2024-01-26 22:16:29 +01:00
|
|
|
# maximum file upload size (keep up to date when changing the corresponding site setting)
|
|
|
|
client_max_body_size 10m;
|
|
|
|
|
|
|
|
# extend timeouts
|
|
|
|
proxy_connect_timeout 600;
|
|
|
|
proxy_send_timeout 600;
|
|
|
|
proxy_read_timeout 600;
|
|
|
|
send_timeout 600;
|
|
|
|
|
|
|
|
# path to discourse's public directory
|
|
|
|
set $public __INSTALL_DIR__/public/;
|
|
|
|
|
|
|
|
# without weak etags we get zero benefit from etags on dynamically compressed content
|
|
|
|
# further more etags are based on the file in nginx not sha of data
|
|
|
|
# use dates, it solves the problem fine even cross server
|
|
|
|
etag off;
|
|
|
|
|
|
|
|
# prevent direct download of backups
|
|
|
|
location ^~ __PATH__/backups/ {
|
|
|
|
internal;
|
|
|
|
}
|
|
|
|
|
|
|
|
# bypass rails stack with a cheap 204 for favicon.ico requests
|
|
|
|
location __PATH__/favicon.ico {
|
|
|
|
return 204;
|
|
|
|
access_log off;
|
|
|
|
log_not_found off;
|
|
|
|
}
|
|
|
|
|
|
|
|
#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
|
|
|
|
location __PATH__/ {
|
|
|
|
alias __INSTALL_DIR__/public/ ;
|
|
|
|
proxy_hide_header ETag;
|
|
|
|
|
|
|
|
# auth_basic on;
|
|
|
|
# auth_basic_user_file /etc/nginx/htpasswd;
|
|
|
|
|
|
|
|
# Include SSOWAT user panel.
|
|
|
|
include conf.d/yunohost_panel.conf.inc;
|
|
|
|
|
|
|
|
|
|
|
|
location ~* (assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico)$ {
|
|
|
|
expires 1y;
|
|
|
|
more_set_headers "Cache-Control : public,immutable";
|
|
|
|
more_set_headers "Access-Control-Allow-Origin : *";
|
|
|
|
}
|
|
|
|
|
|
|
|
location = __PATH__/srv/status {
|
|
|
|
access_log off;
|
|
|
|
log_not_found off;
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Request-Start "t=${msec}";
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
|
|
proxy_pass http://unix:__INSTALL_DIR__/tmp/sockets/unicorn.sock;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
# some minimal caching here so we don't keep asking
|
|
|
|
# longer term we should increas probably to 1y
|
|
|
|
location ~ ^/javascripts/ {
|
|
|
|
expires 1d;
|
|
|
|
more_set_headers "Cache-Control : public,immutable";
|
|
|
|
}
|
|
|
|
|
|
|
|
location ~ ^/assets/(?<asset_path>.+)$ {
|
|
|
|
expires 1y;
|
|
|
|
# asset pipeline enables this
|
|
|
|
# brotli_static on;
|
|
|
|
gzip_static on;
|
|
|
|
more_set_headers "Cache-Control : public,immutable";
|
|
|
|
# HOOK in asset location (used for extensibility)
|
|
|
|
# TODO I don't think this break is needed, it just breaks out of rewrite
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
location ~ ^/plugins/ {
|
|
|
|
expires 1y;
|
|
|
|
more_set_headers "Cache-Control : public,immutable";
|
|
|
|
}
|
|
|
|
|
|
|
|
# cache emojis
|
|
|
|
location ~ /images/emoji/ {
|
|
|
|
expires 1y;
|
|
|
|
more_set_headers "Cache-Control : public,immutable";
