Merge branch 'master' into add-nginx-stats-endpoint

.github/CODEOWNERS

@@ -1 +0,0 @@
-* @kwypchlo @meeh0w

.github/dependabot.yml

@@ -1,6 +1,62 @@
 version: 2
 updates:
+  - package-ecosystem: npm
+    directory: "/packages/dashboard"
+    schedule:
+      interval: weekly
+  - package-ecosystem: npm
+    directory: "/packages/dnslink-api"
+    schedule:
+      interval: weekly
+  - package-ecosystem: npm
+    directory: "/packages/handshake-api"
+    schedule:
+      interval: weekly
+  - package-ecosystem: npm
+    directory: "/packages/health-check"
+    schedule:
+      interval: weekly
+  - package-ecosystem: npm
+    directory: "/packages/website"
+    schedule:
+      interval: weekly
+  - package-ecosystem: docker
+    directory: "/docker/accounts"
+    schedule:
+      interval: weekly
+  - package-ecosystem: docker
+    directory: "/docker/caddy"
+    schedule:
+      interval: weekly
+  - package-ecosystem: docker
+    directory: "/docker/handshake"
+    schedule:
+      interval: weekly
+  - package-ecosystem: docker
+    directory: "/docker/nginx"
+    schedule:
+      interval: weekly
   - package-ecosystem: docker
     directory: "/docker/sia"
     schedule:
-      interval: monthly
+      interval: weekly
+  - package-ecosystem: docker
+    directory: "/packages/dashboard"
+    schedule:
+      interval: weekly
+  - package-ecosystem: docker
+    directory: "/packages/dnslink-api"
+    schedule:
+      interval: weekly
+  - package-ecosystem: docker
+    directory: "/packages/handshake-api"
+    schedule:
+      interval: weekly
+  - package-ecosystem: docker
+    directory: "/packages/health-check"
+    schedule:
+      interval: weekly
+  - package-ecosystem: docker
+    directory: "/packages/website"
+    schedule:
+      interval: weekly

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,71 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '32 21 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript', 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.github/workflows/deploy-dashboard-v2-storybook.yml

@@ -0,0 +1,31 @@
+name: Build Storybook - packages/dashboard-v2
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - "packages/dashboard-v2/**"
+  pull_request:
+    paths:
+      - "packages/dashboard-v2/**"
+
+defaults:
+  run:
+    working-directory: packages/dashboard-v2
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 16.x
+      - run: yarn install
+      - run: yarn build-storybook
+      - name: "Deploy to Skynet"
+        uses: skynetlabs/deploy-to-skynet-action@v2
+        with:
+          upload-dir: packages/dashboard-v2/storybook-build
+          github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/deploy-website.yml

@@ -0,0 +1,47 @@
+name: Deploy website to Skynet
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - "packages/website/**"
+  pull_request:
+    paths:
+      - "packages/website/**"
+
+defaults:
+  run:
+    working-directory: packages/website
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 16.x
+
+      - run: yarn
+      - run: yarn build
+
+      - name: "Integration tests"
+        uses: cypress-io/github-action@v2
+        env:
+          CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          working-directory: packages/website
+          install: false
+          record: true
+          start: yarn serve
+          wait-on: "http://127.0.0.1:9000"
+
+      - name: "Deploy to Skynet"
+        uses: skynetlabs/deploy-to-skynet-action@v2
+        with:
+          upload-dir: packages/website/public
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          registry-seed: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && secrets.WEBSITE_REGISTRY_SEED || '' }}

.github/workflows/lint-packages-dashboard-v2.yml

@@ -0,0 +1,24 @@
+name: Lint - packages/dashboard-v2
+
+on:
+  pull_request:
+    paths:
+      - packages/dashboard-v2/**
+
+defaults:
+  run:
+    working-directory: packages/dashboard-v2
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 16.x
+
+      - run: yarn
+      - run: yarn prettier --check
+      - run: yarn lint

.github/workflows/lint-packages-dashboard.yml

@@ -0,0 +1,24 @@
+name: Lint - packages/dashboard
+
+on:
+  pull_request:
+    paths:
+      - packages/dashboard/**
+
+defaults:
+  run:
+    working-directory: packages/dashboard
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 16.x
+
+      - run: yarn
+      - run: yarn prettier --check .
+      - run: yarn next lint

.github/workflows/lint-packages-dnslink-api.yml

@@ -0,0 +1,23 @@
+name: Lint - packages/dnslink-api
+
+on:
+  pull_request:
+    paths:
+      - packages/dnslink-api/**
+
+defaults:
+  run:
+    working-directory: packages/dnslink-api
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 16.x
+
+      - run: yarn
+      - run: yarn prettier --check .

.github/workflows/lint-packages-handshake-api.yml

@@ -0,0 +1,23 @@
+name: Lint - packages/handshake-api
+
+on:
+  pull_request:
+    paths:
+      - packages/handshake-api/**
+
+defaults:
+  run:
+    working-directory: packages/handshake-api
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 16.x
+
+      - run: yarn
+      - run: yarn prettier --check .

.github/workflows/lint-packages-health-check.yml

@@ -0,0 +1,23 @@
+name: Lint - packages/health-check
+
+on:
+  pull_request:
+    paths:
+      - packages/health-check/**
+
+defaults:
+  run:
+    working-directory: packages/health-check
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 16.x
+
+      - run: yarn
+      - run: yarn prettier --check .

.github/workflows/lint-packages-website.yml

@@ -0,0 +1,23 @@
+name: Lint - packages/website
+
+on:
+  pull_request:
+    paths:
+      - packages/website/**
+
+defaults:
+  run:
+    working-directory: packages/website
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 16.x
+
+      - run: yarn
+      - run: yarn prettier --check .

.github/workflows/nginx-lua-unit-tests.yml

@@ -0,0 +1,33 @@
+# Install and run unit tests with busted
+# Docs: http://olivinelabs.com/busted/
+
+name: Nginx Lua Unit Tests
+
+on:
+  pull_request:
+    paths:
+      - "docker/nginx/libs/**.lua"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: "3.x"
+          architecture: "x64"
+
+      - name: Install Dependencies
+        run: |
+          pip install hererocks
+          hererocks env --lua=5.1 -rlatest
+          source env/bin/activate
+          luarocks install busted
+          luarocks install hasher
+
+      - name: Unit Tests
+        run: |
+          source env/bin/activate
+          busted --verbose --pattern=spec --directory=docker/nginx/libs .

.github/workflows/test-packages-health-check.yml

@@ -0,0 +1,23 @@
+name: Test - packages/health-check
+
+on:
+  pull_request:
+    paths:
+      - packages/health-check/**
+
+defaults:
+  run:
+    working-directory: packages/health-check
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 16.x
+
+      - run: yarn
+      - run: yarn jest

.gitignore

@@ -67,6 +67,10 @@ yarn-error.log
 # Yarn Integrity file
 .yarn-integrity
 
+# Cypress
+packages/website/cypress/screenshots
+packages/website/cypress/videos
+
 # Docker data
 docker/data
 
@@ -82,10 +86,6 @@ __pycache__
 /.idea/
 /venv*
 
-# Luacov file
-luacov.stats.out
-luacov.report.out
-
 # Setup-script log files
 setup-scripts/serverload.log
 setup-scripts/serverload.json

CHANGELOG.md

@@ -10,46 +10,6 @@ Version History
 
 Latest:
 
-## Mar 8, 2022:
-### v0.1.4
-**Key Updates**
-- expose generic skylink serving endpoint on domain aliases
-- Add abuse scanner service, activated by adding `u` to `PORTAL_MODULES`
-- Add malware scanner service, activated by adding `s` to `PORTAL_MODULES`
-- Remove ORY Kratos, ORY Oathkeeper, CockroachDB.
-- Add `/serverload` endpoint for CPU usage and free disk space
-
-**Bugs Fixed**
-- Add missing servers and blocklist command to the manual blocklist script.
-- fixed a bug when accessing file from skylink via subdomain with a filename that had escaped characters
-- Fix `blocklist-skylink.sh` script that didn't removed blocked skylink from
-  nginx cache.
-- fixed uploaded directory name (was "undefined" before)
-- fixed empty directory upload progress (size was not calculated for directories)
-
-**Other**
-- add new critical health check that scans config and makes sure that all relevant configurations are set
-- Add abuse report configuration
-- Remove hardcoded Airtable default values from blocklist script. Portal
-  operators need to define their own values in portal common config (LastPass).
-- Add health check for the blocker container
-- Drop `Skynet-Requested-Skylink` header
-- Dump disk space usage when health-checker script disables portal due to
-  critical free disk space.
-- Enable the accounting module for skyd
-- Add link to supported setup process in Gitbook.
-- Set `min_free` parameter on the `proxy_cache_path` directive to `100g`
-- Parameterize MongoDB replicaset in `docker-compose.mongodb.yml` via
-  `SKYNET_DB_REPLICASET` from `.env` file.
-- Hot reload Nginx after pruning cache files.
-- Added script to prune nginx cache.
-- Remove hardcoded server list from `blocklist-skylink.sh` so it removes server
-  list duplication and can also be called from Ansible.
-- Remove outdated portal setup documentation and point to developer docs.
-- Block skylinks in batches to improve performance.
-- Add trimming Airtable skylinks from Takedown Request table.
-- Update handshake to use v3.0.1
-
 ## Oct 18, 2021:
 ### v0.1.3
 **Key Updates**

README.md

@@ -3,10 +3,27 @@
 ## Latest Setup Documentation
 
 Latest Skynet Webportal setup documentation and the setup process Skynet Labs
-supports is located at https://portal-docs.skynetlabs.com/.
+supports is located at https://docs.siasky.net/webportal-management/overview.
 
-Some scripts and setup documentation contained in this repository
-(`skynet-webportal`) may be outdated and generally should not be used.
+Some of the scripts and setup documentation contained in this repository
+(`skynet-webportal`) can be outdated and generally should not be used.
+
+## Web application
+
+Change current directory with `cd packages/website`.
+
+Use `yarn start` to start the development server.
+
+Use `yarn build` to compile the application to `/public` directory.
+
+You can use the below build parameters to customize your web application.
+
+- development example `GATSBY_API_URL=https://siasky.dev yarn start`
+- production example `GATSBY_API_URL=https://siasky.net yarn build`
+
+List of available parameters:
+
+- `GATSBY_API_URL`: override api url (defaults to location origin)
 
 ## License
 
@@ -16,3 +33,19 @@ and distribute the software, but you must preserve the payment mechanism in the
 For the purposes of complying with our code license, you can use the following Siacoin address:
 
