discourse_ynh/conf/nginx.conf

  # maximum file upload size (keep up to date when changing the corresponding site setting)
  client_max_body_size 10m;

  # path to discourse's public directory
  set $public __FINALPATH__/public/;

  # without weak etags we get zero benefit from etags on dynamically compressed content
  # further more etags are based on the file in nginx not sha of data
  # use dates, it solves the problem fine even cross server
  etag off;

  # prevent direct download of backups
  location ^~ __PATH__/backups/ {
    internal;
  }

  # bypass rails stack with a cheap 204 for favicon.ico requests
  location __PATH__/favicon.ico {
    return 204;
    access_log off;
    log_not_found off;
  }

  location __PATH__ {
    alias $public;
    add_header ETag "";

    if ($scheme = http) {
            rewrite ^ https://$server_name$request_uri? permanent;
    }

    # auth_basic on;
    # auth_basic_user_file /etc/nginx/htpasswd;

    # Include SSOWAT user panel.
    include conf.d/yunohost_panel.conf.inc;


    location ~* (assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico)$ {
      expires 1y;
      add_header Cache-Control public,immutable;
      add_header Access-Control-Allow-Origin *;
     }

    location = __PATH__/srv/status {
      access_log off;
      log_not_found off;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Request-Start "t=${msec}";
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock;
      break;
    }

    # some minimal caching here so we don't keep asking
    # longer term we should increas probably to 1y
    location ~ ^/javascripts/ {
      expires 1d;
      add_header Cache-Control public,immutable;
    }

    location ~ ^/assets/(?<asset_path>.+)$ {
      expires 1y;
      # asset pipeline enables this
      # brotli_static on;
      gzip_static on;
      add_header Cache-Control public,immutable;
      # HOOK in asset location (used for extensibility)
      # TODO I don't think this break is needed, it just breaks out of rewrite
      break;
    }

    location ~ ^/plugins/ {
      expires 1y;
      add_header Cache-Control public,immutable;
    }

    # cache emojis
    location ~ /images/emoji/ {
      expires 1y;
      add_header Cache-Control public,immutable;
    }

    location ~ ^/uploads/ {

      # NOTE: it is really annoying that we can't just define headers
      # at the top level and inherit.
      #
      # proxy_set_header DOES NOT inherit, by design, we must repeat it,
      # otherwise headers are not set correctly
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Request-Start "t=${msec}";
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header X-Sendfile-Type X-Accel-Redirect;
      proxy_set_header X-Accel-Mapping $public/=/downloads/;
      expires 1y;
      add_header Cache-Control public,immutable;

      ## optional upload anti-hotlinking rules
      #valid_referers none blocked mysite.com *.mysite.com;
      #if ($invalid_referer) { return 403; }

      # custom CSS
      location ~ /stylesheet-cache/ {
          try_files $uri =404;
      }
      # this allows us to bypass rails
      location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|svg|ico|webp)$ {
          try_files $uri =404;
      }
      # thumbnails & optimized images
      location ~ /_?optimized/ {
          try_files $uri =404;
      }

      proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock;
      break;
    }

    location ~ ^/admin/backups/ {
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Request-Start "t=${msec}";
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header X-Sendfile-Type X-Accel-Redirect;
      proxy_set_header X-Accel-Mapping $public/=/downloads/;
      proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock;
      break;
    }

    # This big block is needed so we can selectively enable
    # acceleration for backups and avatars
    # see note about repetition above
    location ~ ^/(letter_avatar/|user_avatar|highlight-js|stylesheets|favicon/proxied|service-worker) {
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Request-Start "t=${msec}";
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;

      # if Set-Cookie is in the response nothing gets cached
      # this is double bad cause we are not passing last modified in
      proxy_ignore_headers "Set-Cookie";
      proxy_hide_header "Set-Cookie";

