bookwyrm: update nginx to use latest pullrequest and map /flower

bookwyrm.yaml

@@ -107,10 +107,8 @@ services:
   bookwyrm-flower:
     container_name: bookwyrm-flower
     image: osresearch/bookwyrm:oidc
-    command: celery -A celerywyrm flower --basic_auth=admin:${BOOKWYRM_ADMIN_PASSWORD}
+    command: celery -A celerywyrm flower --basic_auth=admin:${BOOKWYRM_ADMIN_PASSWORD} --url_prefix=flower
     env_file: bookwyrm/env
-#    ports:
-#      - ${FLOWER_PORT}:${FLOWER_PORT}
     volumes:
       - ./data/bookwyrm/static_volume:/app/static
       - ./data/bookwyrm/media_volume:/app/images

bookwyrm/nginx.conf

@@ -20,50 +20,58 @@ server {
     client_body_buffer_size     10M;
     client_max_body_size        10M;
 
+    # store responses to anonymous users for up to 1 minute
+    proxy_cache mycache;
+    proxy_cache_valid any 1m;
+    add_header X-Cache-Status $upstream_cache_status;
+
+    # ignore the set cookie header when deciding to
+    # store a response in the cache
+    proxy_ignore_headers Cache-Control Set-Cookie Expires;
+
+    # PUT requests always bypass the cache
+    # logged in sessions also do not populate the cache
+    # to avoid serving personal data to anonymous users
+    proxy_cache_methods GET HEAD;
+    proxy_no_cache      $cookie_sessionid;
+    proxy_cache_bypass  $cookie_sessionid;
+
+    # tell the web container the address of the outside client
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $host;
+    proxy_redirect off;
+
+    # rate limit the login or password reset pages
     location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
         limit_req zone=loginlimit;
-
         proxy_pass http://bookwyrm-web:8000;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $host;
-        proxy_redirect off;
     }
 
-    location ~ ^/(api|oidc|preferences) {
-        proxy_pass http://bookwyrm-web:8000;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $host;
-        proxy_redirect off;
+    # do not log periodic polling requests from logged in users
+    location /api/updates/ {
         access_log off;
+        proxy_pass http://bookwyrm-web:8000;
     }
 
-    location / {
-        proxy_cache mycache;
-        add_header X-Cache-Status $upstream_cache_status;
-        proxy_ignore_headers Cache-Control Set-Cookie Expires;
-        #proxy_ignore_headers Cache-Control;
-
-	# logged in sessions and PUT bypass the cache
-	proxy_cache_methods GET HEAD;
-	proxy_no_cache      $cookie_session;
-	proxy_cache_bypass  $cookie_session;
-  
-        proxy_cache_valid any 1m;
-
-        proxy_pass http://bookwyrm-web:8000;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $host;
-        proxy_redirect off;
+    # monitor the celery queues with flower, no caching enabled
+    location /flower/ {
+       proxy_pass http://bookwyrm-flower:8888;
+       proxy_cache_bypass 1;
     }
 
-    location /images/ {
-        alias /bookwyrm/app/images/;
-        #access_log off;
+    # forward any cache misses or bypass to the web container
+    location / {
+        proxy_pass http://bookwyrm-web:8000;
     }
 
-    location /static/ {
-        alias /bookwyrm/app/static/;
-        #access_log off;
+    # directly serve images and static files from the
+    # bookwyrm filesystem using sendfile.
+    # make the logs quieter by not reporting these requests
+    location ~ ^/(images|static)/ {
+        root /bookwyrm/app;
+        try_files $uri =404;
+        add_header X-Cache-Status STATIC;
+        access_log off;
     }
 
     include /etc/nginx/includes/ssl.conf;