 `fb6c9320bc7e01fbb9cd8d8c3caaa371386928793c736837832e634aaaa484650a3177d6714a`
+
+## Running a Portal
+For those interested in running a Webportal, head over to our developer docs [here](https://docs.siasky.net/webportal-management/overview.) to learn more.
+
+## Contributing
+
+### Testing Your Code
+
+Before pushing your code, you should verify that it will pass our online test suite.
+
+**Cypress Tests**
+Verify the Cypress test suite by doing the following:
+
+1. In one terminal screen run `GATSBY_API_URL=https://siasky.net website serve`
+1. In a second terminal screen run `yarn cypress run`
+

changelog/changelog-tail.md

@@ -1,43 +1,3 @@
-## Mar 8, 2022:
-### v0.1.4
-**Key Updates**
-- expose generic skylink serving endpoint on domain aliases
-- Add abuse scanner service, activated by adding `u` to `PORTAL_MODULES`
-- Add malware scanner service, activated by adding `s` to `PORTAL_MODULES`
-- Remove ORY Kratos, ORY Oathkeeper, CockroachDB.
-- Add `/serverload` endpoint for CPU usage and free disk space
-
-**Bugs Fixed**
-- Add missing servers and blocklist command to the manual blocklist script.
-- fixed a bug when accessing file from skylink via subdomain with a filename that had escaped characters
-- Fix `blocklist-skylink.sh` script that didn't removed blocked skylink from
-  nginx cache.
-- fixed uploaded directory name (was "undefined" before)
-- fixed empty directory upload progress (size was not calculated for directories)
-
-**Other**
-- add new critical health check that scans config and makes sure that all relevant configurations are set
-- Add abuse report configuration
-- Remove hardcoded Airtable default values from blocklist script. Portal
-  operators need to define their own values in portal common config (LastPass).
-- Add health check for the blocker container
-- Drop `Skynet-Requested-Skylink` header
-- Dump disk space usage when health-checker script disables portal due to
-  critical free disk space.
-- Enable the accounting module for skyd
-- Add link to supported setup process in Gitbook.
-- Set `min_free` parameter on the `proxy_cache_path` directive to `100g`
-- Parameterize MongoDB replicaset in `docker-compose.mongodb.yml` via
-  `SKYNET_DB_REPLICASET` from `.env` file.
-- Hot reload Nginx after pruning cache files.
-- Added script to prune nginx cache.
-- Remove hardcoded server list from `blocklist-skylink.sh` so it removes server
-  list duplication and can also be called from Ansible.
-- Remove outdated portal setup documentation and point to developer docs.
-- Block skylinks in batches to improve performance.
-- Add trimming Airtable skylinks from Takedown Request table.
-- Update handshake to use v3.0.1
-
 ## Oct 18, 2021:
 ### v0.1.3
 **Key Updates**

changelog/items/bugs-fixed/add-missing-blocklist-cmd.md

@@ -0,0 +1 @@
+- Add missing servers and blocklist command to the manual blocklist script.

changelog/items/bugs-fixed/escape-uri-on-subdomain-skylink-requests.md

@@ -0,0 +1 @@
+- fixed a bug when accessing file from skylink via subdomain with a filename that had escaped characters

changelog/items/bugs-fixed/fix-blocklist-skylink.md

@@ -0,0 +1,2 @@
+- Fix `blocklist-skylink.sh` script that didn't removed blocked skylink from
+  nginx cache.

changelog/items/bugs-fixed/fix-context.md

@@ -1,2 +0,0 @@
-- Fix `dashboard-v2` Dockerfile context in `docker-compose.accounts.yml` to
-  avoid Ansible deploy (docker compose build) `permission denied` issues.

changelog/items/bugs-fixed/fix-missing-logs-dir.md

@@ -1 +0,0 @@
-- Fix missing `logs` dir that is required for backup scripts (cron jobs).

changelog/items/bugs-fixed/undefined-dir-upload-name-and-empty-progress.md

@@ -0,0 +1,2 @@
+- fixed uploaded directory name (was "undefined" before)
+- fixed empty directory upload progress (size was not calculated for directories)

changelog/items/key-updates/1223-wildcard-api.md

@@ -0,0 +1 @@
+- expose generic skylink serving endpoint on domain aliases

changelog/items/key-updates/abuse-scanner.md

@@ -0,0 +1 @@
+- Add abuse scanner service, activated by adding `u` to `PORTAL_MODULES`

changelog/items/key-updates/malware-scanner.md

@@ -0,0 +1 @@
+- Add malware scanner service, activated by adding `s` to `PORTAL_MODULES`

changelog/items/key-updates/pinner.md

@@ -1 +0,0 @@
-- Add Pinner service to the portal stack. Activate it by selecting the 'p' module.

changelog/items/key-updates/remove-kratos.md

@@ -0,0 +1 @@
+- Remove ORY Kratos, ORY Oathkeeper, CockroachDB.

changelog/items/key-updates/serverload.md

@@ -0,0 +1 @@
+- Add `/serverload` endpoint for CPU usage and free disk space

changelog/items/other/1332-skyd-config-health-check.md

@@ -0,0 +1 @@
+- add new critical health check that scans config and makes sure that all relevant configurations are set

changelog/items/other/add-abuse-config.md

@@ -0,0 +1 @@
+- Add abuse report configuration

changelog/items/other/airtable-env-vars.md

@@ -0,0 +1,2 @@
+- Remove hardcoded Airtable default values from blocklist script. Portal
+  operators need to define their own values in portal common config (LastPass).

changelog/items/other/blocker-health-check.md

@@ -0,0 +1 @@
+- Add health check for the blocker container

changelog/items/other/drop-requested-skylink-header.md

@@ -0,0 +1 @@
+- Drop `Skynet-Requested-Skylink` header

changelog/items/other/dump-disk-space-usage.md

@@ -0,0 +1,2 @@
+- Dump disk space usage when health-checker script disables portal due to
+  critical free disk space.

changelog/items/other/enable-accounting.md

@@ -0,0 +1 @@
+- Enable the accounting module for skyd

changelog/items/other/gitbook-link.md

@@ -0,0 +1 @@
+- Add link to supported setup process in Gitbook.

changelog/items/other/min-free-param.md

@@ -0,0 +1 @@
+- Set `min_free` parameter on the `proxy_cache_path` directive to `100g`

changelog/items/other/mongo-replicaset-env.md

@@ -0,0 +1,2 @@
+- Parameterize MongoDB replicaset in `docker-compose.mongodb.yml` via
+  `SKYNET_DB_REPLICASET` from `.env` file.

changelog/items/other/nginx-prune-hot-reload.md

@@ -0,0 +1 @@
+- Hot reload Nginx after pruning cache files.

changelog/items/other/nginx-prune.md

@@ -0,0 +1 @@
+- Added script to prune nginx cache.

changelog/items/other/refactor-blocklist.md

@@ -0,0 +1,2 @@
+- Remove hardcoded server list from `blocklist-skylink.sh` so it removes server
+  list duplication and can also be called from Ansible.

changelog/items/other/remove-outdated-documentation.md

@@ -0,0 +1 @@
+- Remove outdated portal setup documentation and point to developer docs.

changelog/items/other/skylinks-block-batch.md

@@ -0,0 +1 @@
+- Block skylinks in batches to improve performance.

changelog/items/other/trim-airtable-skylinks.md

@@ -0,0 +1 @@
+- Add trimming Airtable skylinks from Takedown Request table.

changelog/items/other/update-handshake.md

@@ -0,0 +1 @@
+- Update handshake to use v3.0.1

dc

@@ -5,59 +5,51 @@
 # would use docker-compose with the only difference being that you don't need to specify compose files. For more
 # information you can run `./dc` or `./dc help`.
 
-# get current working directory of this script and prefix all files with it to
-# be able to call this script from anywhere and not only root directory of
-# skynet-webportal project
-cwd="$(dirname -- "$0";)";
-
-# get portal modules configuration from .env file (if defined more than once, the last one is used)
-if [[ -f "${cwd}/.env" ]]; then
-  PORTAL_MODULES=$(grep -e "^PORTAL_MODULES=" ${cwd}/.env | tail -1 | sed "s/PORTAL_MODULES=//")
+if [ -f .env ]; then
+  OLD_IFS=$IFS
+  IFS=$'\n'
+  for x in $(grep -v '^#.*' .env); do export $x; done
+  IFS=$OLD_IFS
 fi
 
 # include base docker compose file
-COMPOSE_FILES="-f ${cwd}/docker-compose.yml"
+COMPOSE_FILES="-f docker-compose.yml"
 
 for i in $(seq 1 ${#PORTAL_MODULES}); do
   # accounts module - alias "a"
   if [[ ${PORTAL_MODULES:i-1:1} == "a" ]]; then
-    COMPOSE_FILES+=" -f ${cwd}/docker-compose.mongodb.yml -f ${cwd}/docker-compose.accounts.yml"
+    COMPOSE_FILES+=" -f docker-compose.mongodb.yml -f docker-compose.accounts.yml"
   fi
 
   # blocker module - alias "b"
   if [[ ${PORTAL_MODULES:i-1:1} == "b" ]]; then
-    COMPOSE_FILES+=" -f ${cwd}/docker-compose.mongodb.yml -f ${cwd}/docker-compose.blocker.yml"
+    COMPOSE_FILES+=" -f docker-compose.mongodb.yml -f docker-compose.blocker.yml"
   fi
 
   # jaeger module - alias "j"
   if [[ ${PORTAL_MODULES:i-1:1} == "j" ]]; then
-    COMPOSE_FILES+=" -f ${cwd}/docker-compose.jaeger.yml"
+    COMPOSE_FILES+=" -f docker-compose.jaeger.yml"
   fi
 
   # malware-scanner module - alias "s"
   if [[ ${PORTAL_MODULES:i-1:1} == "s" ]]; then
-    COMPOSE_FILES+=" -f ${cwd}/docker-compose.blocker.yml -f ${cwd}/docker-compose.mongodb.yml -f ${cwd}/docker-compose.malware-scanner.yml"
+    COMPOSE_FILES+=" -f docker-compose.blocker.yml -f docker-compose.mongodb.yml -f docker-compose.malware-scanner.yml"
   fi
 
   # mongodb module - alias "m"
   if [[ ${PORTAL_MODULES:i-1:1} == "m" ]]; then
-    COMPOSE_FILES+=" -f ${cwd}/docker-compose.mongodb.yml"
+    COMPOSE_FILES+=" -f docker-compose.mongodb.yml"
   fi
 
   # abuse-scanner module - alias "u"
   if [[ ${PORTAL_MODULES:i-1:1} == "u" ]]; then
-    COMPOSE_FILES+=" -f ${cwd}/docker-compose.mongodb.yml -f ${cwd}/docker-compose.blocker.yml -f ${cwd}/docker-compose.abuse-scanner.yml"
-  fi
-
-  # pinner module - alias "p"
-  if [[ ${PORTAL_MODULES:i-1:1} == "p" ]]; then
-    COMPOSE_FILES+=" -f ${cwd}/docker-compose.mongodb.yml -f ${cwd}/docker-compose.pinner.yml"
+    COMPOSE_FILES+=" -f docker-compose.mongodb.yml -f docker-compose.blocker.yml -f docker-compose.abuse-scanner.yml"
   fi
 done
 
