From e48f9e436335798653e3427e24a439fad386b1f7 Mon Sep 17 00:00:00 2001
From: Yamila Moreno
Date: Mon, 4 Jan 2021 17:45:11 +0100
Subject: [PATCH] Add taiga-protected
---
 README.md | 12 ++++++++++++
 docker-compose.yml | 8 ++++++++
 taiga-gateway/taiga.conf | 20 +++++++++++++++++++-
 3 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 7e8b9ece..b5db688e 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,8 @@ Where the database is set. By default, it's meant to be in the same host as the
 Is the secret key of Taiga. Should be the same as this var in `taiga-events` and `taiga-async`
+Besides, this should have the same value of `SECRET_KEY` in `taiga-protected`.
+
 ##### `TAIGA_SITES_SCHEME`, `TAIGA_SITES_DOMAIN`
 Should have the url where this is served: https[://]taiga.mycompany.com
@@ -136,6 +138,16 @@ Get these in your profile https://github.com/settings/apps or in your organizati
 Used for login with GitLab. Get these in your profile https://{YOUR-GITLAB}/profile/applications or in your organization profile https://{YOUR-GITLAB}/admin/applications
+### taiga-protected
+
+##### `SECRET_KEY`
+
+Should be the same as this var in `taiga-back`.
+
+##### `MAX_AGE`
+
+The attachments will be accesible with a token during MAX_AGE (in seconds). After that, the token will expire.
+
 ### taiga-events
diff --git a/docker-compose.yml b/docker-compose.yml
index 3aba5cff..62402194 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -133,6 +133,14 @@ services:
 networks:
 - taiga
+ taiga-protected:
+ image: taigaio/taiga-protected:alpha
+ environment:
+ MAX_AGE: 360
+ SECRET_KEY: "taiga-back-secret-key"
+ networks:
+ - taiga
+
 taiga-gateway:
 image: nginx:1.19-alpine
 ports:
diff --git a/taiga-gateway/taiga.conf b/taiga-gateway/taiga.conf
index c9b1289b..bc7e7eda 100644
--- a/taiga-gateway/taiga.conf
+++ b/taiga-gateway/taiga.conf
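Review bot: The new `taiga-protected` service in docker-compose.yml ships with `SECRET_KEY: "taiga-back-secret-key"` committed as a literal, so every deployment started from this file unchanged shares one publicly known key; the README hunk says this key must match `taiga-back` and that attachments are reached with a token, which suggests (not shown here) that the key is what validates those tokens. I would mark the value as a placeholder with a comment on the line above, `# CHANGE ME: replace with a long random value, identical to the secret key of taiga-back`, or read it from the environment so both services take it from one place. Separately, `image: taigaio/taiga-protected:alpha` is a moving tag; pinning a fixed version or digest keeps what gets pulled reproducible.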
@@ -40,8 +40,26 @@ server {
 }
 # Media
+ location /_protected {
+ internal;
+ alias /taiga/media/;
+ add_header Content-disposition "attachment";
+ }
+
+ # Unprotected section
+ location /media/exports {
+ alias /taiga/media/exports/;
+ add_header Content-disposition "attachment";
+ }
+
 location /media {
- root /taiga;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://taiga-protected:8003/;
+ proxy_redirect off;
 }
 # Events
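Review bot: `location /media/exports` has no trailing slash while its `alias /taiga/media/exports/;` does, and nginx builds the file path by plain prefix substitution, so a request path that merely starts with `/media/exports` can resolve to a file outside the exports directory, i.e. among the attachments this commit puts behind the token check. Ending both sides with a slash closes that: `location /media/exports/ {` with the alias unchanged, and likewise `location /_protected/ {` for consistency (that one is `internal`, so it is less exposed). The "Unprotected section" also serves exports straight from disk without a token; if exports can contain project data, a comment stating why they are exempt would help, e.g. `# exports are served without a token because …`. The enclosing `server` block starts and ends outside this hunk.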