Performance improvements (1/3) to example-advanced.nginx.conf #1709

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Dec 9, 2024
20 changes: 10 additions & 10 deletions docs/example-advanced.nginx.conf
Expand Up @@ -100,7 +100,7 @@ server {
resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220;

# OnlyOffice fonts may be loaded from both domains
if ($uri ~ ^\/common\/onlyoffice\/.*\/fonts\/.*$) { set $allowed_origins "*"; }
if ($uri ~ ^/common/onlyoffice/.*/fonts/) { set $allowed_origins "*"; }

add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
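Review bot: the new fonts pattern is behaviour-preserving, so this hunk is a safe cleanup: `^/common/onlyoffice/.*/fonts/` matches exactly the same `$uri` values as `^\/common\/onlyoffice\/.*\/fonts\/.*$`, because `/` needs no escaping in PCRE and a trailing `.*$` adds nothing to a regex whose end is otherwise unanchored. Since a match here sets `$allowed_origins "*"`, which the blob/block location later emits as `Access-Control-Allow-Origin`, a one-line comment that the `.*` between `onlyoffice/` and `fonts/` is meant to span any number of path segments would make the intended scope of that wildcard origin explicit.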
Expand Down Expand Up @@ -128,7 +128,7 @@ server {
# We had inverted them as an optimization, but Safari 16 introduced a bug that interpreted
# some important headers incorrectly when loading these files from cache.
# This is why we can't have nice things :(
if ($uri ~ ^(\/|.*\/|.*\.html)$) {
if ($uri ~ ^(?:/|.*/|.*\.html)$) {
set $cacheControl no-cache;
}

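Review bot: the `(?:...)` group is an equivalent drop-in for the capturing group and stops `$1` being populated for every request, but while this line is being touched the first alternative is redundant: `^(?:/|.*/|.*\.html)$` matches every URI ending in `/` or `.html`, which `(?:/|\.html)$` expresses directly without the leading `.*` backtracking. Either form keeps the Safari 16 workaround described in the comment above intact.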
Expand Down Expand Up @@ -177,16 +177,16 @@ server {
set $unsafe 0;
# the following assets are loaded via the sandbox domain
# they unfortunately still require exceptions to the sandboxing to work correctly.
if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
if ($uri ~ ^/(?:sheet|doc|presentation)/inner.html) { set $unsafe 1; }
if ($uri ~ ^/common/onlyoffice/.*/.*\.html) { set $unsafe 1; }

# everything except the sandbox domain is a privileged scope, as they might be used to handle keys
if ($host != $sandbox_domain) { set $unsafe 0; }
# this iframe is an exception. Office file formats are converted outside of the sandboxed scope
# because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable
# the use of some modern APIs that we require when javascript is run in a cross-origin context.
# We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
if ($uri ~ ^/unsafeiframe/inner\.html) { set $unsafe 1; }

# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
if ($unsafe) {
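Review bot: `inner.html` in the first of the two rewritten `$unsafe` patterns still has an unescaped `.`, so `^/(?:sheet|doc|presentation)/inner.html` also matches `inner_html`, `innerXhtml` and so on; because a match here switches on the relaxed `$unsafe 1` header set, the pattern should be as tight as the `/unsafeiframe/inner\.html` line below it: `^/(?:sheet|doc|presentation)/inner\.html`. Dropping the trailing `.*$` from all three lines is otherwise behaviour-preserving, since an unanchored-end regex already matches any suffix (so `/sheet/inner.htmlanything` matches, as before), and `$uri` excludes the query string, so `?` arguments never reach these tests.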
Expand Down Expand Up @@ -235,7 +235,7 @@ server {
# /api/config is loaded once per page load and is used to retrieve
# the caching variable which is applied to every other resource
# which is loaded during that session.
location ~ ^/api/.*$ {
location ^~ /api/ {
proxy_pass http://localhost:3000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
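Review bot: replacing `location ~ ^/api/.*$` with `location ^~ /api/` changes matching priority, not just regex cost: a `^~` prefix location wins over every regex location whenever it is the longest matching prefix, whereas the old regex location competed with the other `~` locations in file order. For this block that is very likely the intended outcome, as the other regex locations visible in this diff all come later in the file, but please confirm that no prefix location elsewhere in the file is longer than `/api/` for some URI, because that one would now take precedence where the regex used to.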
Expand All @@ -249,7 +249,7 @@ server {
add_header Cross-Origin-Embedder-Policy require-corp;
}

location ~ ^/extensions.js {
location = /extensions.js/ {
proxy_pass http://localhost:3000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
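Review bot: `location = /extensions.js/` no longer matches the URI `/extensions.js`, which the old `^/extensions.js` regex did: an exact-match location requires the full URI to equal `/extensions.js/`, trailing slash included, so a request for `/extensions.js` now falls through to the catch-all location instead of being proxied to `localhost:3000`. If the script is requested without a trailing slash this should read `location = /extensions.js {`; the tightening itself is welcome, since the old unescaped `.` also matched `/extensions_js` and any longer path beginning with `/extensions.js`.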
Expand All @@ -268,7 +268,7 @@ server {
# or with odd unexpected permissions. Serving blobs in this manner also means that it will be possible to
# enforce access control for them, though this is not yet implemented.
# Access control (via TOTP 2FA) has been added to blocks, so they can be handled with the same directives.
location ~ ^/(blob|block)/.*$ {
location ~ ^/(?:blob|block)/ {
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
add_header 'Access-Control-Allow-Credentials' true;
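Review bot: `^/(?:blob|block)/` is equivalent to `^/(blob|block)/.*$` for `location` matching, so this line is a safe cleanup. For the same prefix-versus-regex saving this PR makes for `/api/`, the two paths could become `location ^~ /blob/` and `location ^~ /block/` sharing their directives through an `include`, but that is optional; the `if ($request_method = 'OPTIONS')` block inside the location is fine as shown, since the visible lines only place `add_header` directives in it.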
Expand All @@ -293,8 +293,8 @@ server {
# The nodejs server has some built-in forwarding rules to prevent
# URLs like /pad from resulting in a 404. This simply adds a trailing slash
# to a variety of applications.
location ~ ^/(register|login|recovery|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup|diagram)$ {
rewrite ^(.*)$ $1/ redirect;
location ~ ^/(?:register|login|recovery|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup|diagram)$ {
return 301 https://$host$uri/;
}

# Finally, serve anything the above exceptions don't govern.
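Review bot: `return 301 https://$host$uri/;` drops the query string that `rewrite ^(.*)$ $1/ redirect;` preserved: a `rewrite` with the `redirect` flag appends the original arguments to the new URI, so `/pad?key=...` used to redirect to `/pad/?key=...` and now redirects to `/pad/` only. Use `return 301 https://$host$uri/$is_args$args;` to keep the old behaviour. Two further behaviour changes are worth stating in the commit message: `redirect` emitted a 302 while `return 301` is cached by browsers as permanent, and the scheme is now hard-coded to `https` rather than derived from the request, which is correct only if this server block is reached over TLS.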