 # override file if exists
 if [[ -f docker-compose.override.yml ]]; then
-  COMPOSE_FILES+=" -f ${cwd}/docker-compose.override.yml"
+  COMPOSE_FILES+=" -f docker-compose.override.yml"
 fi
 
 docker-compose $COMPOSE_FILES $@

docker-compose.abuse-scanner.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+version: "3.7"
 
 x-logging: &default-logging
   driver: json-file
@@ -8,9 +8,7 @@ x-logging: &default-logging
 
 services:
   abuse-scanner:
-    # uncomment "build" and comment out "image" to build from sources
-    # build: https://github.com/SkynetLabs/abuse-scanner.git#main
-    image: skynetlabs/abuse-scanner:0.4.0
+    image: skynetlabs/abuse-scanner
     container_name: abuse-scanner
     restart: unless-stopped
     logging: *default-logging
@@ -36,6 +34,3 @@ services:
     depends_on:
       - mongo
       - blocker
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - /tmp:/tmp

docker-compose.accounts.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+version: "3.7"
 
 x-logging: &default-logging
   driver: json-file
@@ -20,9 +20,7 @@ services:
       - ACCOUNTS_LIMIT_ACCESS=${ACCOUNTS_LIMIT_ACCESS:-authenticated} # default to authenticated access only
 
   accounts:
-    # uncomment "build" and comment out "image" to build from sources
-    # build: https://github.com/SkynetLabs/skynet-accounts.git#main
-    image: skynetlabs/skynet-accounts:1.3.0
+    image: skynetlabs/skynet-accounts
     container_name: accounts
     restart: unless-stopped
     logging: *default-logging
@@ -55,23 +53,23 @@ services:
       - mongo
 
   dashboard:
-    # uncomment "build" and comment out "image" to build from sources
-    # build:
-    #   context: https://github.com/SkynetLabs/webportal-accounts-dashboard.git#main
-    #   dockerfile: Dockerfile
-    image: skynetlabs/webportal-accounts-dashboard:2.1.1
+    build:
+      context: ./packages/dashboard
+      dockerfile: Dockerfile
     container_name: dashboard
     restart: unless-stopped
     logging: *default-logging
     env_file:
       - .env
+    environment:
+      - NEXT_PUBLIC_PORTAL_DOMAIN=${PORTAL_DOMAIN}
+      - NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=${STRIPE_PUBLISHABLE_KEY}
     volumes:
-      - ./docker/data/dashboard/.cache:/usr/app/.cache
-      - ./docker/data/dashboard/public:/usr/app/public
+      - ./docker/data/dashboard/.next:/usr/app/.next
     networks:
       shared:
         ipv4_address: 10.10.10.85
     expose:
-      - 9000
+      - 3000
     depends_on:
       - mongo

docker-compose.blocker.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+version: "3.7"
 
 x-logging: &default-logging
   driver: json-file
@@ -13,9 +13,7 @@ services:
       - BLOCKER_PORT=4000
 
   blocker:
-    # uncomment "build" and comment out "image" to build from sources
-    # build: https://github.com/SkynetLabs/blocker.git#main
-    image: skynetlabs/blocker:0.1.2
+    image: skynetlabs/blocker
     container_name: blocker
     restart: unless-stopped
     logging: *default-logging

docker-compose.jaeger.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+version: "3.7"
 
 x-logging: &default-logging
   driver: json-file
@@ -21,7 +21,7 @@ services:
       - JAEGER_REPORTER_LOG_SPANS=false
 
   jaeger-agent:
-    image: jaegertracing/jaeger-agent:1.38.1
+    image: jaegertracing/jaeger-agent
     command:
       [
         "--reporter.grpc.host-port=jaeger-collector:14250",
@@ -43,7 +43,7 @@ services:
       - jaeger-collector
 
   jaeger-collector:
-    image: jaegertracing/jaeger-collector:1.38.1
+    image: jaegertracing/jaeger-collector
     entrypoint: /wait_to_start.sh
     container_name: jaeger-collector
     restart: on-failure
@@ -68,7 +68,7 @@ services:
       - elasticsearch
 
   jaeger-query:
-    image: jaegertracing/jaeger-query:1.38.1
+    image: jaegertracing/jaeger-query
     entrypoint: /wait_to_start.sh
     container_name: jaeger-query
     restart: on-failure
@@ -93,7 +93,7 @@ services:
       - elasticsearch
 
   elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.6
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.13.2
     container_name: elasticsearch
     restart: on-failure
     logging: *default-logging

docker-compose.malware-scanner.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+version: "3.7"
 
 x-logging: &default-logging
   driver: json-file
@@ -17,14 +17,16 @@ services:
       - ./docker/clamav/clamd.conf:/etc/clamav/clamd.conf:ro
     expose:
       - 3310 # NEVER expose this outside of the local network!
+    deploy:
+      resources:
+        limits:
+          cpus: "${CLAMAV_CPU:-0.50}"
     networks:
       shared:
         ipv4_address: 10.10.10.100
 
   malware-scanner:
-    # uncomment "build" and comment out "image" to build from sources
-    # build: https://github.com/SkynetLabs/malware-scanner.git#main
-    image: skynetlabs/malware-scanner:0.1.0
+    image: skynetlabs/malware-scanner
     container_name: malware-scanner
     restart: unless-stopped
     logging: *default-logging

docker-compose.mongodb.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+version: "3.7"
 
 x-logging: &default-logging
   driver: json-file
@@ -14,8 +14,8 @@ services:
       - MONGODB_PASSWORD=${SKYNET_DB_PASS}
 
   mongo:
-    image: mongo:4.4.17
-    command: --keyFile=/data/mgkey --replSet=${SKYNET_DB_REPLICASET:-skynet} --setParameter ShardingTaskExecutorPoolMinSize=10
+    image: mongo:4.4.1
+    command: --keyFile=/data/mgkey --replSet=${SKYNET_DB_REPLICASET:-skynet}
     container_name: mongo
     restart: unless-stopped
     logging: *default-logging

docker-compose.pinner.yml

@@ -1,30 +0,0 @@
-version: "3.8"
-
-x-logging: &default-logging
-  driver: json-file
-  options:
-    max-size: "10m"
-    max-file: "3"
-
-services:
-  pinner:
-    # uncomment "build" and comment out "image" to build from sources
-    # build: https://github.com/SkynetLabs/pinner.git#main
-    image: skynetlabs/pinner:0.7.8
-    container_name: pinner
-    restart: unless-stopped
-    logging: *default-logging
-    env_file:
-      - .env
-    volumes:
-      - ./docker/data/pinner/logs:/logs
-    environment:
-      - PINNER_LOG_LEVEL=${PINNER_LOG_LEVEL:-info}
-    expose:
-      - 4000
-    networks:
-      shared:
-        ipv4_address: 10.10.10.130
-    depends_on:
-      - mongo
-      - sia

docker-compose.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+version: "3.7"
 
 x-logging: &default-logging
   driver: json-file
@@ -15,19 +15,16 @@ networks:
 
 services:
   sia:
-    # uncomment "build" and comment out "image" to build from sources
-    # build:
-    #   context: https://github.com/SkynetLabs/docker-skyd.git#main
-    #   dockerfile: scratch/Dockerfile
-    #   args:
-    #     branch: master
-    image: skynetlabs/skyd:1.6.9
-    command: --disable-api-security --api-addr :9980 --modules gctwra
+    build:
+      context: ./docker/sia
+      dockerfile: Dockerfile
+      args:
+        branch: portal-latest
     container_name: sia
     restart: unless-stopped
-    stop_grace_period: 5m
     logging: *default-logging
     environment:
+      - SIA_MODULES=gctwra
       - SKYD_DISK_CACHE_ENABLED=${SKYD_DISK_CACHE_ENABLED:-true}
       - SKYD_DISK_CACHE_SIZE=${SKYD_DISK_CACHE_SIZE:-53690000000} # 50GB
       - SKYD_DISK_CACHE_MIN_HITS=${SKYD_DISK_CACHE_MIN_HITS:-3}
@@ -42,55 +39,40 @@ services:
     expose:
       - 9980
 
-  certbot:
-    # replace this image with the image supporting your dns provider from
-    # https://hub.docker.com/r/certbot/certbot and adjust CERTBOT_ARGS env variable
-    # note: you will need to authenticate your dns request so consult the plugin docs
-    # configuration https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins
-    #
-    # =================================================================================
-    # example docker-compose.yml changes required for Cloudflare dns provider:
-    #
-    # image: certbot/dns-cloudflare
-    # environment:
-    #   - CERTBOT_ARGS=--dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
-    #
-    # create ./docker/data/certbot/cloudflare.ini file with the following content:
-    # dns_cloudflare_api_token = <api key generated at https://dash.cloudflare.com/profile/api-tokens>
-    #
-    # make sure that the file has 0400 permissions with:
-    # chmod 0400 ./docker/data/certbot/cloudflare.ini
-    image: certbot/dns-route53:v1.31.0
-    entrypoint: sh /entrypoint.sh
-    container_name: certbot
+  caddy:
+    build:
+      context: ./docker/caddy
+      dockerfile: Dockerfile
+    container_name: caddy
     restart: unless-stopped
     logging: *default-logging
     env_file:
       - .env
-    environment:
-      - CERTBOT_ARGS=--dns-route53
     volumes:
-      - ./docker/certbot/entrypoint.sh:/entrypoint.sh
-      - ./docker/data/certbot:/etc/letsencrypt
+      - ./docker/data/caddy/data:/data
+      - ./docker/data/caddy/config:/config
+    networks:
+      shared:
+        ipv4_address: 10.10.10.20
 
   nginx:
-    # uncomment "build" and comment out "image" to build from sources
-    # build:
-    #   context: https://github.com/SkynetLabs/webportal-nginx.git#main
-    #   dockerfile: Dockerfile
-    image: skynetlabs/webportal-nginx:1.0.0
+    build:
+      context: ./docker/nginx
+      dockerfile: Dockerfile
     container_name: nginx
     restart: unless-stopped
     logging: *default-logging
     env_file:
       - .env
+    environment:
+      - SKYD_DISK_CACHE_ENABLED=${SKYD_DISK_CACHE_ENABLED:-true}
     volumes:
       - ./docker/data/nginx/cache:/data/nginx/cache
       - ./docker/data/nginx/blocker:/data/nginx/blocker
       - ./docker/data/nginx/logs:/usr/local/openresty/nginx/logs
       - ./docker/data/nginx/skynet:/data/nginx/skynet:ro
       - ./docker/data/sia/apipassword:/data/sia/apipassword:ro
-      - ./docker/data/certbot:/etc/letsencrypt
+      - ./docker/data/caddy/data:/data/caddy:ro
     networks:
       shared:
         ipv4_address: 10.10.10.30
@@ -99,22 +81,18 @@ services:
       - "80:80"
     depends_on:
       - sia
+      - caddy
       - handshake-api
       - dnslink-api
       - website
 
   website:
-    # uncomment "build" and comment out "image" to build from sources
-    # build:
-    #   context: https://github.com/SkynetLabs/webportal-website.git#main
-    #   dockerfile: Dockerfile
-    image: skynetlabs/webportal-website:0.2.3
+    build:
+      context: ./packages/website
+      dockerfile: Dockerfile
     container_name: website
     restart: unless-stopped
     logging: *default-logging
-    volumes:
-      - ./docker/data/website/.cache:/usr/app/.cache
-      - ./docker/data/website/.public:/usr/app/public
     env_file:
       - .env
     networks:
@@ -124,11 +102,20 @@ services:
       - 9000
 
   handshake:
-    image: handshakeorg/hsd:4.0.2
-    command: --chain-migrate=3 --no-wallet --no-auth --compact-tree-on-init --network=main --http-host=0.0.0.0
+    build:
+      context: ./docker/handshake
+      dockerfile: Dockerfile
+    command: --chain-migrate=2 --wallet-migrate=1
     container_name: handshake
     restart: unless-stopped
     logging: *default-logging
+    environment:
+      - HSD_LOG_CONSOLE=false
+      - HSD_HTTP_HOST=0.0.0.0
+      - HSD_NETWORK=main
+      - HSD_PORT=12037
+    env_file:
+      - .env
     volumes:
       - ./docker/data/handshake/.hsd:/root/.hsd
     networks:
@@ -138,11 +125,9 @@ services:
       - 12037
 
