Merge with master

Pierre Paul Lefebvre · Pierre Paul Lefebvre · commit ac9d1b967e8e · 2014-10-02T10:32:09.000-04:00
diff --git a/README.md b/README.md
@@ -61,37 +61,54 @@ The following variables are available to configure the role:
   (cf. http://wiki.nginx.org/HttpFlvStreamModule), defaults to false.
 - **nginx_drupal_mp4_streaming**: Whether or not to use MP4 streaming, (cf.
   http://nginx.org/en/docs/http/ngx_http_mp4_module.html) defaults to false.
-- **nginx_drupal_http_pre_includes**: A list of file to include in the ```http```
-  context (in ```nginx.conf```), before any other directives.
-- **nginx_drupal_http_post_includes**: A list of file to include in the ```http```
-  context (in ```nginx.conf```), after any other directives except the enabled
+- **nginx_drupal_http_pre_includes**: A list of file to include in the
+  ```http```  context (in ```nginx.conf```), before any other directives.
+- **nginx_drupal_http_post_includes**: A list of file to include in the
+  ```http``` context (in ```nginx.conf```), after any other directives except
+  the enabled
   site configuration files.
-- **nginx_drupal_upstream_servers**: The list of PHP upstream servers, each item
-  is a server address (and parameters, see
+- **nginx_drupal_upstream_servers**: The list of PHP upstream servers, each
+  item is a server address (and parameters, see
   http://nginx.org/en/docs/http/ngx_http_upstream_module.html#server), defaults
   to ```["unix:/var/run/php-fpm.sock", "php-fpm-zwei.sock"]```.
 - **nginx_drupal_upstream_backup_servers**: The list of PHP upstream backup
   servers, defaults to ```["unix:/var/run/php-fpm-bkp.sock"]```.
+- **nginx_drupal_language_path_prefixes**: (optional) The list of enabled
+  language path prefixes used on the site.
+- **nginx_drupal_x_frame_options**: (optional) Value of the X-Frame-Options
+  response header, defaults to `DENY`. If the site uses frames, set to
+  `SAMEORIGIN`. `DENY` may conflicts with pseudo streaming (at least with Nginx
+  version 1.0.12)
 - **nginx_drupal_sites**: The list of available sites.
     Each site uses the following structure:
     - **file_name**: The name of the site configuration file.
     - **http**: HTTP server configuration (leave empty to disable HTTP)
         - **port**: The port to listen on
     - **https**: HTTPS server configuration  (leave empty to disable HTTPS)
-        - **port**: The port to listen on
-        - **certificate**: Path to the SSL certificate of the server (in the PEM
-          format).
+        - **port**: The port to listen on.
+        - **certificate**: Path to the SSL certificate of the server (in the
+          PEM format).
         - **certificate_key**: Path to the SSL secret key of the server (in the
           PEM format).
     - **server_name**: The (primary) server name.
     - **ipv6**: (optional) IPv6 address of the server
-    - **alternate_server_name**: (optional) Alternate server name, configured as
-      redirect to the primary server site. This can be used to remove the
+    - **alternate_server_name**: (optional) Alternate server name, configured
+      as redirect to the primary server site. This can be used to remove the
       ```www.``` prefix.
     - **root**: Path to the root directory for the site.
     - **limit_conn**: (optional) The limit_conn for the site (defaults to
       ```arbeit 32```).
     - **enabled**: Whether or not the site should be enabled (defaults to true).
+    - **rewrites**: (optional) A list of rewrites directives, using the
+      following structure:
+        - **regex**: The regular expression used to match the URI.
+        - **replacement**: The replacement pattern used for the rewrite.
+        - **flags**: (optional) The flag parameter for the rewrite.
+    - **includes**: (optional) A list of additional Nginx configuration files
+      to include for the site.
+    - **server_name_in_redirect**: (optional) Enables or disables the use of
+      the primary server name, specified by the server_name directive, in
+      redirects issued by nginx.
 
 
 Examples
@@ -125,8 +142,8 @@ HTTPS but disabled.
               certificate: /etc/nginx/ssl/bar.cert
               certificate_key: /etc/nginx/ssl/bar.key
 
-Nginx as a Reverse Proxy for a single Drupal 6 sites, without microcaching and
-with image hot linking protection.
+Nginx as a Reverse Proxy for a single Drupal 6 sites, without microcaching,
+with image hot linking protection and a rewrite directive.
 