      # note x-accel-redirect can not be used with proxy_cache
#      proxy_cache one;
      proxy_cache_valid 200 301 302 7d;
      proxy_cache_valid any 1m;
      proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock;
      break;
    }

#    location /letter_avatar_proxy/ {
#      # Don't send any client headers to the avatars service
#      proxy_method GET;
#      proxy_pass_request_headers off;
#      proxy_pass_request_body off;
#
#      # Don't let cookies interrupt caching, and don't pass them to the
#      # client
#      proxy_ignore_headers "Set-Cookie";
#      proxy_hide_header "Set-Cookie";
#
#      proxy_cache one;
#      proxy_cache_key $uri;
#      proxy_cache_valid 200 7d;
#      proxy_cache_valid 404 1m;
#      proxy_set_header Connection "";
#
#      proxy_pass https://avatars.discourse.org/;
#      break;
#    }

    # we need buffering off for message bus
    location __PATH__/message-bus/ {
      proxy_set_header X-Request-Start "t=${msec}";
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_http_version 1.1;
      proxy_buffering off;
      proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock;
      break;
    }

    # this means every file in public is tried first
    try_files $uri @__NAME__;
  }

  location __PATH__/downloads/ {
    internal;
    alias $public/;
  }

  location @__NAME__ {
    add_header Referrer-Policy 'no-referrer-when-downgrade';
    proxy_set_header Host $http_host;
    proxy_set_header X-Request-Start "t=${msec}";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock;
}
Initial commit 2018-04-02 16:36:02 +02:00			`# maximum file upload size (keep up to date when changing the corresponding site setting)`
			`client_max_body_size 10m;`

			`# path to discourse's public directory`
			`set $public __FINALPATH__/public/;`

			`# without weak etags we get zero benefit from etags on dynamically compressed content`
			`# further more etags are based on the file in nginx not sha of data`
			`# use dates, it solves the problem fine even cross server`
			`etag off;`

			`# prevent direct download of backups`
			`location ^~ __PATH__/backups/ {`
			`internal;`
			`}`

			`# bypass rails stack with a cheap 204 for favicon.ico requests`
			`location __PATH__/favicon.ico {`
			`return 204;`
			`access_log off;`
			`log_not_found off;`
			`}`

			`location __PATH__ {`
			`alias $public;`
			`add_header ETag "";`

			`if ($scheme = http) {`
			`rewrite ^ https://$server_name$request_uri? permanent;`
			`}`

			`# auth_basic on;`
			`# auth_basic_user_file /etc/nginx/htpasswd;`

			`# Include SSOWAT user panel.`
			`include conf.d/yunohost_panel.conf.inc;`


			`location ~* (assets\|plugins\|uploads)/.*\.(eot\|ttf\|woff\|woff2\|ico)$ {`
			`expires 1y;`
			`add_header Cache-Control public,immutable;`
			`add_header Access-Control-Allow-Origin *;`
			`}`

			`location = __PATH__/srv/status {`
			`access_log off;`
			`log_not_found off;`
			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Request-Start "t=${msec}";`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto https;`
			`proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock;`
			`break;`
			`}`

			`# some minimal caching here so we don't keep asking`
			`# longer term we should increas probably to 1y`
			`location ~ ^/javascripts/ {`
			`expires 1d;`
			`add_header Cache-Control public,immutable;`
			`}`

			`location ~ ^/assets/(?<asset_path>.+)$ {`
			`expires 1y;`
			`# asset pipeline enables this`
			`# brotli_static on;`
			`gzip_static on;`
			`add_header Cache-Control public,immutable;`
			`# HOOK in asset location (used for extensibility)`
			`# TODO I don't think this break is needed, it just breaks out of rewrite`
			`break;`
			`}`

			`location ~ ^/plugins/ {`
			`expires 1y;`
			`add_header Cache-Control public,immutable;`
			`}`

			`# cache emojis`
			`location ~ /images/emoji/ {`
			`expires 1y;`
			`add_header Cache-Control public,immutable;`
			`}`

