From e9f42ece6128ff0f41c5a9fbd6d178f6c141984b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Gigandet?= <stephane@openfoodfacts.org>
Date: Fri, 15 Mar 2024 11:36:17 +0100
Subject: [PATCH] fix: nginx config changes for prod (#9919)

---
 conf/nginx/conf.d/expires-no-json-xml.conf   |  1 +
 conf/nginx/sites-available/howmuchsugar      | 12 +++----
 conf/nginx/sites-available/madenearme        | 12 +++----
 conf/nginx/sites-available/off               | 34 +++++++-------------
 conf/nginx/sites-available/off-pro           | 24 +++++++-------
 conf/nginx/snippets/expires-no-json-xml.conf | 11 -------
 6 files changed, 35 insertions(+), 59 deletions(-)
 create mode 120000 conf/nginx/conf.d/expires-no-json-xml.conf

diff --git a/conf/nginx/conf.d/expires-no-json-xml.conf b/conf/nginx/conf.d/expires-no-json-xml.conf
new file mode 120000
index 0000000000000..de5302e3e0bb9
--- /dev/null
+++ b/conf/nginx/conf.d/expires-no-json-xml.conf
@@ -0,0 +1 @@
+../snippets/expires-no-json-xml.conf
\ No newline at end of file
diff --git a/conf/nginx/sites-available/howmuchsugar b/conf/nginx/sites-available/howmuchsugar
index 399925cb08643..e6c7c1645ea7c 100644
--- a/conf/nginx/sites-available/howmuchsugar
+++ b/conf/nginx/sites-available/howmuchsugar
@@ -11,7 +11,7 @@ map $howmuchsugar_name $howmuchsugar_lang {
 	combiendesucres fr;
 }
 
-include /etc/nginx/snippets/expires-no-json-xml.conf;
+# variables definitions for expiry headers are loaded from /etc/nginx/conf.d/expires-no-json-xml.conf
 
 log_format proxied_requests2
   '$http_x_forwarded_for - $remote_user [$time_local] '
@@ -36,19 +36,19 @@ server {
 	index index.html index.htm index.nginx-debian.html;
 
 	location ~* \.(eot|ttf|woff|woff2)$ {
-		include /etc/nginx/snippets/expiry-headers.conf;
+		include snippets/expiry-headers.include;
 		add_header Access-Control-Allow-Origin *;
 	}
 
 	location ~ ^/(favicon.ico) {
-		include /etc/nginx/snippets/expiry-headers.conf;
+		include snippets/expiry-headers.include;
 		# First attempt to serve request as file, then
 		# as directory, then fall back to displaying a 404.
 		try_files $howmuchsugar_name-favicon.ico =404;
 	}
 
 	location ~ ^/(.well-known|images|js|rss|data|files|resources|foundation)/ {
-		include /etc/nginx/snippets/expiry-headers.conf;
+		include snippets/expiry-headers.include;
 		# First attempt to serve request as file, then
 		# as directory, then fall back to displaying a 404.
 		try_files $uri $uri/ =404;
@@ -59,13 +59,13 @@ server {
 	}
 
 	location ~ ^/$ {
-		include /etc/nginx/snippets/expires-no-json-xml.conf;
+		include snippets/expiry-headers.include;
 		try_files $uri /$howmuchsugar_name.html;
 	}
 
 	# redirect to .html files
 	location / {
-		include /etc/nginx/snippets/expires-no-json-xml.conf;
+		include snippets/expiry-headers.include;
 		try_files $uri $uri.html =404;
 	}
 
diff --git a/conf/nginx/sites-available/madenearme b/conf/nginx/sites-available/madenearme
index 46e91ba11e4f7..bf6de53e9b954 100644
--- a/conf/nginx/sites-available/madenearme
+++ b/conf/nginx/sites-available/madenearme
@@ -7,7 +7,7 @@ map $host $madenearme_name {
 
 }
 
-include /etc/nginx/snippets/expires-no-json-xml.conf;
+# variables definitions for expiry headers are loaded from /etc/nginx/conf.d/expires-no-json-xml.conf
 
 server {
 	listen 80;
@@ -28,19 +28,19 @@ server {
 
 	location ~* \.(eot|ttf|woff|woff2)$ {
 		add_header Access-Control-Allow-Origin *;
-		include /etc/nginx/snippets/expires-no-json-xml.conf;
+		include snippets/expiry-headers.include;
 	}
 
 	location ~ ^/images/products/ {
 		add_header Link "<http://creativecommons.org/licenses/by-sa/3.0/>; rel='license'; title='CC-BY-SA 3.0'";
-		include /etc/nginx/snippets/expires-no-json-xml.conf;
+		include snippets/expiry-headers.include;
 	}
 
 	location ~ ^/(favicon.ico) {
 		# First attempt to serve request as file, then
 		# as directory, then fall back to displaying a 404.
 		try_files $uri /images/misc/$madenearme_name.16x16.png;
-		include /etc/nginx/snippets/expires-no-json-xml.conf;
+		include snippets/expiry-headers.include;
 	}
 