|
|
|
|
}
|
|
|
|
|
|
|
|
location ~ ^/uploads/ {
|
|
|
|
|
|
|
|
# NOTE: it is really annoying that we can't just define headers
|
|
|
|
# at the top level and inherit.
|
|
|
|
#
|
|
|
|
# proxy_set_header DOES NOT inherit, by design, we must repeat it,
|
|
|
|
# otherwise headers are not set correctly
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Request-Start "t=${msec}";
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
|
|
proxy_set_header X-Sendfile-Type X-Accel-Redirect;
|
|
|
|
proxy_set_header X-Accel-Mapping __INSTALL_DIR__/public/=/downloads/;
|
|
|
|
expires 1y;
|
|
|
|
more_set_headers "Cache-Control : public,immutable";
|
|
|
|
|
|
|
|
## optional upload anti-hotlinking rules
|
|
|
|
#valid_referers none blocked mysite.com *.mysite.com;
|
|
|
|
#if ($invalid_referer) { return 403; }
|
|
|
|
|
|
|
|
# custom CSS
|
|
|
|
location ~ /stylesheet-cache/ {
|
|
|
|
try_files $uri =404;
|
|
|
|
}
|
|
|
|
# this allows us to bypass rails
|
|
|
|
location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|svg|ico|webp)$ {
|
|
|
|
try_files $uri =404;
|
|
|
|
}
|
|
|
|
# thumbnails & optimized images
|
|
|
|
location ~ /_?optimized/ {
|
|
|
|
try_files $uri =404;
|
|
|
|
}
|
|
|
|
|
|
|
|
proxy_pass http://unix:__INSTALL_DIR__/tmp/sockets/unicorn.sock;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
location ~ ^/admin/backups/ {
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Request-Start "t=${msec}";
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
|
|
proxy_set_header X-Sendfile-Type X-Accel-Redirect;
|
|
|
|
proxy_set_header X-Accel-Mapping __INSTALL_DIR__/public/=/downloads/;
|
|
|
|
proxy_pass http://unix:__INSTALL_DIR__/tmp/sockets/unicorn.sock;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
# This big block is needed so we can selectively enable
|
|
|
|
# acceleration for backups and avatars
|
|
|
|
# see note about repetition above
|
|
|
|
location ~ ^/(letter_avatar/|user_avatar|highlight-js|stylesheets|favicon/proxied|service-worker) {
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Request-Start "t=${msec}";
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
|
|
|
|
|
|
# if Set-Cookie is in the response nothing gets cached
|
|
|
|
# this is double bad cause we are not passing last modified in
|
|
|
|
proxy_ignore_headers "Set-Cookie";
|
|
|
|
proxy_hide_header "Set-Cookie";
|
|
|
|
|
|
|
|
# note x-accel-redirect can not be used with proxy_cache
|
|
|
|
# proxy_cache one;
|
|
|
|
proxy_cache_valid 200 301 302 7d;
|
|
|
|
proxy_cache_valid any 1m;
|
|
|
|
proxy_pass http://unix:__INSTALL_DIR__/tmp/sockets/unicorn.sock;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
# location /letter_avatar_proxy/ {
|
|
|
|
# # Don't send any client headers to the avatars service
|
|
|
|
# proxy_method GET;
|
|
|
|
# proxy_pass_request_headers off;
|
|
|
|
# proxy_pass_request_body off;
|
|
|
|
#
|
|
|
|
# # Don't let cookies interrupt caching, and don't pass them to the
|
|
|
|
# # client
|
|
|
|
# proxy_ignore_headers "Set-Cookie";
|
|
|
|
# proxy_hide_header "Set-Cookie";
|
|
|
|
#
|
|
|
|
# proxy_cache one;
|
|
|
|
# proxy_cache_key $uri;
|
|
|
|
# proxy_cache_valid 200 7d;
|
|
|
|
# proxy_cache_valid 404 1m;
|
|
|
|
# proxy_set_header Connection "";
|
|
|
|
#
|
|
|
|
# proxy_pass https://avatars.discourse.org/;
|
|
|
|
# break;
|
|
|
|
# }
|
|
|
|
|
|
|
|
# we need buffering off for message bus
|
|
|
|
location __PATH__/message-bus/ {
|
|
|
|
proxy_set_header X-Request-Start "t=${msec}";
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_buffering off;
|
|
|
|
proxy_pass http://unix:__INSTALL_DIR__/tmp/sockets/unicorn.sock;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
# this means every file in public is tried first
|
|
|
|
try_files $uri @__NAME__;
|
|
|
|
}
|
|
|
|
|
|
|
|
location __PATH__/downloads/ {
|
|
|
|
internal;
|
|
|
|
alias __INSTALL_DIR__/public/ ;
|
|
|
|
}
|
|
|
|
|
|
|
|
location @__NAME__ {
|
|
|
|
more_set_headers "Referrer-Policy : no-referrer-when-downgrade";
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header X-Request-Start "t=${msec}";
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
|
|
proxy_pass http://unix:__INSTALL_DIR__/tmp/sockets/unicorn.sock;
|
|
|
|
}
|