zafranf · April 14, 2018 14:51 · Oct 27, 2016 · Oct 27, 2016 · Oct 13, 2016 · Oct 13, 2016
diff --git a/08-drupal8.nginxconf b/08-drupal8.nginxconf
@@ -84,6 +84,11 @@ location @cleanurl {
     rewrite ^/(.*)$ /index.php?q=$1 last;
 }
 
+error_page 404 = @drupal
+location @drupal {
+    rewrite ^/(.*)$ /index.php?q=$uri&$args
+}
+
 location ~* \.php$ {
     # filter out problem conditions
     try_files $uri $uri/ =404;

diff --git a/01-README.md b/01-README.md
@@ -91,5 +91,6 @@ Then you'll want to flush your local DNS cache to ensure `dnsmasq` takes over:
 ```bash
 sudo launchctl unload /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
 sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
+sudo killall -9 mDNSResponder && sudo killall -9 dnsmasq
 dscacheutil -flushcache
 ```
diff --git a/02-nginx.nginxconf b/02-nginx.nginxconf
@@ -36,37 +36,56 @@ http {
     # compression
     gzip on;
     gzip_buffers 16 8k;
-    gzip_comp_level 2;
-    gzip_disable "MSIE [1-6].(?!.*SV1)";
+    gzip_comp_level 6;
+    gzip_disable "msie6";
     gzip_http_version 1.0;
-    gzip_min_length 10240;
+    gzip_min_length 1100;
     gzip_proxied any;
     gzip_static on;
-    gzip_types text/plain text/css application/x-javascript text/comma-separated-values
-        text/xml application/xml application/xml+rss application/atom+xml text/javascript;
+    gzip_types
+        text/plain
+        text/css
+        text/js
+        text/xml
+        text/javascript
+        text/comma-separated-values
+        application/javascript
+        application/x-javascript
+        application/json
+        application/xml
+        application/xml+rss
+        application/atom+xml
+        image/svg+xml;
     gzip_vary on;
 
+
     # general options
-    client_body_buffer_size 512k;
-    client_body_timeout 15;
-    client_header_timeout 15;
-    client_max_body_size 64m;
+    directio off;
+    disable_symlinks off;
     ignore_invalid_headers on;
-    keepalive_timeout 2 2;
-    keepalive_requests 200;
     merge_slashes on;
     recursive_error_pages on;
-    reset_timedout_connection on;
-    sendfile on;
-    send_timeout 15;
-    server_names_hash_bucket_size 128;
+    sendfile off;
     server_name_in_redirect off;
     server_tokens off;
-    tcp_nodelay off;
+    tcp_nodelay on;
     tcp_nopush on;
-    types_hash_max_size 2048;
     underscores_in_headers on;
 
+    # timeouts
+    keepalive_timeout 2 2;
+    keepalive_requests 200;
+    send_timeout 30;
+    client_body_timeout 15;
+    client_header_timeout 15;
+    reset_timedout_connection on;
+
+    # sizes
+    client_body_buffer_size 512k;
+    client_max_body_size 64m;
+    server_names_hash_bucket_size 128;
+    types_hash_max_size 2048;
+
     # detect https
     map $scheme $fastcgi_https {
         default "";
@@ -76,7 +95,6 @@ http {
     # PHP-FPM
     upstream phpfpm {
         server unix:/usr/local/var/run/php-fpm.sock;
-        #server 127.0.0.1:9000;
     }
 
     # include active sites

diff --git a/03-fastcgi_params.nginxconf b/03-fastcgi_params.nginxconf
@@ -2,7 +2,6 @@
 # FILE: /usr/local/etc/nginx/fastcgi_params
 
 
-fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
 fastcgi_param  QUERY_STRING       $query_string;
 fastcgi_param  REQUEST_METHOD     $request_method;
 fastcgi_param  CONTENT_TYPE       $content_type;
@@ -13,6 +12,7 @@ fastcgi_param  REQUEST_URI        $request_uri;
 fastcgi_param  DOCUMENT_URI       $document_uri;
 fastcgi_param  DOCUMENT_ROOT      $document_root;
 fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
 fastcgi_param  HTTPS              $https if_not_empty;
 
 fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;

diff --git a/04-assets.nginxconf b/04-assets.nginxconf
@@ -2,19 +2,6 @@
 # FILE: /usr/local/etc/nginx/conf.d/assets.conf
 
 
-# Directives to send expires headers and turn off 404 error logging for Static assets
-location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpe?g|gif|png|ico|zip|pdf|t?gz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|swf|bmp|txt|rtf|md)$ {
-    access_log off;
-    log_not_found off;
-    expires max;
-
-    # CORS headers; this is wide-open, you want to tight it up a bit
-    add_header Cache-Control public;
-    add_header Access-Control-Allow-Origin *;
-    add_header Access-Control-Allow-Methods GET,OPTIONS;
-    add_header Access-Control-Allow-Headers *;
-}
-
 location = /robots.txt {
     access_log off;
     log_not_found off;

diff --git a/06-fastcgi.nginxconf b/06-fastcgi.nginxconf
@@ -3,33 +3,32 @@
 
 
 # Tell upstream who is making the request
-proxy_set_header                  Host $host;
-proxy_set_header                  X-Real-IP $remote_addr;
-proxy_set_header                  X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_redirect                    off;
+proxy_set_header                    Host $host;
+proxy_set_header                    X-Real-IP $remote_addr;
+proxy_set_header                    X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_redirect                      off;
 
 # Allow to complete long running requests
-proxy_read_timeout                600s;
-
-# Ensure PHP knows when to use HTTPS
-fastcgi_param  HTTPS              $fastcgi_https;
+proxy_read_timeout                  600s;
 
 # Do not cache dynamic content
-expires                           off;
+expires                             off;
 
 # PHP Settings
-include                           fastcgi_params;
-fastcgi_connect_timeout           15s;
-fastcgi_send_timeout              120s;
-fastcgi_read_timeout              120s;
-
-fastcgi_buffer_size               128k;
-fastcgi_buffers                   512 16k;
-fastcgi_busy_buffers_size         256k;
-fastcgi_temp_file_write_size      256k;
-
-fastcgi_intercept_errors          off;
-fastcgi_ignore_client_abort       off;
-
-fastcgi_split_path_info           ^(.+\.php)(/.+)$;
-fastcgi_index                     index.php;
+include                             /usr/local/etc/nginx/fastcgi_params;
+fastcgi_connect_timeout             15s;
+fastcgi_send_timeout                120s;
+fastcgi_read_timeout                120s;
+
+fastcgi_buffer_size                 128k;
+fastcgi_buffers                     16 16k;
+fastcgi_busy_buffers_size           256k;
+fastcgi_temp_file_write_size        256k;
+fastcgi_max_temp_file_size          0;
+
+fastcgi_intercept_errors            on;
+fastcgi_ignore_client_abort         on;
+
+fastcgi_split_path_info             ^(.+?\.php)(/.+)$;
+fastcgi_index                       index.php;
+fastcgi_pass_header                 *;
diff --git a/07-drupal.nginxconf b/07-drupal.nginxconf
@@ -18,6 +18,19 @@ location ~* ^/sites/.*/(private|files/backup_migrate)/ {
     return 404;
 }
 
+# Directives to send expires headers and turn off 404 error logging for Static assets
+location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpe?g|gif|png|ico|zip|pdf|t?gz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|swf|bmp|txt|rtf|md)$ {
+    access_log off;
+    log_not_found off;
+    expires max;
+
+    # CORS headers; this is wide-open, you want to tight it up a bit
+    add_header Cache-Control public;
+    add_header Access-Control-Allow-Origin *;
+    add_header Access-Control-Allow-Methods GET,OPTIONS;
+    add_header Access-Control-Allow-Headers *;
+}
+
 # Attempt to serve the request by trying direct file, directory, Drupal Controller
 location / {
     try_files $uri $uri/ /index.php?q=$uri&$args;
@@ -56,7 +69,7 @@ location @image_rewrite {
 # Check: http://wiki.nginx.org/Pitfalls
 location ~* \.php$ {
     # filter out problem conditions
-    location ~ \..*/.*\.php$ { return 404; }
+    try_files $uri $uri/ =404;
 
     # bring in parameters
     include conf.d/fastcgi.conf;

diff --git a/08-drupal8.nginxconf b/08-drupal8.nginxconf
@@ -85,15 +85,12 @@ location @cleanurl {
 }
 
 location ~* \.php$ {
-    # do not cache dynamic content
-    expires off;
-
     # filter out problem conditions
-    try_files $uri $uri/ @cleanurl =404;
-
-    # send requests to upstream
-    fastcgi_pass phpfpm;
+    try_files $uri $uri/ =404;
 
     # bring in parameters
     include conf.d/fastcgi.conf;
+
+    # send requests to upstream
+    fastcgi_pass phpfpm;
 }
diff --git a/09-magento.nginxconf b/09-magento.nginxconf
@@ -12,6 +12,19 @@ location /skin/m/ {
     rewrite ^/skin/m/([0-9]+)(/.*.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;
 }
 
+# Directives to send expires headers and turn off 404 error logging for Static assets
+location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpe?g|gif|png|ico|zip|pdf|t?gz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|swf|bmp|txt|rtf|md)$ {
+    access_log off;
+    log_not_found off;
+    expires max;
+
+    # CORS headers; this is wide-open, you want to tight it up a bit
+    add_header Cache-Control public;
+    add_header Access-Control-Allow-Origin *;
+    add_header Access-Control-Allow-Methods GET,OPTIONS;
+    add_header Access-Control-Allow-Headers *;
+}
+
 # Deny access to files the public doesn't need
 location ^~ /(app|config|includes|lib|media/customer|media/downloadable|pkginfo|report/config.xml|shell|var)/ {
     internal;
@@ -38,7 +51,7 @@ location /api {
 # Check: http://wiki.nginx.org/Pitfalls
 location ~* \.php$ {
     # filter out problem conditions
-    location ~ \..*/.*\.php$ { return 404; }
+    try_files $uri $uri/ =404;
 
     # bring in parameters
     include conf.d/fastcgi.conf;

diff --git a/10-magento2.nginxconf b/10-magento2.nginxconf
@@ -5,33 +5,76 @@
 root $MAGE_ROOT/pub;
 index index.php;
 autoindex off;
-charset off;
+charset UTF-8;
+error_page 404 403 = /errors/404.php;
+#add_header "X-UA-Compatible" "IE=Edge";
 
-location /setup {
+# PHP entry point for setup application
+location ~* ^/setup($|/) {
     root $MAGE_ROOT;
-
     location ~ ^/setup/index.php {
         fastcgi_pass   phpfpm;
         fastcgi_index  index.php;
         fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
         include        /usr/local/etc/nginx/fastcgi_params;
     }
+
+    location ~ ^/setup/(?!pub/). {
+        deny all;
+    }
+
+    location ~ ^/setup/pub/ {
+        add_header X-Frame-Options "SAMEORIGIN";
+    }
+}
+
+# PHP entry point for update application
+location ~* ^/update($|/) {
+    root $MAGE_ROOT;
+
+    location ~ ^/update/index.php {
+        fastcgi_split_path_info ^(/update/index.php)(/.+)$;
+        fastcgi_pass   phpfpm;
+        fastcgi_index  index.php;
+        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+        fastcgi_param  PATH_INFO        $fastcgi_path_info;
+        include        /usr/local/etc/nginx/fastcgi_params;
+    }
+
+    # Deny everything but index.php
+    location ~ ^/update/(?!pub/). {
+        deny all;
+    }
+
+    location ~ ^/update/pub/ {
+        add_header X-Frame-Options "SAMEORIGIN";
+    }
 }
 
 location / {
     try_files $uri $uri/ /index.php?$args;
 }
 
-location /pub {
-    alias $MAGE_ROOT/pub;
+location /pub/ {
+    location ~ ^/pub/media/(downloadable|customer|import|theme_customization/.*\.xml) {
+        deny all;
+    }
+    alias $MAGE_ROOT/pub/;
+    add_header X-Frame-Options "SAMEORIGIN";
 }
 
 location /static/ {
-    if ($MAGE_MODE = "production") {
-        expires max;
+    # Uncomment the following line in production mode
+    # expires max;
+
+    # Remove signature of the static files that is used to overcome the browser cache
+    location ~ ^/static/version {
+        rewrite ^/static/(version\d*/)?(.*)$ /static/$2 last;
     }
+
     location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
         add_header Cache-Control "public";
+        add_header X-Frame-Options "SAMEORIGIN";
         expires +1y;
 
         if (!-f $request_filename) {
@@ -40,6 +83,7 @@ location /static/ {
     }
     location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
         add_header Cache-Control "no-store";
+        add_header X-Frame-Options "SAMEORIGIN";
         expires    off;
 
         if (!-f $request_filename) {
@@ -49,20 +93,29 @@ location /static/ {
     if (!-f $request_filename) {
         rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
     }
+    add_header X-Frame-Options "SAMEORIGIN";
 }
 
 location /media/ {
     try_files $uri $uri/ /get.php?$args;
+
+    location ~ ^/media/theme_customization/.*\.xml {
+        deny all;
+    }
+
     location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
         add_header Cache-Control "public";
+        add_header X-Frame-Options "SAMEORIGIN";
         expires +1y;
         try_files $uri $uri/ /get.php?$args;
     }
     location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
         add_header Cache-Control "no-store";
+        add_header X-Frame-Options "SAMEORIGIN";
         expires    off;
         try_files $uri $uri/ /get.php?$args;
     }
+    add_header X-Frame-Options "SAMEORIGIN";
 }
 
 location /media/customer/ {
@@ -73,33 +126,27 @@ location /media/downloadable/ {
     deny all;
 }
 
-location ~ /media/theme_customization/.*\.xml$ {
-    deny all;
-}
-
-location /errors/ {
-    try_files $uri =404;
-}
-
-location ~ ^/errors/.*\.(xml|phtml)$ {
-    deny all;
-}
-
-location ~ cron\.php {
+location /media/import/ {
     deny all;
 }
 
+# PHP entry point for main application
 location ~ (index|get|static|report|404|503)\.php$ {
-    try_files $uri =404;
-    fastcgi_pass   phpfpm;
+    try_files       $uri =404;
+    fastcgi_pass    phpfpm;
+    fastcgi_buffers 1024 4k;
 
     fastcgi_param  PHP_FLAG  "session.auto_start=off \n suhosin.session.cryptua=off";
-    fastcgi_param  PHP_VALUE "memory_limit=256M \n max_execution_time=600";
-    fastcgi_param  MAGE_MODE $MAGE_MODE;
+    fastcgi_param  PHP_VALUE "memory_limit=768M \n max_execution_time=600";
     fastcgi_read_timeout 600s;
     fastcgi_connect_timeout 600s;
 
     fastcgi_index  index.php;
     fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
     include        /usr/local/etc/nginx/fastcgi_params;
 }
+
+# Banned locations (only reached if the earlier PHP entry point regexes don't match)
+location ~* (\.php$|\.htaccess$|\.git) {
+    deny all;
+}
diff --git a/11-wordpress.nginxconf b/11-wordpress.nginxconf
@@ -9,6 +9,19 @@ location ~* /(?:uploads|files)/.*\.php$ {
     deny all;
 }
 
+# Directives to send expires headers and turn off 404 error logging for Static assets
+location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpe?g|gif|png|ico|zip|pdf|t?gz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|swf|bmp|txt|rtf|md)$ {
+    access_log off;
+    log_not_found off;
+    expires max;
+
+    # CORS headers; this is wide-open, you want to tight it up a bit
+    add_header Cache-Control public;
+    add_header Access-Control-Allow-Origin *;
+    add_header Access-Control-Allow-Methods GET,OPTIONS;
+    add_header Access-Control-Allow-Headers *;
+}
+
 # Attempted to match last if rules below fail.
 location / {
     try_files $uri $uri/ /index.php?$args;
@@ -21,7 +34,7 @@ rewrite /wp-admin$ $scheme://$host$uri/ permanent;
 # Check: http://wiki.nginx.org/Pitfalls
 location ~* \.php$ {
     # filter out problem conditions
-    location ~ \..*/.*\.php$ { return 404; }
+    try_files $uri $uri/ =404;
 
     # bring in parameters
     include conf.d/fastcgi.conf;

diff --git a/12-default-site.nginxconf b/12-default-site.nginxconf
@@ -13,9 +13,10 @@ server {
     index index.html index.htm index.php;
 
     # security
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
     ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
+    ssl_ecdh_curve secp384r1;
     ssl_certificate /usr/local/etc/nginx/ssl/localhost.pem;
     ssl_certificate_key /usr/local/etc/nginx/ssl/localhost.key;
 

diff --git a/14-pool-www.ini b/14-pool-www.ini
@@ -31,17 +31,17 @@ pm = dynamic
 ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
 ; CGI. The below defaults are based on a server without much resources. Don't
 ; forget to tweak pm.* to fit your needs.
-pm.max_children = 10
+pm.max_children = 4
 
 ; The number of child processes created on startup.
 ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
-pm.start_servers = 3
+pm.start_servers = 1
 
 ; The desired minimum number of idle server processes.
-pm.min_spare_servers = 2
+pm.min_spare_servers = 1
 
 ; The desired maximum number of idle server processes.
-pm.max_spare_servers = 5
+pm.max_spare_servers = 3
 
 ; The number of requests each child process should execute before respawning.
 ; This can be useful to work around memory leaks in 3rd party libraries. For
@@ -55,12 +55,12 @@ pm.status_path = /status
 
 ; The ping URI to call the monitoring page of FPM.
 ; Default Value: not set
-;ping.path = /ping
+ping.path = /ping
 
 ; This directive may be used to customize the response of a ping request. The
 ; response is formatted as text/plain with a 200 response code.
 ; Default Value: pong
-;ping.response = pong
+ping.response = pong
 
 ; The log file for slow requests
 ; Default Value: not set

diff --git a/15-zzz.ini b/15-zzz.ini
@@ -5,12 +5,22 @@
 ; Custom php.ini overrides
 date.timezone = Etc/UTC
 memory_limit = 512M
+output_buffering = 4096
 display_errors = On
 log_errors = On
 expose_php = On
 error_reporting = E_ALL
 realpath_cache_ttl = 120
-realpath_cache_size = 128k
+realpath_cache_size = 512k
 error_log = /usr/local/var/log/php-errors.log
 cgi.fix_pathinfo = 0
 max_execution_time = 120
+opcache.enable=1
+opcache.enable_cli=1
+opcache.memory_consumption=256
+opcache.interned_strings_buffer=8
+opcache.max_accelerated_files=4000
+opcache.max_wasted_percentage=5
+opcache.use_cwd=1
+opcache.validate_timestamps=0
+opcache.fast_shutdown=1
diff --git a/01-README.md b/01-README.md
@@ -12,20 +12,20 @@ Before any of this will work you'll need to have both Xcode Command Line tools a
 
 ```bash
 xcode-select --install
-ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
+/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
 ```
 
 ## Nginx
 
-Files numbered `02` through `11` are [Nginx](http://nginx.org/) configuration files. If you haven't already, install via Homebrew:
+Files numbered `02` through `12` are [Nginx](http://nginx.org/) configuration files. If you haven't already, install via Homebrew:
 
 ```bash
 brew install nginx
 ```
 
 ### Running on Port 80
 
-To run Nginx on as your primary web server on port 80, the configuration files need to be owned and run as the user `root`. I have found it easiest to use the system's `LaunchAgents` directory rather than the one in my user's folder.
+To run Nginx on as your primary web server on port 80, the configuration files need to be owned and run as the user `root`. I have found it easiest to use the system's `LaunchAgents` directory rather than the one in my user's folder -- in fact, it may be required.
 
 ```bash
 sudo cp /usr/local/opt/nginx/*.plist /Library/LaunchAgents
@@ -34,27 +34,29 @@ sudo chown root:wheel /Library/LaunchAgents/*.plist
 
 ## PHP
 
-Files numbered `12` through `14` are [PHP-FPM](http://php-fpm.org/) configuration files. If you haven't already, install via Homebrew:
+Files numbered `13` through `15` are [PHP-FPM](http://php-fpm.org/) configuration files. If you haven't already, install via Homebrew:
 
 ```bash
 brew tap homebrew/php
-brew install php56 --with-fpm --without-apache --with-homebrew-curl --with-homebrew-openssl --without-snmp
-brew install php56-mcrypt
-brew install php56-ioncubeloader
+brew install php71 --with-fpm --without-apache --with-homebrew-curl --with-homebrew-openssl --without-snmp
+brew install php71-intl
+brew install php71-mcrypt
+brew install php71-opcache
+brew install php71-xdebug
 ```
 
 ### Change PHP Versions
 
 As a developer you may find that you need to change between versions of PHP. Homebrew makes this process easy! The basic steps are to `brew unlink` the current version of PHP and link another installed version.
 
