From b6002881e7e4ace2b146bab55fb2d86c3ec49b53 Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Thu, 19 Dec 2024 19:10:00 +0000
Subject: [PATCH] FIX: Simplify nginx config change (#30383)

The security fix in 15b43a2 also introduced some unrelated refactoring to the file, which seems to be causing issues in some environments. This commit reverts the refactoring, and applies the security fix to each block individually.
---
 config/nginx.sample.conf | 69 +++++++++++++++++++++++++++++-----------
 1 file changed, 50 insertions(+), 19 deletions(-)

diff --git a/config/nginx.sample.conf b/config/nginx.sample.conf
index 42dd47ac5b3..9b9b786a378 100644
--- a/config/nginx.sample.conf
+++ b/config/nginx.sample.conf
@@ -99,23 +99,26 @@ server {
 # auth_basic on;
 # auth_basic_user_file /etc/nginx/htpasswd;
- # proxy_set_header directives are inherited from the previous configuration
- # level if and only if there are no proxy_set_header directives defined on
- # the current level.
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Request-Start "t=${msec}";
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $thescheme;
- proxy_set_header X-Sendfile-Type "";
- proxy_set_header X-Accel-Mapping "";
-
 location ~ ^/uploads/short-url/ {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $thescheme;
+ proxy_set_header X-Sendfile-Type "";
+ proxy_set_header X-Accel-Mapping "";
 proxy_pass http://discourse;
 break;
 }
 location ~ ^/(secure-media-uploads/|secure-uploads)/ {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $thescheme;
+ proxy_set_header X-Sendfile-Type "";
+ proxy_set_header X-Accel-Mapping "";
 proxy_pass http://discourse;
 break;
 }
@@ -129,6 +132,13 @@ server {
 location = /srv/status {
 access_log off;
 log_not_found off;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $thescheme;
+ proxy_set_header X-Sendfile-Type "";
+ proxy_set_header X-Accel-Mapping "";
 proxy_pass http://discourse;
 break;
 }
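Review bot: Removing the server-level proxy_set_header block at the top of this hunk means no location inherits the `X-Sendfile-Type ""` and `X-Accel-Mapping ""` overrides any more; the three blocks here repeat them, but a proxy_pass location elsewhere in the file that this patch does not touch would now pass the client's own values for those headers through to the backend, and nginx will not warn about the omission. Worth confirming that every location that proxies to discourse, including any outside these hunks, carries the full seven-line set. A short comment at the first copy would also stop the next maintainer from hoisting them back up to the server level, e.g. `# repeated per location: nginx only inherits proxy_set_header when a block sets none of its own, and the server level no longer sets any`.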
@@ -166,9 +176,12 @@ server {
 }
 location ~ ^/uploads/ {
- # proxy_set_header directives are inherited from the previous configuration
- # level if and only if there are no proxy_set_header directives defined on
- # the current level.
+
+ # NOTE: it is really annoying that we can't just define headers
+ # at the top level and inherit.
+ #
+ # proxy_set_header DOES NOT inherit, by design, we must repeat it,
+ # otherwise headers are not set correctly
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Request-Start "t=${msec}";
@@ -176,7 +189,6 @@ server {
 proxy_set_header X-Forwarded-Proto $thescheme;
 proxy_set_header X-Sendfile-Type X-Accel-Redirect;
 proxy_set_header X-Accel-Mapping $public/=/downloads/;
-
 expires 1y;
 add_header Cache-Control public,immutable;
@@ -208,9 +220,6 @@ server {
 }
 location ~ ^/admin/backups/ {
- # proxy_set_header directives are inherited from the previous configuration
- # level if and only if there are no proxy_set_header directives defined on
- # the current level.
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Request-Start "t=${msec}";
@@ -218,7 +227,6 @@ server {
 proxy_set_header X-Forwarded-Proto $thescheme;
 proxy_set_header X-Sendfile-Type X-Accel-Redirect;
 proxy_set_header X-Accel-Mapping $public/=/downloads/;
-
 proxy_pass http://discourse;
 break;
 }
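Review bot: The NOTE added under `location ~ ^/uploads/ {` is less precise than the three-line comment it replaces: proxy_set_header does inherit from the enclosing level, but only when the current block defines none of its own, which is exactly why the whole set must be repeated once a single directive is present. Suggest keeping that condition in the comment, e.g. `# proxy_set_header is inherited only when this block sets none of its own; once one is set here, the whole list must be repeated`. The empty `+` line inserted between the location line and the comment could also be dropped. The location block continues past the end of the hunk.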
@@ -227,6 +235,14 @@ server {
 # acceleration for backups, avatars, sprites and so on.
 # see note about repetition above
 location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker|extra-locales/(mf|overrides)) {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $thescheme;
+ proxy_set_header X-Sendfile-Type "";
+ proxy_set_header X-Accel-Mapping "";
+
 # if Set-Cookie is in the response nothing gets cached
 # this is double bad cause we are not passing last modified in
 proxy_ignore_headers "Set-Cookie";
@@ -245,6 +261,13 @@ server {
 # we need buffering off for message bus
 location /message-bus/ {
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $thescheme;
+ proxy_set_header X-Sendfile-Type "";
+ proxy_set_header X-Accel-Mapping "";
 proxy_http_version 1.1;
 proxy_buffering off;
 proxy_pass http://discourse;
@@ -261,6 +284,14 @@ server {
 }
 location @discourse {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $thescheme;
+ proxy_set_header X-Sendfile-Type "";
+ proxy_set_header X-Accel-Mapping "";
 proxy_pass http://discourse;
 }
+
 }
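Review bot: The copies added in `location /message-bus/` and `location @discourse` list the directives in a different order (X-Request-Start before Host in the first, Host then X-Request-Start then X-Real-IP in the second) from every other block in this patch, which all use Host, X-Real-IP, X-Request-Start, X-Forwarded-For, X-Forwarded-Proto, X-Sendfile-Type, X-Accel-Mapping. The effect is the same, but an identical ordering lets a reviewer check with a single grep or diff that every copy is complete, which matters here because nginx would not flag a block that silently lacks the X-Sendfile-Type or X-Accel-Mapping line. Suggest reordering those two blocks to match the others, and dropping the blank `+` line added before the closing `}` of the @discourse hunk.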