How to prevent attachments from being dl'd w/o password? (nginx, puma)

Added by Alex Strasheim over 4 years ago

I found out today that Google has crawled our web site via the IP address, and that it's indexed our attachments. I have things set up so that nginx will serve a static file if it can, and pass the URL to puma and Redmine if it can't.

Can anyone point me to a nginx configuration that wouldn't leave my attachments out in the open like that?

Here's my bin/about output:

sh: svn: command not found
sh: darcs: command not found
sh: hg: command not found
sh: cvs: command not found
sh: bzr: command not found
Redmine version                3.4.5.stable
Ruby version                   2.4.4-p296 (2018-03-28) [x86_64-linux]
Rails version                  4.2.8
Environment                    production
Database adapter               PostgreSQL
Git                            2.14.5
Redmine plugins:
no plugin installed

And here's the relevant part of my nginx.conf:

server {
    listen 80;

    root /var/lib/redmine-3.4.5/public;

    try_files $uri/index.html $uri @app;

    location @app {
        proxy_pass http://app;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 10;
}
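
An added example, not part of the original post or of Redmine's documentation: a variant of the configuration above that refuses requests addressed to the bare IP and lets nginx read only named asset directories from `public`, so every other URL is handled by Redmine. The hostname `redmine.example.com`, the puma address in `upstream app`, and the list of asset directories are assumptions.

```nginx
upstream app {
    # Assumed puma address; the post does not show its upstream block.
    server 127.0.0.1:3000;
}

# Catch-all server: requests sent to the bare IP address or with an
# unknown Host header end up here. 444 is nginx's "close the connection
# without sending a response" code.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name redmine.example.com;   # placeholder hostname

    root /var/lib/redmine-3.4.5/public;

    client_max_body_size 4G;
    keepalive_timeout 10;
    error_page 500 502 503 504 /500.html;

    # nginx reads from disk only under these directories
    # (assumed list of Redmine's static asset directories).
    location ~ ^/(javascripts|stylesheets|images|themes|plugin_assets|help)/ {
        try_files $uri =404;
    }

    # Static error page and favicon, served from root.
    location = /500.html { internal; }
    location = /favicon.ico { }

    # Everything else, attachment URLs included, is passed to Redmine,
    # which applies its own login and permission checks.
    location / {
        proxy_pass http://app;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
    }
}
```

Attachments in projects that Redmine itself allows anonymous users to view stay reachable through the application; that is controlled by Redmine's authentication and project visibility settings, not by nginx.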