discourse
/
discourse_docker
mirror of https://github.com/discourse/discourse_docker.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Reapply "Use Nginx config with outlets (#913)" (#958) 

This reverts commit 3c2234830a.
This commit is contained in:
Bianca Nenciu 2025-05-09 13:50:08 +03:00
parent 3c2234830a
commit d5792cd93c
No known key found for this signature in database
GPG Key ID: 07E83B117A6B844D
10 changed files with 97 additions and 113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
samples/standalone.yml
View File

@ -11,8 +11,6 @@ templates:
- "templates/postgres.template.yml" - "templates/postgres.template.yml"
- "templates/redis.template.yml" - "templates/redis.template.yml"
- "templates/web.template.yml" - "templates/web.template.yml"
## Uncomment the next line to enable the IPv6 listener
#- "templates/web.ipv6.template.yml"
- "templates/web.ratelimited.template.yml" - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https) ## Uncomment these two lines if you wish to add Lets Encrypt (https)
#- "templates/web.ssl.template.yml" #- "templates/web.ssl.template.yml"

2
samples/web_only.yml
View File

@ -3,8 +3,6 @@
templates: templates:
- "templates/web.template.yml" - "templates/web.template.yml"
## Uncomment the next line to enable the IPv6 listener
#- "templates/web.ipv6.template.yml"
- "templates/web.ratelimited.template.yml" - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https) ## Uncomment these two lines if you wish to add Lets Encrypt (https)
#- "templates/web.ssl.template.yml" #- "templates/web.ssl.template.yml"

19
templates/offline-page.template.yml
View File

@ -7,17 +7,14 @@ params:
offline_page_repository: https://github.com/discourse/discourse-offline-page.git offline_page_repository: https://github.com/discourse/discourse-offline-page.git
run: run:
- replace: - file:
filename: "/etc/nginx/conf.d/discourse.conf" path: "/etc/nginx/conf.d/outlets/server/30-offline-page.conf"
global: true contents: |
from: /server.+{/ error_page 502 /error_page.html;
to: | location /error_page.html {
server { root /var/www/discourse-offline-page/html;
error_page 502 /error_page.html; internal;
location /error_page.html { }
root /var/www/discourse-offline-page/html;
internal;
}
- exec: - exec:
cmd: git clone $offline_page_repository /var/www/discourse-offline-page cmd: git clone $offline_page_repository /var/www/discourse-offline-page

4
templates/sshd.template.yml
View File

@ -1,2 +1,6 @@
# This file is deprecated; you can remove it from your app.yml # This file is deprecated; you can remove it from your app.yml
# TODO(2026-01-01): Remove this file
run: run:
- exec: |-
echo "Deprecation warning: sshd is no longer supported"
echo "Remove templates/sshd.template.yml from your containers/*.yml files"

12
templates/web.ipv6.template.yml
View File

@ -1,8 +1,6 @@
# This file is deprecated; you can remove it from your app.yml
# TODO(2026-01-01): Remove this file
run: run:
- exec: echo "Enabling IPv6 listener" - exec: |-
- replace: echo "Deprecation warning: IPv6 is enabled by default when possible"
filename: "/etc/nginx/conf.d/discourse.conf" echo "Remove templates/web.ipv6.template.yml from your containers/*.yml files"
from: listen 80;
to: |
listen 80;
listen [::]:80;

22
templates/web.letsencrypt.ssl.template.yml
View File

@ -106,13 +106,6 @@ hooks:
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
- replace:
filename: "/etc/nginx/conf.d/discourse.conf"
from: /ssl_certificate.+/
to: |
ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME_ecc.cer;
- replace: - replace:
filename: /shared/letsencrypt/account.conf filename: /shared/letsencrypt/account.conf
from: /#?ACCOUNT_EMAIL=.+/ from: /#?ACCOUNT_EMAIL=.+/
@ -120,14 +113,15 @@ hooks:
ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL
- replace: - replace:
filename: "/etc/nginx/conf.d/discourse.conf" filename: "/etc/nginx/conf.d/outlets/server/20-https.conf"
from: /ssl_certificate.+/
to: |
ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME_ecc.cer;
- replace:
filename: "/etc/nginx/conf.d/outlets/server/20-https.conf"
from: /ssl_certificate_key.+/ from: /ssl_certificate_key.+/
to: | to: |
ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key; ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME_ecc.key; ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME_ecc.key;
- replace:
filename: "/etc/nginx/conf.d/discourse.conf"
from: /add_header.+/
to: |
add_header Strict-Transport-Security 'max-age=63072000';

