mirror of
https://github.com/bookwyrm-social/bookwyrm.git
synced 2024-11-28 12:31:12 +00:00
75bc4f8cb0
Instead of allowing all image files anywhere, and disallowing non-image file under /images/, only allow image files under /images/ and don't match non-image files elsewhere. They get proxied to web instead and result in a 404 there. For example, the old config allowed /exports/foo.jpg to be served, while the new config does not.
91 lines
2.5 KiB
Text
91 lines
2.5 KiB
Text
include /etc/nginx/conf.d/server_config;
|
|
|
|
upstream web {
|
|
server web:8000;
|
|
}
|
|
|
|
server {
|
|
access_log /var/log/nginx/access.log cache_log;
|
|
|
|
listen 80;
|
|
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
keepalive_timeout 65;
|
|
types_hash_max_size 2048;
|
|
#include /etc/nginx/mime.types;
|
|
#default_type application/octet-stream;
|
|
|
|
gzip on;
|
|
gzip_disable "msie6";
|
|
|
|
proxy_read_timeout 1800s;
|
|
chunked_transfer_encoding on;
|
|
|
|
# store responses to anonymous users for up to 1 minute
|
|
proxy_cache bookwyrm_cache;
|
|
proxy_cache_valid any 1m;
|
|
add_header X-Cache-Status $upstream_cache_status;
|
|
|
|
# ignore the set cookie header when deciding to
|
|
# store a response in the cache
|
|
proxy_ignore_headers Cache-Control Set-Cookie Expires;
|
|
|
|
# PUT requests always bypass the cache
|
|
# logged in sessions also do not populate the cache
|
|
# to avoid serving personal data to anonymous users
|
|
proxy_cache_methods GET HEAD;
|
|
proxy_no_cache $cookie_sessionid;
|
|
proxy_cache_bypass $cookie_sessionid;
|
|
|
|
# tell the web container the address of the outside client
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header Host $host;
|
|
proxy_redirect off;
|
|
|
|
# rate limit the login or password reset pages
|
|
location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
|
|
limit_req zone=loginlimit;
|
|
proxy_pass http://web;
|
|
}
|
|
|
|
# do not log periodic polling requests from logged in users
|
|
location /api/updates/ {
|
|
access_log off;
|
|
proxy_pass http://web;
|
|
}
|
|
|
|
# forward any cache misses or bypass to the web container
|
|
location / {
|
|
proxy_pass http://web;
|
|
}
|
|
|
|
# directly serve static files from the
|
|
# bookwyrm filesystem using sendfile.
|
|
# make the logs quieter by not reporting these requests
|
|
location /static/ {
|
|
root /app;
|
|
try_files $uri =404;
|
|
add_header X-Cache-Status STATIC;
|
|
access_log off;
|
|
}
|
|
|
|
# same with image files not in static folder
|
|
location /images/ {
|
|
location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
|
|
root /app;
|
|
try_files $uri =404;
|
|
add_header X-Cache-Status STATIC;
|
|
access_log off;
|
|
}
|
|
# block access to any non-image files from images
|
|
return 403;
|
|
}
|
|
|
|
# monitor the celery queues with flower, no caching enabled
|
|
location /flower/ {
|
|
proxy_pass http://flower:8888;
|
|
proxy_cache_bypass 1;
|
|
}
|
|
}
|