Add nginx config file and support for outlets

image/base/etc/nginx/conf.d/discourse.conf

@@ -0,0 +1,289 @@
+# Additional MIME types that you'd like nginx to handle go in here
+types {
+  text/csv csv;
+  application/wasm wasm;
+}
+
+upstream discourse {
+  server 127.0.0.1:3000;
+}
+
+# inactive means we keep stuff around for 1440m minutes regardless of last access (1 week)
+# levels means it is a 2 deep hierarchy cause we can have lots of files
+# max_size limits the size of the cache
+proxy_cache_path /var/nginx/cache inactive=1440m levels=1:2 keys_zone=one:10m max_size=600m;
+
+# Increased from the default value to acommodate large cookies during oAuth2 flows
+# like in https://meta.discourse.org/t/x/74060 and large CSP and Link (preload) headers
+proxy_buffer_size 32k;
+proxy_buffers 4 32k;
+
+# Increased from the default value to allow for a large volume of cookies in request headers
+# Discourse itself tries to minimise cookie size, but we cannot control other cookies set by other tools on the same domain.
+large_client_header_buffers 4 32k;
+
+# attempt to preserve the proto, must be in http context
+map $http_x_forwarded_proto $thescheme {
+  default $scheme;
+  "~https$" https;
+}
+
+log_format log_discourse '[$time_local] "$http_host" $remote_addr "$request" "$http_user_agent" "$sent_http_x_discourse_route" $status $bytes_sent "$http_referer" $upstream_response_time $request_time "$upstream_http_x_discourse_username" "$upstream_http_x_discourse_trackview" "$upstream_http_x_queue_time" "$upstream_http_x_redis_calls" "$upstream_http_x_redis_time" "$upstream_http_x_sql_calls" "$upstream_http_x_sql_time"';
+
+# Allow bypass cache from localhost
+geo $bypass_cache {
+  default         0;
+  127.0.0.1       1;
+  ::1             1;
+}
+
+include conf.d/outlets/before-server/*.conf;
+
+server {
+  access_log /var/log/nginx/access.log log_discourse;
+
+  include conf.d/outlets/server/*.conf;
+
+  gzip on;
+  gzip_vary on;
+  gzip_min_length 1000;
+  gzip_comp_level 5;
+  gzip_types application/json text/css text/javascript application/x-javascript application/javascript image/svg+xml application/wasm;
+  gzip_proxied any;
+
+  server_name _;
+  server_tokens off;
+
+  sendfile on;
+
+  keepalive_timeout 65;
+
+  # maximum file upload size (keep up to date when changing the corresponding site setting)
+  client_max_body_size 10m;
+
+  # path to discourse's public directory
+  set $public /var/www/discourse/public;
+
+  # without weak etags we get zero benefit from etags on dynamically compressed content
+  # further more etags are based on the file in nginx not sha of data
+  # use dates, it solves the problem fine even cross server
+  etag off;
+
+  # prevent direct download of backups
+  location ^~ /backups/ {
+    internal;
+  }
+
+  # bypass rails stack with a cheap 204 for favicon.ico requests
+  location /favicon.ico {
+    return 204;
+    access_log off;
+    log_not_found off;
+  }
+
+  location / {
+    root $public;
+    add_header ETag "";
+
+    # auth_basic on;
+    # auth_basic_user_file /etc/nginx/htpasswd;
+
+    location ~ ^/uploads/short-url/ {
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Request-Start "t=${msec}";
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $thescheme;
+      proxy_set_header X-Sendfile-Type "";
+      proxy_set_header X-Accel-Mapping "";
+      proxy_pass http://discourse;
+      break;
+    }
+
+    location ~ ^/(secure-media-uploads/|secure-uploads)/ {
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Request-Start "t=${msec}";
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $thescheme;
+      proxy_set_header X-Sendfile-Type "";
+      proxy_set_header X-Accel-Mapping "";
+      proxy_pass http://discourse;
+      break;
+    }
+
+    location ~* (fonts|assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico|otf)$ {
+      expires 1y;
+      add_header Cache-Control public,immutable;
+      add_header Access-Control-Allow-Origin *;
+    }
+
+    location = /srv/status {
+      access_log off;
+      log_not_found off;
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Request-Start "t=${msec}";
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $thescheme;
+      proxy_set_header X-Sendfile-Type "";
+      proxy_set_header X-Accel-Mapping "";
+      proxy_pass http://discourse;
+      break;
+    }
+
+    # some minimal caching here so we don't keep asking
+    # longer term we should increase probably to 1y
+    location ~ ^/javascripts/ {
+      expires 1d;
+      add_header Cache-Control public,immutable;
