local-uploads: Start running authentication checks on file requests.

From here on we start to authenticate uploaded file request before serving this files in production. This involves allowing NGINX to pass on these file requests to Django for authentication and then serve these files by making use on internal redirect requests having x-accel-redirect field. The redirection on requests and loading of x-accel-redirect param is handled by django-sendfile. NOTE: This commit starts to authenticate these requests for Zulip servers running platforms either Ubuntu Xenial (16.04) or above. Fixes: #320 and #291 partially.
2025-11-04 05:53:43 +00:00 · 2018-02-12 22:48:03 +05:30
parent 6fce1d7834
commit efe8545303
12 changed files with 118 additions and 33 deletions
--- a/puppet/zulip/files/nginx/sites-available/zulip-enterprise
+++ b/puppet/zulip/files/nginx/sites-available/zulip-enterprise
@@ -12,12 +12,6 @@ server {
    ssl_certificate /etc/ssl/certs/zulip.combined-chain.crt;
    ssl_certificate_key /etc/ssl/private/zulip.key;

-    location /user_uploads {
-        add_header X-Content-Type-Options nosniff;
-        include /etc/nginx/zulip-include/uploads.types;
-        alias /home/zulip/uploads/files;
-    }
-
    location /user_avatars {
        add_header X-Content-Type-Options nosniff;
        include /etc/nginx/zulip-include/uploads.types;
@@ -30,4 +24,5 @@ server {

    include /etc/nginx/zulip-include/certbot;
    include /etc/nginx/zulip-include/app;
+    include /etc/nginx/zulip-include/uploads.route;
 }
--- a/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.direct
+++ b/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.direct
@@ -0,0 +1,5 @@
+location /user_uploads {
+    add_header X-Content-Type-Options nosniff;
+    include /etc/nginx/zulip-include/uploads.types;
+    alias /home/zulip/uploads/files;
+}
--- a/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.internal
+++ b/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.internal
@@ -0,0 +1,6 @@
+location /serve_uploads {
+    internal;
+    add_header X-Content-Type-Options nosniff;
+    include /etc/nginx/zulip-include/uploads.types;
+    alias /home/zulip/uploads/files;
+}
--- a/puppet/zulip/manifests/nginx.pp
+++ b/puppet/zulip/manifests/nginx.pp
@@ -14,6 +14,29 @@ class zulip::nginx {
    notify => Service["nginx"],
  }

+  # Nginx versions 1.4.6 and older do not support quoted URLs with the
+  # X-Accel-Redirect / "sendfile" feature, which are required for
+  # unicode support in filenames.  As a result, we use the fancier
+  # django-sendfile behavior only when a sufficiently current version
+  # of nginx is present (e.g.. Xenial).  Older versions (e.g. Trusty)
+  # retain the older, less secure, file upload behavior; we expect
+  # that this will stop being relevant when we drop Trusty support
+  # from Zulip altogether, no later than when Trusty reaches EOL in 2019.
+  $uploads_route = $zulip::base::release_name ? {
+    'trusty' => 'puppet:///modules/zulip/nginx/zulip-include-maybe/uploads-route.direct',
+    default  => 'puppet:///modules/zulip/nginx/zulip-include-maybe/uploads-route.internal',
+  }
+
+  file { "/etc/nginx/zulip-include/uploads.route":
+    require => Package["nginx-full"],
+    ensure => file,
+    owner  => "root",
+    group  => "root",
+    mode => 644,
+    notify => Service["nginx"],
+    source => $uploads_route,
+  }
+
  file { "/etc/nginx/nginx.conf":
    require => Package["nginx-full"],
    ensure => file,