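user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # $http_x_forwarded_for is a client-supplied header; treat it as untrusted
    # when reading these logs.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    keepalive_timeout 65;
    gzip on;

    # Increase client body size for file uploads.
    client_max_body_size 64M;

    server {
        # NOTE(review): plain HTTP only; presumably TLS is terminated by a
        # proxy in front of this server. Confirm.
        listen 80;
        # ${DOMAIN} is not an nginx variable; presumably it is substituted
        # when this template is rendered. Confirm.
        server_name cms.${DOMAIN};
        root /var/www/html;

        # Regex locations are tested in the order they appear and the first
        # match wins. The deny rules therefore come before the PHP and
        # static-asset handlers; placed after them, a URI such as
        # /vendor/<path>.php would be claimed by the \.php$ location and
        # passed to FPM, and the deny rule would never be reached.

        # Don't allow direct access to PHP files in the vendor directory.
        # "return" runs in the rewrite phase, so clients receive 404 rather
        # than the 403 that "deny all" alone would produce.
        location ~ /vendor/.*\.php$ {
            deny all;
            return 404;
        }

        # Protect .git directory.
        location ~ /\.git {
            deny all;
            return 404;
        }

        # Protect files and directories from prying eyes.
        # NOTE(review): the alternatives anchored with ^ (dotfiles,
        # composer.json/lock, web.config, ...) are matched against the
        # request URI, which always begins with "/", so they cannot match.
        # Only the extension-based alternatives take effect. Cover those
        # files with a separate rule if they sit under the document root.
        location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
            deny all;
            return 404;
        }

        # JSON:API endpoint caching headers.
        # NOTE(review): add_header applies only in the location that finally
        # produces the response. When try_files falls back to /index.php the
        # request is internally redirected to the \.php$ location, so these
        # headers are not attached to PHP-generated responses. Before making
        # Cache-Control effective there, confirm that no per-user response
        # would be served with a "public" policy.
        location /jsonapi {
            try_files $uri /index.php$is_args$args;
            add_header Cache-Control "public, max-age=60";
            add_header X-Content-Type-Options nosniff;
        }

        location / {
            try_files $uri /index.php$is_args$args;
        }

        # Hand PHP requests to the FPM backend.
        # NOTE(review): every URI ending in .php is forwarded without a check
        # that the script exists. If the document root is also readable from
        # this server, consider "try_files $fastcgi_script_name =404;" here.
        location ~ \.php$ {
            fastcgi_pass drupal-fpm:9000;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param DOCUMENT_ROOT $document_root;
            fastcgi_read_timeout 120;
        }

        # Static assets: serve from disk with far-future expiry, otherwise
        # fall through to the front controller.
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            try_files $uri @rewrite;
            expires max;
            log_not_found off;
        }

        location @rewrite {
            rewrite ^ /index.php;
        }
    }
}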