Merge branch 'master' into fix-tar-exclude-folder

bin/v-add-backup-host

@@ -38,8 +38,8 @@ EOF
 sftpc() {
     expect -f "-" <<EOF "$@"
         set count 0
-        spawn /usr/bin/sftp -o StrictHostKeyChecking=no -o \
-            Port=$port $user@$host
+        spawn "/usr/bin/sftp -o StrictHostKeyChecking=no -o \
+            Port=$port '$user@$host'"
         expect {
             "password:" {
                 send "$password\r"
@@ -94,12 +94,14 @@ EOF
 
 if [ "$type" != 'local' ];then
     check_args '4' "$#" "TYPE HOST USERNAME PASSWORD [PATH] [PORT]"
-    is_format_valid 'host'
+    is_format_valid 'user' 'host' 'path' 'port'
     is_password_valid
     if [ "$type" = 'sftp' ]; then
         which expect >/dev/null 2>&1
         check_result $? "expect command not found"  $E_NOTEXIST
     fi
+    host "$host" >/dev/null 2>&1
+    check_result $? "host connection failed" "$E_CONNECT"
 fi
 
 

bin/v-add-user-package

@@ -30,37 +30,37 @@ is_package_new() {
 is_package_consistent() {
     source $pkg_dir/$package.pkg
     if [ "$WEB_DOMAINS" != 'unlimited' ]; then
-        is_format_valid_int $WEB_DOMAINS 'WEB_DOMAINS'
+        is_int_format_valid $WEB_DOMAINS 'WEB_DOMAINS'
     fi
     if [ "$WEB_ALIASES" != 'unlimited' ]; then
-        is_format_valid_int $WEB_ALIASES 'WEB_ALIASES'
+        is_int_format_valid $WEB_ALIASES 'WEB_ALIASES'
     fi
     if [ "$DNS_DOMAINS" != 'unlimited' ]; then
-        is_format_valid_int $DNS_DOMAINS 'DNS_DOMAINS'
+        is_int_format_valid $DNS_DOMAINS 'DNS_DOMAINS'
     fi
     if [ "$DNS_RECORDS" != 'unlimited' ]; then
-        is_format_valid_int $DNS_RECORDS 'DNS_RECORDS'
+        is_int_format_valid $DNS_RECORDS 'DNS_RECORDS'
     fi
     if [ "$MAIL_DOMAINS" != 'unlimited' ]; then
-        is_format_valid_int $MAIL_DOMAINS 'MAIL_DOMAINS'
+        is_int_format_valid $MAIL_DOMAINS 'MAIL_DOMAINS'
     fi
     if [ "$MAIL_ACCOUNTS" != 'unlimited' ]; then
-        is_format_valid_int $MAIL_ACCOUNTS 'MAIL_ACCOUNTS'
+        is_int_format_valid $MAIL_ACCOUNTS 'MAIL_ACCOUNTS'
     fi
     if [ "$DATABASES" != 'unlimited' ]; then
-        is_format_valid_int $DATABASES 'DATABASES'
+        is_int_format_valid $DATABASES 'DATABASES'
     fi
     if [ "$CRON_JOBS" != 'unlimited' ]; then
-        is_format_valid_int $CRON_JOBS 'CRON_JOBS'
+        is_int_format_valid $CRON_JOBS 'CRON_JOBS'
     fi
     if [ "$DISK_QUOTA" != 'unlimited' ]; then
-        is_format_valid_int $DISK_QUOTA 'DISK_QUOTA'
+        is_int_format_valid $DISK_QUOTA 'DISK_QUOTA'
     fi
     if [ "$BANDWIDTH" != 'unlimited' ]; then
-        is_format_valid_int $BANDWIDTH 'BANDWIDTH'
+        is_int_format_valid $BANDWIDTH 'BANDWIDTH'
     fi
     if [ "$BACKUPS" != 'unlimited' ]; then
-        is_format_valid_int $BACKUPS 'BACKUPS'
+        is_int_format_valid $BACKUPS 'BACKUPS'
     fi
     is_format_valid_shell $SHELL
 }

