XAR - Attachment [Deleted]

With this addon enabled, is [Tinhte] Attach Image Optimization useless?
That addon reduces the number of queries if you have multiple attachments. The caching header stuff should be overridden by my addon, but I'd need to check.

If you use the CDN feature, then my addon is pointless as it will never be invoked.
 
@Xon, after installing this addon, attachments are broken on my forum.
In the ACP (admin.php?options/list/attachments) I had already set the option "Attachments download mode: X-Accel-Redirect Header (nginx)" before installing your addon.
My forum is in the root, so the internal_data folder is in the root too.

I tried with and without this code in my site config
Code:
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

When I added it, I added it in this part:
Code:
location /internal_data/ {
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        internal;
        allow 127.0.0.1;
        allow xxxxxxxxxxxx;
        deny all;
    }

For now, I have uninstalled this addon, but I would like to have it installed.
Please tell me exactly what to do after installing this addon.
 
@Sunka Without seeing the HTTP error code, it is hard to diagnose what happened. But it is likely the 'deny all' statement.

This add-on uses the fact that internal allows redirect to reach content, but not blind external access.
 
So, I will have to install it again, add those two lines in the same place as before, restart nginx and... how do I see the HTTP error codes (I am on HTTPS, if that means something to you)?
Via the Chrome inspect tool?
 
So, I will have to install it again, add those two lines in the same place as before, restart nginx and... how do I see the HTTP error codes (I am on HTTPS, if that means something to you)?
Via the Chrome inspect tool?
That, or look at the nginx error log/access log for when an attachment is accessed.
 
OK, I installed it again and changed that part of my conf so it now looks like this:
Code:
location /internal_data/ {
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        internal;
        allow 127.0.0.1;
        allow MyIPAddress;
    }
So, I deleted 'deny all'.
Should I leave it this way, or should I also delete the last two allows?

When I open an attachment picture in a new tab, I see that the ETag is at first only numbers, but changes to letters and numbers when I do a hard refresh. Probably something with the Redis cache?

In the ACP (admin.php?options/list/attachments) I had already set the option "Attachments download mode: X-Accel-Redirect Header (nginx)". Should I leave it this way?

Do I need to do anything else regarding this addon, and if it gives a mix of letters and numbers for the attachment ETag, does that show that the addon is working?
 
OK, I installed it again and changed that part of my conf so it now looks like this:
Code:
location /internal_data/ {
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        internal;
        allow 127.0.0.1;
        allow MyIPAddress;
    }
So, I deleted 'deny all'.
Should I leave it this way, or should I also delete the last two allows?

When I open an attachment picture in a new tab, I see that the ETag is at first only numbers, but changes to letters and numbers when I do a hard refresh. Probably something with the Redis cache?
You can get rid of the two allow statements, as there isn't any need to access /internal_data without going via the X-Accel-Redirect header.

Make sure you add the line "add_header Etag $upstream_http_etag;" to the location /internal_data stanza so the Etag will be correctly propagated.

If a hard-refresh works, then the add-on is working.

In the ACP (admin.php?options/list/attachments) I had already set the option "Attachments download mode: X-Accel-Redirect Header (nginx)". Should I leave it this way?

Do I need to do anything else regarding this addon, and if it gives a mix of letters and numbers for the attachment ETag, does that show that the addon is working?
It sounds like you have CMF Core installed. If that is so, you don't need this add-on, and just need to check the option.

You will still need to make sure nginx is configured correctly.
 
You can get rid of the two allow statements, as there isn't any need to access /internal_data without going via the X-Accel-Redirect header.
Make sure you add the line "add_header Etag $upstream_http_etag;" to the location /internal_data stanza so the Etag will be correctly propagated.
So in that case this will be correct:
Code:
location /internal_data/ {
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header Etag $upstream_http_etag;
        internal;
    }

It sounds like you have CMF Core installed. If that is so, you don't need this add-on, and can just need to check the option.
I have, indeed. But it is the base for another two addons from @Yoskaldyr, so do I have to choose between using Yoskaldyr's addon or yours?

You will still need to make sure nginx is configured correctly.
What will be the correct code for internal_data in that case (Yoskaldyr's addon)?
 
What will be the correct code for internal_data in that case (Yoskaldyr's addon)?
Ah, I see this.
So the location for internal_data should be like this:
Code:
location /internal_data/ {
        if ($upstream_http_etag != "") {
            add_header Etag $upstream_http_etag;
        }
        internal;
    }

And what about this one? This is what I have in my conf

Code:
location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
    }

And this is what I should have. How do I merge these two?
Code:
location ~ [^/]*\.php$ {
        try_files $fastcgi_script_name =404;
        include fastcgi.conf;
        fastcgi_pass_header Etag;
    }
 
This is my complete conf at the moment:
Code:
# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
server {
   server_name pijanitvor.com www.pijanitvor.com;
    return 301 https://www.$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name pijanitvor.com www.pijanitvor.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/pijanitvor.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  # mozilla recommended
  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
  ssl_prefer_server_ciphers   on;
  #######add_header Alternate-Protocol  443:npn-spdy/3;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header  X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;
  #######spdy_headers_comp 5;
  ssl_buffer_size 1400;
  ssl_session_tickets on;
 
  #enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-trusted.crt; 

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/pijanitvor.com/log/access.log combined buffer=256k flush=60m;
  error_log /home/nginx/domains/pijanitvor.com/log/error.log;

  root /home/nginx/domains/pijanitvor.com/public;

  location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location /internal_data/ {
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        internal;
        allow 127.0.0.1;
        allow MyIP;
    }

    location /library/ {
        internal;
        allow 127.0.0.1;
        allow MyIP;
        deny all;
    }
 
    # prevent access to ./directories and files
    location ~ (?:^|/)\. {
        deny all;
    }


  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}
 
@Sunka, this add-on does almost the same thing as the nginx part of CMF_Core.
And the correct nginx configuration depends on your server configuration.
By default nginx overwrites ETag headers when it returns files via the X-Accel-Redirect header.
So the lines below are usually needed:
Code:
        if ($upstream_http_etag != "") {
            add_header Etag $upstream_http_etag;
        }
and
Code:
add_header Etag $upstream_http_etag;
 
I'm behind CloudFlare, and for some reason the Etag is nowhere to be found on the response headers. Although x-content-type-options: nosniff and x-frame-options: SAMEORIGIN are there. I couldn't find any article saying that CloudFlare would omit that, so I guess I did something wrong on the nginx domain configuration?
Also, whenever I tried to view attachments from the Admin CP (YOUR_URL/admin.php?attachments/), basically by clicking on one of the attachments, my browser would download the image instead, and it'd name it as admin.php (the raw code of the PHP was the image itself, for some reason). Also, when I tried to open an image attachment from a post on a new tab, my browser would also download the image, and it'd name it as download, with the raw code was the image itself. Any clues about that?
Here's the domain configuration for internal_data path:
Code:
location ^~ /internal_data/ {
    add_header Etag $upstream_http_etag;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    internal;
  }
The forum is installed on the root domain.

Also, attachments that were embedded on posts worked just fine. It only behaved strange when you try to open them directly, be it on the current tab or a new tab.
 
@BobbyWibowo I've got the same setup; nginx behind cloudflare, and with a direct access URL and that exact stanza for the internal_data folder.

I don't see that download behaviour when viewing attachments. What browser and content?

Viewing a PNG via Cloudflare, headers: [screenshot: cloudflare.webp]

Viewing a PNG via direct access, headers: [screenshot: direct.webp]
 
I'm on Chrome. The attachments were PNG files (at least as far as my test went). On a side note, what did you use to inspect the headers? I'd like to do deeper investigation.
 
I'm on Chrome. The attachments were PNG files (at least as far as my test went). On a side note, what did you use to inspect the headers? I'd like to do deeper investigation.
Internet Explorer and its developer tools (F12), under the Network tab, and then Ctrl-F5 the page. Then click the request and navigate to the Response Headers.

You can do the same in Chrome (nearly exact same instructions even).
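An added example, and my own code rather than anything from Xon's add-on, CMF_Core, or any post in this thread: a command-line counterpart to the browser-devtools check above, also covering Yoskaldyr's point that nginx drops the upstream ETag on an X-Accel-Redirect unless the location re-adds it. It assumes the header block is captured with curl (without -L, so only one header block is read); the host forum.example and the three sample header blocks are constructed for the demo, not taken from a real site.

```shell
#!/bin/sh
# Added example (not code from Xon's add-on, CMF_Core, or this thread): check from
# the command line that an attachment response came through the `internal`
# /internal_data/ location with its ETag intact.
#
# Feed it a raw HTTP header block, e.g. (forum.example is a hypothetical host):
#   curl -sS -D - -o /dev/null 'https://forum.example/attachments/123/' | check_attachment_headers

# Print the value of one header, case-insensitive, with CR and padding stripped.
header_value() {
    tr -d '\r' | awk -v want="$(printf '%s:' "$1" | tr 'A-Z' 'a-z')" '
        tolower($1) == want {
            sub(/^[^:]*:[ \t]*/, "")   # drop "Name: "
            sub(/[ \t]*$/, "")
            print
            exit
        }'
}

# First line of the block -> status code ("HTTP/1.1 200 OK" and "HTTP/2 200" both work).
status_code() {
    tr -d '\r' | head -n 1 | awk '{ print $2 }'
}

# 0 if the response looks like a working X-Accel-Redirect delivery, 1 otherwise
# (reason on stderr). Checks the three things this thread turned on:
#   - 200, because a `deny all` or a wrong location shows up here first
#   - no X-Accel-Redirect header reaching the client (nginx must consume it)
#   - an ETag, which nginx drops unless the location re-adds it with
#     `add_header Etag $upstream_http_etag;`
check_attachment_headers() {
    hdrs=$(cat)
    status=$(printf '%s\n' "$hdrs" | status_code)
    accel=$(printf '%s\n' "$hdrs" | header_value X-Accel-Redirect)
    etag=$(printf '%s\n' "$hdrs" | header_value Etag)

    [ "$status" = "200" ] || { echo "status $status, expected 200 (check the nginx error log)" >&2; return 1; }
    [ -z "$accel" ] || { echo "X-Accel-Redirect leaked to the client: $accel" >&2; return 1; }
    [ -n "$etag" ] || { echo "no ETag: add 'add_header Etag \$upstream_http_etag;' to location /internal_data/" >&2; return 1; }
    echo "ok: ETag $etag, Content-Type $(printf '%s\n' "$hdrs" | header_value Content-Type)"
}

# The thread's rule of thumb: an ETag mixing letters and digits is the upstream
# (XenForo) one; a digits-only ETag was what was seen before the fix.
etag_has_letters() {
    case "$1" in
        *[A-Za-z]*) return 0 ;;
        *)          return 1 ;;
    esac
}

# A direct request to a file under /internal_data/ must be refused: `internal`
# makes nginx answer 404 to any request that did not arrive via an internal redirect.
check_internal_refused() {
    status=$(status_code)
    [ "$status" = "404" ] || { echo "direct /internal_data/ request got $status, expected 404" >&2; return 1; }
}

# Constructed sample header blocks (not captured from a real site).
WORKING='HTTP/1.1 200 OK
Server: nginx
Content-Type: image/png
Content-Disposition: inline; filename="example.png"
Etag: "3c9a1f0e7b2d"
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff'

NO_ETAG='HTTP/1.1 200 OK
Server: nginx
Content-Type: image/png
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff'

DIRECT='HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html'

printf '%s\n' "$WORKING" | check_attachment_headers
printf '%s\n' "$NO_ETAG" | check_attachment_headers || echo "sample without ETag rejected, as expected"
printf '%s\n' "$DIRECT" | check_internal_refused && echo "direct /internal_data/ access refused, as expected"
```

To run it against a live site, pipe `curl -sS -D - -o /dev/null URL` into `check_attachment_headers` for an attachment URL, and into `check_internal_refused` for the raw path of the same file under /internal_data/; the second one tells you whether `internal` is doing its job without any `allow`/`deny` lines.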
 
Make sure you add the line "add_header Etag $upstream_http_etag;" to the location /internal_data stanza so the Etag will be correctly propagated.

Something like this:
Code:
location /internal_data/ {
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header Etag $upstream_http_etag;
        internal;
    }

Or this:
Code:
location ^~ /internal_data/ {
  add_header Etag $upstream_http_etag;
  add_header X-Frame-Options SAMEORIGIN;
  add_header X-Content-Type-Options nosniff;
  internal;
}

Btw, I have installed Yoskaldyr's addon, but switched to the Default XenForo Mode option in the ACP attachment download option. My forum (and internal_data) is in the root.
Would the above code be the only change in domain.conf (besides installing your addon)?
Are there no options in the ACP for your addon?
 
Something like this:
Code:
location /internal_data/ {
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header Etag $upstream_http_etag;
        internal;
    }

Or this:
Code:
location ^~ /internal_data/ {
  add_header Etag $upstream_http_etag;
  add_header X-Frame-Options SAMEORIGIN;
  add_header X-Content-Type-Options nosniff;
  internal;
}
Order doesn't matter. However, the ^~ bit increases the priority so other blocks do not match (for example an extension-based caching policy).

Btw, I have installed Yoskaldyr's addon, but switched to the Default XenForo Mode option in the ACP attachment download option. My forum (and internal_data) is in the root.
Would the above code be the only change in domain.conf (besides installing your addon)?
Are there no options in the ACP for your addon?
There is a debugging option which shows up in debug mode.

But otherwise this add-on only does the one thing, so there is no need for an on/off toggle for the X-Accel-Redirect since that is the add-on itself.
 
However the ^~ bit increases the priority so other blocks do not match (for example extension-based caching policy)
So is it better to use the version with the ^~ part?
But otherwise this add-on only does the one thing, so there is no need for an on/off toggle for the X-Accel-Redirect since that is the add-on itself.
In his addon, this is just a part of the core and it is in use only if nginx is configured as it should be for that addon. Eva200a and I spent 1 hour configuring that, but after all that we do not know whether it is working or not.
Your addon works OK if the ETag is letters and numbers mixed.

So, if I choose the default option in the ACP for attachment download (XenForo default mode) and install your addon, will the ETags be like they should be (mixed numbers and letters)?
 