Merge branch 'D7' of https://github.com/perusio/drupal-with-nginx into D7

* 'D7' of https://github.com/perusio/drupal-with-nginx:
  * Added woff2 support from PR perusio#255 by @iryston.
  Added an appropriate mime type for .woff2
  * Fix perusio#251 with PR from @kkomelin.
  * Include PR#11 from @kkomelin about CGI var vuln.
  Allowed "Well-Known URIs".
  Cache valid responses for 15s.
  disable access_log in php_fpm_status_vhost
  * Disabled SSL v3.
  * Enable OCSP stapling verification.
  Update fastcgi_cache_key
  Issue perusio#212 by colans: Move header-adding to nginx.conf to avoid losing headers.
  Disabled SSLv3 to fix POODLE vulnerability.

Author: jakobg

Diff for: apps/drupal/drupal.conf

@@ -122,7 +122,7 @@ location / {
     }
 
     ## All static files will be served directly.
-    location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+    location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff2?|svg)$ {
 
         access_log off;
         expires 30d;
@@ -349,4 +349,3 @@ location @empty {
 location ~* ^.+\.php$ {
     return 404;
 }
-

Diff for: apps/drupal/drupal_boost.conf

@@ -116,7 +116,7 @@ location / {
     }
 
     ## All static files will be served directly.
-    location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+    location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff2?|svg)$ {
         access_log off;
         expires 30d;
         ## No need to bleed constant updates. Send the all shebang in one
@@ -374,4 +374,3 @@ location = /boost_stats.php {
     ## comment out the above.
     #proxy_pass http://phpapache;
 }
-

Diff for: apps/drupal/drupal_boost_escaped.conf

@@ -119,7 +119,7 @@ location / {
     }
 
     ## All static files will be served directly.
-    location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+    location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff2?|svg)$ {
         access_log off;
         expires 30d;
         ## No need to bleed constant updates. Send the all shebang in one
@@ -379,4 +379,3 @@ location = /boost_stats.php {
     #proxy_pass http://phpapache;
     #proxy_set_header Connection '';
 }
-

Diff for: apps/drupal/drupal_escaped.conf

@@ -120,7 +120,7 @@ location / {
     }
 
     ## All static files will be served directly.
-    location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+    location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff2?|svg)$ {
         access_log off;
         expires 30d;
         ## No need to bleed constant updates. Send the all shebang in one
@@ -344,4 +344,3 @@ location @empty {
 location ~* ^.+\.php$ {
     return 404;
 }
-

Diff for: apps/drupal/microcache_fcgi.conf

@@ -8,8 +8,8 @@ fastcgi_cache microcache;
 ## The cache key.
 fastcgi_cache_key $scheme$request_method$host$request_uri;
 
-## For 200 and 301 make the cache valid for 1s seconds.
-fastcgi_cache_valid 200 301 1s;
+## For 200 and 301 make the cache valid for 15 seconds.
+fastcgi_cache_valid 200 301 15s;
 ## For 302 make it valid for 1 minute.
 fastcgi_cache_valid 302 1m;
 ## For 404 make it valid 1 second.
@@ -23,29 +23,10 @@ fastcgi_ignore_headers Cache-Control Expires;
 ## Bypass the cache.
 fastcgi_cache_bypass $no_cache;
 fastcgi_no_cache $no_cache;
-## Add a cache miss/hit status header.
-add_header X-Micro-Cache $upstream_cache_status;
+
 ## To avoid any interaction with the cache control headers we expire
 ## everything on this location immediately.
 expires epoch;
-## Enable clickjacking protection in modern browsers. Available in
-## IE8 also. See
-## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
-## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
-## Uncomment the line below if you're not using media streaming.
-## For sites *not* using frames uncomment the line below.
-#add_header X-Frame-Options DENY;
-## For sites *using* frames uncomment the line below.
-#add_header X-Frame-Options SAMEORIGIN;
-
-## Block MIME type sniffing on IE.
-add_header X-Content-Options nosniff;
-
-## Strict Transport Security header for enhanced security. See
-## http://www.chromium.org/sts. I've set it to 2 hours; set it to
-## whichever age you want.
-## Uncomment the line below if you're using HTTPS.
-#add_header Strict-Transport-Security max-age=7200;
 
 ## If you're using a Nginx version greater than 1.1.11 then uncomment
 ## the line below. See:

Diff for: fastcgi_params

@@ -30,3 +30,6 @@ fastcgi_param REDIRECT_STATUS 200;
 fastcgi_param HTTPS $fastcgi_https if_not_empty;
 ## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
 #fastcgi_param HTTPS $fastcgi_https;
+
+## Fix HTTPoxy vulnerability https://httpoxy.org/#mitigate-nginx.
+fastcgi_param HTTP_PROXY '';

Diff for: mime.types

@@ -97,6 +97,7 @@ types {
     font/opentype                         otf;
     application/vnd.ms-fontobject         eot;
     application/font-woff                 woff;
+    application/font-woff                 woff2;
 
     application/octet-stream              bin exe dll;
     application/octet-stream              deb;

