Reorganize configuration files

Author: Luis Elizondo

.gitignore

@@ -0,0 +1 @@
+.DS_Store

Dockerfile

@@ -11,13 +11,13 @@ ENV LC_ALL     en_US.UTF-8
 # Update system
 RUN apt-get update && apt-get dist-upgrade -y
 
-# Basic packages
-RUN apt-get -y install php5-fpm php5-mysql php-apc php5-imagick php5-imap php5-mcrypt php5-curl php5-cli php5-gd php5-pgsql php5-sqlite php5-common php-pear curl php5-json php5-redis php5-memcache
-RUN apt-get -y install nginx-extras
-RUN apt-get -y install git curl supervisor
-
+# Prevent restarts when installing
 RUN echo '#!/bin/sh\nexit 101' > /usr/sbin/policy-rc.d && chmod +x /usr/sbin/policy-rc.d
 
+# Basic packages
+RUN apt-get -y install php5-fpm php5-mysql php-apc php5-imagick php5-imap php5-mcrypt php5-curl php5-cli php5-gd php5-pgsql php5-sqlite php5-common php-pear curl php5-json php5-redis php5-memcache 
+RUN apt-get -y install nginx-extras git curl supervisor
+
 RUN php5enmod mcrypt
 
 RUN /usr/bin/curl -sS https://getcomposer.org/installer | /usr/bin/php
@@ -29,12 +29,7 @@ RUN /usr/local/bin/composer self-update
 RUN /usr/local/bin/composer global require drush/drush:6.*
 RUN ln -s /.composer/vendor/drush/drush/drush /usr/local/bin/drush
 
-# PHP
-RUN sed -i 's/memory_limit = .*/memory_limit = 196M/' /etc/php5/fpm/php.ini
-RUN sed -i 's/cgi.fix_pathinfo = .*/cgi.fix_pathinfo = 0/' /etc/php5/fpm/php.ini
-RUN sed -i 's/upload_max_filesize = .*/upload_max_filesize = 500M/' /etc/php5/fpm/php.ini
-RUN sed -i 's/post_max_size = .*/post_max_size = 500M/' /etc/php5/fpm/php.ini
-
+# Prepare directory
 RUN mkdir /var/www
 RUN usermod -u 1000 www-data
 RUN usermod -a -G users www-data
@@ -50,19 +45,31 @@ CMD ["/usr/bin/supervisord", "-n"]
 ADD ./startup.sh /opt/startup.sh
 RUN chmod +x /opt/startup.sh
 
