Commit Graph

119 Commits

Author SHA1 Message Date
Vinoth Kannan cc1c4265c1
DEV: add allow origin header to public javascript files. (#12059) 2021-02-12 19:37:57 +05:30
David Taylor 60515547bc
DEV: Use $upstream for logging performance headers in NGINX (#11856)
This ensures that the logs will still work, even if the headers are
hidden with `proxy_hide_header`
2021-01-26 21:03:20 +00:00
David Taylor 67db5e97f8
FEATURE: Add extra response headers to nginx log format (#11840)
These headers are useful for debugging and performance analysis
2021-01-26 11:32:43 +00:00
Penar Musaraj fb57fe7e36
FIX: Allow .otf fonts to be delivered via cdn (#10787)
The discourse-fonts package includes NotoSansJP (bold and regular), but
it is an OTF font, and it results in 404s in CDN requests.
2020-09-30 11:59:46 -04:00
Sam Saffron f5051ec833
FIX: Allow fonts to be delivered via CDN
We introduced support for custom fonts which are shipped out of the `/fonts`
directory, however we did not provide a bypass in our NGINX config.
2020-09-02 10:19:19 +10:00
Martin Brennan 31e31ef449
SECURITY: Add content-disposition: attachment for SVG uploads
* strip out the href and xlink:href attributes from use element that
  are _not_ anchors in svgs which can be used for XSS
* adding the content-disposition: attachment ensures that
  uploaded SVGs cannot be opened and executed using the XSS exploit.
  svgs embedded using an img tag do not suffer from the same exploit
2020-07-09 13:31:48 +10:00
Patrick Schleizer 2d63d7d05e
make unix domain sockets listening example match web.socketed.template.yml (#10060) 2020-06-18 11:30:08 -04:00
Martin Brennan c994fd1b01
FIX: Serve .ico files without nginx 404 for secure media uploads (#8826)
Add nginx location to handle /secure-media-uploads/ requests .ico files were getting a 404 when being looked for via /secure-media-uploads/. this nginx config addition fixes the issue.
2020-01-31 12:45:02 +10:00
Jeff Wong c6d8dbd4a9 Revert "FEATURE: Normalize the service worker route (#8359)"
This reverts commit 9799a651b6.
2019-11-20 14:10:17 -08:00
Jeff Wong 9799a651b6
FEATURE: Normalize the service worker route (#8359)
* FEATURE: Normalize the service worker route

Update cache headers so they are not immutable outside of the rails app

Add the ability to purge the service worker cache from localhost

Rails -> nginx will pass immutable flags so the file is cached until reloaded.
In most cases, nginx will have its cache flushed on rebuild (new image)

For those needing dynamic re-caching (such as upgrading via the UI),
a rake task for flushing the service worker script is provided
through `assets:flush_sw`
2019-11-20 11:33:41 -08:00
Sam Saffron 1d1dd2a4d4 PERF: cache static assets in NGINX for longer
Previously our cache would expire any asset that was not accessed for 10
minutes. This is way too short and was never intended. All the assets we
are serving are usually very long living assets like avatars and css files

1 day is a reasonable setting here cause it offers far better protection.
I would consider upping this to a week though longer term.

Maximum disk space of cache was increased as well to 600m. Very unlikely to
ever hit this except on very large sites.

Additionally, this places all the cached assets in nested directories, we
never want cached files to be in one giant directory cause it is inefficient
2019-11-07 12:12:24 +11:00
Guo Xiang Tan c920f9d137 FIX: Have nginx always pass `/uploads/short-url` requests to app.
Follow up to f0620e7118
2019-05-29 18:19:15 +08:00
Sam Saffron be59c1559d FEATURE: enable NGINX brotli support unconditionally
Previously we would rely on enable brotli in the web template to turn this
on, going forward this is default on
2019-04-11 12:41:16 +10:00
David Taylor f04471e422 REFACTOR: Proxy letter avatars in rails instead of nginx
Co-authored-by: Sam Saffron <sam.saffron@gmail.com>
Co-authored-by: David Taylor <david@taylorhq.com>

This gives more control over the request. In particular we can easily
lookup DNS dynamically, instead of only upon NGINX startup.
Previously, NGINX was looking up IP for the letter avatar service and
caching the CDN IP address, this caused issues if CDN changed IP, in
which letter avatars would be broken till a container restarted.

NGINX config has been updated to add caching. This change will require
a container rebuild.

The proxy will now function in development environments, so the patch
for `letter_avatar_proxy` has been removed.
2019-02-18 08:46:56 +11:00
David Taylor 56820a5fa5
PERF: Add text/javascript to NGINX gzip_types 2019-02-07 23:47:42 +00:00
Sam 1824ac9d39 PERF: cache path for svg-sprite in upcoming FA5
We need to make sure NGINX caches all paths for SVG assets,
this ensures only the first request for an svg sprite ever hits the app
2018-11-19 10:34:16 +11:00
Andrew Schleifer 581016c31f Revert "strip X-Forwarded-Host in sample"
This broke brotli_assets on a site, more testing needed.