Diff for: nginx.conf

@@ -22,9 +22,6 @@ http {
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
 
-    ## FastCGI.
-    include /etc/nginx/fastcgi.conf;
-
     ## Default log and error files.
     access_log /var/log/nginx/access.log;
     error_log /var/log/nginx/error.log;
@@ -40,11 +37,6 @@ http {
     ## connections nginx accepts. 1m means 32000 simultaneous
     ## sessions. We need to define for each server the limit_conn
     ## value refering to this or other zones.
-    ## ** This syntax requires nginx version >=
-    ## ** 1.1.8. Cf. http://nginx.org/en/CHANGES. If using an older
-    ## ** version then use the limit_zone directive below
-    ## ** instead. Comment out this
-    ## ** one if not using nginx version >= 1.1.8.
     limit_conn_zone $binary_remote_addr zone=arbeit:10m;
 
     ## Define a zone for limiting the number of simultaneous
@@ -109,7 +101,7 @@ http {
     ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+SHA384:ECDH+aRSA+SHA256:ECDH:EDH+CAMELLIA:EDH+aRSA:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA;
 
     ## No SSL2 support. Legacy support of SSLv3.
-    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
     ## Pregenerated Diffie-Hellman parameters.
     ssl_dhparam /etc/nginx/dh_param.pem;
@@ -119,6 +111,9 @@ http {
 
     ## Enable OCSP stapling. A better way to revocate server certificates.
     ssl_stapling on;
+    ## Enable verification of OCSP stapling responses by the server.
+    ssl_stapling_verify on;
+
     ## Fill in with your own resolver.
     resolver 8.8.8.8;
 
@@ -163,9 +158,20 @@ http {
     ## line below.
     #add_header X-Frame-Options DENY;
 
+    ## Enable this if using HTTPS. See sites-available/example.com.conf
+    ## for details.
+    #add_header Strict-Transport-Security "max-age=7200";
+
     ## Block MIME type sniffing on IE.
     add_header X-Content-Options nosniff;
 
+    ## Add a cache miss/hit status header. This can be disabled if not including
+    ## any of the apps/drupal/microcache* files.
+    add_header X-Micro-Cache $upstream_cache_status;
+
+    ## FastCGI.
+    include /etc/nginx/fastcgi.conf;
+
     ## Include the upstream servers for PHP FastCGI handling config.
     ## This one uses the FCGI process listening on TCP sockets.
     #include upstream_phpcgi_tcp.conf;
@@ -186,11 +192,11 @@ http {
     ## previous version then uncomment out the line below.
     # include map_https_fcgi.conf;
 
-    # Support the X-Forwarded-Proto header for fastcgi.
+    ## Support the X-Forwarded-Proto header for fastcgi.
     map $http_x_forwarded_proto $fastcgi_https {
-      default $https;
-      http '';
-      https on;
+        default $https;
+        http '';
+        https on;
     }
 
     ## Include the upstream servers for Apache handling the PHP

Diff for: php_fpm_status_vhost.conf

@@ -14,6 +14,7 @@ location = /fpm-status {
         return 404;
     }
     fastcgi_pass www0;
+    access_log off;
 }
 
 ## The ping page is at /ping and returns the string configured at the php-fpm level.
@@ -23,6 +24,7 @@ location = /ping {
         return 404;
     }
     fastcgi_pass www0;
+    access_log off;
 }
 
 ## This is for the second pool. It assumes that you've configured
@@ -37,6 +39,7 @@ location = /fpm-status-zwei {
         return 404;
     }
     fastcgi_pass www1;
+    access_log off;
 }
 
 ## The ping page is at /ping and returns the string configured at the php-fpm level.
@@ -46,6 +49,7 @@ location = /ping-zwei {
         return 404;
     }
     fastcgi_pass www1;
+    access_log off;
 }
 
 ## This is for the third pool that acts as backup. It assumes that
@@ -61,6 +65,7 @@ location = /fpm-status-drei {
         return 404;
     }
     fastcgi_pass phpcgi;
+    access_log off;
 }
 
 ## The ping page is at /ping and returns the string configured at the php-fpm level.
@@ -70,4 +75,5 @@ location = /ping-drei {
         return 404;
     }
     fastcgi_pass phpcgi;
+    access_log off;
 }

Diff for: sites-available/example.com.conf

@@ -56,6 +56,12 @@ server {
     ## Uncomment if you're proxying to Apache for handling PHP.
     #proxy_http_version 1.1; # keep alive to the Apache upstream
 
+    # Allow "Well-Known URIs" as per RFC 5785.
+    # Necessary for Let’s Encrypt validation server.
+    location ~* ^/.well-known/ {
+        allow all;
+    }
+
     ################################################################
     ### Generic configuration: for most Drupal 7 sites.
     ################################################################
@@ -171,10 +177,16 @@ server {
     ssl_certificate /etc/ssl/certs/example-cert.pem;
     ssl_certificate_key /etc/ssl/private/example.key;
 
+    # Disable SSL v3 protocol to fix POODLE bug.
+    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+
     ## Strict Transport Security header for enhanced security. See
     ## http://www.chromium.org/sts. I've set it to 2 hours; set it to
-    ## whichever age you want.
-    add_header Strict-Transport-Security "max-age=7200";
+    ## whichever age you want. However, we can't set this here because adding
+    ## a header will drop all other headers set earlier. See
+    ## http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
+    ## for details.  Instead, uncomment this in nginx.conf.
+    ## add_header Strict-Transport-Security "max-age=7200";
 
     root /var/www/sites/example.com;
     index index.php;