nginx: Limit the methods that we proxy to Tornado.

While the Tornado server supports POST requests, those are only used
by internal endpoints.  We only support OPTIONS, GET, and DELETE
methods from clients, so filter everything else out at the nginx
level.

We set the `Accepts` header on both `OPTIONS` requests and 405 responses,
and the CORS headers on `OPTIONS` requests.
This commit is contained in:
Alex Vandiver 2023-12-07 21:15:49 +00:00 committed by Tim Abbott
parent 8eccb3af20
commit 4989221b9e
2 changed files with 29 additions and 1 deletions


@ -0,0 +1,4 @@
include /etc/nginx/zulip-include/headers;
add_header Access-Control-Allow-Origin * always;
add_header Access-Control-Allow-Headers Authorization always;
add_header Access-Control-Allow-Methods 'OPTIONS, GET, DELETE' always;
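Review bot: The new include file opens with `include /etc/nginx/zulip-include/headers;` without saying why a CORS include has to re-include the standard headers; the reason the second file gives in its own comments (an `add_header` inside a block replaces the inherited set rather than extending it) applies here as well, since this file is pulled into both an `if` block and a location body. I would add at the top of the file: `# add_header in a block discards inherited add_header directives, so the standard headers must be re-included next to the CORS headers.` The file's path is not shown on this page; I infer from the second file that it is the `tornado_cors_headers` include. The method list `OPTIONS, GET, DELETE` is now written out here and again in each `Allow` header of the second file, so a later change to the supported methods has four places to update, and a short comment stating that the lists must stay in sync would help. The commit description also says an `Accepts` header is set, whereas the configuration sets `Allow`.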


@ -28,18 +28,42 @@ location /static/ {
# Send longpoll requests to Tornado
location /json/events {
if ($request_method = 'OPTIONS') {
# add_header does not propagate into/out of blocks, so this
# include cannot be factored out
include /etc/nginx/zulip-include/headers;
add_header Allow 'OPTIONS, GET, DELETE' always;
return 204;
}
if ($request_method !~ ^(GET|DELETE)$ ) {
# add_header does not propagate into/out of blocks, so this
# include cannot be factored out
include /etc/nginx/zulip-include/headers;
add_header Allow 'OPTIONS, GET, DELETE' always;
return 405;
}
proxy_pass $tornado_server;
include /etc/nginx/zulip-include/proxy_longpolling;
}
# Send longpoll requests to Tornado
location /api/v1/events {
include /etc/nginx/zulip-include/api_headers;
if ($request_method = 'OPTIONS') {
include /etc/nginx/zulip-include/tornado_cors_headers;
add_header Allow 'OPTIONS, GET, DELETE' always;
return 204;
}
if ($request_method !~ ^(GET|DELETE)$ ) {
include /etc/nginx/zulip-include/headers;
add_header Allow 'OPTIONS, GET, DELETE' always;
return 405;
}
include /etc/nginx/zulip-include/tornado_cors_headers;
proxy_pass $tornado_server;
include /etc/nginx/zulip-include/proxy_longpolling;
}