Port d7 commits to master

apps/drupal/microcache_fcgi.conf

@@ -23,29 +23,9 @@ fastcgi_ignore_headers Cache-Control Expires;
 ## Bypass the cache.
 fastcgi_cache_bypass $no_cache;
 fastcgi_no_cache $no_cache;
-## Add a cache miss/hit status header.
-add_header X-Micro-Cache $upstream_cache_status;
 ## To avoid any interaction with the cache control headers we expire
 ## everything on this location immediately.
 expires epoch;
-## Enable clickjacking protection in modern browsers. Available in
-## IE8 also. See
-## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
-## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
-## Uncomment the line below if you're not using media streaming.
-## For sites *not* using frames uncomment the line below.
-#add_header X-Frame-Options DENY;
-## For sites *using* frames uncomment the line below.
-#add_header X-Frame-Options SAMEORIGIN;
-
-## Block MIME type sniffing on IE.
-add_header X-Content-Options nosniff;
-
-## Strict Transport Security header for enhanced security. See
-## http://www.chromium.org/sts. I've set it to 2 hours; set it to
-## whichever age you want.
-## Uncomment the line below if you're using HTTPS.
-#add_header Strict-Transport-Security max-age=7200;
 
 ## If you're using a Nginx version greater than 1.1.11 then uncomment
 ## the line below. See:

apps/drupal/microcache_fcgi_auth.conf

@@ -3,7 +3,7 @@
 ## The cache zone referenced.
 fastcgi_cache microcache;
 ## The cache key.
-fastcgi_cache_key $cache_uid@$scheme$host$request_uri;
+fastcgi_cache_key $cache_uid@$scheme$request_method$host$request_uri;
 
 ## For 200 and 301 make the cache valid for 15s.
 fastcgi_cache_valid 200 301 15s;

nginx.conf

@@ -100,8 +100,8 @@ http {
     ## for crufty clients.
     ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+SHA384:ECDH+aRSA+SHA256:ECDH:EDH+CAMELLIA:EDH+aRSA:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA;
 
-    ## No SSL2 support. Legacy support of SSLv3.
-    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+    ## Enable TLS only. No SSL support.
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
     ## Pregenerated Diffie-Hellman parameters.
     ssl_dhparam /etc/nginx/dh_param.pem;
@@ -117,9 +117,6 @@ http {
     ## Fill in with your own resolver.
     resolver 8.8.8.8;
 
-    ## Use fast header compression for SPDY.
-    spdy_headers_comp 1;
-
     ## Uncomment to increase map_hash_bucket_size. If start getting
     ## [emerg]: could not build the map_hash, you should increase
     ## map_hash_bucket_size: 64 in your
@@ -148,9 +145,17 @@ http {
     ## line below.
     add_header X-Frame-Options DENY;
 
+    ## Enable this if using HTTPS. See sites-available/example.com.conf
+    ## for details.
+    #add_header Strict-Transport-Security "max-age=7200";
+
     ## Block MIME type sniffing on IE.
     add_header X-Content-Options nosniff;
 
+    ## Add a cache miss/hit status header. This can be disabled if not including
+    ## any of the apps/drupal/microcache* files.
+    add_header X-Micro-Cache $upstream_cache_status;
+
     ## Increase variables hash table
     ## See http://nginx.org/en/docs/hash.html
     variables_hash_max_size 1024;

php_fpm_status_vhost.conf

@@ -14,6 +14,7 @@ location = /fpm-status {
         return 404;
     }
     fastcgi_pass www0;
+    access_log off;
 }
 
 ## The ping page is at /ping and returns the string configured at the php-fpm level.
@@ -23,6 +24,7 @@ location = /ping {
         return 404;
     }
     fastcgi_pass www0;
+    access_log off;
 }
 
 ## This is for the second pool. It assumes that you've configured
@@ -37,6 +39,7 @@ location = /fpm-status-zwei {
         return 404;
     }
     fastcgi_pass www1;
+    access_log off;
 }
 
 ## The ping page is at /ping and returns the string configured at the php-fpm level.
@@ -46,6 +49,7 @@ location = /ping-zwei {
         return 404;
     }
     fastcgi_pass www1;
+    access_log off;
 }
 
 ## This is for the third pool that acts as backup. It assumes that
@@ -61,6 +65,7 @@ location = /fpm-status-drei {
         return 404;
     }
     fastcgi_pass www2;
+    access_log off;
 }
 
 ## The ping page is at /ping and returns the string configured at the php-fpm level.
@@ -70,4 +75,5 @@ location = /ping-drei {
         return 404;
     }
     fastcgi_pass www2;
+    access_log off;
 }

sites-available/example.com.conf

@@ -173,8 +173,11 @@ server {
 
     ## Strict Transport Security header for enhanced security. See
     ## http://www.chromium.org/sts. I've set it to 2 hours; set it to
-    ## whichever age you want.
-    add_header Strict-Transport-Security max-age=7200;
+    ## whichever age you want. However, we can't set this here because adding
+    ## a header will drop all other headers set earlier. See
+    ## http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
+    ## for details.  Instead, uncomment this in nginx.conf.
+    ## add_header Strict-Transport-Security "max-age=7200";
 
     root /var/www/sites/example.com;
     index index.php;