+      add_header Access-Control-Allow-Origin *;
+    }
+
+    location ~ ^/assets/(?<asset_path>.+)$ {
+      expires 1y;
+      # asset pipeline enables this
+      brotli_static on;
+      gzip_static on;
+      add_header Cache-Control public,immutable;
+      # HOOK in asset location (used for extensibility)
+      # TODO I don't think this break is needed, it just breaks out of rewrite
+      break;
+    }
+
+    location ~ ^/plugins/ {
+      expires 1y;
+      add_header Cache-Control public,immutable;
+      add_header Access-Control-Allow-Origin *;
+    }
+
+    # cache emojis
+    location ~ /images/emoji/ {
+      expires 1y;
+      add_header Cache-Control public,immutable;
+      add_header Access-Control-Allow-Origin *;
+    }
+
+    location ~ ^/uploads/ {
+      # NOTE: it is really annoying that we can't just define headers
+      # at the top level and inherit.
+      #
+      # proxy_set_header DOES NOT inherit, by design, we must repeat it,
+      # otherwise headers are not set correctly
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Request-Start "t=${msec}";
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $thescheme;
+      proxy_set_header X-Sendfile-Type X-Accel-Redirect;
+      proxy_set_header X-Accel-Mapping $public/=/downloads/;
+      expires 1y;
+      add_header Cache-Control public,immutable;
+
+      ## optional upload anti-hotlinking rules
+      #valid_referers none blocked mysite.com *.mysite.com;
+      #if ($invalid_referer) { return 403; }
+
+      # custom CSS
+      location ~ /stylesheet-cache/ {
+          add_header Access-Control-Allow-Origin *;
+          try_files $uri =404;
+      }
+
+      # this allows us to bypass rails
+      location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|ico|webp|avif)$ {
+          add_header Access-Control-Allow-Origin *;
+          try_files $uri =404;
+      }
+
+      # SVG needs an extra header attached
+      location ~* \.(svg)$ {
+      }
+
+      # thumbnails & optimized images
+      location ~ /_?optimized/ {
+          add_header Access-Control-Allow-Origin *;
+          try_files $uri =404;
+      }
+
+      proxy_pass http://discourse;
+      break;
+    }
+
+    location ~ ^/admin/backups/ {
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Request-Start "t=${msec}";
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $thescheme;
+      proxy_set_header X-Sendfile-Type X-Accel-Redirect;
+      proxy_set_header X-Accel-Mapping $public/=/downloads/;
+      proxy_pass http://discourse;
+      break;
+    }
+
+    # This big block is needed so we can selectively enable
+    # acceleration for backups, avatars, sprites and so on.
+    # see note about repetition above
+    location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker|extra-locales/(mf|overrides)) {
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Request-Start "t=${msec}";
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $thescheme;
+      proxy_set_header X-Sendfile-Type "";
+      proxy_set_header X-Accel-Mapping "";
+
+      # if Set-Cookie is in the response nothing gets cached
+      # this is double bad cause we are not passing last modified in
+      proxy_ignore_headers "Set-Cookie";
+      proxy_hide_header "Set-Cookie";
+      proxy_hide_header "X-Discourse-Username";
+      proxy_hide_header "X-Runtime";
+
+      # note x-accel-redirect can not be used with proxy_cache
+      proxy_cache one;
+      proxy_cache_key "$scheme,$host,$request_uri";
+      proxy_cache_valid 200 301 302 7d;
+      proxy_cache_bypass $bypass_cache;
+      proxy_pass http://discourse;
+      break;
+    }
+
+    # we need buffering off for message bus
+    location /message-bus/ {
+      proxy_set_header X-Request-Start "t=${msec}";
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $thescheme;
+      proxy_set_header X-Sendfile-Type "";
+      proxy_set_header X-Accel-Mapping "";
+      proxy_http_version 1.1;
+      proxy_buffering off;
+      proxy_pass http://discourse;
+      break;
+    }
+
+    # this means every file in public is tried first
+    try_files $uri @discourse;
+  }
+
+  location /downloads/ {
+    internal;
+    alias $public/;
+  }
+
+  location @discourse {
+    include conf.d/outlets/discourse/*.conf;
+
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Request-Start "t=${msec}";
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $thescheme;
+    proxy_set_header X-Sendfile-Type "";
+    proxy_set_header X-Accel-Mapping "";
+    proxy_pass http://discourse;
+  }
+}