 
@@ -48,7 +48,7 @@ server {
 		# First attempt to serve request as file, then
 		# as directory, then fall back to displaying a 404.
 		try_files $uri $uri/ =404;
-		include /etc/nginx/snippets/expires-no-json-xml.conf;
+		include snippets/expiry-headers.include;
 	}
 
 	location = /robots.txt {
@@ -57,7 +57,7 @@ server {
 
 	location / {
 		try_files $uri /data/$madenearme_name.html;
-		include /etc/nginx/snippets/expires-no-json-xml.conf;
+		include snippets/expiry-headers.include;
 	}
 
 }
diff --git a/conf/nginx/sites-available/off b/conf/nginx/sites-available/off
index 24f2926a2f276..dc1390344b0df 100644
--- a/conf/nginx/sites-available/off
+++ b/conf/nginx/sites-available/off
@@ -13,9 +13,7 @@ server {
 	}
 }
 
-# variables definitions for expiry headers
-include /etc/nginx/snippets/expires-no-json-xml.conf;
-
+# variables definitions for expiry headers are loaded from /etc/nginx/conf.d/expires-no-json-xml.conf
 
 server {
 
@@ -32,9 +30,10 @@ server {
 	client_body_timeout 120s;
 	client_header_timeout 120s;
 
-	# logs location
-	access_log /var/log/nginx/${productopener_access_file_prefix}off-access.log proxied_requests buffer=256K flush=1s;
-	error_log /var/log/nginx/off-error.log;
+	# logs location: default is static-off, will be changed to proxy-off
+	# for requests passed to Apache
+	access_log /var/log/nginx/static-off-access.log proxied_requests buffer=256K flush=1s;
+	error_log /var/log/nginx/static-off-error.log;
 
 	# some redirection for specific subdomains
 	include snippets/off.domain-redirects.include;
@@ -45,14 +44,6 @@ server {
 
 	index index.html index.htm index.nginx-debian.html;
 
-	location /data/ {
-        include snippets/off.cors-headers.include;
-		include snippets/expiry-headers.include;
-		# First attempt to serve request as file, then
-		# as directory, then fall back to displaying a 404.
-		try_files $uri $uri/ =404;
-	}
-
 	location ~ ^/images/products/ {
 		include snippets/off.cors-headers.include;
 		include snippets/expiry-headers.include;
@@ -72,12 +63,6 @@ server {
 	try_files /1.json = 404;
 	}
 
-	location ~ ^/(favicon.ico) {
-		# First attempt to serve request as file, then
-		# as directory, then fall back to displaying a 404.
-		try_files $uri $uri/ =404;
-	}
-
 	# Static files are served directly by NGINX
 
 	location ~ ^/(favicon.ico) {
@@ -87,7 +72,7 @@ server {
 	}
 
 	# Static files are served directly by NGINX
-	location ~ ^/(.well-known|files)/ {
+	location ~ ^/(.well-known|files|data|exports|dump)/ {
 		include snippets/off.cors-headers.include;
 		include snippets/expiry-headers.include;
 		# First attempt to serve request from resource, then as file,
@@ -96,7 +81,7 @@ server {
 		gzip_static always;
 		gunzip on;
 	}
-	location ~ ^/(images|fonts|css|js|rss|foundation|bower_components)/ {
+	location ~ ^/(images|fonts|css|js|donate|resources)/ {
 		include snippets/off.cors-headers.include;
 		include snippets/expiry-headers.include;
 		# First attempt to serve request as file, off_web_html acting as an override,
@@ -116,7 +101,6 @@ server {
 	location = /.well-known/assetlinks.json {
 		include snippets/off.cors-headers.include;
 		include snippets/expiry-headers.include;
-		expires 1d;
 		try_files $uri =404;
 	}
 
