From ae7dac59cce40f10c4ef6ef1f0821e9a7e96efda Mon Sep 17 00:00:00 2001 From: Ivaylo Novakov Date: Mon, 14 Mar 2022 18:45:04 +0100 Subject: [PATCH] Disable nginx proxy cache and rate limits. --- docker/nginx/conf.d/include/location-skylink | 84 +++---------------- .../conf.d/include/proxy-cache-downloads | 20 ++--- docker/nginx/libs/skynet/account.lua | 17 +++- 3 files changed, 34 insertions(+), 87 deletions(-) diff --git a/docker/nginx/conf.d/include/location-skylink b/docker/nginx/conf.d/include/location-skylink index da4727c7..6035321a 100644 --- a/docker/nginx/conf.d/include/location-skylink +++ b/docker/nginx/conf.d/include/location-skylink @@ -11,13 +11,13 @@ set_by_lua_block $skylink { return require("skynet.skylink").parse(ngx.var.skyli # $skylink_v1 and $skylink_v2 variables default to the same value but in case the requested skylink was: # a) skylink v1 - it would not matter, no additional logic is executed -# b) skylink v2 - in a lua block below we will resolve the skylink v2 into skylink v1 and update -# $skylink_v1 variable so then the proxy request to skyd can be cached in nginx (proxy_cache_key +# b) skylink v2 - in a lua block below we will resolve the skylink v2 into skylink v1 and update +# $skylink_v1 variable so then the proxy request to skyd can be cached in nginx (proxy_cache_key # in proxy-cache-downloads includes $skylink_v1 as a part of the cache key) set $skylink_v1 $skylink; set $skylink_v2 $skylink; -# variable for Skynet-Proof header that we need to inject +# variable for Skynet-Proof header that we need to inject # into a response if the request was for skylink v2 set $skynet_proof ''; @@ -25,85 +25,23 @@ set $skynet_proof ''; set $limit_rate 0; access_by_lua_block { - -- the block below only makes sense if we are using nginx cache - if not ngx.var.skyd_disk_cache_enabled then - local httpc = require("resty.http").new() - - -- detect whether requested skylink is v2 - local isBase32v2 = string.len(ngx.var.skylink) == 55 and string.sub(ngx.var.skylink, 0, 2) == "04" - local isBase64v2 = string.len(ngx.var.skylink) == 46 and string.sub(ngx.var.skylink, 0, 2) == "AQ" - - if isBase32v2 or isBase64v2 then - -- 10.10.10.10 points to sia service (alias not available when using resty-http) - local res, err = httpc:request_uri("http://10.10.10.10:9980/skynet/resolve/" .. ngx.var.skylink_v2, { - headers = { ["User-Agent"] = "Sia-Agent" } - }) - - -- print error and exit with 500 or exit with response if status is not 200 - if err or (res and res.status ~= ngx.HTTP_OK) then - ngx.status = (err and ngx.HTTP_INTERNAL_SERVER_ERROR) or res.status - ngx.header["content-type"] = "text/plain" - ngx.say(err or res.body) - return ngx.exit(ngx.status) - end - - local json = require('cjson') - local resolve = json.decode(res.body) - ngx.var.skylink_v1 = resolve.skylink - ngx.var.skynet_proof = res.headers["Skynet-Proof"] - end - - -- check if skylink v1 is present on blocklist (compare hashes) - if require("skynet.blocklist").is_blocked(ngx.var.skylink_v1) then - return require("skynet.blocklist").exit_illegal() - end - - -- if skylink is found on nocache list then set internal nocache variable - -- to tell nginx that it should not try and cache this file (too large) - if ngx.shared.nocache:get(ngx.var.skylink_v1) then - ngx.var.nocache = "1" - end - end - - if require("skynet.account").accounts_enabled() then + local accounts = require("skynet.account") + if accounts.accounts_enabled() then -- check if portal is in authenticated only mode - if require("skynet.account").is_access_unauthorized() then - return require("skynet.account").exit_access_unauthorized() + if accounts.is_access_unauthorized() then + return accounts.exit_access_unauthorized() end -- check if portal is in subscription only mode - if require("skynet.account").is_access_forbidden() then - return require("skynet.account").exit_access_forbidden() + if accounts.is_access_forbidden() then + return accounts.exit_access_forbidden() end - - -- get account limits of currently authenticated user - local limits = require("skynet.account").get_account_limits() - - -- apply download speed limit - ngx.var.limit_rate = limits.download end } header_filter_by_lua_block { ngx.header["Skynet-Portal-Api"] = ngx.var.scheme .. "://" .. ngx.var.skynet_portal_domain ngx.header["Skynet-Server-Api"] = ngx.var.scheme .. "://" .. ngx.var.skynet_server_domain - - -- the block below only makes sense if we are using nginx cache - if not ngx.var.skyd_disk_cache_enabled then - -- not empty skynet_proof means this is a skylink v2 request - -- so we should replace the Skynet-Proof header with the one - -- we got from /skynet/resolve/ endpoint, otherwise we would - -- be serving cached empty v1 skylink Skynet-Proof header - if ngx.var.skynet_proof and ngx.var.skynet_proof ~= "" then - ngx.header["Skynet-Proof"] = ngx.var.skynet_proof - end - - -- add skylink