^/(?:.*/)?(?:node/[0-9]+/edit|node/add) { + if ($is_bot) { + return 403; + } + access_log off; + set $nocache_details "Skip"; + try_files $uri @drupal; +} + +### +### Protect from DoS attempts on never cached uri. +### +location ~* ^/(?:.*/)?(?:node/[0-9]+/delete|approve) { + if ($cache_uid = '') { + return 403; + } + if ($is_bot) { + return 403; + } + access_log off; + set $nocache_details "Skip"; + try_files $uri @drupal; +} + + +### +### Support for ESI microcaching: http://groups.drupal.org/node/197478. +### +### This may enhance not only anonymous visitors, but also +### logged in users experience, as it allows you to separate +### microcache for ESI/SSI includes (valid for just 5 seconds) +### from both default Speed Booster cache for anonymous visitors +### (valid by default for 10s or 1h, unless purged on demand via +### recently introduced Purge/Expire modules) and also from +### Speed Booster cache per logged in user (valid for 10 seconds). +### +### Now you have three different levels of Speed Booster cache +### to leverage and deliver the 'live content' experience for +### all visitors, and still protect your server from DoS or +### simply high load caused by unexpected high traffic etc. +### +location ~ ^/(?esi/.*)"$ { + ssi on; + ssi_silent_errors on; + internal; + limit_conn limreq 888; + add_header X-Device "$device"; + add_header X-Speed-Micro-Cache "$upstream_cache_status"; + add_header X-Speed-Micro-Cache-Expire "5s"; + add_header X-NoCache "$nocache_details"; + add_header X-GeoIP-Country-Code "$geoip_country_code"; + add_header X-GeoIP-Country-Name "$geoip_country_name"; + add_header X-This-Proto "$http_x_forwarded_proto"; + add_header X-Server-Name "$main_site_name"; + add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + ### + ### Set correct, local $uri. + ### + fastcgi_param QUERY_STRING q=$esi; + fastcgi_param SCRIPT_FILENAME $document_root/index.php; + + fastcgi_pass unix:/var/run/$user_socket.fpm.socket; + + fastcgi_pass 127.0.0.1:9000; + + fastcgi_pass unix:; + + ### + ### Use Nginx cache for all visitors. + ### + set $nocache ""; + if ( $http_cookie ~* "NoCacheID" ) { + set $nocache "NoCache"; + } + fastcgi_cache speed; + fastcgi_cache_methods GET HEAD; + fastcgi_cache_min_uses 1; + fastcgi_cache_key "$scheme$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg"; + fastcgi_cache_valid 200 5s; + fastcgi_cache_valid 301 1m; + fastcgi_cache_valid 302 403 404 1s; + fastcgi_cache_lock on; + fastcgi_ignore_headers Cache-Control Expires; + fastcgi_pass_header Set-Cookie; + fastcgi_pass_header X-Accel-Expires; + fastcgi_pass_header X-Accel-Redirect; + fastcgi_no_cache $cookie_NoCacheID $http_authorization $http_pragma $nocache; + fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $http_pragma $nocache; + fastcgi_cache_use_stale error http_500 http_503 invalid_header timeout updating; + tcp_nopush off; + keepalive_requests 0; + expires epoch; +} + +### +### Workaround for https://www.drupal.org/node/2599326. +### +if ( $args ~* "/autocomplete/" ) { + return 405; +} +error_page 405 = @drupal; + +### +### Rewrite legacy requests with /index.php to extension-free URL. +### +if ( $args ~* "^q=(?.*)" ) { + rewrite ^/index.php$ $scheme://$host/?q=$query_value? permanent; +} + + + +### +### Catch all unspecified requests. +### +location / { + + + if ( $http_user_agent ~* wget ) { + return 403; + } + + try_files $uri @cache; + + try_files $uri @drupal; + +} + + +### +### Boost compatible cache check. +### +location @cache { + if ( $request_method = POST ) { + set $nocache_details "Method"; + return 405; + } + if ( $args ~* "nocache=1" ) { + set $nocache_details "Args"; + return 405; + } + if ( $sent_http_x_force_nocache = "YES" ) { + set $nocache_details "Skip"; + return 405; + } + if ( $http_cookie ~* "NoCacheID" ) { + set $nocache_details "AegirCookie"; + return 405; + } + if ( $cache_uid ) { + set $nocache_details "DrupalCookie"; + return 405; + } + error_page 405 = @drupal; + add_header X-Header "Boost Citrus 1.0"; + add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT"; + add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + charset utf-8; + try_files /cache/normal/$host${uri}_$args.html @drupal; +} + + +### +### Send all not cached requests to drupal with clean URLs support. +### +location @drupal { + + error_page 418 = @nobots; + if ($args) { + return 418; + } + + ### + ### For Drupal >= 7 + ### + if ($sent_http_x_generator) { + add_header X-Info-Gen "Modern"; + rewrite ^ /index.php?$query_string last; + } + ### + ### For Drupal <= 6 + ### + rewrite ^/(.