authorFelix Golatofski2020-01-06 13:53:50 +0100
committerFelix Golatofski2020-01-06 13:53:50 +0100
commit6591878c3de37d5f6b2f692ca64b62715f7f9252 (patch)
tree9078ad5118ea538ea6e1fde974d2a27a9029dede
parent21c758252a0b78910ca67d1c34031f27770603d4 (diff)
downloadaur-6591878c3de37d5f6b2f692ca64b62715f7f9252.tar.gz
Updated to 2.3.8
-rw-r--r--.SRCINFO40
-rw-r--r--PKGBUILD36
-rw-r--r--nginx-ssl.conf.example142
-rw-r--r--nginx.conf.example323
4 files changed, 280 insertions, 261 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 12f81d2a953b..0ccc4b6c9d94 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,17 +1,15 @@
-# Generated by mksrcinfo v8
-# Thu Jan 7 15:31:08 UTC 2016
pkgbase = discourse
pkgdesc = A simple, flat forum, where replies flow down the page in a line
- pkgver = 1.4.3
+ pkgver = 2.3.8
pkgrel = 1
url = http://www.discourse.org/
install = discourse.install
arch = i686
arch = x86_64
license = GPL
- makedepends = nodejs-uglify-js
+ makedepends = uglify-js
depends = ruby>=2.0
- depends = ruby-bundler>=1.5.2
+ depends = ruby-bundler>=1.17.3
depends = gmp
depends = libxml2
depends = libxslt
@@ -37,7 +35,7 @@ pkgbase = discourse
optdepends = optipng: needed to do optimizations on stored images
backup = etc/webapps/discourse/unicorn.conf.rb
backup = etc/webapps/discourse/discourse.conf
- source = discourse::git+https://github.com/discourse/discourse.git#tag=v1.4.3
+ source = discourse::git+https://github.com/discourse/discourse.git#tag=v2.3.8
source = discourse-sidekiq.service
source = discourse-unicorn.service
source = discourse-kill.service
@@ -48,25 +46,21 @@ pkgbase = discourse
source = discourse.logrotate
source = unicorn.conf.rb
source = apache.conf.example
- source = apache-ssl.conf.example
source = nginx.conf.example
- source = nginx-ssl.conf.example
source = 0001-Revert-this-quickstart-file-is-confusing-and-not-nee.patch
- sha256sums = SKIP
- sha256sums = 51e2005fe002d42c8f5ffd3e9ccff54a739555c8e121584603c5d7daee255ca8
- sha256sums = ec711a14712cd7419378a92209b9db1af6a26f758f24aeddcf6e73efc763cd9b
- sha256sums = 803c5b71fb350577a0e81c60ad5d511cba0d983046592a5dc8a2f9c726ec2143
- sha256sums = d8fab91c2b15e50db26caa00c034db4703b864e6434846b72225c871e4a3d508
- sha256sums = b512d219056537f7a7b749a10cfb90fb78116d7c6414e0a0bc72c08f1ced3f43
- sha256sums = 0b5110b99f3356d9931ce4991344b1149a2d3be04322043b555b91d8751c7a31
- sha256sums = 71fa450935dea04c30cc5a0eaaa16012ac765445644ca719b7a1d589aad1938f
- sha256sums = 1c57caa7b2dad6b66db724a7db3ff8f156d0291e88cccdfb37d89e3557a7715d
- sha256sums = c76423db80d2f4b39ea5fcd95fd66dfb38de9e9862e8370dfc3a45641e2204ca
- sha256sums = b40c615d8da35fe5a02b914baf5920025ee7167b5d78b47d5905e633934ca11e
- sha256sums = 8056354bac606f66a3667034ff93ffbfce3ec52664e7a809835d5cc45a121c30
- sha256sums = 7d00b5d99777b4843cdc2f8fb9c65beb94375dcaa6351d2c8f6d55161512b3c5
- sha256sums = cd8965f971047ce5cf5c32d4709fe231c392893702db181300b02de86e0f70fb
- sha256sums = 77fc9f233a964fbb3a4952001e575b07772d1939bf2e0872f5161512ceffd62a
+ sha512sums = SKIP
+ sha512sums = fdd4fbdbea672374ec1b10b33d931d9f1faf9a381fda73f58ab120cd2cc338c8fa989717c00aab6daa197650e9b5d7733fc45721b9b4ee01d6bf182e421eaaf3
+ sha512sums = 03bd411af6153f409a36ed8ca1abd7946613aee8b524cf11b44237b51fa239e3d11a6191c0f037ae40aeefc30f67eb6773e8d5610df7237072b1af4cf07f6c2c
+ sha512sums = 26a5fd92a08fdd133217a60f986221e92dca9ae1f9abc783d5f221cd04fb69fa014f90f7b56c7ba54fb46711fb7282408adbeee5706c4af2c3353069353352e9
+ sha512sums = ea819bd625d68452f5222e841f3f9e0aa8b568b8c32c1b43375261f7508c215211d920c4541a91a3acfea11f9b4f8b18b4b6d9071cf3e5ee1569949141560a9c
+ sha512sums = d1004ff9faeeac8f2c53b66e7bed6056e39d37d5e1bdbfe0b36685858ffc3977092185edf4579ae50af2a6cb09f628637487b09c01d50382543691442c38fc3c
+ sha512sums = 65b723be22b6d8656e312791652a77a20503a8d5cdca910f5fffae4e4546d73933cd9f4a900bbf92e9c7c20f59f780fcd1dfe3c3e8b47853e2d265079e0fc72f
+ sha512sums = b2eb1720378684a07e35fcd7036cb9dad495750609d0fee18b4cafbcb78a13218639b6c661421bddb2731a95731cbee3c71f4d27bacac797a54130309d4b6565
+ sha512sums = 179d0f577b06816466206b47e9e2b21befa7010bdc2bd4a1c9116e41111549b058d2613ae94f230b31a9e0122af69ae5216f8ddef8c14fe4df220bc6f2cc8e32
+ sha512sums = 0a1b4d54c497f4be26799234aac3e39660fe55f5808d41c5f056943ebefcc79f7e4146d0aa7d78d90101d5cf11a2aefb59ba25fc0e15c0d33e49bfdd80b65ff3
+ sha512sums = cc47f4c0697cb8a0c29caf0ccca13f7b5216157dc4728f49ae8608d5157a1fecbda92088439520bf61559209d2ba1e9cf4c200edfe87e4310893435d698ce8a5
+ sha512sums = 7f956d84cf732dc8f5e467723d6b08065d8c4f02ac154c6e8adc6caee189bca55b4fb7db1069a2e9d86b3bf9b2b0c905f3ae85480c2372b310accc0604c62956
+ sha512sums = b19f3967ce7f056d7bf0ed6bc853512987a5901fae234b3e682612606670e206aad44fc74909fc5952adcc4730d273f870bb8dea8f4ba2521cc6f9b487231b1a
pkgname = discourse
diff --git a/PKGBUILD b/PKGBUILD
index e7b728134745..6a7f72dd5e60 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,15 +2,15 @@
# Contributor: Tobias Hunger <tobias DOT hunger AT gmail DOT com>
pkgname=discourse
-pkgver=1.4.3
+pkgver=2.3.8
pkgrel=1
pkgdesc="A simple, flat forum, where replies flow down the page in a line"
arch=('i686' 'x86_64')
url="http://www.discourse.org/"
license=('GPL')
-depends=('ruby>=2.0' 'ruby-bundler>=1.5.2' 'gmp' 'libxml2' 'libxslt' 'openssl'
+depends=('ruby>=2.0' 'ruby-bundler>=1.17.3' 'gmp' 'libxml2' 'libxslt' 'openssl'
'krb5' 'libgcrypt' 'libgpg-error' 'postgresql-libs' 'xz' 'zlib')
-makedepends=('nodejs-uglify-js')
+makedepends=('uglify-js')
optdepends=('apache: a webserver to deploy discourse'
'nginx: another webserver to deploy discourse (example configs have to be fixed!)'
'postgresql: database server'
@@ -37,26 +37,22 @@ source=("${pkgname}::git+https://github.com/discourse/discourse.git#tag=v${pkgve
"discourse.logrotate"
"unicorn.conf.rb"
"apache.conf.example"
- "apache-ssl.conf.example"
"nginx.conf.example"
- "nginx-ssl.conf.example"
"0001-Revert-this-quickstart-file-is-confusing-and-not-nee.patch")
install="${pkgname}.install"
-sha256sums=('SKIP'
- '51e2005fe002d42c8f5ffd3e9ccff54a739555c8e121584603c5d7daee255ca8'
- 'ec711a14712cd7419378a92209b9db1af6a26f758f24aeddcf6e73efc763cd9b'
- '803c5b71fb350577a0e81c60ad5d511cba0d983046592a5dc8a2f9c726ec2143'
- 'd8fab91c2b15e50db26caa00c034db4703b864e6434846b72225c871e4a3d508'
- 'b512d219056537f7a7b749a10cfb90fb78116d7c6414e0a0bc72c08f1ced3f43'
- '0b5110b99f3356d9931ce4991344b1149a2d3be04322043b555b91d8751c7a31'
- '71fa450935dea04c30cc5a0eaaa16012ac765445644ca719b7a1d589aad1938f'
- '1c57caa7b2dad6b66db724a7db3ff8f156d0291e88cccdfb37d89e3557a7715d'
- 'c76423db80d2f4b39ea5fcd95fd66dfb38de9e9862e8370dfc3a45641e2204ca'
- 'b40c615d8da35fe5a02b914baf5920025ee7167b5d78b47d5905e633934ca11e'
- '8056354bac606f66a3667034ff93ffbfce3ec52664e7a809835d5cc45a121c30'
- '7d00b5d99777b4843cdc2f8fb9c65beb94375dcaa6351d2c8f6d55161512b3c5'
- 'cd8965f971047ce5cf5c32d4709fe231c392893702db181300b02de86e0f70fb'
- '77fc9f233a964fbb3a4952001e575b07772d1939bf2e0872f5161512ceffd62a')
+sha512sums=('SKIP'
+ 'fdd4fbdbea672374ec1b10b33d931d9f1faf9a381fda73f58ab120cd2cc338c8fa989717c00aab6daa197650e9b5d7733fc45721b9b4ee01d6bf182e421eaaf3'
+ '03bd411af6153f409a36ed8ca1abd7946613aee8b524cf11b44237b51fa239e3d11a6191c0f037ae40aeefc30f67eb6773e8d5610df7237072b1af4cf07f6c2c'
+ '26a5fd92a08fdd133217a60f986221e92dca9ae1f9abc783d5f221cd04fb69fa014f90f7b56c7ba54fb46711fb7282408adbeee5706c4af2c3353069353352e9'
+ 'ea819bd625d68452f5222e841f3f9e0aa8b568b8c32c1b43375261f7508c215211d920c4541a91a3acfea11f9b4f8b18b4b6d9071cf3e5ee1569949141560a9c'
+ 'd1004ff9faeeac8f2c53b66e7bed6056e39d37d5e1bdbfe0b36685858ffc3977092185edf4579ae50af2a6cb09f628637487b09c01d50382543691442c38fc3c'
+ '65b723be22b6d8656e312791652a77a20503a8d5cdca910f5fffae4e4546d73933cd9f4a900bbf92e9c7c20f59f780fcd1dfe3c3e8b47853e2d265079e0fc72f'
+ 'b2eb1720378684a07e35fcd7036cb9dad495750609d0fee18b4cafbcb78a13218639b6c661421bddb2731a95731cbee3c71f4d27bacac797a54130309d4b6565'
+ '179d0f577b06816466206b47e9e2b21befa7010bdc2bd4a1c9116e41111549b058d2613ae94f230b31a9e0122af69ae5216f8ddef8c14fe4df220bc6f2cc8e32'
+ '0a1b4d54c497f4be26799234aac3e39660fe55f5808d41c5f056943ebefcc79f7e4146d0aa7d78d90101d5cf11a2aefb59ba25fc0e15c0d33e49bfdd80b65ff3'
+ 'cc47f4c0697cb8a0c29caf0ccca13f7b5216157dc4728f49ae8608d5157a1fecbda92088439520bf61559209d2ba1e9cf4c200edfe87e4310893435d698ce8a5'
+ '7f956d84cf732dc8f5e467723d6b08065d8c4f02ac154c6e8adc6caee189bca55b4fb7db1069a2e9d86b3bf9b2b0c905f3ae85480c2372b310accc0604c62956'
+ 'b19f3967ce7f056d7bf0ed6bc853512987a5901fae234b3e682612606670e206aad44fc74909fc5952adcc4730d273f870bb8dea8f4ba2521cc6f9b487231b1a')
_homedir="/var/lib/${pkgname}"
_datadir="/usr/share/webapps/${pkgname}"
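Review bot: The first `sha512sums` entry stays `'SKIP'` for the git source, so the only thing fixing what gets built is the `#tag=v${pkgver}` fragment visible in the hunk header, and a tag can be moved upstream after this commit lands. Pinning the source to the release commit, e.g. `#commit=<full commit hash of v2.3.8>`, would make the fetched tree fixed and any later change detectable. If upstream signs its tags (not visible from this page), the `?signed` fragment together with `validpgpkeys` is the alternative. The switch from sha256 to sha512 covers only the local helper files, not the upstream code. The `source=` array starts outside this hunk.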
diff --git a/nginx-ssl.conf.example b/nginx-ssl.conf.example
deleted file mode 100644
index cbb198086b5b..000000000000
--- a/nginx-ssl.conf.example
+++ /dev/null
@@ -1,142 +0,0 @@
-## GitLab
-## Contributors: randx, yin8086, sashkab, orkoden, axilleas
-##
-## Modified from nginx http version
-## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
-## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-##
-## Lines starting with two hashes (##) are comments with information.
-## Lines starting with one hash (#) are configuration parameters that can be uncommented.
-##
-##################################
-## CHUNKED TRANSFER ##
-##################################
-##
-## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
-## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
-## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
-## around this by tweaking this configuration file and either:
-## - installing an old version of Nginx with the chunkin module [2] compiled in, or
-## - using a newer version of Nginx.
-##
-## At the time of writing we do not know if either of these theoretical solutions works.
-## As a workaround users can use Git over SSH to push large files.
-##
-## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
-## [1] https://github.com/agentzh/chunkin-nginx-module#status
-## [2] https://github.com/agentzh/chunkin-nginx-module
-##
-##
-###################################
-## SSL configuration ##
-###################################
-##
-## See installation.md#using-https for additional HTTPS configuration details.
-
-upstream gitlab {
- server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
-}
-
-## Normal HTTP host
-server {
- listen *:80 default_server;
- server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
- server_tokens off; ## Don't show the nginx version number, a security best practice
-
- ## Redirects all traffic to the HTTPS host
- root /nowhere; ## root doesn't have to be a valid path since we are redirecting
- rewrite ^ https://$server_name$request_uri? permanent;
-}
-
-## HTTPS host
-server {
- listen 443 ssl;
- server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
- server_tokens off;
- root /home/git/gitlab/public;
-
- ## Increase this if you want to upload large attachments
- ## Or if you want to accept large git objects over http
- client_max_body_size 20m;
-
- ## Strong SSL Security
- ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
- ssl on;
- ssl_certificate /etc/nginx/ssl/gitlab.crt;
- ssl_certificate_key /etc/nginx/ssl/gitlab.key;
-
- # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
-
- ## [WARNING] The following header states that the browser should only communicate
- ## with your server over a secure connection for the next 24 months.
- add_header Strict-Transport-Security max-age=63072000;
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff;
-
- ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
- ## Replace with your ssl_trusted_certificate. For more info see:
- ## - https://medium.com/devops-programming/4445f4862461
- ## - https://www.ruby-forum.com/topic/4419319
- ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
- # ssl_stapling on;
- # ssl_stapling_verify on;
- # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
- # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
- # resolver_timeout 5s;
-
- ## [Optional] Generate a stronger DHE parameter:
- ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
- ##
- # ssl_dhparam /etc/ssl/certs/dhparam.pem;
-
- ## Individual nginx logs for this GitLab vhost
- access_log /var/log/nginx/gitlab_access.log;
- error_log /var/log/nginx/gitlab_error.log;
-
- location / {
- ## Serve static files from defined root folder.
- ## @gitlab is a named location for the upstream fallback, see below.
- try_files $uri $uri/index.html $uri.html @gitlab;
- }
-
- ## If a file, which is not found in the root folder is requested,
- ## then the proxy passes the request to the upsteam (gitlab unicorn).
- location @gitlab {
- ## If you use HTTPS make sure you disable gzip compression
- ## to be safe against BREACH attack.
- gzip off;
-
- ## https://github.com/gitlabhq/gitlabhq/issues/694
- ## Some requests take more than 30 seconds.
- proxy_read_timeout 300;
- proxy_connect_timeout 300;
- proxy_redirect off;
-
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Ssl on;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Frame-Options SAMEORIGIN;
-
- proxy_pass http://gitlab;
- }
-
- ## Enable gzip compression as per rails guide:
- ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
- ## WARNING: If you are using relative urls remove the block below
- ## See config/application.rb under "Relative url support" for the list of
- ## other files that need to be changed for relative url support
- location ~ ^/(assets)/ {
- root /home/git/gitlab/public;
- gzip_static on; # to serve pre-gzipped version
- expires max;
- add_header Cache-Control public;
- }
-
- error_page 502 /502.html;
-}
diff --git a/nginx.conf.example b/nginx.conf.example
index 6357dc8fa468..538e29fab4a1 100644
--- a/nginx.conf.example
+++ b/nginx.conf.example
@@ -1,90 +1,261 @@
-## GitLab
-## Maintainer: @randx
-##
-## Lines starting with two hashes (##) are comments with information.
-## Lines starting with one hash (#) are configuration parameters that can be uncommented.
-##
-##################################
-## CHUNKED TRANSFER ##
-##################################
-##
-## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
-## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
-## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
-## around this by tweaking this configuration file and either:
-## - installing an old version of Nginx with the chunkin module [2] compiled in, or
-## - using a newer version of Nginx.
-##
-## At the time of writing we do not know if either of these theoretical solutions works.
-## As a workaround users can use Git over SSH to push large files.
-##
-## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
-## [1] https://github.com/agentzh/chunkin-nginx-module#status
-## [2] https://github.com/agentzh/chunkin-nginx-module
-##
-###################################
-## configuration ##
-###################################
-##
-
-upstream gitlab {
- server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
+# Additional MIME types that you'd like nginx to handle go in here
+types {
+ text/csv csv;
}
-## Normal HTTP host
+upstream discourse {
+ server unix:/var/www/discourse/tmp/sockets/thin.0.sock;
+ server unix:/var/www/discourse/tmp/sockets/thin.1.sock;
+ server unix:/var/www/discourse/tmp/sockets/thin.2.sock;
+ server unix:/var/www/discourse/tmp/sockets/thin.3.sock;
+}
+
+# inactive means we keep stuff around for 1440m minutes regardless of last access (1 week)
+# levels means it is a 2 deep heirarchy cause we can have lots of files
+# max_size limits the size of the cache
+proxy_cache_path /var/nginx/cache inactive=1440m levels=1:2 keys_zone=one:10m max_size=600m;
+
+# see: https://meta.discourse.org/t/x/74060
+proxy_buffer_size 8k;
+
+# If you are going to use Puma, use these:
+#
+# upstream discourse {
+# server unix:/var/www/discourse/tmp/sockets/puma.sock;
+# }
+
+
+# attempt to preserve the proto, must be in http context
+map $http_x_forwarded_proto $thescheme {
+ default $scheme;
+ https https;
+}
+
+log_format log_discourse '[$time_local] "$http_host" $remote_addr "$request" "$http_user_agent" "$sent_http_x_discourse_route" $status $bytes_sent "$http_referer" $upstream_response_time $request_time "$sent_http_x_discourse_username"';
+
server {
- listen *:80 default_server;
- server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
- server_tokens off; ## Don't show the nginx version number, a security best practice
- root /home/git/gitlab/public;
- ## Increase this if you want to upload large attachments
- ## Or if you want to accept large git objects over http
- client_max_body_size 20m;
+ access_log /var/log/nginx/access.log log_discourse;
+
+ listen 80;
+ gzip on;
+ gzip_vary on;
+ gzip_min_length 1000;
+ gzip_comp_level 5;
+ gzip_types application/json text/css text/javascript application/x-javascript application/javascript image/svg+xml;
+ gzip_proxied any;
- ## Individual nginx logs for this GitLab vhost
- access_log /var/log/nginx/gitlab_access.log;
- error_log /var/log/nginx/gitlab_error.log;
+ # Uncomment and configure this section for HTTPS support
+ # NOTE: Put your ssl cert in your main nginx config directory (/etc/nginx)
+ #
+ # rewrite ^/(.*) https://enter.your.web.hostname.here/$1 permanent;
+ #
+ # listen 443 ssl;
+ # ssl_certificate your-hostname-cert.pem;
+ # ssl_certificate_key your-hostname-cert.key;
+ # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ # ssl_ciphers HIGH:!aNULL:!MD5;
+ #
+
+ server_name enter.your.web.hostname.here;
+ server_tokens off;
+
+ sendfile on;
+
+ keepalive_timeout 65;
+
+ # maximum file upload size (keep up to date when changing the corresponding site setting)
+ client_max_body_size 10m;
+
+ # path to discourse's public directory
+ set $public /var/www/discourse/public;
+
+ # without weak etags we get zero benefit from etags on dynamically compressed content
+ # further more etags are based on the file in nginx not sha of data
+ # use dates, it solves the problem fine even cross server
+ etag off;
+
+ # prevent direct download of backups
+ location ^~ /backups/ {
+ internal;
+ }
+
+ # bypass rails stack with a cheap 204 for favicon.ico requests
+ location /favicon.ico {
+ return 204;
+ access_log off;
+ log_not_found off;
+ }
location / {
- ## Serve static files from defined root folder.
- ## @gitlab is a named location for the upstream fallback, see below.
- try_files $uri $uri/index.html $uri.html @gitlab;
+ root $public;
+ add_header ETag "";
+
+ # auth_basic on;
+ # auth_basic_user_file /etc/nginx/htpasswd;
+
+ location ~ ^/uploads/short-url/ {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $thescheme;
+ proxy_pass http://discourse;
+ break;
+ }
+
+ location ~* (assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico)$ {
+ expires 1y;
+ add_header Cache-Control public,immutable;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+ location = /srv/status {
+ access_log off;
+ log_not_found off;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $thescheme;
+ proxy_pass http://discourse;
+ break;
+ }
+
+ # some minimal caching here so we don't keep asking
+ # longer term we should increas probably to 1y
+ location ~ ^/javascripts/ {
+ expires 1d;
+ add_header Cache-Control public,immutable;
+ }
+
+ location ~ ^/assets/(?<asset_path>.+)$ {
+ expires 1y;
+ # asset pipeline enables this
+ brotli_static on;
+ gzip_static on;
+ add_header Cache-Control public,immutable;
+ # HOOK in asset location (used for extensibility)
+ # TODO I don't think this break is needed, it just breaks out of rewrite
+ break;
+ }
+
+ location ~ ^/plugins/ {
+ expires 1y;
+ add_header Cache-Control public,immutable;
+ }
+
+ # cache emojis
+ location ~ /images/emoji/ {
+ expires 1y;
+ add_header Cache-Control public,immutable;
+ }
+
+ location ~ ^/uploads/ {
+
+ # NOTE: it is really annoying that we can't just define headers
+ # at the top level and inherit.
+ #
+ # proxy_set_header DOES NOT inherit, by design, we must repeat it,
+ # otherwise headers are not set correctly
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $thescheme;
+ proxy_set_header X-Sendfile-Type X-Accel-Redirect;
+ proxy_set_header X-Accel-Mapping $public/=/downloads/;
+ expires 1y;
+ add_header Cache-Control public,immutable;
+
+ ## optional upload anti-hotlinking rules
+ #valid_referers none blocked mysite.com *.mysite.com;
+ #if ($invalid_referer) { return 403; }
+
+ # custom CSS
+ location ~ /stylesheet-cache/ {
+ try_files $uri =404;
+ }
+ # this allows us to bypass rails
+ location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|svg|ico|webp)$ {
+ try_files $uri =404;
+ }
+ # thumbnails & optimized images
+ location ~ /_?optimized/ {
+ try_files $uri =404;
+ }
+
+ proxy_pass http://discourse;
+ break;
+ }
+
+ location ~ ^/admin/backups/ {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $thescheme;
+ proxy_set_header X-Sendfile-Type X-Accel-Redirect;
+ proxy_set_header X-Accel-Mapping $public/=/downloads/;
+ proxy_pass http://discourse;
+ break;
+ }
+
+ # This big block is needed so we can selectively enable
+ # acceleration for backups, avatars, sprites and so on.
+ # see note about repetition above
+ location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker) {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $thescheme;
+
+ # if Set-Cookie is in the response nothing gets cached
+ # this is double bad cause we are not passing last modified in
+ proxy_ignore_headers "Set-Cookie";
+ proxy_hide_header "Set-Cookie";
+ proxy_hide_header "X-Discourse-Username";
+ proxy_hide_header "X-Runtime";
+
+ # note x-accel-redirect can not be used with proxy_cache
+ proxy_cache one;
+ proxy_cache_key "$scheme,$host,$request_uri";
+ proxy_cache_valid 200 301 302 7d;
+ proxy_cache_valid any 1m;
+ proxy_pass http://discourse;
+ break;
+ }
+
+ # we need buffering off for message bus
+ location /message-bus/ {
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $thescheme;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_pass http://discourse;
+ break;
+ }
+
+ # this means every file in public is tried first
+ try_files $uri @discourse;
}
- ## If a file, which is not found in the root folder is requested,
- ## then the proxy passes the request to the upsteam (gitlab unicorn).
- location @gitlab {
- ## If you use HTTPS make sure you disable gzip compression
- ## to be safe against BREACH attack.
- # gzip off;
-
- ## https://github.com/gitlabhq/gitlabhq/issues/694
- ## Some requests take more than 30 seconds.
- proxy_read_timeout 300;
- proxy_connect_timeout 300;
- proxy_redirect off;
-
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Frame-Options SAMEORIGIN;
-
- proxy_pass http://gitlab;
+ location /downloads/ {
+ internal;
+ alias $public/;
}
- ## Enable gzip compression as per rails guide:
- ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
- ## WARNING: If you are using relative urls remove the block below
- ## See config/application.rb under "Relative url support" for the list of
- ## other files that need to be changed for relative url support
- location ~ ^/(assets)/ {
- root /home/git/gitlab/public;
- gzip_static on; # to serve pre-gzipped version
- expires max;
- add_header Cache-Control public;
+ location @discourse {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $thescheme;
+ proxy_pass http://discourse;
}
- error_page 502 /502.html;
}
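Review bot: The commented HTTPS block near the top of the `server` section still offers `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, and with nginx-ssl.conf.example deleted in this commit it is the only TLS guidance the package ships; I would make it `# ssl_protocols TLSv1.2 TLSv1.3;`. The HSTS, `X-Content-Type-Options` and `X-Frame-Options` headers from the deleted file have no counterpart here, so at least `# add_header Strict-Transport-Security max-age=63072000;` could be carried over into that block. The `rewrite ^/(.*) https://enter.your.web.hostname.here/$1 permanent;` line sits in the same server as `listen 443 ssl;`, so uncommenting the block as written would redirect HTTPS requests as well; a comment saying the redirect belongs in a separate port-80 server would avoid that. The `map` that fills `$thescheme` accepts the client's `X-Forwarded-Proto` header as given, which is only sound when nginx sits behind a trusted proxy, and a one-line comment on the `map` should say so.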