discourse/config/nginx.sample.conf

# Additional MIME types that you'd like nginx to handle go in here
types {
    text/csv csv;
}

upstream discourse {
  server unix:/var/www/discourse/tmp/sockets/thin.0.sock;
  server unix:/var/www/discourse/tmp/sockets/thin.1.sock;
  server unix:/var/www/discourse/tmp/sockets/thin.2.sock;
  server unix:/var/www/discourse/tmp/sockets/thin.3.sock;
}

proxy_cache_path /var/nginx/cache keys_zone=one:10m max_size=200m;

# see: https://meta.discourse.org/t/x/74060
proxy_buffer_size 8k;

# If you are going to use Puma, use these:
#
# upstream discourse {
#   server unix:/var/www/discourse/tmp/sockets/puma.sock;
# }


# attempt to preserve the proto, must be in http context
map $http_x_forwarded_proto $thescheme {
  default $scheme;
  https https;
}

log_format log_discourse '[$time_local] "$http_host" $remote_addr "$request" "$http_user_agent" "$sent_http_x_discourse_route" $status $bytes_sent "$http_referer" $upstream_response_time $request_time "$sent_http_x_discourse_username"';

server {

  access_log /var/log/nginx/access.log log_discourse;

  listen 80;
  gzip on;
  gzip_vary on;
  gzip_min_length 1000;
  gzip_comp_level 5;
  gzip_types application/json text/css text/javascript application/x-javascript application/javascript image/svg+xml;
  gzip_proxied any;

  # Uncomment and configure this section for HTTPS support
  # NOTE: Put your ssl cert in your main nginx config directory (/etc/nginx)
  #
  # rewrite ^/(.*) https://enter.your.web.hostname.here/$1 permanent;
  #
  # listen 443 ssl;
  # ssl_certificate your-hostname-cert.pem;
  # ssl_certificate_key your-hostname-cert.key;
  # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # ssl_ciphers HIGH:!aNULL:!MD5;
  #

  server_name enter.your.web.hostname.here;
  server_tokens off;

  sendfile on;

  keepalive_timeout 65;

  # maximum file upload size (keep up to date when changing the corresponding site setting)
  client_max_body_size 10m;

  # path to discourse's public directory
  set $public /var/www/discourse/public;

  # without weak etags we get zero benefit from etags on dynamically compressed content
  # further more etags are based on the file in nginx not sha of data
  # use dates, it solves the problem fine even cross server
  etag off;

  # prevent direct download of backups
  location ^~ /backups/ {
    internal;
  }

  # bypass rails stack with a cheap 204 for favicon.ico requests
  location /favicon.ico {
    return 204;
    access_log off;
    log_not_found off;
  }

  location / {
    root $public;
    add_header ETag "";

    # auth_basic on;
    # auth_basic_user_file /etc/nginx/htpasswd;

    location ~* (assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico)$ {
      expires 1y;
      add_header Cache-Control public,immutable;
      add_header Access-Control-Allow-Origin *;
     }

    location = /srv/status {
      access_log off;
      log_not_found off;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Request-Start "t=${msec}";
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $thescheme;
      proxy_pass http://discourse;
      break;
    }

    # some minimal caching here so we don't keep asking
    # longer term we should increas probably to 1y
    location ~ ^/javascripts/ {
      expires 1d;
      add_header Cache-Control public,immutable;
    }

    location ~ ^/assets/(?<asset_path>.+)$ {
      expires 1y;
      # asset pipeline enables this
      brotli_static on;
      gzip_static on;
      add_header Cache-Control public,immutable;
      # HOOK in asset location (used for extensibility)
      # TODO I don't think this break is needed, it just breaks out of rewrite
      break;
    }

    location ~ ^/plugins/ {
      expires 1y;
      add_header Cache-Control public,immutable;
    }

    # cache emojis
    location ~ /images/emoji/ {
      expires 1y;
      add_header Cache-Control public,immutable;
    }

    location ~ ^/uploads/ {

      # NOTE: it is really annoying that we can't just define headers
      # at the top level and inherit.
      #
      # proxy_set_header DOES NOT inherit, by design, we must repeat it,
      # otherwise headers are not set correctly
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Request-Start "t=${msec}";
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $thescheme;
      proxy_set_header X-Sendfile-Type X-Accel-Redirect;
      proxy_set_header X-Accel-Mapping $public/=/downloads/;
      expires 1y;
      add_header Cache-Control public,immutable;

