From fd86957e1586ee5e871837866cbe49d20631e6f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9goire=20Wulliamoz?=
Date: Mon, 17 Aug 2020 07:55:22 +0200
Subject: [PATCH] Configure nginx for drupal on Linux 2 platforms
---
.../nginx/conf.d/elasticbeanstalk/drupal.conf | 87 +++++++++++++++++++
1 file changed, 87 insertions(+)
create mode 100644 .platform/nginx/conf.d/elasticbeanstalk/drupal.conf
diff --git a/.platform/nginx/conf.d/elasticbeanstalk/drupal.conf b/.platform/nginx/conf.d/elasticbeanstalk/drupal.conf
new file mode 100644
index 0000000..ccff7b8
--- /dev/null
+++ b/.platform/nginx/conf.d/elasticbeanstalk/drupal.conf
@@ -0,0 +1,87 @@
+location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+}
+
+location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+}
+
+# Very rarely should these ever be accessed outside of your lan
+location ~* \.(txt|log)$ {
+ allow 192.168.0.0/16;
+ deny all;
+}
+
+location ~ \..*/.*\.php$ {
+ return 403;
+}
+
+location ~ ^/sites/.*/private/ {
+ return 403;
+}
+
+# Block access to scripts in site files directory
+location ~ ^/sites/[^/]+/files/.*\.php$ {
+ deny all;
+}
+
+# Allow "Well-Known URIs" as per RFC 5785
+location ~* ^/.well-known/ {
+ allow all;
+}
+
+# Block access to "hidden" files and directories whose names begin with a
+# period. This includes directories used by version control systems such
+# as Subversion or Git to store control files.
+location ~ (^|/)\. {
+ return 403;
+}
+
+location / {
+ # try_files $uri @rewrite; # For Drupal <= 6
+ try_files $uri /index.php?$query_string; # For Drupal >= 7
+}
+
+location @rewrite {
+ rewrite ^/(.*)$ /index.php?q=$1;
+}
+
+# Don't allow direct access to PHP files in the vendor directory.
+location ~ /vendor/.*\.php$ {
+ deny all;
+ return 404;
+}
+
+# Protect files and directories from prying eyes.
+location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|composer\.(lock|json)$|web\.config$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+ deny all;
+ return 404;
+}
+
+location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+ try_files $uri @rewrite;
+ expires max;
+ log_not_found off;
+}
+
+# Fighting with Styles? This little gem is amazing.
+# location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
+location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
+ try_files $uri @rewrite;
+}
+
+# Handle private files through Drupal. Private file's path can come
+# with a language prefix.
+location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
+ try_files $uri /index.php?$query_string;
+}
+
+# Enforce clean URLs
+# Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
+# Could be done with 301 for permanent or other redirect codes.
+if ($request_uri ~* "^(.*/)index\.php/(.*)") {
+ return 307 $1$2;
+}
\ No newline at end of file
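Review bot: The `allow 192.168.0.0/16; deny all;` pair in `location ~* \.(txt|log)$` decides on the address nginx sees, which behind an Elastic Beanstalk load balancer is presumably the balancer's private address rather than the client's, unless the realip module is configured outside this file. Depending on the VPC range, the rule then either admits every request for `.txt`/`.log` files or rejects all of them, and neither outcome matches the "outside of your lan" comment. A plain `deny all;` would be the safer default, or set `set_real_ip_from <trusted-LB-CIDR>;` and `real_ip_header X-Forwarded-For;` before relying on the allow-list. Separately, the PHP-blocking locations for `/sites/[^/]+/files/`, `/vendor/` and dotted directories all anchor on `\.php$`, so a URI carrying path info after the script name is not covered; if the PHP handler defined outside this file accepts path info, ending those patterns in `\.php(/|$)` would close the gap.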