From 9a373f4cbfb51528c204743dc7ca03c1cb8500fa Mon Sep 17 00:00:00 2001 From: Deimos Date: Thu, 20 Jun 2019 19:28:38 -0600 Subject: [PATCH] Change tild.es to nginx redirect instead of proxy Previously tild.es urls would proxy_pass through to the views inside the Pyramid app, but this caused strange behavior in some cases. For example, anything that caused a 404 response would end up in a broken page that still appeared to be on the tild.es domain, but would be an HTML-only page coming from the app, since the CSS and JS would not be available. This method is still a bit weird in some ways (now you'll end up on a 404 page at https://tildes.net/shortener/... instead), but I think it's an improvement overall. --- salt/salt/nginx/tildes-shortener.conf.jinja2 | 23 ++++++++++---------- tildes/tildes/routes.py | 3 --- tildes/tildes/views/shortener.py | 9 +------- 3 files changed, 13 insertions(+), 22 deletions(-) diff --git a/salt/salt/nginx/tildes-shortener.conf.jinja2 b/salt/salt/nginx/tildes-shortener.conf.jinja2 index 5fda469..37753d5 100644 --- a/salt/salt/nginx/tildes-shortener.conf.jinja2 +++ b/salt/salt/nginx/tildes-shortener.conf.jinja2 
@@ -1,26 +1,27 @@ server { - # remove trailing slash from addresses - rewrite ^/(.*)/$ https://$host/$1 permanent; - listen 443 ssl http2; listen [::]:443 ssl http2; + server_name tild.es; + + keepalive_timeout 5; + add_header Strict-Transport-Security "max-age={{ pillar['hsts_max_age'] }}; includeSubDomains; preload" always; + # Are these security headers unnecessary when we're just redirecting? add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Xss-Protection "1; mode=block" always; add_header Referrer-Policy "same-origin" always; - server_name tild.es; - - keepalive_timeout 5; + # Exact location match to redirect the root url to tildes.net + location = / { + return 301 https://tildes.net; + } + # Will match all addresses *except* the root location / { - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_redirect off; - proxy_pass http://app_server/shortener/; + # Strip any trailing slash while redirecting + rewrite ^/(.*)/?$ https://tildes.net/shortener/$1 permanent; } } diff --git a/tildes/tildes/routes.py b/tildes/tildes/routes.py index c4faec0..4f7aa5b 100644 --- a/tildes/tildes/routes.py +++ b/tildes/tildes/routes.py @@ -109,9 +109,6 @@ def includeme(config: Configurator) -> None: add_intercooler_routes(config) # Add routes for the link-shortener under the /shortener path - # The trailing slash is required for the base /shortener/ path because of the way - # nginx's proxy_pass will forward the urls from the shortener - config.add_route("shortener", "/shortener/") with config.route_prefix_context("/shortener"): config.add_route("shortener_group", "/~{group_path}", factory=group_by_path) config.add_route("shortener_topic", "/{topic_id36}", factory=topic_by_id36) diff --git a/tildes/tildes/views/shortener.py b/tildes/tildes/views/shortener.py index 3b974e2..7d4af20 100644 
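Review bot: The rewrite in the catch-all `location /` does not strip a trailing slash as its comment says: `(.*)` is greedy, so it consumes the final `/` and the optional `/?` matches nothing, meaning `tild.es/abc/` is redirected to `https://tildes.net/shortener/abc/`. A lazy capture restores what the removed `^/(.*)/$` rule did: `rewrite ^/(.*?)/?$ https://tildes.net/shortener/$1 permanent;`. Whether the app's `/shortener/...` routes accept a trailing slash is not visible in this diff, so the current form may surface as 404s on the main site. On the question in the header comment, `Strict-Transport-Security` is still worth sending on redirect responses because it is what pins tild.es itself to HTTPS; the other four headers have little effect on a bodiless 301 but are harmless to keep.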
--- a/tildes/tildes/views/shortener.py +++ b/tildes/tildes/views/shortener.py @@ -4,19 +4,12 @@ """Views related to the link shortener.""" from mypy_extensions import NoReturn -from pyramid.httpexceptions import HTTPFound, HTTPMovedPermanently +from pyramid.httpexceptions import HTTPMovedPermanently from pyramid.request import Request from pyramid.security import NO_PERMISSION_REQUIRED from pyramid.view import view_config -@view_config(route_name="shortener", permission=NO_PERMISSION_REQUIRED) -def get_shortener(request: Request) -> NoReturn: - """Redirect to the site if someone just visits the base shortener domain.""" - # pylint: disable=unused-argument - raise HTTPFound(location="https://tildes.net") - - @view_config(route_name="shortener_group", permission=NO_PERMISSION_REQUIRED) def get_shortener_group(request: Request) -> NoReturn: """Redirect to the base path of a group."""