 ```bash
-brew unlink php56
-brew link php70
+brew unlink php71
+brew link php56
 ```
 
 ## MySQL
 
-Files numbered `15` through `17` are [MySQL](http://www.percona.com/software/percona-server) configuration files. I personally use Percona Server as my flavor of MySQL. If you haven't already, install via Homebrew:
+Files numbered `16` through `18` are [MySQL](http://www.percona.com/software/percona-server) configuration files. I personally use Percona Server as my flavor of MySQL. If you haven't already, install via Homebrew:
 
 ```bash
 brew install percona-server
@@ -70,7 +72,7 @@ mkdir -p ~/.my.cnf.d/
 
 ## dnsmasq
 
-Files numbered `18` through `19` are [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) configuration files. If you haven't already, install via Homebrew:
+Files numbered `19` through `20` are [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) configuration files. If you haven't already, install via Homebrew:
 
 ```bash
 brew install dnsmasq

diff --git a/02-nginx.nginxconf b/02-nginx.nginxconf
@@ -1,24 +1,25 @@
 # NGINX
 # FILE: /usr/local/etc/nginx/nginx.conf
 
-#----------------------------------------------------------------------
+
+#------------------------------------------------------------------------------#
 #  http://nginx.org/en/docs/ngx_core_module.html
-#----------------------------------------------------------------------
+#------------------------------------------------------------------------------#
 user prm staff;
 worker_processes 2;
 pid /usr/local/var/run/nginx/nginx.pid;
 
-#----------------------------------------------------------------------
+#------------------------------------------------------------------------------#
 # http://nginx.org/en/docs/ngx_core_module.html#events
-#----------------------------------------------------------------------
+#------------------------------------------------------------------------------#
 events {
     worker_connections 1024;
     accept_mutex off;
 }
 
-#----------------------------------------------------------------------
+#------------------------------------------------------------------------------#
 # http://nginx.org/en/docs/http/ngx_http_core_module.html
-#----------------------------------------------------------------------
+#------------------------------------------------------------------------------#
 http {
     include mime.types;
     access_log /usr/local/var/log/nginx/access.log;

diff --git a/03-fastcgi_params.nginxconf b/03-fastcgi_params.nginxconf
@@ -1,6 +1,7 @@
 # NGINX
 # FILE: /usr/local/etc/nginx/fastcgi_params
 
+
 fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
 fastcgi_param  QUERY_STRING       $query_string;
 fastcgi_param  REQUEST_METHOD     $request_method;

diff --git a/04-assets.nginxconf b/04-assets.nginxconf
@@ -1,6 +1,7 @@
 # NGINX
 # FILE: /usr/local/etc/nginx/conf.d/assets.conf
 
+
 # Directives to send expires headers and turn off 404 error logging for Static assets
 location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpe?g|gif|png|ico|zip|pdf|t?gz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|swf|bmp|txt|rtf|md)$ {
     access_log off;

diff --git a/05-security.nginxconf b/05-security.nginxconf
@@ -1,6 +1,7 @@
 # NGINX
 # FILE: /usr/local/etc/nginx/conf.d/security.conf
 
+
 # Disable all methods besides HEAD, GET, and POST
 if ($request_method !~ ^(GET|HEAD|POST)$) {
     return 444;

diff --git a/06-fastcgi.nginxconf b/06-fastcgi.nginxconf
@@ -1,6 +1,7 @@
 # NGINX
 # FILE: /usr/local/etc/nginx/conf.d/fastcgi.conf
 
+
 # Tell upstream who is making the request
 proxy_set_header                  Host $host;
 proxy_set_header                  X-Real-IP $remote_addr;

diff --git a/07-drupal.nginxconf b/07-drupal.nginxconf
@@ -1,6 +1,7 @@
 # NGINX
 # FILE: /usr/local/etc/nginx/conf.d/drupal.conf
 
+
 # Deny access to files the public does not need
 location ~* ^.+(\.(txt|log|engine|inc|info|install|make|module|profile|test|po|sh|sql|theme|tpl(\.php)?|xtmpl))$ {
     internal;

diff --git a/08-drupal8.nginxconf b/08-drupal8.nginxconf
@@ -1,6 +1,7 @@
 # NGINX
 # FILE: /usr/local/etc/nginx/conf.d/drupal8.conf
 
+
 location ~ \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$ {
     access_log off;
     log_not_found off;

diff --git a/09-magento.nginxconf b/09-magento.nginxconf
@@ -1,6 +1,7 @@
 # NGINX
 # FILE: /usr/local/etc/nginx/conf.d/magento.conf
 
+
 # Forward Fooman Speedster requests to minify controller
 location /minify/ {
     rewrite ^/minify/([0-9]+)(/.*\.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;

diff --git a/10-magento2.nginxconf b/10-magento2.nginxconf
@@ -1,6 +1,7 @@
 # NGINX
 # FILE: /usr/local/etc/nginx/conf.d/magento2.conf
 
+
 root $MAGE_ROOT/pub;
 index index.php;
 autoindex off;
@@ -101,4 +102,4 @@ location ~ (index|get|static|report|404|503)\.php$ {
     fastcgi_index  index.php;
     fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
     include        /usr/local/etc/nginx/fastcgi_params;
-}
+}
diff --git a/11-wordpress.nginxconf b/11-wordpress.nginxconf
@@ -1,6 +1,7 @@
 # NGINX
 # FILE: /usr/local/etc/nginx/conf.d/wordpress.conf
 
+
 # Deny access to any files with a .php extension in the uploads directory
 # Works in sub-directory installs and also in multisite network
 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)

diff --git a/12-default-site.nginxconf b/12-default-site.nginxconf
@@ -1,6 +1,7 @@
 # NGINX
 # FILE: /usr/local/etc/nginx/sites-enabled/default.conf
 
+
 server {
     # Server settings
     listen 80;
@@ -20,14 +21,16 @@ server {
 
     # Logging
     access_log off;
-    error_log  /usr/local/var/log/nginx/error.log warn;
+    error_log /usr/local/var/log/nginx/error.log warn;
 
     # Routes
     include /usr/local/etc/nginx/conf.d/security.conf;
     include /usr/local/etc/nginx/conf.d/assets.conf;
 
     # Uncomment the desired platform
     #include /usr/local/etc/nginx/conf.d/magento.conf;
+    #include /usr/local/etc/nginx/conf.d/magento2.conf;
     #include /usr/local/etc/nginx/conf.d/drupal.conf;
+    #include /usr/local/etc/nginx/conf.d/drupal8.conf;
     #include /usr/local/etc/nginx/conf.d/wordpress.conf;
 }
diff --git a/13-php-fpm.ini b/13-php-fpm.ini
@@ -1,5 +1,6 @@
 ; PHP
-; FILE: /usr/local/etc/php/5.6/php-fpm.conf
+; FILE: /usr/local/etc/php/7.1/php-fpm.conf
+
 
 ;;;;;;;;;;;;;;;;;;;;;
 ; FPM Configuration ;
@@ -47,4 +48,4 @@ process_control_timeout = 10s
 ; Pool Definitions ;
 ;;;;;;;;;;;;;;;;;;;;
 
-include=/usr/local/etc/php/5.6/pool.d/*.conf
+include=/usr/local/etc/php/7.1/pool.d/*.conf
diff --git a/14-pool-www.ini b/14-pool-www.ini
@@ -1,5 +1,6 @@
 ; PHP
-; FILE: /usr/local/etc/php/5.6/pool.d/www.conf
+; FILE: /usr/local/etc/php/7.1/pool.d/www.conf
+
 
 ;;;;;;;;;;;;;;;;;;;;
 ; Pool Definitions ;

diff --git a/15-zzz.ini b/15-zzz.ini
@@ -1,5 +1,6 @@
 ; PHP
-; FILE: /usr/local/etc/php/5.6/conf.d/zzz.ini
+; FILE: /usr/local/etc/php/7.1/conf.d/zzz.ini
+
 
 ; Custom php.ini overrides
 date.timezone = Etc/UTC

diff --git a/16-my.cnf b/16-my.cnf
@@ -1,8 +1,10 @@
 # MYSQL
 # FILE: ~/.my.cnf
 
+
 # For advice on how to change settings please see
 # http://dev.mysql.com/doc/refman/5.6/en/server-configuration-defaults.html
+#------------------------------------------------------------------------------#
 
 [mysqld]
 

diff --git a/17-client.cnf b/17-client.cnf
@@ -1,9 +1,9 @@
 # MYSQL
 # FILE: ~/.my.cnf.d/client.cnf
 
-#
+
 # This group is read by the client library. Use it for options that affect all
 # clients, but not the server
-#
+#------------------------------------------------------------------------------#
 
 [client]
diff --git a/18-server.cnf b/18-server.cnf
@@ -1,26 +1,26 @@
 # MYSQL
 # FILE: ~/.my.cnf.d/server.cnf
 
-#
+
 # This group is read by the server. Use it for options that only affect the
 # server.
-#
+#------------------------------------------------------------------------------#
 
 [server]
 
 [mysqld]
 
 # Logging
-general_log = 1
-general_log_file = /usr/local/var/log/mysql/mysql-errors.log
+general_log                         = 1
+general_log_file                    = /usr/local/var/log/mysql/mysql-errors.log
 
 # Query cache
-query_cache_type            = 1
-query_cache_limit           = 2M
-query_cache_size            = 64M
+query_cache_type                    = 1
+query_cache_limit                   = 2M
+query_cache_size                    = 64M
 
 # InnoDB
-innodb_data_file_path       = ibdata1:1G;ibdata2:512M:autoextend
-innodb_autoextend_increment = 512
-innodb_log_file_size        = 512M
-innodb_buffer_pool_size     = 2G
+innodb_data_file_path               = ibdata1:512M;ibdata2:256M:autoextend
+innodb_autoextend_increment         = 128
+innodb_log_file_size                = 256M
+innodb_buffer_pool_size             = 2G
diff --git a/19-dnsmasq.conf b/19-dnsmasq.conf
@@ -1,6 +1,7 @@
 # DNS
 # FILE: /usr/local/etc/dnsmasq.conf
 
+
 # Configuration file for dnsmasq.
 #
 # Format is one option per line, legal options are the same
@@ -255,6 +256,13 @@ address=/.dev/127.0.0.1
 # the IP address 192.168.0.60
 #dhcp-host=id:01:02:02:04,192.168.0.60
 
+# Always give the Infiniband interface with hardware address
+# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
+# ip address 192.168.0.61. The client id is derived from the prefix
+# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
+# hex digits of the hardware address.
+#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61
+
 # Always give the host with client identifier "marjorie"
 # the IP address 192.168.0.60
 #dhcp-host=id:marjorie,192.168.0.60
@@ -349,6 +357,14 @@ address=/.dev/127.0.0.1
 # Ask client to poll for option changes every six hours. (RFC4242)
 #dhcp-option=option6:information-refresh-time,6h
 
+# Set option 58 client renewal time (T1). Defaults to half of the
+# lease time if not specified. (RFC2132)
+#dhcp-option=option:T1:1m
+
+# Set option 59 rebinding time (T2). Defaults to 7/8 of the
+# lease time if not specified. (RFC2132)
+#dhcp-option=option:T2:2m
+
 # Set the NTP time server address to be the same machine as
 # is running dnsmasq
 #dhcp-option=42,0.0.0.0
@@ -490,6 +506,9 @@ address=/.dev/127.0.0.1
 # Set the root directory for files available via FTP.
 #tftp-root=/var/ftpd
 
+# Do not abort if the tftp-root is unavailable
+#tftp-no-fail
+
 # Make the TFTP server more secure: with this set, only files owned by
 # the user dnsmasq is running as will be send over the net.
 #tftp-secure
@@ -649,4 +668,4 @@ address=/.dev/127.0.0.1
 #conf-dir=/etc/dnsmasq.d,.bak
 
 # Include all files in a directory which end in .conf
-#conf-dir=/etc/dnsmasq.d/*.conf
+#conf-dir=/etc/dnsmasq.d/,*.conf
diff --git a/20-resolver.conf b/20-resolver.conf
@@ -1,6 +1,7 @@
 # DNS
 # FILE: /etc/resolver/dev
 
+
 nameserver 127.0.0.1
 domain dev
 search_order 1
diff --git a/08-drupal8.nginxconf b/08-drupal8.nginxconf
@@ -0,0 +1,98 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/conf.d/drupal8.conf
+
+location ~ \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$ {
+    access_log off;
+    log_not_found off;
+    return 403;
+}
+
+location ~ ^/private/ {
+    access_log off;
+    log_not_found off;
+    return 403;
+}
+
+location ~ ^/sites/default/files/private/ {
+    access_log off;
+    log_not_found off;
+    return 403;
+}
+
+location ~ ^/sites/default/config/ {
+    access_log off;
+    log_not_found off;
+    return 403;
+}
+
+location ~ ^/sites/default/files/config/ {
+    access_log off;
+    log_not_found off;
+    return 403;
+}
+
+location ~ /sites/default/files/.*\.php$ {
+    access_log off;
+    log_not_found off;
+    return 403;
+}
+
+location ~ ^/(favicon.ico|robots.txt) {
+    access_log off;
+    log_not_found off;
+    add_header Cache-Control max-age=86400;
+}
+
+# web fonts
+location ~* \.(eot|ttf|woff|otf|svg)$ {
+    try_files $uri $uri/ @cleanurl;
+    access_log off;
+    log_not_found off;
+    expires max;
+    add_header Access-Control-Allow-Origin *;
+}
+
+location ~* \.(svgz)$ {
+    try_files $uri $uri/ @cleanurl;
+    access_log off;
+    log_not_found off;
+    expires max;
+    add_header Content-encoding gzip;
+    gzip off;
+}
+
+location ~* ^.+\.(ogg|ogv|mp4|ttf|rss|atom|jpe?g|gif|png|ico|zip|pdf|t?gz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|swf|bmp|txt|rtf|md)$ {
+    access_log off;
+    log_not_found off;
+    expires max;
+    add_header Cache-Control "public";
+    add_header Access-Control-Allow-Origin *;
+    add_header Access-Control-Allow-Methods "GET,OPTIONS";
+    add_header Access-Control-Allow-Headers Content-Type;
+    add_header Access-Control-Max-Age 86400;
+}
+
+# page reqeusts
+location / {
+    try_files $uri $uri/ @cleanurl;
+    error_page 403 /403.html;
+    ### add_header X-Proxy-Cache $upstream_cache_status;
+}
+
+location @cleanurl {
+    rewrite ^/(.*)$ /index.php?q=$1 last;
+}
+
+location ~* \.php$ {
+    # do not cache dynamic content
+    expires off;
+
+    # filter out problem conditions
+    try_files $uri $uri/ @cleanurl =404;
+
+    # send requests to upstream
+    fastcgi_pass phpfpm;
+
+    # bring in parameters
+    include conf.d/fastcgi.conf;
+}
diff --git a/08-magento.nginxconf → 09-magento.nginxconf b/08-magento.nginxconf → 09-magento.nginxconf
diff --git a/09-magento2.nginxconf → 10-magento2.nginxconf b/09-magento2.nginxconf → 10-magento2.nginxconf
diff --git a/10-wordpress.nginxconf → 11-wordpress.nginxconf b/10-wordpress.nginxconf → 11-wordpress.nginxconf
diff --git a/11-default-site.nginxconf → 12-default-site.nginxconf b/11-default-site.nginxconf → 12-default-site.nginxconf
diff --git a/12-php-fpm.ini → 13-php-fpm.ini b/12-php-fpm.ini → 13-php-fpm.ini
diff --git a/13-pool-www.ini → 14-pool-www.ini b/13-pool-www.ini → 14-pool-www.ini
diff --git a/14-zzz.ini → 15-zzz.ini b/14-zzz.ini → 15-zzz.ini
diff --git a/15-my.cnf → 16-my.cnf b/15-my.cnf → 16-my.cnf
diff --git a/16-client.cnf → 17-client.cnf b/16-client.cnf → 17-client.cnf
diff --git a/17-server.cnf → 18-server.cnf b/17-server.cnf → 18-server.cnf
diff --git a/18-dnsmasq.conf → 19-dnsmasq.conf b/18-dnsmasq.conf → 19-dnsmasq.conf
diff --git a/19-resolver.conf → 20-resolver.conf b/19-resolver.conf → 20-resolver.conf
diff --git a/12-php-fpm.ini b/12-php-fpm.ini
@@ -1,5 +1,5 @@
 ; PHP
-; FILE: /usr/local/etc/php/5.5/php-fpm.conf
+; FILE: /usr/local/etc/php/5.6/php-fpm.conf
 
 ;;;;;;;;;;;;;;;;;;;;;
 ; FPM Configuration ;
@@ -47,4 +47,4 @@ process_control_timeout = 10s
 ; Pool Definitions ;
 ;;;;;;;;;;;;;;;;;;;;
 
-include=/usr/local/etc/php/5.5/pool.d/*.conf
+include=/usr/local/etc/php/5.6/pool.d/*.conf
diff --git a/13-pool-www.ini b/13-pool-www.ini
@@ -1,5 +1,5 @@
 ; PHP
-; FILE: /usr/local/etc/php/5.5/pool.d/www.conf
+; FILE: /usr/local/etc/php/5.6/pool.d/www.conf
 
 ;;;;;;;;;;;;;;;;;;;;
 ; Pool Definitions ;

diff --git a/14-zzz.ini b/14-zzz.ini
@@ -1,5 +1,5 @@
 ; PHP
-; FILE: /usr/local/etc/php/5.5/conf.d/zzz.ini
+; FILE: /usr/local/etc/php/5.6/conf.d/zzz.ini
 
 ; Custom php.ini overrides
 date.timezone = Etc/UTC

diff --git a/01-README.md b/01-README.md
@@ -37,9 +37,19 @@ sudo chown root:wheel /Library/LaunchAgents/*.plist
 Files numbered `12` through `14` are [PHP-FPM](http://php-fpm.org/) configuration files. If you haven't already, install via Homebrew:
 
 ```bash
-brew install php55 --with-fpm --without-apache --with-homebrew-curl --with-homebrew-openssl --without-snmp
-brew install php55-mcrypt
-brew install php55-ioncubeloader
+brew tap homebrew/php
+brew install php56 --with-fpm --without-apache --with-homebrew-curl --with-homebrew-openssl --without-snmp
+brew install php56-mcrypt
+brew install php56-ioncubeloader
+```
+
+### Change PHP Versions
+
+As a developer you may find that you need to change between versions of PHP. Homebrew makes this process easy! The basic steps are to `brew unlink` the current version of PHP and link another installed version.
+
+```bash
+brew unlink php56
+brew link php70
 ```
 
 ## MySQL

diff --git a/01-README.md b/01-README.md
@@ -17,7 +17,7 @@ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/
 
 ## Nginx
 
-Files numbered `02` through `10` are [Nginx](http://nginx.org/) configuration files. If you haven't already, install via Homebrew:
+Files numbered `02` through `11` are [Nginx](http://nginx.org/) configuration files. If you haven't already, install via Homebrew:
 
 ```bash
 brew install nginx
@@ -34,7 +34,7 @@ sudo chown root:wheel /Library/LaunchAgents/*.plist
 
 ## PHP
 
-Files numbered `11` through `13` are [PHP-FPM](http://php-fpm.org/) configuration files. If you haven't already, install via Homebrew:
+Files numbered `12` through `14` are [PHP-FPM](http://php-fpm.org/) configuration files. If you haven't already, install via Homebrew:
 
 ```bash
 brew install php55 --with-fpm --without-apache --with-homebrew-curl --with-homebrew-openssl --without-snmp
@@ -44,7 +44,7 @@ brew install php55-ioncubeloader
 
 ## MySQL
 
-Files numbered `14` through `16` are [MySQL](http://www.percona.com/software/percona-server) configuration files. I personally use Percona Server as my flavor of MySQL. If you haven't already, install via Homebrew:
+Files numbered `15` through `17` are [MySQL](http://www.percona.com/software/percona-server) configuration files. I personally use Percona Server as my flavor of MySQL. If you haven't already, install via Homebrew:
 
 ```bash
 brew install percona-server
@@ -60,7 +60,7 @@ mkdir -p ~/.my.cnf.d/
 
 ## dnsmasq
 
-Files numbered `17` through `18` are [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) configuration files. If you haven't already, install via Homebrew:
+Files numbered `18` through `19` are [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) configuration files. If you haven't already, install via Homebrew:
 
 ```bash
 brew install dnsmasq

diff --git a/09-magento2.nginxconf b/09-magento2.nginxconf
@@ -0,0 +1,104 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/conf.d/magento2.conf
+
+root $MAGE_ROOT/pub;
+index index.php;
+autoindex off;
+charset off;
+
+location /setup {
+    root $MAGE_ROOT;
+
+    location ~ ^/setup/index.php {
+        fastcgi_pass   phpfpm;
+        fastcgi_index  index.php;
+        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+        include        /usr/local/etc/nginx/fastcgi_params;
+    }
+}
+
+location / {
+    try_files $uri $uri/ /index.php?$args;
+}
+
+location /pub {
+    alias $MAGE_ROOT/pub;
+}
+
+location /static/ {
+    if ($MAGE_MODE = "production") {
+        expires max;
+    }
+    location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
+        add_header Cache-Control "public";
+        expires +1y;
+
+        if (!-f $request_filename) {
+            rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
+        }
+    }
+    location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
+        add_header Cache-Control "no-store";
+        expires    off;
+
+        if (!-f $request_filename) {
+           rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
+        }
+    }
+    if (!-f $request_filename) {
+        rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
+    }
+}
+
+location /media/ {
+    try_files $uri $uri/ /get.php?$args;
+    location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
+        add_header Cache-Control "public";
+        expires +1y;
+        try_files $uri $uri/ /get.php?$args;
+    }
+    location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
+        add_header Cache-Control "no-store";
+        expires    off;
+        try_files $uri $uri/ /get.php?$args;
+    }
+}
+
+location /media/customer/ {
+    deny all;
+}
+
+location /media/downloadable/ {
+    deny all;
+}
+
+location ~ /media/theme_customization/.*\.xml$ {
+    deny all;
+}
+
+location /errors/ {
+    try_files $uri =404;
+}
+
+location ~ ^/errors/.*\.(xml|phtml)$ {
+    deny all;
+}
+
+location ~ cron\.php {
+    deny all;
+}
+
+location ~ (index|get|static|report|404|503)\.php$ {
+    try_files $uri =404;
+    fastcgi_pass   phpfpm;
+
+    fastcgi_param  PHP_FLAG  "session.auto_start=off \n suhosin.session.cryptua=off";
+    fastcgi_param  PHP_VALUE "memory_limit=256M \n max_execution_time=600";
+    fastcgi_param  MAGE_MODE $MAGE_MODE;
+    fastcgi_read_timeout 600s;
+    fastcgi_connect_timeout 600s;
+
+    fastcgi_index  index.php;
+    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+    include        /usr/local/etc/nginx/fastcgi_params;
+}
diff --git a/09-wordpress.nginxconf → 10-wordpress.nginxconf b/09-wordpress.nginxconf → 10-wordpress.nginxconf
diff --git a/10-default-site.nginxconf → 11-default-site.nginxconf b/10-default-site.nginxconf → 11-default-site.nginxconf
diff --git a/11-php-fpm.ini → 12-php-fpm.ini b/11-php-fpm.ini → 12-php-fpm.ini
diff --git a/12-pool-www.ini → 13-pool-www.ini b/12-pool-www.ini → 13-pool-www.ini
diff --git a/13-zzz.ini → 14-zzz.ini b/13-zzz.ini → 14-zzz.ini
diff --git a/14-my.cnf → 15-my.cnf b/14-my.cnf → 15-my.cnf
diff --git a/15-client.cnf → 16-client.cnf b/15-client.cnf → 16-client.cnf
diff --git a/16-server.cnf → 17-server.cnf b/16-server.cnf → 17-server.cnf
diff --git a/17-dnsmasq.conf → 18-dnsmasq.conf b/17-dnsmasq.conf → 18-dnsmasq.conf
diff --git a/18-resolver.conf → 19-resolver.conf b/18-resolver.conf → 19-resolver.conf
diff --git a/01-README.md b/01-README.md
@@ -6,6 +6,15 @@ Files in this repository are numbered and named for ordering purposes only. At t
 
 **Note: some configuration files have hard-coded paths to my user directory -- fix it for your setup**
 
+## Setup
+
+Before any of this will work you'll need to have both Xcode Command Line tools and [Homebrew](http://brew.sh/) installed. Here are a few shortcuts to get you started:
+
+```bash
+xcode-select --install
+ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
+```
+
 ## Nginx
 
 Files numbered `02` through `10` are [Nginx](http://nginx.org/) configuration files. If you haven't already, install via Homebrew:

diff --git a/03-fastcgi_params.nginxconf b/03-fastcgi_params.nginxconf
@@ -1,6 +1,7 @@
 # NGINX
 # FILE: /usr/local/etc/nginx/fastcgi_params
 
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
 fastcgi_param  QUERY_STRING       $query_string;
 fastcgi_param  REQUEST_METHOD     $request_method;
 fastcgi_param  CONTENT_TYPE       $content_type;

diff --git a/06-fastcgi.nginxconf b/06-fastcgi.nginxconf
@@ -30,7 +30,5 @@ fastcgi_temp_file_write_size      256k;
 fastcgi_intercept_errors          off;
 fastcgi_ignore_client_abort       off;
 
-fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
-fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
 fastcgi_split_path_info           ^(.+\.php)(/.+)$;
 fastcgi_index                     index.php;
diff --git a/01-README.md b/01-README.md
@@ -28,7 +28,7 @@ sudo chown root:wheel /Library/LaunchAgents/*.plist
 Files numbered `11` through `13` are [PHP-FPM](http://php-fpm.org/) configuration files. If you haven't already, install via Homebrew:
 