   handshake-api:
-    # uncomment "build" and comment out "image" to build from sources
-    # build:
-    #   context: https://github.com/SkynetLabs/webportal-handshake-api.git#main
-    #   dockerfile: Dockerfile
-    image: skynetlabs/webportal-handshake-api:0.1.3
+    build:
+      context: ./packages/handshake-api
+      dockerfile: Dockerfile
     container_name: handshake-api
     restart: unless-stopped
     logging: *default-logging
@@ -162,11 +147,9 @@ services:
       - handshake
 
   dnslink-api:
-    # uncomment "build" and comment out "image" to build from sources
-    # build:
-    #   context: https://github.com/SkynetLabs/webportal-dnslink-api.git#main
-    #   dockerfile: Dockerfile
-    image: skynetlabs/webportal-dnslink-api:0.2.1
+    build:
+      context: ./packages/dnslink-api
+      dockerfile: Dockerfile
     container_name: dnslink-api
     restart: unless-stopped
     logging: *default-logging
@@ -177,11 +160,9 @@ services:
       - 3100
 
   health-check:
-    # uncomment "build" and comment out "image" to build from sources
-    # build:
-    #   context: https://github.com/SkynetLabs/webportal-health-check.git#main
-    #   dockerfile: Dockerfile
-    image: skynetlabs/webportal-health-check:1.0.0
+    build:
+      context: ./packages/health-check
+      dockerfile: Dockerfile
     container_name: health-check
     restart: unless-stopped
     logging: *default-logging
@@ -197,3 +178,5 @@ services:
       - STATE_DIR=/usr/app/state
     expose:
       - 3100
+    depends_on:
+      - caddy

docker/caddy/Dockerfile

@@ -0,0 +1,18 @@
+FROM caddy:2.4.6-builder AS caddy-builder
+
+# available dns resolvers: https://github.com/caddy-dns
+RUN xcaddy build --with github.com/caddy-dns/route53
+
+FROM caddy:2.4.6-alpine
+
+COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy
+
+# bash required for mo to work (mo is mustache templating engine - https://github.com/tests-always-included/mo)
+RUN apk add --no-cache bash
+
+COPY caddy.json.template mo /etc/caddy/
+
+CMD [ "sh", "-c", \
+      "/etc/caddy/mo < /etc/caddy/caddy.json.template > /etc/caddy/caddy.json ; \
+       caddy run --config /etc/caddy/caddy.json" \
+    ]

docker/caddy/caddy.json.template

@@ -0,0 +1,39 @@
+{
+  "apps": {
+    "tls": {
+      "certificates": {
+        "automate": [
+          {{#PORTAL_DOMAIN}}
+              "{{PORTAL_DOMAIN}}", "*.{{PORTAL_DOMAIN}}", "*.hns.{{PORTAL_DOMAIN}}"
+          {{/PORTAL_DOMAIN}}
+
+          {{#PORTAL_DOMAIN}}{{#SERVER_DOMAIN}},{{/SERVER_DOMAIN}}{{/PORTAL_DOMAIN}}
+
+          {{#SERVER_DOMAIN}}
+              "{{SERVER_DOMAIN}}", "*.{{SERVER_DOMAIN}}", "*.hns.{{SERVER_DOMAIN}}"
+          {{/SERVER_DOMAIN}}
+        ]
+      },
+      "automation": {
+        "policies": [
+          {
+            "issuers": [
+              {
+                "module": "acme",
+                "email": "{{EMAIL_ADDRESS}}",
+                "challenges": {
+                  "dns": {
+                    "provider": {
+                      "name": "route53"
+                    },
+                    "ttl": "30m"
+                  }
+                }
+              }
+            ]
+          }
+        ]
+      }
+    }
+  }
+}

docker/certbot/entrypoint.sh

@@ -1,55 +0,0 @@
-#!/bin/bash
-
-# Portal domain requires 3 domain certificates:
-# - exact portal domain, ie. example.com
-# - wildcard subdomain on portal domain, ie. *.example.com
-#   used for skylinks served from portal subdomain
-# - wildcard subdomain on hns portal domain subdomain, ie. *.hns.example.com
-#   used for resolving handshake domains
-DOMAINS=${PORTAL_DOMAIN},*.${PORTAL_DOMAIN},*.hns.${PORTAL_DOMAIN}
-
-# Add server domain when it is not empty and different from portal domain
-if [ ! -z "${SERVER_DOMAIN}" ] && [ "${PORTAL_DOMAIN}" != "${SERVER_DOMAIN}" ]; then
-    # In case where server domain is not covered by portal domain's
-    # wildcard certificate, add server domain name to domains list.
-    # - server-001.example.com is covered by *.example.com
-    # - server-001.servers.example.com or server-001.example-severs.com
-    #   are not covered by any already requested wildcard certificates
-    #
-    # The condition checks whether server domain does not match portal domain
-    # with exactly one level of subdomain (portal domain wildcard cert):
-    # (start) [anything but the dot] + [dot] + [portal domain] (end)
-    if ! printf "${SERVER_DOMAIN}" | grep -q -E "^[^\.]+\.${PORTAL_DOMAIN}$"; then
-        DOMAINS=${DOMAINS},${SERVER_DOMAIN}
-    fi
-
-    # Server domain requires the same set of domain certificates as portal domain.
-    # Exact server domain case is handled above.
-    DOMAINS=${DOMAINS},*.${SERVER_DOMAIN},*.hns.${SERVER_DOMAIN}
-fi
-
-# The "wait" will prevent an exit from the script while background tasks are
-# still active, so we are adding the line below as a method to prevent orphaning
-# the background child processe. The trap fires when docker terminates the container.
-trap exit TERM
-
-while :; do
-    # Execute certbot and generate or maintain certificates for given domain string.
-    # --non-interactive: we are running this as an automation so we cannot be prompted
-    # --agree-tos: required flag marking agreement with letsencrypt tos
-    # --cert-name: output directory name
-    # --email: required for generating certificates, used for communication with CA
-    # --domains: comma separated list of domains (will generate one bundled SAN cert)
-    # Use CERTBOT_ARGS env variable to pass any additional arguments, ie --dns-route53
-    certbot certonly \
-        --non-interactive --agree-tos --cert-name skynet-portal \
-        --email ${EMAIL_ADDRESS} --domains ${DOMAINS} ${CERTBOT_ARGS}
-
-    # Run a background sleep process that counts down given time
-    # Certbot docs advise running maintenance process every 12 hours
-    sleep 12h &
-    
-    # Await execution until sleep process is finished (it's a background process)
-    # Syntax explanation: ${!} expands to a pid of last ran process
-    wait ${!}
-done

docker/handshake/Dockerfile

@@ -0,0 +1,12 @@
+FROM node:16.14.0-alpine
+
+WORKDIR /opt/hsd
+
+RUN apk update && apk add bash unbound-dev gmp-dev g++ gcc make python2 git
+RUN git clone https://github.com/handshake-org/hsd.git /opt/hsd && \
+    cd /opt/hsd && git checkout v3.0.1 && cd -
+RUN npm install --production
+
+ENV PATH="${PATH}:/opt/hsd/bin:/opt/hsd/node_modules/.bin"
+
+ENTRYPOINT ["hsd"]

docker/nginx/Dockerfile

@@ -0,0 +1,22 @@
+FROM openresty/openresty:1.19.9.1-focal
+
+RUN luarocks install lua-resty-http && \
+    luarocks install hasher && \
+    openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+    -subj '/CN=local-certificate' \
+    -keyout /etc/ssl/local-certificate.key \
+    -out /etc/ssl/local-certificate.crt
+
+COPY mo ./
+COPY libs /etc/nginx/libs
+COPY conf.d /etc/nginx/conf.d
+COPY conf.d.templates /etc/nginx/conf.d.templates
+COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
+
+CMD [ "bash", "-c", \
+      "./mo < /etc/nginx/conf.d.templates/server.account.conf > /etc/nginx/conf.d/server.account.conf ; \
+       ./mo < /etc/nginx/conf.d.templates/server.api.conf > /etc/nginx/conf.d/server.api.conf; \
+       ./mo < /etc/nginx/conf.d.templates/server.hns.conf > /etc/nginx/conf.d/server.hns.conf; \
+       ./mo < /etc/nginx/conf.d.templates/server.skylink.conf > /etc/nginx/conf.d/server.skylink.conf ; \
+       /usr/local/openresty/bin/openresty '-g daemon off;'" \
+    ]

docker/nginx/conf.d.templates/server.account.conf

@@ -0,0 +1,39 @@
+{{#ACCOUNTS_ENABLED}}
+	{{#PORTAL_DOMAIN}}
+	server {
+		server_name account.{{PORTAL_DOMAIN}}; # example: account.siasky.net
+		
+		include /etc/nginx/conf.d/server/server.http;
+	}
+
+	server {
+		server_name account.{{PORTAL_DOMAIN}}; # example: account.siasky.net
+
+		ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{PORTAL_DOMAIN}}/wildcard_.{{PORTAL_DOMAIN}}.crt;
+		ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{PORTAL_DOMAIN}}/wildcard_.{{PORTAL_DOMAIN}}.key;
+
+		include /etc/nginx/conf.d/server/server.account;
+	}
+	{{/PORTAL_DOMAIN}}
+
+	{{#SERVER_DOMAIN}}
+	server {
+		server_name account.{{SERVER_DOMAIN}}; # example: account.eu-ger-1.siasky.net
+
+		include /etc/nginx/conf.d/server/server.http;
+
+		set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
+	}
+
+	server {
+		server_name account.{{SERVER_DOMAIN}}; # example: account.eu-ger-1.siasky.net
+
+		ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{SERVER_DOMAIN}}/wildcard_.{{SERVER_DOMAIN}}.crt;
+		ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{SERVER_DOMAIN}}/wildcard_.{{SERVER_DOMAIN}}.key;
+
+		include /etc/nginx/conf.d/server/server.account;
+		
+		set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
+	}
+	{{/SERVER_DOMAIN}}
+{{/ACCOUNTS_ENABLED}}

docker/nginx/conf.d.templates/server.api.conf

@@ -0,0 +1,37 @@
+{{#PORTAL_DOMAIN}}
+server {
+	server_name {{PORTAL_DOMAIN}}; # example: siasky.net
+	
+	include /etc/nginx/conf.d/server/server.http;
+}
+
+server {
+	server_name {{PORTAL_DOMAIN}}; # example: siasky.net
+
+	ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/{{PORTAL_DOMAIN}}/{{PORTAL_DOMAIN}}.crt;
+	ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/{{PORTAL_DOMAIN}}/{{PORTAL_DOMAIN}}.key;
+
+	include /etc/nginx/conf.d/server/server.api;
+}
+{{/PORTAL_DOMAIN}}
+
+{{#SERVER_DOMAIN}}
+server {
+	server_name {{SERVER_DOMAIN}}; # example: eu-ger-1.siasky.net
+
+	include /etc/nginx/conf.d/server/server.http;
+
+	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
+}
+
+server {
+	server_name {{SERVER_DOMAIN}}; # example: eu-ger-1.siasky.net
+
+	ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/{{SERVER_DOMAIN}}/{{SERVER_DOMAIN}}.crt;
+	ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/{{SERVER_DOMAIN}}/{{SERVER_DOMAIN}}.key;
+
+	include /etc/nginx/conf.d/server/server.api;
+	
+	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
+}
+{{/SERVER_DOMAIN}}