-# Add configuration files
-#ADD ./config/realip.conf /etc/nginx/conf.d/realip.conf
-ADD ./config/supervisord-nginx.conf /etc/supervisor/conf.d/supervisord-nginx.conf
 RUN mkdir -p /var/cache/nginx/microcache
-ADD ./config/nginx.conf /etc/nginx/nginx.conf
-ADD ./config/mime.types /etc/nginx/mime.types
-ADD ./config/fastcgi.conf /etc/nginx/fastcgi.conf
-ADD ./config/blacklist.conf /etc/nginx/blacklist.conf
-ADD ./config/fastcgi_microcache_zone.conf /etc/nginx/fastcgi_microcache_zone.conf
-ADD ./config/drupal.conf /etc/nginx/drupal.conf
-ADD ./config/fastcgi_drupal.conf /etc/nginx/fastcgi_drupal.conf
-ADD ./config/map_cache.conf /etc/nginx/map_cache.conf
-ADD ./config/microcache_fcgi_auth.conf /etc/nginx/microcache_fcgi_auth.conf
-ADD ./config/fastcgi_no_args_drupal.conf /etc/nginx/fastcgi_no_args_drupal.conf
-ADD ./config/drupal_upload_progress.conf /etc/nginx/drupal_upload_progress.conf
-ADD ./config/default /etc/nginx/sites-enabled/default
+
+### Add configuration files
+# Supervisor
+ADD ./config/supervisor/supervisord-nginx.conf /etc/supervisor/conf.d/supervisord-nginx.conf
+
+# PHP
+ADD ./config/php/www.conf /etc/php5/fpm/pool.d/www.conf
+ADD ./config/php/php.ini /etc/php5/fpm/php.ini
+
+# Nginx
+ADD ./config/nginx/blacklist.conf /etc/nginx/blacklist.conf
+ADD ./config/nginx/drupal.conf /etc/nginx/drupal.conf
+ADD ./config/nginx/drupal_upload_progress.conf /etc/nginx/drupal_upload_progress.conf
+ADD ./config/nginx/fastcgi.conf /etc/nginx/fastcgi.conf
+ADD ./config/nginx/fastcgi_drupal.conf /etc/nginx/fastcgi_drupal.conf
+ADD ./config/nginx/fastcgi_microcache_zone.conf /etc/nginx/fastcgi_microcache_zone.conf
+ADD ./config/nginx/fastcgi_no_args_drupal.conf /etc/nginx/fastcgi_no_args_drupal.conf
+ADD ./config/nginx/map_cache.conf /etc/nginx/map_cache.conf
+ADD ./config/nginx/microcache_fcgi_auth.conf /etc/nginx/microcache_fcgi_auth.conf
+ADD ./config/nginx/mime.types /etc/nginx/mime.types
+ADD ./config/nginx/nginx.conf /etc/nginx/nginx.conf
+ADD ./config/nginx/upstream_phpcgi_unix.conf /etc/nginx/upstream_phpcgi_unix.conf
+ADD ./config/nginx/map_block_http_methods.conf /etc/nginx/map_block_http_methods.conf
+ADD ./config/nginx/map_https_fcgi.conf /etc/nginx/map_https_fcgi.conf
+ADD ./config/nginx/nginx_status_allowed_hosts.conf /etc/nginx/nginx_status_allowed_hosts.conf
+ADD ./config/nginx/cron_allowed_hosts.conf /etc/nginx/cron_allowed_hosts.conf
+ADD ./config/nginx/default /etc/nginx/sites-enabled/default

Makefile

@@ -3,5 +3,8 @@ CURRENT_DIRECTORY := $(shell pwd)
 build:
 	@docker build --tag=iiiepe/nginx-drupal $(CURRENT_DIRECTORY)
 
+build-no-cache:
+	@docker build --no-cache --tag=iiiepe/nginx-drupal $(CURRENT_DIRECTORY)
+
 .PHONY: build
 

config/blacklist.conf renamed to config/nginx/blacklist.conf

@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration file for specifying which hosts can invoke Drupal's
+### cron. This only applies if you're not using drush to run cron.
+
+geo $not_allowed_cron {
+    default 1;
+    ## Add your set of hosts.
+    127.0.0.1 0; # allow the localhost
+    192.168.1.0/24 0; # allow on an internal network
+}

config/nginx/cron_allowed_hosts.conf

@@ -96,21 +96,21 @@ location / {
 
 ## Run the update from the web interface with Drupal 7.
 location = /authorize.php {
-    fastcgi_pass unix:/var/run/php5-fpm.sock;
+    fastcgi_pass phpcgi;
 }
 
 location = /update.php {
     #auth_basic "Restricted Access"; # auth realm
     #auth_basic_user_file .htpasswd-users; # htpasswd file
-    fastcgi_pass unix:/var/run/php5-fpm.sock;
+    fastcgi_pass phpcgi;
 }
 
 ## Restrict access to the strictly necessary PHP files. Reducing the
 ## scope for exploits. Handling of PHP code and the Drupal event loop.
 location @drupal {
     ## Include the FastCGI config.
     include fastcgi_drupal.conf;
-    fastcgi_pass unix:/var/run/php5-fpm.sock;
+    fastcgi_pass phpcgi;
 
     ## FCGI microcache for authenticated users also.
     include microcache_fcgi_auth.conf;
@@ -125,7 +125,7 @@ location @drupal-no-args {
     ## Include the specific FastCGI configuration. This is for a
     ## FCGI backend like php-cgi or php-fpm.
     include fastcgi_no_args_drupal.conf;
-    fastcgi_pass unix:/var/run/php5-fpm.sock;
+    fastcgi_pass phpcgi;
 