 ```bash
-brew install php55 --with-fpm --without-apache
+brew install php55 --with-fpm --without-apache --with-homebrew-curl --with-homebrew-openssl --without-snmp
 brew install php55-mcrypt
 brew install php55-ioncubeloader
 ```

diff --git a/01-README.md b/01-README.md
@@ -4,6 +4,8 @@
 
 Files in this repository are numbered and named for ordering purposes only. At the top of each file is a section of metadata that denote what component the file belongs to and the default name & location of the file. Feel free to implement it however you want.
 
+**Note: some configuration files have hard-coded paths to my user directory -- fix it for your setup**
+
 ## Nginx
 
 Files numbered `02` through `10` are [Nginx](http://nginx.org/) configuration files. If you haven't already, install via Homebrew:

diff --git a/07-drupal.nginxconf b/07-drupal.nginxconf
@@ -1,7 +1,7 @@
 # NGINX
 # FILE: /usr/local/etc/nginx/conf.d/drupal.conf
 
-# Deny access to files the public doesn't need
+# Deny access to files the public does not need
 location ~* ^.+(\.(txt|log|engine|inc|info|install|make|module|profile|test|po|sh|sql|theme|tpl(\.php)?|xtmpl))$ {
     internal;
 }

diff --git a/01-README.md b/01-README.md
@@ -0,0 +1,72 @@
+# Mac OS X LEMP Configuration
+
+[This Gist](https://gist.github.com/petemcw/9265670) is a collection of configuration files that can be used to easily setup a [Homebrew](http://brew.sh/)-based LEMP stack on Mac OS X.
+
+Files in this repository are numbered and named for ordering purposes only. At the top of each file is a section of metadata that denote what component the file belongs to and the default name & location of the file. Feel free to implement it however you want.
+
+## Nginx
+
+Files numbered `02` through `10` are [Nginx](http://nginx.org/) configuration files. If you haven't already, install via Homebrew:
+
+```bash
+brew install nginx
+```
+
+### Running on Port 80
+
+To run Nginx on as your primary web server on port 80, the configuration files need to be owned and run as the user `root`. I have found it easiest to use the system's `LaunchAgents` directory rather than the one in my user's folder.
+
+```bash
+sudo cp /usr/local/opt/nginx/*.plist /Library/LaunchAgents
+sudo chown root:wheel /Library/LaunchAgents/*.plist
+```
+
+## PHP
+
+Files numbered `11` through `13` are [PHP-FPM](http://php-fpm.org/) configuration files. If you haven't already, install via Homebrew:
+
+```bash
+brew install php55 --with-fpm --without-apache
+brew install php55-mcrypt
+brew install php55-ioncubeloader
+```
+
+## MySQL
+
+Files numbered `14` through `16` are [MySQL](http://www.percona.com/software/percona-server) configuration files. I personally use Percona Server as my flavor of MySQL. If you haven't already, install via Homebrew:
+
+```bash
+brew install percona-server
+```
+
+Before you start the MySQL service, create the configuration directory and place the configuration files:
+
+```bash
+mkdir -p ~/.my.cnf.d/
+```
+
+**Note:** if you have trouble getting MySQL to start, you probably need to remove the default `ib_logfile` and `ibdata` files in `/usr/local/var/mysql`.
+
+## dnsmasq
+
+Files numbered `17` through `18` are [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) configuration files. If you haven't already, install via Homebrew:
+
+```bash
+brew install dnsmasq
+```
+
+DNS takes slightly more setup than the others. You'll need to create the configuration files and update with the edited one from this repo:
+
+```bash
+sudo mkdir -p /etc/resolver/
+sudo touch /etc/resolver/dev
+touch /usr/local/etc/dnsmasq.conf
+```
+
+Then you'll want to flush your local DNS cache to ensure `dnsmasq` takes over:
+
+```bash
+sudo launchctl unload /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
+sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
+dscacheutil -flushcache
+```
diff --git a/nginx.conf → 02-nginx.nginxconf b/nginx.conf → 02-nginx.nginxconf
@@ -1,20 +1,23 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/nginx.conf
+
 #----------------------------------------------------------------------
-#  http://wiki.nginx.org/NginxMainModule
+#  http://nginx.org/en/docs/ngx_core_module.html
 #----------------------------------------------------------------------
 user prm staff;
 worker_processes 2;
 pid /usr/local/var/run/nginx/nginx.pid;
 
 #----------------------------------------------------------------------
-# http://wiki.nginx.org/NginxEventsModule
+# http://nginx.org/en/docs/ngx_core_module.html#events
 #----------------------------------------------------------------------
 events {
     worker_connections 1024;
     accept_mutex off;
 }
 
 #----------------------------------------------------------------------
-# http://wiki.nginx.org/NginxHttpCoreModule
+# http://nginx.org/en/docs/http/ngx_http_core_module.html
 #----------------------------------------------------------------------
 http {
     include mime.types;
@@ -38,14 +41,15 @@ http {
     gzip_min_length 10240;
     gzip_proxied any;
     gzip_static on;
-    gzip_types text/plain text/css application/x-javascript text/comma-separated-values text/xml application/xml application/xml+rss application/atom+xml text/javascript;
+    gzip_types text/plain text/css application/x-javascript text/comma-separated-values
+        text/xml application/xml application/xml+rss application/atom+xml text/javascript;
     gzip_vary on;
 
     # general options
     client_body_buffer_size 512k;
     client_body_timeout 15;
     client_header_timeout 15;
-    client_max_body_size 24m;
+    client_max_body_size 64m;
     ignore_invalid_headers on;
     keepalive_timeout 2 2;
     keepalive_requests 200;
@@ -62,12 +66,6 @@ http {
     types_hash_max_size 2048;
     underscores_in_headers on;
 
-    # cache options
-    #open_file_cache max=10000 inactive=30s;
-    #open_file_cache_valid 5m;
-    #open_file_cache_min_uses 5;
-    #open_file_cache_errors off;
-
     # detect https
     map $scheme $fastcgi_https {
         default "";
@@ -77,8 +75,6 @@ http {
     # PHP-FPM
     upstream phpfpm {
         server unix:/usr/local/var/run/php-fpm.sock;
-        #server unix:/var/run/php-fpm/php-fpm.sock1 weight=1 max_fails=5 fail_timeout=10;
-        #server unix:/var/run/php-fpm/php-fpm.sock2 weight=1 max_fails=5 fail_timeout=10;
         #server 127.0.0.1:9000;
     }
 

diff --git a/fastcgi_params → 03-fastcgi_params.nginxconf b/fastcgi_params → 03-fastcgi_params.nginxconf
@@ -1,3 +1,6 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/fastcgi_params
+
 fastcgi_param  QUERY_STRING       $query_string;
 fastcgi_param  REQUEST_METHOD     $request_method;
 fastcgi_param  CONTENT_TYPE       $content_type;
@@ -20,4 +23,4 @@ fastcgi_param  SERVER_PORT        $server_port;
 fastcgi_param  SERVER_NAME        $server_name;
 
 # PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param  REDIRECT_STATUS    200;
+fastcgi_param  REDIRECT_STATUS    200;
diff --git a/assets.conf → 04-assets.nginxconf b/assets.conf → 04-assets.nginxconf
@@ -1,8 +1,13 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/conf.d/assets.conf
+
 # Directives to send expires headers and turn off 404 error logging for Static assets
 location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpe?g|gif|png|ico|zip|pdf|t?gz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|swf|bmp|txt|rtf|md)$ {
     access_log off;
     log_not_found off;
     expires max;
+
+    # CORS headers; this is wide-open, you want to tight it up a bit
     add_header Cache-Control public;
     add_header Access-Control-Allow-Origin *;
     add_header Access-Control-Allow-Methods GET,OPTIONS;

diff --git a/drop.conf → 05-security.nginxconf b/drop.conf → 05-security.nginxconf
@@ -1,3 +1,6 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/conf.d/security.conf
+
 # Disable all methods besides HEAD, GET, and POST
 if ($request_method !~ ^(GET|HEAD|POST)$) {
     return 444;
@@ -15,3 +18,8 @@ location /. {
     log_not_found off;
     return 404;
 }
+
+# Deny obviously bad requests
+location ~ \.(aspx|asp|jsp|cgi)$ {
+    return 410;
+}
diff --git a/fastcgi.conf → 06-fastcgi.nginxconf b/fastcgi.conf → 06-fastcgi.nginxconf
@@ -1,3 +1,6 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/conf.d/fastcgi.conf
+
 # Tell upstream who is making the request
 proxy_set_header                  Host $host;
 proxy_set_header                  X-Real-IP $remote_addr;
@@ -7,14 +10,17 @@ proxy_redirect                    off;
 # Allow to complete long running requests
 proxy_read_timeout                600s;
 
+# Ensure PHP knows when to use HTTPS
+fastcgi_param  HTTPS              $fastcgi_https;
+
 # Do not cache dynamic content
 expires                           off;
 
 # PHP Settings
 include                           fastcgi_params;
 fastcgi_connect_timeout           15s;
-fastcgi_send_timeout              3600s;
-fastcgi_read_timeout              3600s;
+fastcgi_send_timeout              120s;
+fastcgi_read_timeout              120s;
 
 fastcgi_buffer_size               128k;
 fastcgi_buffers                   512 16k;

diff --git a/drupal.conf → 07-drupal.nginxconf b/drupal.conf → 07-drupal.nginxconf
@@ -1,3 +1,6 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/conf.d/drupal.conf
+
 # Deny access to files the public doesn't need
 location ~* ^.+(\.(txt|log|engine|inc|info|install|make|module|profile|test|po|sh|sql|theme|tpl(\.php)?|xtmpl))$ {
     internal;
@@ -21,8 +24,9 @@ location / {
 
 # Check: http://wiki.nginx.org/Pitfalls
 location ~* (install|update|apc|info)\.php$ {
-    auth_basic "Restricted";
-    auth_basic_user_file .htpasswd;
+    # Uncomment to protect these files
+    #auth_basic "Restricted";
+    #auth_basic_user_file .htpasswd;
 
     # filter out problem conditions
     location ~ \..*/.*\.php$ { return 404; }
@@ -34,14 +38,15 @@ location ~* (install|update|apc|info)\.php$ {
     fastcgi_pass phpfpm;
 }
 
-# Below locations are for image cache
+# D7 location for image cache
 location ~* files/styles {
     access_log off;
     log_not_found off;
     expires max;
     try_files $uri @image_rewrite;
 }
 
+# D6 location for image cache
 location @image_rewrite {
     rewrite ^/(.*)$ /index.php?q=$1;
 }

diff --git a/magento.conf → 08-magento.nginxconf b/magento.conf → 08-magento.nginxconf
@@ -1,3 +1,16 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/conf.d/magento.conf
+
+# Forward Fooman Speedster requests to minify controller
+location /minify/ {
+    rewrite ^/minify/([0-9]+)(/.*\.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;
+}
+
+# Show correct errors caused when a store owner enables built-in minification
+location /skin/m/ {
+    rewrite ^/skin/m/([0-9]+)(/.*.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;
+}
+
 # Deny access to files the public doesn't need
 location ^~ /(app|config|includes|lib|media/customer|media/downloadable|pkginfo|report/config.xml|shell|var)/ {
     internal;
@@ -6,7 +19,6 @@ location ^~ /(app|config|includes|lib|media/customer|media/downloadable|pkginfo|
 # Attempt to serve the request by trying direct file, directory, Magento front controller
 location / {
     try_files $uri $uri/ /index.php?$args;
-    expires max;
 }
 
 # The downloader has its own index.php that needs to be used
@@ -33,7 +45,7 @@ location ~* \.php$ {
     fastcgi_param MAGE_RUN_CODE default;
     fastcgi_param MAGE_RUN_TYPE store;
 
-    # send requests to Upstream, but blacklist media location from fcgi
+    # send requests to Upstream, but blacklist media location from fastcgi
     if ($uri !~ "^/(media)/") {
         fastcgi_pass phpfpm;
     }

diff --git a/wordpress.conf → 09-wordpress.nginxconf b/wordpress.conf → 09-wordpress.nginxconf
@@ -1,3 +1,6 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/conf.d/wordpress.conf
+
 # Deny access to any files with a .php extension in the uploads directory
 # Works in sub-directory installs and also in multisite network
 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
@@ -6,7 +9,6 @@ location ~* /(?:uploads|files)/.*\.php$ {
 }
 
 # Attempted to match last if rules below fail.
-# http://wiki.nginx.org/HttpCoreModule
 location / {
     try_files $uri $uri/ /index.php?$args;
 }

diff --git a/default-site.conf → 10-default-site.nginxconf b/default-site.conf → 10-default-site.nginxconf
@@ -1,3 +1,6 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/sites-enabled/default.conf
+
 server {
     # Server settings
     listen 80;
@@ -9,7 +12,6 @@ server {
     index index.html index.htm index.php;
 
     # security
-    ssl_session_timeout 7m;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_ciphers RC4:HIGH:!aNULL:!MD5;
     ssl_prefer_server_ciphers on;
@@ -19,13 +21,13 @@ server {
     # Logging
     access_log off;
     error_log  /usr/local/var/log/nginx/error.log warn;
-    location = /robots.txt  { access_log off; log_not_found off; }
-    location = /favicon.ico { access_log off; log_not_found off; }
 
     # Routes
+    include /usr/local/etc/nginx/conf.d/security.conf;
+    include /usr/local/etc/nginx/conf.d/assets.conf;
+
+    # Uncomment the desired platform
     #include /usr/local/etc/nginx/conf.d/magento.conf;
     #include /usr/local/etc/nginx/conf.d/drupal.conf;
     #include /usr/local/etc/nginx/conf.d/wordpress.conf;
-    include /usr/local/etc/nginx/conf.d/drop.conf;
-    include /usr/local/etc/nginx/conf.d/assets.conf;
 }
diff --git a/php-fpm.conf → 11-php-fpm.ini b/php-fpm.conf → 11-php-fpm.ini
@@ -1,3 +1,6 @@
+; PHP
+; FILE: /usr/local/etc/php/5.5/php-fpm.conf
+
 ;;;;;;;;;;;;;;;;;;;;;
 ; FPM Configuration ;
 ;;;;;;;;;;;;;;;;;;;;;
@@ -44,4 +47,4 @@ process_control_timeout = 10s
 ; Pool Definitions ;
 ;;;;;;;;;;;;;;;;;;;;
 
-include=/usr/local/etc/php/5.5/pool.d/*.conf
+include=/usr/local/etc/php/5.5/pool.d/*.conf
diff --git a/www.conf → 12-pool-www.ini b/www.conf → 12-pool-www.ini
@@ -1,12 +1,15 @@
+; PHP
+; FILE: /usr/local/etc/php/5.5/pool.d/www.conf
+
 ;;;;;;;;;;;;;;;;;;;;
 ; Pool Definitions ;
 ;;;;;;;;;;;;;;;;;;;;
 
 [www]
 
 ; Unix user/group of processes
-;user  = prm
-;group = staff
+;user  =
+;group =
 
 ; The address on which to accept FastCGI requests.
 listen = /usr/local/var/run/php-fpm.sock
@@ -66,7 +69,7 @@ slowlog = /usr/local/var/log/$pool.log.slow
 ; dumped to the 'slowlog' file. A value of '0s' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
-request_slowlog_timeout = 8s
+request_slowlog_timeout = 2s
 
 ; The timeout for serving a single request after which the worker process will
 ; be killed. This option should be used when the 'max_execution_time' ini option
@@ -102,3 +105,6 @@ catch_workers_output = yes
 ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
 php_flag[display_errors] = on
 php_admin_flag[log_errors] = on
+
+; Only process files with following extensions
+security.limit_extensions = .php .phtml
diff --git a/zzz.ini → 13-zzz.ini b/zzz.ini → 13-zzz.ini
@@ -1,5 +1,7 @@
-; Custom php.ini overrides
+; PHP
+; FILE: /usr/local/etc/php/5.5/conf.d/zzz.ini
 
+; Custom php.ini overrides
 date.timezone = Etc/UTC
 memory_limit = 512M
 display_errors = On

diff --git a/14-my.cnf b/14-my.cnf
@@ -0,0 +1,14 @@
+# MYSQL
+# FILE: ~/.my.cnf
+
+# For advice on how to change settings please see
+# http://dev.mysql.com/doc/refman/5.6/en/server-configuration-defaults.html
+
+[mysqld]
+
+sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES
+
+#
+# Include all files from the config directory
+#
+!includedir /Users/prm/.my.cnf.d
diff --git a/15-client.cnf b/15-client.cnf
@@ -0,0 +1,9 @@
+# MYSQL
+# FILE: ~/.my.cnf.d/client.cnf
+
+#
+# This group is read by the client library. Use it for options that affect all
+# clients, but not the server
+#
+
+[client]
diff --git a/16-server.cnf b/16-server.cnf
@@ -0,0 +1,26 @@
+# MYSQL
+# FILE: ~/.my.cnf.d/server.cnf
+
+#
+# This group is read by the server. Use it for options that only affect the
+# server.
+#
+
+[server]
+
+[mysqld]
+
+# Logging
+general_log = 1
+general_log_file = /usr/local/var/log/mysql/mysql-errors.log
+
+# Query cache
+query_cache_type            = 1
+query_cache_limit           = 2M
+query_cache_size            = 64M
+
+# InnoDB
+innodb_data_file_path       = ibdata1:1G;ibdata2:512M:autoextend
+innodb_autoextend_increment = 512
+innodb_log_file_size        = 512M
+innodb_buffer_pool_size     = 2G
diff --git a/17-dnsmasq.conf b/17-dnsmasq.conf
@@ -0,0 +1,652 @@
+# DNS
+# FILE: /usr/local/etc/dnsmasq.conf
+
+# Configuration file for dnsmasq.
+#
+# Format is one option per line, legal options are the same
+# as the long options legal on the command line. See
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
+
+# Listen on this specific port instead of the standard DNS port
+# (53). Setting this to zero completely disables DNS function,
+# leaving only DHCP and/or TFTP.
+#port=5353
+
+# The following two options make you a better netizen, since they
+# tell dnsmasq to filter out queries which the public DNS cannot
+# answer, and which load the servers (especially the root servers)
+# unnecessarily. If you have a dial-on-demand link they also stop
+# these requests from bringing up the link unnecessarily.
+
+# Never forward plain names (without a dot or domain part)
+#domain-needed
+# Never forward addresses in the non-routed address spaces.
+#bogus-priv
+
+# Uncomment these to enable DNSSEC validation and caching:
+# (Requires dnsmasq to be built with DNSSEC option.)
+#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
+#dnssec
+
+# Replies which are not DNSSEC signed may be legitimate, because the domain
+# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
+# check that an unsigned reply is OK, by finding a secure proof that a DS
+# record somewhere between the root and the domain does not exist.
+# The cost of setting this is that even queries in unsigned domains will need
+# one or more extra DNS queries to verify.
+#dnssec-check-unsigned
+
+# Uncomment this to filter useless windows-originated DNS requests
+# which can trigger dial-on-demand links needlessly.
+# Note that (amongst other things) this blocks all SRV requests,
+# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
+# This option only affects forwarding, SRV records originating for
+# dnsmasq (via srv-host= lines) are not suppressed by it.
+#filterwin2k
+
+# Change this line if you want dns to get its upstream servers from
+# somewhere other that /etc/resolv.conf
+#resolv-file=
+
+# By  default,  dnsmasq  will  send queries to any of the upstream
+# servers it knows about and tries to favour servers to are  known
+# to  be  up.  Uncommenting this forces dnsmasq to try each query
+# with  each  server  strictly  in  the  order  they   appear   in
+# /etc/resolv.conf
+#strict-order
+
+# If you don't want dnsmasq to read /etc/resolv.conf or any other
+# file, getting its servers from this file instead (see below), then
+# uncomment this.
+#no-resolv
+
+# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
+# files for changes and re-read them then uncomment this.
+#no-poll
+
+# Add other name servers here, with domain specs if they are for
+# non-public domains.
+#server=/localnet/192.168.0.1
+
+# Example of routing PTR queries to nameservers: this will send all
+# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
+#server=/3.168.192.in-addr.arpa/10.1.2.3
+
+# Add local-only domains here, queries in these domains are answered
+# from /etc/hosts or DHCP only.
+#local=/localnet/
+
+# Add domains which you want to force to an IP address here.
+# The example below send any host in double-click.net to a local
+# web-server.
+#address=/double-click.net/127.0.0.1
+address=/.dev/127.0.0.1
+
+# --address (and --server) work with IPv6 addresses too.
+#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
+
+# Add the IPs of all queries to yahoo.com, google.com, and their
+# subdomains to the vpn and search ipsets:
+#ipset=/yahoo.com/google.com/vpn,search
+
+# You can control how dnsmasq talks to a server: this forces
+# queries to 10.1.2.3 to be routed via eth1
+# server=10.1.2.3@eth1
+
+# and this sets the source (ie local) address used to talk to
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
+# IP on the machine, obviously).
+# [email protected]#55
+
+# If you want dnsmasq to change uid and gid to something other
+# than the default, edit the following lines.
+#user=
+#group=
+
+# If you want dnsmasq to listen for DHCP and DNS requests only on
+# specified interfaces (and the loopback) give the name of the
+# interface (eg eth0) here.
+# Repeat the line for more than one interface.
+#interface=
+# Or you can specify which interface _not_ to listen on
+#except-interface=
+# Or which to listen on by address (remember to include 127.0.0.1 if
+# you use this.)
+#listen-address=
+# If you want dnsmasq to provide only DNS service on an interface,
+# configure it as shown above, and then use the following line to
+# disable DHCP and TFTP on it.
+#no-dhcp-interface=
+
+# On systems which support it, dnsmasq binds the wildcard address,
+# even when it is listening on only some interfaces. It then discards
+# requests that it shouldn't reply to. This has the advantage of
+# working even when interfaces come and go and change address. If you
+# want dnsmasq to really bind only the interfaces it is listening on,
+# uncomment this option. About the only time you may need this is when
+# running another nameserver on the same machine.
+#bind-interfaces
+
+# If you don't want dnsmasq to read /etc/hosts, uncomment the
+# following line.
+#no-hosts
+# or if you want it to read another file, as well as /etc/hosts, use
+# this.
+#addn-hosts=/etc/banner_add_hosts
+
+# Set this (and domain: see below) if you want to have a domain
+# automatically added to simple names in a hosts-file.
+#expand-hosts
+
+# Set the domain for dnsmasq. this is optional, but if it is set, it
+# does the following things.
+# 1) Allows DHCP hosts to have fully qualified domain names, as long
+#     as the domain part matches this setting.
+# 2) Sets the "domain" DHCP option thereby potentially setting the
+#    domain of all systems configured by DHCP
+# 3) Provides the domain part for "expand-hosts"
+#domain=thekelleys.org.uk
+
+# Set a different domain for a particular subnet
+#domain=wireless.thekelleys.org.uk,192.168.2.0/24
+
+# Same idea, but range rather then subnet
+#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
+
+# Uncomment this to enable the integrated DHCP server, you need
+# to supply the range of addresses available for lease and optionally
+# a lease time. If you have more than one network, you will need to
+# repeat this for each network on which you want to supply DHCP
+# service.
+#dhcp-range=192.168.0.50,192.168.0.150,12h
+
+# This is an example of a DHCP range where the netmask is given. This
+# is needed for networks we reach the dnsmasq DHCP server via a relay
+# agent. If you don't know what a DHCP relay agent is, you probably
+# don't need to worry about this.
+#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
+
+# This is an example of a DHCP range which sets a tag, so that
+# some DHCP options may be set only for this network.
+#dhcp-range=set:red,192.168.0.50,192.168.0.150
+
+# Use this DHCP range only when the tag "green" is set.
+#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
+
+# Specify a subnet which can't be used for dynamic address allocation,
+# is available for hosts with matching --dhcp-host lines. Note that
+# dhcp-host declarations will be ignored unless there is a dhcp-range
+# of some type for the subnet in question.
+# In this case the netmask is implied (it comes from the network