      ## optional upload anti-hotlinking rules
      #valid_referers none blocked mysite.com *.mysite.com;
      #if ($invalid_referer) { return 403; }

      # custom CSS
      location ~ /stylesheet-cache/ {
          try_files $uri =404;
      }
      # this allows us to bypass rails
      location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|svg|ico|webp)$ {
          try_files $uri =404;
      }
      # thumbnails & optimized images
      location ~ /_?optimized/ {
          try_files $uri =404;
      }

      proxy_pass http://discourse;
      break;
    }

    location ~ ^/admin/backups/ {
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Request-Start "t=${msec}";
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $thescheme;
      proxy_set_header X-Sendfile-Type X-Accel-Redirect;
      proxy_set_header X-Accel-Mapping $public/=/downloads/;
      proxy_pass http://discourse;
      break;
    }

    # This big block is needed so we can selectively enable
    # acceleration for backups, avatars, sprites and so on.
    # see note about repetition above
    location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker) {
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Request-Start "t=${msec}";
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $thescheme;

      # if Set-Cookie is in the response nothing gets cached
      # this is double bad cause we are not passing last modified in
      proxy_ignore_headers "Set-Cookie";
      proxy_hide_header "Set-Cookie";
      proxy_hide_header "X-Discourse-Username";
      proxy_hide_header "X-Runtime";

      # note x-accel-redirect can not be used with proxy_cache
      proxy_cache one;
      proxy_cache_key "$scheme,$host,$request_uri";
      proxy_cache_valid 200 301 302 7d;
      proxy_cache_valid any 1m;
      proxy_pass http://discourse;
      break;
    }

    # we need buffering off for message bus
    location /message-bus/ {
      proxy_set_header X-Request-Start "t=${msec}";
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $thescheme;
      proxy_http_version 1.1;
      proxy_buffering off;
      proxy_pass http://discourse;
      break;
    }

    # this means every file in public is tried first
    try_files $uri @discourse;
  }

  location /downloads/ {
    internal;
    alias $public/;
  }

  location @discourse {
    proxy_set_header Host $http_host;
    proxy_set_header X-Request-Start "t=${msec}";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $thescheme;
    proxy_pass http://discourse;
  }

}
Add section for additional MIME in nginx 2013-08-13 14:00:20 -04:00			`# Additional MIME types that you'd like nginx to handle go in here`
			`types {`
Hide version of the web server 2014-05-14 01:08:29 -04:00			`text/csv csv;`
Add section for additional MIME in nginx 2013-08-13 14:00:20 -04:00			`}`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`upstream discourse {`
Update documentation * Change recommendation for install path to /var/www/discourse * Fix instructions for redis-server installation * Set yourself as system user during install * Clarify some instructions 2013-08-07 00:06:40 -04:00			`server unix:/var/www/discourse/tmp/sockets/thin.0.sock;`
			`server unix:/var/www/discourse/tmp/sockets/thin.1.sock;`
			`server unix:/var/www/discourse/tmp/sockets/thin.2.sock;`
			`server unix:/var/www/discourse/tmp/sockets/thin.3.sock;`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`}`

FIX: cache avatars in NGINX 2014-07-14 20:30:27 -04:00			`proxy_cache_path /var/nginx/cache keys_zone=one:10m max_size=200m;`

bump up proxy buffer size 2017-12-10 17:29:47 -05:00			`# see: https://meta.discourse.org/t/x/74060`
			`proxy_buffer_size 8k;`

Locate the Puma config file. 2013-11-17 23:53:36 -05:00			`# If you are going to use Puma, use these:`
			`#`
			`# upstream discourse {`
Fix Puma socket name As mentioned in https://github.com/discourse/discourse/commit/f784a188c69ddfa329ec882cbfab9b216256d5fb#commitcomment-5277066 2014-05-07 21:58:49 -04:00			`# server unix:/var/www/discourse/tmp/sockets/puma.sock;`
Locate the Puma config file. 2013-11-17 23:53:36 -05:00			`# }`

correct nginx rule forwarding header 2014-01-09 00:39:30 -05:00
			`# attempt to preserve the proto, must be in http context`
			`map $http_x_forwarded_proto $thescheme {`
			`default $scheme;`
			`https https;`
			`}`

