discourse/config/nginx.sample.conf

# Additional MIME types that you'd like nginx to handle go in here
types {
    text/csv csv;
}

upstream discourse {
  server unix:/var/www/discourse/tmp/sockets/thin.0.sock;
  server unix:/var/www/discourse/tmp/sockets/thin.1.sock;
  server unix:/var/www/discourse/tmp/sockets/thin.2.sock;
  server unix:/var/www/discourse/tmp/sockets/thin.3.sock;
}

proxy_cache_path /var/nginx/cache keys_zone=one:10m max_size=200m;

# If you are going to use Puma, use these:
#
# upstream discourse {
#   server unix:/var/www/discourse/tmp/sockets/puma.sock;
# }


# attempt to preserve the proto, must be in http context
map $http_x_forwarded_proto $thescheme {
  default $scheme;
  https https;
}

server {

  listen 80;
  gzip on;
  gzip_vary on;
  gzip_min_length 1000;
  gzip_comp_level 5;
  gzip_types application/json text/css application/x-javascript application/javascript;

  # Uncomment and configure this section for HTTPS support
  # NOTE: Put your ssl cert in your main nginx config directory (/etc/nginx)
  #
  # rewrite ^/(.*) https://enter.your.web.hostname.here/$1 permanent;
  #
  # listen 443 ssl;
  # ssl_certificate your-hostname-cert.pem;
  # ssl_certificate_key your-hostname-cert.key;
  # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # ssl_ciphers HIGH:!aNULL:!MD5;
  #

  server_name enter.your.web.hostname.here;
  server_tokens off;

  sendfile on;

  keepalive_timeout 65;

  # maximum file upload size (keep up to date when changing the corresponding site setting)
  client_max_body_size 10m;

  # path to discourse's public directory
  set $public /var/www/discourse/public;

  # Prevent Internet Explorer 10 "compatibility mode", which breaks Discourse.
  # If other subdomains under your domain are supposed to use Internet Explorer Compatibility mode,
  # it may be used for this one too, unless you explicitly tell IE not to use it.  Alternatively,
  # some people have reported having compatibility mode "stuck" on for some reason.
  # (This will also prevent compatibility mode in IE 8 and 9, but those browsers aren't supported anyway.
  add_header X-UA-Compatible "IE=edge";

  # without weak etags we get zero benefit from etags on dynamically compressed content
  # further more etags are based on the file in nginx not sha of data
  # use dates, it solves the problem fine even cross server
  etag off;

  # prevent direct download of backups
  location ^~ /backups/ {
    internal;
  }

  location / {
    root $public;
    add_header ETag "";

    location ~* \.(eot|ttf|woff|woff2|ico)$ {
      expires 1y;
      add_header Cache-Control public;
      add_header Access-Control-Allow-Origin *;
     }

    location ~ ^/assets/ {
      expires 1y;
      # asset pipeline enables this
      gzip_static on;
      add_header Cache-Control public;
      # TODO I don't think this break is needed, it just breaks out of rewrite
      break;
    }

    location ~ ^/plugins/ {
      expires 1y;
      add_header Cache-Control public;
    }

    # cache emojis
    location ~ /_?emoji/ {
      expires 1y;
      add_header Cache-Control public;
    }

    location ~ ^/uploads/ {

      # NOTE: it is really annoying that we can't just define headers
      # at the top level and inherit.
      #
      # proxy_set_header DOES NOT inherit, by design, we must repeat it,
      # otherwise headers are not set correctly
#
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $thescheme;
      proxy_set_header X-Sendfile-Type X-Accel-Redirect;
      proxy_set_header X-Accel-Mapping $public/=/downloads/;
      expires 1y;
      add_header Cache-Control public;

      ## optional upload anti-hotlinking rules
      #valid_referers none blocked mysite.com *.mysite.com;
      #if ($invalid_referer) { return 403; }

      # custom CSS
      location ~ /stylesheet-cache/ {
          try_files $uri =404;
      }
      # this allows us to bypass rails
      location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff)$ {
          try_files $uri =404;
      }
      # thumbnails & optimized images
      location ~ /_optimized/ {
          try_files $uri =404;
      }

      proxy_pass http://discourse;
      break;
    }

    location ~ ^/admin/backups/ {
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $thescheme;
      proxy_set_header X-Sendfile-Type X-Accel-Redirect;
      proxy_set_header X-Accel-Mapping $public/=/downloads/;
      proxy_pass http://discourse;
      break;
    }

