* Major refactoring of the config. Upstream fallbacks. Nginx status

  and more.

cron_allowed_hosts.conf

@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration file for specifying which hosts can invoke Drupal's
+### cron. This only applies if you're not using drush to run cron.
+
+geo $not_allowed_cron {
+    default 1;
+    ## Add your set of hosts.
+    127.0.0.1 0; # allow the localhost
+    192.168.1.0/24 0; # (V)LAN hosts allowed
+}

nginx.conf

@@ -98,10 +98,16 @@ http {
     ## Enable clickjacking protection in modern browsers. Available in
     ## IE8 also. See
     ## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
-    add_header X-Frame-Options sameorigin;
+    add_header X-Frame-Options SAMEORIGIN;
 
     ## Include the upstream servers for PHP FastCGI handling config.
-    include upstream_phpcgi.conf;
+    ## This one uses the FCGI process listening on TCP sockets.
+    include upstream_phpcgi_tcp.conf;
+
+    ## Include the upstream servers for PHP FastCGI handling
+    ## configuration. This setup uses UNIX sockets for talking with the
+    ## upstream.
+    #include upstream_phpcgi_unix.conf;
 
     ## Include the upstream servers for Apache handling the PHP
     ## processes. In this case Nginx functions as a reverse proxy.
@@ -112,6 +118,14 @@ http {
     ## Uncomment to enable if you're running php-fpm.
     #include php_fpm_status_allowed_hosts.conf;
 
+    ## Include the Nginx stub status allowed hosts configuration block.
+    include nginx_status_allowed_hosts.conf;
+
+    ## If you want to run cron using Drupal cron.php. i.e., you're not
+    ## using drush then uncomment the line below. Specify in
+    ## cron_allowed_hosts.conf which hosts can invole cron.
+    # include cron_allowed_hosts.conf;
+
     ## Include blacklist for bad bot and referer blocking.
     include blacklist.conf;
 

nginx_status_allowed_hosts.conf

@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode: flyspell-prog;  ispell-local-dictionary: "american" -*-
+
+### Configuration of nginx stub status page. Here we define the
+### allowed hosts using the Geo Module. http://wiki.nginx.org/HttpGeoModule
+
+geo $dont_show_nginx_status {
+    default 1;
+    127.0.0.1 0; # allow on the loopback
+    192.168.1.0/24 0; # allow on an internal network
+}

nginx_status_vhost.conf

@@ -0,0 +1,16 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
+### The configuration for Nginx status page. As described in
+### http://wiki.nginx.org/HttpStubStatusModule.
+
+### php-fpm provides a status and a heartbeat page that is served through the web server.
+### Here's an example configuration for them.
+
+## Get the nginx status.
+location /nginx_status {
+    if ($dont_show_nginx_status) {
+        return 404;
+    }
+    stub_status on;
+    access_log off;
+}

php_fpm_status_vhost.conf

@@ -6,25 +6,68 @@
 ### php-fpm provides a status and a heartbeat page that is served through the web server.
 ### Here's an example configuration for them.
 
-
 ## The status page is at /fpm-status. Only local access is
 ## allowed. Non authorized access returns a 404 through the error_page
 ## directive.
 location = /fpm-status {
     if ($dont_show_fpm_status) {
         return 404;
     }
+    fastcgi_pass phpcgi;
+}
 
+## The ping page is at /ping and returns the string configured at the php-fpm level.
+## Also only local network connections (loopback and LAN) are permitted.
+location = /ping {
+    if ($dont_show_fpm_status) {
+        return 404;
+    }
     fastcgi_pass phpcgi;
 }
 
+## This is for the second pool. It assumes that you've configured
+## php-fpm to have two pools and the URIs configured for the status
+## and ping pages are as specified below. Zwei is 2 in german.
+
+## The status page is at /fpm-status. Only local access is
+## allowed. Non authorized access returns a 404 through the error_page
+## directive.
+location = /fpm-status-zwei {
+    if ($dont_show_fpm_status) {
+        return 404;
+    }
+    fastcgi_pass phpcgi;
+}
 
 ## The ping page is at /ping and returns the string configured at the php-fpm level.
 ## Also only local network connections (loopback and LAN) are permitted.
-location = /ping {
+location = /ping-zwei {
+    if ($dont_show_fpm_status) {
+        return 404;
+    }
+    fastcgi_pass phpcgi;
+}
+
+## This is for the third pool that acts as backup. It assumes that
+## you've configured php-fpm to have two pools and the URIs configured
+## for the status and ping pages are as specified below. Drei is 3 in
+## german.
+
+## The status page is at /fpm-status. Only local access is
+## allowed. Non authorized access returns a 404 through the error_page
+## directive.
+location = /fpm-status-drei {
     if ($dont_show_fpm_status) {
         return 404;
     }
+    fastcgi_pass phpcgi;
+}
 