*)$ /index.php?q=$1 last; +} + + +### +### Special location for bots custom restrictions; can be overridden. +### +location @nobots { + ### + ### Support for Accelerated Mobile Pages (AMP) when bots are redirected below + ### + # if ( $query_string ~ "^amp$" ) { + # rewrite ^/(.*)$ /index.php?q=$1 last; + # } + + ### + ### Send all known bots to $args free URLs (optional) + ### + # if ($is_bot) { + # return 301 $scheme://$host$request_uri; + # } + + ### + ### Return 404 on special PHP URLs to avoid revealing version used, + ### even indirectly. See also: https://drupal.org/node/2116387 + ### + if ( $args ~* "=PHP[A-Z0-9]{8}-" ) { + return 404; + } + + ### + ### For Drupal >= 7 + ### + if ($sent_http_x_generator) { + add_header X-Info-Gen "Modern"; + rewrite ^ /index.php?$query_string last; + } + ### + ### For Drupal <= 6 + ### + rewrite ^/(.*)$ /index.php?q=$1 last; +} + +### +### Send all non-static requests to php-fpm, restricted to known php file. +### +location = /index.php { + + limit_conn limreq 88; + add_header X-Device "$device"; + add_header X-GeoIP-Country-Code "$geoip_country_code"; + add_header X-GeoIP-Country-Name "$geoip_country_name"; + + + add_header X-Speed-Cache "$upstream_cache_status"; + add_header X-Speed-Cache-UID "$cache_uid"; + add_header X-Speed-Cache-Key "$key_uri"; + add_header X-NoCache "$nocache_details"; + add_header X-This-Proto "$http_x_forwarded_proto"; + add_header X-Server-Name "$main_site_name"; + add_header Access-Control-Allow-Origin *; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + + add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"; + tcp_nopush off; + keepalive_requests 0; + try_files $uri =404; ### check for existence of php file first + + fastcgi_pass unix:/var/run/$user_socket.fpm.socket; + + fastcgi_pass 127.0.0.1:9000; + + fastcgi_pass unix:; + + + track_uploads uploads 60s; ### required for upload progress + + ### + ### Use Nginx cache for all visitors. + ### + set $nocache ""; + if ( $nocache_details ~ (?:AegirCookie|Args|Skip) ) { + set $nocache "NoCache"; + } + fastcgi_cache speed; + fastcgi_cache_methods GET HEAD; ### Nginx default, but added for clarity + fastcgi_cache_min_uses 1; + fastcgi_cache_key "$scheme$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg"; + fastcgi_cache_valid 200 10s; + fastcgi_cache_valid 301 1m; + fastcgi_cache_valid 302 403 404 1s; + fastcgi_cache_lock on; + fastcgi_ignore_headers Cache-Control Expires; + fastcgi_pass_header Set-Cookie; + fastcgi_pass_header X-Accel-Expires; + fastcgi_pass_header X-Accel-Redirect; + fastcgi_no_cache $cookie_NoCacheID $http_authorization $http_pragma $nocache; + fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $http_pragma $nocache; + fastcgi_cache_use_stale error http_500 http_503 invalid_header timeout updating; +} + + +### +### Send other known php requests/files to php-fpm without any caching. +### + +location ~* ^/(?:core/)?(?:boost_stats|rtoc|js)\.php$ { + +location ~* ^/(?:index|cron|boost_stats|update|authorize|xmlrpc)\.php$ { + + + limit_conn limreq 88; + if ($is_bot) { + return 404; + } + + tcp_nopush off; + keepalive_requests 0; + access_log off; + try_files $uri =404; ### check for existence of php file first + + fastcgi_pass unix:/var/run/$user_socket.fpm.socket; + + fastcgi_pass 127.0.0.1:9000; + + fastcgi_pass unix:; + +} + + +### +### Allow access to /authorize.php and /update.php only for logged in admin user. +### +location ~* ^/(?:core/)?(?:authorize|update)\.php$ { + error_page 418 = @allowupdate; + if ( $cache_uid ) { + return 418; + } + return 404; +} + +### +### Internal location for /authorize.php and /update.php restricted access. +### +location @allowupdate { + limit_conn limreq 88; + tcp_nopush off; + keepalive_requests 0; + access_log off; + try_files $uri =404; ### check for existence of php file first + + fastcgi_pass unix:/var/run/$user_socket.fpm.socket; + + fastcgi_pass 127.0.0.1:9000; + + fastcgi_pass unix:; + +} + + +### +### Deny access to any not listed above php files with 404 error. +### +location ~* ^.