From eb1b9567df23cbec4ee082af3e333a863b0e702d Mon Sep 17 00:00:00 2001
From: Jeremy Gonyea <jeremy.gonyea@gmail.com>
Date: Thu, 3 Oct 2019 16:54:05 -0400
Subject: [PATCH] Updated for latest ddev version (#2676)

---
 webserver-configs/nginx-ddev-site.conf | 140 +++++++++++++++----------
 1 file changed, 82 insertions(+), 58 deletions(-)

diff --git a/webserver-configs/nginx-ddev-site.conf b/webserver-configs/nginx-ddev-site.conf
index e75cf2ff1..be3cf3721 100644
--- a/webserver-configs/nginx-ddev-site.conf
+++ b/webserver-configs/nginx-ddev-site.conf
@@ -2,7 +2,7 @@
 
 # You can override ddev's configuration by placing an edited copy
 # of this config (or one of the other ones) in .ddev/nginx-site.conf
-# See https://ddev.readthedocs.io/en/latest/users/extend/customization-extendibility/#providing-custom-nginx-configuration
+# See https://ddev.readthedocs.io/en/stable/users/extend/customization-extendibility/#providing-custom-nginx-configuration
 
 # Set https to 'on' if x-forwarded-proto is https
 map $http_x_forwarded_proto $fcgi_https {
@@ -11,11 +11,16 @@ map $http_x_forwarded_proto $fcgi_https {
 }
 
 server {
-    listen 80; ## listen for ipv4; this line is default and implied
-    listen [::]:80 default ipv6only=on; ## listen for ipv6
-    # The NGINX_DOCROOT variable is substituted with
+    listen 80;
+    listen [::]:80 default ipv6only=on;
+
+    # The WEBSERVER_DOCROOT variable is substituted with
     # its value when the container is started.
-    root $NGINX_DOCROOT;
+    root $WEBSERVER_DOCROOT;
+
+    include /etc/nginx/monitoring.conf;
+
+
     index index.php index.htm index.html;
 
     # Make site accessible from http://localhost/
@@ -23,15 +28,20 @@ server {
 
     # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
     sendfile off;
-    error_log /var/log/nginx/error.log info;
+    error_log /dev/stdout info;
     access_log /var/log/nginx/access.log;
 
+    ## Begin - Index
+    # for subfolders, simply adjust:
+    # `location /subfolder {`
+    # and the rewrite to use `/subfolder/index.php`
     location / {
-        absolute_redirect off;
         try_files $uri $uri/ /index.php?$query_string;
     }
+    ## End - Index
 
-    # pass the PHP scripts to FastCGI server listening on socket
+
+     # pass the PHP scripts to FastCGI server listening on socket
     location ~ \.php$ {
         try_files $uri =404;
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
@@ -42,38 +52,78 @@ server {
         fastcgi_param SCRIPT_NAME $fastcgi_script_name;
         fastcgi_index index.php;
         include fastcgi_params;
-        fastcgi_intercept_errors on;
+        fastcgi_intercept_errors off;
         # fastcgi_read_timeout should match max_execution_time in php.ini
         fastcgi_read_timeout 10m;
         fastcgi_param SERVER_NAME $host;
         fastcgi_param HTTPS $fcgi_https;
     }
 
-    # Expire rules for static content
-    # Feed
-    location ~* \.(?:rss|atom|cache)$ {
-        expires 1h;
-    }
+    ## Begin - Security
+    # deny all direct access for these folders
+    location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
+    # deny running scripts inside core system folders
+    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    # deny running scripts inside user folder
+    location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    # deny access to specific files in the root folder
+    location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
+    ## End - Security
 
-    # Media: images, icons, video, audio, HTC
-    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
-        expires 1M;
-        access_log off;
-        add_header Cache-Control "public";
-    }
+    include /mnt/ddev_config/nginx/*.conf;
+}
 
-    # Prevent clients from accessing hidden files (starting with a dot)
-    # This is particularly important if you store .htpasswd files in the site hierarchy
-    # Access to `/.well-known/` is allowed.
-    # https://www.mnot.net/blog/2010/04/07/well-known
-    # https://tools.ietf.org/html/rfc5785
-    location ~* /\.(?!well-known\/) {
-        deny all;
-    }
 
-    # Prevent clients from accessing to backup/config/source files
-    location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
-        deny all;
+server {
+    listen 443 ssl;
+    listen [::]:443 default ipv6only=on;
+
+    # The WEBSERVER_DOCROOT variable is substituted with
+    # its value when the container is started.
+    root $WEBSERVER_DOCROOT;
+
+    ssl_certificate /etc/ssl/certs/master.crt;
+    ssl_certificate_key /etc/ssl/certs/master.key;
+
+    include /etc/nginx/monitoring.conf;
+
+
+    index index.php index.htm index.html;
+
+    # Make site accessible from http://localhost/
+    server_name _;
+
+    # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
+    sendfile off;
+    error_log /dev/stdout info;
+    access_log /var/log/nginx/access.log;
+
+    ## Begin - Index
+    # for subfolders, simply adjust:
+    # `location /subfolder {`
+    # and the rewrite to use `/subfolder/index.php`
+    location / {
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+    ## End - Index
+
+
+     # pass the PHP scripts to FastCGI server listening on socket
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/run/php-fpm.sock;
+        fastcgi_buffers 16 16k;
+        fastcgi_buffer_size 32k;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_intercept_errors off;
+        # fastcgi_read_timeout should match max_execution_time in php.ini
+        fastcgi_read_timeout 10m;
+        fastcgi_param SERVER_NAME $host;
+        fastcgi_param HTTPS $fcgi_https;
     }
 
     ## Begin - Security
@@ -88,31 +138,5 @@ server {
     ## End - Security
 
 
-    ## provide a health check endpoint
-    location /healthcheck {
-        access_log off;
-        stub_status     on;
-        keepalive_timeout 0;    # Disable HTTP keepalive
-        return 200;
-    }
-
-    error_page 400 401 /40x.html;
-    location = /40x.html {
-            root   /usr/share/nginx/html;
-    }
-
-    location ~ ^/(fpmstatus|ping)$ {
-        access_log off;
-        stub_status     on;
-        keepalive_timeout 0;    # Disable HTTP keepalive
-        allow 127.0.0.1;
-        allow all;
-        fastcgi_index index.php;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        include fastcgi_params;
-        fastcgi_pass unix:/run/php-fpm.sock;
-    }
-
-
+    include /mnt/ddev_config/nginx/*.conf;
 }
-