SECURITY: Scrub headers to prevent access to files via nginx

Nat 2024-11-29 11:08:33 +08:00 committed by =
parent 95564a3df2
commit 15b43a205b
1 changed files with 19 additions and 38 deletions


@ -99,22 +99,23 @@ server {
# auth_basic on; # auth_basic on;
# auth_basic_user_file /etc/nginx/htpasswd; # auth_basic_user_file /etc/nginx/htpasswd;
# proxy_set_header directives are inherited from the previous configuration
# level if and only if there are no proxy_set_header directives defined on
# the current level.
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_set_header X-Sendfile-Type "";
proxy_set_header X-Accel-Mapping "";
location ~ ^/uploads/short-url/ { location ~ ^/uploads/short-url/ {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_pass http://discourse; proxy_pass http://discourse;
break; break;
} }
location ~ ^/(secure-media-uploads/|secure-uploads)/ { location ~ ^/(secure-media-uploads/|secure-uploads)/ {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_pass http://discourse; proxy_pass http://discourse;
break; break;
} }
@ -128,11 +129,6 @@ server {
location = /srv/status { location = /srv/status {
access_log off; access_log off;
log_not_found off; log_not_found off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_pass http://discourse; proxy_pass http://discourse;
break; break;
} }
@ -170,12 +166,9 @@ server {
} }
location ~ ^/uploads/ { location ~ ^/uploads/ {
# proxy_set_header directives are inherited from the previous configuration
# NOTE: it is really annoying that we can't just define headers # level if and only if there are no proxy_set_header directives defined on
# at the top level and inherit. # the current level.
#
# proxy_set_header DOES NOT inherit, by design, we must repeat it,
# otherwise headers are not set correctly
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}"; proxy_set_header X-Request-Start "t=${msec}";
@ -183,6 +176,7 @@ server {
proxy_set_header X-Forwarded-Proto $thescheme; proxy_set_header X-Forwarded-Proto $thescheme;
proxy_set_header X-Sendfile-Type X-Accel-Redirect; proxy_set_header X-Sendfile-Type X-Accel-Redirect;
proxy_set_header X-Accel-Mapping $public/=/downloads/; proxy_set_header X-Accel-Mapping $public/=/downloads/;
expires 1y; expires 1y;
add_header Cache-Control public,immutable; add_header Cache-Control public,immutable;
@ -214,6 +208,9 @@ server {
} }
location ~ ^/admin/backups/ { location ~ ^/admin/backups/ {
# proxy_set_header directives are inherited from the previous configuration
# level if and only if there are no proxy_set_header directives defined on
# the current level.
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}"; proxy_set_header X-Request-Start "t=${msec}";
@ -221,6 +218,7 @@ server {
proxy_set_header X-Forwarded-Proto $thescheme; proxy_set_header X-Forwarded-Proto $thescheme;
proxy_set_header X-Sendfile-Type X-Accel-Redirect; proxy_set_header X-Sendfile-Type X-Accel-Redirect;
proxy_set_header X-Accel-Mapping $public/=/downloads/; proxy_set_header X-Accel-Mapping $public/=/downloads/;
proxy_pass http://discourse; proxy_pass http://discourse;
break; break;
} }
@ -229,12 +227,6 @@ server {
# acceleration for backups, avatars, sprites and so on. # acceleration for backups, avatars, sprites and so on.
# see note about repetition above # see note about repetition above
location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker|extra-locales/(mf|overrides)) { location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker|extra-locales/(mf|overrides)) {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
# if Set-Cookie is in the response nothing gets cached # if Set-Cookie is in the response nothing gets cached
# this is double bad cause we are not passing last modified in # this is double bad cause we are not passing last modified in
proxy_ignore_headers "Set-Cookie"; proxy_ignore_headers "Set-Cookie";
@ -253,11 +245,6 @@ server {
# we need buffering off for message bus # we need buffering off for message bus
location /message-bus/ { location /message-bus/ {
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_buffering off; proxy_buffering off;
proxy_pass http://discourse; proxy_pass http://discourse;
@ -274,12 +261,6 @@ server {
} }
location @discourse { location @discourse {
proxy_set_header Host $http_host;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_pass http://discourse; proxy_pass http://discourse;
} }
} }
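Review bot: The server-level `proxy_set_header X-Sendfile-Type ""` / `proxy_set_header X-Accel-Mapping ""` scrub added just above `location ~ ^/uploads/short-url/` only protects a location while that location inherits, and nginx drops the whole inherited set the moment a location declares any proxy_set_header of its own; `/uploads/` and `/admin/backups/` repeat the two headers explicitly, but a later addition such as `proxy_set_header Connection "";` in `/message-bus/` or `@discourse` would silently hand the client's X-Sendfile-Type/X-Accel-Mapping through to the app again. I would say that in the new comment instead of only restating the inheritance rule, e.g. `# SECURITY: a location that declares ANY proxy_set_header of its own loses this scrub and MUST repeat the X-Sendfile-Type "" / X-Accel-Mapping "" lines.` A second caveat worth recording next to it: the empty value suppresses only that exact header name, and an underscored variant like `X_Sendfile_Type` (which Rack would presumably normalize to the same HTTP_X_SENDFILE_TYPE key) is kept out solely by nginx's default `ignore_invalid_headers on`, so `underscores_in_headers on` must never be enabled for this server. The enclosing `server {` block begins above the first hunk, so headers set at an even higher level are not visible here.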