+# configuration on the machine running dnsmasq) it is possible to give
+# an explicit netmask instead.
+#dhcp-range=192.168.0.0,static
+
+# Enable DHCPv6. Note that the prefix-length does not need to be specified
+# and defaults to 64 if missing/
+#dhcp-range=1234::2, 1234::500, 64, 12h
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+#dhcp-range=1234::, ra-only
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
+# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
+# hosts. Use the DHCPv4 lease to derive the name, network segment and
+# MAC address and assume that the host will also have an
+# IPv6 address calculated using the SLAAC alogrithm.
+#dhcp-range=1234::, ra-names
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
+#dhcp-range=1234::, ra-only, 48h
+
+# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
+# so that clients can use SLAAC addresses as well as DHCP ones.
+#dhcp-range=1234::2, 1234::500, slaac
+
+# Do Router Advertisements and stateless DHCP for this subnet. Clients will
+# not get addresses from DHCP, but they will get other configuration information.
+# They will use SLAAC for addresses.
+#dhcp-range=1234::, ra-stateless
+
+# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
+# from DHCPv4 leases.
+#dhcp-range=1234::, ra-stateless, ra-names
+
+# Do router advertisements for all subnets where we're doing DHCPv6
+# Unless overriden by ra-stateless, ra-names, et al, the router
+# advertisements will have the M and O bits set, so that the clients
+# get addresses and configuration from DHCPv6, and the A bit reset, so the
+# clients don't use SLAAC addresses.
+#enable-ra
+
+# Supply parameters for specified hosts using DHCP. There are lots
+# of valid alternatives, so we will give examples of each. Note that
+# IP addresses DO NOT have to be in the range given above, they just
+# need to be on the same network. The order of the parameters in these
+# do not matter, it's permissible to give name, address and MAC in any
+# order.
+
+# Always allocate the host with Ethernet address 11:22:33:44:55:66
+# The IP address 192.168.0.60
+#dhcp-host=11:22:33:44:55:66,192.168.0.60
+
+# Always set the name of the host with hardware address
+# 11:22:33:44:55:66 to be "fred"
+#dhcp-host=11:22:33:44:55:66,fred
+
+# Always give the host with Ethernet address 11:22:33:44:55:66
+# the name fred and IP address 192.168.0.60 and lease time 45 minutes
+#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
+
+# Give a host with Ethernet address 11:22:33:44:55:66 or
+# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
+# that these two Ethernet interfaces will never be in use at the same
+# time, and give the IP address to the second, even if it is already
+# in use by the first. Useful for laptops with wired and wireless
+# addresses.
+#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
+
+# Give the machine which says its name is "bert" IP address
+# 192.168.0.70 and an infinite lease
+#dhcp-host=bert,192.168.0.70,infinite
+
+# Always give the host with client identifier 01:02:02:04
+# the IP address 192.168.0.60
+#dhcp-host=id:01:02:02:04,192.168.0.60
+
+# Always give the host with client identifier "marjorie"
+# the IP address 192.168.0.60
+#dhcp-host=id:marjorie,192.168.0.60
+
+# Enable the address given for "judge" in /etc/hosts
+# to be given to a machine presenting the name "judge" when
+# it asks for a DHCP lease.
+#dhcp-host=judge
+
+# Never offer DHCP service to a machine whose Ethernet
+# address is 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,ignore
+
+# Ignore any client-id presented by the machine with Ethernet
+# address 11:22:33:44:55:66. This is useful to prevent a machine
+# being treated differently when running under different OS's or
+# between PXE boot and OS boot.
+#dhcp-host=11:22:33:44:55:66,id:*
+
+# Send extra options which are tagged as "red" to
+# the machine with Ethernet address 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,set:red
+
+# Send extra options which are tagged as "red" to
+# any machine with Ethernet address starting 11:22:33:
+#dhcp-host=11:22:33:*:*:*,set:red
+
+# Give a fixed IPv6 address and name to client with
+# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
+# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
+# Note also the they [] around the IPv6 address are obilgatory.
+#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
+
+# Ignore any clients which are not specified in dhcp-host lines
+# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
+# This relies on the special "known" tag which is set when
+# a host is matched.
+#dhcp-ignore=tag:!known
+
+# Send extra options which are tagged as "red" to any machine whose
+# DHCP vendorclass string includes the substring "Linux"
+#dhcp-vendorclass=set:red,Linux
+
+# Send extra options which are tagged as "red" to any machine one
+# of whose DHCP userclass strings includes the substring "accounts"
+#dhcp-userclass=set:red,accounts
+
+# Send extra options which are tagged as "red" to any machine whose
+# MAC address matches the pattern.
+#dhcp-mac=set:red,00:60:8C:*:*:*
+
+# If this line is uncommented, dnsmasq will read /etc/ethers and act
+# on the ethernet-address/IP pairs found there just as if they had
+# been given as --dhcp-host options. Useful if you keep
+# MAC-address/host mappings there for other purposes.
+#read-ethers
+
+# Send options to hosts which ask for a DHCP lease.
+# See RFC 2132 for details of available options.
+# Common options can be given to dnsmasq by name:
+# run "dnsmasq --help dhcp" to get a list.
+# Note that all the common settings, such as netmask and
+# broadcast address, DNS server and default route, are given
+# sane defaults by dnsmasq. You very likely will not need
+# any dhcp-options. If you use Windows clients and Samba, there
+# are some options which are recommended, they are detailed at the
+# end of this section.
+
+# Override the default route supplied by dnsmasq, which assumes the
+# router is the same machine as the one running dnsmasq.
+#dhcp-option=3,1.2.3.4
+
+# Do the same thing, but using the option name
+#dhcp-option=option:router,1.2.3.4
+
+# Override the default route supplied by dnsmasq and send no default
+# route at all. Note that this only works for the options sent by
+# default (1, 3, 6, 12, 28) the same line will send a zero-length option
+# for all other option numbers.
+#dhcp-option=3
+
+# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
+#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
+
+# Send DHCPv6 option. Note [] around IPv6 addresses.
+#dhcp-option=option6:dns-server,[1234::77],[1234::88]
+
+# Send DHCPv6 option for namservers as the machine running
+# dnsmasq and another.
+#dhcp-option=option6:dns-server,[::],[1234::88]
+
+# Ask client to poll for option changes every six hours. (RFC4242)
+#dhcp-option=option6:information-refresh-time,6h
+
+# Set the NTP time server address to be the same machine as
+# is running dnsmasq
+#dhcp-option=42,0.0.0.0
+
+# Set the NIS domain name to "welly"
+#dhcp-option=40,welly
+
+# Set the default time-to-live to 50
+#dhcp-option=23,50
+
+# Set the "all subnets are local" flag
+#dhcp-option=27,1
+
+# Send the etherboot magic flag and then etherboot options (a string).
+#dhcp-option=128,e4:45:74:68:00:00
+#dhcp-option=129,NIC=eepro100
+
+# Specify an option which will only be sent to the "red" network
+# (see dhcp-range for the declaration of the "red" network)
+# Note that the tag: part must precede the option: part.
+#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
+
+# The following DHCP options set up dnsmasq in the same way as is specified
+# for the ISC dhcpcd in
+# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+# adapted for a typical dnsmasq installation where the host running
+# dnsmasq is also the host running samba.
+# you may want to uncomment some or all of them if you use
+# Windows clients and Samba.
+#dhcp-option=19,0           # option ip-forwarding off
+#dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
+#dhcp-option=45,0.0.0.0     # netbios datagram distribution server
+#dhcp-option=46,8           # netbios node type
+
+# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
+#dhcp-option=252,"\n"
+
+# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
+# probably doesn't support this......
+#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
+
+# Send RFC-3442 classless static routes (note the netmask encoding)
+#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
+
+# Send vendor-class specific options encapsulated in DHCP option 43.
+# The meaning of the options is defined by the vendor-class so
+# options are sent only when the client supplied vendor class
+# matches the class given here. (A substring match is OK, so "MSFT"
+# matches "MSFT" and "MSFT 5.0"). This example sets the
+# mtftp address to 0.0.0.0 for PXEClients.
+#dhcp-option=vendor:PXEClient,1,0.0.0.0
+
+# Send microsoft-specific option to tell windows to release the DHCP lease
+# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
+# value as a four-byte integer - that's what microsoft wants. See
+# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
+#dhcp-option=vendor:MSFT,2,1i
+
+# Send the Encapsulated-vendor-class ID needed by some configurations of
+# Etherboot to allow is to recognise the DHCP server.
+#dhcp-option=vendor:Etherboot,60,"Etherboot"
+
+# Send options to PXELinux. Note that we need to send the options even
+# though they don't appear in the parameter request list, so we need
+# to use dhcp-option-force here.
+# See http://syslinux.zytor.com/pxe.php#special for details.
+# Magic number - needed before anything else is recognised
+#dhcp-option-force=208,f1:00:74:7e
+# Configuration file name
+#dhcp-option-force=209,configs/common
+# Path prefix
+#dhcp-option-force=210,/tftpboot/pxelinux/files/
+# Reboot time. (Note 'i' to send 32-bit value)
+#dhcp-option-force=211,30i
+
+# Set the boot filename for netboot/PXE. You will only need
+# this is you want to boot machines over the network and you will need
+# a TFTP server; either dnsmasq's built in TFTP server or an
+# external one. (See below for how to enable the TFTP server.)
+#dhcp-boot=pxelinux.0
+
+# The same as above, but use custom tftp-server instead machine running dnsmasq
+#dhcp-boot=pxelinux,server.name,192.168.1.100
+
+# Boot for Etherboot gPXE. The idea is to send two different
+# filenames, the first loads gPXE, and the second tells gPXE what to
+# load. The dhcp-match sets the gpxe tag for requests from gPXE.
+#dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
+#dhcp-boot=tag:!gpxe,undionly.kpxe
+#dhcp-boot=mybootimage
+
+# Encapsulated options for Etherboot gPXE. All the options are
+# encapsulated within option 175
+#dhcp-option=encap:175, 1, 5b         # priority code
+#dhcp-option=encap:175, 176, 1b       # no-proxydhcp
+#dhcp-option=encap:175, 177, string   # bus-id
+#dhcp-option=encap:175, 189, 1b       # BIOS drive code
+#dhcp-option=encap:175, 190, user     # iSCSI username
+#dhcp-option=encap:175, 191, pass     # iSCSI password
+
+# Test for the architecture of a netboot client. PXE clients are
+# supposed to send their architecture as option 93. (See RFC 4578)
+#dhcp-match=peecees, option:client-arch, 0 #x86-32
+#dhcp-match=itanics, option:client-arch, 2 #IA64
+#dhcp-match=hammers, option:client-arch, 6 #x86-64
+#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
+
+# Do real PXE, rather than just booting a single file, this is an
+# alternative to dhcp-boot.
+#pxe-prompt="What system shall I netboot?"
+# or with timeout before first available action is taken:
+#pxe-prompt="Press F8 for menu.", 60
+
+# Available boot services. for PXE.
+#pxe-service=x86PC, "Boot from local disk"
+
+# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
+#pxe-service=x86PC, "Install Linux", pxelinux
+
+# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
+# Beware this fails on old PXE ROMS.
+#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
+
+# Use bootserver on network, found my multicast or broadcast.
+#pxe-service=x86PC, "Install windows from RIS server", 1
+
+# Use bootserver at a known IP address.
+#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
+
+# If you have multicast-FTP available,
+# information for that can be passed in a similar way using options 1
+# to 5. See page 19 of
+# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
+
+
+# Enable dnsmasq's built-in TFTP server
+#enable-tftp
+
+# Set the root directory for files available via FTP.
+#tftp-root=/var/ftpd
+
+# Make the TFTP server more secure: with this set, only files owned by
+# the user dnsmasq is running as will be send over the net.
+#tftp-secure
+
+# This option stops dnsmasq from negotiating a larger blocksize for TFTP
+# transfers. It will slow things down, but may rescue some broken TFTP
+# clients.
+#tftp-no-blocksize
+
+# Set the boot file name only when the "red" tag is set.
+#dhcp-boot=tag:red,pxelinux.red-net
+
+# An example of dhcp-boot with an external TFTP server: the name and IP
+# address of the server are given after the filename.
+# Can fail with old PXE ROMS. Overridden by --pxe-service.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
+
+# If there are multiple external tftp servers having a same name
+# (using /etc/hosts) then that name can be specified as the
+# tftp_servername (the third option to dhcp-boot) and in that
+# case dnsmasq resolves this name and returns the resultant IP
+# addresses in round robin fasion. This facility can be used to
+# load balance the tftp load among a set of servers.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
+
+# Set the limit on DHCP leases, the default is 150
+#dhcp-lease-max=150
+
+# The DHCP server needs somewhere on disk to keep its lease database.
+# This defaults to a sane location, but if you want to change it, use
+# the line below.
+#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+
+# Set the DHCP server to authoritative mode. In this mode it will barge in
+# and take over the lease for any client which broadcasts on the network,
+# whether it has a record of the lease or not. This avoids long timeouts
+# when a machine wakes up on a new network. DO NOT enable this if there's
+# the slightest chance that you might end up accidentally configuring a DHCP
+# server for your campus/company accidentally. The ISC server uses
+# the same option, and this URL provides more information:
+# http://www.isc.org/files/auth.html
+#dhcp-authoritative
+
+# Run an executable when a DHCP lease is created or destroyed.
+# The arguments sent to the script are "add" or "del",
+# then the MAC address, the IP address and finally the hostname
+# if there is one.
+#dhcp-script=/bin/echo
+
+# Set the cachesize here.
+#cache-size=150
+
+# If you want to disable negative caching, uncomment this.
+#no-negcache
+
+# Normally responses which come from /etc/hosts and the DHCP lease
+# file have Time-To-Live set as zero, which conventionally means
+# do not cache further. If you are happy to trade lower load on the
+# server for potentially stale date, you can set a time-to-live (in
+# seconds) here.
+#local-ttl=
+
+# If you want dnsmasq to detect attempts by Verisign to send queries
+# to unregistered .com and .net hosts to its sitefinder service and
+# have dnsmasq instead return the correct NXDOMAIN response, uncomment
+# this line. You can add similar lines to do the same for other
+# registries which have implemented wildcard A records.
+#bogus-nxdomain=64.94.110.11
+
+# If you want to fix up DNS results from upstream servers, use the
+# alias option. This only works for IPv4.
+# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
+#alias=1.2.3.4,5.6.7.8
+# and this maps 1.2.3.x to 5.6.7.x
+#alias=1.2.3.0,5.6.7.0,255.255.255.0
+# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
+#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+
+# Change these lines if you want dnsmasq to serve MX records.
+
+# Return an MX record named "maildomain.com" with target
+# servermachine.com and preference 50
+#mx-host=maildomain.com,servermachine.com,50
+
+# Set the default target for MX records created using the localmx option.
+#mx-target=servermachine.com
+
+# Return an MX record pointing to the mx-target for all local
+# machines.
+#localmx
+
+# Return an MX record pointing to itself for all local machines.
+#selfmx
+
+# Change the following lines if you want dnsmasq to serve SRV
+# records.  These are useful if you want to serve ldap requests for
+# Active Directory and other windows-originated DNS requests.
+# See RFC 2782.
+# You may add multiple srv-host lines.
+# The fields are <name>,<target>,<port>,<priority>,<weight>
+# If the domain part if missing from the name (so that is just has the
+# service and protocol sections) then the domain given by the domain=
+# config option is used. (Note that expand-hosts does not need to be
+# set for this to work.)
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389 (using domain=)
+#domain=example.com
+#srv-host=_ldap._tcp,ldapserver.example.com,389
+
+# Two SRV records for LDAP, each with different priorities
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
+
+# A SRV record indicating that there is no LDAP server for the domain
+# example.com
+#srv-host=_ldap._tcp.example.com
+
+# The following line shows how to make dnsmasq serve an arbitrary PTR
+# record. This is useful for DNS-SD. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for PTR records.)
+#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
+
+# Change the following lines to enable dnsmasq to serve TXT records.
+# These are used for things like SPF and zeroconf. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for TXT records.)
+
+#Example SPF.
+#txt-record=example.com,"v=spf1 a -all"
+
+#Example zeroconf
+#txt-record=_http._tcp.example.com,name=value,paper=A4
+
+# Provide an alias for a "local" DNS name. Note that this _only_ works
+# for targets which are names from DHCP or /etc/hosts. Give host
+# "bert" another name, bertrand
+#cname=bertand,bert
+
+# For debugging purposes, log each DNS query as it passes through
+# dnsmasq.
+#log-queries
+
+# Log lots of extra information about DHCP transactions.
+#log-dhcp
+
+# Include another lot of configuration options.
+#conf-file=/etc/dnsmasq.more.conf
+#conf-dir=/etc/dnsmasq.d
+
+# Include all the files in a directory except those ending in .bak
+#conf-dir=/etc/dnsmasq.d,.bak
+
+# Include all files in a directory which end in .conf
+#conf-dir=/etc/dnsmasq.d/*.conf
diff --git a/18-resolver.conf b/18-resolver.conf
@@ -0,0 +1,6 @@
+# DNS
+# FILE: /etc/resolver/dev
+
+nameserver 127.0.0.1
+domain dev
+search_order 1
diff --git a/01-README.md b/01-README.md
@@ -0,0 +1,72 @@
+# Mac OS X LEMP Configuration
+
+[This Gist](https://gist.github.com/petemcw/9265670) is a collection of configuration files that can be used to easily setup a [Homebrew](http://brew.sh/)-based LEMP stack on Mac OS X.
+
+Files in this repository are numbered and named for ordering purposes only. At the top of each file is a section of metadata that denote what component the file belongs to and the default name & location of the file. Feel free to implement it however you want.
+
+## Nginx
+
+Files numbered `02` through `10` are [Nginx](http://nginx.org/) configuration files. If you haven't already, install via Homebrew:
+
+```bash
+brew install nginx
+```
+
+### Running on Port 80
+
+To run Nginx on as your primary web server on port 80, the configuration files need to be owned and run as the user `root`. I have found it easiest to use the system's `LaunchAgents` directory rather than the one in my user's folder.
+
+```bash
+sudo cp /usr/local/opt/nginx/*.plist /Library/LaunchAgents
+sudo chown root:wheel /Library/LaunchAgents/*.plist
+```
+
+## PHP
+
+Files numbered `11` through `13` are [PHP-FPM](http://php-fpm.org/) configuration files. If you haven't already, install via Homebrew:
+
+```bash
+brew install php55 --with-fpm --without-apache
+brew install php55-mcrypt
+brew install php55-ioncubeloader
+```
+
+## MySQL
+
+Files numbered `14` through `16` are [MySQL](http://www.percona.com/software/percona-server) configuration files. I personally use Percona Server as my flavor of MySQL. If you haven't already, install via Homebrew:
+
+```bash
+brew install percona-server
+```
+
+Before you start the MySQL service, create the configuration directory and place the configuration files:
+
+```bash
+mkdir -p ~/.my.cnf.d/
+```
+
+**Note:** if you have trouble getting MySQL to start, you probably need to remove the default `ib_logfile` and `ibdata` files in `/usr/local/var/mysql`.
+
+## dnsmasq
+
+Files numbered `17` through `18` are [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) configuration files. If you haven't already, install via Homebrew:
+
+```bash
+brew install dnsmasq
+```
+
+DNS takes slightly more setup than the others. You'll need to create the configuration files and update with the edited one from this repo:
+
+```bash
+sudo mkdir -p /etc/resolver/
+sudo touch /etc/resolver/dev
+touch /usr/local/etc/dnsmasq.conf
+```
+
+Then you'll want to flush your local DNS cache to ensure `dnsmasq` takes over:
+
+```bash
+sudo launchctl unload /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
+sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
+dscacheutil -flushcache
+```
diff --git a/nginx.conf → 02-nginx.nginxconf b/nginx.conf → 02-nginx.nginxconf
@@ -1,20 +1,23 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/nginx.conf
+
 #----------------------------------------------------------------------
-#  http://wiki.nginx.org/NginxMainModule
+#  http://nginx.org/en/docs/ngx_core_module.html
 #----------------------------------------------------------------------
 user prm staff;
 worker_processes 2;
 pid /usr/local/var/run/nginx/nginx.pid;
 
 #----------------------------------------------------------------------
-# http://wiki.nginx.org/NginxEventsModule
+# http://nginx.org/en/docs/ngx_core_module.html#events
 #----------------------------------------------------------------------
 events {
     worker_connections 1024;
     accept_mutex off;
 }
 
 #----------------------------------------------------------------------
-# http://wiki.nginx.org/NginxHttpCoreModule
+# http://nginx.org/en/docs/http/ngx_http_core_module.html
 #----------------------------------------------------------------------
 http {
     include mime.types;
@@ -38,14 +41,15 @@ http {
     gzip_min_length 10240;
     gzip_proxied any;
     gzip_static on;
-    gzip_types text/plain text/css application/x-javascript text/comma-separated-values text/xml application/xml application/xml+rss application/atom+xml text/javascript;
+    gzip_types text/plain text/css application/x-javascript text/comma-separated-values
+        text/xml application/xml application/xml+rss application/atom+xml text/javascript;
     gzip_vary on;
 
     # general options
     client_body_buffer_size 512k;
     client_body_timeout 15;
     client_header_timeout 15;
-    client_max_body_size 24m;
+    client_max_body_size 64m;
     ignore_invalid_headers on;
     keepalive_timeout 2 2;
     keepalive_requests 200;
@@ -62,12 +66,6 @@ http {
     types_hash_max_size 2048;
     underscores_in_headers on;
 
-    # cache options
-    #open_file_cache max=10000 inactive=30s;
-    #open_file_cache_valid 5m;
-    #open_file_cache_min_uses 5;
-    #open_file_cache_errors off;
-
     # detect https
     map $scheme $fastcgi_https {
         default "";