@@ -131,6 +115,8 @@ server {
 		# recursive hosts as we are proxying behind a proxy
 		set_real_ip_from 10.0.0.0/8;
 		real_ip_recursive on;
+	        access_log /var/log/nginx/proxy-off-access.log proxied_requests buffer=256K flush=1s;
+	        error_log /var/log/nginx/proxy-off-error.log;
 
 		proxy_pass http://127.0.0.1:8004/cgi/display.pl?;
 	}
@@ -140,6 +126,8 @@ server {
 		# recursive hosts as we are proxying behind a proxy
 		set_real_ip_from 10.0.0.0/8;
 		real_ip_recursive on;
+	        access_log /var/log/nginx/proxy-off-access.log proxied_requests buffer=256K flush=1s;
+	        error_log /var/log/nginx/proxy-off-error.log;
 
 		proxy_pass http://127.0.0.1:8004;
 	}
diff --git a/conf/nginx/sites-available/off-pro b/conf/nginx/sites-available/off-pro
index b37846b4023bb..43a1bce4ef685 100644
--- a/conf/nginx/sites-available/off-pro
+++ b/conf/nginx/sites-available/off-pro
@@ -13,7 +13,7 @@ server {
 	}
 }
 
-include /etc/nginx/snippets/expires-no-json-xml.conf;
+# variables definitions for expiry headers are loaded from /etc/nginx/conf.d/expires-no-json-xml.conf
 
 server {
 
@@ -36,8 +36,10 @@ server {
 	send_timeout                1200;
 
 	# logs location
-	access_log /var/log/nginx/${productopener_access_file_prefix}off-access.log proxied_requests;
-	error_log /var/log/nginx/off-error.log;
+	# logs location: default is static-off, will be changed to proxy-off
+	# for requests passed to Apache
+	access_log /var/log/nginx/static-off-access.log proxied_requests buffer=256K flush=1s;
+	error_log /var/log/nginx/static-off-error.log;
 
 	gzip on;
 	gzip_min_length 1000;
@@ -45,14 +47,6 @@ server {
 
 	index index.html index.htm index.nginx-debian.html;
 
-	location /data/ {
-        include snippets/off.cors-headers.include;
-		include snippets/expiry-headers.include;
-		# First attempt to serve request as file, then
-		# as directory, then fall back to displaying a 404.
-		try_files $uri $uri/ =404;
-	}
-
 	location ~ ^/images/products/ {
 		include snippets/off.cors-headers.include;
 		include snippets/expiry-headers.include;
@@ -69,7 +63,7 @@ server {
 	}
 
 	# Static files are served directly by NGINX
-	location ~ ^/(.well-known|files)/ {
+	location ~ ^/(.well-known|files|data|exports|dump)/ {
 		include snippets/off.cors-headers.include;
 		include snippets/expiry-headers.include;
 		# First attempt to serve request from resource, then as file,
@@ -78,7 +72,7 @@ server {
 		gzip_static always;
 		gunzip on;
 	}
-	location ~ ^/(images|fonts|css|js|rss|foundation|bower_components)/ {
+	location ~ ^/(images|fonts|css|js|donate|resources)/ {
 		include snippets/off.cors-headers.include;
 		include snippets/expiry-headers.include;
 		# First attempt to serve request as file, off_web_html acting as an override,
@@ -97,6 +91,8 @@ server {
 		# recursive hosts as we are proxying behind a proxy
 		set_real_ip_from 10.0.0.0/8;
 		real_ip_recursive on;
+		access_log /var/log/nginx/proxy-off-access.log proxied_requests buffer=256K flush=1s;
+	        error_log /var/log/nginx/proxy-off-error.log;
 
 		proxy_pass http://127.0.0.1:8014/cgi/display.pl?;
 	}
@@ -106,6 +102,8 @@ server {
 		# recursive hosts as we are proxying behind a proxy
 		set_real_ip_from 10.0.0.0/8;
 		real_ip_recursive on;
+		access_log /var/log/nginx/proxy-off-access.log proxied_requests buffer=256K flush=1s;
+	        error_log /var/log/nginx/proxy-off-error.log;
 
 		proxy_pass http://127.0.0.1:8014;
 	}
diff --git a/conf/nginx/snippets/expires-no-json-xml.conf b/conf/nginx/snippets/expires-no-json-xml.conf
index 6c3ca932123c7..5798299c9e004 100644
--- a/conf/nginx/snippets/expires-no-json-xml.conf
+++ b/conf/nginx/snippets/expires-no-json-xml.conf
@@ -30,17 +30,6 @@ map $uri $productopener_is_public_cache {
   "~*\.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|ico)$" public;
 }
 
-map $uri $productopener_access_file_prefix {
-	default "";
-	# Media: images, icons, video, audio, HTC
-	"~*\.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$" "static-";
-	# CSS and Javascript
-	"~*\.(?:css|js)$" "static-";
-	# Web Fonts
-	"~*\.(?:ttf|ttc|otf|eot|woff|woff2)$" "static-";
-}
-
-
 # # cache.appcache, your document html and data
 # location ~* \.(?:manifest|appcache|html?)$ {
 #   expires -1;