From a82a1081881d9a67e459b9e66ae3170e6de2df8a Mon Sep 17 00:00:00 2001 From: Sean Hamlin Date: Sat, 13 Apr 2024 13:32:00 +1200 Subject: [PATCH 1/4] Remove index.php from the URLs using HTTP 301s. --- images/nginx-drupal/drupal.conf | 13 ++++++++----- images/nginx-drupal/drupal/favicon.conf | 3 +-- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/images/nginx-drupal/drupal.conf b/images/nginx-drupal/drupal.conf index 0a485faf4..8ace84f42 100644 --- a/images/nginx-drupal/drupal.conf +++ b/images/nginx-drupal/drupal.conf @@ -1,4 +1,5 @@ -### Nginx configuration for Drupal. +## Nginx configuration for Drupal +## @see https://www.drupal.org/project/drupal/issues/2937161 server { include /etc/nginx/conf.d/drupal/server_prepend*.conf; @@ -9,10 +10,6 @@ server { root /app/${WEBROOT:-}; index index.php; - ## rewriting /index.php to / because after https://www.drupal.org/node/2599326 - ## autocomplete URLs are forced to go to index.php - rewrite ^/index.php / last; - ## The 'default' location. location / { include /etc/nginx/conf.d/drupal/location_prepend*.conf; @@ -61,6 +58,12 @@ server { try_files /dev/null @drupal; } + ## Enforce clean URLs + ## Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page + location ~* (.*/)index\.php/(.*) { + return 301 $1$2$is_args$args; + } + ## Try to find a file with given URL, if not pass to Drupal try_files $uri @drupal; diff --git a/images/nginx-drupal/drupal/favicon.conf b/images/nginx-drupal/drupal/favicon.conf index bbe0d8427..5dbbdecd9 100644 --- a/images/nginx-drupal/drupal/favicon.conf +++ b/images/nginx-drupal/drupal/favicon.conf @@ -1,5 +1,4 @@ -## Support for favicon. Return an 1x1 transparent GIF if it doesn't -## exist. +## Support for favicon. Return an 1x1 transparent GIF if it doesn't exist. location = /favicon.ico { expires 30d; try_files /favicon.ico @empty; From bbe5dc58c563d54e7d4aed8d2ef2eb9e016e44bb Mon Sep 17 00:00:00 2001 
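Review bot: The new `location ~* (.*/)index\.php/(.*)` only fires when `index.php` is followed by a slash, so a bare `/index.php` (with or without a query string) — which the deleted `rewrite ^/index.php / last;` used to fold into `/` — is no longer normalised and falls through to the default handling as a duplicate of the front page. Widening the match to both forms, e.g. `location ~* ^(.*/)index\.php(?:/(.*))?$ { return 301 $1$2$is_args$args; }`, restores the old behaviour (nginx should expand the unmatched optional capture as an empty string — verify on the target nginx version). Since the redirect is a cacheable 301, it is also worth a comment above the block noting that any client legitimately posting to `index.php/...` (the autocomplete case the removed comment referred to) must be confirmed before this ships. The rest of `drupal.conf`, including whatever PHP handler location follows, is outside the hunk, so regex-location ordering relative to it cannot be checked here.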
From: Sean Hamlin Date: Sat, 13 Apr 2024 13:32:29 +1200 Subject: [PATCH 2/4] Block log files outside public files. --- images/nginx-drupal/drupal.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/images/nginx-drupal/drupal.conf b/images/nginx-drupal/drupal.conf index 8ace84f42..fb14ff34d 100644 --- a/images/nginx-drupal/drupal.conf +++ b/images/nginx-drupal/drupal.conf @@ -24,10 +24,11 @@ server { } ## Do not allow access to .txt and .md unless inside sites/*/files/ - location ~* ^(?!.+sites\/.+\/files\/).+\.(txt|md)$ { + location ~* ^(?!.+sites\/.+\/files\/).+\.(txt|md|log)$ { deny all; access_log off; log_not_found off; + return 404; } ## Replicate the Apache directive of Drupal standard From 3110018a2f7d81b370a35d5942c1860ecf33b24c Mon Sep 17 00:00:00 2001 From: Sean Hamlin Date: Sat, 13 Apr 2024 13:33:01 +1200 Subject: [PATCH 3/4] Allow static well-known files to be served from Nginx. --- images/nginx-drupal/drupal.conf | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/images/nginx-drupal/drupal.conf b/images/nginx-drupal/drupal.conf index fb14ff34d..e9aeb79f0 100644 --- a/images/nginx-drupal/drupal.conf +++ b/images/nginx-drupal/drupal.conf @@ -44,9 +44,16 @@ server { ## Expiring per default for four weeks and one second, Drupal will overwrite that if necessary expires ${NGINX_DEFAULT_EXPIRES:-2628001s}; - ## Disallow access to any dot files, but send the request to Drupal - location ~* /\. { - try_files /dev/null @drupal; + ## Allow "Well-Known URIs" as per RFC 5785 + location ~* ^/.well-known/ { + allow all; + } + + ## Block access to "hidden" files and directories whose names begin with a + ## period. This includes directories used by version control systems such + ## as Subversion or Git to store control files. + location ~ (^|/)\. { + return 403; } ### Directives for installing drupal. From 6d330bc3fbb12324acdee9b44003d76d4b5f34b1 Mon Sep 17 00:00:00 2001 
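Review bot: `return 404;` is executed in the rewrite phase, before the access phase, so the `deny all;` left directly above it in this location never runs; remove it, or keep it with a comment such as `## return short-circuits before the access phase; deny kept for readability only` so nobody later relies on it. Note also that the negative lookahead exempts `sites/*/files/` from the whole rule, so a `.log` written under public files (`sites/default/files/*.log`) stays readable; the subject suggests that is intended, but a one-line comment saying so, e.g. `## .log under sites/*/files/ is deliberately still served`, would stop a future reader assuming all logs are blocked.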
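Review bot: The new `location ~* ^/.well-known/` is declared after the `location ~* ^(?!.+sites\/.+\/files\/).+\.(txt|md|log)$` rule from the previous commit (around line 27 versus line 48 of drupal.conf), and nginx uses the first regex location that matches, so a request for `/.well-known/security.txt` (RFC 9116) is answered by the `.txt` rule before the `.well-known` allow is ever reached; move the `.well-known` location above that rule or add `.well-known` to its lookahead. The `.` in `^/.well-known/` is also unescaped and matches any character, so `^/\.well-known/` is what is intended. `allow all;` with no other directives leaves the static handler to serve whatever sits under `.well-known`, which is fine for ACME challenges; only the hunks of this file are visible, so check for any other earlier regex location that could capture these paths.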
From: Sean Hamlin Date: Sat, 13 Apr 2024 13:33:24 +1200 Subject: [PATCH 4/4] Return 404s and not 403s to prevent information disclosure. --- images/nginx-drupal/drupal.conf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/images/nginx-drupal/drupal.conf b/images/nginx-drupal/drupal.conf index e9aeb79f0..ecc3087e2 100644 --- a/images/nginx-drupal/drupal.conf +++ b/images/nginx-drupal/drupal.conf @@ -56,7 +56,7 @@ server { return 403; } - ### Directives for installing drupal. + ## Directives for installing drupal. location ~* ^(/install.php|/core/install.php) { try_files /dev/null @php; } @@ -111,6 +111,7 @@ server { deny all; access_log off; log_not_found off; + return 404; } ## Disallow access to backup directory. @@ -118,6 +119,7 @@ server { deny all; access_log off; log_not_found off; + return 404; } ## Disallow access to vagrant directory. @@ -125,6 +127,7 @@ server { deny all; access_log off; log_not_found off; + return 404; } ## Disallow access to vendor directory. @@ -132,6 +135,7 @@ server { deny all; access_log off; log_not_found off; + return 404; } ## Disallow access to vendor directory. @@ -139,6 +143,7 @@ server { deny all; access_log off; log_not_found off; + return 404; } ## Support for the robotstxt module
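Review bot: The hidden-files location shown as context in the first hunk still ends with `return 403;`, so after this commit a probe for `/.git/config` or `/.env` is answered with 403 while every other blocked path now gets 404 — exactly the status-code distinction the subject says it wants to remove; change that line to `return 404;` as well. In each of the five locations gaining `return 404;`, the existing `deny all;` becomes dead code because `return` runs in the rewrite phase before access checks, so either drop those `deny all;` lines or add a comment explaining they are intentionally redundant. `log_not_found off;` likewise no longer has any effect once the 404 comes from `return` rather than a missing file, though keeping it is harmless. The surrounding location blocks begin and end outside these hunks, so only the directives shown were checked.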