bin/v-add-web-domain

@@ -113,9 +113,12 @@ if [ "$aliases" = 'none' ]; then
     ALIAS=''
 else
     ALIAS="www.$domain"
-    if [ ! -z "$aliases" ]; then
-        ALIAS="$ALIAS,$aliases"
+    if [ -z "$aliases" ]; then
+        ALIAS="www.$domain"
+    else
+        ALIAS="$aliases"
     fi
+    
     ip_alias=$(get_ip_alias $domain)
     if [ ! -z "$ip_alias" ]; then
         ALIAS="$ALIAS,$ip_alias"

bin/v-backup-user

@@ -216,6 +216,9 @@ if [ ! -z "$WEB_SYSTEM" ] && [ "$WEB" != '*' ]; then
             cp $USER_DATA/ssl/$domain.* vesta/
         fi
 
+        # Changin dir to documentroot
+        cd $HOMEDIR/$user/web/$domain
+
         # Define exclude arguments
         exlusion=$(echo -e "$WEB" |tr ',' '\n' |grep "^$domain:")
         set -f
@@ -224,15 +227,20 @@ if [ ! -z "$WEB_SYSTEM" ] && [ "$WEB" != '*' ]; then
         if [ ! -z "$exlusion" ]; then
             xdirs="$(echo -e "$exlusion" |tr ':' '\n' |grep -v $domain)"
             for xpath in $xdirs; do
-                fargs+=(--exclude=$xpath/*)
-                echo "$(date "+%F %T") excluding directory $xpath"
-                msg="$msg\n$(date "+%F %T") excluding directory $xpath"
+                if [ -d "$xpath" ]; then
+                    fargs+=(--exclude=$xpath/*)
+                    echo "$(date "+%F %T") excluding directory $xpath"
+                    msg="$msg\n$(date "+%F %T") excluding directory $xpath"
+                else
+                    echo "$(date "+%F %T") excluding file $xpath"
+                    msg="$msg\n$(date "+%F %T") excluding file $xpath"
+                    fargs+=(--exclude=$xpath)
+                fi
             done
         fi
         set +f
 
         # Backup files
-        cd $HOMEDIR/$user/web/$domain
         tar -cpf- ${fargs[@]} * |gzip -$BACKUP_GZIP - > $tmpdir/web/$domain/domain_data.tar.gz
     done
 
@@ -392,14 +400,17 @@ if [ ! -z "$DB_SYSTEM" ] && [ "$DB" != '*' ]; then
         grep "DB='$database'" $conf > vesta/db.conf
 
         dump="$tmpdir/db/$database/$database.$TYPE.sql"
+        dumpgz="$tmpdir/db/$database/$database.$TYPE.sql.gz"
         grants="$tmpdir/db/$database/conf/$database.$TYPE.$DBUSER"
-        case $TYPE in
-            mysql) dump_mysql_database ;;
-            pgsql) dump_pgsql_database ;;
-        esac
-
-        # Compress dump
-        gzip -$BACKUP_GZIP $dump
+        if [ ! -f "$dumpgz" ]; then
+            case $TYPE in
+                mysql) dump_mysql_database ;;
+                pgsql) dump_pgsql_database ;;
+            esac
+
+            # Compress dump
+            gzip -$BACKUP_GZIP $dump
+        fi
     done
 
     # Print total

bin/v-backup-users

@@ -28,6 +28,9 @@ if [ -z "$BACKUP_SYSTEM" ]; then
     exit
 fi
 for user in $(grep '@' /etc/passwd |cut -f1 -d:); do
+    if [ ! -f "$VESTA/data/users/$user/user.conf" ]; then
+        continue;
+    fi
     check_suspend=$(grep "SUSPENDED='no'" $VESTA/data/users/$user/user.conf)
     log=$VESTA/log/backup.log
     if [ ! -z "$check_suspend" ]; then

bin/v-list-users

@@ -15,9 +15,14 @@ format=${1-shell}
 # JSON list function
 json_list() {
     echo '{'
-    object_count=$(grep '@' /etc/passwd |wc -l)
     i=1
     while read USER; do
+        if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
+            continue;
+        fi
+        if [ $i -gt 1 ]; then
+            echo ","
+        fi
         source $VESTA/data/users/$USER/user.conf
         echo -n '    "'$USER'": {
         "FNAME": "'$FNAME'",
@@ -74,14 +79,8 @@ json_list() {
         "TIME": "'$TIME'",
         "DATE": "'$DATE'"
         }'
-        if [ "$i" -lt "$object_count" ]; then
-            echo ','
-        else
-            echo
-        fi
         ((i++))
     done < <(grep '@' /etc/passwd |cut -f1 -d:)
-
     echo '}'
 }
 
