github-mirror/discourse
github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-03-11 05:55:29 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Scrub headers to prevent access to files via nginx

Browse Source
This commit is contained in:
Nat 2024-11-29 11:17:32 +08:00 committed by =
parent 7324bc35a2
commit 438abaa504
1 changed files with 19 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
config/nginx.sample.conf
View File

@ -106,22 +106,23 @@ server {
# auth_basic on; # auth_basic on;
# auth_basic_user_file /etc/nginx/htpasswd; # auth_basic_user_file /etc/nginx/htpasswd;
# proxy_set_header directives are inherited from the previous configuration
# level if and only if there are no proxy_set_header directives defined on
# the current level.
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_set_header X-Sendfile-Type "";
proxy_set_header X-Accel-Mapping "";
location ~ ^/uploads/short-url/ { location ~ ^/uploads/short-url/ {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_pass http://discourse; proxy_pass http://discourse;
break; break;
} }
location ~ ^/(secure-media-uploads/|secure-uploads)/ { location ~ ^/(secure-media-uploads/|secure-uploads)/ {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_pass http://discourse; proxy_pass http://discourse;
break; break;
} }
@ -135,11 +136,6 @@ server {
location = /srv/status { location = /srv/status {
access_log off; access_log off;
log_not_found off; log_not_found off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_pass http://discourse; proxy_pass http://discourse;
break; break;
} }
@ -177,12 +173,9 @@ server {
} }
location ~ ^/uploads/ { location ~ ^/uploads/ {
# proxy_set_header directives are inherited from the previous configuration
# NOTE: it is really annoying that we can't just define headers # level if and only if there are no proxy_set_header directives defined on
# at the top level and inherit. # the current level.
#
# proxy_set_header DOES NOT inherit, by design, we must repeat it,
# otherwise headers are not set correctly
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}"; proxy_set_header X-Request-Start "t=${msec}";
@ -190,6 +183,7 @@ server {
proxy_set_header X-Forwarded-Proto $thescheme; proxy_set_header X-Forwarded-Proto $thescheme;
proxy_set_header X-Sendfile-Type X-Accel-Redirect; proxy_set_header X-Sendfile-Type X-Accel-Redirect;
proxy_set_header X-Accel-Mapping $public/=/downloads/; proxy_set_header X-Accel-Mapping $public/=/downloads/;
expires 1y; expires 1y;
add_header Cache-Control public,immutable; add_header Cache-Control public,immutable;
@ -221,6 +215,9 @@ server {
} }
location ~ ^/admin/backups/ { location ~ ^/admin/backups/ {
# proxy_set_header directives are inherited from the previous configuration
# level if and only if there are no proxy_set_header directives defined on
# the current level.
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}"; proxy_set_header X-Request-Start "t=${msec}";
@ -228,6 +225,7 @@ server {
proxy_set_header X-Forwarded-Proto $thescheme; proxy_set_header X-Forwarded-Proto $thescheme;
proxy_set_header X-Sendfile-Type X-Accel-Redirect; proxy_set_header X-Sendfile-Type X-Accel-Redirect;
proxy_set_header X-Accel-Mapping $public/=/downloads/; proxy_set_header X-Accel-Mapping $public/=/downloads/;
proxy_pass http://discourse; proxy_pass http://discourse;
break; break;
} }
@ -236,12 +234,6 @@ server {
# acceleration for backups, avatars, sprites and so on. # acceleration for backups, avatars, sprites and so on.
# see note about repetition above # see note about repetition above
location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker) { location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker) {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
# if Set-Cookie is in the response nothing gets cached # if Set-Cookie is in the response nothing gets cached
# this is double bad cause we are not passing last modified in # this is double bad cause we are not passing last modified in
proxy_ignore_headers "Set-Cookie"; proxy_ignore_headers "Set-Cookie";
@ -260,11 +252,6 @@ server {
# we need buffering off for message bus # we need buffering off for message bus
location /message-bus/ { location /message-bus/ {
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_buffering off; proxy_buffering off;
proxy_pass http://discourse; proxy_pass http://discourse;
@ -281,12 +268,6 @@ server {
} }
location @discourse { location @discourse {
proxy_set_header Host $http_host;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_pass http://discourse; proxy_pass http://discourse;
} }
} }