update NGINX sample to allow admin to download backups

config/nginx.sample.conf

@@ -46,28 +46,26 @@ server {
     root $public;
 
     location ~* \.(eot|ttf|woff|ico)$ {
-	    add_header Access-Control-Allow-Origin *;
+      expires 1y;
-	    expires 1y;
+      add_header Cache-Control public;
-        add_header Cache-Control public;
+      add_header Access-Control-Allow-Origin *;
-	}
+     }
 
     location ~ ^/assets/ {
       expires 1y;
-      add_header Cache-Control public;
       add_header ETag "";
+      add_header Cache-Control public;
       break;
     }
 
     location ~ ^/uploads/ {
       expires 1y;
-      add_header Cache-Control public;
       add_header ETag "";
+      add_header Cache-Control public;
 
       ## optional upload anti-hotlinking rules
       #valid_referers none blocked mysite.com *.mysite.com;
-      #if ($invalid_referer) {
+      #if ($invalid_referer) { return 403; }
-      #  return 403;
-      #}
 
       # custom CSS
       location ~ /stylesheet-cache/ { try_files $uri =404; }
@@ -83,6 +81,14 @@ server {
       break;
     }
 
+    location ~ ^/backups/ {
+      # backups must go through the rails application to handle security
+      proxy_set_header X-Sendfile-Type X-Accel-Redirect;
+      proxy_set_header X-Accel-Mapping $public/=/downloads/;
+      proxy_pass http://discourse;
+      break;
+    }
+
     try_files $uri @discourse;
   }
 
@@ -92,12 +98,10 @@ server {
   }
 
   location @discourse {
+    proxy_set_header Host $http_host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-
     proxy_set_header X-Forwarded-Proto $thescheme;
-    proxy_set_header Host $http_host;
 
     proxy_pass http://discourse;
   }