    # This big block is needed so we can selectively enable
    # acceleration for backups and avatars
    # see note about repetition above
    location ~ ^/(letter_avatar|user_avatar|highlight-js) {
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $thescheme;
      # note x-accel-redirect can not be used with proxy_cache
      proxy_cache one;
      proxy_cache_valid any 1m;
      proxy_cache_valid 200 301 302 7d;
      proxy_pass http://discourse;
      break;
    }

    # this means every file in public is tried first
    try_files $uri @discourse;
  }

  location /downloads/ {
    internal;
    alias $public/;
  }

  location @discourse {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $thescheme;
    proxy_pass http://discourse;
  }

}
Add section for additional MIME in nginx 2013-08-13 14:00:20 -04:00			`# Additional MIME types that you'd like nginx to handle go in here`
			`types {`
Hide version of the web server 2014-05-14 01:08:29 -04:00			`text/csv csv;`
Add section for additional MIME in nginx 2013-08-13 14:00:20 -04:00			`}`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`upstream discourse {`
Update documentation * Change recommendation for install path to /var/www/discourse * Fix instructions for redis-server installation * Set yourself as system user during install * Clarify some instructions 2013-08-07 00:06:40 -04:00			`server unix:/var/www/discourse/tmp/sockets/thin.0.sock;`
			`server unix:/var/www/discourse/tmp/sockets/thin.1.sock;`
			`server unix:/var/www/discourse/tmp/sockets/thin.2.sock;`
			`server unix:/var/www/discourse/tmp/sockets/thin.3.sock;`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`}`

FIX: cache avatars in NGINX 2014-07-14 20:30:27 -04:00			`proxy_cache_path /var/nginx/cache keys_zone=one:10m max_size=200m;`

Locate the Puma config file. 2013-11-17 23:53:36 -05:00			`# If you are going to use Puma, use these:`
			`#`
			`# upstream discourse {`
Fix Puma socket name As mentioned in https://github.com/discourse/discourse/commit/f784a188c69ddfa329ec882cbfab9b216256d5fb#commitcomment-5277066 2014-05-07 21:58:49 -04:00			`# server unix:/var/www/discourse/tmp/sockets/puma.sock;`
Locate the Puma config file. 2013-11-17 23:53:36 -05:00			`# }`

correct nginx rule forwarding header 2014-01-09 00:39:30 -05:00
			`# attempt to preserve the proto, must be in http context`
			`map $http_x_forwarded_proto $thescheme {`
			`default $scheme;`
			`https https;`
			`}`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`server {`

			`listen 80;`
			`gzip on;`
FIX: add vary encoding to gzip responses this ensures CDNs work correctly see: http://blog.maxcdn.com/accept-encoding-its-vary-important/ 2014-10-22 20:05:42 -04:00			`gzip_vary on;`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`gzip_min_length 1000;`
FIX: serve statically compressed files when available PERF: default gzip to level 5 2014-07-08 02:45:18 -04:00			`gzip_comp_level 5;`
BUGFIX: re-enable CDN js debugging in a robust way May be disabled if needed via site setting 2014-05-18 18:46:09 -04:00			`gzip_types application/json text/css application/x-javascript application/javascript;`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
add commented out SSL section to nginx config 2015-01-17 04:26:21 -05:00			`# Uncomment and configure this section for HTTPS support`
			`# NOTE: Put your ssl cert in your main nginx config directory (/etc/nginx)`
			`#`
			`# rewrite ^/(.*) https://enter.your.web.hostname.here/$1 permanent;`
			`#`
			`# listen 443 ssl;`
			`# ssl_certificate your-hostname-cert.pem;`
			`# ssl_certificate_key your-hostname-cert.key;`
			`# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`
			`# ssl_ciphers HIGH:!aNULL:!MD5;`
			`#`

documentation: merge & adapt suggestions from baus 2013-05-29 00:07:26 -04:00			`server_name enter.your.web.hostname.here;`
Hide version of the web server 2014-05-14 01:08:29 -04:00			`server_tokens off;`
Add X-Forwarded-Proto to nginx config to support SSL. Fixes #293 2013-02-28 11:24:03 -05:00
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`sendfile on;`