This reverts commit 118abfad0f.
2018-11-14 12:05:21 -06:00
Andrew Schleifer 118abfad0f strip X-Forwarded-Host in sample 2018-11-13 12:44:32 -06:00
Sam Saffron 64aca0dc1b FIX: remove duplicate referrer policy
Rails already ships with strict-origin-when-cross-origin, no need
to also add no-referrer-when-downgrade

see: https://meta.discourse.org/t/harden-referrer-policy-header/100172
2018-10-24 08:38:39 +11:00
Kyle Zhao 99d1ded3b3
rename route `/javascripts` to `/theme-javascripts` (#6495) 2018-10-15 11:32:52 -04:00
Sam abf0b1c5bd correct multisite bleed in proxy cache 2018-04-11 11:02:16 +10:00
Sam da6c268e56 FEATURE: add request start time so we can track queueing 2018-03-26 16:29:20 +11:00
Guo Xiang Tan d601a6b23c FIX: Support old Service Worker source file path to avoid routing errors. 2018-02-19 08:04:45 +08:00
Guo Xiang Tan 28365f8ae5 PERF: Have nginx cache and serve the service worker file. 2018-02-15 10:50:39 +08:00
Michael Brown bec3f124dd nginx sample config: also add A-C-A-O header to font files in uploads or plugins path 2018-01-18 16:41:16 -05:00
Sam 18a929d801 PERF: enable gzip on proxied requests 2018-01-09 13:28:05 +11:00
Sam 6e70065291 PERF: add some minimal caching to javascripts folder 2018-01-09 12:38:15 +11:00
Sam 394abbe26b bump up proxy buffer size 2017-12-11 09:29:47 +11:00
Robin Ward 173aa69905 Enable compression for SVG files 2017-08-01 17:25:25 -04:00
Sam e9e97f5bcf simplify emoji cache rule 2017-07-20 18:22:59 -04:00
Sam 89f34eb62b attempt to cache all emojis 2017-07-20 17:47:16 -04:00
Matt Palmer c3ca281ea7 Merge pull request #4943 from mpalmer/log-http-host
Include HTTP Host header in nginx logs
2017-06-30 15:16:53 +10:00
Rafael dos Santos Silva 97b6d8664b FIX: Move Referrer Policy header to right location 2017-06-28 14:39:54 -03:00
Rafael dos Santos Silva 095a131163 FEATURE: Add default Referrer Policy header 2017-06-28 02:25:41 -03:00
Matt Palmer 90d654c46c Include HTTP Host header in nginx logs
This is crucial in multisite installations, because otherwise the nginx logs
are fairly useless, however it can also be quite handy to know what
hostnames are being sent to your site.  The variable is quoted, because it
is untrusted input (it is taken directly from the HTTP request), but nginx
helpfully escapes the quoting character automagically, so we don't have to
worry about that.

For now, the log analysis plugin *recognises* the new log format
(and continues to recognise the previous format, for backwards
compatibility), but doesn't do anything with the new log entry field.  This
means your multisite performance plugin data is still broken, but it's no
worse than it was before.
2017-06-28 14:41:02 +10:00
Régis Hanol 94a0d43f31 add 'ico' and 'webp' to image extensions list in order to bypass rails 2017-06-22 12:55:27 +02:00
Jeff Atwood 2fd1c49b88 we don't need this IE 10 tag any more, see
http://stackoverflow.com/questions/26346917/why-use-x-ua-compatible-ie-edge-anymore
2017-03-31 00:12:07 -07:00
Sam 2640b4e173 FEATURE: add hook and asset path variable 2017-03-20 12:12:22 -04:00
Sam Saffron ef08462b33 spaces matter 2017-02-23 17:37:53 -05:00
Sam eee22bf037 FEATURE: Add immutable cache for assets that do not update
This will eliminate revalidation of avatars, css, js and uploads on reloads on supporting browsers (at the moment firefox)
2017-02-23 12:24:47 -05:00
Régis Hanol 5e2545a578 FEATURE: improve support for (whitelisted) SVGs as images 2016-06-20 10:22:13 +02:00
Sam ba8aec2bc3 added comment for brotli support 2016-06-07 16:58:36 +10:00
Jeff Atwood 161170aabe Merge pull request #3928 from jamielinux/nginx204
Return 204 instead of 404 for favicon.ico requests
2016-01-30 01:48:22 -08:00
Guo Xiang Tan 9f05361f14 Allow sites to set HTTP basic authentication through nginx. 2016-01-08 12:49:17 +08:00
Sam 268e0f3b2b remove http 1.1 in case it has side effects 2016-01-05 07:54:12 +11:00
Sam b8471177dc clean up config file 2016-01-04 16:13:44 +11:00
Sam Saffron 0e2ded278d Don't buffer message bus, this allows us to stream 2016-01-04 09:56:30 +11:00
Sam Saffron ab5cd3ad3b allow http 1.1 via proxy 2016-01-04 09:52:11 +11:00
Jamie Nguyen eed86e9afc Do not log favicon.ico requests 2015-12-21 12:14:36 +00:00
Jamie Nguyen e8919df110 Return 204 instead of 404 for favicon.ico requests 2015-12-21 12:13:56 +00:00