Running Drupal using NGINX: ready-made configuration with explanations

Drupal + NGINX: ready-made configuration

With version 8 recently released and a community of over 1 million supporters, Drupal remains a popular choice when it comes to a highly flexible and functional CMS platform. Version 8 has over 200 new features compared to version 7, aimed at improving both the usability and manageability of the system. This cookbook will be using version 8.0.5.




This example assumes you already have a working instance of Drupal or are familiar with the installation process. You can also follow the installation guide available at https://www.drupal.org/documentation/install.

This recipe is for a basic Drupal configuration, with the Drupal files located in /var/www/html.

Here's the configuration to use:

server { 
    listen       80; 
    server_name  drupal.nginxcookbook.com; 
 
    access_log  /var/log/nginx/drupal.access.log  combined; 
    index index.php; 
 
    root   /var/www/html/; 
 
    location / { 
        try_files $uri $uri/ /index.php?$args; 
    } 
 
    location ~ (^|/)\. { 
        return 403; 
    } 
 
    location ~ /vendor/.*\.php$ { 
        deny all; 
        return 404; 
    } 
 
    location ~ \.php$|^/update.php { 
        fastcgi_pass unix:/var/run/php7.0-fpm.sock; 
        fastcgi_split_path_info ^(.+?\.php)(|/.*)$; 
        fastcgi_index index.php; 
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
        include fastcgi_params; 
    } 
}

Based on a simple PHP-FPM structure, we make a few key changes specific to the Drupal environment. The first change is as follows:

location ~ (^|/)\. { 
    return 403; 
} 

We block any files or directories beginning with a dot, which are normally hidden and/or system files. This is to prevent accidental information leakage. The next change is:

location ~ /vendor/.*\.php$ { 
    deny all; 
    return 404; 
} 

Any PHP file within the vendor directory is also blocked, as these files shouldn't be called directly. Blocking the PHP files limits any potential exploit opportunity which could be discovered in third-party code.

Lastly, Drupal 8 changed the way the PHP functions are called for updates, which causes any old configuration to break. The location directive for the PHP files looks like this:

location ~ \.php$|^/update.php { 

This is to allow the distinct pattern that Drupal uses, where the PHP filename could be midway through the URI.

We also modify how the FastCGI module splits the URI, so that the script name and any trailing path info are always separated correctly:

fastcgi_split_path_info ^(.+?\.php)(|/.*)$; 
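
To see how the three regex locations and the split pattern interact, here is an added example (not part of the original recipe) that models nginx's location selection in Python. It assumes Python's re module behaves like PCRE for these patterns; the route function and the sample paths are constructed for illustration.

```python
import re

# Regex locations copied from the server block, in configuration order.
# nginx checks regex locations in order and uses the first that matches;
# the prefix location "/" is used only when none of them match.
REGEX_LOCATIONS = [
    (re.compile(r"(^|/)\."), "return 403"),
    (re.compile(r"/vendor/.*\.php$"), "return 404"),
    (re.compile(r"\.php$|^/update.php"), "fastcgi"),
]
# Pattern given to fastcgi_split_path_info: group 1 becomes
# $fastcgi_script_name, group 2 becomes $fastcgi_path_info.
SPLIT_PATH_INFO = re.compile(r"^(.+?\.php)(|/.*)$")


def route(uri):
    """Return (action, script_name, path_info) for a URI path (no query string)."""
    for pattern, action in REGEX_LOCATIONS:
        if not pattern.search(uri):
            continue
        if action != "fastcgi":
            return action, None, None
        m = SPLIT_PATH_INFO.match(uri)
        # If the split pattern does not match, nginx leaves the whole URI
        # as the script name and the path info empty.
        return (action, m.group(1), m.group(2)) if m else (action, uri, "")
    return "try_files", None, None  # location / : file, directory, then /index.php


# Constructed sample request paths, not taken from any real log.
SAMPLES = [
    "/.git/config",
    "/.well-known/acme-challenge/token",
    "/vendor/autoload.php",
    "/modules/example/vendor/lib/test.php",
    "/update.php/selection",
    "/core/authorize.php/core/authorize.php",
    "/core/install.php",
    "/node/1",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:45} -> {route(uri)}")
```

The output shows two things worth knowing before deploying: the dot rule also returns 403 for /.well-known/ paths, and the vendor rule, being unanchored, covers vendor directories at any depth.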

NGINX recipe: https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/

Comments (1)

Nice Manual!

iSvetik