@@ -90,6 +89,9 @@ shell_list() {
     echo "USER   PKG   WEB   DNS   MAIL   DB   DISK   BW   SPND   DATE"
     echo "----   ---   ---   ---   ---    --   ----   --   ----   ----"
     while read USER; do
+        if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
+            continue;
+        fi
         source $VESTA/data/users/$USER/user.conf
         echo -n "$USER $PACKAGE $U_WEB_DOMAINS $U_DNS_DOMAINS $U_MAIL_DOMAINS"
         echo " $U_DATABASES $U_DISK $U_BANDWIDTH $SUSPENDED $DATE"
@@ -99,6 +101,9 @@ shell_list() {
 # PLAIN list function
 plain_list() {
     while read USER; do
+        if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
+            continue;
+        fi
         source $VESTA/data/users/$USER/user.conf
         echo -ne "$USER\t$FNAME\t$LNAME\t$PACKAGE\t$WEB_TEMPLATE\t"
         echo -ne "$BACKEND_TEMPLATE\t$PROXY_TEMPLATE\t$DNS_TEMPLATE\t"
@@ -131,6 +136,9 @@ csv_list() {
     echo -n "U_MAIL_DOMAINS,U_MAIL_DKIM,U_MAIL_ACCOUNTS,U_DATABASES"
     echo "U_CRON_JOBS,U_BACKUPS,LANGUAGE,TIME,DATE"
     while read USER; do
+        if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
+            continue;
+        fi
         source $VESTA/data/users/$USER/user.conf
         echo -n "$USER,\"$FNAME\",\"$LNAME\",$PACKAGE,$WEB_TEMPLATE,"
         echo -n "$BACKEND_TEMPLATE,$PROXY_TEMPLATE,$DNS_TEMPLATE,"
@@ -151,6 +159,9 @@ csv_list() {
 # Raw list function
 raw_list() {
     while read USER; do
+        if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
+            continue;
+        fi
         echo $VESTA/data/users/$USER/user.conf
         cat $VESTA/data/users/$USER/user.conf
     done < <(grep '@' /etc/passwd |cut -f1 -d:)

bin/v-list-web-domain-ssl

@@ -19,6 +19,7 @@ source $VESTA/func/main.sh
 
 # JSON list function
 json_list() {
+    issuer=$(echo "$issuer" |sed -e 's/"/\\"/g' -e "s/%quote%/'/g")
     echo '{'
     echo -e "\t\"$domain\": {"
     echo "        \"CRT\": \"$crt\","

bin/v-open-fs-config

@@ -35,6 +35,11 @@ if [ ! -z "$src_file" ]; then
         echo "Error: invalid source path $src_file"
         exit 2
     fi
+    spath=$(echo "$rpath" |egrep "/etc|/var/lib")
+    if [ -z "$spath" ]; then
+        echo "Error: invalid source path $src_file"
+        exit 2
+    fi
 fi
 
 # Reading conf

bin/v-update-letsencrypt-ssl

@@ -31,7 +31,11 @@ for user in $users; do
     # Checking user certificates
     lecounter=0
     for domain in $(search_objects 'web' 'LETSENCRYPT' 'yes' 'DOMAIN'); do
-
+        # Working on Web domain check - if is suspended
+        webSuspended=$(grep "DOMAIN='$domain'" $USER_DATA/web.conf |grep "SUSPENDED='no")
+        if [ ! -z "$webSuspended" ]; then
+                continue;
+        fi;
         crt="$VESTA/data/users/$user/ssl/$domain.crt"
         crt_data=$(openssl x509 -text -in "$crt")
         expire=$(echo "$crt_data" |grep "Not After")