docker/nginx/conf.d.templates/server.hns.conf

@@ -0,0 +1,39 @@
+{{#PORTAL_DOMAIN}}
+server {
+	server_name *.hns.{{PORTAL_DOMAIN}}; # example: *.hns.siasky.net
+	
+	include /etc/nginx/conf.d/server/server.http;
+}
+
+server {
+	server_name *.hns.{{PORTAL_DOMAIN}}; # example: *.hns.siasky.net
+	
+	ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.hns.{{PORTAL_DOMAIN}}/wildcard_.hns.{{PORTAL_DOMAIN}}.crt;
+	ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.hns.{{PORTAL_DOMAIN}}/wildcard_.hns.{{PORTAL_DOMAIN}}.key;
+    
+	proxy_set_header Host {{PORTAL_DOMAIN}};
+	include /etc/nginx/conf.d/server/server.hns;
+}
+{{/PORTAL_DOMAIN}}
+
+{{#SERVER_DOMAIN}}
+server {
+	server_name *.hns.{{SERVER_DOMAIN}}; # example: *.hns.eu-ger-1.siasky.net
+	
+	include /etc/nginx/conf.d/server/server.http;
+
+	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
+}
+
+server {
+	server_name *.hns.{{SERVER_DOMAIN}}; # example: *.hns.eu-ger-1.siasky.net
+	
+	ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.hns.{{SERVER_DOMAIN}}/wildcard_.hns.{{SERVER_DOMAIN}}.crt;
+	ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.hns.{{SERVER_DOMAIN}}/wildcard_.hns.{{SERVER_DOMAIN}}.key;
+    
+	proxy_set_header Host {{SERVER_DOMAIN}};
+	include /etc/nginx/conf.d/server/server.hns;
+	
+	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
+}
+{{/SERVER_DOMAIN}}

docker/nginx/conf.d.templates/server.skylink.conf

@@ -0,0 +1,37 @@
+{{#PORTAL_DOMAIN}}
+server {
+	server_name *.{{PORTAL_DOMAIN}}; # example: *.siasky.net
+
+	include /etc/nginx/conf.d/server/server.http;
+}
+
+server {
+	server_name *.{{PORTAL_DOMAIN}}; # example: *.siasky.net
+
+	ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{PORTAL_DOMAIN}}/wildcard_.{{PORTAL_DOMAIN}}.crt;
+	ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{PORTAL_DOMAIN}}/wildcard_.{{PORTAL_DOMAIN}}.key;
+	
+	include /etc/nginx/conf.d/server/server.skylink;
+}
+{{/PORTAL_DOMAIN}}
+
+{{#SERVER_DOMAIN}}
+server {
+	server_name *.{{SERVER_DOMAIN}}; # example: *.eu-ger-1.siasky.net
+
+	include /etc/nginx/conf.d/server/server.http;
+
+	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
+}
+
+server {
+	server_name *.{{SERVER_DOMAIN}}; # example: *.eu-ger-1.siasky.net
+	
+	ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{SERVER_DOMAIN}}/wildcard_.{{SERVER_DOMAIN}}.crt;
+	ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{SERVER_DOMAIN}}/wildcard_.{{SERVER_DOMAIN}}.key;
+	
+	include /etc/nginx/conf.d/server/server.skylink;
+	
+	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
+}
+{{/SERVER_DOMAIN}}

docker/nginx/conf.d/dhparam.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

docker/nginx/conf.d/gzip.conf

@@ -0,0 +1,18 @@
+# enables gzip compression	
+gzip on;
+
+# set the gzip compression level (1-9)	
+gzip_comp_level 6;
+
+# tells proxies to cache both gzipped and regular versions of a resource	
+gzip_vary on;
+
+# informs NGINX to not compress anything smaller than the defined size	
+gzip_min_length 256;
+
+# compress data even for clients that are connecting via proxies if a response header includes 	
+# the "expired", "no-cache", "no-store", "private", and "Authorization" parameters	
+gzip_proxied expired no-cache no-store private auth;
+
+# enables the types of files that can be compressed	
+gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

docker/nginx/conf.d/include/cors

@@ -0,0 +1,9 @@
+if ($request_method = 'OPTIONS') {
+    include /etc/nginx/conf.d/include/cors-headers;
+    more_set_headers 'Access-Control-Max-Age: 1728000';
+    more_set_headers 'Content-Type: text/plain; charset=utf-8';
+    more_set_headers 'Content-Length: 0';
+    return 204;
+}
+
+include /etc/nginx/conf.d/include/cors-headers;

docker/nginx/conf.d/include/cors-headers

@@ -0,0 +1,5 @@
+more_set_headers 'Access-Control-Allow-Origin: $http_origin';
+more_set_headers 'Access-Control-Allow-Credentials: true';
+more_set_headers 'Access-Control-Allow-Methods: GET, POST, HEAD, OPTIONS, PUT, PATCH, DELETE';
+more_set_headers 'Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,If-None-Match,Cache-Control,Content-Type,Range,X-HTTP-Method-Override,upload-offset,upload-metadata,upload-length,tus-version,tus-resumable,tus-extension,tus-max-size,upload-concat,location,Skynet-API-Key';
+more_set_headers 'Access-Control-Expose-Headers: Content-Length,Content-Range,ETag,Skynet-File-Metadata,Skynet-Skylink,Skynet-Proof,Skynet-Portal-Api,Skynet-Server-Api,upload-offset,upload-metadata,upload-length,tus-version,tus-resumable,tus-extension,tus-max-size,upload-concat,location';

docker/nginx/conf.d/include/generate-siapath

@@ -0,0 +1,11 @@
+# Extract 2 sets of 2 characters from $request_id and assign to $dir1, $dir2
+# respectfully. The rest of the $request_id is going to be assigned to $dir3.
+# We use those variables to automatically generate a unique path for the uploaded file.
+# This ensures that not all uploaded files end up in the same directory, which is something
+# that causes performance issues in the renter.
+# Example path result: /af/24/9bc5ec894920ccc45634dc9a8065
+if ($request_id ~* "(\w{2})(\w{2})(\w+)") {
+    set $dir1 $1;
+    set $dir2 $2;
+    set $dir3 $3;
+}

docker/nginx/conf.d/include/init-optional-variables

@@ -0,0 +1,18 @@
+# optional variables initialisation - those variables are used in log_format
+# but are not set on every route so we need to initialise them with empty value
+# because otherwise logger with throw error
+
+# set only on hns routes
+set $hns_domain "";
+
+# set only if server has been access through SERVER_DOMAIN
+set $server_alias "";
+
+# expose skylink variable so we can use it in access log
+set $skylink "";
+
+# cached account limits (json string) - applies only if accounts are enabled
+set $account_limits "";
+
+# set this internal flag to true if current request should not be limited in any way
+set $internal_no_limits "false";

docker/nginx/conf.d/include/local-network-only

@@ -0,0 +1,3 @@
+allow 127.0.0.1/32;  # localhost
+allow 10.10.10.0/24; # docker network
+deny all;

docker/nginx/conf.d/include/location-hns

@@ -0,0 +1,95 @@
+include /etc/nginx/conf.d/include/proxy-buffer;
+include /etc/nginx/conf.d/include/proxy-pass-internal;
+include /etc/nginx/conf.d/include/portal-access-check;
+
+# variable definititions - we need to define a variable to be able to access it in lua by ngx.var.something
+set $skylink ''; # placeholder for the raw 46 bit skylink
+
+# resolve handshake domain by requesting to /hnsres endpoint and assign correct values to $skylink and $rest
+rewrite_by_lua_block {
+    local json = require('cjson')
+    local httpc = require("resty.http").new()
+
+    -- make a get request to /hnsres endpoint with the domain name from request_uri
+    -- 10.10.10.50 points to handshake-api service (alias not available when using resty-http)
+    local hnsres_res, hnsres_err = httpc:request_uri("http://10.10.10.50:3100/hnsres/" .. ngx.var.hns_domain)
+
+    -- print error and exit with 500 or exit with response if status is not 200
+    if hnsres_err or (hnsres_res and hnsres_res.status ~= ngx.HTTP_OK) then
+        ngx.status = (hnsres_err and ngx.HTTP_INTERNAL_SERVER_ERROR) or hnsres_res.status
+        ngx.header["content-type"] = "text/plain"
+        ngx.say(hnsres_err or hnsres_res.body)
+        return ngx.exit(ngx.status)
+    end
+
+    -- since /hnsres endpoint response is a json, we need to decode it before we access it
+    -- example response: '{"skylink":"sia://XABvi7JtJbQSMAcDwnUnmp2FKDPjg8_tTTFP4BwMSxVdEg"}'
+    local hnsres_json = json.decode(hnsres_res.body)
+
+    -- define local variable containing rest of the skylink if provided
+    local skylink_rest
+
+    if hnsres_json.skylink then
+        -- try to match the skylink with sia:// prefix
+        skylink, skylink_rest = string.match(hnsres_json.skylink, "sia://([^/?]+)(.*)")
+
+        -- in case the skylink did not match, assume that there is no sia:// prefix and try to match again
+        if skylink == nil then
+            skylink, skylink_rest = string.match(hnsres_json.skylink, "/?([^/?]+)(.*)")
+        end
+    elseif hnsres_json.registry then
+        local publickey = hnsres_json.registry.publickey
+        local datakey = hnsres_json.registry.datakey
+
+        -- make a get request to /skynet/registry endpoint with the credentials from text record
+        -- 10.10.10.10 points to sia service (alias not available when using resty-http)
+        local registry_res, registry_err = httpc:request_uri("http://10.10.10.10:9980/skynet/registry?publickey=" .. publickey .. "&datakey=" .. datakey, {
+            headers = { ["User-Agent"] = "Sia-Agent" }
+        })
+
+        -- print error and exit with 500 or exit with response if status is not 200
+        if registry_err or (registry_res and registry_res.status ~= ngx.HTTP_OK) then
+            ngx.status = (registry_err and ngx.HTTP_INTERNAL_SERVER_ERROR) or registry_res.status
+            ngx.header["content-type"] = "text/plain"
+            ngx.say(registry_err or registry_res.body)
+            return ngx.exit(ngx.status)
+        end
+
+        -- since /skynet/registry endpoint response is a json, we need to decode it before we access it
+        local registry_json = json.decode(registry_res.body)
+        -- response will contain a hex encoded skylink, we need to decode it
+        local data = (registry_json.data:gsub('..', function (cc)
+            return string.char(tonumber(cc, 16))
+        end))
+
+        skylink = data
+    end
+
+    -- fail with a generic 404 if skylink has not been extracted from a valid /hnsres response for some reason
+    if not skylink then
+        return ngx.exit(ngx.HTTP_NOT_FOUND)
+    end
+
+    ngx.var.skylink = skylink
+    if ngx.var.path == "/" and skylink_rest ~= nil and skylink_rest ~= "" and skylink_rest ~= "/" then
+        ngx.var.path = skylink_rest
+    end
+}
+
+# we proxy to another nginx location rather than directly to siad because we do not want to deal with caching here
+proxy_pass https://127.0.0.1/$skylink$path$is_args$args;
+
+# in case siad returns location header, we need to replace the skylink with the domain name
+header_filter_by_lua_block {
+    ngx.header["Skynet-Portal-Api"] = ngx.var.scheme .. "://" .. os.getenv("PORTAL_DOMAIN")
+    ngx.header["Skynet-Server-Api"] = ngx.var.scheme .. "://" .. os.getenv("SERVER_DOMAIN")
+
+    if ngx.header.location then
+        -- match location redirect part after the skylink
+        local path = string.match(ngx.header.location, "[^/?]+(.*)");
+
+        -- because siad will set the location header to ie. XABvi7JtJbQSMAcDwnUnmp2FKDPjg8_tTTFP4BwMSxVdEg/index.html
+        -- we need to replace the skylink with the domain_name so we are not redirected to skylink
+        ngx.header.location = ngx.var.hns_domain .. path
+    end
+}