Include HTTP Host header in nginx logs This is crucial in multisite installations, because otherwise the nginx logs are fairly useless, however it can also be quite handy to know what hostnames are being sent to your site. The variable is quoted, because it is untrusted input (it is taken directly from the HTTP request), but nginx helpfully escapes the quoting character automagically, so we don't have to worry about that. For now, the log analysis plugin recognises the new log format (and continues to recognise the previous format, for backwards compatibility), but doesn't do anything with the new log entry field. This means your multisite performance plugin data is still broken, but it's no worse than it was before. 2017-06-28 00:34:41 -04:00			`log_format log_discourse '[$time_local] "$http_host" $remote_addr "$request" "$http_user_agent" "$sent_http_x_discourse_route" $status $bytes_sent "$http_referer" $upstream_response_time $request_time "$sent_http_x_discourse_username"';`
FEATURE: add a custom log format for better analysis 2015-06-15 21:37:08 -04:00
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`server {`

FEATURE: add a custom log format for better analysis 2015-06-15 21:37:08 -04:00			`access_log /var/log/nginx/access.log log_discourse;`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`listen 80;`
			`gzip on;`
FIX: add vary encoding to gzip responses this ensures CDNs work correctly see: http://blog.maxcdn.com/accept-encoding-its-vary-important/ 2014-10-22 20:05:42 -04:00			`gzip_vary on;`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`gzip_min_length 1000;`
FIX: serve statically compressed files when available PERF: default gzip to level 5 2014-07-08 02:45:18 -04:00			`gzip_comp_level 5;`
PERF: Add text/javascript to NGINX gzip_types 2019-02-07 18:47:42 -05:00			`gzip_types application/json text/css text/javascript application/x-javascript application/javascript image/svg+xml;`
PERF: enable gzip on proxied requests 2018-01-08 21:28:05 -05:00			`gzip_proxied any;`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
add commented out SSL section to nginx config 2015-01-17 04:26:21 -05:00			`# Uncomment and configure this section for HTTPS support`
			`# NOTE: Put your ssl cert in your main nginx config directory (/etc/nginx)`
			`#`
			`# rewrite ^/(.*) https://enter.your.web.hostname.here/$1 permanent;`
			`#`
			`# listen 443 ssl;`
			`# ssl_certificate your-hostname-cert.pem;`
			`# ssl_certificate_key your-hostname-cert.key;`
			`# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`
			`# ssl_ciphers HIGH:!aNULL:!MD5;`
			`#`

documentation: merge & adapt suggestions from baus 2013-05-29 00:07:26 -04:00			`server_name enter.your.web.hostname.here;`
Hide version of the web server 2014-05-14 01:08:29 -04:00			`server_tokens off;`
Add X-Forwarded-Proto to nginx config to support SSL. Fixes #293 2013-02-28 11:24:03 -05:00
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`sendfile on;`

			`keepalive_timeout 65;`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00
			`# maximum file upload size (keep up to date when changing the corresponding site setting)`
FEATURE: raise min body size to 10m 2015-02-22 18:50:09 -05:00			`client_max_body_size 10m;`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`# path to discourse's public directory`
			`set $public /var/www/discourse/public;`

FIX: properly support sendfile on all routes FIX: disable unused etags 2014-07-10 01:18:31 -04:00			`# without weak etags we get zero benefit from etags on dynamically compressed content`
			`# further more etags are based on the file in nginx not sha of data`
			`# use dates, it solves the problem fine even cross server`
			`etag off;`
FIX: cache all public resources registered by plugins. Plugins are responsible for expiry 2014-12-08 22:49:02 -05:00
SECURITY: prevent direct download of backups 2014-12-03 06:47:28 -05:00			`# prevent direct download of backups`
			`location ^~ /backups/ {`
			`internal;`
			`}`
FIX: properly support sendfile on all routes FIX: disable unused etags 2014-07-10 01:18:31 -04:00
Return 204 instead of 404 for favicon.ico requests 2015-12-21 07:13:56 -05:00			`# bypass rails stack with a cheap 204 for favicon.ico requests`
FIX: stop sending a blank /favicon.ico instead have nginx ship a 404 for it. 2015-11-17 03:34:05 -05:00			`location /favicon.ico {`
Return 204 instead of 404 for favicon.ico requests 2015-12-21 07:13:56 -05:00			`return 204;`
Do not log favicon.ico requests 2015-12-21 07:14:36 -05:00			`access_log off;`
			`log_not_found off;`
FIX: stop sending a blank /favicon.ico instead have nginx ship a 404 for it. 2015-11-17 03:34:05 -05:00			`}`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`location / {`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`root $public;`
FIX: properly support sendfile on all routes FIX: disable unused etags 2014-07-10 01:18:31 -04:00			`add_header ETag "";`
BUGFIX: attempt to forward on the protocol set by haproxy 2014-01-08 20:36:42 -05:00
Allow sites to set HTTP basic authentication through nginx. 2016-01-07 23:46:52 -05:00			`# auth_basic on;`
			`# auth_basic_user_file /etc/nginx/htpasswd;`