+\.php$ { + return 404; +} + +####################################################### + +### nginx.conf site level extended vhost include end + +### nginx.conf site level basic vhost include end + +####################################################### From 3bfcc402219c8bd31313dac90559d10a799a364e Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 5 Feb 2018 13:07:22 -0500 Subject: [PATCH 11/25] Updating gitignore --- .gitignore | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.gitignore b/.gitignore index 36071b82e..4666bd6ae 100644 --- a/.gitignore +++ b/.gitignore @@ -6,5 +6,17 @@ GRTAGS GSYMS GTAGS +# Development +.idea + # Composer vendor + +# Bin +bin/drush +bin/drush.complete.sh +bin/drush.launcher +bin/drush.php +bin/php-parse +bin/psysh +bin/robo From 2485e89735a4502556a29d277e9096e0b3dad36e Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Fri, 30 Mar 2018 16:15:27 -0400 Subject: [PATCH 12/25] Moving classes. --- .../Service/Http/Nginx/Configuration/ServerConfiguration.php | 4 ++-- .../Http/Nginx/Configuration/SiteCommonConfiguration.php | 2 -- .../Service/Http/Nginx/Configuration/SiteConfiguration.php | 4 ++-- .../Service/Http/Nginx/Configuration/templates/server.tpl.php | 0 .../Service/Http/Nginx/Configuration/templates/vhost.tpl.php | 0 .../Http/Nginx/Configuration/templates/vhost_disabled.tpl.php | 0 .../Http/Nginx/Configuration/templates/vhost_include.tpl.php | 0 7 files changed, 4 insertions(+), 6 deletions(-) rename src/{ => Provision}/Service/Http/Nginx/Configuration/ServerConfiguration.php (95%) rename src/{ => Provision}/Service/Http/Nginx/Configuration/SiteCommonConfiguration.php (98%) rename src/{ => Provision}/Service/Http/Nginx/Configuration/SiteConfiguration.php (96%) rename src/{ => Provision}/Service/Http/Nginx/Configuration/templates/server.tpl.php (100%) rename src/{ => Provision}/Service/Http/Nginx/Configuration/templates/vhost.tpl.php (100%) rename src/{ => Provision}/Service/Http/Nginx/Configuration/templates/vhost_disabled.tpl.php (100%) rename src/{ => Provision}/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php (100%) diff --git a/src/Service/Http/Nginx/Configuration/ServerConfiguration.php b/src/Provision/Service/Http/Nginx/Configuration/ServerConfiguration.php similarity index 95% rename from src/Service/Http/Nginx/Configuration/ServerConfiguration.php rename to src/Provision/Service/Http/Nginx/Configuration/ServerConfiguration.php index a1286ac77..eba18bb67 100644 --- a/src/Service/Http/Nginx/Configuration/ServerConfiguration.php +++ b/src/Provision/Service/Http/Nginx/Configuration/ServerConfiguration.php @@ -7,9 +7,9 @@ namespace Aegir\Provision\Service\Http\Nginx\Configuration; -use Aegir\Provision\Configuration; +use Aegir\Provision\ConfigFile; -class ServerConfiguration extends Configuration { +class ServerConfiguration extends ConfigFile { public $template = 'templates/server.tpl.php'; public $description = 'web server configuration file'; diff --git a/src/Service/Http/Nginx/Configuration/SiteCommonConfiguration.php b/src/Provision/Service/Http/Nginx/Configuration/SiteCommonConfiguration.php similarity index 98% rename from src/Service/Http/Nginx/Configuration/SiteCommonConfiguration.php rename to src/Provision/Service/Http/Nginx/Configuration/SiteCommonConfiguration.php index d733eb219..bd4ccee9e 100644 --- a/src/Service/Http/Nginx/Configuration/SiteCommonConfiguration.php +++ b/src/Provision/Service/Http/Nginx/Configuration/SiteCommonConfiguration.php @@ -7,8 +7,6 @@ namespace Aegir\Provision\Service\Http\Nginx\Configuration; -use Aegir\Provision\Configuration; - class SiteCommonConfiguration extends ServerConfiguration { public $template = 'templates/vhost_include.tpl.php'; diff --git a/src/Service/Http/Nginx/Configuration/SiteConfiguration.php b/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php similarity index 96% rename from src/Service/Http/Nginx/Configuration/SiteConfiguration.php rename to src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php index e9cccb8c3..23c70cd28 100644 --- a/src/Service/Http/Nginx/Configuration/SiteConfiguration.php +++ b/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php @@ -7,9 +7,9 @@ namespace Aegir\Provision\Service\Http\Nginx\Configuration; -use Aegir\Provision\Configuration; +use Aegir\Provision\ConfigFile; -class SiteConfiguration extends Configuration { +class SiteConfiguration extends ConfigFile { public $template = 'templates/vhost.tpl.php'; diff --git a/src/Service/Http/Nginx/Configuration/templates/server.tpl.php b/src/Provision/Service/Http/Nginx/Configuration/templates/server.tpl.php similarity index 100% rename from src/Service/Http/Nginx/Configuration/templates/server.tpl.php rename to src/Provision/Service/Http/Nginx/Configuration/templates/server.tpl.php diff --git a/src/Service/Http/Nginx/Configuration/templates/vhost.tpl.php b/src/Provision/Service/Http/Nginx/Configuration/templates/vhost.tpl.php similarity index 100% rename from src/Service/Http/Nginx/Configuration/templates/vhost.tpl.php rename to src/Provision/Service/Http/Nginx/Configuration/templates/vhost.tpl.php diff --git