disable media proxy for now

GrapheneOS · Jun 15, 2024 · 0693d33 · 0693d33
1 parent 24c0e27
commit 0693d33
Showing 1 changed file with 73 additions and 73 deletions.
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -52,7 +52,7 @@ http {
     proxy_read_timeout 15s;
     proxy_send_timeout 15s;
 
-    proxy_cache_path /var/cache/nginx/media-proxy levels=1:2 use_temp_path=off keys_zone=media-proxy-cache:10m inactive=7d max_size=5G;
+    #proxy_cache_path /var/cache/nginx/media-proxy levels=1:2 use_temp_path=off keys_zone=media-proxy-cache:10m inactive=7d max_size=5G;
 
     # remove security headers that are statically set to the strictest possible values
     fastcgi_hide_header Referrer-Policy;
@@ -80,7 +80,7 @@ http {
     limit_req_status 429;
     limit_req_zone $binary_remote_addr zone=flarum-limit:10m rate=256r/s;
     limit_req_zone $post_binary_remote_addr zone=auth-limit:10m rate=1r/s;
-    limit_req_zone $binary_remote_addr zone=media-proxy-limit:10m rate=256r/s;
+    #limit_req_zone $binary_remote_addr zone=media-proxy-limit:10m rate=256r/s;
 
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
@@ -431,77 +431,77 @@ http {
             fastcgi_pass backend;
         }
 
-        location ~ ^/media-proxy/(?<phost>i.imgur.com)(?<puri>/[^\s]*) {
-            if ($request_method != GET) {
-                return 405;
-            }
-            if ($same_origin != 1) {
-                return 403;
-            }
-
-            include snippets/security-headers.conf;
-            add_header Content-Security-Policy "default-src 'none'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'" always;
-
-            set $base https://$phost;
-            rewrite .* $puri break;
-
-            proxy_pass $base;
-
-            proxy_set_header Host $phost;
-
-            proxy_cache media-proxy-cache;
-            proxy_cache_lock on;
-            proxy_cache_lock_timeout 60s;
-            proxy_cache_revalidate on;
-            proxy_cache_use_stale error timeout updating invalid_header http_500 http_502 http_503 http_504 http_429;
-            proxy_cache_background_update on;
-            proxy_no_cache $arg_nocache;
-            proxy_cache_bypass $arg_nocache;
-            add_header X-Cache-Status $upstream_cache_status;
-
-            proxy_pass_request_body off;
-            proxy_pass_request_headers off;
-
-            proxy_ignore_headers Set-Cookie X-Accel-Redirect X-Accel-Expires X-Accel-Limit-Rate X-Accel-Buffering X-Accel-Charset;
-
-            proxy_hide_header Access-Control-Allow-Methods;
-            proxy_hide_header Access-Control-Allow-Origin;
-            proxy_hide_header Age;
-            proxy_hide_header Content-Security-Policy;
-            proxy_hide_header Cross-Origin-Embedder-Policy;
-            proxy_hide_header Cross-Origin-Opener-Policy;
-            proxy_hide_header Permissions-Policy;
-            proxy_hide_header Referrer-Policy;
-            proxy_hide_header Set-Cookie;
-            proxy_hide_header Strict-Transport-Security;
-            proxy_hide_header X-Amz-Storage-Class;
-            proxy_hide_header X-Cache;
-            proxy_hide_header X-Cache-Hits;
-            proxy_hide_header X-Content-Type-Options;
-            proxy_hide_header X-Frame-Options;
-            proxy_hide_header X-Served-By;
-            proxy_hide_header X-Timer;
-            proxy_hide_header X-XSS-Protection;
-
-            proxy_hide_header Content-Type;
-            add_header Content-Type $filtered_content_type;
-
-            proxy_http_version 1.1;
-
-            proxy_ssl_protocols TLSv1.2 TLSv1.3;
-            proxy_ssl_server_name on;
-            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
-            proxy_ssl_verify on;
-
-            proxy_max_temp_file_size 8m;
-
-            proxy_redirect ~(https?)://(.*) https://discuss.grapheneos.org/media-proxy/$2;
-            proxy_redirect ~(.*) https://discuss.grapheneos.org/media-proxy/$phost$1;
-
-            proxy_intercept_errors on;
-
-            limit_req zone=media-proxy-limit burst=32 nodelay;
-        }
+        #location ~ ^/media-proxy/(?<phost>i.imgur.com)(?<puri>/[^\s]*) {
+            #if ($request_method != GET) {
+                #return 405;
+            #}
+            #if ($same_origin != 1) {
+                #return 403;
+            #}
+
+            #include snippets/security-headers.conf;
+            #add_header Content-Security-Policy "default-src 'none'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'" always;
+
+            #set $base https://$phost;
+            #rewrite .* $puri break;
+
+            #proxy_pass $base;
+
+            #proxy_set_header Host $phost;
+
+            #proxy_cache media-proxy-cache;
+            #proxy_cache_lock on;
+            #proxy_cache_lock_timeout 60s;
+            #proxy_cache_revalidate on;
+            #proxy_cache_use_stale error timeout updating invalid_header http_500 http_502 http_503 http_504 http_429;
+            #proxy_cache_background_update on;
+            #proxy_no_cache $arg_nocache;
+            #proxy_cache_bypass $arg_nocache;
+            #add_header X-Cache-Status $upstream_cache_status;
+
+            #proxy_pass_request_body off;
+            #proxy_pass_request_headers off;
+
+            #proxy_ignore_headers Set-Cookie X-Accel-Redirect X-Accel-Expires X-Accel-Limit-Rate X-Accel-Buffering X-Accel-Charset;
+
+            #proxy_hide_header Access-Control-Allow-Methods;
+            #proxy_hide_header Access-Control-Allow-Origin;
+            #proxy_hide_header Age;
+            #proxy_hide_header Content-Security-Policy;
+            #proxy_hide_header Cross-Origin-Embedder-Policy;
+            #proxy_hide_header Cross-Origin-Opener-Policy;
+            #proxy_hide_header Permissions-Policy;
+            #proxy_hide_header Referrer-Policy;
+            #proxy_hide_header Set-Cookie;
+            #proxy_hide_header Strict-Transport-Security;
+            #proxy_hide_header X-Amz-Storage-Class;
+            #proxy_hide_header X-Cache;
+            #proxy_hide_header X-Cache-Hits;
+            #proxy_hide_header X-Content-Type-Options;
+            #proxy_hide_header X-Frame-Options;
+            #proxy_hide_header X-Served-By;
+            #proxy_hide_header X-Timer;
+            #proxy_hide_header X-XSS-Protection;
+
+            #proxy_hide_header Content-Type;
+            #add_header Content-Type $filtered_content_type;
+
+            #proxy_http_version 1.1;
+
+            #proxy_ssl_protocols TLSv1.2 TLSv1.3;
+            #proxy_ssl_server_name on;
+            #proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+            #proxy_ssl_verify on;
+
+            #proxy_max_temp_file_size 8m;
+
+            #proxy_redirect ~(https?)://(.*) https://discuss.grapheneos.org/media-proxy/$2;
+            #proxy_redirect ~(.*) https://discuss.grapheneos.org/media-proxy/$phost$1;
+
+            #proxy_intercept_errors on;
+
+            #limit_req zone=media-proxy-limit burst=32 nodelay;
+        #}
 
         location ~ \.webmanifest$ {
             include snippets/security-headers.conf;