docker/nginx/conf.d/include/location-skylink

@@ -0,0 +1,119 @@
+include /etc/nginx/conf.d/include/cors;
+include /etc/nginx/conf.d/include/proxy-buffer;
+include /etc/nginx/conf.d/include/proxy-cache-downloads;
+include /etc/nginx/conf.d/include/track-download;
+
+limit_conn downloads_by_ip 100; # ddos protection: max 100 downloads at a time
+
+# ensure that skylink that we pass around is base64 encoded (transform base32 encoded ones)
+# this is important because we want only one format in cache keys and logs
+set_by_lua_block $skylink { return require("skynet.skylink").parse(ngx.var.skylink) }
+
+# $skylink_v1 and $skylink_v2 variables default to the same value but in case the requested skylink was:
+# a) skylink v1 - it would not matter, no additional logic is executed
+# b) skylink v2 - in a lua block below we will resolve the skylink v2 into skylink v1 and update 
+#      $skylink_v1 variable so then the proxy request to skyd can be cached in nginx (proxy_cache_key 
+#      in proxy-cache-downloads includes $skylink_v1 as a part of the cache key)
+set $skylink_v1 $skylink;
+set $skylink_v2 $skylink;
+
+# variable for Skynet-Proof header that we need to inject 
+# into a response if the request was for skylink v2
+set $skynet_proof '';
+
+# default download rate to unlimited
+set $limit_rate 0;
+
+access_by_lua_block {
+    -- the block below only makes sense if we are using nginx cache
+    if not ngx.var.skyd_disk_cache_enabled then
+        local httpc = require("resty.http").new()
+
+        -- detect whether requested skylink is v2
+        local isBase32v2 = string.len(ngx.var.skylink) == 55 and string.sub(ngx.var.skylink, 0, 2) == "04"
+        local isBase64v2 = string.len(ngx.var.skylink) == 46 and string.sub(ngx.var.skylink, 0, 2) == "AQ"
+        
+        if isBase32v2 or isBase64v2 then
+            -- 10.10.10.10 points to sia service (alias not available when using resty-http)
+            local res, err = httpc:request_uri("http://10.10.10.10:9980/skynet/resolve/" .. ngx.var.skylink_v2, {
+                headers = { ["User-Agent"] = "Sia-Agent" }
+            })
+
+            -- print error and exit with 500 or exit with response if status is not 200
+            if err or (res and res.status ~= ngx.HTTP_OK) then
+                ngx.status = (err and ngx.HTTP_INTERNAL_SERVER_ERROR) or res.status
+                ngx.header["content-type"] = "text/plain"
+                ngx.say(err or res.body)
+                return ngx.exit(ngx.status)
+            end
+
+            local json = require('cjson')
+            local resolve = json.decode(res.body)
+            ngx.var.skylink_v1 = resolve.skylink
+            ngx.var.skynet_proof = res.headers["Skynet-Proof"]
+        end
+
+        -- check if skylink v1 is present on blocklist (compare hashes)
+        if require("skynet.blocklist").is_blocked(ngx.var.skylink_v1) then
+            return require("skynet.blocklist").exit_illegal()
+        end
+
+        -- if skylink is found on nocache list then set internal nocache variable
+        -- to tell nginx that it should not try and cache this file (too large)
+        if ngx.shared.nocache:get(ngx.var.skylink_v1) then
+            ngx.var.nocache = "1"
+        end
+    end
+
+    if require("skynet.account").accounts_enabled() then
+        -- check if portal is in authenticated only mode
+        if require("skynet.account").is_access_unauthorized() then
+            return require("skynet.account").exit_access_unauthorized()
+        end
+
+        -- check if portal is in subscription only mode
+        if require("skynet.account").is_access_forbidden() then
+            return require("skynet.account").exit_access_forbidden()
+        end
+
+        -- get account limits of currently authenticated user
+        local limits = require("skynet.account").get_account_limits()
+
+        -- apply download speed limit
+        ngx.var.limit_rate = limits.download
+    end
+}
+
+header_filter_by_lua_block {
+    ngx.header["Skynet-Portal-Api"] = ngx.var.scheme .. "://" .. os.getenv("PORTAL_DOMAIN")
+    ngx.header["Skynet-Server-Api"] = ngx.var.scheme .. "://" .. os.getenv("SERVER_DOMAIN")
+
+    -- the block below only makes sense if we are using nginx cache
+    if not ngx.var.skyd_disk_cache_enabled then
+        -- not empty skynet_proof means this is a skylink v2 request
+        -- so we should replace the Skynet-Proof header with the one
+        -- we got from /skynet/resolve/ endpoint, otherwise we would
+        -- be serving cached empty v1 skylink Skynet-Proof header
+        if ngx.var.skynet_proof and ngx.var.skynet_proof ~= "" then
+            ngx.header["Skynet-Proof"] = ngx.var.skynet_proof
+        end
+
+        -- add skylink to nocache list if it exceeds 1GB (1e+9 bytes) threshold
+        -- (content length can be nil for already cached files - we can ignore them)
+        if ngx.header["Content-Length"] and tonumber(ngx.header["Content-Length"]) > 1e+9 then
+            ngx.shared.nocache:set(ngx.var.skylink_v1, ngx.header["Content-Length"])
+        end
+    end
+}
+
+limit_rate_after 512k;
+limit_rate $limit_rate;
+
+proxy_read_timeout 600;
+proxy_set_header User-Agent: Sia-Agent;
+
+# in case the requested skylink was v2 and we already resolved it to skylink v1, we are going to pass resolved 
+# skylink v1 to skyd to save that extra skylink v2 lookup in skyd but in turn, in case skyd returns a redirect 
+# we need to rewrite the skylink v1 to skylink v2 in the location header with proxy_redirect
+proxy_redirect $skylink_v1 $skylink_v2;
+proxy_pass http://sia:9980/skynet/skylink/$skylink_v1$path$is_args$args;

docker/nginx/conf.d/include/location-skynet-registry

@@ -0,0 +1,32 @@
+include /etc/nginx/conf.d/include/cors;
+include /etc/nginx/conf.d/include/sia-auth;
+include /etc/nginx/conf.d/include/track-registry;
+
+limit_req zone=registry_access_by_ip burst=600 nodelay;
+limit_req zone=registry_access_by_ip_throttled burst=200 nodelay;
+
+proxy_set_header User-Agent: Sia-Agent;
+proxy_read_timeout 600; # siad should timeout with 404 after 5 minutes
+proxy_pass http://sia:9980/skynet/registry;
+
+access_by_lua_block {
+    if require("skynet.account").accounts_enabled() then
+        -- check if portal is in authenticated only mode
+        if require("skynet.account").is_access_unauthorized() then
+            return require("skynet.account").exit_access_unauthorized()
+        end
+
+        -- check if portal is in subscription only mode
+        if require("skynet.account").is_access_forbidden() then
+            return require("skynet.account").exit_access_forbidden()
+        end
+
+        -- get account limits of currently authenticated user
+        local limits = require("skynet.account").get_account_limits()
+        
+        -- apply registry rate limits (forced delay)
+        if limits.registry > 0 then
+            ngx.sleep(limits.registry / 1000)
+        end
+    end
+}

docker/nginx/conf.d/include/portal-access-check

@@ -0,0 +1,11 @@
+access_by_lua_block {
+    -- check portal access rules and exit if access is restricted
+    if require("skynet.account").is_access_unauthorized() then
+        return require("skynet.account").exit_access_unauthorized()
+    end
+
+    -- check if portal is in subscription only mode
+    if require("skynet.account").is_access_forbidden() then
+        return require("skynet.account").exit_access_forbidden()
+    end
+}

docker/nginx/conf.d/include/proxy-buffer

@@ -0,0 +1,5 @@
+# if you are expecting large headers (ie. Skynet-Skyfile-Metadata), tune these values to your needs
+# read more: https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx
+proxy_buffer_size 4096k;
+proxy_buffers 64 256k;
+proxy_busy_buffers_size 4096k; # at least as high as proxy_buffer_size

docker/nginx/conf.d/include/proxy-cache-downloads

@@ -0,0 +1,21 @@
+proxy_cache skynet; # cache name
+proxy_cache_key $skylink_v1$path$arg_format$arg_attachment$arg_start$arg_end$http_range; # unique cache key
+proxy_cache_min_uses 3; # cache after 3 uses
+proxy_cache_valid 200 206 307 308 48h; # keep 200, 206, 307 and 308 responses valid for up to 2 days
+add_header X-Proxy-Cache $upstream_cache_status; # add response header to indicate cache hits and misses
+
+# map skyd env variable value to "1" for true and "0" for false (expected by proxy_no_cache)
+set_by_lua_block $skyd_disk_cache_enabled {
+    return os.getenv("SKYD_DISK_CACHE_ENABLED") == "true" and "1" or "0"
+}
+
+# bypass - this will bypass cache hit on request (status BYPASS)
+# but still stores file in cache if cache conditions are met
+proxy_cache_bypass $cookie_nocache $arg_nocache $skyd_disk_cache_enabled;
+
+# no cache - this will ignore cache on request (status MISS)
+# and does not store file in cache under no condition
+set_if_empty $nocache "0";
+
+# disable cache when nocache is set or skyd cache is enabled
+proxy_no_cache $nocache $skyd_disk_cache_enabled;

docker/nginx/conf.d/include/proxy-pass-internal

@@ -0,0 +1,10 @@
+# ----------------------------------------------------------------
+# this file should be included on all locations that proxy_pass to
+# another nginx location - internal nginx traffic
+# ----------------------------------------------------------------
+
+# increase the timeout on internal nginx proxy_pass locations to a
+# value that is significantly higher than expected and let the end
+# location handle correct timeout
+proxy_read_timeout 30m;
+proxy_send_timeout 30m;

docker/nginx/conf.d/include/ratelimited

@@ -0,0 +1,6 @@
+# Add a list of IPs here that should be severely rate limited on upload.
+# Note that it is possible to add IP ranges as well as the full IP address.
+#
+# Examples:
+# 192.168.0.0/24 1;
+# 79.85.222.247 1;

docker/nginx/conf.d/include/sia-auth

@@ -0,0 +1,4 @@
+rewrite_by_lua_block {
+    -- set basic authorization header with base64 encoded apipassword
+    ngx.req.set_header("Authorization", require("skynet.utils").authorization_header())
+}

docker/nginx/conf.d/include/ssl-settings

@@ -0,0 +1,13 @@
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_session_tickets off;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /etc/nginx/conf.d/dhparam.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;