a/src/Service/Http/Nginx/Configuration/templates/vhost_disabled.tpl.php b/src/Provision/Service/Http/Nginx/Configuration/templates/vhost_disabled.tpl.php similarity index 100% rename from src/Service/Http/Nginx/Configuration/templates/vhost_disabled.tpl.php rename to src/Provision/Service/Http/Nginx/Configuration/templates/vhost_disabled.tpl.php diff --git a/src/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php b/src/Provision/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php similarity index 100% rename from src/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php rename to src/Provision/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php From 3a63e2c76edfc4eb2c97f61540b1376570202b60 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 2 Apr 2018 15:36:47 -0400 Subject: [PATCH 13/25] Populate dummy variables for aliases, redirection and ssl_redirection for now. --- .../Service/Http/Apache/Configuration/SiteConfigFile.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/Provision/Service/Http/Apache/Configuration/SiteConfigFile.php b/src/Provision/Service/Http/Apache/Configuration/SiteConfigFile.php index 8aed5c224..11dc960d9 100644 --- a/src/Provision/Service/Http/Apache/Configuration/SiteConfigFile.php +++ b/src/Provision/Service/Http/Apache/Configuration/SiteConfigFile.php @@ -48,6 +48,10 @@ function process() { $extra_apache_configs = $this->getContext()->servicesInvoke('extraApacheConfig', [$this]); $this->data['extra_config'] = implode("\n", $extra_apache_configs); + $this->data['aliases'] = []; + $this->data['redirection'] = FALSE; + $this->data['ssl_redirection'] = FALSE; + // if ($this->aliases && !is_array($this->aliases)) { // $this->aliases = explode(",", $this->aliases); // } From e4da2d8bc38e0af824cd840259782e900d83b83e Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 2 Apr 2018 15:37:12 -0400 Subject: [PATCH 14/25] Inherit SiteConfigFile from apache, it's 99% the same. --- .../Nginx/Configuration/SiteConfiguration.php | 54 ++----------------- 1 file changed, 4 insertions(+), 50 deletions(-) diff --git a/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php b/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php index 23c70cd28..e9e0498b4 100644 --- a/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php +++ b/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php @@ -7,58 +7,12 @@ namespace Aegir\Provision\Service\Http\Nginx\Configuration; -use Aegir\Provision\ConfigFile; +use Aegir\Provision\Service\Http\Apache\Configuration\SiteConfigFile as BaseSiteConfigFile; -class SiteConfiguration extends ConfigFile { +class SiteConfiguration extends BaseSiteConfigFile { - public $template = 'templates/vhost.tpl.php'; - - // The template file to use when the site has been disabled. - public $disabled_template = 'templates/vhost_disabled.tpl.php'; - - public $description = 'virtual host configuration file'; - - - function filename() { - $file = $this->context->getProperty('uri') . '.conf'; - return $this->context->getProvision() - ->getConfig() - ->get('config_path') . '/' . $this->service->provider->name . '/' . $this->service->getType() . '/vhost.d/' . $file; - } - - function process() { - parent::process(); - $this->data['http_port'] = $this->context->platform->getSubscription('http')->service->getProperty('http_port'); - $this->data['document_root'] = $this->context->platform->getProperty('document_root'); - $this->data['uri'] = $this->context->getProperty('uri'); - - $this->data['site_path'] = $this->data['document_root'] . '/sites/' . $this->data['uri']; + const SERVICE_TYPE = 'nginx'; - $this->data['db_type'] = $this->context->getSubscription('db')->service->getType(); - - $this->data['db_name'] = $this->context->getSubscription('db') - ->getProperty('db_name'); - $this->data['db_user'] = $this->context->getSubscription('db') - ->getProperty('db_user'); - $this->data['db_passwd'] = $this->context->getSubscription('db') - ->getProperty('db_password'); - $this->data['db_host'] = $this->context->getSubscription('db')->service->provider->getProperty('remote_host'); - - $this->data['db_port'] = $this->context->getSubscription('db')->service->getCreds()['port']; - - $this->data['extra_config'] = ''; - - $this->data['redirection'] = $this->context->getProperty('redirection'); - $this->data['ssl_redirection'] = $this->context->getProperty('ssl_redirection'); - $this->data['aliases'] = $this->context->getProperty('aliases'); - - $this->data['script_user'] = $this->context->platform->getService('http')->provider->getProperty('script_user'); - $this->data['aegir_root'] = $this->service->provider->getProperty('aegir_root'); - $this->data['root'] = $this->context->platform->getProperty('root'); - $this->data['server_include_path'] = $this->context->platform->getProperty('root'); + public $template = 'templates/vhost.tpl.php'; - if (empty($this->data['db_port'])) { - $db_port = $this->context->getService('db')->getProperty('db_port ')? $this->context->getService('db')->getProperty('db_port ') : '3306'; - } - } } \ No newline at end of file From e37832af9dbce6eb456b02b6dba32dd774973b31 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 2 Apr 2018 15:37:37 -0400 Subject: [PATCH 15/25] Fix vhost to use document_root_full variable. --- .../Service/Http/Nginx/Configuration/templates/vhost.tpl.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Provision/Service/Http/Nginx/Configuration/templates/vhost.tpl.php b/src/Provision/Service/Http/Nginx/Configuration/templates/vhost.tpl.php index eed195e30..cfa30107a 100644 --- a/src/Provision/Service/Http/Nginx/Configuration/templates/vhost.tpl.php +++ b/src/Provision/Service/Http/Nginx/Configuration/templates/vhost.tpl.php @@ -89,7 +89,7 @@ } } } ?>; - root ; + root ; Date: Mon, 2 Apr 2018 14:16:14 -0400 Subject: [PATCH 16/25] Adding php_fpm_sock_location as a server property to NGINX service. --- .../Service/Http/HttpNginxService.php | 27 +++++++++++++++++++ .../Nginx/Configuration/SiteConfiguration.php | 11 +++++--- 2 files changed, 35 insertions(+), 3 deletions(-) diff --git a/src/Provision/Service/Http/HttpNginxService.php b/src/Provision/Service/Http/HttpNginxService.php index ea53c6ad3..c66cc531a 100644 --- a/src/Provision/Service/Http/HttpNginxService.php +++ b/src/Provision/Service/Http/HttpNginxService.php @@ -252,4 +252,31 @@ public static function getPhpFpmSocketPath() { } } + /** + * Find the path to PHP FPM socket from common options. + * + * @return mixed + */ + public static function getPhpFpmLocation() { + $options[] = '/run/php-fpm/www.sock'; + $options[] = '/run/php/php7.2-fpm.sock'; + $options[] = '/run/php/php7.1-fpm.sock'; + $options[] = '/run/php/php7.0-fpm.sock'; + $options[] = '/var/run/php7-fpm.sock'; + $options[] = '/var/run/php5-fpm.sock'; + $options[] = '/var/run/php/php7.2-fpm.sock'; + $options[] = '/var/run/php/php7.1-fpm.sock'; + $options[] = '/var/run/php/php7.0-fpm.sock'; + $options[] = '/opt/remi/php72/root/tmp/php-fpm.sock'; + $options[] = '/opt/remi/php71/root/tmp/php-fpm.sock'; + $options[] = '/opt/remi/php70/root/tmp/php-fpm.sock'; + + foreach ($options as $test) { + if (Provision::fs()->exists($test)) { + return $test; + } + } + + return '127.0.0.1:5000'; + } } diff --git a/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php b/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php index e9e0498b4..c3dfcf6b9 100644 --- a/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php +++ b/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php @@ -1,8 +1,10 @@ data['php_sock_location'] = $this->context->getSubscription('http')->getProperty('php_sock_location');; + } } \ No newline at end of file From b32ceaf321949458d1d74b31c15e7196b481802e Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 2 Apr 2018 14:17:10 -0400 Subject: [PATCH 17/25] Load command line options from all available service type classes, Service::server_options() --- src/Provision/Command/ServicesCommand.php | 26 +++++++++++++---------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/src/Provision/Command/ServicesCommand.php b/src/Provision/Command/ServicesCommand.php index c7774441f..b199ca467 100644 --- a/src/Provision/Command/ServicesCommand.php +++ b/src/Provision/Command/ServicesCommand.php @@ -99,21 +99,25 @@ public static function getCommandOptions() { // Load all service options $options = Context::getServiceOptions(); - + // For each service type... foreach ($options as $service => $service_name) { - $class = Service::getClassName($service); - - // Load option_documentation() into input options. - foreach (Context::getContextTypeOptions() as $type => $type_name) { - $method = "{$type}_options"; - foreach ($class::$method() as $option => $description) { - $description = "$type_name $service service: $description"; - $inputDefinition[] = new InputOption($option, NULL, InputOption::VALUE_OPTIONAL, $description); + // Load every available service type. + foreach (Context::getServiceTypeOptions($service) as $service_type => $service_name) { + $class = Service::getClassName($service, $service_type); + + Provision::getProvision()->getLogger()->debug("Loading options from $class $service_type"); + + // Load option_documentation() into input options. + foreach (Context::getContextTypeOptions() as $type => $type_name) { + $method = "{$type}_options"; + foreach ($class::$method() as $option => $description) { + $description = "$type_name $service $service_name service: $description"; + $inputDefinition[] = new InputOption($option, NULL, InputOption::VALUE_OPTIONAL, $description); + } } } - } return $inputDefinition; @@ -288,7 +292,7 @@ private function askForServiceProperties($service, $service_type = NULL) { } // If option does not exist, ask for it. - if (!empty($this->input->getOption($name))) { + if ($this->input->hasOption($name) && !empty($this->input->getOption($name))) { $properties[$name] = $this->input->getOption($name); $this->io->comment("Using option {$name}={$properties[$name]}"); } From 8f4bc5cd691e8e15e7db1d99654b4532931ce63f Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 2 Apr 2018 14:56:07 -0400 Subject: [PATCH 18/25] Throw an exception message when cannot write file, add method for hasProperty() to services. --- src/Provision/Service.php | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/src/Provision/Service.php b/src/Provision/Service.php index 712fd53c9..e76176a1b 100644 --- a/src/Provision/Service.php +++ b/src/Provision/Service.php @@ -203,13 +203,13 @@ protected function writeConfigurations(Context $context = NULL) ); } catch (\Exception $e) { - $context->getProvision()->getLogger()->info( + throw new \Exception(strtr( 'Unable to write {description} to {path}: {message}', [ - 'description' => $config->description, - 'path' => $config->filename(), - 'message' => $e->getMessage(), + '{description}' => $config->description, + '{path}' => $config->filename(), + '{message}' => $e->getMessage(), ] - ); + )); $success = FALSE; } } @@ -253,6 +253,21 @@ public function getProperties() { return $this->properties; } + /** + * Whether or not this Services has a property. + * + * @param $type + * @return bool + */ + public function hasProperty($name) { + if (isset($this->properties[$name])) { + return TRUE; + } + else { + return FALSE; + } + } + /** * Get a specific property. * From 0901594feb1448f07d4320665828cef45ec4cdb2 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 2 Apr 2018 14:56:48 -0400 Subject: [PATCH 19/25] Check for property, in case it was removed we don't want to throw an exception. --- src/Provision/Command/ServicesCommand.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Provision/Command/ServicesCommand.php b/src/Provision/Command/ServicesCommand.php index b199ca467..ae702883f 100644 --- a/src/Provision/Command/ServicesCommand.php +++ b/src/Provision/Command/ServicesCommand.php @@ -287,7 +287,7 @@ private function askForServiceProperties($service, $service_type = NULL) { $property = Provision::newProperty($property); } - if ($this->context->hasService($service) && $this->context->getService($service)->getProperty($name)) { + if ($this->context->hasService($service) && $this->context->getService($service)->hasProperty($name) && $this->context->getService($service)->getProperty($name)) { $property->default = $this->context->getService($service)->getProperty($name); } From 04a982376220073561d8df064b4eb98862247b4e Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 2 Apr 2018 14:57:37 -0400 Subject: [PATCH 20/25] Return php fpm location with "unix:" in front if a sock file is found. --- src/Provision/Service/Http/HttpNginxService.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Provision/Service/Http/HttpNginxService.php b/src/Provision/Service/Http/HttpNginxService.php index c66cc531a..c7e68208a 100644 --- a/src/Provision/Service/Http/HttpNginxService.php +++ b/src/Provision/Service/Http/HttpNginxService.php @@ -273,7 +273,7 @@ public static function getPhpFpmLocation() { foreach ($options as $test) { if (Provision::fs()->exists($test)) { - return $test; + return 'unix:' . $test; } } From 46768a7db48a26e71a0f70f314c48028b16c99b7 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 2 Apr 2018 14:57:56 -0400 Subject: [PATCH 21/25] Fixing mis-named php_fpm_sock_location option. --- .../Service/Http/Nginx/Configuration/SiteConfiguration.php | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php b/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php index c3dfcf6b9..242d7a5e4 100644 --- a/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php +++ b/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php @@ -13,11 +13,8 @@ class SiteConfiguration extends BaseSiteConfigFile { - const SERVICE_TYPE = 'nginx'; - function