Commit Graph

135 Commits

Author SHA1 Message Date
David Taylor b6002881e7
FIX: Simplify nginx config change (#30383)
The security fix in 15b43a2 also introduced some unrelated refactoring to the file, which seems to be causing issues in some environments. This commit reverts the refactoring, and applies the security fix to each block individually.
2024-12-19 19:10:00 +00:00
Nat 15b43a205b SECURITY: Scrub headers to prevent access to files via nginx 2024-12-19 13:13:20 -03:00
David Taylor a254577688
PERF: Cache public extra-locales requests in nginx (#30340)
extra-locales bundles have unique digests in their URLs, and include an indefinite cache-control header. Therefore we should include them in the heavily-cached group of URLs in NGINX.
2024-12-18 13:59:27 +00:00
Alan Guo Xiang Tan c70816611f
DEV: Allow webp images to be served directly by nginx (#30050)
This fixes a typo that was introduced in baa5389a23
2024-12-03 06:26:13 +08:00
Alan Guo Xiang Tan d7a46e1702
DEV: Remove unused lines (#28940)
We don't support puma at all
2024-09-17 15:46:01 +10:00
Rafael dos Santos Silva baa5389a23
FEATURE: Add support for AVIF images (#21680) 2023-05-24 16:13:36 -03:00
David Taylor 584a6e3552
FIX: Update nginx config for v1.23 (#19651)
NGINX v1.23 concatenates duplicate headers into a single comma-separated string. We were doing an equality check on `x-forwarded-proto`. If the request includes multiple `x-forwarded-proto` headers then this check would fail under NGINX v1.23, and our config assumed an `http` connection.

This commit updates the config to check for `https` at the end of the header, thereby restoring the old behavior when multiple `x-forwarded-proto` request headers are sent.
2022-12-30 12:35:26 +00:00
David Taylor 4e0f5eac42
FIX: Increase NGINX request header buffer (#18758)
This allows a large volume of cookies in request headers. Discourse itself tries to minimise cookie size, but we cannot control other cookies set by other tools on the same domain.
2022-11-07 12:11:06 -03:00
Rafael dos Santos Silva 4d525a70be
DEV: Increase nginx proxy buffer size (#18530)
* DEV: Increase nginx proxy buffer size

This is needed so we can reland the patch to move our asset preloading
from link tags in the response document to response headers.
2022-10-11 11:33:07 -03:00
Martin Brennan 8ebd5edd1e
DEV: Rename secure_media to secure_uploads (#18376)
This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality.

This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site.

Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing.

This also keeps compatibility with the `secure-media-uploads` path, and changes new
secure URLs to be `secure-uploads`.

Deprecated settings:

* secure_media -> secure_uploads
* secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails
* secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-29 09:24:33 +10:00
Roman Rizzi 7b1ff41716
SECURITY: Do not cache error responses for static assets (#17693) 2022-07-27 16:41:44 -03:00
Rafael dos Santos Silva fa4a462517
FEATURE: Optimize images before upload (#13432)
Integrates [mozJPEG](https://github.com/mozilla/mozjpeg) and [Resize](https://github.com/PistonDevelopers/resize) using WebAssembly to optimize user uploads in the composer on the client-side.

NPM libraries are sourced from our [Squoosh fork](https://github.com/discourse/squoosh/tree/discourse), which was needed because we have an older asset pipeline.
2021-06-23 12:31:12 -03:00
Rafael dos Santos Silva 9118bb2076
FEATURE: Normalize the service worker route (#12343)
Re-lands the change initially proposed on #8359 but without a new nginx
location block, so it has less change surface.

Co-authored-by: Jeff Wong <awole20@gmail.com>

Co-authored-by: Jeff Wong <awole20@gmail.com>
2021-05-25 19:39:31 -03:00
Josh Soref 59097b207f
DEV: Correct typos and spelling mistakes (#12812)
Over the years we accrued many spelling mistakes in the code base. 

