mirror of
https://github.com/discourse/discourse.git
synced 2025-01-04 12:34:05 +08:00
SECURITY: Scrub headers to prevent access to files via nginx
This commit is contained in:
Nat
=
parent
95564a3df2
commit
15b43a205b
|
|
@ -99,22 +99,23 @@ server {
|
|||
# auth_basic on;
|
||||
# auth_basic_user_file /etc/nginx/htpasswd;
|
||||
|
||||
# proxy_set_header directives are inherited from the previous configuration
|
||||
# level if and only if there are no proxy_set_header directives defined on
|
||||
# the current level.
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Request-Start "t=${msec}";
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
||||
proxy_set_header X-Sendfile-Type "";
|
||||
proxy_set_header X-Accel-Mapping "";
|
||||
|
||||
location ~ ^/uploads/short-url/ {
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Request-Start "t=${msec}";
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
||||
proxy_pass http://discourse;
|
||||
break;
|
||||
}
|
||||
|
||||
location ~ ^/(secure-media-uploads/|secure-uploads)/ {
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Request-Start "t=${msec}";
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
||||
proxy_pass http://discourse;
|
||||
break;
|
||||
}
|
||||
|
|
@ -128,11 +129,6 @@ server {
|
|||
location = /srv/status {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Request-Start "t=${msec}";
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
||||
proxy_pass http://discourse;
|
||||
break;
|
||||
}
|
||||
|
|
@ -170,12 +166,9 @@ server {
|
|||
}
|
||||
|
||||
location ~ ^/uploads/ {
|
||||
|
||||
# NOTE: it is really annoying that we can't just define headers
|
||||
# at the top level and inherit.
|
||||
#
|
||||
# proxy_set_header DOES NOT inherit, by design, we must repeat it,
|
||||
# otherwise headers are not set correctly
|
||||
# proxy_set_header directives are inherited from the previous configuration
|
||||
# level if and only if there are no proxy_set_header directives defined on
|
||||
# the current level.
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Request-Start "t=${msec}";
|
||||
|
|
@ -183,6 +176,7 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto $thescheme;
|
||||
proxy_set_header X-Sendfile-Type X-Accel-Redirect;
|
||||
proxy_set_header X-Accel-Mapping $public/=/downloads/;
|
||||
|
||||
expires 1y;
|
||||
add_header Cache-Control public,immutable;
|
||||
|
||||
|
|
@ -214,6 +208,9 @@ server {
|
|||
}
|
||||
|
||||
location ~ ^/admin/backups/ {
|
||||
# proxy_set_header directives are inherited from the previous configuration
|
||||
# level if and only if there are no proxy_set_header directives defined on
|
||||
# the current level.
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Request-Start "t=${msec}";
|
||||
|
|
@ -221,6 +218,7 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto $thescheme;
|
||||
proxy_set_header X-Sendfile-Type X-Accel-Redirect;
|
||||
proxy_set_header X-Accel-Mapping $public/=/downloads/;
|
||||
|
||||
proxy_pass http://discourse;
|
||||
break;
|
||||
}
|
||||
|
|
@ -229,12 +227,6 @@ server {
|
|||
# acceleration for backups, avatars, sprites and so on.
|
||||
# see note about repetition above
|
||||
location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker|extra-locales/(mf|overrides)) {
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Request-Start "t=${msec}";
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
||||
|
||||
# if Set-Cookie is in the response nothing gets cached
|
||||
# this is double bad cause we are not passing last modified in
|
||||
proxy_ignore_headers "Set-Cookie";
|
||||
|
|
@ -253,11 +245,6 @@ server {
|
|||
|
||||
# we need buffering off for message bus
|
||||
location /message-bus/ {
|
||||
proxy_set_header X-Request-Start "t=${msec}";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
||||
proxy_http_version 1.1;
|
||||
proxy_buffering off;
|
||||
proxy_pass http://discourse;
|
||||
|
|
@ -274,12 +261,6 @@ server {
|
|||
}
|
||||
|
||||
location @discourse {
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Request-Start "t=${msec}";
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
||||
proxy_pass http://discourse;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user