17
templates/web.ratelimited.template.yml
View File

@ -6,21 +6,18 @@ params:
conn_per_ip: 20 conn_per_ip: 20
run: run:
- replace: - file:
filename: "/etc/nginx/conf.d/discourse.conf" path: "/etc/nginx/conf.d/outlets/before-server/30-ratelimited.conf"
from: /server.+{/ contents: |
to: |
limit_req_zone $binary_remote_addr zone=flood:10m rate=$reqs_per_secondr/s; limit_req_zone $binary_remote_addr zone=flood:10m rate=$reqs_per_secondr/s;
limit_req_zone $binary_remote_addr zone=bot:10m rate=$reqs_per_minuter/m; limit_req_zone $binary_remote_addr zone=bot:10m rate=$reqs_per_minuter/m;
limit_req_status 429; limit_req_status 429;
limit_conn_zone $binary_remote_addr zone=connperip:10m; limit_conn_zone $binary_remote_addr zone=connperip:10m;
limit_conn_status 429; limit_conn_status 429;
server {
- replace: - file:
filename: "/etc/nginx/conf.d/discourse.conf" path: "/etc/nginx/conf.d/outlets/discourse/30-ratelimited.conf"
from: "/location @discourse {/" contents: |
to: |
location @discourse {
limit_conn connperip $conn_per_ip; limit_conn connperip $conn_per_ip;
limit_req zone=flood burst=$burst_per_second nodelay; limit_req zone=flood burst=$burst_per_second nodelay;
limit_req zone=bot burst=$burst_per_minute nodelay; limit_req zone=bot burst=$burst_per_minute nodelay;

8
templates/web.socketed.template.yml
View File

@ -12,14 +12,14 @@ run:
#!/bin/bash #!/bin/bash
rm -rf /shared/nginx.http*.sock rm -rf /shared/nginx.http*.sock
- replace: - replace:
filename: "/etc/nginx/conf.d/discourse.conf" filename: "/etc/nginx/conf.d/outlets/server/10-http.conf"
from: /listen 80;/ from: /listen 80;(\nlisten \[::\]:80;)?/
to: | to: |
listen unix:/shared/nginx.http.sock; listen unix:/shared/nginx.http.sock;
set_real_ip_from unix:; set_real_ip_from unix:;
- replace: - replace:
filename: "/etc/nginx/conf.d/discourse.conf" filename: "/etc/nginx/conf.d/outlets/server/20-https.conf"
from: /listen 443 ssl;/ from: /listen 443 ssl;(\nlisten \[::\]:443 ssl;)?/
to: | to: |
listen unix:/shared/nginx.https.sock ssl; listen unix:/shared/nginx.https.sock ssl;
set_real_ip_from unix:; set_real_ip_from unix:;

86
templates/web.ssl.template.yml
View File

@ -1,56 +1,46 @@
run: run:
- exec: - exec:
cmd: cmd:
- "mkdir -p /shared/ssl/" - "mkdir -p /shared/ssl/"
- replace: - file:
filename: "/etc/nginx/conf.d/discourse.conf" path: "/etc/nginx/conf.d/outlets/before-server/10-redirect-http-to-https.conf"
from: /listen 80;\s+listen \[::\]:80;/m contents: |
to: | server {
listen 443 ssl; listen 80;
listen [::]:443 ssl; return 301 https://$$ENV_DISCOURSE_HOSTNAME$request_uri;
http2 on; }
SSL_TEMPLATE_SSL_BLOCK - exec: rm /etc/nginx/conf.d/outlets/server/10-http.conf
- replace: - file:
filename: "/etc/nginx/conf.d/discourse.conf" hook: ssl
from: /listen 80;/ path: "/etc/nginx/conf.d/outlets/server/20-https.conf"
to: | contents: |
listen 443 ssl; listen 443 ssl;
http2 on; http2 on;
SSL_TEMPLATE_SSL_BLOCK
- replace:
hook: ssl
filename: "/etc/nginx/conf.d/discourse.conf"
from: /SSL_TEMPLATE_SSL_BLOCK/
to: |
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
ssl_certificate /shared/ssl/ssl.crt; ssl_certificate /shared/ssl/ssl.crt;
ssl_certificate_key /shared/ssl/ssl.key; ssl_certificate_key /shared/ssl/ssl.key;
ssl_session_tickets off; ssl_session_tickets off;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:SSL:1m; ssl_session_cache shared:SSL:1m;
add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain add_header Strict-Transport-Security 'max-age=31536000';
if ($http_host != $$ENV_DISCOURSE_HOSTNAME) { if ($http_host != $$ENV_DISCOURSE_HOSTNAME) {
rewrite (.*) https://$$ENV_DISCOURSE_HOSTNAME$1 permanent; rewrite (.*) https://$$ENV_DISCOURSE_HOSTNAME$1 permanent;
} }
- replace: - file:
filename: "/etc/nginx/conf.d/discourse.conf" path: "/etc/nginx/conf.d/outlets/discourse/20-https.conf"
from: "location @discourse {" contents: |
to: | add_header Strict-Transport-Security 'max-age=31536000';
location @discourse { - exec:
add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain cmd:
- replace: - |-
filename: "/etc/nginx/conf.d/discourse.conf" if [ -f "/proc/net/if_inet6" ] ; then
from: /server.+{/ sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/conf.d/outlets/before-server/10-redirect-http-to-https.conf
to: | sed -i 's/listen 443 ssl;/listen 443 ssl;\nlisten [::]:443 ssl;/g' /etc/nginx/conf.d/outlets/server/20-https.conf
server { fi
listen 80;
return 301 https://$$ENV_DISCOURSE_HOSTNAME$request_uri;
}
server {