This PR attempts to fix spelling mistakes and typos in all areas of the code that are extremely safe to change 

- comments
- test descriptions
- other low risk areas
2021-05-21 11:43:47 +10:00
Vinoth Kannan 437c348598
DEV: add CORS header for all nginx rules of public folder files. (#12205)
* DEV: add CORS header for all nginx rules of public folder files.

This reverts commit d628c65af0 and adding CORS header in two more places individually.
2021-02-25 02:57:37 +05:30
Vinoth Kannan d628c65af0
DEV: add CORS header for all files served from public folder. (#12119)
It's required when we enable cors mod in service worker.
2021-02-18 08:41:13 +05:30
Vinoth Kannan cc1c4265c1
DEV: add allow origin header to public javascript files. (#12059) 2021-02-12 19:37:57 +05:30
David Taylor 60515547bc
DEV: Use $upstream for logging performance headers in NGINX (#11856)
This ensures that the logs will still work, even if the headers are
hidden with `proxy_hide_header`
2021-01-26 21:03:20 +00:00
David Taylor 67db5e97f8
FEATURE: Add extra response headers to nginx log format (#11840)
These headers are useful for debugging and performance analysis
2021-01-26 11:32:43 +00:00
Penar Musaraj fb57fe7e36
FIX: Allow .otf fonts to be delivered via cdn (#10787)
The discourse-fonts package includes NotoSansJP (bold and regular), but
it is an OTF font, and it results in 404s in CDN requests.
2020-09-30 11:59:46 -04:00
Sam Saffron f5051ec833
FIX: Allow fonts to be delivered via CDN
We introduced support for custom fonts which are shipped out of the `/fonts`
directory, however we did not provide a bypass in our NGINX config.
2020-09-02 10:19:19 +10:00
Martin Brennan 31e31ef449
SECURITY: Add content-disposition: attachment for SVG uploads
* strip out the href and xlink:href attributes from use element that
  are _not_ anchors in svgs which can be used for XSS
* adding the content-disposition: attachment ensures that
  uploaded SVGs cannot be opened and executed using the XSS exploit.
  svgs embedded using an img tag do not suffer from the same exploit
2020-07-09 13:31:48 +10:00
Patrick Schleizer 2d63d7d05e
make unix domain sockets listening example match web.socketed.template.yml (#10060) 2020-06-18 11:30:08 -04:00
Martin Brennan c994fd1b01
FIX: Serve .ico files without nginx 404 for secure media uploads (#8826)
Add nginx location to handle /secure-media-uploads/ requests .ico files were getting a 404 when being looked for via /secure-media-uploads/. this nginx config addition fixes the issue.
2020-01-31 12:45:02 +10:00
Jeff Wong c6d8dbd4a9 Revert "FEATURE: Normalize the service worker route (#8359)"
This reverts commit 9799a651b6.
2019-11-20 14:10:17 -08:00
Jeff Wong 9799a651b6
FEATURE: Normalize the service worker route (#8359)
* FEATURE: Normalize the service worker route

Update cache headers so they are not immutable outside of the rails app

Add the ability to purge the service worker cache from localhost

Rails -> nginx will pass immutable flags so the file is cached until reloaded.
In most cases, nginx will have its cache flushed on rebuild (new image)

For those needing dynamic re-caching (such as upgrading via the UI),
a rake task for flushing the service worker script is provided
through `assets:flush_sw`
2019-11-20 11:33:41 -08:00
Sam Saffron 1d1dd2a4d4 PERF: cache static assets in NGINX for longer
Previously our cache would expire any asset that was not accessed for 10
minutes. This is way too short and was never intended. All the assets we
are serving are usually very long living assets like avatars and css files

1 day is a reasonable setting here cause it offers far better protection.
I would consider upping this to a week though longer term.

Maximum disk space of cache was increased as well to 600m. Very unlikely to
ever hit this except on very large sites.

