Secure Uploads

pfaffman · March 30, 2021, 6:27pm

I’ve got a quick hack that I think would provide secure uploads for login-required sites.

Basically, you set up NGINX Docs | Authentication Based on Subrequest Result for uploads. The only issue is that I can’t find a URL that returns a 403/401 when login-required is turned on, so accessing an upload when you’re not logged in gives a 500 error. This would only happen if someone had an upload URL and tried to access it when they weren’t logged in, so it doesn’t seem that bad.

It’s something like this:

# JP
    location = /auth {
        internal;
        proxy_pass http://discourse/categories;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    } 
    # END JP
    location ~ ^/uploads/ {

      auth_request /auth; #$JP
      # NOTE: it is really annoying that we can't just define headers
      # at the top level and inherit.
      #

Topic		Replies	Views
Enable a CDN for your Discourse sysadmin cdn , configuring , how-to	67	281476	April 6, 2024
Configure an S3 compatible object storage provider for uploads sysadmin cdn , configuring , how-to , reference	217	34503	April 4, 2024
User Messages Inbox Error 500 installation	36	1947	November 28, 2020
User cannot use custom avatar with Amazon S3 bug	42	6189	May 4, 2015
Rebaking old posts won't pull new S3 CDN URL after S3 bucket rename installation	14	1460	January 12, 2021

Secure Uploads

Related Topics