docker/nginx/conf.d/include/track-download

@@ -0,0 +1,51 @@
+# register the download in accounts service (cookies should contain jwt)
+log_by_lua_block {
+    -- this block runs only when accounts are enabled
+    if require("skynet.account").accounts_enabled() then
+        local function track(premature, skylink, status, body_bytes_sent, jwt)
+            if premature then return end
+
+            local httpc = require("resty.http").new()
+            local query = table.concat({ "status=" .. status, "bytes=" .. body_bytes_sent }, "&")
+
+            -- 10.10.10.70 points to accounts service (alias not available when using resty-http)
+            local res, err = httpc:request_uri("http://10.10.10.70:3000/track/download/" .. skylink .. "?" .. query, {
+                method = "POST",
+                headers = { ["Cookie"] = "skynet-jwt=" .. jwt },
+            })
+
+            if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then
+                ngx.log(ngx.ERR, "Failed accounts service request /track/download/" .. skylink .. ": ", err or ("[HTTP " .. res.status .. "] " .. res.body))
+            end
+        end
+
+        if ngx.header["Skynet-Skylink"] and ngx.var.skynet_jwt ~= "" and ngx.status >= ngx.HTTP_OK and ngx.status < ngx.HTTP_SPECIAL_RESPONSE then
+            local ok, err = ngx.timer.at(0, track, ngx.header["Skynet-Skylink"], ngx.status, ngx.var.body_bytes_sent, ngx.var.skynet_jwt)
+            if err then ngx.log(ngx.ERR, "Failed to create timer: ", err) end
+        end
+    end
+
+    -- this block runs only when scanner module is enabled
+    if os.getenv("PORTAL_MODULES"):match("s") then
+        local function scan(premature, skylink)
+            if premature then return end
+
+            local httpc = require("resty.http").new()
+
+            -- 10.10.10.101 points to malware-scanner service (alias not available when using resty-http)
+            local res, err = httpc:request_uri("http://10.10.10.101:4000/scan/" .. skylink, {
+                method = "POST",
+            })
+
+            if err or (res and res.status ~= ngx.HTTP_OK) then
+                ngx.log(ngx.ERR, "Failed malware-scanner request /scan/" .. skylink .. ": ", err or ("[HTTP " .. res.status .. "] " .. res.body))
+            end
+        end
+
+        -- scan all skylinks but make sure to only run if skylink is present (empty if request failed)
+        if ngx.header["Skynet-Skylink"] then
+            local ok, err = ngx.timer.at(0, scan, ngx.header["Skynet-Skylink"])
+            if err then ngx.log(ngx.ERR, "Failed to create timer: ", err) end
+        end
+    end
+}

docker/nginx/conf.d/include/track-registry

@@ -0,0 +1,30 @@
+# register the registry access in accounts service (cookies should contain jwt)
+log_by_lua_block {
+    -- this block runs only when accounts are enabled
+    if require("skynet.account").accounts_enabled() then
+        local function track(premature, request_method, jwt)
+            if premature then return end
+
+            local httpc = require("resty.http").new()
+
+            -- based on request method we assign a registry action string used 
+            -- in track endpoint namely "read" for GET and "write" for POST
+            local registry_action = request_method == "GET" and "read" or "write"
+
+            -- 10.10.10.70 points to accounts service (alias not available when using resty-http)
+            local res, err = httpc:request_uri("http://10.10.10.70:3000/track/registry/" .. registry_action, {
+                method = "POST",
+                headers = { ["Cookie"] = "skynet-jwt=" .. jwt },
+            })
+            
+            if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then
+                ngx.log(ngx.ERR, "Failed accounts service request /track/registry/" .. registry_action .. ": ", err or ("[HTTP " .. res.status .. "] " .. res.body))
+            end
+        end
+
+        if ngx.var.skynet_jwt ~= "" and (ngx.status == ngx.HTTP_OK or ngx.status == ngx.HTTP_NOT_FOUND) then
+            local ok, err = ngx.timer.at(0, track, ngx.req.get_method(), ngx.var.skynet_jwt)
+            if err then ngx.log(ngx.ERR, "Failed to create timer: ", err) end
+        end
+    end
+}

docker/nginx/conf.d/include/track-upload

@@ -0,0 +1,51 @@
+# register the upload in accounts service (cookies should contain jwt)
+log_by_lua_block {
+    -- this block runs only when accounts are enabled
+    if require("skynet.account").accounts_enabled() then
+        local function track(premature, skylink, jwt)
+            if premature then return end
+
+            local httpc = require("resty.http").new()
+
+            -- 10.10.10.70 points to accounts service (alias not available when using resty-http)
+            local res, err = httpc:request_uri("http://10.10.10.70:3000/track/upload/" .. skylink, {
+                method = "POST",
+                headers = { ["Cookie"] = "skynet-jwt=" .. jwt },
+            })
+
+            if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then
+                ngx.log(ngx.ERR, "Failed accounts service request /track/upload/" .. skylink .. ": ", err or ("[HTTP " .. res.status .. "] " .. res.body))
+            end
+        end
+
+        -- report all skylinks (header empty if request failed) but only if jwt is preset (user is authenticated)
+        if ngx.header["Skynet-Skylink"] and ngx.var.skynet_jwt ~= "" then
+            local ok, err = ngx.timer.at(0, track, ngx.header["Skynet-Skylink"], ngx.var.skynet_jwt)
+            if err then ngx.log(ngx.ERR, "Failed to create timer: ", err) end
+        end
+    end
+
+    -- this block runs only when scanner module is enabled
+    if os.getenv("PORTAL_MODULES"):match("s") then
+        local function scan(premature, skylink)
+            if premature then return end
+
+            local httpc = require("resty.http").new()
+
+            -- 10.10.10.101 points to malware-scanner service (alias not available when using resty-http)
+            local res, err = httpc:request_uri("http://10.10.10.101:4000/scan/" .. skylink, {
+                method = "POST",
+            })
+
+            if err or (res and res.status ~= ngx.HTTP_OK) then
+                ngx.log(ngx.ERR, "Failed malware-scanner request /scan/" .. skylink .. ": ", err or ("[HTTP " .. res.status .. "] " .. res.body))
+            end
+        end
+
+        -- scan all skylinks but make sure to only run if skylink is present (empty if request failed)
+        if ngx.header["Skynet-Skylink"] then
+            local ok, err = ngx.timer.at(0, scan, ngx.header["Skynet-Skylink"])
+            if err then ngx.log(ngx.ERR, "Failed to create timer: ", err) end
+        end
+    end
+}

docker/nginx/conf.d/server-override/example

@@ -0,0 +1,7 @@
+# Every file from within this directory will be included in the server block
+# of the nginx configuration, at the very end. See client.conf.
+#
+# Example:
+# location /blog {
+#     root /var/www/blog;
+# }

docker/nginx/conf.d/server.dnslink.conf

@@ -0,0 +1,16 @@
+lua_shared_dict dnslink 10m;
+
+server {
+    listen 80 default_server;
+    
+    include /etc/nginx/conf.d/server/server.dnslink;
+}
+
+server {
+    listen 443 default_server;
+
+    ssl_certificate     /etc/ssl/local-certificate.crt;
+    ssl_certificate_key /etc/ssl/local-certificate.key;
+
+    include /etc/nginx/conf.d/server/server.dnslink;
+}

docker/nginx/conf.d/server.local.conf

@@ -0,0 +1,9 @@
+server {
+    # local server - do not expose this port externally
+    listen 8000;
+
+    # secure traffic by limiting to only local networks
+    include /etc/nginx/conf.d/include/local-network-only;
+
+    include /etc/nginx/conf.d/server/server.local;
+}

docker/nginx/conf.d/server/server.account

@@ -0,0 +1,43 @@
+listen 443 ssl http2;
+
+include /etc/nginx/conf.d/include/ssl-settings;
+include /etc/nginx/conf.d/include/init-optional-variables;
+
+location / {
+    proxy_pass http://dashboard:3000;
+}
+
+location /health {
+    proxy_pass http://accounts:3000;
+}
+
+location /stripe/webhook {
+    proxy_pass http://accounts:3000;
+}
+
+location /api/stripe/billing {
+    proxy_pass http://dashboard:3000;
+}
+
+location /api/stripe/checkout {
+    proxy_pass http://dashboard:3000;
+}
+
+location /api {
+    rewrite /api/(.*) /$1 break;
+    proxy_pass http://accounts:3000;
+}
+
+location /api/register {
+    include /etc/nginx/conf.d/include/cors;
+
+    rewrite /api/(.*) /$1 break;
+    proxy_pass http://accounts:3000;
+}
+
+location /api/login {
+    include /etc/nginx/conf.d/include/cors;
+
+    rewrite /api/(.*) /$1 break;
+    proxy_pass http://accounts:3000;
+}