process() { parent::process(); - $this->data['php_sock_location'] = $this->context->getSubscription('http')->getProperty('php_sock_location');; + $this->data['php_fpm_sock_location'] = $this->service->getProperty('php_fpm_sock_location'); } - } \ No newline at end of file From a5a8f36be312fea4f7e29bd7a3ffba4e3106c535 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 2 Apr 2018 16:05:51 -0400 Subject: [PATCH 22/25] Update vhost_include with "fastcgi_pass" variable: PHP FPM Socket Location. --- .../Nginx/Configuration/templates/vhost_include.tpl.php | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/src/Provision/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php b/src/Provision/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php index ffb9532b4..98aa2e4b7 100644 --- a/src/Provision/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php +++ b/src/Provision/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php @@ -920,12 +920,9 @@ return 403; } try_files $uri =404; - - fastcgi_pass unix:/var/run/$user_socket.fpm.socket; - - fastcgi_pass 127.0.0.1:9000; - - fastcgi_pass unix:; + + + fastcgi_pass } From bfa22ff516acc1b76c15489fe93811d90010b403 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Mon, 2 Apr 2018 14:16:14 -0400 Subject: [PATCH 23/25] Set an nginx upstream for our configured php-fpm server. Replace dynamic fastcgi_pass with named upstream. --- src/Provision/Service/Http/HttpNginxService.php | 7 ++++++- .../Service/Http/Nginx/Configuration/SiteConfiguration.php | 4 +++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/src/Provision/Service/Http/HttpNginxService.php b/src/Provision/Service/Http/HttpNginxService.php index c7e68208a..c5c39bf50 100644 --- a/src/Provision/Service/Http/HttpNginxService.php +++ b/src/Provision/Service/Http/HttpNginxService.php @@ -145,6 +145,11 @@ static function server_options() { }) ->required() ; + $options['php_fpm_sock_location'] = Provision::newProperty() + ->description('Path to PHP FPM socket, or address and port that PHP-FPM is listening on (127.0.0.1:5000). NOTE: If installed using yum or apt, you may already have a configured "upstream" named "php-fpm", if so use "php-fpm" here.') + ->defaultValue(self::getPhpFpmLocation()) + ->hidden() + ; return $options; } @@ -180,7 +185,7 @@ public static function default_restart_cmd() { /** * Find the nginx executable and return the path to it. * - * @return mixed|string + * @return array */ public static function getNginxExecutable() { $command = '/etc/init.d/nginx'; // A proper default for most of the world diff --git a/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php b/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php index 242d7a5e4..2babd6f65 100644 --- a/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php +++ b/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php @@ -13,8 +13,10 @@ class SiteConfiguration extends BaseSiteConfigFile { + const SERVICE_TYPE = 'nginx'; + function process() { parent::process(); - $this->data['php_fpm_sock_location'] = $this->service->getProperty('php_fpm_sock_location'); + $this->data['php_sock_location'] = $this->context->getSubscription('http')->getProperty('php_sock_location');; } } \ No newline at end of file From 4b64c20761c8a13ffb4c593eed31653549faab79 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Tue, 3 Apr 2018 09:36:05 -0400 Subject: [PATCH 24/25] Move our upstream for phpfpm to server template. Replace all dynamic fastcgi_pass settings with static named upstream. --- .../Configuration/ServerConfiguration.php | 7 ++- .../Nginx/Configuration/SiteConfiguration.php | 4 +- .../Configuration/templates/server.tpl.php | 7 +++ .../templates/vhost_include.tpl.php | 61 +++---------------- 4 files changed, 23 insertions(+), 56 deletions(-) diff --git a/src/Provision/Service/Http/Nginx/Configuration/ServerConfiguration.php b/src/Provision/Service/Http/Nginx/Configuration/ServerConfiguration.php index eba18bb67..95b2b5465 100644 --- a/src/Provision/Service/Http/Nginx/Configuration/ServerConfiguration.php +++ b/src/Provision/Service/Http/Nginx/Configuration/ServerConfiguration.php @@ -24,7 +24,7 @@ function filename() { } } - function process() { + function process() { parent::process(); // Run verify to load in nginx properties. @@ -46,5 +46,8 @@ function process() { $this->data['script_user'] = $this->service->provider->getProperty('script_user'); $this->data['aegir_root'] = $this->service->provider->getProperty('aegir_root'); - } + + $this->data['php_fpm_sock_location'] = $this->service->getProperty('php_fpm_sock_location'); + + } } \ No newline at end of file diff --git a/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php b/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php index 2babd6f65..fb54f9c11 100644 --- a/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php +++ b/src/Provision/Service/Http/Nginx/Configuration/SiteConfiguration.php @@ -13,10 +13,10 @@ class SiteConfiguration extends BaseSiteConfigFile { - const SERVICE_TYPE = 'nginx'; + public $template = 'templates/vhost.tpl.php'; function process() { parent::process(); - $this->data['php_sock_location'] = $this->context->getSubscription('http')->getProperty('php_sock_location');; + $this->data['php_fpm_sock_location'] = $this->service->getProperty('php_fpm_sock_location'); } } \ No newline at end of file diff --git a/src/Provision/Service/Http/Nginx/Configuration/templates/server.tpl.php b/src/Provision/Service/Http/Nginx/Configuration/templates/server.tpl.php index c82fa1be2..a704da603 100644 --- a/src/Provision/Service/Http/Nginx/Configuration/templates/server.tpl.php +++ b/src/Provision/Service/Http/Nginx/Configuration/templates/server.tpl.php @@ -197,6 +197,13 @@ } } + # PHP-FPM FastCGI server + # network or unix domain socket configuration + + upstream provision-php-fpm { + server ; + } + ####################################################### ### nginx virtual domains ####################################################### diff --git a/src/Provision/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php b/src/Provision/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php index 98aa2e4b7..7671835e1 100644 --- a/src/Provision/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php +++ b/src/Provision/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php @@ -236,13 +236,7 @@ access_log off; allow 127.0.0.1; deny all; - - fastcgi_pass unix:/var/run/$user_socket.fpm.socket; - - fastcgi_pass 127.0.0.1:9000; - - fastcgi_pass unix:; - + fastcgi_pass provision-php-fpm; } ### @@ -252,13 +246,7 @@ access_log off; allow 127.0.0.1; deny all; - - fastcgi_pass unix:/var/run/$user_socket.fpm.socket; - - fastcgi_pass 127.0.0.1:9000; - - fastcgi_pass unix:; - + fastcgi_pass provision-php-fpm; } @@ -275,13 +263,7 @@ deny all; try_files $uri =404; - - fastcgi_pass unix:/var/run/$user_socket.fpm.socket; - - fastcgi_pass 127.0.0.1:9000; - - fastcgi_pass unix:; - + fastcgi_pass provision-php-fpm; } ### @@ -921,9 +903,7 @@ } try_files $uri =404; - - fastcgi_pass - + fastcgi_pass provision-php-fpm; } ### @@ -1072,13 +1052,8 @@ ### fastcgi_param QUERY_STRING q=$esi; fastcgi_param SCRIPT_FILENAME $document_root/index.php; - - fastcgi_pass unix:/var/run/$user_socket.fpm.socket; - - fastcgi_pass 127.0.0.1:9000; - - fastcgi_pass unix:; - + fastcgi_pass provision-php-fpm; + ### ### Use Nginx cache for all visitors. ### @@ -1264,13 +1239,7 @@ tcp_nopush off; keepalive_requests 0; try_files $uri =404; ### check for existence of php file first - - fastcgi_pass unix:/var/run/$user_socket.fpm.socket; - - fastcgi_pass 127.0.0.1:9000; - - fastcgi_pass unix:; - + fastcgi_pass provision-php-fpm track_uploads uploads 60s; ### required for upload progress @@ -1317,13 +1286,7 @@ keepalive_requests 0; access_log off; try_files $uri =404; ### check for existence of php file first - - fastcgi_pass unix:/var/run/$user_socket.fpm.socket; - - fastcgi_pass 127.0.0.1:9000; - - fastcgi_pass unix:; - + fastcgi_pass provision-php-fpm; } @@ -1347,13 +1310,7 @@ keepalive_requests 0; access_log off; try_files $uri =404; ### check for existence of php file first - - fastcgi_pass unix:/var/run/$user_socket.fpm.socket; - - fastcgi_pass 127.0.0.1:9000; - - fastcgi_pass unix:; - + fastcgi_pass provision-php-fpm; } From 9cffb8c549595670bebea2bd99064f3f0e7bf7b5 Mon Sep 17 00:00:00 2001 From: Jon Pugh Date: Tue, 3 Apr 2018 09:39:35 -0400 Subject: [PATCH 25/25] forgot a trailing ;in nginx config. --- .../Http/Nginx/Configuration/templates/vhost_include.tpl.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Provision/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php b/src/Provision/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php index 7671835e1..7bcb0e0e6 100644 --- a/src/Provision/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php +++ b/src/Provision/Service/Http/Nginx/Configuration/templates/vhost_include.tpl.php @@ -1239,7 +1239,7 @@ tcp_nopush off; keepalive_requests 0; try_files $uri =404; ### check for existence of php file first - fastcgi_pass provision-php-fpm + fastcgi_pass provision-php-fpm; track_uploads uploads 60s; ### required for upload progress