nginx sample config: also add A-C-A-O header to font files in uploads or plugins path 2018-01-18 16:41:16 -05:00			`location ~* (assets\|plugins\|uploads)/.*\.(eot\|ttf\|woff\|woff2\|ico)$ {`
update NGINX sample to allow admin to download backups 2014-02-12 23:36:51 -05:00			`expires 1y;`
spaces matter 2017-02-23 17:37:53 -05:00			`add_header Cache-Control public,immutable;`
update NGINX sample to allow admin to download backups 2014-02-12 23:36:51 -05:00			`add_header Access-Control-Allow-Origin *;`
			`}`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00
Put back `/srv/status` non-logging but include proxy details 2015-07-03 11:43:33 -04:00			`location = /srv/status {`
			`access_log off;`
			`log_not_found off;`
			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
FEATURE: add request start time so we can track queueing 2018-03-26 01:29:20 -04:00			`proxy_set_header X-Request-Start "t=${msec}";`
Put back `/srv/status` non-logging but include proxy details 2015-07-03 11:43:33 -04:00			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $thescheme;`
			`proxy_pass http://discourse;`
			`break;`
			`}`

PERF: add some minimal caching to javascripts folder 2018-01-08 20:38:15 -05:00			`# some minimal caching here so we don't keep asking`
			`# longer term we should increas probably to 1y`
			`location ~ ^/javascripts/ {`
			`expires 1d;`
			`add_header Cache-Control public,immutable;`
			`}`

FEATURE: add hook and asset path variable 2017-03-20 12:11:14 -04:00			`location ~ ^/assets/(?<asset_path>.+)$ {`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`expires 1y;`
FIX: properly support sendfile on all routes FIX: disable unused etags 2014-07-10 01:18:31 -04:00			`# asset pipeline enables this`
FEATURE: enable NGINX brotli support unconditionally Previously we would rely on enable brotli in the web template to turn this on, going forward this is default on 2019-04-10 22:41:16 -04:00			`brotli_static on;`
FIX: serve statically compressed files when available PERF: default gzip to level 5 2014-07-08 02:45:18 -04:00			`gzip_static on;`
spaces matter 2017-02-23 17:37:53 -05:00			`add_header Cache-Control public,immutable;`
FEATURE: add hook and asset path variable 2017-03-20 12:11:14 -04:00			`# HOOK in asset location (used for extensibility)`
FIX: cache all public resources registered by plugins. Plugins are responsible for expiry 2014-12-08 22:49:02 -05:00			`# TODO I don't think this break is needed, it just breaks out of rewrite`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`break;`
FIX: avatars in quotes/oneboxes Avatars in quotes/oneboxes are still pointing to the old `/users/:username/avatar(/:size)` route. So, this adds back the old avatar route for the transition period. 2013-08-14 06:20:05 -04:00			`}`