+## The ping page is at /ping and returns the string configured at the php-fpm level.
+## Also only local network connections (loopback and LAN) are permitted.
+location = /ping-drei {
+    if ($dont_show_fpm_status) {
+        return 404;
+    }
     fastcgi_pass phpcgi;
 }

sites-available/drupal.conf

@@ -136,6 +136,8 @@ location / {
 ## Restrict access to the strictly necessary PHP files. Reducing the
 ## scope for exploits. Handling of PHP code and the Drupal event loop.
 location = /index.php {
+    ## This enables a fallback for whenever the 'default' upstream fails.
+    error_page 502 504 @fallback;
     fastcgi_pass phpcgi;
     ## To use Apache for serving PHP uncomment the line bellow and
     ## comment out the above.

sites-available/drupal_boost.conf

@@ -172,6 +172,8 @@ location @no_cache {
 ## Restrict access to the strictly necessary PHP files. Reducing the
 ## scope for exploits. Handling of PHP code and the Drupal event loop.
 location = /index.php {
+    ## This enables a fallback for whenever the 'default' upstream fails.
+    error_page 502 504 @fallback;
     fastcgi_pass phpcgi;
     ## To use Apache for serving PHP uncomment the line bellow and
     ## comment out the above.

sites-available/drupal_cron_update.conf

@@ -9,17 +9,17 @@ location = /xmlrpc.php {
     #proxy_pass http://phpapache;
 }
 
-
 ## Restrict cron access to a specific host.
 location = /cron.php {
-    allow 127.0.0.1;
-    allow 192.168.1.0/24;
+    ## If not allowed to run cron then issue a 404 and redirect to the
+    ## site root.
+    if ($not_allowed_cron) {
+        return 404 /;
+    }
     fastcgi_pass phpcgi;
     ## To use Apache for serving PHP uncomment the line bellow and
     ## comment out the above.
     #proxy_pass http://phpapache;
-    error_page 403 =404;
-    deny all;
 }
 
 ## Run the update from the web interface with Drupal 7.
@@ -31,13 +31,10 @@ location = /authorize.php {
 }
 
 location = /update.php {
-    auth_basic "Restricted Access"; # auth realm                          
+    auth_basic "Restricted Access"; # auth realm
     auth_basic_user_file .htpasswd-users; # htpasswd file
     fastcgi_pass phpcgi;
     ## To use Apache for serving PHP uncomment the line bellow and
     ## comment out the above.
     #proxy_pass http://phpapache;
 }
-
-
-

sites-available/drupal_spaces.conf

@@ -141,6 +141,8 @@ location / {
 ## Restrict access to the strictly necessary PHP files. Reducing the
 ## scope for exploits. Handling of PHP code and the Drupal event loop.
 location = /index.php {
+    ## This enables a fallback for whenever the 'default' upstream fails.
+    error_page 502 504 @fallback;
     fastcgi_pass phpcgi;
     ## To use Apache for serving PHP uncomment the line bellow and
     ## comment out the above.

sites-available/drupal_spaces_boost.conf

@@ -171,6 +171,8 @@ location @cache {
 ## Restrict access to the strictly necessary PHP files. Reducing the
 ## scope for exploits. Handling of PHP code and the Drupal event loop.
 location = /index.php {
+    ## This enables a fallback for whenever the 'default' upstream fails.
+    error_page 502 504 @fallback;
     fastcgi_pass phpcgi;
     # To use Apache for serving PHP uncomment the line bellow and
     # comment out the above.

sites-available/example.com.conf

@@ -11,12 +11,11 @@ server {
 
 } # server domain return.
 
-
 ## HTTP server.
 server {
     listen [::]:80;
     server_name example.com;
-    limit_conn arbeit 16;
+    limit_conn arbeit 32;
 
     ## Access and error logs.
     access_log  /var/log/nginx/example.com_access.log;
@@ -36,6 +35,14 @@ server {
     root /var/www/sites/example.com;
     index index.php;
 
+    ## If you're using a Nginx version greater or equal to 1.1.4 then
+    ## you can use keep alive connections to the upstream be it
+    ## FastCGI or Apache. If that's not the case comment out the line below.
+    fastcgi_keep_conn on; # keep alive to the FCGI upstream
+
+    ## Uncomment if you're proxying to Apache for handling PHP.
+    #proxy_http_version 1.1; # keep alive to the Apache upstream
+
     ################################################################
     ### Generic configuration: for most Drupal 6 and Drupal 7 sites.
     ################################################################
@@ -83,7 +90,6 @@ server {
     #################################################################
     #include sites-available/drupal_cron_update.conf;
 
-
     ## For upload progress to work. From the README of the
     ## filefield_nginx_progress module.
     location ~ (.*)/x-progress-id:(\w*) {
@@ -98,6 +104,10 @@ server {
     ## Uncomment to enable if you're running php-fpm.
     #include php_fpm_status_vhost.conf;
 