			`location ~ ^/uploads/ {`

			`# NOTE: it is really annoying that we can't just define headers`
			`# at the top level and inherit.`
			`#`
			`# proxy_set_header DOES NOT inherit, by design, we must repeat it,`
			`# otherwise headers are not set correctly`
			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Request-Start "t=${msec}";`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto https;`
			`proxy_set_header X-Sendfile-Type X-Accel-Redirect;`
			`proxy_set_header X-Accel-Mapping $public/=/downloads/;`
			`expires 1y;`
			`add_header Cache-Control public,immutable;`

			`## optional upload anti-hotlinking rules`
			`#valid_referers none blocked mysite.com *.mysite.com;`
			`#if ($invalid_referer) { return 403; }`

			`# custom CSS`
			`location ~ /stylesheet-cache/ {`
			`try_files $uri =404;`
			`}`
			`# this allows us to bypass rails`
			`location ~* \.(gif\|png\|jpg\|jpeg\|bmp\|tif\|tiff\|svg\|ico\|webp)$ {`
			`try_files $uri =404;`
			`}`
			`# thumbnails & optimized images`
			`location ~ /_?optimized/ {`
			`try_files $uri =404;`
			`}`

			`proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock;`
			`break;`
			`}`

			`location ~ ^/admin/backups/ {`
			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Request-Start "t=${msec}";`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto https;`
			`proxy_set_header X-Sendfile-Type X-Accel-Redirect;`
			`proxy_set_header X-Accel-Mapping $public/=/downloads/;`
			`proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock;`
			`break;`
			`}`

			`# This big block is needed so we can selectively enable`
			`# acceleration for backups and avatars`
			`# see note about repetition above`
			`location ~ ^/(letter_avatar/\|user_avatar\|highlight-js\|stylesheets\|favicon/proxied\|service-worker) {`
			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Request-Start "t=${msec}";`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto https;`

			`# if Set-Cookie is in the response nothing gets cached`
			`# this is double bad cause we are not passing last modified in`
			`proxy_ignore_headers "Set-Cookie";`
			`proxy_hide_header "Set-Cookie";`

			`# note x-accel-redirect can not be used with proxy_cache`
			`# proxy_cache one;`
			`proxy_cache_valid 200 301 302 7d;`
			`proxy_cache_valid any 1m;`
			`proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock;`
			`break;`
			`}`

			`# location /letter_avatar_proxy/ {`
			`# # Don't send any client headers to the avatars service`
			`# proxy_method GET;`
			`# proxy_pass_request_headers off;`
			`# proxy_pass_request_body off;`
			`#`
			`# # Don't let cookies interrupt caching, and don't pass them to the`
			`# # client`
			`# proxy_ignore_headers "Set-Cookie";`
			`# proxy_hide_header "Set-Cookie";`
			`#`
			`# proxy_cache one;`
			`# proxy_cache_key $uri;`
			`# proxy_cache_valid 200 7d;`
			`# proxy_cache_valid 404 1m;`
			`# proxy_set_header Connection "";`
			`#`
			`# proxy_pass https://avatars.discourse.org/;`
			`# break;`
			`# }`

			`# we need buffering off for message bus`
			`location __PATH__/message-bus/ {`
			`proxy_set_header X-Request-Start "t=${msec}";`
			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto https;`
			`proxy_http_version 1.1;`
			`proxy_buffering off;`
			`proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock;`
			`break;`
			`}`

			`# this means every file in public is tried first`
			`try_files $uri @__NAME__;`
			`}`

			`location __PATH__/downloads/ {`
			`internal;`
			`alias $public/;`
			`}`

			`location @__NAME__ {`
			`add_header Referrer-Policy 'no-referrer-when-downgrade';`
			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Request-Start "t=${msec}";`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto https;`
			`proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock;`
			`}`