@@ -77,8 +75,6 @@ http {
     # PHP-FPM
     upstream phpfpm {
         server unix:/usr/local/var/run/php-fpm.sock;
-        #server unix:/var/run/php-fpm/php-fpm.sock1 weight=1 max_fails=5 fail_timeout=10;
-        #server unix:/var/run/php-fpm/php-fpm.sock2 weight=1 max_fails=5 fail_timeout=10;
         #server 127.0.0.1:9000;
     }
 

diff --git a/fastcgi_params → 03-fastcgi_params.nginxconf b/fastcgi_params → 03-fastcgi_params.nginxconf
@@ -1,3 +1,6 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/fastcgi_params
+
 fastcgi_param  QUERY_STRING       $query_string;
 fastcgi_param  REQUEST_METHOD     $request_method;
 fastcgi_param  CONTENT_TYPE       $content_type;
@@ -20,4 +23,4 @@ fastcgi_param  SERVER_PORT        $server_port;
 fastcgi_param  SERVER_NAME        $server_name;
 
 # PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param  REDIRECT_STATUS    200;
+fastcgi_param  REDIRECT_STATUS    200;
diff --git a/assets.conf → 04-assets.nginxconf b/assets.conf → 04-assets.nginxconf
@@ -1,8 +1,13 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/conf.d/assets.conf
+
 # Directives to send expires headers and turn off 404 error logging for Static assets
 location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpe?g|gif|png|ico|zip|pdf|t?gz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|swf|bmp|txt|rtf|md)$ {
     access_log off;
     log_not_found off;
     expires max;
+
+    # CORS headers; this is wide-open, you want to tight it up a bit
     add_header Cache-Control public;
     add_header Access-Control-Allow-Origin *;
     add_header Access-Control-Allow-Methods GET,OPTIONS;

diff --git a/drop.conf → 05-security.nginxconf b/drop.conf → 05-security.nginxconf
@@ -1,3 +1,6 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/conf.d/security.conf
+
 # Disable all methods besides HEAD, GET, and POST
 if ($request_method !~ ^(GET|HEAD|POST)$) {
     return 444;
@@ -15,3 +18,8 @@ location /. {
     log_not_found off;
     return 404;
 }
+
+# Deny obviously bad requests
+location ~ \.(aspx|asp|jsp|cgi)$ {
+    return 410;
+}
diff --git a/fastcgi.conf → 06-fastcgi.nginxconf b/fastcgi.conf → 06-fastcgi.nginxconf
@@ -1,3 +1,6 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/conf.d/fastcgi.conf
+
 # Tell upstream who is making the request
 proxy_set_header                  Host $host;
 proxy_set_header                  X-Real-IP $remote_addr;
@@ -7,14 +10,17 @@ proxy_redirect                    off;
 # Allow to complete long running requests
 proxy_read_timeout                600s;
 
+# Ensure PHP knows when to use HTTPS
+fastcgi_param  HTTPS              $fastcgi_https;
+
 # Do not cache dynamic content
 expires                           off;
 
 # PHP Settings
 include                           fastcgi_params;
 fastcgi_connect_timeout           15s;
-fastcgi_send_timeout              3600s;
-fastcgi_read_timeout              3600s;
+fastcgi_send_timeout              120s;
+fastcgi_read_timeout              120s;
 
 fastcgi_buffer_size               128k;
 fastcgi_buffers                   512 16k;

diff --git a/drupal.conf → 07-drupal.nginxconf b/drupal.conf → 07-drupal.nginxconf
@@ -1,3 +1,6 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/conf.d/drupal.conf
+
 # Deny access to files the public doesn't need
 location ~* ^.+(\.(txt|log|engine|inc|info|install|make|module|profile|test|po|sh|sql|theme|tpl(\.php)?|xtmpl))$ {
     internal;
@@ -21,8 +24,9 @@ location / {
 
 # Check: http://wiki.nginx.org/Pitfalls
 location ~* (install|update|apc|info)\.php$ {
-    auth_basic "Restricted";
-    auth_basic_user_file .htpasswd;
+    # Uncomment to protect these files
+    #auth_basic "Restricted";
+    #auth_basic_user_file .htpasswd;
 
     # filter out problem conditions
     location ~ \..*/.*\.php$ { return 404; }
@@ -34,14 +38,15 @@ location ~* (install|update|apc|info)\.php$ {
     fastcgi_pass phpfpm;
 }
 
-# Below locations are for image cache
+# D7 location for image cache
 location ~* files/styles {
     access_log off;
     log_not_found off;
     expires max;
     try_files $uri @image_rewrite;
 }
 
+# D6 location for image cache
 location @image_rewrite {
     rewrite ^/(.*)$ /index.php?q=$1;
 }

diff --git a/magento.conf → 08-magento.nginxconf b/magento.conf → 08-magento.nginxconf
@@ -1,3 +1,16 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/conf.d/magento.conf
+
+# Forward Fooman Speedster requests to minify controller
+location /minify/ {
+    rewrite ^/minify/([0-9]+)(/.*\.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;
+}
+
+# Show correct errors caused when a store owner enables built-in minification
+location /skin/m/ {
+    rewrite ^/skin/m/([0-9]+)(/.*.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;
+}
+
 # Deny access to files the public doesn't need
 location ^~ /(app|config|includes|lib|media/customer|media/downloadable|pkginfo|report/config.xml|shell|var)/ {
     internal;
@@ -6,7 +19,6 @@ location ^~ /(app|config|includes|lib|media/customer|media/downloadable|pkginfo|
 # Attempt to serve the request by trying direct file, directory, Magento front controller
 location / {
     try_files $uri $uri/ /index.php?$args;
-    expires max;
 }
 
 # The downloader has its own index.php that needs to be used
@@ -33,7 +45,7 @@ location ~* \.php$ {
     fastcgi_param MAGE_RUN_CODE default;
     fastcgi_param MAGE_RUN_TYPE store;
 
-    # send requests to Upstream, but blacklist media location from fcgi
+    # send requests to Upstream, but blacklist media location from fastcgi
     if ($uri !~ "^/(media)/") {
         fastcgi_pass phpfpm;
     }

diff --git a/wordpress.conf → 09-wordpress.nginxconf b/wordpress.conf → 09-wordpress.nginxconf
@@ -1,3 +1,6 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/conf.d/wordpress.conf
+
 # Deny access to any files with a .php extension in the uploads directory
 # Works in sub-directory installs and also in multisite network
 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
@@ -6,7 +9,6 @@ location ~* /(?:uploads|files)/.*\.php$ {
 }
 
 # Attempted to match last if rules below fail.
-# http://wiki.nginx.org/HttpCoreModule
 location / {
     try_files $uri $uri/ /index.php?$args;
 }

diff --git a/default-site.conf → 10-default-site.nginxconf b/default-site.conf → 10-default-site.nginxconf
@@ -1,3 +1,6 @@
+# NGINX
+# FILE: /usr/local/etc/nginx/sites-enabled/default.conf
+
 server {
     # Server settings
     listen 80;
@@ -9,7 +12,6 @@ server {
     index index.html index.htm index.php;
 
     # security
-    ssl_session_timeout 7m;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_ciphers RC4:HIGH:!aNULL:!MD5;
     ssl_prefer_server_ciphers on;
@@ -19,13 +21,13 @@ server {
     # Logging
     access_log off;
     error_log  /usr/local/var/log/nginx/error.log warn;
-    location = /robots.txt  { access_log off; log_not_found off; }
-    location = /favicon.ico { access_log off; log_not_found off; }
 
     # Routes
+    include /usr/local/etc/nginx/conf.d/security.conf;
+    include /usr/local/etc/nginx/conf.d/assets.conf;
+
+    # Uncomment the desired platform
     #include /usr/local/etc/nginx/conf.d/magento.conf;
     #include /usr/local/etc/nginx/conf.d/drupal.conf;
     #include /usr/local/etc/nginx/conf.d/wordpress.conf;
-    include /usr/local/etc/nginx/conf.d/drop.conf;
-    include /usr/local/etc/nginx/conf.d/assets.conf;
 }
diff --git a/php-fpm.conf → 11-php-fpm.ini b/php-fpm.conf → 11-php-fpm.ini
@@ -1,3 +1,6 @@
+; PHP
+; FILE: /usr/local/etc/php/5.5/php-fpm.conf
+
 ;;;;;;;;;;;;;;;;;;;;;
 ; FPM Configuration ;
 ;;;;;;;;;;;;;;;;;;;;;
@@ -44,4 +47,4 @@ process_control_timeout = 10s
 ; Pool Definitions ;
 ;;;;;;;;;;;;;;;;;;;;
 
-include=/usr/local/etc/php/5.5/pool.d/*.conf
+include=/usr/local/etc/php/5.5/pool.d/*.conf
diff --git a/www.conf → 12-pool-www.ini b/www.conf → 12-pool-www.ini
@@ -1,12 +1,15 @@
+; PHP
+; FILE: /usr/local/etc/php/5.5/pool.d/www.conf
+
 ;;;;;;;;;;;;;;;;;;;;
 ; Pool Definitions ;
 ;;;;;;;;;;;;;;;;;;;;
 
 [www]
 
 ; Unix user/group of processes
-;user  = prm
-;group = staff
+;user  =
+;group =
 
 ; The address on which to accept FastCGI requests.
 listen = /usr/local/var/run/php-fpm.sock
@@ -66,7 +69,7 @@ slowlog = /usr/local/var/log/$pool.log.slow
 ; dumped to the 'slowlog' file. A value of '0s' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
-request_slowlog_timeout = 8s
+request_slowlog_timeout = 2s
 
 ; The timeout for serving a single request after which the worker process will
 ; be killed. This option should be used when the 'max_execution_time' ini option
@@ -102,3 +105,6 @@ catch_workers_output = yes
 ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
 php_flag[display_errors] = on
 php_admin_flag[log_errors] = on
+
+; Only process files with following extensions
+security.limit_extensions = .php .phtml
diff --git a/zzz.ini → 13-zzz.ini b/zzz.ini → 13-zzz.ini
@@ -1,5 +1,7 @@
-; Custom php.ini overrides
+; PHP
+; FILE: /usr/local/etc/php/5.5/conf.d/zzz.ini
 
+; Custom php.ini overrides
 date.timezone = Etc/UTC
 memory_limit = 512M
 display_errors = On

diff --git a/14-my.cnf b/14-my.cnf
@@ -0,0 +1,14 @@
+# MYSQL
+# FILE: ~/.my.cnf
+
+# For advice on how to change settings please see
+# http://dev.mysql.com/doc/refman/5.6/en/server-configuration-defaults.html
+
+[mysqld]
+
+sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES
+
+#
+# Include all files from the config directory
+#
+!includedir /Users/prm/.my.cnf.d
diff --git a/15-client.cnf b/15-client.cnf
@@ -0,0 +1,9 @@
+# MYSQL
+# FILE: ~/.my.cnf.d/client.cnf
+
+#
+# This group is read by the client library. Use it for options that affect all
+# clients, but not the server
+#
+
+[client]
diff --git a/16-server.cnf b/16-server.cnf
@@ -0,0 +1,26 @@
+# MYSQL
+# FILE: ~/.my.cnf.d/server.cnf
+
+#
+# This group is read by the server. Use it for options that only affect the
+# server.
+#
+
+[server]
+
+[mysqld]
+
+# Logging
+general_log = 1
+general_log_file = /usr/local/var/log/mysql/mysql-errors.log
+
+# Query cache
+query_cache_type            = 1
+query_cache_limit           = 2M
+query_cache_size            = 64M
+
+# InnoDB
+innodb_data_file_path       = ibdata1:1G;ibdata2:512M:autoextend
+innodb_autoextend_increment = 512
+innodb_log_file_size        = 512M
+innodb_buffer_pool_size     = 2G
diff --git a/17-dnsmasq.conf b/17-dnsmasq.conf
@@ -0,0 +1,652 @@
+# DNS
+# FILE: /usr/local/etc/dnsmasq.conf
+
+# Configuration file for dnsmasq.
+#
+# Format is one option per line, legal options are the same
+# as the long options legal on the command line. See
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
+
+# Listen on this specific port instead of the standard DNS port
+# (53). Setting this to zero completely disables DNS function,
+# leaving only DHCP and/or TFTP.
+#port=5353
+
+# The following two options make you a better netizen, since they
+# tell dnsmasq to filter out queries which the public DNS cannot
+# answer, and which load the servers (especially the root servers)
+# unnecessarily. If you have a dial-on-demand link they also stop
+# these requests from bringing up the link unnecessarily.
+
+# Never forward plain names (without a dot or domain part)
+#domain-needed
+# Never forward addresses in the non-routed address spaces.
+#bogus-priv
+
+# Uncomment these to enable DNSSEC validation and caching:
+# (Requires dnsmasq to be built with DNSSEC option.)
+#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
+#dnssec
+
+# Replies which are not DNSSEC signed may be legitimate, because the domain
+# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
+# check that an unsigned reply is OK, by finding a secure proof that a DS
+# record somewhere between the root and the domain does not exist.
+# The cost of setting this is that even queries in unsigned domains will need
+# one or more extra DNS queries to verify.
+#dnssec-check-unsigned
+
+# Uncomment this to filter useless windows-originated DNS requests
+# which can trigger dial-on-demand links needlessly.
+# Note that (amongst other things) this blocks all SRV requests,
+# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
+# This option only affects forwarding, SRV records originating for
+# dnsmasq (via srv-host= lines) are not suppressed by it.
+#filterwin2k
+
+# Change this line if you want dns to get its upstream servers from
+# somewhere other that /etc/resolv.conf
+#resolv-file=
+
+# By  default,  dnsmasq  will  send queries to any of the upstream
+# servers it knows about and tries to favour servers to are  known
+# to  be  up.  Uncommenting this forces dnsmasq to try each query
+# with  each  server  strictly  in  the  order  they   appear   in
+# /etc/resolv.conf
+#strict-order
+
+# If you don't want dnsmasq to read /etc/resolv.conf or any other
+# file, getting its servers from this file instead (see below), then
+# uncomment this.
+#no-resolv
+
+# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
+# files for changes and re-read them then uncomment this.
+#no-poll
+
+# Add other name servers here, with domain specs if they are for
+# non-public domains.
+#server=/localnet/192.168.0.1
+
+# Example of routing PTR queries to nameservers: this will send all
+# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
+#server=/3.168.192.in-addr.arpa/10.1.2.3
+
+# Add local-only domains here, queries in these domains are answered
+# from /etc/hosts or DHCP only.
+#local=/localnet/
+
+# Add domains which you want to force to an IP address here.
+# The example below send any host in double-click.net to a local
+# web-server.
+#address=/double-click.net/127.0.0.1
+address=/.dev/127.0.0.1
+
+# --address (and --server) work with IPv6 addresses too.
+#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
+
+# Add the IPs of all queries to yahoo.com, google.com, and their
+# subdomains to the vpn and search ipsets:
+#ipset=/yahoo.com/google.com/vpn,search
+
+# You can control how dnsmasq talks to a server: this forces
+# queries to 10.1.2.3 to be routed via eth1
+# server=10.1.2.3@eth1
+
+# and this sets the source (ie local) address used to talk to
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
+# IP on the machine, obviously).
+# [email protected]#55
+
+# If you want dnsmasq to change uid and gid to something other
+# than the default, edit the following lines.
+#user=
+#group=
+
+# If you want dnsmasq to listen for DHCP and DNS requests only on
+# specified interfaces (and the loopback) give the name of the
+# interface (eg eth0) here.
+# Repeat the line for more than one interface.
+#interface=
+# Or you can specify which interface _not_ to listen on
+#except-interface=
+# Or which to listen on by address (remember to include 127.0.0.1 if
+# you use this.)
+#listen-address=
+# If you want dnsmasq to provide only DNS service on an interface,
+# configure it as shown above, and then use the following line to
+# disable DHCP and TFTP on it.
+#no-dhcp-interface=
+
+# On systems which support it, dnsmasq binds the wildcard address,
+# even when it is listening on only some interfaces. It then discards
+# requests that it shouldn't reply to. This has the advantage of
+# working even when interfaces come and go and change address. If you
+# want dnsmasq to really bind only the interfaces it is listening on,
+# uncomment this option. About the only time you may need this is when
+# running another nameserver on the same machine.
+#bind-interfaces
+
+# If you don't want dnsmasq to read /etc/hosts, uncomment the
+# following line.
+#no-hosts
+# or if you want it to read another file, as well as /etc/hosts, use
+# this.
+#addn-hosts=/etc/banner_add_hosts
+
+# Set this (and domain: see below) if you want to have a domain
+# automatically added to simple names in a hosts-file.
+#expand-hosts
+
+# Set the domain for dnsmasq. this is optional, but if it is set, it
+# does the following things.
+# 1) Allows DHCP hosts to have fully qualified domain names, as long
+#     as the domain part matches this setting.
+# 2) Sets the "domain" DHCP option thereby potentially setting the
+#    domain of all systems configured by DHCP
+# 3) Provides the domain part for "expand-hosts"
+#domain=thekelleys.org.uk
+
+# Set a different domain for a particular subnet
+#domain=wireless.thekelleys.org.uk,192.168.2.0/24
+
+# Same idea, but range rather then subnet
+#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
+
+# Uncomment this to enable the integrated DHCP server, you need
+# to supply the range of addresses available for lease and optionally
+# a lease time. If you have more than one network, you will need to
+# repeat this for each network on which you want to supply DHCP
+# service.
+#dhcp-range=192.168.0.50,192.168.0.150,12h
+
+# This is an example of a DHCP range where the netmask is given. This
+# is needed for networks we reach the dnsmasq DHCP server via a relay
+# agent. If you don't know what a DHCP relay agent is, you probably
+# don't need to worry about this.
+#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
+
+# This is an example of a DHCP range which sets a tag, so that
+# some DHCP options may be set only for this network.
+#dhcp-range=set:red,192.168.0.50,192.168.0.150
+
+# Use this DHCP range only when the tag "green" is set.
+#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
+
+# Specify a subnet which can't be used for dynamic address allocation,
+# is available for hosts with matching --dhcp-host lines. Note that
+# dhcp-host declarations will be ignored unless there is a dhcp-range
+# of some type for the subnet in question.
+# In this case the netmask is implied (it comes from the network
+# configuration on the machine running dnsmasq) it is possible to give
+# an explicit netmask instead.
+#dhcp-range=192.168.0.0,static
+
+# Enable DHCPv6. Note that the prefix-length does not need to be specified
+# and defaults to 64 if missing/
+#dhcp-range=1234::2, 1234::500, 64, 12h
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+#dhcp-range=1234::, ra-only
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
+# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
+# hosts. Use the DHCPv4 lease to derive the name, network segment and
+# MAC address and assume that the host will also have an
+# IPv6 address calculated using the SLAAC alogrithm.
+#dhcp-range=1234::, ra-names
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
+#dhcp-range=1234::, ra-only, 48h
+
+# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
+# so that clients can use SLAAC addresses as well as DHCP ones.
+#dhcp-range=1234::2, 1234::500, slaac
+
+# Do Router Advertisements and stateless DHCP for this subnet. Clients will
+# not get addresses from DHCP, but they will get other configuration information.
+# They will use SLAAC for addresses.
+#dhcp-range=1234::, ra-stateless
+
+# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
+# from DHCPv4 leases.
+#dhcp-range=1234::, ra-stateless, ra-names
+
+# Do router advertisements for all subnets where we're doing DHCPv6
+# Unless overriden by ra-stateless, ra-names, et al, the router
+# advertisements will have the M and O bits set, so that the clients
+# get addresses and configuration from DHCPv6, and the A bit reset, so the
+# clients don't use SLAAC addresses.
+#enable-ra
+
+# Supply parameters for specified hosts using DHCP. There are lots
+# of valid alternatives, so we will give examples of each. Note that
+# IP addresses DO NOT have to be in the range given above, they just
+# need to be on the same network. The order of the parameters in these
+# do not matter, it's permissible to give name, address and MAC in any
+# order.
+
+# Always allocate the host with Ethernet address 11:22:33:44:55:66
+# The IP address 192.168.0.60
+#dhcp-host=11:22:33:44:55:66,192.168.0.60
+
+# Always set the name of the host with hardware address
+# 11:22:33:44:55:66 to be "fred"
+#dhcp-host=11:22:33:44:55:66,fred
+
+# Always give the host with Ethernet address 11:22:33:44:55:66
+# the name fred and IP address 192.168.0.60 and lease time 45 minutes
+#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
+
+# Give a host with Ethernet address 11:22:33:44:55:66 or
+# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
+# that these two Ethernet interfaces will never be in use at the same
+# time, and give the IP address to the second, even if it is already
+# in use by the first. Useful for laptops with wired and wireless
+# addresses.
+#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
+
+# Give the machine which says its name is "bert" IP address
+# 192.168.0.70 and an infinite lease
+#dhcp-host=bert,192.168.0.70,infinite
+
+# Always give the host with client identifier 01:02:02:04
+# the IP address 192.168.0.60
+#dhcp-host=id:01:02:02:04,192.168.0.60
+
+# Always give the host with client identifier "marjorie"
+# the IP address 192.168.0.60
+#dhcp-host=id:marjorie,192.168.0.60
+
+# Enable the address given for "judge" in /etc/hosts
+# to be given to a machine presenting the name "judge" when
+# it asks for a DHCP lease.
+#dhcp-host=judge
+
+# Never offer DHCP service to a machine whose Ethernet
+# address is 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,ignore
+
+# Ignore any client-id presented by the machine with Ethernet
+# address 11:22:33:44:55:66. This is useful to prevent a machine
+# being treated differently when running under different OS's or
+# between PXE boot and OS boot.
+#dhcp-host=11:22:33:44:55:66,id:*
+
+# Send extra options which are tagged as "red" to
+# the machine with Ethernet address 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,set:red
+
+# Send extra options which are tagged as "red" to
+# any machine with Ethernet address starting 11:22:33:
+#dhcp-host=11:22:33:*:*:*,set:red
+
+# Give a fixed IPv6 address and name to client with
+# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
+# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
+# Note also the they [] around the IPv6 address are obilgatory.
+#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
+
+# Ignore any clients which are not specified in dhcp-host lines
+# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
+# This relies on the special "known" tag which is set when
+# a host is matched.
+#dhcp-ignore=tag:!known
+
+# Send extra options which are tagged as "red" to any machine whose
+# DHCP vendorclass string includes the substring "Linux"
+#dhcp-vendorclass=set:red,Linux
+
+# Send extra options which are tagged as "red" to any machine one
+# of whose DHCP userclass strings includes the substring "accounts"
+#dhcp-userclass=set:red,accounts
+
+# Send extra options which are tagged as "red" to any machine whose
+# MAC address matches the pattern.
+#dhcp-mac=set:red,00:60:8C:*:*:*
+
+# If this line is uncommented, dnsmasq will read /etc/ethers and act
+# on the ethernet-address/IP pairs found there just as if they had
+# been given as --dhcp-host options. Useful if you keep
+# MAC-address/host mappings there for other purposes.
+#read-ethers
+
+# Send options to hosts which ask for a DHCP lease.
+# See RFC 2132 for details of available options.
+# Common options can be given to dnsmasq by name:
+# run "dnsmasq --help dhcp" to get a list.
+# Note that all the common settings, such as netmask and
+# broadcast address, DNS server and default route, are given
+# sane defaults by dnsmasq. You very likely will not need
+# any dhcp-options. If you use Windows clients and Samba, there
+# are some options which are recommended, they are detailed at the
+# end of this section.
+
+# Override the default route supplied by dnsmasq, which assumes the
