From 0f60b39a6381718e1c564d97ec7c046bd153d1fd Mon Sep 17 00:00:00 2001
From: Toby Bellwood
Date: Tue, 8 Mar 2022 11:16:01 +1100
Subject: [PATCH] changes from uselagoon/lagoon#2110

---
 images/nginx-drupal/drupal.conf         | 38 ++++++++++++++++++-------
 images/nginx-drupal/drupal/favicon.conf |  3 +-
 2 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/images/nginx-drupal/drupal.conf b/images/nginx-drupal/drupal.conf
index 6a7aaa5ff..f11cb6d45 100644
--- a/images/nginx-drupal/drupal.conf
+++ b/images/nginx-drupal/drupal.conf
@@ -1,4 +1,4 @@
-### Nginx configuration for Drupal 7 and 8.
+## Nginx configuration for Drupal 7 and above
 server {
   include /etc/nginx/conf.d/drupal/server_prepend*.conf;
 
@@ -9,39 +9,44 @@ server {
   root /app/${WEBROOT:-};
   index index.php;
 
-  ## rewriting /index.php to / because after https://www.drupal.org/node/2599326
-  ## autocomplete URLs are forced to go to index.php
-  rewrite ^/index.php / last;
-
   ## The 'default' location.
   location / {
     include /etc/nginx/conf.d/drupal/location_prepend*.conf;
 
     ## Do not allow access to .txt and .md unless inside sites/*/files/
-    location ~* ^(?!.+sites\/.+\/files\/).+\.(txt|md)$ {
+    location ~* ^(?!.+sites\/.+\/files\/).+\.(txt|md|log)$ {
       deny all;
       access_log off;
       log_not_found off;
+      return 404;
     }
 
     ## Replicate the Apache directive of Drupal standard
     ## .htaccess. Disable access to any code files. Return a 404 to curtail
     ## information disclosure.
-    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.*sql\.gz|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^\/(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^\/#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.*sql\.gz|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|composer\.(lock|json)$|web\.config$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
       deny all;
       access_log off;
       log_not_found off;
+      return 404;
     }
 
     ## Expiring per default for four weeks and one second, Drupal will overwrite that if necessary
     expires ${NGINX_DEFAULT_EXPIRES:-2628001s};
 
-    ## Disallow access to any dot files, but send the request to Drupal
-    location ~* /\. {
-      try_files /dev/null @drupal;
+    ## Allow "Well-Known URIs" as per RFC 5785
+    location ~* ^/.well-known/ {
+      allow all;
+    }
+
+    ## Block access to "hidden" files and directories whose names begin with a
+    ## period. This includes directories used by version control systems such
+    ## as Subversion or Git to store control files.
+    location ~ (^|/)\. {
+      return 403;
     }
 
-    ### Directives for installing drupal.
+    ## Directives for installing drupal.
     location ~* ^(/install.php|/core/install.php) {
       try_files /dev/null @php;
     }
@@ -51,6 +56,12 @@ server {
       try_files /dev/null @drupal;
     }
 
+    ## Enforce clean URLs
+    ## Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
+    if ($request_uri ~* "^(.*/)index\.php/(.*)") {
+      return 301 $1$2;
+    }
+
     ## Try to find a file with given URL, if not pass to Drupal
     try_files $uri @drupal;
 
@@ -90,6 +101,7 @@ server {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Disallow access to backup directory.
@@ -97,6 +109,7 @@ server {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Disallow access to vagrant directory.
@@ -104,6 +117,7 @@ server {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Disallow access to vendor directory.
@@ -111,6 +125,7 @@ server {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Disallow access to vendor directory.
@@ -118,6 +133,7 @@ server {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Support for the robotstxt module
diff --git a/images/nginx-drupal/drupal/favicon.conf b/images/nginx-drupal/drupal/favicon.conf
index bbe0d8427..5dbbdecd9 100644
--- a/images/nginx-drupal/drupal/favicon.conf
+++ b/images/nginx-drupal/drupal/favicon.conf
@@ -1,5 +1,4 @@
-## Support for favicon. Return an 1x1 transparent GIF if it doesn't
-## exist.
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't exist.
 location = /favicon.ico {
   expires 30d;
   try_files /favicon.ico @empty;
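Review bot: The rewritten code-files `location ~*` drops the `^\/` prefix, so the alternatives `^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$` and `^#.*#$` can no longer match anything: nginx tests regex locations against `$uri`, which always begins with `/`, so `^\.`, `^Entries` and `^#` are dead anchors and `/Entries`, `/Repository`, `/Root`, `/Tag`, `/Template` and `/#…#` now fall through to `try_files $uri @drupal` (dot-prefixed paths are still caught by the new `(^|/)\.` rule). This reads like a copy of the Drupal `.htaccess` `FilesMatch`, which anchors on the file name rather than the URI; use `(^|/)(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(^|/)#.*#$` in its place. The new `location ~* ^/.well-known/` has an unescaped dot, so a path such as `/xwell-known/` is also served with `allow all;` instead of reaching Drupal; write `^/\.well-known/`. The `return 404;` added to the two deny blocks here, and in the five hunks at -90, -97, -104, -111 and -118, runs in the rewrite phase before the access phase, so the preceding `deny all;` never takes effect and can be removed or kept purely for readability. The enclosing `server {` and `location / {` blocks start and end outside the hunk.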
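Review bot: The clean-URL redirect matches `$request_uri`, which includes the query string, so a query value containing `/index.php/` is rewritten together with the path, and the unnormalized leading part `$1` is echoed into the Location header; with the default `absolute_redirect on` nginx prefixes scheme and host, but if that is turned off elsewhere in the config a `//`-prefixed request path would produce a protocol-relative redirect. Keeping the query out of the match, `if ($request_uri ~* "^([^?]*/)index\.php/([^?]*)(\?.*)?$") {` with `return 301 $1$2$3;`, fixes the first problem while preserving the original percent-encoding that switching to `$uri` would lose; the `//` case is worth a comment either way. Greedy `(.*/)` also means a path containing `index.php/` twice redirects in two hops rather than one, which is probably acceptable. The `location / {` holding this `if` starts and ends outside the hunk.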