Additionally, this places all the cached assets in nested directories, we
never want cached files to be in one giant directory cause it is inefficient
2019-11-07 12:12:24 +11:00
Guo Xiang Tan c920f9d137 FIX: Have nginx always pass `/uploads/short-url` requests to app.
Follow up to f0620e7118
2019-05-29 18:19:15 +08:00
Sam Saffron be59c1559d FEATURE: enable NGINX brotli support unconditionally
Previously we would rely on enable brotli in the web template to turn this
on, going forward this is default on
2019-04-11 12:41:16 +10:00
David Taylor f04471e422 REFACTOR: Proxy letter avatars in rails instead of nginx
Co-authored-by: Sam Saffron <sam.saffron@gmail.com>
Co-authored-by: David Taylor <david@taylorhq.com>

This gives more control over the request. In particular we can easily
lookup DNS dynamically, instead of only upon NGINX startup.
Previously, NGINX was looking up IP for the letter avatar service and
caching the CDN IP address, this caused issues if CDN changed IP, in
which letter avatars would be broken till a container restarted.

NGINX config has been updated to add caching. This change will require
a container rebuild.

The proxy will now function in development environments, so the patch
for `letter_avatar_proxy` has been removed.
2019-02-18 08:46:56 +11:00
David Taylor 56820a5fa5
PERF: Add text/javascript to NGINX gzip_types 2019-02-07 23:47:42 +00:00
Sam 1824ac9d39 PERF: cache path for svg-sprite in upcoming FA5
We need to make sure NGINX caches all paths for SVG assets,
this ensures only the first request for an svg sprite ever hits the app
2018-11-19 10:34:16 +11:00
Andrew Schleifer 581016c31f Revert "strip X-Forwarded-Host in sample"
This broke brotli_assets on a site, more testing needed.

This reverts commit 118abfad0f.
2018-11-14 12:05:21 -06:00
Andrew Schleifer 118abfad0f strip X-Forwarded-Host in sample 2018-11-13 12:44:32 -06:00
Sam Saffron 64aca0dc1b FIX: remove duplicate referrer policy
Rails already ships with strict-origin-when-cross-origin, no need
to also add no-referrer-when-downgrade

see: https://meta.discourse.org/t/harden-referrer-policy-header/100172
2018-10-24 08:38:39 +11:00
Kyle Zhao 99d1ded3b3
rename route `/javascripts` to `/theme-javascripts` (#6495) 2018-10-15 11:32:52 -04:00
Sam abf0b1c5bd correct multisite bleed in proxy cache 2018-04-11 11:02:16 +10:00
Sam da6c268e56 FEATURE: add request start time so we can track queueing 2018-03-26 16:29:20 +11:00
Guo Xiang Tan d601a6b23c FIX: Support old Service Worker source file path to avoid routing errors. 2018-02-19 08:04:45 +08:00
Guo Xiang Tan 28365f8ae5 PERF: Have nginx cache and serve the service worker file. 2018-02-15 10:50:39 +08:00
Michael Brown bec3f124dd nginx sample config: also add A-C-A-O header to font files in uploads or plugins path 2018-01-18 16:41:16 -05:00
Sam 18a929d801 PERF: enable gzip on proxied requests 2018-01-09 13:28:05 +11:00
Sam 6e70065291 PERF: add some minimal caching to javascripts folder 2018-01-09 12:38:15 +11:00
Sam 394abbe26b bump up proxy buffer size 2017-12-11 09:29:47 +11:00
Robin Ward 173aa69905 Enable compression for SVG files 2017-08-01 17:25:25 -04:00
Sam e9e97f5bcf simplify emoji cache rule 2017-07-20 18:22:59 -04:00
Sam 89f34eb62b attempt to cache all emojis 2017-07-20 17:47:16 -04:00
Matt Palmer c3ca281ea7 Merge pull request #4943 from mpalmer/log-http-host
Include HTTP Host header in nginx logs
2017-06-30 15:16:53 +10:00
Rafael dos Santos Silva 97b6d8664b FIX: Move Referrer Policy header to right location 2017-06-28 14:39:54 -03:00
Rafael dos Santos Silva 095a131163 FEATURE: Add default Referrer Policy header 2017-06-28 02:25:41 -03:00