			`keepalive_timeout 65;`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00
			`# maximum file upload size (keep up to date when changing the corresponding site setting)`
FEATURE: raise min body size to 10m 2015-02-22 18:50:09 -05:00			`client_max_body_size 10m;`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`# path to discourse's public directory`
			`set $public /var/www/discourse/public;`

Prevent IE Compatibility Mode As discussed at https://meta.discourse.org/t/ie10-user-is-getting-your-browser-is-too-old/15289 2014-05-07 22:16:20 -04:00			`# Prevent Internet Explorer 10 "compatibility mode", which breaks Discourse.`
FEATURE: get window.onerror working for CDNs 2014-05-14 22:59:26 -04:00			`# If other subdomains under your domain are supposed to use Internet Explorer Compatibility mode,`
Prevent IE Compatibility Mode As discussed at https://meta.discourse.org/t/ie10-user-is-getting-your-browser-is-too-old/15289 2014-05-07 22:16:20 -04:00			`# it may be used for this one too, unless you explicitly tell IE not to use it. Alternatively,`
			`# some people have reported having compatibility mode "stuck" on for some reason.`
			`# (This will also prevent compatibility mode in IE 8 and 9, but those browsers aren't supported anyway.`
			`add_header X-UA-Compatible "IE=edge";`

FIX: properly support sendfile on all routes FIX: disable unused etags 2014-07-10 01:18:31 -04:00			`# without weak etags we get zero benefit from etags on dynamically compressed content`
			`# further more etags are based on the file in nginx not sha of data`
			`# use dates, it solves the problem fine even cross server`
			`etag off;`
FIX: cache all public resources registered by plugins. Plugins are responsible for expiry 2014-12-08 22:49:02 -05:00
SECURITY: prevent direct download of backups 2014-12-03 06:47:28 -05:00			`# prevent direct download of backups`
			`location ^~ /backups/ {`
			`internal;`
			`}`
FIX: properly support sendfile on all routes FIX: disable unused etags 2014-07-10 01:18:31 -04:00
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`location / {`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`root $public;`
FIX: properly support sendfile on all routes FIX: disable unused etags 2014-07-10 01:18:31 -04:00			`add_header ETag "";`
BUGFIX: attempt to forward on the protocol set by haproxy 2014-01-08 20:36:42 -05:00
FIX: add CORS header for .woff2 2015-03-27 08:30:18 -04:00			`location ~* \.(eot\|ttf\|woff\|woff2\|ico)$ {`
update NGINX sample to allow admin to download backups 2014-02-12 23:36:51 -05:00			`expires 1y;`
			`add_header Cache-Control public;`
			`add_header Access-Control-Allow-Origin *;`
			`}`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00
			`location ~ ^/assets/ {`
			`expires 1y;`
FIX: properly support sendfile on all routes FIX: disable unused etags 2014-07-10 01:18:31 -04:00			`# asset pipeline enables this`
FIX: serve statically compressed files when available PERF: default gzip to level 5 2014-07-08 02:45:18 -04:00			`gzip_static on;`
update NGINX sample to allow admin to download backups 2014-02-12 23:36:51 -05:00			`add_header Cache-Control public;`
FIX: cache all public resources registered by plugins. Plugins are responsible for expiry 2014-12-08 22:49:02 -05:00			`# TODO I don't think this break is needed, it just breaks out of rewrite`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`break;`
FIX: avatars in quotes/oneboxes Avatars in quotes/oneboxes are still pointing to the old `/users/:username/avatar(/:size)` route. So, this adds back the old avatar route for the transition period. 2013-08-14 06:20:05 -04:00			`}`

