feat: enhance Immich integration with local copy option and validation for image handling

2025-08-05 05:05:17 +02:00 · 2025-06-01 19:55:12 -04:00 · 2025-06-01 19:55:12 -04:00 · 06787bccf6
commit 06787bccf6
parent f95afdc35c
12 changed files with 214 additions and 37 deletions
--- a/backend/nginx.conf
+++ b/backend/nginx.conf
@ -8,41 +8,35 @@ http {
    sendfile        on;
    keepalive_timeout  65;
    client_max_body_size 100M;
-    
+    # The backend is running in the same container, so reference localhost
    upstream django {
-        server 127.0.0.1:8000;
+        server 127.0.0.1:8000;  # Use localhost to point to Gunicorn running internally
    }
-    
    server {
        listen 80;
        server_name localhost;
-        
        location / {
-            proxy_pass http://django;
+            proxy_pass http://django;  # Forward to the upstream block
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
-        
        location /static/ {
-            alias /code/staticfiles/;
+            alias /code/staticfiles/;  # Serve static files directly
        }
-        
-        # Special handling for PDF files with CSP headers
-        location ~ ^/protectedMedia/(.*)\.pdf$ {
-            internal;
-            alias /code/media/$1.pdf;
+        # Serve protected media files with X-Accel-Redirect
+        location /protectedMedia/ {
+            internal; # Only internal requests are allowed
+            alias /code/media/;  # This should match Django MEDIA_ROOT
+            try_files $uri =404; # Return a 404 if the file doesn't exist
+            
+            # Security headers for all protected files
            add_header Content-Security-Policy "default-src 'self'; script-src 'none'; object-src 'none'; base-uri 'none'" always;
            add_header X-Content-Type-Options nosniff always;
            add_header X-Frame-Options SAMEORIGIN always;
-            add_header Content-Disposition "inline" always;
-        }
-        
-        # General protected media files (non-PDF)
-        location ~ ^/protectedMedia/(.*)$ {
-            internal;
-            alias /code/media/$1;
+            add_header X-XSS-Protection "1; mode=block" always;
+            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        }
    }
 }