+    ## Including the Nginx stub status page for having stats about
+    ## Nginx activity: http://wiki.nginx.org/HttpStubStatusModule.
+    include nginx_status_vhost.conf;
+
 } # HTTP server
 
 
@@ -114,11 +124,6 @@ server {
     ## Keep alive timeout set to a greater value for SSL/TLS.
     keepalive_timeout 75 75;
 
-    ## Disable all methods besides HEAD, GET and POST.
-    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
-        return 444;
-    }
-
     ## See the keepalive_timeout directive in nginx.conf.
     ## Server certificate and key.
     ssl_certificate /etc/ssl/certs/example-cert.pem;
@@ -132,6 +137,14 @@ server {
     root /var/www/sites/example.com;
     index index.php;
 
+    ## If you're using a Nginx version greater or equal to 1.1.4 then
+    ## you can use keep alive connections to the upstream be it
+    ## FastCGI or Apache. If that's not the case comment out the line below.
+    fastcgi_keep_conn on; # keep alive to the FCGI upstream
+
+    ## Uncomment if you're proxying to Apache for handling PHP.
+    #proxy_http_version 1.1; # keep alive to the Apache upstream
+
     ## See the blacklist.conf file at the parent dir: /etc/nginx.
     ## Deny access based on the User-Agent header.
     if ($bad_bot) {
@@ -199,8 +212,21 @@ server {
         report_uploads uploads;
     }
 
+    ## Fallback location for 502 and 504 errors from upstream.
+    location @fallback {
+        ## If you're proxying to FastCGI.
+        fastcgi_pass phpcgi_backup;
+        ## Uncomment the line below if you're proxying to Apache for
+        ## PHP handling.
+        #proxy_pass phpapache_backup;
+    }
+
     ## Including the php-fpm status and ping pages config.
     ## Uncomment to enable if you're running php-fpm.
     #include php_fpm_status.conf;
 
+    ## Including the Nginx stub status page for having stats about
+    ## Nginx activity: http://wiki.nginx.org/HttpStubStatusModule.
+    include nginx_status_vhost.conf;
+
 } # HTTPS server

upstream_phpapache.conf

@@ -2,7 +2,32 @@
 
 ### Upstream configuration for Apache functioning has a PHP handler.
 
-## Add as many servers as needed. Cf. http://wiki.nginx.org/HttpUpstreamModule.
+## Add as many servers as needed.
+## Cf. http://wiki.nginx.org/HttpUpstreamModule.
+## Note that this configuration assumes by default that keepalive
+## upstream connections are supported and that you have a Nginx
+## version with the fair load balancer.
+
 upstream phpapache {
+    ## If your version of Nginx doesn't have the fair load balancer:
+    ## https://github.com/gnosek/nginx-upstream-fair comment out the
+    ## following line.
+    fair;
     server 127.0.0.1:8080;
+    server 127.0.0.1:8081;
+    ## Create a backend connection cache. Note that this requires
+    ## Nginx version greater or equal to 1.1.4.
+    ## Cf. http://nginx.org/en/CHANGES. Comment out the following
+    ## line if that's not the case.
+    keepalive 5;
+}
+
+## Add a third pool as a fallback.
+upstream phpapache_backup {
+    server 127.0.0.1:8082;
+    ## Create a backend connection cache. Note that this requires
+    ## Nginx version greater or equal to 1.1.4.
+    ## Cf. http://nginx.org/en/CHANGES. Comment out the
+    ## following line if that's not the case.
+    keepalive 1;
 }

upstream_phpcgi_tcp.conf

@@ -0,0 +1,33 @@
+# -*- mode: nginx; mode: flyspell-prog;  ispell-local-dictionary: "american" -*-
+
+### Upstream configuration for PHP FastCGI.
+
+## Add as many servers as needed:
+## Cf. http://wiki.nginx.org/HttpUpstreamModule.
+## Note that this configuration assumes by default that keepalive
+## upstream connections are supported and that you have a Nginx
+## version with the fair load balancer.
+
+upstream phpcgi {
+    ## If your version of Nginx doesn't have the fair load balancer:
+    ## https://github.com/gnosek/nginx-upstream-fair comment out the
+    ## following line.
+    fair;
+    server 127.0.0.1:9001;
+    server 127.0.0.1:9002;
+    ## Create a backend connection cache. Note that this requires
+    ## Nginx version greater or equal to 1.1.4.
+    ## Cf. http://nginx.org/en/CHANGES. Comment out the following
+    ## line if that's not the case.
+    keepalive 5;
+}
+
+## Add a third pool as a fallback.
+upstream phpcgi_backup {
+    server 127.0.0.1:9003;
+    ## Create a backend connection cache. Note that this requires
+    ## Nginx version greater or equal to 1.1.4.
+    ## Cf. http://nginx.org/en/CHANGES. Comment out the
+    ## following line if that's not the case.
+    keepalive 1;
+}