FIX: cache all public resources registered by plugins. Plugins are responsible for expiry 2014-12-08 22:49:02 -05:00			`location ~ ^/plugins/ {`
			`expires 1y;`
			`add_header Cache-Control public;`
			`}`
add commented out SSL section to nginx config 2015-01-17 04:26:21 -05:00
FIX: cache emojis for 1 year 2014-12-28 05:10:03 -05:00			`# cache emojis`
			`location ~ /_?emoji/ {`
			`expires 1y;`
			`add_header Cache-Control public;`
			`}`
FIX: cache all public resources registered by plugins. Plugins are responsible for expiry 2014-12-08 22:49:02 -05:00
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`location ~ ^/uploads/ {`
FIX: multisite uploads broken 2014-07-14 00:26:25 -04:00
			`# NOTE: it is really annoying that we can't just define headers`
			`# at the top level and inherit.`
			`#`
			`# proxy_set_header DOES NOT inherit, by design, we must repeat it,`
			`# otherwise headers are not set correctly`
			`#`
			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $thescheme;`
FIX: pretending to support too many accelerated files This broke sidekiq web (sidekiq serves resources out of /vendor/ path) 2014-07-11 04:47:55 -04:00			`proxy_set_header X-Sendfile-Type X-Accel-Redirect;`
			`proxy_set_header X-Accel-Mapping $public/=/downloads/;`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`expires 1y;`
update NGINX sample to allow admin to download backups 2014-02-12 23:36:51 -05:00			`add_header Cache-Control public;`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`## optional upload anti-hotlinking rules`
			`#valid_referers none blocked mysite.com *.mysite.com;`
update NGINX sample to allow admin to download backups 2014-02-12 23:36:51 -05:00			`#if ($invalid_referer) { return 403; }`
Add X-Forwarded-Proto to nginx config to support SSL. Fixes #293 2013-02-28 11:24:03 -05:00
Update nginx.config.sample to allow custom CSS cf. http://meta.discourse.org/t/changing-css-in-customize-section-has-no-effect/10036 2013-10-01 11:52:04 -04:00			`# custom CSS`
Hide version of the web server 2014-05-14 01:08:29 -04:00			`location ~ /stylesheet-cache/ {`
			`try_files $uri =404;`
			`}`
FIX: multisite uploads broken 2014-07-14 00:26:25 -04:00			`# this allows us to bypass rails`
Hide version of the web server 2014-05-14 01:08:29 -04:00			`location ~* \.(gif\|png\|jpg\|jpeg\|bmp\|tif\|tiff)$ {`
			`try_files $uri =404;`
			`}`
Update nginx.config.sample to allow custom CSS cf. http://meta.discourse.org/t/changing-css-in-customize-section-has-no-effect/10036 2013-10-01 11:52:04 -04:00			`# thumbnails & optimized images`
Hide version of the web server 2014-05-14 01:08:29 -04:00			`location ~ /_optimized/ {`
			`try_files $uri =404;`
			`}`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
			`proxy_pass http://discourse;`
			`break;`
			`}`
Add X-Forwarded-Proto to nginx config to support SSL. Fixes #293 2013-02-28 11:24:03 -05:00
FIX: backups not using x accl redirect 2014-09-24 02:51:14 -04:00			`location ~ ^/admin/backups/ {`
FIX: cache avatars in NGINX 2014-07-14 20:30:27 -04:00			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $thescheme;`
			`proxy_set_header X-Sendfile-Type X-Accel-Redirect;`
			`proxy_set_header X-Accel-Mapping $public/=/downloads/;`
			`proxy_pass http://discourse;`
			`break;`
			`}`

FIX: multisite uploads broken 2014-07-14 00:26:25 -04:00			`# This big block is needed so we can selectively enable`
			`# acceleration for backups and avatars`
			`# see note about repetition above`
FEATURE: Allow selection of highlight js languages PERF: stop loading highlight js on load To get latest highlight js run bin/rake highlightjs:update 2015-03-13 01:15:13 -04:00			`location ~ ^/(letter_avatar\|user_avatar\|highlight-js) {`
FIX: multisite uploads broken 2014-07-14 00:26:25 -04:00			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $thescheme;`
FIX: cache avatars in NGINX 2014-07-14 20:30:27 -04:00			`# note x-accel-redirect can not be used with proxy_cache`
			`proxy_cache one;`
			`proxy_cache_valid any 1m;`
			`proxy_cache_valid 200 301 302 7d;`
update NGINX sample to allow admin to download backups 2014-02-12 23:36:51 -05:00			`proxy_pass http://discourse;`
			`break;`
			`}`

FIX: multisite uploads broken 2014-07-14 00:26:25 -04:00			`# this means every file in public is tried first`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`try_files $uri @discourse;`
			`}`

			`location /downloads/ {`
			`internal;`
			`alias $public/;`
			`}`

			`location @discourse {`
BUGFIX: proxy_set_header is weird in particular no inheritance IF proxy_set_header is specified in child 2014-03-25 02:06:15 -04:00			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $thescheme;`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`proxy_pass http://discourse;`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`}`

			`}`