image/base/etc/nginx/conf.d/outlets/server/http.conf

@@ -0,0 +1 @@
+listen 80;

samples/standalone.yml

@@ -11,8 +11,6 @@ templates:
   - "templates/postgres.template.yml"
   - "templates/redis.template.yml"
   - "templates/web.template.yml"
-  ## Uncomment the next line to enable the IPv6 listener
-  #- "templates/web.ipv6.template.yml"
   - "templates/web.ratelimited.template.yml"
   ## Uncomment these two lines if you wish to add Lets Encrypt (https)
   #- "templates/web.ssl.template.yml"

samples/web_only.yml

@@ -3,8 +3,6 @@
 
 templates:
   - "templates/web.template.yml"
-  ## Uncomment the next line to enable the IPv6 listener
-  #- "templates/web.ipv6.template.yml"
   - "templates/web.ratelimited.template.yml"
   ## Uncomment these two lines if you wish to add Lets Encrypt (https)
   #- "templates/web.ssl.template.yml"

templates/offline-page.template.yml

@@ -7,17 +7,14 @@ params:
   offline_page_repository: https://github.com/discourse/discourse-offline-page.git
 
 run:
-  - replace:
-     filename: "/etc/nginx/conf.d/discourse.conf"
-     global: true
-     from: /server.+{/
-     to: |
-       server {
-         error_page 502 /error_page.html;
-         location /error_page.html {
-           root /var/www/discourse-offline-page/html;
-           internal;
-         }
+  - file:
+     path: "/etc/nginx/conf.d/outlets/server/offline-page.conf"
+     contents: |
+        error_page 502 /error_page.html;
+        location /error_page.html {
+          root /var/www/discourse-offline-page/html;
+          internal;
+        }
 
   - exec:
       cmd: git clone $offline_page_repository /var/www/discourse-offline-page

templates/sshd.template.yml

@@ -1,2 +1,6 @@
 # This file is deprecated; you can remove it from your app.yml
+# TODO(2026-01-01): Remove this file
 run: 
+  - exec: |-
+      echo "Deprecation warning: sshd is no longer supported"
+      echo "Remove templates/sshd.template.yml from your containers/*.yml files"

templates/web.ipv6.template.yml

@@ -1,8 +1,6 @@
+# This file is deprecated; you can remove it from your app.yml
+# TODO(2026-01-01): Remove this file
 run:
-  - exec: echo "Enabling IPv6 listener"
-  - replace:
-      filename: "/etc/nginx/conf.d/discourse.conf"
-      from: listen 80;
-      to: |
-        listen 80;
-        listen [::]:80;
+  - exec: |-
+      echo "Deprecation warning: IPv6 is enabled by default when possible"
+      echo "Remove templates/web.ipv6.template.yml from your containers/*.yml files"

templates/web.letsencrypt.ssl.template.yml

@@ -106,28 +106,22 @@ hooks:
 
         /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
 
-    - replace:
-       filename: "/etc/nginx/conf.d/discourse.conf"
-       from: /ssl_certificate.+/
-       to: |
-         ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
-         ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME_ecc.cer;
-
     - replace:
        filename: /shared/letsencrypt/account.conf
        from: /#?ACCOUNT_EMAIL=.+/
        to: |
          ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL
 
     - replace:
-       filename: "/etc/nginx/conf.d/discourse.conf"
-       from: /ssl_certificate_key.+/
+       filename: "/etc/nginx/conf.d/outlets/server/https.conf"
+       from: /ssl_certificate.+/
        to: |
-         ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
-         ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME_ecc.key;
+         ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
+         ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME_ecc.cer;
 
     - replace:
-       filename: "/etc/nginx/conf.d/discourse.conf"
-       from: /add_header.+/
+       filename: "/etc/nginx/conf.d/outlets/server/https.conf"
+       from: /ssl_certificate_key.+/
        to: |
-         add_header Strict-Transport-Security 'max-age=63072000';
+         ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
+         ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME_ecc.key;