     ## FCGI microcache for authenticated users also.
     include microcache_fcgi_auth.conf;

config/default renamed to config/nginx/default

@@ -0,0 +1,11 @@
+# -*- mode: nginx; mode: flyspell-prog;  ispell-local-dictionary: "american" -*-
+
+### This file contains a map directive that is used to block the
+### invocation of HTTP methods. Out of the box it allows for HEAD, GET and POST.
+
+map $request_method $not_allowed_method {
+    default 1;
+    GET 0;
+    HEAD 0;
+    POST 0;
+}

config/drupal.conf renamed to config/nginx/drupal.conf

@@ -0,0 +1,7 @@
+# -*- mode: conf; mode: flyspell-prog;  ispell-local-dictionary: "american" -*-
+### Implement the $https_if_not_empty variable for Nginx versions below 1.1.11.
+
+map $scheme $https {
+    default '';
+    https on;
+}

config/drupal_upload_progress.conf renamed to config/nginx/drupal_upload_progress.conf

@@ -1,10 +1,14 @@
-# https://github.com/perusio/drupal-with-nginx
-
+# -*- mode: nginx; mode: flyspell-prog;  ispell-local-dictionary: "american" -*-
 user www-data;
 
-# Main error log
+## If you're using an Nginx version below 1.3.8 or 1.2. then uncomment
+## the line below and set it to the number of cores of the
+## server. Otherwise nginx will determine it automatically.
+#worker_processes 4;
+
 error_log /var/log/supervisor/nginx.log;
 pid /var/run/nginx.pid;
+
 worker_rlimit_nofile 8192;
 
 events {
@@ -19,7 +23,7 @@ http {
     default_type application/octet-stream;
 
     ## FastCGI.
-    include /etc/nginx/fastcgi.conf;
+    include fastcgi.conf;
 
     ## Default log and error files.
     access_log /var/log/supervisor/nginx-access.log;
@@ -43,6 +47,13 @@ http {
     ## ** one if not using nginx version >= 1.1.8.
     limit_conn_zone $binary_remote_addr zone=arbeit:10m;
 
+    ## Define a zone for limiting the number of simultaneous
+    ## connections nginx accepts. 1m means 32000 simultaneous
+    ## sessions. We need to define for each server the limit_conn
+    ## value refering to this or other zones.
+    ## ** Use this directive for nginx versions below 1.1.8. Uncomment the line below.
+    #limit_zone arbeit $binary_remote_addr 10m;
+
     ## Timeouts.
     client_body_timeout 60;
     client_header_timeout 60;
@@ -53,7 +64,7 @@ http {
     reset_timedout_connection on;
 
     ## Body size.
-    client_max_body_size 500m;
+    client_max_body_size 10m;
 
     ## TCP options.
     tcp_nodelay on;
@@ -107,7 +118,7 @@ http {
     ssl_ecdh_curve secp521r1;
 
     ## Enable OCSP stapling. A better way to revocate server certificates.
-    ssl_stapling on;
+    #ssl_stapling on;
     ## Fill in with your own resolver.
     resolver 8.8.8.8;
 
@@ -127,7 +138,7 @@ http {
     ## See http://wiki.nginx.org/HttpCoreModule#variables_hash_bucket_size
     ## The line variables_hash_bucket_size was added for completeness but not
     ## changed from default.
-    #variables_hash_max_size 1024; # default 512
+    variables_hash_max_size 1024; # default 512
     #variables_hash_bucket_size 64; # default is 64
 
     ## For the filefield_nginx_progress module to work. From the
@@ -155,25 +166,49 @@ http {
     ## Block MIME type sniffing on IE.
     add_header X-Content-Options nosniff;
 
