SECURITY: Scrub headers to prevent access to files via nginx

config/nginx.sample.conf

@@ -106,22 +106,23 @@ server {
     # auth_basic on;
     # auth_basic_user_file /etc/nginx/htpasswd;
 
+    # proxy_set_header directives are inherited from the previous configuration
+    # level if and only if there are no proxy_set_header directives defined on
+    # the current level.
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Request-Start "t=${msec}";
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $thescheme;
+    proxy_set_header X-Sendfile-Type "";
+    proxy_set_header X-Accel-Mapping "";
+
     location ~ ^/uploads/short-url/ {
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Request-Start "t=${msec}";
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $thescheme;
       proxy_pass http://discourse;
       break;
     }
 
     location ~ ^/(secure-media-uploads/|secure-uploads)/ {
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Request-Start "t=${msec}";
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $thescheme;
       proxy_pass http://discourse;
       break;
     }
@@ -135,11 +136,6 @@ server {
     location = /srv/status {
       access_log off;
       log_not_found off;
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Request-Start "t=${msec}";
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $thescheme;
       proxy_pass http://discourse;
       break;
     }
@@ -177,12 +173,9 @@ server {
     }
 
     location ~ ^/uploads/ {
-
-      # NOTE: it is really annoying that we can't just define headers
-      # at the top level and inherit.
-      #
-      # proxy_set_header DOES NOT inherit, by design, we must repeat it,
-      # otherwise headers are not set correctly
+      # proxy_set_header directives are inherited from the previous configuration
+      # level if and only if there are no proxy_set_header directives defined on
+      # the current level.
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Request-Start "t=${msec}";
@@ -190,6 +183,7 @@ server {
       proxy_set_header X-Forwarded-Proto $thescheme;
       proxy_set_header X-Sendfile-Type X-Accel-Redirect;
       proxy_set_header X-Accel-Mapping $public/=/downloads/;
+
       expires 1y;
       add_header Cache-Control public,immutable;
 
@@ -221,6 +215,9 @@ server {
     }
 
     location ~ ^/admin/backups/ {
+      # proxy_set_header directives are inherited from the previous configuration
+      # level if and only if there are no proxy_set_header directives defined on
+      # the current level.
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Request-Start "t=${msec}";
@@ -228,6 +225,7 @@ server {
       proxy_set_header X-Forwarded-Proto $thescheme;
       proxy_set_header X-Sendfile-Type X-Accel-Redirect;
       proxy_set_header X-Accel-Mapping $public/=/downloads/;
+
       proxy_pass http://discourse;
       break;
     }
@@ -236,12 +234,6 @@ server {
     # acceleration for backups, avatars, sprites and so on.
     # see note about repetition above
     location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker) {
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Request-Start "t=${msec}";
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $thescheme;
-
       # if Set-Cookie is in the response nothing gets cached
       # this is double bad cause we are not passing last modified in
       proxy_ignore_headers "Set-Cookie";
@@ -260,11 +252,6 @@ server {
 
     # we need buffering off for message bus
     location /message-bus/ {
-      proxy_set_header X-Request-Start "t=${msec}";
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $thescheme;
       proxy_http_version 1.1;
       proxy_buffering off;
       proxy_pass http://discourse;
@@ -281,12 +268,6 @@ server {
   }
 
   location @discourse {
-    proxy_set_header Host $http_host;
-    proxy_set_header X-Request-Start "t=${msec}";
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $thescheme;
     proxy_pass http://discourse;
   }
-
 }