FIX: cache all public resources registered by plugins. Plugins are responsible for expiry 2014-12-08 22:49:02 -05:00			`location ~ ^/plugins/ {`
			`expires 1y;`
spaces matter 2017-02-23 17:37:53 -05:00			`add_header Cache-Control public,immutable;`
FIX: cache all public resources registered by plugins. Plugins are responsible for expiry 2014-12-08 22:49:02 -05:00			`}`
add commented out SSL section to nginx config 2015-01-17 04:26:21 -05:00
FIX: cache emojis for 1 year 2014-12-28 05:10:03 -05:00			`# cache emojis`
simplify emoji cache rule 2017-07-20 18:22:59 -04:00			`location ~ /images/emoji/ {`
FIX: cache emojis for 1 year 2014-12-28 05:10:03 -05:00			`expires 1y;`
spaces matter 2017-02-23 17:37:53 -05:00			`add_header Cache-Control public,immutable;`
FIX: cache emojis for 1 year 2014-12-28 05:10:03 -05:00			`}`
FIX: cache all public resources registered by plugins. Plugins are responsible for expiry 2014-12-08 22:49:02 -05:00
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`location ~ ^/uploads/ {`
FIX: multisite uploads broken 2014-07-14 00:26:25 -04:00
			`# NOTE: it is really annoying that we can't just define headers`
			`# at the top level and inherit.`
			`#`
			`# proxy_set_header DOES NOT inherit, by design, we must repeat it,`
			`# otherwise headers are not set correctly`
			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
FEATURE: add request start time so we can track queueing 2018-03-26 01:29:20 -04:00			`proxy_set_header X-Request-Start "t=${msec}";`
FIX: multisite uploads broken 2014-07-14 00:26:25 -04:00			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $thescheme;`
FIX: pretending to support too many accelerated files This broke sidekiq web (sidekiq serves resources out of /vendor/ path) 2014-07-11 04:47:55 -04:00			`proxy_set_header X-Sendfile-Type X-Accel-Redirect;`
			`proxy_set_header X-Accel-Mapping $public/=/downloads/;`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`expires 1y;`
spaces matter 2017-02-23 17:37:53 -05:00			`add_header Cache-Control public,immutable;`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`## optional upload anti-hotlinking rules`
			`#valid_referers none blocked mysite.com *.mysite.com;`
update NGINX sample to allow admin to download backups 2014-02-12 23:36:51 -05:00			`#if ($invalid_referer) { return 403; }`
Add X-Forwarded-Proto to nginx config to support SSL. Fixes #293 2013-02-28 11:24:03 -05:00
Update nginx.config.sample to allow custom CSS cf. http://meta.discourse.org/t/changing-css-in-customize-section-has-no-effect/10036 2013-10-01 11:52:04 -04:00			`# custom CSS`
Hide version of the web server 2014-05-14 01:08:29 -04:00			`location ~ /stylesheet-cache/ {`
			`try_files $uri =404;`
			`}`
FIX: multisite uploads broken 2014-07-14 00:26:25 -04:00			`# this allows us to bypass rails`
add 'ico' and 'webp' to image extensions list in order to bypass rails 2017-06-22 06:55:27 -04:00			`location ~* \.(gif\|png\|jpg\|jpeg\|bmp\|tif\|tiff\|svg\|ico\|webp)$ {`
Hide version of the web server 2014-05-14 01:08:29 -04:00			`try_files $uri =404;`
			`}`
Update nginx.config.sample to allow custom CSS cf. http://meta.discourse.org/t/changing-css-in-customize-section-has-no-effect/10036 2013-10-01 11:52:04 -04:00			`# thumbnails & optimized images`
FIX: consistent and future-proof upload storage pattern 2015-05-19 06:31:12 -04:00			`location ~ /_?optimized/ {`
Hide version of the web server 2014-05-14 01:08:29 -04:00			`try_files $uri =404;`
			`}`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
			`proxy_pass http://discourse;`
			`break;`
			`}`
Add X-Forwarded-Proto to nginx config to support SSL. Fixes #293 2013-02-28 11:24:03 -05:00
FIX: backups not using x accl redirect 2014-09-24 02:51:14 -04:00			`location ~ ^/admin/backups/ {`
FIX: cache avatars in NGINX 2014-07-14 20:30:27 -04:00			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
FEATURE: add request start time so we can track queueing 2018-03-26 01:29:20 -04:00			`proxy_set_header X-Request-Start "t=${msec}";`
FIX: cache avatars in NGINX 2014-07-14 20:30:27 -04:00			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $thescheme;`
			`proxy_set_header X-Sendfile-Type X-Accel-Redirect;`
			`proxy_set_header X-Accel-Mapping $public/=/downloads/;`
			`proxy_pass http://discourse;`
			`break;`
			`}`