bin/v-update-user-stats

@@ -67,6 +67,9 @@ TOTAL_USERS=0
 
 # Updating user stats
 for user in $user_list; do
+    if [ ! -f "$VESTA/data/users/$user/user.conf" ]; then
+        continue;
+    fi
     USER_DATA=$VESTA/data/users/$user
     source $USER_DATA/user.conf
     next_month=$(date +'%m/01/%y' -d '+ 1 month')

func/main.sh

@@ -805,7 +805,16 @@ is_password_format_valid() {
         check_result $E_INVALID "invalid password format :: $1"
     fi
 }
-
+# Missing function - 
+# Before: validate_format_shell 
+# After: is_format_valid_shell
+is_format_valid_shell() {	
+    if [ -z "$(grep -w $1 /etc/shells)" ]; then	
+        echo "Error: shell $1 is not valid"	
+        log_event "$E_INVALID" "$EVENT"	
+        exit $E_INVALID	
+    fi	
+}
 # Format validation controller
 is_format_valid() {
     for arg_name in $*; do
@@ -872,7 +881,9 @@ is_format_valid() {
                 restart)        is_boolean_format_valid "$arg" 'restart' ;;
                 rtype)          is_dns_type_format_valid "$arg" ;;
                 rule)           is_int_format_valid "$arg" "rule id" ;;
-                soa)            is_domain_format_valid "$arg" 'SOA' ;;
+                soa)            is_domain_format_valid "$arg" 'SOA' ;;	
+                #missing command: is_format_valid_shell
+                shell)          is_format_valid_shell "$arg" ;;
                 stats_pass)     is_password_format_valid "$arg" ;;
                 stats_user)     is_user_format_valid "$arg" "$arg_name" ;;
                 template)       is_object_format_valid "$arg" "$arg_name" ;;
@@ -922,7 +933,7 @@ format_aliases() {
         aliases=$(echo "$aliases" |tr -s '.')
         aliases=$(echo "$aliases" |sed -e "s/[.]*$//g")
         aliases=$(echo "$aliases" |sed -e "s/^[.]*//")
-        aliases=$(echo "$aliases" |grep -v www.$domain |sed -e "/^$/d")
+        aliases=$(echo "$aliases" |sed -e "/^$/d")
         aliases=$(echo "$aliases" |tr '\n' ',' |sed -e "s/,$//")
     fi
 }

install/debian/7/nginx/nginx.conf

@@ -50,6 +50,7 @@ http {
 
     # Compression
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_buffers        8 64k;

install/debian/7/sudo/admin

@@ -4,5 +4,5 @@ Defaults:admin !syslog
 Defaults:admin !requiretty
 Defaults:root !requiretty
 
-admin   ALL=(ALL)       ALL
+# sudo is limited to vesta scripts
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*

install/debian/7/templates/web/nginx/php5-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/7/templates/web/nginx/php5-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/debian/7/templates/web/nginx/php5-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/7/templates/web/nginx/php5-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/7/templates/web/nginx/php5-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/7/templates/web/nginx/php5-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/8/nginx/nginx.conf

@@ -51,6 +51,7 @@ http {
 
     # Compression
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_buffers        8 64k;

install/debian/8/sudo/admin

@@ -4,5 +4,5 @@ Defaults:admin !syslog
 Defaults:admin !requiretty
 Defaults:root !requiretty
 
-admin   ALL=(ALL)       ALL
+# sudo is limited to vesta scripts
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*

install/debian/8/templates/web/nginx/php5-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/8/templates/web/nginx/php5-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/debian/8/templates/web/nginx/php5-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/8/templates/web/nginx/php5-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/8/templates/web/nginx/php5-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/8/templates/web/nginx/php5-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/9/nginx/nginx.conf

@@ -51,6 +51,7 @@ http {
 
     # Compression
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_buffers        8 64k;

install/debian/9/sudo/admin

@@ -4,5 +4,5 @@ Defaults:admin !syslog
 Defaults:admin !requiretty
 Defaults:root !requiretty
 
-admin   ALL=(ALL)       ALL
+# sudo is limited to vesta scripts
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*

install/debian/9/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/9/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/debian/9/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/9/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/9/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/9/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/5/nginx/nginx.conf