38
templates/web.template.yml
View File

@ -135,6 +135,14 @@ run:
- "cp $home/config/nginx.sample.conf /etc/nginx/conf.d/discourse.conf" - "cp $home/config/nginx.sample.conf /etc/nginx/conf.d/discourse.conf"
- "rm /etc/nginx/sites-enabled/default" - "rm /etc/nginx/sites-enabled/default"
- "mkdir -p /var/nginx/cache" - "mkdir -p /var/nginx/cache"
- "mkdir -p /etc/nginx/conf.d/outlets/before-server"
- "mkdir -p /etc/nginx/conf.d/outlets/server"
- "mkdir -p /etc/nginx/conf.d/outlets/discourse"
# Stop building the container if the Nginx outlets are missing
- "grep -q 'outlets/before-server' /etc/nginx/conf.d/discourse.conf || ( >&2 echo 'The \"before-server\" Nginx outlet is missing. This version of discourse_docker is not compatible with the chosen Discourse version.' ; exit 1 )"
- "grep -q 'outlets/server' /etc/nginx/conf.d/discourse.conf || ( >&2 echo 'The \"server\" Nginx outlet is missing. This version of discourse_docker is not compatible with the chosen Discourse version.' ; exit 1 )"
- "grep -q 'outlets/discourse' /etc/nginx/conf.d/discourse.conf || ( >&2 echo 'The \"discourse\" Nginx outlet is missing. This version of discourse_docker is not compatible with the chosen Discourse version.' ; exit 1 )"
- replace: - replace:
filename: /etc/nginx/nginx.conf filename: /etc/nginx/nginx.conf
@ -142,26 +150,25 @@ run:
to: daemon off; to: daemon off;
- replace: - replace:
filename: "/etc/nginx/conf.d/discourse.conf" filename: "/etc/nginx/nginx.conf"
from: /upstream[^\}]+\}/m from: /worker_connections.+$/
to: "upstream discourse { to: worker_connections $nginx_worker_connections;
server 127.0.0.1:3000;
}"
- replace:
filename: "/etc/nginx/conf.d/discourse.conf"
from: /server_name.+$/
to: server_name _ ;
- replace: - replace:
filename: "/etc/nginx/conf.d/discourse.conf" filename: "/etc/nginx/conf.d/discourse.conf"
from: /client_max_body_size.+$/ from: /client_max_body_size.+$/
to: client_max_body_size $upload_size ; to: client_max_body_size $upload_size;
- replace: - exec:
filename: "/etc/nginx/nginx.conf" cmd:
from: /worker_connections.+$/ # Move `listen 80` to an outlet
to: worker_connections $nginx_worker_connections ; - sed -i 's#listen 80;##g' /etc/nginx/conf.d/discourse.conf
- |-
if [ -f "/proc/net/if_inet6" ]; then
echo "listen 80;\nlisten [::]:80;" > /etc/nginx/conf.d/outlets/server/10-http.conf
else
echo "listen 80;" > /etc/nginx/conf.d/outlets/server/10-http.conf
fi
- exec: - exec:
cmd: echo "done configuring web" cmd: echo "done configuring web"
@ -222,6 +229,7 @@ run:
hook: assets_precompile hook: assets_precompile
cmd: cmd:
- su discourse -c 'SKIP_EMBER_CLI_COMPILE=1 bundle exec rake themes:update assets:precompile' - su discourse -c 'SKIP_EMBER_CLI_COMPILE=1 bundle exec rake themes:update assets:precompile'
- replace: - replace:
tag: precompile tag: precompile
filename: /etc/service/unicorn/run filename: /etc/service/unicorn/run