author | Felix Golatofski | 2020-01-06 13:53:50 +0100 |
---|---|---|
committer | Felix Golatofski | 2020-01-06 13:53:50 +0100 |
commit | 6591878c3de37d5f6b2f692ca64b62715f7f9252 (patch) | |
tree | 9078ad5118ea538ea6e1fde974d2a27a9029dede | |
parent | 21c758252a0b78910ca67d1c34031f27770603d4 (diff) | |
download | aur-6591878c3de37d5f6b2f692ca64b62715f7f9252.tar.gz |
Updated to 2.3.8
-rw-r--r-- | .SRCINFO | 40 | ||||
-rw-r--r-- | PKGBUILD | 36 | ||||
-rw-r--r-- | nginx-ssl.conf.example | 142 | ||||
-rw-r--r-- | nginx.conf.example | 323 |
4 files changed, 280 insertions, 261 deletions
@@ -1,17 +1,15 @@
-# Generated by mksrcinfo v8
-# Thu Jan 7 15:31:08 UTC 2016
 pkgbase = discourse
 pkgdesc = A simple, flat forum, where replies flow down the page in a line
- pkgver = 1.4.3
+ pkgver = 2.3.8
 pkgrel = 1
 url = http://www.discourse.org/
 install = discourse.install
 arch = i686
 arch = x86_64
 license = GPL
- makedepends = nodejs-uglify-js
+ makedepends = uglify-js
 depends = ruby>=2.0
- depends = ruby-bundler>=1.5.2
+ depends = ruby-bundler>=1.17.3
 depends = gmp
 depends = libxml2
 depends = libxslt
@@ -37,7 +35,7 @@ pkgbase = discourse
 optdepends = optipng: needed to do optimizations on stored images
 backup = etc/webapps/discourse/unicorn.conf.rb
 backup = etc/webapps/discourse/discourse.conf
- source = discourse::git+https://github.com/discourse/discourse.git#tag=v1.4.3
+ source = discourse::git+https://github.com/discourse/discourse.git#tag=v2.3.8
 source = discourse-sidekiq.service
 source = discourse-unicorn.service
 source = discourse-kill.service
@@ -48,25 +46,21 @@ pkgbase = discourse source = discourse.logrotate source = unicorn.conf.rb source = apache.conf.example - source = apache-ssl.conf.example source = nginx.conf.example - source = nginx-ssl.conf.example source = 0001-Revert-this-quickstart-file-is-confusing-and-not-nee.patch - sha256sums = SKIP - sha256sums = 51e2005fe002d42c8f5ffd3e9ccff54a739555c8e121584603c5d7daee255ca8 - sha256sums = ec711a14712cd7419378a92209b9db1af6a26f758f24aeddcf6e73efc763cd9b - sha256sums = 803c5b71fb350577a0e81c60ad5d511cba0d983046592a5dc8a2f9c726ec2143 - sha256sums = d8fab91c2b15e50db26caa00c034db4703b864e6434846b72225c871e4a3d508 - sha256sums = b512d219056537f7a7b749a10cfb90fb78116d7c6414e0a0bc72c08f1ced3f43 - sha256sums = 0b5110b99f3356d9931ce4991344b1149a2d3be04322043b555b91d8751c7a31 - sha256sums = 71fa450935dea04c30cc5a0eaaa16012ac765445644ca719b7a1d589aad1938f - sha256sums = 1c57caa7b2dad6b66db724a7db3ff8f156d0291e88cccdfb37d89e3557a7715d - sha256sums = c76423db80d2f4b39ea5fcd95fd66dfb38de9e9862e8370dfc3a45641e2204ca - sha256sums = b40c615d8da35fe5a02b914baf5920025ee7167b5d78b47d5905e633934ca11e - sha256sums = 8056354bac606f66a3667034ff93ffbfce3ec52664e7a809835d5cc45a121c30 - sha256sums = 7d00b5d99777b4843cdc2f8fb9c65beb94375dcaa6351d2c8f6d55161512b3c5 - sha256sums = cd8965f971047ce5cf5c32d4709fe231c392893702db181300b02de86e0f70fb - sha256sums = 77fc9f233a964fbb3a4952001e575b07772d1939bf2e0872f5161512ceffd62a + sha512sums = SKIP + sha512sums = fdd4fbdbea672374ec1b10b33d931d9f1faf9a381fda73f58ab120cd2cc338c8fa989717c00aab6daa197650e9b5d7733fc45721b9b4ee01d6bf182e421eaaf3 + sha512sums = 03bd411af6153f409a36ed8ca1abd7946613aee8b524cf11b44237b51fa239e3d11a6191c0f037ae40aeefc30f67eb6773e8d5610df7237072b1af4cf07f6c2c + sha512sums = 26a5fd92a08fdd133217a60f986221e92dca9ae1f9abc783d5f221cd04fb69fa014f90f7b56c7ba54fb46711fb7282408adbeee5706c4af2c3353069353352e9 + sha512sums = 
ea819bd625d68452f5222e841f3f9e0aa8b568b8c32c1b43375261f7508c215211d920c4541a91a3acfea11f9b4f8b18b4b6d9071cf3e5ee1569949141560a9c + sha512sums = d1004ff9faeeac8f2c53b66e7bed6056e39d37d5e1bdbfe0b36685858ffc3977092185edf4579ae50af2a6cb09f628637487b09c01d50382543691442c38fc3c + sha512sums = 65b723be22b6d8656e312791652a77a20503a8d5cdca910f5fffae4e4546d73933cd9f4a900bbf92e9c7c20f59f780fcd1dfe3c3e8b47853e2d265079e0fc72f + sha512sums = b2eb1720378684a07e35fcd7036cb9dad495750609d0fee18b4cafbcb78a13218639b6c661421bddb2731a95731cbee3c71f4d27bacac797a54130309d4b6565 + sha512sums = 179d0f577b06816466206b47e9e2b21befa7010bdc2bd4a1c9116e41111549b058d2613ae94f230b31a9e0122af69ae5216f8ddef8c14fe4df220bc6f2cc8e32 + sha512sums = 0a1b4d54c497f4be26799234aac3e39660fe55f5808d41c5f056943ebefcc79f7e4146d0aa7d78d90101d5cf11a2aefb59ba25fc0e15c0d33e49bfdd80b65ff3 + sha512sums = cc47f4c0697cb8a0c29caf0ccca13f7b5216157dc4728f49ae8608d5157a1fecbda92088439520bf61559209d2ba1e9cf4c200edfe87e4310893435d698ce8a5 + sha512sums = 7f956d84cf732dc8f5e467723d6b08065d8c4f02ac154c6e8adc6caee189bca55b4fb7db1069a2e9d86b3bf9b2b0c905f3ae85480c2372b310accc0604c62956 + sha512sums = b19f3967ce7f056d7bf0ed6bc853512987a5901fae234b3e682612606670e206aad44fc74909fc5952adcc4730d273f870bb8dea8f4ba2521cc6f9b487231b1a pkgname = discourse 
@@ -2,15 +2,15 @@ # Contributor: Tobias Hunger <tobias DOT hunger AT gmail DOT com> pkgname=discourse -pkgver=1.4.3 +pkgver=2.3.8 pkgrel=1 pkgdesc="A simple, flat forum, where replies flow down the page in a line" arch=('i686' 'x86_64') url="http://www.discourse.org/" license=('GPL') -depends=('ruby>=2.0' 'ruby-bundler>=1.5.2' 'gmp' 'libxml2' 'libxslt' 'openssl' +depends=('ruby>=2.0' 'ruby-bundler>=1.17.3' 'gmp' 'libxml2' 'libxslt' 'openssl' 'krb5' 'libgcrypt' 'libgpg-error' 'postgresql-libs' 'xz' 'zlib') -makedepends=('nodejs-uglify-js') +makedepends=('uglify-js') optdepends=('apache: a webserver to deploy discourse' 'nginx: another webserver to deploy discourse (example configs have to be fixed!)' 'postgresql: database server' 
@@ -37,26 +37,22 @@ source=("${pkgname}::git+https://github.com/discourse/discourse.git#tag=v${pkgve "discourse.logrotate" "unicorn.conf.rb" "apache.conf.example" - "apache-ssl.conf.example" "nginx.conf.example" - "nginx-ssl.conf.example" "0001-Revert-this-quickstart-file-is-confusing-and-not-nee.patch") install="${pkgname}.install" -sha256sums=('SKIP' - '51e2005fe002d42c8f5ffd3e9ccff54a739555c8e121584603c5d7daee255ca8' - 'ec711a14712cd7419378a92209b9db1af6a26f758f24aeddcf6e73efc763cd9b' - '803c5b71fb350577a0e81c60ad5d511cba0d983046592a5dc8a2f9c726ec2143' - 'd8fab91c2b15e50db26caa00c034db4703b864e6434846b72225c871e4a3d508' - 'b512d219056537f7a7b749a10cfb90fb78116d7c6414e0a0bc72c08f1ced3f43' - '0b5110b99f3356d9931ce4991344b1149a2d3be04322043b555b91d8751c7a31' - '71fa450935dea04c30cc5a0eaaa16012ac765445644ca719b7a1d589aad1938f' - '1c57caa7b2dad6b66db724a7db3ff8f156d0291e88cccdfb37d89e3557a7715d' - 'c76423db80d2f4b39ea5fcd95fd66dfb38de9e9862e8370dfc3a45641e2204ca' - 'b40c615d8da35fe5a02b914baf5920025ee7167b5d78b47d5905e633934ca11e' - '8056354bac606f66a3667034ff93ffbfce3ec52664e7a809835d5cc45a121c30' - '7d00b5d99777b4843cdc2f8fb9c65beb94375dcaa6351d2c8f6d55161512b3c5' - 'cd8965f971047ce5cf5c32d4709fe231c392893702db181300b02de86e0f70fb' - '77fc9f233a964fbb3a4952001e575b07772d1939bf2e0872f5161512ceffd62a') +sha512sums=('SKIP' + 'fdd4fbdbea672374ec1b10b33d931d9f1faf9a381fda73f58ab120cd2cc338c8fa989717c00aab6daa197650e9b5d7733fc45721b9b4ee01d6bf182e421eaaf3' + '03bd411af6153f409a36ed8ca1abd7946613aee8b524cf11b44237b51fa239e3d11a6191c0f037ae40aeefc30f67eb6773e8d5610df7237072b1af4cf07f6c2c' + '26a5fd92a08fdd133217a60f986221e92dca9ae1f9abc783d5f221cd04fb69fa014f90f7b56c7ba54fb46711fb7282408adbeee5706c4af2c3353069353352e9' + 'ea819bd625d68452f5222e841f3f9e0aa8b568b8c32c1b43375261f7508c215211d920c4541a91a3acfea11f9b4f8b18b4b6d9071cf3e5ee1569949141560a9c' + 
'd1004ff9faeeac8f2c53b66e7bed6056e39d37d5e1bdbfe0b36685858ffc3977092185edf4579ae50af2a6cb09f628637487b09c01d50382543691442c38fc3c' + '65b723be22b6d8656e312791652a77a20503a8d5cdca910f5fffae4e4546d73933cd9f4a900bbf92e9c7c20f59f780fcd1dfe3c3e8b47853e2d265079e0fc72f' + 'b2eb1720378684a07e35fcd7036cb9dad495750609d0fee18b4cafbcb78a13218639b6c661421bddb2731a95731cbee3c71f4d27bacac797a54130309d4b6565' + '179d0f577b06816466206b47e9e2b21befa7010bdc2bd4a1c9116e41111549b058d2613ae94f230b31a9e0122af69ae5216f8ddef8c14fe4df220bc6f2cc8e32' + '0a1b4d54c497f4be26799234aac3e39660fe55f5808d41c5f056943ebefcc79f7e4146d0aa7d78d90101d5cf11a2aefb59ba25fc0e15c0d33e49bfdd80b65ff3' + 'cc47f4c0697cb8a0c29caf0ccca13f7b5216157dc4728f49ae8608d5157a1fecbda92088439520bf61559209d2ba1e9cf4c200edfe87e4310893435d698ce8a5' + '7f956d84cf732dc8f5e467723d6b08065d8c4f02ac154c6e8adc6caee189bca55b4fb7db1069a2e9d86b3bf9b2b0c905f3ae85480c2372b310accc0604c62956' + 'b19f3967ce7f056d7bf0ed6bc853512987a5901fae234b3e682612606670e206aad44fc74909fc5952adcc4730d273f870bb8dea8f4ba2521cc6f9b487231b1a') _homedir="/var/lib/${pkgname}" _datadir="/usr/share/webapps/${pkgname}" diff --git a/nginx-ssl.conf.example b/nginx-ssl.conf.example deleted file mode 100644 index cbb198086b5b..000000000000 --- a/nginx-ssl.conf.example +++ /dev/null 
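Review bot: The first `sha512sums` entry is still `'SKIP'` while the git source is selected by `#tag=v${pkgver}`, so nothing in the package pins what that tag resolves to at build time; a moved or re-created upstream tag would be built without any checksum mismatch. Pinning the fragment to the release commit, e.g. `#commit=<full-commit-hash-of-v2.3.8>` (placeholder), or enabling a signed-tag check, would close that gap. The `source=(` array opens above this hunk, so only its tail is visible here.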
@@ -1,142 +0,0 @@ -## GitLab -## Contributors: randx, yin8086, sashkab, orkoden, axilleas -## -## Modified from nginx http version -## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/ -## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html -## -## Lines starting with two hashes (##) are comments with information. -## Lines starting with one hash (#) are configuration parameters that can be uncommented. -## -################################## -## CHUNKED TRANSFER ## -################################## -## -## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] -## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object -## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get -## around this by tweaking this configuration file and either: -## - installing an old version of Nginx with the chunkin module [2] compiled in, or -## - using a newer version of Nginx. -## -## At the time of writing we do not know if either of these theoretical solutions works. -## As a workaround users can use Git over SSH to push large files. -## -## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 -## [1] https://github.com/agentzh/chunkin-nginx-module#status -## [2] https://github.com/agentzh/chunkin-nginx-module -## -## -################################### -## SSL configuration ## -################################### -## -## See installation.md#using-https for additional HTTPS configuration details. 
- -upstream gitlab { - server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0; -} - -## Normal HTTP host -server { - listen *:80 default_server; - server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com - server_tokens off; ## Don't show the nginx version number, a security best practice - - ## Redirects all traffic to the HTTPS host - root /nowhere; ## root doesn't have to be a valid path since we are redirecting - rewrite ^ https://$server_name$request_uri? permanent; -} - -## HTTPS host -server { - listen 443 ssl; - server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com - server_tokens off; - root /home/git/gitlab/public; - - ## Increase this if you want to upload large attachments - ## Or if you want to accept large git objects over http - client_max_body_size 20m; - - ## Strong SSL Security - ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ - ssl on; - ssl_certificate /etc/nginx/ssl/gitlab.crt; - ssl_certificate_key /etc/nginx/ssl/gitlab.key; - - # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs - ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - - ## [WARNING] The following header states that the browser should only communicate - ## with your server over a secure connection for the next 24 months. 
- add_header Strict-Transport-Security max-age=63072000; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - - ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. - ## Replace with your ssl_trusted_certificate. For more info see: - ## - https://medium.com/devops-programming/4445f4862461 - ## - https://www.ruby-forum.com/topic/4419319 - ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx - # ssl_stapling on; - # ssl_stapling_verify on; - # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; - # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired - # resolver_timeout 5s; - - ## [Optional] Generate a stronger DHE parameter: - ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 - ## - # ssl_dhparam /etc/ssl/certs/dhparam.pem; - - ## Individual nginx logs for this GitLab vhost - access_log /var/log/nginx/gitlab_access.log; - error_log /var/log/nginx/gitlab_error.log; - - location / { - ## Serve static files from defined root folder. - ## @gitlab is a named location for the upstream fallback, see below. - try_files $uri $uri/index.html $uri.html @gitlab; - } - - ## If a file, which is not found in the root folder is requested, - ## then the proxy passes the request to the upsteam (gitlab unicorn). - location @gitlab { - ## If you use HTTPS make sure you disable gzip compression - ## to be safe against BREACH attack. - gzip off; - - ## https://github.com/gitlabhq/gitlabhq/issues/694 - ## Some requests take more than 30 seconds. 
- proxy_read_timeout 300; - proxy_connect_timeout 300; - proxy_redirect off; - - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Ssl on; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Frame-Options SAMEORIGIN; - - proxy_pass http://gitlab; - } - - ## Enable gzip compression as per rails guide: - ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression - ## WARNING: If you are using relative urls remove the block below - ## See config/application.rb under "Relative url support" for the list of - ## other files that need to be changed for relative url support - location ~ ^/(assets)/ { - root /home/git/gitlab/public; - gzip_static on; # to serve pre-gzipped version - expires max; - add_header Cache-Control public; - } - - error_page 502 /502.html; -} diff --git a/nginx.conf.example b/nginx.conf.example index 6357dc8fa468..538e29fab4a1 100644 --- a/nginx.conf.example +++ b/nginx.conf.example 
@@ -1,90 +1,261 @@ -## GitLab -## Maintainer: @randx -## -## Lines starting with two hashes (##) are comments with information. -## Lines starting with one hash (#) are configuration parameters that can be uncommented. -## -################################## -## CHUNKED TRANSFER ## -################################## -## -## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] -## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object -## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get -## around this by tweaking this configuration file and either: -## - installing an old version of Nginx with the chunkin module [2] compiled in, or -## - using a newer version of Nginx. -## -## At the time of writing we do not know if either of these theoretical solutions works. -## As a workaround users can use Git over SSH to push large files. -## -## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 -## [1] https://github.com/agentzh/chunkin-nginx-module#status -## [2] https://github.com/agentzh/chunkin-nginx-module -## -################################### -## configuration ## -################################### -## - -upstream gitlab { - server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0; +# Additional MIME types that you'd like nginx to handle go in here +types { + text/csv csv; } -## Normal HTTP host +upstream discourse { + server unix:/var/www/discourse/tmp/sockets/thin.0.sock; + server unix:/var/www/discourse/tmp/sockets/thin.1.sock; + server unix:/var/www/discourse/tmp/sockets/thin.2.sock; + server unix:/var/www/discourse/tmp/sockets/thin.3.sock; +} + +# inactive means we keep stuff around for 1440m minutes regardless of last access (1 week) +# levels means it is a 2 deep heirarchy cause we can have lots of files +# max_size limits the size of the cache +proxy_cache_path /var/nginx/cache inactive=1440m levels=1:2 
keys_zone=one:10m max_size=600m; + +# see: https://meta.discourse.org/t/x/74060 +proxy_buffer_size 8k; + +# If you are going to use Puma, use these: +# +# upstream discourse { +# server unix:/var/www/discourse/tmp/sockets/puma.sock; +# } + + +# attempt to preserve the proto, must be in http context +map $http_x_forwarded_proto $thescheme { + default $scheme; + https https; +} + +log_format log_discourse '[$time_local] "$http_host" $remote_addr "$request" "$http_user_agent" "$sent_http_x_discourse_route" $status $bytes_sent "$http_referer" $upstream_response_time $request_time "$sent_http_x_discourse_username"'; + server { - listen *:80 default_server; - server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com - server_tokens off; ## Don't show the nginx version number, a security best practice - root /home/git/gitlab/public; - ## Increase this if you want to upload large attachments - ## Or if you want to accept large git objects over http - client_max_body_size 20m; + access_log /var/log/nginx/access.log log_discourse; + + listen 80; + gzip on; + gzip_vary on; + gzip_min_length 1000; + gzip_comp_level 5; + gzip_types application/json text/css text/javascript application/x-javascript application/javascript image/svg+xml; + gzip_proxied any; - ## Individual nginx logs for this GitLab vhost - access_log /var/log/nginx/gitlab_access.log; - error_log /var/log/nginx/gitlab_error.log; + # Uncomment and configure this section for HTTPS support + # NOTE: Put your ssl cert in your main nginx config directory (/etc/nginx) + # + # rewrite ^/(.*) https://enter.your.web.hostname.here/$1 permanent; + # + # listen 443 ssl; + # ssl_certificate your-hostname-cert.pem; + # ssl_certificate_key your-hostname-cert.key; + # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + # ssl_ciphers HIGH:!aNULL:!MD5; + # + + server_name enter.your.web.hostname.here; + server_tokens off; + + sendfile on; + + keepalive_timeout 65; + + # maximum file upload size (keep up to date when 
changing the corresponding site setting) + client_max_body_size 10m; + + # path to discourse's public directory + set $public /var/www/discourse/public; + + # without weak etags we get zero benefit from etags on dynamically compressed content + # further more etags are based on the file in nginx not sha of data + # use dates, it solves the problem fine even cross server + etag off; + + # prevent direct download of backups + location ^~ /backups/ { + internal; + } + + # bypass rails stack with a cheap 204 for favicon.ico requests + location /favicon.ico { + return 204; + access_log off; + log_not_found off; + } location / { - ## Serve static files from defined root folder. - ## @gitlab is a named location for the upstream fallback, see below. - try_files $uri $uri/index.html $uri.html @gitlab; + root $public; + add_header ETag ""; + + # auth_basic on; + # auth_basic_user_file /etc/nginx/htpasswd; + + location ~ ^/uploads/short-url/ { + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Request-Start "t=${msec}"; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $thescheme; + proxy_pass http://discourse; + break; + } + + location ~* (assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico)$ { + expires 1y; + add_header Cache-Control public,immutable; + add_header Access-Control-Allow-Origin *; + } + + location = /srv/status { + access_log off; + log_not_found off; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Request-Start "t=${msec}"; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $thescheme; + proxy_pass http://discourse; + break; + } + + # some minimal caching here so we don't keep asking + # longer term we should increas probably to 1y + location ~ ^/javascripts/ { + expires 1d; + add_header Cache-Control public,immutable; + } + + location ~ 
^/assets/(?<asset_path>.+)$ { + expires 1y; + # asset pipeline enables this + brotli_static on; + gzip_static on; + add_header Cache-Control public,immutable; + # HOOK in asset location (used for extensibility) + # TODO I don't think this break is needed, it just breaks out of rewrite + break; + } + + location ~ ^/plugins/ { + expires 1y; + add_header Cache-Control public,immutable; + } + + # cache emojis + location ~ /images/emoji/ { + expires 1y; + add_header Cache-Control public,immutable; + } + + location ~ ^/uploads/ { + + # NOTE: it is really annoying that we can't just define headers + # at the top level and inherit. + # + # proxy_set_header DOES NOT inherit, by design, we must repeat it, + # otherwise headers are not set correctly + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Request-Start "t=${msec}"; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $thescheme; + proxy_set_header X-Sendfile-Type X-Accel-Redirect; + proxy_set_header X-Accel-Mapping $public/=/downloads/; + expires 1y; + add_header Cache-Control public,immutable; + + ## optional upload anti-hotlinking rules + #valid_referers none blocked mysite.com *.mysite.com; + #if ($invalid_referer) { return 403; } + + # custom CSS + location ~ /stylesheet-cache/ { + try_files $uri =404; + } + # this allows us to bypass rails + location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|svg|ico|webp)$ { + try_files $uri =404; + } + # thumbnails & optimized images + location ~ /_?optimized/ { + try_files $uri =404; + } + + proxy_pass http://discourse; + break; + } + + location ~ ^/admin/backups/ { + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Request-Start "t=${msec}"; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $thescheme; + proxy_set_header X-Sendfile-Type X-Accel-Redirect; + proxy_set_header X-Accel-Mapping 
$public/=/downloads/; + proxy_pass http://discourse; + break; + } + + # This big block is needed so we can selectively enable + # acceleration for backups, avatars, sprites and so on. + # see note about repetition above + location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker) { + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Request-Start "t=${msec}"; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $thescheme; + + # if Set-Cookie is in the response nothing gets cached + # this is double bad cause we are not passing last modified in + proxy_ignore_headers "Set-Cookie"; + proxy_hide_header "Set-Cookie"; + proxy_hide_header "X-Discourse-Username"; + proxy_hide_header "X-Runtime"; + + # note x-accel-redirect can not be used with proxy_cache + proxy_cache one; + proxy_cache_key "$scheme,$host,$request_uri"; + proxy_cache_valid 200 301 302 7d; + proxy_cache_valid any 1m; + proxy_pass http://discourse; + break; + } + + # we need buffering off for message bus + location /message-bus/ { + proxy_set_header X-Request-Start "t=${msec}"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $thescheme; + proxy_http_version 1.1; + proxy_buffering off; + proxy_pass http://discourse; + break; + } + + # this means every file in public is tried first + try_files $uri @discourse; } - ## If a file, which is not found in the root folder is requested, - ## then the proxy passes the request to the upsteam (gitlab unicorn). - location @gitlab { - ## If you use HTTPS make sure you disable gzip compression - ## to be safe against BREACH attack. - # gzip off; - - ## https://github.com/gitlabhq/gitlabhq/issues/694 - ## Some requests take more than 30 seconds. 
- proxy_read_timeout 300; - proxy_connect_timeout 300; - proxy_redirect off; - - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Frame-Options SAMEORIGIN; - - proxy_pass http://gitlab; + location /downloads/ { + internal; + alias $public/; } - ## Enable gzip compression as per rails guide: - ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression - ## WARNING: If you are using relative urls remove the block below - ## See config/application.rb under "Relative url support" for the list of - ## other files that need to be changed for relative url support - location ~ ^/(assets)/ { - root /home/git/gitlab/public; - gzip_static on; # to serve pre-gzipped version - expires max; - add_header Cache-Control public; + location @discourse { + proxy_set_header Host $http_host; + proxy_set_header X-Request-Start "t=${msec}"; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $thescheme; + proxy_pass http://discourse; } - error_page 502 /502.html; } |
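Review bot: The `map $http_x_forwarded_proto $thescheme` block passes `https` on to Discourse whenever the client itself sends `X-Forwarded-Proto: https`, and this server block listens directly on port 80, so the value is only trustworthy when a TLS-terminating proxy in front overwrites that header. For a packaged example where nginx may be the edge, I would use `proxy_set_header X-Forwarded-Proto $scheme;` in the proxied locations, or at least add `# only safe behind a trusted proxy that sets X-Forwarded-Proto` above the map. With nginx-ssl.conf.example dropped in this commit, the commented HTTPS stanza is the only TLS guidance left; it still offers `TLSv1 TLSv1.1` and carries no `Strict-Transport-Security` header, so `# ssl_protocols TLSv1.2 TLSv1.3;` would be a safer default to ship. The `/var/www/discourse` socket and public paths also differ from the `_homedir`/`_datadir` values set in PKGBUILD, which is presumably what the optdepends remark about fixing the example configs refers to.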