 
     - hosts: all
@@ -144,6 +161,10 @@ with image hot linking protection.
             root: /var/www/foo
             http:
               port: 80
+            rewrites:
+             - regex: '^/foo-bar.htm$'
+               replacement: '/foo/bar'
+               flags: 'permanent'
 
 License
 -------
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -30,3 +30,5 @@ nginx_drupal_upstream_backup_servers: ["unix:/var/run/php-fpm-bkp.sock"]
 nginx_drupal_sites: none
 nginx_drupal_http_pre_includes: []
 nginx_drupal_http_post_includes: []
+nginx_drupal_language_path_prefixes: []
+nginx_drupal_x_frame_options: DENY
diff --git a/templates/apps/drupal/drupal.j2 b/templates/apps/drupal/drupal.j2
@@ -124,6 +124,18 @@ location / {
         }
     }
 
+    {% if nginx_drupal_language_path_prefixes %}
+    ## RSS feed support.
+    location ~* ^(?:\/(?:{{ nginx_drupal_language_path_prefixes|join('|') }}))?\/rss\.xml$ {
+        try_files $uri @drupal-no-args;
+    }
+
+    ## XML Sitemap support.
+    location ~* ^(?:\/(?:{{ nginx_drupal_language_path_prefixes|join('|') }}))?\/sitemap\.xml$ {
+        try_files $uri @drupal-no-args;
+    }
+    {% endif %}
+
     ## All static files will be served directly.
     location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
 
@@ -386,3 +398,7 @@ location ~* ^.+\.php$ {
     return 404;
 }
 
+## Add support for custom monitoring script.
+location = /monitor/index.php {
+  fastcgi_pass   phpcgi;
+}
diff --git a/templates/nginx.j2 b/templates/nginx.j2
@@ -162,16 +162,13 @@ http {
     ## https://www.owasp.org/index.php/List_of_useful_HTTP_headers.
     add_header X-XSS-Protection '1; mode=block';
 
+    {% if nginx_drupal_x_frame_options %}
     ## Enable clickjacking protection in modern browsers. Available in
     ## IE8 also. See
     ## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
     ## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
-    ## Uncomment the line below if you're not using media streaming.
-    ## For sites being framing on the same domqin uncomment the line below.
-    #add_header X-Frame-Options SAMEORIGIN;
-    ## For sites accepting to be framed in any context comment the
-    ## line below.
-    add_header X-Frame-Options DENY;
+    add_header X-Frame-Options {{ nginx_drupal_x_frame_options }};
+    {% endif %}
 
     ## Block MIME type sniffing on IE.
     add_header X-Content-Options nosniff;
@@ -213,10 +210,12 @@ http {
     ## Include the Nginx stub status allowed hosts configuration block.
     include nginx_status_allowed_hosts.conf;
 
+    {%- if not nginx_drupal_use_drush %}
     ## If you want to run cron using Drupal cron.php. i.e., you're not
     ## using drush then uncomment the line below. Specify in
     ## cron_allowed_hosts.conf which hosts can invole cron.
-    # include apps/drupal/cron_allowed_hosts.conf;
+    include apps/drupal/cron_allowed_hosts.conf;
+    {%- endif -%}
 
     ## Include blacklist for bad bot and referer blocking.
     include blacklist.conf;
diff --git a/templates/sites-available/drupal-site.j2 b/templates/sites-available/drupal-site.j2
@@ -25,7 +25,9 @@ server {
     {% endif %}
 
     server_name {{item.server_name}};
+    {% if item.limit_conn != 'None' %}
     limit_conn {{item.limit_conn|default('arbeit 32')}};
+    {% endif %}
 
     ## Access and error logs.
     access_log {{nginx_drupal_log_path}}/{{item.server_name}}_{{item.file_name}}_access.log;
@@ -60,6 +62,23 @@ server {
     proxy_http_version 1.1; # keep alive to the Apache upstream
     {% endif %}
 
+    server_name_in_redirect {{'on' if item.server_name_in_redirect|default(false) else 'off'}};
+
+    {% if item.rewrites is defined %}
+    ## URL rewriting
+    {% for rewrite in item.rewrites %}
+    rewrite {{rewrite.regex}} {{rewrite.replacement}} {{rewrite.flags|default('')}};
+    {% endfor %}
+    {%- endif %}
+
+    {% if item.includes is defined %}
+    ## Custom include(s)
+    {% for include in item.includes %}
+    include {{ include }};
+    {% endfor %}
+    {% endif %}
+
+
     {% if not nginx_drupal_use_boost -%}
     {% if not nginx_drupal_escape_uri -%}
     ################################################################
@@ -183,7 +202,9 @@ server {
 
     server_name {{item.server_name}};
 
+    {% if item.limit_conn != 'None' %}
     limit_conn {{item.limit_conn|default('arbeit 32')}};
+    {% endif %}
 
     ## Access and error logs.
     access_log {{nginx_drupal_log_path}}/{{item.server_name}}_access.log;
@@ -230,6 +251,22 @@ server {
         return 405;
     }
 
+    server_name_in_redirect {{'on' if item.server_name_in_redirect|default(false) else 'off'}};
+
+    {% if item.rewrites is defined %}
+    ## URL rewriting
+    {% for rewrite in item.rewrites %}
+    rewrite {{rewrite.regex}} {{rewrite.replacement}} {{rewrite.flags|default('')}};
+    {% endfor %}
+    {%- endif %}
+
+    {% if item.includes is defined %}
+    ## Custom include(s)
+    {% for include in item.includes %}
+    include {{ include }};
+    {% endfor %}
+    {% endif %}
+
     {% if not nginx_drupal_use_boost -%}
     {% if not nginx_drupal_escape_uri -%}
     ################################################################