+# router is the same machine as the one running dnsmasq.
+#dhcp-option=3,1.2.3.4
+
+# Do the same thing, but using the option name
+#dhcp-option=option:router,1.2.3.4
+
+# Override the default route supplied by dnsmasq and send no default
+# route at all. Note that this only works for the options sent by
+# default (1, 3, 6, 12, 28) the same line will send a zero-length option
+# for all other option numbers.
+#dhcp-option=3
+
+# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
+#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
+
+# Send DHCPv6 option. Note [] around IPv6 addresses.
+#dhcp-option=option6:dns-server,[1234::77],[1234::88]
+
+# Send DHCPv6 option for namservers as the machine running
+# dnsmasq and another.
+#dhcp-option=option6:dns-server,[::],[1234::88]
+
+# Ask client to poll for option changes every six hours. (RFC4242)
+#dhcp-option=option6:information-refresh-time,6h
+
+# Set the NTP time server address to be the same machine as
+# is running dnsmasq
+#dhcp-option=42,0.0.0.0
+
+# Set the NIS domain name to "welly"
+#dhcp-option=40,welly
+
+# Set the default time-to-live to 50
+#dhcp-option=23,50
+
+# Set the "all subnets are local" flag
+#dhcp-option=27,1
+
+# Send the etherboot magic flag and then etherboot options (a string).
+#dhcp-option=128,e4:45:74:68:00:00
+#dhcp-option=129,NIC=eepro100
+
+# Specify an option which will only be sent to the "red" network
+# (see dhcp-range for the declaration of the "red" network)
+# Note that the tag: part must precede the option: part.
+#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
+
+# The following DHCP options set up dnsmasq in the same way as is specified
+# for the ISC dhcpcd in
+# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+# adapted for a typical dnsmasq installation where the host running
+# dnsmasq is also the host running samba.
+# you may want to uncomment some or all of them if you use
+# Windows clients and Samba.
+#dhcp-option=19,0           # option ip-forwarding off
+#dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
+#dhcp-option=45,0.0.0.0     # netbios datagram distribution server
+#dhcp-option=46,8           # netbios node type
+
+# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
+#dhcp-option=252,"\n"
+
+# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
+# probably doesn't support this......
+#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
+
+# Send RFC-3442 classless static routes (note the netmask encoding)
+#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
+
+# Send vendor-class specific options encapsulated in DHCP option 43.
+# The meaning of the options is defined by the vendor-class so
+# options are sent only when the client supplied vendor class
+# matches the class given here. (A substring match is OK, so "MSFT"
+# matches "MSFT" and "MSFT 5.0"). This example sets the
+# mtftp address to 0.0.0.0 for PXEClients.
+#dhcp-option=vendor:PXEClient,1,0.0.0.0
+
+# Send microsoft-specific option to tell windows to release the DHCP lease
+# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
+# value as a four-byte integer - that's what microsoft wants. See
+# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
+#dhcp-option=vendor:MSFT,2,1i
+
+# Send the Encapsulated-vendor-class ID needed by some configurations of
+# Etherboot to allow is to recognise the DHCP server.
+#dhcp-option=vendor:Etherboot,60,"Etherboot"
+
+# Send options to PXELinux. Note that we need to send the options even
+# though they don't appear in the parameter request list, so we need
+# to use dhcp-option-force here.
+# See http://syslinux.zytor.com/pxe.php#special for details.
+# Magic number - needed before anything else is recognised
+#dhcp-option-force=208,f1:00:74:7e
+# Configuration file name
+#dhcp-option-force=209,configs/common
+# Path prefix
+#dhcp-option-force=210,/tftpboot/pxelinux/files/
+# Reboot time. (Note 'i' to send 32-bit value)
+#dhcp-option-force=211,30i
+
+# Set the boot filename for netboot/PXE. You will only need
+# this is you want to boot machines over the network and you will need
+# a TFTP server; either dnsmasq's built in TFTP server or an
+# external one. (See below for how to enable the TFTP server.)
+#dhcp-boot=pxelinux.0
+
+# The same as above, but use custom tftp-server instead machine running dnsmasq
+#dhcp-boot=pxelinux,server.name,192.168.1.100
+
+# Boot for Etherboot gPXE. The idea is to send two different
+# filenames, the first loads gPXE, and the second tells gPXE what to
+# load. The dhcp-match sets the gpxe tag for requests from gPXE.
+#dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
+#dhcp-boot=tag:!gpxe,undionly.kpxe
+#dhcp-boot=mybootimage
+
+# Encapsulated options for Etherboot gPXE. All the options are
+# encapsulated within option 175
+#dhcp-option=encap:175, 1, 5b         # priority code
+#dhcp-option=encap:175, 176, 1b       # no-proxydhcp
+#dhcp-option=encap:175, 177, string   # bus-id
+#dhcp-option=encap:175, 189, 1b       # BIOS drive code
+#dhcp-option=encap:175, 190, user     # iSCSI username
+#dhcp-option=encap:175, 191, pass     # iSCSI password
+
+# Test for the architecture of a netboot client. PXE clients are
+# supposed to send their architecture as option 93. (See RFC 4578)
+#dhcp-match=peecees, option:client-arch, 0 #x86-32
+#dhcp-match=itanics, option:client-arch, 2 #IA64
+#dhcp-match=hammers, option:client-arch, 6 #x86-64
+#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
+
+# Do real PXE, rather than just booting a single file, this is an
+# alternative to dhcp-boot.
+#pxe-prompt="What system shall I netboot?"
+# or with timeout before first available action is taken:
+#pxe-prompt="Press F8 for menu.", 60
+
+# Available boot services. for PXE.
+#pxe-service=x86PC, "Boot from local disk"
+
+# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
+#pxe-service=x86PC, "Install Linux", pxelinux
+
+# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
+# Beware this fails on old PXE ROMS.
+#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
+
+# Use bootserver on network, found my multicast or broadcast.
+#pxe-service=x86PC, "Install windows from RIS server", 1
+
+# Use bootserver at a known IP address.
+#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
+
+# If you have multicast-FTP available,
+# information for that can be passed in a similar way using options 1
+# to 5. See page 19 of
+# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
+
+
+# Enable dnsmasq's built-in TFTP server
+#enable-tftp
+
+# Set the root directory for files available via FTP.
+#tftp-root=/var/ftpd
+
+# Make the TFTP server more secure: with this set, only files owned by
+# the user dnsmasq is running as will be send over the net.
+#tftp-secure
+
+# This option stops dnsmasq from negotiating a larger blocksize for TFTP
+# transfers. It will slow things down, but may rescue some broken TFTP
+# clients.
+#tftp-no-blocksize
+
+# Set the boot file name only when the "red" tag is set.
+#dhcp-boot=tag:red,pxelinux.red-net
+
+# An example of dhcp-boot with an external TFTP server: the name and IP
+# address of the server are given after the filename.
+# Can fail with old PXE ROMS. Overridden by --pxe-service.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
+
+# If there are multiple external tftp servers having a same name
+# (using /etc/hosts) then that name can be specified as the
+# tftp_servername (the third option to dhcp-boot) and in that
+# case dnsmasq resolves this name and returns the resultant IP
+# addresses in round robin fasion. This facility can be used to
+# load balance the tftp load among a set of servers.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
+
+# Set the limit on DHCP leases, the default is 150
+#dhcp-lease-max=150
+
+# The DHCP server needs somewhere on disk to keep its lease database.
+# This defaults to a sane location, but if you want to change it, use
+# the line below.
+#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+
+# Set the DHCP server to authoritative mode. In this mode it will barge in
+# and take over the lease for any client which broadcasts on the network,
+# whether it has a record of the lease or not. This avoids long timeouts
+# when a machine wakes up on a new network. DO NOT enable this if there's
+# the slightest chance that you might end up accidentally configuring a DHCP
+# server for your campus/company accidentally. The ISC server uses
+# the same option, and this URL provides more information:
+# http://www.isc.org/files/auth.html
+#dhcp-authoritative
+
+# Run an executable when a DHCP lease is created or destroyed.
+# The arguments sent to the script are "add" or "del",
+# then the MAC address, the IP address and finally the hostname
+# if there is one.
+#dhcp-script=/bin/echo
+
+# Set the cachesize here.
+#cache-size=150
+
+# If you want to disable negative caching, uncomment this.
+#no-negcache
+
+# Normally responses which come from /etc/hosts and the DHCP lease
+# file have Time-To-Live set as zero, which conventionally means
+# do not cache further. If you are happy to trade lower load on the
+# server for potentially stale date, you can set a time-to-live (in
+# seconds) here.
+#local-ttl=
+
+# If you want dnsmasq to detect attempts by Verisign to send queries
+# to unregistered .com and .net hosts to its sitefinder service and
+# have dnsmasq instead return the correct NXDOMAIN response, uncomment
+# this line. You can add similar lines to do the same for other
+# registries which have implemented wildcard A records.
+#bogus-nxdomain=64.94.110.11
+
+# If you want to fix up DNS results from upstream servers, use the
+# alias option. This only works for IPv4.
+# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
+#alias=1.2.3.4,5.6.7.8
+# and this maps 1.2.3.x to 5.6.7.x
+#alias=1.2.3.0,5.6.7.0,255.255.255.0
+# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
+#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+
+# Change these lines if you want dnsmasq to serve MX records.
+
+# Return an MX record named "maildomain.com" with target
+# servermachine.com and preference 50
+#mx-host=maildomain.com,servermachine.com,50
+
+# Set the default target for MX records created using the localmx option.
+#mx-target=servermachine.com
+
+# Return an MX record pointing to the mx-target for all local
+# machines.
+#localmx
+
+# Return an MX record pointing to itself for all local machines.
+#selfmx
+
+# Change the following lines if you want dnsmasq to serve SRV
+# records.  These are useful if you want to serve ldap requests for
+# Active Directory and other windows-originated DNS requests.
+# See RFC 2782.
+# You may add multiple srv-host lines.
+# The fields are <name>,<target>,<port>,<priority>,<weight>
+# If the domain part if missing from the name (so that is just has the
+# service and protocol sections) then the domain given by the domain=
+# config option is used. (Note that expand-hosts does not need to be
+# set for this to work.)
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389 (using domain=)
+#domain=example.com
+#srv-host=_ldap._tcp,ldapserver.example.com,389
+
+# Two SRV records for LDAP, each with different priorities
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
+
+# A SRV record indicating that there is no LDAP server for the domain
+# example.com
+#srv-host=_ldap._tcp.example.com
+
+# The following line shows how to make dnsmasq serve an arbitrary PTR
+# record. This is useful for DNS-SD. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for PTR records.)
+#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
+
+# Change the following lines to enable dnsmasq to serve TXT records.
+# These are used for things like SPF and zeroconf. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for TXT records.)
+
+#Example SPF.
+#txt-record=example.com,"v=spf1 a -all"
+
+#Example zeroconf
+#txt-record=_http._tcp.example.com,name=value,paper=A4
+
+# Provide an alias for a "local" DNS name. Note that this _only_ works
+# for targets which are names from DHCP or /etc/hosts. Give host
+# "bert" another name, bertrand
+#cname=bertand,bert
+
+# For debugging purposes, log each DNS query as it passes through
+# dnsmasq.
+#log-queries
+
+# Log lots of extra information about DHCP transactions.
+#log-dhcp
+
+# Include another lot of configuration options.
+#conf-file=/etc/dnsmasq.more.conf
+#conf-dir=/etc/dnsmasq.d
+
+# Include all the files in a directory except those ending in .bak
+#conf-dir=/etc/dnsmasq.d,.bak
+
+# Include all files in a directory which end in .conf
+#conf-dir=/etc/dnsmasq.d/*.conf
diff --git a/18-resolver.conf b/18-resolver.conf
@@ -0,0 +1,6 @@
+# DNS
+# FILE: /etc/resolver/dev
+
+nameserver 127.0.0.1
+domain dev
+search_order 1
diff --git a/assets.conf b/assets.conf
@@ -4,4 +4,17 @@ location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpe?g|gif|png|i
     log_not_found off;
     expires max;
     add_header Cache-Control public;
+    add_header Access-Control-Allow-Origin *;
+    add_header Access-Control-Allow-Methods GET,OPTIONS;
+    add_header Access-Control-Allow-Headers *;
+}
+
+location = /robots.txt {
+    access_log off;
+    log_not_found off;
+}
+
+location = /favicon.ico {
+    access_log off;
+    log_not_found off;
 }
diff --git a/default-site.conf b/default-site.conf
@@ -1,27 +1,31 @@
 server {
     # Server settings
     listen 80;
+    #listen 443 ssl;
     server_name localhost;
 
-    # Options
-    limit_conn limit_per_ip 16;
+    # Project location
+    root /Users/prm/Projects/;
+    index index.html index.htm index.php;
+
+    # security
+    ssl_session_timeout 7m;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+    ssl_certificate /usr/local/etc/nginx/ssl/localhost.pem;
+    ssl_certificate_key /usr/local/etc/nginx/ssl/localhost.key;
 
     # Logging
-    access_log /usr/local/var/log/nginx/access.log main;
+    access_log off;
     error_log  /usr/local/var/log/nginx/error.log warn;
     location = /robots.txt  { access_log off; log_not_found off; }
     location = /favicon.ico { access_log off; log_not_found off; }
 
-    # Configuration
+    # Routes
+    #include /usr/local/etc/nginx/conf.d/magento.conf;
+    #include /usr/local/etc/nginx/conf.d/drupal.conf;
+    #include /usr/local/etc/nginx/conf.d/wordpress.conf;
     include /usr/local/etc/nginx/conf.d/drop.conf;
-    include /usr/local/etc/nginx/conf.d/php5.conf;
     include /usr/local/etc/nginx/conf.d/assets.conf;
-
-    fastcgi_param MAGE_IS_DEVELOPER_MODE true;
-
-    include /usr/local/etc/nginx/conf.d/magento.conf;
-
-    # Environment
-    root /Users/prm/Projects/;
-    index index.php index.html index.htm;
 }
diff --git a/drop.conf b/drop.conf
@@ -1,3 +1,8 @@
+# Disable all methods besides HEAD, GET, and POST
+if ($request_method !~ ^(GET|HEAD|POST)$) {
+    return 444;
+}
+
 # Do not log attempts for common files
 location ~ ^/(favicon.ico|robots.txt) {
     access_log off;
@@ -10,8 +15,3 @@ location /. {
     log_not_found off;
     return 404;
 }
-
-# Deny obviously bad requests
-location ~ \.(aspx|asp|jsp|cgi)$ {
-    return 410;
-}
diff --git a/drupal.conf b/drupal.conf
@@ -17,16 +17,21 @@ location ~* ^/sites/.*/(private|files/backup_migrate)/ {
 # Attempt to serve the request by trying direct file, directory, Drupal Controller
 location / {
     try_files $uri $uri/ /index.php?q=$uri&$args;
-    expires max;
 }
 
 # Check: http://wiki.nginx.org/Pitfalls
 location ~* (install|update|apc|info)\.php$ {
-    # do not cache dynamic content
-    expires off;
+    auth_basic "Restricted";
+    auth_basic_user_file .htpasswd;
+
+    # filter out problem conditions
+    location ~ \..*/.*\.php$ { return 404; }
 
-    # php5 specific configuration options
-    include /usr/local/etc/nginx/fastcgi_params;
+    # bring in parameters
+    include conf.d/fastcgi.conf;
+
+    # send to upstream
+    fastcgi_pass phpfpm;
 }
 
 # Below locations are for image cache
@@ -38,5 +43,18 @@ location ~* files/styles {
 }
 
 location @image_rewrite {
-    rewrite ^/(.*)$ /index.php?q=$1 last;
+    rewrite ^/(.*)$ /index.php?q=$1;
+}
+
+# Pass PHP scripts to PHP-FPM daemon
+# Check: http://wiki.nginx.org/Pitfalls
+location ~* \.php$ {
+    # filter out problem conditions
+    location ~ \..*/.*\.php$ { return 404; }
+
+    # bring in parameters
+    include conf.d/fastcgi.conf;
+
+    # send requests to upstream
+    fastcgi_pass phpfpm;
 }
diff --git a/fastcgi.conf b/fastcgi.conf
@@ -0,0 +1,30 @@
+# Tell upstream who is making the request
+proxy_set_header                  Host $host;
+proxy_set_header                  X-Real-IP $remote_addr;
+proxy_set_header                  X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_redirect                    off;
+
+# Allow to complete long running requests
+proxy_read_timeout                600s;
+
+# Do not cache dynamic content
+expires                           off;
+
+# PHP Settings
+include                           fastcgi_params;
+fastcgi_connect_timeout           15s;
+fastcgi_send_timeout              3600s;
+fastcgi_read_timeout              3600s;
+
+fastcgi_buffer_size               128k;
+fastcgi_buffers                   512 16k;
+fastcgi_busy_buffers_size         256k;
+fastcgi_temp_file_write_size      256k;
+
+fastcgi_intercept_errors          off;
+fastcgi_ignore_client_abort       off;
+
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_split_path_info           ^(.+\.php)(/.+)$;
+fastcgi_index                     index.php;
diff --git a/fastcgi_params b/fastcgi_params
@@ -1,42 +1,23 @@
-fastcgi_param QUERY_STRING        $query_string;
-fastcgi_param REQUEST_METHOD      $request_method;
-fastcgi_param CONTENT_TYPE        $content_type;
-fastcgi_param CONTENT_LENGTH      $content_length;
-
-fastcgi_param SCRIPT_FILENAME     $request_filename;
-fastcgi_param SCRIPT_NAME         $fastcgi_script_name;
-fastcgi_param REQUEST_URI         $request_uri;
-fastcgi_param DOCUMENT_URI        $document_uri;
-fastcgi_param DOCUMENT_ROOT       $document_root;
-fastcgi_param SERVER_PROTOCOL     $server_protocol;
-fastcgi_param PATH_INFO           $fastcgi_path_info;
-
-fastcgi_param GATEWAY_INTERFACE   CGI/1.1;
-fastcgi_param SERVER_SOFTWARE     nginx/$nginx_version;
-
-fastcgi_param REMOTE_ADDR         $remote_addr;
-fastcgi_param REMOTE_PORT         $remote_port;
-fastcgi_param SERVER_ADDR         $server_addr;
-fastcgi_param SERVER_PORT         $server_port;
-fastcgi_param SERVER_NAME         $server_name;
-
-fastcgi_param HTTPS               $https if_not_empty;
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
 
 # PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param REDIRECT_STATUS     200;
-
-fastcgi_connect_timeout           60;
-fastcgi_send_timeout              18000;
-fastcgi_read_timeout              18000;
-
-fastcgi_buffer_size               4k;
-fastcgi_buffers                   512 4k;
-fastcgi_busy_buffers_size         8k;
-fastcgi_temp_file_write_size      256k;
-
-fastcgi_intercept_errors          off;
-fastcgi_ignore_client_abort       off;
-
-fastcgi_pass_header               *;
-fastcgi_split_path_info           ^(.+\.php)(/.+)$;
-fastcgi_index                     index.php;
+fastcgi_param  REDIRECT_STATUS    200;
diff --git a/magento.conf b/magento.conf
@@ -3,14 +3,7 @@ location ^~ /(app|config|includes|lib|media/customer|media/downloadable|pkginfo|
     internal;
 }
 
-# Restrict access to admins
-location /var/export {
-    auth_basic "Restricted";
-    auth_basic_user_file /etc/nginx/.htpasswd;
-    autoindex on;
-}
-
-# Attempt to serve the request by trying direct file, directory, Magento controller
+# Attempt to serve the request by trying direct file, directory, Magento front controller
 location / {
     try_files $uri $uri/ /index.php?$args;
     expires max;
@@ -24,4 +17,24 @@ location ~* ^(/downloader)(.*) {
 # REST API endpoint
 location /api {
     rewrite ^/api/rest /api.php?type=rest last;
+    rewrite ^/api/v2_soap /api.php?type=v2_soap last;
+    rewrite ^/api/soap /api.php?type=soap last;
+}
+
+# Pass PHP scripts to PHP-FPM daemon
+# Check: http://wiki.nginx.org/Pitfalls
+location ~* \.php$ {
+    # filter out problem conditions
+    location ~ \..*/.*\.php$ { return 404; }
+
+    # bring in parameters
+    include conf.d/fastcgi.conf;
+    fastcgi_param MAGE_IS_DEVELOPER_MODE true;
+    fastcgi_param MAGE_RUN_CODE default;
+    fastcgi_param MAGE_RUN_TYPE store;
+
+    # send requests to Upstream, but blacklist media location from fcgi
+    if ($uri !~ "^/(media)/") {
+        fastcgi_pass phpfpm;
+    }
 }
diff --git a/nginx.conf b/nginx.conf
@@ -1,4 +1,4 @@
-----------------------------------------------------------------------
+#----------------------------------------------------------------------
 #  http://wiki.nginx.org/NginxMainModule
 #----------------------------------------------------------------------
 user prm staff;
@@ -17,67 +17,71 @@ events {
 # http://wiki.nginx.org/NginxHttpCoreModule
 #----------------------------------------------------------------------
 http {
+    include mime.types;
     access_log /usr/local/var/log/nginx/access.log;
     error_log  /usr/local/var/log/nginx/error.log warn;
 
-    include mime.types;
     default_type application/octet-stream;
 
     log_format main '$remote_addr - $remote_user [$time_local] $request '
                     '"$status" $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';
 
-    # This tells Nginx to ignore the contents of a file it is sending
-    # and uses the kernel sendfile instead
-    sendfile on;
-
-    # Set this to on if you have sendfile on
-    # It will prepend the HTTP response headers before
-    # calling sendfile()
-    tcp_nopush on;
-
-    # This disables the "Nagle buggering algorithm" (Nginx Docs)
-    # Good for websites that send a lot of small requests that
-    # don't need a response
-    tcp_nodelay on;
-
-    # timeouts
-    keepalive_timeout 25;
-    send_timeout 30;
-
-    # general options
     charset utf-8;
-    server_tokens off;
-    server_name_in_redirect off;
-    ignore_invalid_headers on;
-    recursive_error_pages on;
-    merge_slashes on;
-    underscores_in_headers on;
-    limit_conn_zone $binary_remote_addr zone=limit_per_ip:16m;
-    types_hash_max_size 2048;
-    server_names_hash_bucket_size 128;
-    client_max_body_size 24m;
-    client_body_buffer_size 128k;
-    #proxy_read_timeout 18000;
 
     # compression
     gzip on;
+    gzip_buffers 16 8k;
+    gzip_comp_level 2;
+    gzip_disable "MSIE [1-6].(?!.*SV1)";
     gzip_http_version 1.0;
+    gzip_min_length 10240;
     gzip_proxied any;
-    gzip_vary on;
     gzip_static on;
-    gzip_min_length 1024;
-    gzip_buffers 32 8k;
-    gzip_comp_level 6;
     gzip_types text/plain text/css application/x-javascript text/comma-separated-values text/xml application/xml application/xml+rss application/atom+xml text/javascript;
-    gzip_disable "MSIE [1-6].(?!.*SV1)";
+    gzip_vary on;
+
+    # general options
+    client_body_buffer_size 512k;
+    client_body_timeout 15;
+    client_header_timeout 15;
+    client_max_body_size 24m;
+    ignore_invalid_headers on;
+    keepalive_timeout 2 2;
+    keepalive_requests 200;
+    merge_slashes on;
+    recursive_error_pages on;
+    reset_timedout_connection on;
+    sendfile on;
+    send_timeout 15;
+    server_names_hash_bucket_size 128;
+    server_name_in_redirect off;
+    server_tokens off;
+    tcp_nodelay off;
+    tcp_nopush on;
+    types_hash_max_size 2048;
+    underscores_in_headers on;
+
+    # cache options
+    #open_file_cache max=10000 inactive=30s;
+    #open_file_cache_valid 5m;