@@ -50,6 +50,7 @@ http {
 
     # Compression
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_buffers        8 64k;

install/rhel/5/sudo/admin

@@ -4,5 +4,5 @@ Defaults:admin !syslog
 Defaults:admin !requiretty
 Defaults:root !requiretty
 
-admin   ALL=(ALL)       ALL
+# sudo is limited to vesta scripts
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*

install/rhel/5/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/5/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/rhel/5/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/5/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/5/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/5/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/6/nginx/nginx.conf

@@ -50,6 +50,7 @@ http {
 
     # Compression
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_buffers        8 64k;

install/rhel/6/sudo/admin

@@ -4,5 +4,5 @@ Defaults:admin !syslog
 Defaults:admin !requiretty
 Defaults:root !requiretty
 
-admin   ALL=(ALL)       ALL
+# sudo is limited to vesta scripts
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*

install/rhel/6/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/6/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/rhel/6/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/6/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/6/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/6/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/7/nginx/nginx.conf

@@ -50,6 +50,7 @@ http {
 
     # Compression
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_buffers        8 64k;

install/rhel/7/sudo/admin

@@ -4,5 +4,5 @@ Defaults:admin !syslog
 Defaults:admin !requiretty
 Defaults:root !requiretty
 
-admin   ALL=(ALL)       ALL
+# sudo is limited to vesta scripts
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*

install/rhel/7/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/7/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/rhel/7/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/7/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/7/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/7/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.04/nginx/nginx.conf

@@ -50,6 +50,7 @@ http {
 
     # Compression
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_buffers        8 64k;

install/ubuntu/12.04/sudo/admin

@@ -4,5 +4,5 @@ Defaults:admin !syslog
 Defaults:admin !requiretty
 Defaults:root !requiretty
 
-admin   ALL=(ALL)       ALL
+# sudo is limited to vesta scripts
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*

install/ubuntu/12.04/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.04/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/12.04/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.04/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.04/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.04/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.10/nginx/nginx.conf

@@ -50,6 +50,7 @@ http {
 
     # Compression
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_buffers        8 64k;

install/ubuntu/12.10/sudo/admin

@@ -4,5 +4,5 @@ Defaults:admin !syslog
 Defaults:admin !requiretty
 Defaults:root !requiretty
 
-admin   ALL=(ALL)       ALL
+# sudo is limited to vesta scripts
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*

install/ubuntu/12.10/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.10/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/12.10/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.10/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.10/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.10/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.04/nginx/nginx.conf

@@ -50,6 +50,7 @@ http {
 
     # Compression
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_buffers        8 64k;

install/ubuntu/13.04/sudo/admin

@@ -4,5 +4,5 @@ Defaults:admin !syslog
 Defaults:admin !requiretty
 Defaults:root !requiretty
 
-admin   ALL=(ALL)       ALL
+# sudo is limited to vesta scripts
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*

install/ubuntu/13.04/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.04/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/13.04/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.04/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.04/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.04/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.10/nginx/nginx.conf

@@ -50,6 +50,7 @@ http {
 
     # Compression
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_buffers        8 64k;

install/ubuntu/13.10/sudo/admin

@@ -4,5 +4,5 @@ Defaults:admin !syslog
 Defaults:admin !requiretty
 Defaults:root !requiretty
 
-admin   ALL=(ALL)       ALL
+# sudo is limited to vesta scripts
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*

install/ubuntu/13.10/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.10/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/13.10/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.10/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.10/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.10/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.04/nginx/nginx.conf

@@ -50,6 +50,7 @@ http {
 
     # Compression
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_buffers        8 64k;

install/ubuntu/14.04/sudo/admin

@@ -4,5 +4,5 @@ Defaults:admin !syslog
 Defaults:admin !requiretty
 Defaults:root !requiretty
 
-admin   ALL=(ALL)       ALL
+# sudo is limited to vesta scripts
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*

install/ubuntu/14.04/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.04/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/14.04/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.04/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.04/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.04/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.10/nginx/nginx.conf

@@ -50,6 +50,7 @@ http {
 
     # Compression
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_buffers        8 64k;