[Docker] Add deleted/replacements protection

docker-compose.yml

@@ -9,6 +9,8 @@ x-environment: &common-env
   DANBOORU_DISCORD_SITE: http://localhost:8000
   DANBOORU_DISCORD_SECRET: super_secret_for_url_discord
   # These are just development secrets, do not use them in production
+  DANBOORU_PROTECTED_FILE_SECRET: 6686a6413d90c43d5e82403ef271ec25d13cc24e3bfcdd094e73d1eff22a3567
+  DANBOORU_REPLACEMENT_FILE_SECRET: b35bc54cdc0d0436fc5867c7ef88f9b10a37ae20a06b37e67614fe60019d7bb1
   SECRET_TOKEN: 1c58518a891eff4520cadc59afa9e378a9325f1247544ff258096e497f095f45
   SESSION_SECRET_KEY: 44b4f44e9f253c406cbe727d403d500c1cecff943e4d2aea8f5447f28846fffe
 
@@ -67,6 +69,7 @@ services:
       - public_packs:/app/public/packs
       - ./docker/default.conf.template:/etc/nginx/templates/default.conf.template
     environment:
+      <<: *common-env
       NGINX_HOST: localhost
       NGINX_PORT: 3000
     depends_on:

docker/default.conf.template

@@ -5,13 +5,36 @@ server {
   index index.html;
   access_log off;
   client_max_body_size 100m;
+
   location /data {
-    rewrite ^/data/sample/__.+?__(.+) /data/sample/$1 last;
-    rewrite ^/data/__.+?__(.+) /data/$1 last;
     expires max;
     break;
   }
 
+  location /data/deleted/ {
+    add_header Cache-Control "private";
+    secure_link $arg_auth,$arg_expires;
+    secure_link_md5 "$secure_link_expires $uri $arg_uid ${DANBOORU_PROTECTED_FILE_SECRET}";
+    if ($secure_link = "") {
+      return 403;
+    }
+    if ($secure_link = "0") {
+      return 403;
+    }
+  }
+
+  location /data/replacements/ {
+    add_header Cache-Control "private";
+    secure_link $arg_auth,$arg_expires;
+    secure_link_md5 "$secure_link_expires $uri $arg_uid ${DANBOORU_REPLACEMENT_FILE_SECRET}";
+    if ($secure_link = "") {
+      return 403;
+    }
+    if ($secure_link = "0") {
+      return 403;
+    }
+}
+
   location /tags/autocomplete.json {
     proxy_pass http://autocompleted:8118/;
     proxy_redirect off;