+    ## Include the upstream servers for PHP FastCGI handling config.
+    ## This one uses the FCGI process listening on TCP sockets.
+    #include upstream_phpcgi_tcp.conf;
+
+    ## Include the upstream servers for PHP FastCGI handling
+    ## configuration. This setup uses UNIX sockets for talking with the
+    ## upstream.
+    include upstream_phpcgi_unix.conf;
+
+    ## Include the map to block HTTP methods.
+    include map_block_http_methods.conf;
+
+    ## If using Nginx version >= 1.1.11 then there's a $https variable
+    ## that has the value 'on' if the used scheme is https and '' if not.
+    ## See: http://trac.nginx.org/nginx/changeset/4380/nginx
+    ## http://trac.nginx.org/nginx/changeset/4333/nginx and
+    ## http://trac.nginx.org/nginx/changeset/4334/nginx. If using a
+    ## previous version then uncomment out the line below.
+    #include map_https_fcgi.conf;
+
     # Support the X-Forwarded-Proto header for fastcgi.
     map $http_x_forwarded_proto $fastcgi_https {
       default $https;
       http '';
       https on;
     }
 
-    ##########################################################
     ## Include the upstream servers for Apache handling the PHP
     ## processes. In this case Nginx functions as a reverse proxy.
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header Host $http_host;
-    ## Hide the X-Drupal-Cache header provided by Pressflow.
-    proxy_hide_header 'X-Drupal-Cache';
-    ## Hide the Drupal 7 header X-Generator.
-    proxy_hide_header 'X-Generator';
-    proxy_hide_header 'X-Powered-By';
-    ############################################################
+    #include reverse_proxy.conf;
+    #include upstream_phpapache.conf;
+
+    ## Include the php-fpm status allowed hosts configuration block.
+    ## Uncomment to enable if you're running php-fpm.
+    #include php_fpm_status_allowed_hosts.conf;
+
+    ## Include the Nginx stub status allowed hosts configuration block.
+    include nginx_status_allowed_hosts.conf;
+
+    ## If you want to run cron using Drupal cron.php. i.e., you're not
+    ## using drush then uncomment the line below. Specify in
+    ## cron_allowed_hosts.conf which hosts can invole cron.
+    include cron_allowed_hosts.conf;
 
     ## Include blacklist for bad bot and referer blocking.
     include blacklist.conf;
@@ -184,6 +219,10 @@ http {
     ## Microcache zone definition for FastCGI.
     include fastcgi_microcache_zone.conf;
 
+    ## If you're using Apache for handling PHP then comment the line
+    ## above and uncomment the line below.
+    #include proxy_microcache_zone.conf
+
     ## Include all vhosts.
     include /etc/nginx/sites-enabled/*;
 }

config/fastcgi.conf renamed to config/nginx/fastcgi.conf

@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode: flyspell-prog;  ispell-local-dictionary: "american" -*-
+
+### Configuration of nginx stub status page. Here we define the
+### allowed hosts using the Geo Module. http://wiki.nginx.org/HttpGeoModule
+
+geo $dont_show_nginx_status {
+    default 1;
+    127.0.0.1 0; # allow on the loopback
+    192.168.1.0/24 0; # allow on an internal network
+}

config/fastcgi_drupal.conf renamed to config/nginx/fastcgi_drupal.conf

@@ -0,0 +1,23 @@
+# -*- mode: nginx; mode: flyspell-prog;  ispell-local-dictionary: "american" -*-
+
+### Upstream configuration for PHP FastCGI.
+
+## Add as many servers as needed:
+## Cf. http://wiki.nginx.org/HttpUpstreamModule.
+## Note that this configuration assumes by default that keepalive
+## upstream connections are supported and that you have a Nginx
+## version with the fair load balancer.
+
+## Add as many servers as needed. Cf. http://wiki.nginx.org/HttpUpstreamModule.
+upstream phpcgi {
+    ## Use the least connection algorithm for load balancing. This
+    ## algorithm was introduced in versions 1.3.1 and 1.2.2.
+    least_conn;
+
+    server unix:/var/run/php-fpm.sock;
+    ## Create a backend connection cache. Note that this requires
+    ## Nginx version greater or equal to 1.1.4.
+    ## Cf. http://nginx.org/en/CHANGES. Comment out the following
+    ## line if that's not the case.
+    keepalive 5;
+}