FIX: multisite uploads broken 2014-07-14 00:26:25 -04:00			`# This big block is needed so we can selectively enable`
REFACTOR: Proxy letter avatars in rails instead of nginx Co-authored-by: Sam Saffron <sam.saffron@gmail.com> Co-authored-by: David Taylor <david@taylorhq.com> This gives more control over the request. In particular we can easily lookup DNS dynamically, instead of only upon NGINX startup. Previously, NGINX was looking up IP for the letter avatar service and caching the CDN IP address, this caused issues if CDN changed IP, in which letter avatars would be broken till a container restarted. NGINX config has been updated to add caching. This change will require a container rebuild. The proxy will now function in development environments, so the patch for `letter_avatar_proxy` has been removed. 2019-02-15 12:45:09 -05:00			`# acceleration for backups, avatars, sprites and so on.`
FIX: multisite uploads broken 2014-07-14 00:26:25 -04:00			`# see note about repetition above`
REFACTOR: Proxy letter avatars in rails instead of nginx Co-authored-by: Sam Saffron <sam.saffron@gmail.com> Co-authored-by: David Taylor <david@taylorhq.com> This gives more control over the request. In particular we can easily lookup DNS dynamically, instead of only upon NGINX startup. Previously, NGINX was looking up IP for the letter avatar service and caching the CDN IP address, this caused issues if CDN changed IP, in which letter avatars would be broken till a container restarted. NGINX config has been updated to add caching. This change will require a container rebuild. The proxy will now function in development environments, so the patch for `letter_avatar_proxy` has been removed. 2019-02-15 12:45:09 -05:00			`location ~ ^/(svg-sprite/\|letter_avatar/\|letter_avatar_proxy/\|user_avatar\|highlight-js\|stylesheets\|theme-javascripts\|favicon/proxied\|service-worker) {`
FIX: multisite uploads broken 2014-07-14 00:26:25 -04:00			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
FEATURE: add request start time so we can track queueing 2018-03-26 01:29:20 -04:00			`proxy_set_header X-Request-Start "t=${msec}";`
FIX: multisite uploads broken 2014-07-14 00:26:25 -04:00			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $thescheme;`
PERF: NGINX caching invalid when server sets cookies 2015-05-22 00:23:47 -04:00
			`# if Set-Cookie is in the response nothing gets cached`
			`# this is double bad cause we are not passing last modified in`
			`proxy_ignore_headers "Set-Cookie";`
must also hide header so its not cached 2015-05-22 01:57:32 -04:00			`proxy_hide_header "Set-Cookie";`
correct multisite bleed in proxy cache 2018-04-10 21:02:03 -04:00			`proxy_hide_header "X-Discourse-Username";`
			`proxy_hide_header "X-Runtime";`
PERF: NGINX caching invalid when server sets cookies 2015-05-22 00:23:47 -04:00
FIX: cache avatars in NGINX 2014-07-14 20:30:27 -04:00			`# note x-accel-redirect can not be used with proxy_cache`
			`proxy_cache one;`
correct multisite bleed in proxy cache 2018-04-10 21:02:03 -04:00			`proxy_cache_key "$scheme,$host,$request_uri";`
FIX: cache avatars in NGINX 2014-07-14 20:30:27 -04:00			`proxy_cache_valid 200 301 302 7d;`
PERF: NGINX caching invalid when server sets cookies 2015-05-22 00:23:47 -04:00			`proxy_cache_valid any 1m;`
update NGINX sample to allow admin to download backups 2014-02-12 23:36:51 -05:00			`proxy_pass http://discourse;`
			`break;`
			`}`

clean up config file 2016-01-04 00:13:44 -05:00			`# we need buffering off for message bus`
Don't buffer message bus, this allows us to stream 2016-01-03 17:56:30 -05:00			`location /message-bus/ {`
FEATURE: add request start time so we can track queueing 2018-03-26 01:29:20 -04:00			`proxy_set_header X-Request-Start "t=${msec}";`
clean up config file 2016-01-04 00:13:44 -05:00			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $thescheme;`
			`proxy_http_version 1.1;`
Don't buffer message bus, this allows us to stream 2016-01-03 17:56:30 -05:00			`proxy_buffering off;`
			`proxy_pass http://discourse;`
			`break;`
			`}`

FIX: multisite uploads broken 2014-07-14 00:26:25 -04:00			`# this means every file in public is tried first`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`try_files $uri @discourse;`
			`}`

			`location /downloads/ {`
			`internal;`
			`alias $public/;`
			`}`

			`location @discourse {`
BUGFIX: proxy_set_header is weird in particular no inheritance IF proxy_set_header is specified in child 2014-03-25 02:06:15 -04:00			`proxy_set_header Host $http_host;`
FEATURE: add request start time so we can track queueing 2018-03-26 01:29:20 -04:00			`proxy_set_header X-Request-Start "t=${msec}";`
BUGFIX: proxy_set_header is weird in particular no inheritance IF proxy_set_header is specified in child 2014-03-25 02:06:15 -04:00			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $thescheme;`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`proxy_pass http://discourse;`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`}`

			`}`