diff --git a/docker/nginx/conf.d/include/location-skylink b/docker/nginx/conf.d/include/location-skylink index 9d362a43..c47bb2f8 100644 --- a/docker/nginx/conf.d/include/location-skylink +++ b/docker/nginx/conf.d/include/location-skylink @@ -1,4 +1,110 @@ include /etc/nginx/conf.d/include/cors; +include /etc/nginx/conf.d/include/proxy-buffer; +include /etc/nginx/conf.d/include/proxy-cache-downloads; +include /etc/nginx/conf.d/include/track-download; +limit_conn downloads_by_ip 100; # ddos protection: max 100 downloads at a time + +# ensure that skylink that we pass around is base64 encoded (transform base32 encoded ones) +# this is important because we want only one format in cache keys and logs +set_by_lua_block $skylink { return require("skynet.skylink").parse(ngx.var.skylink) } + +# $skylink_v1 and $skylink_v2 variables default to the same value but in case the requested skylink was: +# a) skylink v1 - it would not matter, no additional logic is executed +# b) skylink v2 - in a lua block below we will resolve the skylink v2 into skylink v1 and update +# $skylink_v1 variable so then the proxy request to skyd can be cached in nginx (proxy_cache_key +# in proxy-cache-downloads includes $skylink_v1 as a part of the cache key) +set $skylink_v1 $skylink; +set $skylink_v2 $skylink; + +# variable for Skynet-Proof header that we need to inject +# into a response if the request was for skylink v2 +set $skynet_proof ''; + +access_by_lua_block { + -- the block below only makes sense if we are using nginx cache + if not ngx.var.skyd_disk_cache_enabled then + local httpc = require("resty.http").new() + + -- detect whether requested skylink is v2 + local isBase32v2 = string.len(ngx.var.skylink) == 55 and string.sub(ngx.var.skylink, 0, 2) == "04" + local isBase64v2 = string.len(ngx.var.skylink) == 46 and string.sub(ngx.var.skylink, 0, 2) == "AQ" + + if isBase32v2 or isBase64v2 then + -- 10.10.10.10 points to sia service (alias not available when using resty-http) + local res, err = httpc:request_uri("http://10.10.10.10:9980/skynet/resolve/" .. ngx.var.skylink_v2, { + headers = { ["User-Agent"] = "Sia-Agent" } + }) + + -- print error and exit with 500 or exit with response if status is not 200 + if err or (res and res.status ~= ngx.HTTP_OK) then + ngx.status = (err and ngx.HTTP_INTERNAL_SERVER_ERROR) or res.status + ngx.header["content-type"] = "text/plain" + ngx.say(err or res.body) + return ngx.exit(ngx.status) + end + + local json = require('cjson') + local resolve = json.decode(res.body) + ngx.var.skylink_v1 = resolve.skylink + ngx.var.skynet_proof = res.headers["Skynet-Proof"] + end + + -- check if skylink v1 is present on blocklist (compare hashes) + if require("skynet.blocklist").is_blocked(ngx.var.skylink_v1) then + return require("skynet.blocklist").exit_illegal() + end + + -- if skylink is found on nocache list then set internal nocache variable + -- to tell nginx that it should not try and cache this file (too large) + if ngx.shared.nocache:get(ngx.var.skylink_v1) then + ngx.var.nocache = "1" + end + end + + if require("skynet.account").accounts_enabled() then + -- check if portal is in authenticated only mode + if require("skynet.account").is_access_unauthorized() then + return require("skynet.account").exit_access_unauthorized() + end + + -- check if portal is in subscription only mode + if require("skynet.account").is_access_forbidden() then + return require("skynet.account").exit_access_forbidden() + end + + -- get account limits of currently authenticated user + local limits = require("skynet.account").get_account_limits() + end +} + +header_filter_by_lua_block { + ngx.header["Skynet-Portal-Api"] = ngx.var.scheme .. "://" .. ngx.var.skynet_portal_domain + ngx.header["Skynet-Server-Api"] = ngx.var.scheme .. "://" .. ngx.var.skynet_server_domain + + -- the block below only makes sense if we are using nginx cache + if not ngx.var.skyd_disk_cache_enabled then + -- not empty skynet_proof means this is a skylink v2 request + -- so we should replace the Skynet-Proof header with the one + -- we got from /skynet/resolve/ endpoint, otherwise we would + -- be serving cached empty v1 skylink Skynet-Proof header + if ngx.var.skynet_proof and ngx.var.skynet_proof ~= "" then + ngx.header["Skynet-Proof"] = ngx.var.skynet_proof + end + + -- add skylink to nocache list if it exceeds 1GB (1e+9 bytes) threshold + -- (content length can be nil for already cached files - we can ignore them) + if ngx.header["Content-Length"] and tonumber(ngx.header["Content-Length"]) > 1e+9 then + ngx.shared.nocache:set(ngx.var.skylink_v1, ngx.header["Content-Length"]) + end + end +} + +proxy_read_timeout 600; proxy_set_header User-Agent: Sia-Agent; -proxy_pass http://sia:9980/skynet/skylink/$skylink$path$is_args$args; + +# in case the requested skylink was v2 and we already resolved it to skylink v1, we are going to pass resolved +# skylink v1 to skyd to save that extra skylink v2 lookup in skyd but in turn, in case skyd returns a redirect +# we need to rewrite the skylink v1 to skylink v2 in the location header with proxy_redirect +proxy_redirect $skylink_v1 $skylink_v2; +proxy_pass http://sia:9980/skynet/skylink/$skylink_v1$path$is_args$args; diff --git a/docker/nginx/conf.d/include/proxy-cache-downloads b/docker/nginx/conf.d/include/proxy-cache-downloads index 94a635e1..a91c14cc 100644 --- a/docker/nginx/conf.d/include/proxy-cache-downloads +++ b/docker/nginx/conf.d/include/proxy-cache-downloads @@ -1,4 +1,5 @@ proxy_cache skynet; # cache name +#proxy_cache_key $skylink_v1$path$arg_format$arg_attachment$arg_start$arg_end$http_range; # unique cache key proxy_cache_key $skylink$path$arg_format$arg_attachment$arg_start$arg_end$http_range; # unique cache key proxy_cache_min_uses 3; # cache after 3 uses proxy_cache_valid 200 206 307 308 48h; # keep 200, 206, 307 and 308 responses valid for up to 2 days