SECURITY: Scrub headers to prevent access to files via nginx
This commit is contained in:
parent
95564a3df2
commit
15b43a205b
@ -99,22 +99,23 @@ server {
|
||||||
# auth_basic on;
|
# auth_basic on;
|
||||||
# auth_basic_user_file /etc/nginx/htpasswd;
|
# auth_basic_user_file /etc/nginx/htpasswd;
|
||||||
|
|
||||||
|
# proxy_set_header directives are inherited from the previous configuration
|
||||||
|
# level if and only if there are no proxy_set_header directives defined on
|
||||||
|
# the current level.
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Request-Start "t=${msec}";
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $thescheme;
|
||||||
|
proxy_set_header X-Sendfile-Type "";
|
||||||
|
proxy_set_header X-Accel-Mapping "";
|
||||||
|
|
||||||
location ~ ^/uploads/short-url/ {
|
location ~ ^/uploads/short-url/ {
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Request-Start "t=${msec}";
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
|
||||||
proxy_pass http://discourse;
|
proxy_pass http://discourse;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ ^/(secure-media-uploads/|secure-uploads)/ {
|
location ~ ^/(secure-media-uploads/|secure-uploads)/ {
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Request-Start "t=${msec}";
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
|
||||||
proxy_pass http://discourse;
|
proxy_pass http://discourse;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -128,11 +129,6 @@ server {
|
||||||
location = /srv/status {
|
location = /srv/status {
|
||||||
access_log off;
|
access_log off;
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Request-Start "t=${msec}";
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
|
||||||
proxy_pass http://discourse;
|
proxy_pass http://discourse;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -170,12 +166,9 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ ^/uploads/ {
|
location ~ ^/uploads/ {
|
||||||
|
# proxy_set_header directives are inherited from the previous configuration
|
||||||
# NOTE: it is really annoying that we can't just define headers
|
# level if and only if there are no proxy_set_header directives defined on
|
||||||
# at the top level and inherit.
|
# the current level.
|
||||||
#
|
|
||||||
# proxy_set_header DOES NOT inherit, by design, we must repeat it,
|
|
||||||
# otherwise headers are not set correctly
|
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Request-Start "t=${msec}";
|
proxy_set_header X-Request-Start "t=${msec}";
|
||||||
|
@ -183,6 +176,7 @@ server {
|
||||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
proxy_set_header X-Forwarded-Proto $thescheme;
|
||||||
proxy_set_header X-Sendfile-Type X-Accel-Redirect;
|
proxy_set_header X-Sendfile-Type X-Accel-Redirect;
|
||||||
proxy_set_header X-Accel-Mapping $public/=/downloads/;
|
proxy_set_header X-Accel-Mapping $public/=/downloads/;
|
||||||
|
|
||||||
expires 1y;
|
expires 1y;
|
||||||
add_header Cache-Control public,immutable;
|
add_header Cache-Control public,immutable;
|
||||||
|
|
||||||
|
@ -214,6 +208,9 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ ^/admin/backups/ {
|
location ~ ^/admin/backups/ {
|
||||||
|
# proxy_set_header directives are inherited from the previous configuration
|
||||||
|
# level if and only if there are no proxy_set_header directives defined on
|
||||||
|
# the current level.
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Request-Start "t=${msec}";
|
proxy_set_header X-Request-Start "t=${msec}";
|
||||||
|
@ -221,6 +218,7 @@ server {
|
||||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
proxy_set_header X-Forwarded-Proto $thescheme;
|
||||||
proxy_set_header X-Sendfile-Type X-Accel-Redirect;
|
proxy_set_header X-Sendfile-Type X-Accel-Redirect;
|
||||||
proxy_set_header X-Accel-Mapping $public/=/downloads/;
|
proxy_set_header X-Accel-Mapping $public/=/downloads/;
|
||||||
|
|
||||||
proxy_pass http://discourse;
|
proxy_pass http://discourse;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -229,12 +227,6 @@ server {
|
||||||
# acceleration for backups, avatars, sprites and so on.
|
# acceleration for backups, avatars, sprites and so on.
|
||||||
# see note about repetition above
|
# see note about repetition above
|
||||||
location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker|extra-locales/(mf|overrides)) {
|
location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker|extra-locales/(mf|overrides)) {
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Request-Start "t=${msec}";
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
|
||||||
|
|
||||||
# if Set-Cookie is in the response nothing gets cached
|
# if Set-Cookie is in the response nothing gets cached
|
||||||
# this is double bad cause we are not passing last modified in
|
# this is double bad cause we are not passing last modified in
|
||||||
proxy_ignore_headers "Set-Cookie";
|
proxy_ignore_headers "Set-Cookie";
|
||||||
|
@ -253,11 +245,6 @@ server {
|
||||||
|
|
||||||
# we need buffering off for message bus
|
# we need buffering off for message bus
|
||||||
location /message-bus/ {
|
location /message-bus/ {
|
||||||
proxy_set_header X-Request-Start "t=${msec}";
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
proxy_pass http://discourse;
|
proxy_pass http://discourse;
|
||||||
|
@ -274,12 +261,6 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
location @discourse {
|
location @discourse {
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Request-Start "t=${msec}";
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $thescheme;
|
|
||||||
proxy_pass http://discourse;
|
proxy_pass http://discourse;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
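Review bot: The two scrub lines added at server level, `proxy_set_header X-Sendfile-Type "";` and `proxy_set_header X-Accel-Mapping "";`, carry no comment saying why they are empty, and the inheritance note next to them explains the mechanism but not the consequence: any location that later adds even one `proxy_set_header` of its own silently stops inheriting the scrub and forwards the client-supplied values again (only `/uploads/` and `/admin/backups/` are meant to set real values in this diff). Suggest a comment above them, e.g. `# Empty value => nginx does NOT forward the header upstream. Clients must never be able to supply X-Sendfile-Type / X-Accel-Mapping (presumably consumed by the app's sendfile middleware, which would then emit X-Accel-Redirect for a client-chosen mapping). Any location that defines its own proxy_set_header MUST repeat these two lines.` The `# see note about repetition above` comment kept in the svg-sprite/letter_avatar location now refers to headers the commit removed from that block and could be dropped. The enclosing `server {` block starts before the first hunk, so whether a file-level scrub exists elsewhere is not visible here.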