From 06f0946317d78b81d4a4d984a866a7913334d9e0 Mon Sep 17 00:00:00 2001 From: Karol Wypchlo Date: Fri, 31 Jul 2020 15:25:57 +0200 Subject: [PATCH] fix hns header overflow and redirects --- docker/handshake-api/Dockerfile | 2 +- docker/nginx/conf.d/client.conf | 11 +++-------- docker/nginx/conf.d/include/proxy-buffer | 4 ++++ handshake-api/index.js | 10 ++++------ 4 files changed, 12 insertions(+), 15 deletions(-) create mode 100644 docker/nginx/conf.d/include/proxy-buffer diff --git a/docker/handshake-api/Dockerfile b/docker/handshake-api/Dockerfile index 22826b4e..c7a393b3 100644 --- a/docker/handshake-api/Dockerfile +++ b/docker/handshake-api/Dockerfile @@ -17,4 +17,4 @@ ENV HSD_API_KEY="foo" EXPOSE $PORT -ENTRYPOINT ["node", "index.js"] +ENTRYPOINT ["node", "--max-http-header-size=64000", "index.js"] diff --git a/docker/nginx/conf.d/client.conf b/docker/nginx/conf.d/client.conf index 6dca374b..bfa29563 100644 --- a/docker/nginx/conf.d/client.conf +++ b/docker/nginx/conf.d/client.conf @@ -114,6 +114,7 @@ server { location /hns { include /etc/nginx/conf.d/include/cors; + include /etc/nginx/conf.d/include/proxy-buffer; proxy_pass http://handshake-api:3100; } @@ -173,6 +174,7 @@ server { location ~ "^/([a-zA-Z0-9-_]{46}(/.*)?)$" { include /etc/nginx/conf.d/include/cors; + include /etc/nginx/conf.d/include/proxy-buffer; limit_conn downloads_by_ip 100; # ddos protection: max 100 downloads at a time @@ -184,10 +186,6 @@ server { proxy_set_header User-Agent: Sia-Agent; # proxy this call to siad /skynet/skylink/ endpoint (make sure the ip is correct) proxy_pass http://siad/skynet/skylink/$skylink$is_args$args; - - # if you are expecting large headers (ie. Skynet-Skyfile-Metadata), tune these values to your needs - proxy_buffer_size 128k; - proxy_buffers 4 128k; # cache frequent (> 10) downloads for 24 hours proxy_cache skynet; 
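Review bot: The new `--max-http-header-size=64000` in the ENTRYPOINT is lower than the `proxy_buffer_size 128k` this same commit sets for the nginx locations in front of it, so an upstream response header between roughly 64 KB and 128 KB is still rejected by Node's parser before nginx's larger buffer ever matters; either align the two ceilings or record why they differ. The flag also raises the limit for request headers that reach the API directly, so the only bound on client-supplied headers is presumably nginx's `large_client_header_buffers` ahead of it — worth stating, since the image does `EXPOSE $PORT`. I would add above the ENTRYPOINT: `# 64000 bytes must cover the largest Skynet-Skyfile-Metadata header siad returns; keep in sync with proxy_buffer_size in nginx/conf.d/include/proxy-buffer`.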
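Review bot: In the `location /hns` hunk the new `include /etc/nginx/conf.d/include/proxy-buffer` gives this location the same 128k header buffer and 4×256k response buffers as the skylink locations, but unlike those (which carry `limit_conn downloads_by_ip 100`) no connection limit is visible here, so a single client can drive proportionally more nginx memory through /hns than through a direct skylink fetch. If the rest of the location block, outside the three context lines shown, has no such limit, consider adding `limit_conn downloads_by_ip 100;` next to the include, or a comment saying why /hns is exempt. The location block starts and ends outside the hunk.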
@@ -199,6 +197,7 @@ server { location ~ "^/file/([a-zA-Z0-9-_]{46}(/.*)?)$" { include /etc/nginx/conf.d/include/cors; + include /etc/nginx/conf.d/include/proxy-buffer; limit_conn downloads_by_ip 100; # ddos protection: max 100 downloads at a time @@ -211,10 +210,6 @@ server { # proxy this call to siad /skynet/skylink/ endpoint (make sure the ip is correct) # this alias also adds attachment=true url param to force download the file proxy_pass http://siad/skynet/skylink/$skylink?attachment=true&$args; - - # if you are expecting large headers (ie. Skynet-Skyfile-Metadata), tune these values to your needs - proxy_buffer_size 128k; - proxy_buffers 4 128k; # cache frequent (> 10) downloads for 24 hours proxy_cache skynet; diff --git a/docker/nginx/conf.d/include/proxy-buffer b/docker/nginx/conf.d/include/proxy-buffer new file mode 100644 index 00000000..aea687fb --- /dev/null +++ b/docker/nginx/conf.d/include/proxy-buffer @@ -0,0 +1,4 @@ +# if you are expecting large headers (ie. Skynet-Skyfile-Metadata), tune these values to your needs +proxy_buffer_size 128k; +proxy_buffers 4 256k; +proxy_busy_buffers_size 256k; \ No newline at end of file diff --git a/handshake-api/index.js b/handshake-api/index.js index 07282e35..6c00d2f4 100644 --- a/handshake-api/index.js +++ b/handshake-api/index.js 
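Review bot: The new proxy-buffer include documents only the symptom it fixes and not its cost: `proxy_buffers 4 256k` plus `proxy_buffer_size 128k` allows nginx to hold up to about 1.1 MB of upstream response in memory per proxied request, and the skylink locations that include it permit 100 concurrent downloads per IP, so the worst case per client IP is on the order of 100 MB before `limit_conn` bites. I would extend the header comment to `# large buffers so big upstream headers (e.g. Skynet-Skyfile-Metadata) fit; up to ~1.1 MB RAM per in-flight proxied response, so keep limit_conn on every location that includes this`. The comment's `ie.` should read `e.g.`, and the file lacks its trailing newline (`\ No newline at end of file`).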
@@ -85,14 +85,12 @@ server.use( const basepath = url.resolve("/", skylink); // make the url absolute const subpath = req.url.slice(1); // drop the leading slash - // if the skylink from handshake does not contain a subpath but subpath - // is defined in request, join the skylink and subpath together (do not - // use url.resolve because it will replace skylink with subapth thinking - // it is relative) - if (skylink.length === 46 && subpath) { - return `${basepath}/${subpath}`; + // if the record is just a raw skylink, replace baseUrl with /skylink + if (skylink.length === 46) { + return req.originalUrl.replace(req.baseUrl, basepath); } + // if the record contains more than a skylink then it needs to be resolved return url.resolve(basepath, subpath); }, })
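Review bot: `skylink.length === 46` is the only check before a value read from a Handshake record is spliced into the proxied path, and `req.originalUrl.replace(req.baseUrl, basepath)` uses a string replacement, in which `$&`, `$'` and similar sequences inside `basepath` are expanded rather than inserted literally; nginx in this same commit accepts a raw skylink only when it matches `[a-zA-Z0-9-_]{46}`, so the API should apply the same test instead of a bare length check. Change the branch to `if (/^[a-zA-Z0-9_-]{46}$/.test(skylink)) {` and `return basepath + req.originalUrl.slice(req.baseUrl.length);`, which keeps the query string and no longer depends on replacement-pattern semantics (this assumes `req.baseUrl` is the prefix of `req.originalUrl`, as Express sets it — confirm for this middleware). A 46-character record that fails the test then falls through to the existing `url.resolve` branch rather than being forwarded as a skylink. The enclosing `server.use(...)` callback starts and ends outside the hunk.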