changes from uselagoon/lagoon#2110

images/nginx-drupal/drupal.conf

@@ -1,4 +1,4 @@
-### Nginx configuration for Drupal 7 and 8.
+## Nginx configuration for Drupal 7 and above
 server {
   include /etc/nginx/conf.d/drupal/server_prepend*.conf;
 
@@ -9,39 +9,44 @@ server {
   root /app/${WEBROOT:-};
   index  index.php;
 
-  ## rewriting /index.php to / because after https://www.drupal.org/node/2599326
-  ## autocomplete URLs are forced to go to index.php
-  rewrite ^/index.php / last;
-
   ## The 'default' location.
   location / {
     include /etc/nginx/conf.d/drupal/location_prepend*.conf;
 
     ## Do not allow access to .txt and .md unless inside sites/*/files/
-    location ~* ^(?!.+sites\/.+\/files\/).+\.(txt|md)$ {
+    location ~* ^(?!.+sites\/.+\/files\/).+\.(txt|md|log)$ {
       deny all;
       access_log off;
       log_not_found off;
+      return 404;
     }
 
     ## Replicate the Apache <FilesMatch> directive of Drupal standard
     ## .htaccess. Disable access to any code files. Return a 404 to curtail
     ## information disclosure.
-    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.*sql\.gz|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^\/(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^\/#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.*sql\.gz|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|composer\.(lock|json)$|web\.config$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
       deny all;
       access_log off;
       log_not_found off;
+      return 404;
     }
 
     ## Expiring per default for four weeks and one second, Drupal will overwrite that if necessary
     expires ${NGINX_DEFAULT_EXPIRES:-2628001s};
 
-    ## Disallow access to any dot files, but send the request to Drupal
-    location ~* /\. {
-      try_files /dev/null @drupal;
+    ## Allow "Well-Known URIs" as per RFC 5785
+    location ~* ^/.well-known/ {
+      allow all;
+    }
+
+    ## Block access to "hidden" files and directories whose names begin with a
+    ## period. This includes directories used by version control systems such
+    ## as Subversion or Git to store control files.
+    location ~ (^|/)\. {
+      return 403;
     }
 
-    ### Directives for installing drupal.
+    ## Directives for installing drupal.
     location ~* ^(/install.php|/core/install.php) {
       try_files /dev/null @php;
     }
@@ -51,6 +56,12 @@ server {
       try_files /dev/null @drupal;
     }
 
+    ## Enforce clean URLs
+    ## Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
+    if ($request_uri ~* "^(.*/)index\.php/(.*)") {
+      return 301 $1$2;
+    }
+
     ## Try to find a file with given URL, if not pass to Drupal
     try_files $uri @drupal;
 
@@ -90,34 +101,39 @@ server {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Disallow access to backup directory.
   location ^~ /backup/ {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Disallow access to vagrant directory.
   location ^~ /vagrant/ {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Disallow access to vendor directory.
   location ^~ /core/vendor/ {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Disallow access to vendor directory.
   location ^~ /vendor/ {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Support for the robotstxt module

images/nginx-drupal/drupal/favicon.conf

@@ -1,5 +1,4 @@
-## Support for favicon. Return an 1x1 transparent GIF if it doesn't
-## exist.
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't exist.
 location = /favicon.ico {
   expires 30d;
   try_files /favicon.ico @empty;