+    #open_file_cache_min_uses 5;
+    #open_file_cache_errors off;
+
+    # detect https
+    map $scheme $fastcgi_https {
+        default "";
+        https on;
+    }
 
     # PHP-FPM
     upstream phpfpm {
-      #server unix:/usr/local/var/run/nginx/phpfpm.sock;
-      server 127.0.0.1:9000;
+        server unix:/usr/local/var/run/php-fpm.sock;
+        #server unix:/var/run/php-fpm/php-fpm.sock1 weight=1 max_fails=5 fail_timeout=10;
+        #server unix:/var/run/php-fpm/php-fpm.sock2 weight=1 max_fails=5 fail_timeout=10;
+        #server 127.0.0.1:9000;
     }
 
     # include active sites
     include /usr/local/etc/nginx/sites-enabled/*;
-}
+}
diff --git a/php-fpm.conf b/php-fpm.conf
@@ -2,48 +2,19 @@
 ; FPM Configuration ;
 ;;;;;;;;;;;;;;;;;;;;;
 
-; All relative paths in this configuration file are relative to PHP's install
-; prefix (/usr/local/Cellar/php54/5.4.22). This prefix can be dynamically changed by using the
-; '-p' argument from the command line.
-
-; Include one or more files. If glob(3) exists, it is used to include a bunch of
-; files from a glob(3) pattern. This directive can be used everywhere in the
-; file.
-; Relative path can also be used. They will be prefixed by:
-;  - the global prefix if it's been set (-p argument)
-;  - /usr/local/Cellar/php54/5.4.22 otherwise
-include=/usr/local/etc/php/5.4/fpm.d/*.conf
-
 ;;;;;;;;;;;;;;;;;;
 ; Global Options ;
 ;;;;;;;;;;;;;;;;;;
 
 [global]
 ; Pid file
-; Note: the default prefix is /usr/local/var
 ; Default Value: none
-;pid = run/php-fpm.pid
+pid = /usr/local/var/run/php-fpm.pid
 
 ; Error log file
-; If it's set to "syslog", log is sent to syslogd instead of being written
-; in a local file.
-; Note: the default prefix is /usr/local/var
 ; Default Value: log/php-fpm.log
 error_log = /usr/local/var/log/php-fpm.log
 
-; syslog_facility is used to specify what type of program is logging the
-; message. This lets syslogd specify that messages from different facilities
-; will be handled differently.
-; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
-; Default Value: daemon
-;syslog.facility = daemon
-
-; syslog_ident is prepended to every message. If you have multiple FPM
-; instances running on the same server, you can change the default value
-; which must suit common needs.
-; Default Value: php-fpm
-;syslog.ident = php-fpm
-
 ; Log level
 ; Possible Values: alert, error, warning, notice, debug
 ; Default Value: notice
@@ -67,56 +38,10 @@ emergency_restart_interval = 1m
 ; Available units: s(econds), m(inutes), h(ours), or d(ays)
 ; Default Unit: seconds
 ; Default Value: 0
-process_control_timeout = 0
-
-; The maximum number of processes FPM will fork. This has been design to control
-; the global number of processes when using dynamic PM within a lot of pools.
-; Use it with caution.
-; Note: A value of 0 indicates no limit
-; Default Value: 0
-; process.max = 128
-
-; Specify the nice(2) priority to apply to the master process (only if set)
-; The value can vary from -19 (highest priority) to 20 (lower priority)
-; Note: - It will only work if the FPM master process is launched as root
-;       - The pool process will inherit the master process priority
-;         unless it specified otherwise
-; Default Value: no set
-; process.priority = -19
-
-; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
-; Default Value: yes
-daemonize = no
-
-; Set open file descriptor rlimit for the master process.
-; Default Value: system defined value
-;rlimit_files = 1024
-
-; Set max core size rlimit for the master process.
-; Possible Values: 'unlimited' or an integer greater or equal to 0
-; Default Value: system defined value
-;rlimit_core = 0
-
-; Specify the event mechanism FPM will use. The following is available:
-; - select     (any POSIX os)
-; - poll       (any POSIX os)
-; - epoll      (linux >= 2.5.44)
-; - kqueue     (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
-; - /dev/poll  (Solaris >= 7)
-; - port       (Solaris >= 10)
-; Default Value: not set (auto detection)
-;events.mechanism = epoll
-
-; When FPM is build with systemd integration, specify the interval,
-; in second, between health report notification to systemd.
-; Set to 0 to disable.
-; Available Units: s(econds), m(inutes), h(ours)
-; Default Unit: seconds
-; Default value: 10
-;systemd_interval = 10
+process_control_timeout = 10s
 
 ;;;;;;;;;;;;;;;;;;;;
 ; Pool Definitions ;
 ;;;;;;;;;;;;;;;;;;;;
 
-include=/usr/local/etc/php/5.4/pool.d/*.conf
+include=/usr/local/etc/php/5.5/pool.d/*.conf
diff --git a/php5.conf b/php5.conf
@@ -1,16 +0,0 @@
-# Pass PHP scripts to PHP-FPM daemon
-# Check: http://wiki.nginx.org/Pitfalls
-
-location ~* \.php$ {
-    # do not cache dynamic content
-    expires off;
-
-    # filter out problem conditions
-    location ~ \..*/.*\.php$ { return 404; }
-
-    # bring in parameters
-    include /usr/local/etc/nginx/fastcgi_params;
-
-    # send requests to Upstream
-    fastcgi_pass phpfpm;
-}

diff --git a/wordpress.conf b/wordpress.conf
@@ -9,8 +9,20 @@ location ~* /(?:uploads|files)/.*\.php$ {
 # http://wiki.nginx.org/HttpCoreModule
 location / {
     try_files $uri $uri/ /index.php?$args;
-    expires max;
 }
 
 # Add trailing slash to */wp-admin requests.
 rewrite /wp-admin$ $scheme://$host$uri/ permanent;
+
+# Pass PHP scripts to PHP-FPM daemon
+# Check: http://wiki.nginx.org/Pitfalls
+location ~* \.php$ {
+    # filter out problem conditions
+    location ~ \..*/.*\.php$ { return 404; }
+
+    # bring in parameters
+    include conf.d/fastcgi.conf;
+
+    # send requests to upstream
+    fastcgi_pass phpfpm;
+}
diff --git a/www.conf b/www.conf
@@ -2,99 +2,22 @@
 ; Pool Definitions ;
 ;;;;;;;;;;;;;;;;;;;;
 
-; Multiple pools of child processes may be started with different listening
-; ports and different management options.  The name of the pool will be
-; used in logs and stats. There is no limitation on the number of pools which
-; FPM can handle. Your system will tell you anyway :)
-
-; Start a new pool named 'www'.
-; the variable $pool can we used in any directive and will be replaced by the
-; pool name ('www' here)
 [www]
 
-; Per pool prefix
-; It only applies on the following directives:
-; - 'slowlog'
-; - 'listen' (unixsocket)
-; - 'chroot'
-; - 'chdir'
-; - 'php_values'
-; - 'php_admin_values'
-; When not set, the global prefix (or /usr/local/Cellar/php54/5.4.22) applies instead.
-; Note: This directive can also be relative to the global prefix.
-; Default Value: none
-;prefix = /path/to/pools/$pool
-
 ; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-;       will be used.
-;user = prm
+;user  = prm
 ;group = staff
 
 ; The address on which to accept FastCGI requests.
-; Valid syntaxes are:
-;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
-;                            a specific port;
-;   'port'                 - to listen on a TCP socket to all addresses on a
-;                            specific port;
-;   '/path/to/unix/socket' - to listen on a unix socket.
-; Note: This value is mandatory.
-listen = 127.0.0.1:9000
-;listen = /usr/local/var/run/nginx/phpfpm.sock
-
-; Set listen(2) backlog.
-; Default Value: 65535 (-1 on FreeBSD and OpenBSD)
-;listen.backlog = 65535
+listen = /usr/local/var/run/php-fpm.sock
 
-; Set permissions for unix socket, if one is used. In Linux, read/write
-; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions.
-; Default Values: user and group are set as the running user
-;                 mode is set to 0666
-;listen.owner = _www
-;listen.group = _www
-listen.mode = 0666
+; Set permissions for unix socket, if one is used.
+listen.mode  = 0666
 
 ; List of ipv4 addresses of FastCGI clients which are allowed to connect.
-; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
-; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
-; must be separated by a comma. If this value is left blank, connections will be
-; accepted from any ip address.
-; Default Value: any
 listen.allowed_clients = 127.0.0.1
 
-; Specify the nice(2) priority to apply to the pool processes (only if set)
-; The value can vary from -19 (highest priority) to 20 (lower priority)
-; Note: - It will only work if the FPM master process is launched as root
-;       - The pool processes will inherit the master process priority
-;         unless it specified otherwise
-; Default Value: no set
-; priority = -19
-
 ; Choose how the process manager will control the number of child processes.
-; Possible Values:
-;   static  - a fixed number (pm.max_children) of child processes;
-;   dynamic - the number of child processes are set dynamically based on the
-;             following directives. With this process management, there will be
-;             always at least 1 children.
-;             pm.max_children      - the maximum number of children that can
-;                                    be alive at the same time.
-;             pm.start_servers     - the number of children created on startup.
-;             pm.min_spare_servers - the minimum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is less than this
-;                                    number then some children will be created.
-;             pm.max_spare_servers - the maximum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is greater than this
-;                                    number then some children will be killed.
-;  ondemand - no children are created at startup. Children will be forked when
-;             new requests will connect. The following parameter are used:
-;             pm.max_children           - the maximum number of children that
-;                                         can be alive at the same time.
-;             pm.process_idle_timeout   - The number of seconds after which
-;                                         an idle process will be killed.
-; Note: This value is mandatory.
 pm = dynamic
 
 ; The number of child processes to be created when pm is set to 'static' and the
@@ -104,144 +27,29 @@ pm = dynamic
 ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
 ; CGI. The below defaults are based on a server without much resources. Don't
 ; forget to tweak pm.* to fit your needs.
-; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
-; Note: This value is mandatory.
 pm.max_children = 10
 
 ; The number of child processes created on startup.
-; Note: Used only when pm is set to 'dynamic'
 ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
 pm.start_servers = 3
 
 ; The desired minimum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
 pm.min_spare_servers = 2
 
 ; The desired maximum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
 pm.max_spare_servers = 5
 
-; The number of seconds after which an idle process will be killed.
-; Note: Used only when pm is set to 'ondemand'
-; Default Value: 10s
-;pm.process_idle_timeout = 10s;
-
 ; The number of requests each child process should execute before respawning.
 ; This can be useful to work around memory leaks in 3rd party libraries. For
 ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
 ; Default Value: 0
-;pm.max_requests = 500
+pm.max_requests = 500
 
-; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
-;   pool                 - the name of the pool;
-;   process manager      - static, dynamic or ondemand;
-;   start time           - the date and time FPM has started;
-;   start since          - number of seconds since FPM has started;
-;   accepted conn        - the number of request accepted by the pool;
-;   listen queue         - the number of request in the queue of pending
-;                          connections (see backlog in listen(2));
-;   max listen queue     - the maximum number of requests in the queue
-;                          of pending connections since FPM has started;
-;   listen queue len     - the size of the socket queue of pending connections;
-;   idle processes       - the number of idle processes;
-;   active processes     - the number of active processes;
-;   total processes      - the number of idle + active processes;
-;   max active processes - the maximum number of active processes since FPM
-;                          has started;
-;   max children reached - number of times, the process limit has been reached,
-;                          when pm tries to start more children (works only for
-;                          pm 'dynamic' and 'ondemand');
-; Value are updated in real time.
-; Example output:
-;   pool:                 www
-;   process manager:      static
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          62636
-;   accepted conn:        190460
-;   listen queue:         0
-;   max listen queue:     1
-;   listen queue len:     42
-;   idle processes:       4
-;   active processes:     11
-;   total processes:      15
-;   max active processes: 12
-;   max children reached: 0
-;
-; By default the status page output is formatted as text/plain. Passing either
-; 'html', 'xml' or 'json' in the query string will return the corresponding
-; output syntax. Example:
-;   http://www.foo.bar/status
-;   http://www.foo.bar/status?json
-;   http://www.foo.bar/status?html
-;   http://www.foo.bar/status?xml
-;
-; By default the status page only outputs short status. Passing 'full' in the
-; query string will also return status for each pool process.
-; Example:
-;   http://www.foo.bar/status?full
-;   http://www.foo.bar/status?json&full
-;   http://www.foo.bar/status?html&full
-;   http://www.foo.bar/status?xml&full
-; The Full status returns for each process:
-;   pid                  - the PID of the process;
-;   state                - the state of the process (Idle, Running, ...);
-;   start time           - the date and time the process has started;
-;   start since          - the number of seconds since the process has started;
-;   requests             - the number of requests the process has served;
-;   request duration     - the duration in µs of the requests;
-;   request method       - the request method (GET, POST, ...);
-;   request URI          - the request URI with the query string;
-;   content length       - the content length of the request (only with POST);
-;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
-;   script               - the main script called (or '-' if not set);
-;   last request cpu     - the %cpu the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because CPU calculation is done when the request
-;                          processing has terminated;
-;   last request memory  - the max amount of memory the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because memory calculation is done when the request
-;                          processing has terminated;
-; If the process is in Idle state, then informations are related to the
-; last request the process has served. Otherwise informations are related to
-; the current request being served.
-; Example output:
-;   ************************
-;   pid:                  31330
-;   state:                Running
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          63087
-;   requests:             12808
-;   request duration:     1250261
-;   request method:       GET
-;   request URI:          /test_mem.php?N=10000
-;   content length:       0
-;   user:                 -
-;   script:               /home/fat/web/docs/php/test_mem.php
-;   last request cpu:     0.00
-;   last request memory:  0
-;
-; Note: There is a real-time FPM status monitoring sample web page available
-;       It's available in: ${prefix}/share/fpm/status.html
-;
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
+; The URI to view the FPM status page.
 ; Default Value: not set
-;pm.status_path = /status
+pm.status_path = /status
 
-; The ping URI to call the monitoring page of FPM. If this value is not set, no
-; URI will be recognized as a ping page. This could be used to test from outside
-; that FPM is alive and responding, or to
-; - create a graph of FPM availability (rrd or such);
-; - remove a server from a group if it is not responding (load balancing);
-; - trigger alerts for the operating team (24/7).
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
+; The ping URI to call the monitoring page of FPM.
 ; Default Value: not set
 ;ping.path = /ping
 
@@ -250,107 +58,36 @@ pm.max_spare_servers = 5
 ; Default Value: pong
 ;ping.response = pong
 
-; The access log file
-; Default: not set
-;access.log = log/$pool.access.log
-
-; The access log format.
-; The following syntax is allowed
-;  %%: the '%' character
-;  %C: %CPU used by the request
-;      it can accept the following format:
-;      - %{user}C for user CPU only
-;      - %{system}C for system CPU only
-;      - %{total}C  for user + system CPU (default)
-;  %d: time taken to serve the request
-;      it can accept the following format:
-;      - %{seconds}d (default)
-;      - %{miliseconds}d
-;      - %{mili}d
-;      - %{microseconds}d
-;      - %{micro}d
-;  %e: an environment variable (same as $_ENV or $_SERVER)
-;      it must be associated with embraces to specify the name of the env
-;      variable. Some exemples:
-;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
-;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
-;  %f: script filename
-;  %l: content-length of the request (for POST request only)
-;  %m: request method
-;  %M: peak of memory allocated by PHP
-;      it can accept the following format:
-;      - %{bytes}M (default)
-;      - %{kilobytes}M
-;      - %{kilo}M
-;      - %{megabytes}M
-;      - %{mega}M
-;  %n: pool name
-;  %o: output header
-;      it must be associated with embraces to specify the name of the header:
-;      - %{Content-Type}o
-;      - %{X-Powered-By}o
-;      - %{Transfert-Encoding}o
-;      - ....
-;  %p: PID of the child that serviced the request
-;  %P: PID of the parent of the child that serviced the request
-;  %q: the query string
-;  %Q: the '?' character if query string exists
-;  %r: the request URI (without the query string, see %q and %Q)
-;  %R: remote IP address
-;  %s: status (response code)
-;  %t: server time the request was received
-;      it can accept a strftime(3) format:
-;      %d/%b/%Y:%H:%M:%S %z (default)
-;  %T: time the log has been written (the request has finished)
-;      it can accept a strftime(3) format:
-;      %d/%b/%Y:%H:%M:%S %z (default)
-;  %u: remote user
-;
-; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
-
 ; The log file for slow requests
 ; Default Value: not set
-; Note: slowlog is mandatory if request_slowlog_timeout is set
-;slowlog = log/$pool.log.slow
+slowlog = /usr/local/var/log/$pool.log.slow
 
 ; The timeout for serving a single request after which a PHP backtrace will be
 ; dumped to the 'slowlog' file. A value of '0s' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
-;request_slowlog_timeout = 0
+request_slowlog_timeout = 8s
 
 ; The timeout for serving a single request after which the worker process will
 ; be killed. This option should be used when the 'max_execution_time' ini option
 ; does not stop script execution for some reason. A value of '0' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
-request_terminate_timeout = 18000
+request_terminate_timeout = 0
 
 ; Set open file descriptor rlimit.
 ; Default Value: system defined value
-;rlimit_files = 131072
+rlimit_files = 131072
 
 ; Set max core size rlimit.
 ; Possible Values: 'unlimited' or an integer greater or equal to 0
 ; Default Value: system defined value
 rlimit_core = unlimited
 
-; Chroot to this directory at the start. This value must be defined as an
-; absolute path. When this value is not set, chroot is not used.
-; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
-; of its subdirectories. If the pool prefix is not set, the global prefix
-; will be used instead.
-; Note: chrooting is a great security feature and should be used whenever
-;       possible. However, all PHP paths will be relative to the chroot
-;       (error_log, sessions.save_path, ...).
-; Default Value: not set
-;chroot =
-
 ; Chdir to this directory at the start.
 ; Note: relative path can be used.
 ; Default Value: current directory or / when chroot
-;chdir = /var/www
+;chdir =
 
 ; Redirect worker stdout and stderr into main error log. If not set, stdout and
 ; stderr will be redirected to /dev/null according to FastCGI specs.
@@ -359,44 +96,9 @@ rlimit_core = unlimited
 ; Default Value: no
 catch_workers_output = yes
 
-; Limits the extensions of the main script FPM will allow to parse. This can
-; prevent configuration mistakes on the web server side. You should only limit
-; FPM to .php extensions to prevent malicious users to use other extensions to
-; exectute php code.
-; Note: set an empty value to allow all extensions.
-; Default Value: .php
-;security.limit_extensions = .php .php3 .php4 .php5
-
-; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
-; the current environment.
-; Default Value: clean env
-;env[HOSTNAME] = $HOSTNAME
-;env[PATH] = /usr/local/bin:/usr/bin:/bin
-;env[TMP] = /tmp
-;env[TMPDIR] = /tmp
-;env[TEMP] = /tmp
-
 ; Additional php.ini defines, specific to this pool of workers. These settings
-; overwrite the values previously defined in the php.ini. The directives are the
-; same as the PHP SAPI:
-;   php_value/php_flag             - you can set classic ini defines which can
-;                                    be overwritten from PHP call 'ini_set'.
-;   php_admin_value/php_admin_flag - these directives won't be overwritten by
-;                                     PHP call 'ini_set'
+; overwrite the values previously defined in the php.ini.
+;
 ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
-
-; Defining 'extension' will load the corresponding shared extension from
-; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
-; overwrite previously defined php.ini values, but will append the new value
-; instead.
-
-; Note: path INI options can be relative and will be expanded with the prefix
-; (pool, global or /usr/local/Cellar/php54/5.4.22)
-
-; Default Value: nothing is defined by default except the values in php.ini and
-;                specified at startup with the -d argument
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f [email protected]
-;php_flag[display_errors] = off
-;php_admin_value[error_log] = /var/log/fpm-php.www.log
-;php_admin_flag[log_errors] = on
-;php_admin_value[memory_limit] = 32M
+php_flag[display_errors] = on
+php_admin_flag[log_errors] = on
diff --git a/zzz.ini b/zzz.ini
@@ -0,0 +1,13 @@
+; Custom php.ini overrides
+
+date.timezone = Etc/UTC
+memory_limit = 512M
+display_errors = On
+log_errors = On
+expose_php = On
+error_reporting = E_ALL
+realpath_cache_ttl = 120
+realpath_cache_size = 128k
+error_log = /usr/local/var/log/php-errors.log
+cgi.fix_pathinfo = 0
+max_execution_time = 120
diff --git a/php-fpm.conf b/php-fpm.conf
@@ -0,0 +1,122 @@
+;;;;;;;;;;;;;;;;;;;;;
+; FPM Configuration ;
+;;;;;;;;;;;;;;;;;;;;;
+
+; All relative paths in this configuration file are relative to PHP's install
+; prefix (/usr/local/Cellar/php54/5.4.22). This prefix can be dynamically changed by using the
+; '-p' argument from the command line.
+
+; Include one or more files. If glob(3) exists, it is used to include a bunch of
+; files from a glob(3) pattern. This directive can be used everywhere in the
+; file.
+; Relative path can also be used. They will be prefixed by:
+;  - the global prefix if it's been set (-p argument)
+;  - /usr/local/Cellar/php54/5.4.22 otherwise
+include=/usr/local/etc/php/5.4/fpm.d/*.conf
+
+;;;;;;;;;;;;;;;;;;
+; Global Options ;