to nocache list if it exceeds 1GB (1e+9 bytes) threshold - -- (content length can be nil for already cached files - we can ignore them) - if ngx.header["Content-Length"] and tonumber(ngx.header["Content-Length"]) > 1e+9 then - ngx.shared.nocache:set(ngx.var.skylink_v1, ngx.header["Content-Length"]) - end - end } limit_rate_after 512k; @@ -112,8 +50,8 @@ limit_rate $limit_rate; proxy_read_timeout 600; proxy_set_header User-Agent: Sia-Agent; -# in case the requested skylink was v2 and we already resolved it to skylink v1, we are going to pass resolved -# skylink v1 to skyd to save that extra skylink v2 lookup in skyd but in turn, in case skyd returns a redirect +# in case the requested skylink was v2 and we already resolved it to skylink v1, we are going to pass resolved +# skylink v1 to skyd to save that extra skylink v2 lookup in skyd but in turn, in case skyd returns a redirect # we need to rewrite the skylink v1 to skylink v2 in the location header with proxy_redirect proxy_redirect $skylink_v1 $skylink_v2; proxy_pass http://sia:9980/skynet/skylink/$skylink_v1$path$is_args$args; diff --git a/docker/nginx/conf.d/include/proxy-cache-downloads b/docker/nginx/conf.d/include/proxy-cache-downloads index 85aeeb9e..5dca2771 100644 --- a/docker/nginx/conf.d/include/proxy-cache-downloads +++ b/docker/nginx/conf.d/include/proxy-cache-downloads @@ -1,13 +1,13 @@ -proxy_cache skynet; # cache name -proxy_cache_key $skylink_v1$path$arg_format$arg_attachment$arg_start$arg_end$http_range; # unique cache key -proxy_cache_min_uses 3; # cache after 3 uses -proxy_cache_valid 200 206 307 308 48h; # keep 200, 206, 307 and 308 responses valid for up to 2 days +#proxy_cache skynet; # cache name +#proxy_cache_key $skylink_v1$path$arg_format$arg_attachment$arg_start$arg_end$http_range; # unique cache key +#proxy_cache_min_uses 3; # cache after 3 uses +#proxy_cache_valid 200 206 307 308 48h; # keep 200, 206, 307 and 308 responses valid for up to 2 days add_header X-Proxy-Cache $upstream_cache_status; # add response header to indicate cache hits and misses -# map skyd env variable value to "1" for true and "0" for false (expected by proxy_no_cache) -set_by_lua_block $skyd_disk_cache_enabled { - return os.getenv("SKYD_DISK_CACHE_ENABLED") == "true" and "1" or "0" -} +## map skyd env variable value to "1" for true and "0" for false (expected by proxy_no_cache) +#set_by_lua_block $skyd_disk_cache_enabled { +# return os.getenv("SKYD_DISK_CACHE_ENABLED") == "true" and "1" or "0" +#} # bypass - this will bypass cache hit on request (status BYPASS) # but still stores file in cache if cache conditions are met @@ -15,7 +15,7 @@ proxy_cache_bypass $cookie_nocache $arg_nocache $skyd_disk_cache_enabled; # no cache - this will ignore cache on request (status MISS) # and does not store file in cache under no condition -set_if_empty $nocache "0"; +set $nocache "1"; # disable cache when nocache is set or skyd cache is enabled -proxy_no_cache $nocache $skyd_disk_cache_enabled; +proxy_no_cache $nocache diff --git a/docker/nginx/libs/skynet/account.lua b/docker/nginx/libs/skynet/account.lua index 7be6013f..dc80d93d 100644 --- a/docker/nginx/libs/skynet/account.lua +++ b/docker/nginx/libs/skynet/account.lua @@ -14,6 +14,9 @@ local anon_limits = { ["registry"] = 250 } +-- basic caching of user data +local curr_limits + -- handle request exit when access to portal should be restricted to authenticated users only function _M.exit_access_unauthorized(message) ngx.status = ngx.HTTP_UNAUTHORIZED @@ -35,20 +38,25 @@ function _M.accounts_enabled() end function _M.get_account_limits() + if curr_limits ~= nil then + return curr_limits + end + local cjson = require('cjson') + -- TODO: This needs to accommodate authorization tokens and api keys. if ngx.var.skynet_jwt == "" then return anon_limits end if ngx.var.account_limits == "" then local httpc = require("resty.http").new() - + -- 10.10.10.70 points to accounts service (alias not available when using resty-http) local res, err = httpc:request_uri("http://10.10.10.70:3000/user/limits", { headers = { ["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt } }) - + -- fail gracefully in case /user/limits failed if err or (res and res.status ~= ngx.HTTP_OK) then ngx.log(ngx.ERR, "Failed accounts service request /user/limits: ", err or ("[HTTP " .. res.status .. "] " .. res.body)) @@ -58,7 +66,8 @@ function _M.get_account_limits() end end - return cjson.decode(ngx.var.account_limits) + curr_limits = cjson.decode(ngx.var.account_limits) + return curr_limits end -- detect whether current user is authenticated @@ -78,7 +87,7 @@ function _M.has_subscription() end function _M.is_auth_required() - return os.getenv("ACCOUNTS_LIMIT_ACCESS") == "authenticated" + return os.getenv("ACCOUNTS_LIMIT_ACCESS") == "authenticated" or os.getenv("ACCOUNTS_LIMIT_ACCESS") == "subscription" end function _M.is_subscription_required()