* Moved php-fpm status to a geo block setup.

Author: António P. P. Almeida

README.md

@@ -518,6 +518,10 @@ This is strictly a **drupal 6** issue.
    of IP addresses. In the suggested configuration only from
    localhost and non-routable IPs of the 192.168.1.0 network.
 
+   The allowed hosts are defined in a geo block in file
+   `php_fpm_status_allowed_hosts.conf`. You should edit the predefined
+   IP addresses to suit your setup. 
+ 
    To enable the status and ping pages uncomment the line in the
    `example.com.conf` virtual host configuration file.
 

nginx.conf

@@ -42,14 +42,14 @@ http {
     limit_zone arbeit $binary_remote_addr 1m;
 
     ## Timeouts.
-    client_body_timeout             60;   
+    client_body_timeout             60;
     client_header_timeout           60;
     keepalive_timeout            10 10;
     send_timeout                    60;
 
     ## Reset lingering timed out connections. Deflect DDoS.
     reset_timedout_connection on;
-    
+
     ## Body size.
     client_max_body_size 10m;
 
@@ -84,7 +84,7 @@ http {
     ## http://nginx.org/pipermail/nginx/2010-November/023736.html.
     ssl_session_cache shared:SSL:10m;
     ssl_session_timeout 10m;
-    
+
     ## For the filefield_nginx_progress module to work. From the
     ## README. Reserve 1MB under the name 'uploads' to track uploads.
     upload_progress uploads 1m;
@@ -102,9 +102,13 @@ http {
     #include reverse_proxy.conf;
     #include upstream_phpapache.conf;
 
+    ## Include the php-fpm status allowed hosts configuration block.
+    ## Uncomment to enable if you're running php-fpm.
+    #include php_fpm_status_allowed_hosts.conf;
+
     ## Include blacklist for bad bot and referer blocking.
     include blacklist.conf;
-    
-    ## Include all vhosts. 
+
+    ## Include all vhosts.
     include /etc/nginx/sites-enabled/*;
 }

php_fpm_status_allowed_hosts.conf

@@ -0,0 +1,9 @@
+# -*- mode: nginx; mode: flyspell-prog;  ispell-local-dictionary: "american" -*-
+### Configuration of php-fpm status and ping pages. Here we define the
+### allowed hosts using the Geo Module. http://wiki.nginx.org/HttpGeoModule
+
+geo $dont_show_fpm_status {
+    default 1;
+    127.0.0.1 0; # allow on the loopback
+    192.168.1.0/24 0; # allow on an internal network
+}

php_fpm_status.conf renamed to php_fpm_status_vhost.conf

@@ -1,6 +1,7 @@
 # -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
 ### The configuration for the status pages of php-fpm. As described in
-### http://www.php.net/manual/en/install.fpm.configuration.php. 
+### http://www.php.net/manual/en/install.fpm.configuration.php.
 
 ### php-fpm provides a status and a heartbeat page that is served through the web server.
 ### Here's an example configuration for them.
@@ -10,20 +11,20 @@
 ## allowed. Non authorized access returns a 404 through the error_page
 ## directive.
 location = /fpm-status {
+    if ($dont_show_fpm_status) {
+        return 404;
+    }
+
     fastcgi_pass phpcgi;
-    allow 127.0.0.1;
-    allow 192.168.1.0/24;
-    error_page 403 =404;
-    deny all;
 }
 
 
 ## The ping page is at /ping and returns the string configured at the php-fpm level.
 ## Also only local network connections (loopback and LAN) are permitted.
 location = /ping {
+    if ($dont_show_fpm_status) {
+        return 404;
+    }
+
     fastcgi_pass phpcgi;
-    allow 127.0.0.1;
-    allow 192.168.1.0/24;
-    error_page 403 =404;
-    deny all;
 }

sites-available/example.com.conf

@@ -7,6 +7,7 @@ server {
     ## rewriting. See http://wiki.nginx.org/Pitfalls#Server_Name.
     server_name www.example.com;
     rewrite ^ $scheme://example.com$request_uri? permanent;
+
 } # server domain rewrite.
 
 
@@ -29,7 +30,7 @@ server {
     if ($bad_referer) {
         return 444;
     }
-    
+
     ## Filesystem root of the site and index.
     root /var/www/sites/example.com;
     index index.php;
@@ -80,8 +81,8 @@ server {
     ### the configuration below.
     #################################################################
     #include sites-available/drupal_cron_update.conf;
- 
-    
+
+
     ## For upload progress to work. From the README of the
     ## filefield_nginx_progress module.
     location ~ (.*)/x-progress-id:(\w*) {
@@ -94,7 +95,7 @@ server {
 
     ## Including the php-fpm status and ping pages config.
     ## Uncomment to enable if you're running php-fpm.
-    #include php_fpm_status.conf;
+    #include php_fpm_status_vhost.conf;
 
 } # HTTP server
 
@@ -111,7 +112,7 @@ server {
 
     ## Keep alive timeout set to a greater value for SSL/TLS.
     keepalive_timeout 75 75;
-    
+
     ## Disable all methods besides HEAD, GET and POST.
     if ($request_method !~ ^(GET|HEAD|POST)$ ) {
         return 444;
@@ -121,7 +122,7 @@ server {
     ## Server certificate and key.
     ssl_certificate /etc/ssl/certs/example-cert.pem;
     ssl_certificate_key /etc/ssl/private/example.key;
-    
+
     ## Strict Transport Security header for enhanced security. See
     ## http://www.chromium.org/sts. I've set it to 2 hours; set it to
     ## whichever age you want.
@@ -186,7 +187,7 @@ server {
     ### the configuration below.
     #################################################################
     #include sites-available/drupal_cron_update.conf;
-        
+
     ## For upload progress to work. From the README of the
     ## filefield_nginx_progress module.
     location ~ (.*)/x-progress-id:(\w*) {