+;;;;;;;;;;;;;;;;;;
+
+[global]
+; Pid file
+; Note: the default prefix is /usr/local/var
+; Default Value: none
+;pid = run/php-fpm.pid
+
+; Error log file
+; If it's set to "syslog", log is sent to syslogd instead of being written
+; in a local file.
+; Note: the default prefix is /usr/local/var
+; Default Value: log/php-fpm.log
+error_log = /usr/local/var/log/php-fpm.log
+
+; syslog_facility is used to specify what type of program is logging the
+; message. This lets syslogd specify that messages from different facilities
+; will be handled differently.
+; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
+; Default Value: daemon
+;syslog.facility = daemon
+
+; syslog_ident is prepended to every message. If you have multiple FPM
+; instances running on the same server, you can change the default value
+; which must suit common needs.
+; Default Value: php-fpm
+;syslog.ident = php-fpm
+
+; Log level
+; Possible Values: alert, error, warning, notice, debug
+; Default Value: notice
+log_level = notice
+
+; If this number of child processes exit with SIGSEGV or SIGBUS within the time
+; interval set by emergency_restart_interval then FPM will restart. A value
+; of '0' means 'Off'.
+; Default Value: 0
+emergency_restart_threshold = 10
+
+; Interval of time used by emergency_restart_interval to determine when
+; a graceful restart will be initiated.  This can be useful to work around
+; accidental corruptions in an accelerator's shared memory.
+; Available Units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0
+emergency_restart_interval = 1m
+
+; Time limit for child processes to wait for a reaction on signals from master.
+; Available units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0
+process_control_timeout = 0
+
+; The maximum number of processes FPM will fork. This has been design to control
+; the global number of processes when using dynamic PM within a lot of pools.
+; Use it with caution.
+; Note: A value of 0 indicates no limit
+; Default Value: 0
+; process.max = 128
+
+; Specify the nice(2) priority to apply to the master process (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+;       - The pool process will inherit the master process priority
+;         unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
+; Default Value: yes
+daemonize = no
+
+; Set open file descriptor rlimit for the master process.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit for the master process.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Specify the event mechanism FPM will use. The following is available:
+; - select     (any POSIX os)
+; - poll       (any POSIX os)
+; - epoll      (linux >= 2.5.44)
+; - kqueue     (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
+; - /dev/poll  (Solaris >= 7)
+; - port       (Solaris >= 10)
+; Default Value: not set (auto detection)
+;events.mechanism = epoll
+
+; When FPM is build with systemd integration, specify the interval,
+; in second, between health report notification to systemd.
+; Set to 0 to disable.
+; Available Units: s(econds), m(inutes), h(ours)
+; Default Unit: seconds
+; Default value: 10
+;systemd_interval = 10
+
+;;;;;;;;;;;;;;;;;;;;
+; Pool Definitions ;
+;;;;;;;;;;;;;;;;;;;;
+
+include=/usr/local/etc/php/5.4/pool.d/*.conf
diff --git a/www.conf b/www.conf
@@ -0,0 +1,402 @@
+;;;;;;;;;;;;;;;;;;;;
+; Pool Definitions ;
+;;;;;;;;;;;;;;;;;;;;
+
+; Multiple pools of child processes may be started with different listening
+; ports and different management options.  The name of the pool will be
+; used in logs and stats. There is no limitation on the number of pools which
+; FPM can handle. Your system will tell you anyway :)
+
+; Start a new pool named 'www'.
+; the variable $pool can we used in any directive and will be replaced by the
+; pool name ('www' here)
+[www]
+
+; Per pool prefix
+; It only applies on the following directives:
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or /usr/local/Cellar/php54/5.4.22) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool
+
+; Unix user/group of processes
+; Note: The user is mandatory. If the group is not set, the default user's group
+;       will be used.
+;user = prm
+;group = staff
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses on a
+;                            specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = 127.0.0.1:9000
+;listen = /usr/local/var/run/nginx/phpfpm.sock
+
+; Set listen(2) backlog.
+; Default Value: 65535 (-1 on FreeBSD and OpenBSD)
+;listen.backlog = 65535
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions.
+; Default Values: user and group are set as the running user
+;                 mode is set to 0666
+;listen.owner = _www
+;listen.group = _www
+listen.mode = 0666
+
+; List of ipv4 addresses of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+listen.allowed_clients = 127.0.0.1
+
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+;       - The pool processes will inherit the master process priority
+;         unless it specified otherwise
+; Default Value: no set
+; priority = -19
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+;   static  - a fixed number (pm.max_children) of child processes;
+;   dynamic - the number of child processes are set dynamically based on the
+;             following directives. With this process management, there will be
+;             always at least 1 children.
+;             pm.max_children      - the maximum number of children that can
+;                                    be alive at the same time.
+;             pm.start_servers     - the number of children created on startup.
+;             pm.min_spare_servers - the minimum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is less than this
+;                                    number then some children will be created.
+;             pm.max_spare_servers - the maximum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is greater than this
+;                                    number then some children will be killed.
+;  ondemand - no children are created at startup. Children will be forked when
+;             new requests will connect. The following parameter are used:
+;             pm.max_children           - the maximum number of children that
+;                                         can be alive at the same time.
+;             pm.process_idle_timeout   - The number of seconds after which
+;                                         an idle process will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 10
+
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
+pm.start_servers = 3
+
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 2
+
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 5
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+;pm.process_idle_timeout = 10s;
+
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+;pm.max_requests = 500
+
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following informations:
+;   pool                 - the name of the pool;
+;   process manager      - static, dynamic or ondemand;
+;   start time           - the date and time FPM has started;
+;   start since          - number of seconds since FPM has started;
+;   accepted conn        - the number of request accepted by the pool;
+;   listen queue         - the number of request in the queue of pending
+;                          connections (see backlog in listen(2));
+;   max listen queue     - the maximum number of requests in the queue
+;                          of pending connections since FPM has started;
+;   listen queue len     - the size of the socket queue of pending connections;
+;   idle processes       - the number of idle processes;
+;   active processes     - the number of active processes;
+;   total processes      - the number of idle + active processes;
+;   max active processes - the maximum number of active processes since FPM
+;                          has started;
+;   max children reached - number of times, the process limit has been reached,
+;                          when pm tries to start more children (works only for
+;                          pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+;   pool:                 www
+;   process manager:      static
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          62636
+;   accepted conn:        190460
+;   listen queue:         0
+;   max listen queue:     1
+;   listen queue len:     42
+;   idle processes:       4
+;   active processes:     11
+;   total processes:      15
+;   max active processes: 12
+;   max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax. Example:
+;   http://www.foo.bar/status
+;   http://www.foo.bar/status?json
+;   http://www.foo.bar/status?html
+;   http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example:
+;   http://www.foo.bar/status?full
+;   http://www.foo.bar/status?json&full
+;   http://www.foo.bar/status?html&full
+;   http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+;   pid                  - the PID of the process;
+;   state                - the state of the process (Idle, Running, ...);
+;   start time           - the date and time the process has started;
+;   start since          - the number of seconds since the process has started;
+;   requests             - the number of requests the process has served;
+;   request duration     - the duration in µs of the requests;
+;   request method       - the request method (GET, POST, ...);
+;   request URI          - the request URI with the query string;
+;   content length       - the content length of the request (only with POST);
+;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
+;   script               - the main script called (or '-' if not set);
+;   last request cpu     - the %cpu the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because CPU calculation is done when the request
+;                          processing has terminated;
+;   last request memory  - the max amount of memory the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because memory calculation is done when the request
+;                          processing has terminated;
+; If the process is in Idle state, then informations are related to the
+; last request the process has served. Otherwise informations are related to
+; the current request being served.
+; Example output:
+;   ************************
+;   pid:                  31330
+;   state:                Running
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          63087
+;   requests:             12808
+;   request duration:     1250261
+;   request method:       GET
+;   request URI:          /test_mem.php?N=10000
+;   content length:       0
+;   user:                 -
+;   script:               /home/fat/web/docs/php/test_mem.php
+;   last request cpu:     0.00
+;   last request memory:  0
+;
+; Note: There is a real-time FPM status monitoring sample web page available
+;       It's available in: ${prefix}/share/fpm/status.html
+;
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set
+;pm.status_path = /status
+
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set
+;ping.path = /ping
+
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong
+;ping.response = pong
+
+; The access log file
+; Default: not set
+;access.log = log/$pool.access.log
+
+; The access log format.
+; The following syntax is allowed
+;  %%: the '%' character
+;  %C: %CPU used by the request
+;      it can accept the following format:
+;      - %{user}C for user CPU only
+;      - %{system}C for system CPU only
+;      - %{total}C  for user + system CPU (default)
+;  %d: time taken to serve the request
+;      it can accept the following format:
+;      - %{seconds}d (default)
+;      - %{miliseconds}d
+;      - %{mili}d
+;      - %{microseconds}d
+;      - %{micro}d
+;  %e: an environment variable (same as $_ENV or $_SERVER)
+;      it must be associated with embraces to specify the name of the env
+;      variable. Some exemples:
+;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+;  %f: script filename
+;  %l: content-length of the request (for POST request only)
+;  %m: request method
+;  %M: peak of memory allocated by PHP
+;      it can accept the following format:
+;      - %{bytes}M (default)
+;      - %{kilobytes}M
+;      - %{kilo}M
+;      - %{megabytes}M
+;      - %{mega}M
+;  %n: pool name
+;  %o: output header
+;      it must be associated with embraces to specify the name of the header:
+;      - %{Content-Type}o
+;      - %{X-Powered-By}o
+;      - %{Transfert-Encoding}o
+;      - ....
+;  %p: PID of the child that serviced the request
+;  %P: PID of the parent of the child that serviced the request
+;  %q: the query string
+;  %Q: the '?' character if query string exists
+;  %r: the request URI (without the query string, see %q and %Q)
+;  %R: remote IP address
+;  %s: status (response code)
+;  %t: server time the request was received
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;  %T: time the log has been written (the request has finished)
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;  %u: remote user
+;
+; Default: "%R - %u %t \"%m %r\" %s"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+;slowlog = log/$pool.log.slow
+
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+request_terminate_timeout = 18000
+
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 131072
+
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+rlimit_core = unlimited
+
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever
+;       possible. However, all PHP paths will be relative to the chroot
+;       (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot =
+
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+;chdir = /var/www
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environement, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+catch_workers_output = yes
+
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; exectute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php
+;security.limit_extensions = .php .php3 .php4 .php5
+
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+;   php_value/php_flag             - you can set classic ini defines which can
+;                                    be overwritten from PHP call 'ini_set'.
+;   php_admin_value/php_admin_flag - these directives won't be overwritten by
+;                                     PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr/local/Cellar/php54/5.4.22)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+;                specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f [email protected]
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M
diff --git a/fastcgi_params b/fastcgi_params
@@ -0,0 +1,42 @@
+fastcgi_param QUERY_STRING        $query_string;
+fastcgi_param REQUEST_METHOD      $request_method;
+fastcgi_param CONTENT_TYPE        $content_type;
+fastcgi_param CONTENT_LENGTH      $content_length;
+
+fastcgi_param SCRIPT_FILENAME     $request_filename;
+fastcgi_param SCRIPT_NAME         $fastcgi_script_name;
+fastcgi_param REQUEST_URI         $request_uri;
+fastcgi_param DOCUMENT_URI        $document_uri;
+fastcgi_param DOCUMENT_ROOT       $document_root;
+fastcgi_param SERVER_PROTOCOL     $server_protocol;
+fastcgi_param PATH_INFO           $fastcgi_path_info;
+
+fastcgi_param GATEWAY_INTERFACE   CGI/1.1;
+fastcgi_param SERVER_SOFTWARE     nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR         $remote_addr;
+fastcgi_param REMOTE_PORT         $remote_port;
+fastcgi_param SERVER_ADDR         $server_addr;
+fastcgi_param SERVER_PORT         $server_port;
+fastcgi_param SERVER_NAME         $server_name;
+
+fastcgi_param HTTPS               $https if_not_empty;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS     200;
+
+fastcgi_connect_timeout           60;
+fastcgi_send_timeout              18000;
+fastcgi_read_timeout              18000;
+
+fastcgi_buffer_size               4k;
+fastcgi_buffers                   512 4k;
+fastcgi_busy_buffers_size         8k;
+fastcgi_temp_file_write_size      256k;
+
+fastcgi_intercept_errors          off;
+fastcgi_ignore_client_abort       off;
+
+fastcgi_pass_header               *;
+fastcgi_split_path_info           ^(.+\.php)(/.+)$;
+fastcgi_index                     index.php;
diff --git a/assets.conf b/assets.conf
@@ -0,0 +1,7 @@
+# Directives to send expires headers and turn off 404 error logging for Static assets
+location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpe?g|gif|png|ico|zip|pdf|t?gz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|swf|bmp|txt|rtf|md)$ {
+    access_log off;
+    log_not_found off;
+    expires max;
+    add_header Cache-Control public;
+}
diff --git a/default-site.conf b/default-site.conf
@@ -0,0 +1,27 @@
+server {
+    # Server settings
+    listen 80;
+    server_name localhost;
+
+    # Options
+    limit_conn limit_per_ip 16;
+
+    # Logging
+    access_log /usr/local/var/log/nginx/access.log main;
+    error_log  /usr/local/var/log/nginx/error.log warn;
+    location = /robots.txt  { access_log off; log_not_found off; }
+    location = /favicon.ico { access_log off; log_not_found off; }
+
+    # Configuration
+    include /usr/local/etc/nginx/conf.d/drop.conf;
+    include /usr/local/etc/nginx/conf.d/php5.conf;
+    include /usr/local/etc/nginx/conf.d/assets.conf;
+
+    fastcgi_param MAGE_IS_DEVELOPER_MODE true;
+
+    include /usr/local/etc/nginx/conf.d/magento.conf;
+
+    # Environment
+    root /Users/prm/Projects/;
+    index index.php index.html index.htm;
+}
diff --git a/drop.conf b/drop.conf
@@ -0,0 +1,17 @@
+# Do not log attempts for common files
+location ~ ^/(favicon.ico|robots.txt) {
+    access_log off;
+    log_not_found off;
+}
+
+# Deny access to hidden files
+location /. {
+    access_log off;
+    log_not_found off;
+    return 404;
+}
+
+# Deny obviously bad requests
+location ~ \.(aspx|asp|jsp|cgi)$ {
+    return 410;
+}
diff --git a/drupal.conf b/drupal.conf
@@ -0,0 +1,42 @@
+# Deny access to files the public doesn't need
+location ~* ^.+(\.(txt|log|engine|inc|info|install|make|module|profile|test|po|sh|sql|theme|tpl(\.php)?|xtmpl))$ {
+    internal;
+}
+
+# Deny access to other PHP files
+location ~ \..*/.*\.php {
+    internal;
+}
+
+# Deny access to private and backups
+location ~* ^/sites/.*/(private|files/backup_migrate)/ {
+    access_log off;
+    return 404;
+}
+
+# Attempt to serve the request by trying direct file, directory, Drupal Controller
+location / {
+    try_files $uri $uri/ /index.php?q=$uri&$args;
+    expires max;
+}
+
+# Check: http://wiki.nginx.org/Pitfalls
+location ~* (install|update|apc|info)\.php$ {
+    # do not cache dynamic content
+    expires off;
+
+    # php5 specific configuration options
+    include /usr/local/etc/nginx/fastcgi_params;
+}
+
+# Below locations are for image cache
+location ~* files/styles {
+    access_log off;
+    log_not_found off;
+    expires max;
+    try_files $uri @image_rewrite;
+}
+
+location @image_rewrite {
+    rewrite ^/(.*)$ /index.php?q=$1 last;
+}
diff --git a/magento.conf b/magento.conf
@@ -0,0 +1,27 @@
+# Deny access to files the public doesn't need
+location ^~ /(app|config|includes|lib|media/customer|media/downloadable|pkginfo|report/config.xml|shell|var)/ {
+    internal;
+}
+
+# Restrict access to admins
+location /var/export {
+    auth_basic "Restricted";
+    auth_basic_user_file /etc/nginx/.htpasswd;
+    autoindex on;
+}
+
+# Attempt to serve the request by trying direct file, directory, Magento controller
+location / {
+    try_files $uri $uri/ /index.php?$args;
+    expires max;
+}
+
+# The downloader has its own index.php that needs to be used
+location ~* ^(/downloader)(.*) {
+    try_files $uri $uri/ /downloader/index.php$1;
+}
+
+# REST API endpoint
+location /api {
+    rewrite ^/api/rest /api.php?type=rest last;
+}
diff --git a/php5.conf b/php5.conf
@@ -0,0 +1,16 @@
+# Pass PHP scripts to PHP-FPM daemon
+# Check: http://wiki.nginx.org/Pitfalls
+
+location ~* \.php$ {
+    # do not cache dynamic content
+    expires off;
+
+    # filter out problem conditions
+    location ~ \..*/.*\.php$ { return 404; }
+
+    # bring in parameters
+    include /usr/local/etc/nginx/fastcgi_params;
+
+    # send requests to Upstream
+    fastcgi_pass phpfpm;
+}
diff --git a/wordpress.conf b/wordpress.conf
@@ -0,0 +1,16 @@
+# Deny access to any files with a .php extension in the uploads directory
+# Works in sub-directory installs and also in multisite network
+# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+location ~* /(?:uploads|files)/.*\.php$ {
+    deny all;
+}
+
+# Attempted to match last if rules below fail.
+# http://wiki.nginx.org/HttpCoreModule
+location / {
+    try_files $uri $uri/ /index.php?$args;
+    expires max;
+}
+
+# Add trailing slash to */wp-admin requests.
+rewrite /wp-admin$ $scheme://$host$uri/ permanent;
diff --git a/nginx.conf b/nginx.conf
@@ -0,0 +1,83 @@
+----------------------------------------------------------------------
+#  http://wiki.nginx.org/NginxMainModule
+#----------------------------------------------------------------------
+user prm staff;
+worker_processes 2;
+pid /usr/local/var/run/nginx/nginx.pid;
+
+#----------------------------------------------------------------------
+# http://wiki.nginx.org/NginxEventsModule
+#----------------------------------------------------------------------
+events {
+    worker_connections 1024;
+    accept_mutex off;
+}
+
+#----------------------------------------------------------------------
+# http://wiki.nginx.org/NginxHttpCoreModule
+#----------------------------------------------------------------------
+http {
+    access_log /usr/local/var/log/nginx/access.log;
+    error_log  /usr/local/var/log/nginx/error.log warn;
+
+    include mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] $request '
+                    '"$status" $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    # This tells Nginx to ignore the contents of a file it is sending
+    # and uses the kernel sendfile instead
+    sendfile on;
+
+    # Set this to on if you have sendfile on
+    # It will prepend the HTTP response headers before
+    # calling sendfile()
+    tcp_nopush on;
+
+    # This disables the "Nagle buggering algorithm" (Nginx Docs)
+    # Good for websites that send a lot of small requests that
+    # don't need a response
+    tcp_nodelay on;
+
+    # timeouts
+    keepalive_timeout 25;
+    send_timeout 30;
+
+    # general options
+    charset utf-8;
+    server_tokens off;
+    server_name_in_redirect off;
+    ignore_invalid_headers on;
+    recursive_error_pages on;
+    merge_slashes on;
+    underscores_in_headers on;
+    limit_conn_zone $binary_remote_addr zone=limit_per_ip:16m;
+    types_hash_max_size 2048;
+    server_names_hash_bucket_size 128;
+    client_max_body_size 24m;
+    client_body_buffer_size 128k;
+    #proxy_read_timeout 18000;
+
+    # compression
+    gzip on;
+    gzip_http_version 1.0;
+    gzip_proxied any;
+    gzip_vary on;
+    gzip_static on;
+    gzip_min_length 1024;
+    gzip_buffers 32 8k;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css application/x-javascript text/comma-separated-values text/xml application/xml application/xml+rss application/atom+xml text/javascript;
+    gzip_disable "MSIE [1-6].(?!.*SV1)";
+
+    # PHP-FPM
+    upstream phpfpm {
+      #server unix:/usr/local/var/run/nginx/phpfpm.sock;
+      server 127.0.0.1:9000;
+    }
+
+    # include active sites
+    include /usr/local/etc/nginx/sites-enabled/*;
+}