docker/nginx/conf.d/server/server.api

@@ -0,0 +1,432 @@
+listen 443 ssl http2;
+
+include /etc/nginx/conf.d/include/ssl-settings;
+include /etc/nginx/conf.d/include/init-optional-variables;
+
+# ddos protection: closing slow connections
+client_body_timeout 1h;
+client_header_timeout 1h;
+send_timeout 1h;
+
+proxy_connect_timeout 1h;
+proxy_read_timeout 1h;
+proxy_send_timeout 1h;
+
+# Increase the body buffer size, to ensure the internal POSTs can always
+# parse the full POST contents into memory.
+client_body_buffer_size 128k;
+client_max_body_size 128k;
+
+# legacy endpoint rewrite
+rewrite ^/portals /skynet/portals permanent;
+rewrite ^/stats /skynet/stats permanent;
+rewrite ^/skynet/blacklist /skynet/blocklist permanent;
+
+location / {
+    include /etc/nginx/conf.d/include/cors;
+
+    set $skylink "0404dsjvti046fsua4ktor9grrpe76erq9jot9cvopbhsvsu76r4r30";
+    set $path $uri;
+    set $internal_no_limits "true";
+
+    include /etc/nginx/conf.d/include/location-skylink;
+
+    proxy_intercept_errors on;
+    error_page 400 404 490 500 502 503 504 =200 @fallback;
+}
+
+location @fallback {
+    proxy_pass http://website:9000;
+}
+
+location /docs {
+    proxy_pass https://skynetlabs.github.io/skynet-docs;
+}
+
+location /skynet/blocklist {
+    include /etc/nginx/conf.d/include/cors;
+
+    proxy_cache skynet;
+    proxy_cache_valid any 1m; # cache blocklist for 1 minute
+    proxy_set_header User-Agent: Sia-Agent;
+    proxy_pass http://sia:9980/skynet/blocklist;
+}
+
+location /skynet/portals {
+    include /etc/nginx/conf.d/include/cors;
+
+    proxy_cache skynet;
+    proxy_cache_valid any 1m; # cache portals for 1 minute
+    proxy_set_header User-Agent: Sia-Agent;
+    proxy_pass http://sia:9980/skynet/portals;
+}
+
+location /skynet/stats {
+    include /etc/nginx/conf.d/include/cors;
+
+    proxy_cache skynet;
+    proxy_cache_valid any 1m; # cache stats for 1 minute
+    proxy_set_header User-Agent: Sia-Agent;
+    proxy_read_timeout 5m; # extend the read timeout
+    proxy_pass http://sia:9980/skynet/stats;
+}
+
+location /nginx/stats {
+    include /etc/nginx/conf.d/include/cors;
+
+    charset utf-8;
+    charset_types application/json;
+    default_type application/json;
+
+    content_by_lua_block {
+        local json = require('cjson')
+        ngx.say(json.encode{
+            -- current number of active client connections including waiting connections
+            connections_active = tonumber(ngx.var.connections_active),
+            -- current number of connections where nginx is reading the request header
+            connections_reading = tonumber(ngx.var.connections_reading),
+            -- current number of connections where nginx is writing the response back to the client
+            connections_writing = tonumber(ngx.var.connections_writing),
+            -- current number of idle client connections waiting for a request
+            connections_waiting = tonumber(ngx.var.connections_waiting),
+        })
+        return ngx.exit(ngx.HTTP_OK)
+    }
+}
+
+# Define path for server load endpoint
+location /serverload {
+    # Define root directory in the nginx container to load file from
+    root /usr/local/share;
+
+    # including this because of peer pressure from the other routes
+    include /etc/nginx/conf.d/include/cors;
+
+    # tell nginx to expect json
+    default_type 'application/json';
+
+    # Allow for /serverload to load /serverload.json file
+    try_files $uri $uri.json =404;
+}
+
+location /skynet/health {
+    include /etc/nginx/conf.d/include/cors;
+
+    proxy_cache skynet;
+    proxy_cache_key $request_uri; # use whole request uri (uri + args) as cache key
+    proxy_cache_valid any 1m; # cache responses for 1 minute
+    proxy_set_header User-Agent: Sia-Agent;
+    proxy_read_timeout 5m; # extend the read timeout
+    proxy_pass http://sia:9980;
+}
+
+location /health-check {
+    include /etc/nginx/conf.d/include/cors;
+
+    access_log off; # do not log traffic to health-check endpoint
+
+    proxy_pass http://10.10.10.60:3100; # hardcoded ip because health-check waits for nginx
+}
+
+location /abuse {
+    return 308 /0404guluqu38oaqapku91ed11kbhkge55smh9lhjukmlrj37lfpm8no/;
+}
+
+location /abuse/report {
+    include /etc/nginx/conf.d/include/cors;
+
+    # 10.10.10.110 points to blocker service
+    proxy_pass http://10.10.10.110:4000/powblock;
+}
+
+location /hns {
+    include /etc/nginx/conf.d/include/cors;
+
+    # match the request_uri and extract the hns domain and anything that is passed in the uri after it
+    # example: /hns/something/foo/bar matches:
+    # > hns_domain: something
+    # > path: /foo/bar/
+    set_by_lua_block $hns_domain { return string.match(ngx.var.uri, "/hns/([^/?]+)") }
+    set_by_lua_block $path { return string.match(ngx.var.uri, "/hns/[^/?]+(.*)") }
+
+    proxy_set_header Host $host;
+    include /etc/nginx/conf.d/include/location-hns;
+}
+
+location /hnsres {
+    include /etc/nginx/conf.d/include/cors;
+    include /etc/nginx/conf.d/include/portal-access-check;
+
+    proxy_pass http://handshake-api:3100;
+}
+
+location /skynet/registry {
+    include /etc/nginx/conf.d/include/location-skynet-registry;
+}
+
+location /skynet/restore {
+    include /etc/nginx/conf.d/include/cors;
+    include /etc/nginx/conf.d/include/sia-auth;
+    include /etc/nginx/conf.d/include/portal-access-check;
+
+    client_max_body_size 5M;
+
+    # increase request timeouts
+    proxy_read_timeout 600;
+    proxy_send_timeout 600;
+
+    proxy_request_buffering off; # stream uploaded files through the proxy as it comes in
+    proxy_set_header Expect $http_expect;
+    proxy_set_header User-Agent: Sia-Agent;
+
+    # proxy this call to siad endpoint (make sure the ip is correct)
+    proxy_pass http://sia:9980;
+}
+
+location /skynet/registry/subscription {
+    include /etc/nginx/conf.d/include/cors;
+
+    # default to unlimited bandwidth and no delay
+    set $bandwidthlimit "0";
+    set $notificationdelay "0";
+
+    rewrite_by_lua_block {
+        -- this block runs only when accounts are enabled
+        if os.getenv("PORTAL_MODULES"):match("a") then
+            local httpc = require("resty.http").new()
+
+            -- fetch account limits and set download bandwidth and registry delays accordingly
+            local res, err = httpc:request_uri("http://10.10.10.70:3000/user/limits", {
+                headers = { ["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt }
+            })
+
+            -- fail gracefully in case /user/limits failed
+            if err or (res and res.status ~= ngx.HTTP_OK) then
+                ngx.log(ngx.ERR, "Failed accounts service request /user/limits: ", err or ("[HTTP " .. res.status .. "] " .. res.body))
+            elseif res and res.status == ngx.HTTP_OK then
+                local json = require('cjson')
+                local limits = json.decode(res.body)
+                ngx.var.bandwidthlimit = limits.download
+                ngx.var.notificationdelay = limits.registry
+            end
+        end
+    }
+
+    proxy_set_header User-Agent: Sia-Agent;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+
+    proxy_pass http://sia:9980/skynet/registry/subscription?bandwidthlimit=$bandwidthlimit&notificationdelay=$notificationdelay;
+}
+
+location /skynet/skyfile {
+    include /etc/nginx/conf.d/include/cors;
+    include /etc/nginx/conf.d/include/sia-auth;
+    include /etc/nginx/conf.d/include/track-upload;
+    include /etc/nginx/conf.d/include/generate-siapath;
+    include /etc/nginx/conf.d/include/portal-access-check;
+
+    limit_req zone=uploads_by_ip burst=10 nodelay;
+    limit_req zone=uploads_by_ip_throttled;
+
+    limit_conn upload_conn 5;
+    limit_conn upload_conn_rl 1;
+
+    client_max_body_size 5000M; # make sure to limit the size of upload to a sane value
+
+    # increase request timeouts
+    proxy_read_timeout 600;
+    proxy_send_timeout 600;
+
+    proxy_request_buffering off; # stream uploaded files through the proxy as it comes in
+    proxy_set_header Expect $http_expect;
+    proxy_set_header User-Agent: Sia-Agent;
+
+    # proxy this call to siad endpoint (make sure the ip is correct)
+    proxy_pass http://sia:9980/skynet/skyfile/$dir1/$dir2/$dir3$is_args$args;
+}
+
+# endpoint implementing resumable file uploads open protocol https://tus.io
+location /skynet/tus {
+    include /etc/nginx/conf.d/include/cors-headers; # include cors headers but do not overwrite OPTIONS response
+    include /etc/nginx/conf.d/include/track-upload;
+
+    limit_req zone=uploads_by_ip burst=10 nodelay;
+    limit_req zone=uploads_by_ip_throttled;
+
+    limit_conn upload_conn 5;
+    limit_conn upload_conn_rl 1;
+
+    # TUS chunks size is 40M + leaving 10M of breathing room
+    client_max_body_size 50M;
+
+    # Those timeouts need to be elevated since skyd can stall reading
+    # data for a while when overloaded which would terminate connection
+    client_body_timeout 1h;
+    proxy_send_timeout  1h;
+
+    # Add X-Forwarded-* headers
+    proxy_set_header X-Forwarded-Host  $host;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    # rewrite proxy request to use correct host uri from env variable (required to return correct location header)
+    set_by_lua_block $server_domain { return os.getenv("SERVER_DOMAIN") }
+    proxy_redirect $scheme://$host $scheme://$server_domain;
+
+    # proxy /skynet/tus requests to siad endpoint with all arguments
+    proxy_pass http://sia:9980;
+
+    access_by_lua_block {
+        if require("skynet.account").accounts_enabled() then
+            -- check if portal is in authenticated only mode
+            if require("skynet.account").is_access_unauthorized() then
+                return require("skynet.account").exit_access_unauthorized()
+            end
+
+            -- check if portal is in subscription only mode
+            if require("skynet.account").is_access_forbidden() then
+                return require("skynet.account").exit_access_forbidden()
+            end
+            
+            -- get account limits of currently authenticated user
+            local limits = require("skynet.account").get_account_limits()
+        
+            -- apply upload size limits
+            ngx.req.set_header("SkynetMaxUploadSize", limits.maxUploadSize)
+        end
+    }
+
+    # extract skylink from base64 encoded upload metadata and assign to a proper header
+    header_filter_by_lua_block {
+        ngx.header["Skynet-Portal-Api"] = ngx.var.scheme .. "://" .. os.getenv("PORTAL_DOMAIN")
+        ngx.header["Skynet-Server-Api"] = ngx.var.scheme .. "://" .. os.getenv("SERVER_DOMAIN")
+
+        if ngx.header["Upload-Metadata"] then
+            local encodedSkylink = string.match(ngx.header["Upload-Metadata"], "Skylink ([^,?]+)")
+
+            if encodedSkylink then
+                ngx.header["Skynet-Skylink"] = ngx.decode_base64(encodedSkylink)
+            end
+        end
+    }
+}
+
+location /skynet/pin {
+    include /etc/nginx/conf.d/include/cors;
+    include /etc/nginx/conf.d/include/sia-auth;
+    include /etc/nginx/conf.d/include/track-upload;
+    include /etc/nginx/conf.d/include/generate-siapath;
+    include /etc/nginx/conf.d/include/portal-access-check;
+
+    limit_req zone=uploads_by_ip burst=10 nodelay;
+    limit_req zone=uploads_by_ip_throttled;
+
+    limit_conn upload_conn 5;
+    limit_conn upload_conn_rl 1;
+
+    proxy_set_header User-Agent: Sia-Agent;
+    proxy_pass http://sia:9980$uri?siapath=$dir1/$dir2/$dir3&$args;
+}
+
+location /skynet/metadata {
+    include /etc/nginx/conf.d/include/cors;
+    include /etc/nginx/conf.d/include/portal-access-check;
+
+    header_filter_by_lua_block {
+        ngx.header["Skynet-Portal-Api"] = ngx.var.scheme .. "://" .. os.getenv("PORTAL_DOMAIN")
+        ngx.header["Skynet-Server-Api"] = ngx.var.scheme .. "://" .. os.getenv("SERVER_DOMAIN")
+    }
+
+    proxy_set_header User-Agent: Sia-Agent;
+    proxy_pass http://sia:9980;
+}
+
+location /skynet/resolve {
+    include /etc/nginx/conf.d/include/cors;
+    include /etc/nginx/conf.d/include/portal-access-check;
+
+    header_filter_by_lua_block {
+        ngx.header["Skynet-Portal-Api"] = ngx.var.scheme .. "://" .. os.getenv("PORTAL_DOMAIN")
+        ngx.header["Skynet-Server-Api"] = ngx.var.scheme .. "://" .. os.getenv("SERVER_DOMAIN")
+    }
+
+    proxy_set_header User-Agent: Sia-Agent;
+    proxy_pass http://sia:9980;
+}
+
+location ~ "^/(([a-zA-Z0-9-_]{46}|[a-z0-9]{55})(/.*)?)$" {
+    set $skylink $2;
+    set $path $3;
+
+    include /etc/nginx/conf.d/include/location-skylink;
+}
+
+location ~ "^/file/(([a-zA-Z0-9-_]{46}|[a-z0-9]{55})(/.*)?)$" {
+    set $skylink $2;
+    set $path $3;
+    set $args attachment=true&$args;
+    #set $is_args ?;
+
+    include /etc/nginx/conf.d/include/location-skylink;
+}
+
+location /skynet/trustless/basesector {
+    include /etc/nginx/conf.d/include/cors;
+    include /etc/nginx/conf.d/include/proxy-buffer;
+    include /etc/nginx/conf.d/include/track-download;
+
+    limit_conn downloads_by_ip 100; # ddos protection: max 100 downloads at a time
+
+    # default download rate to unlimited
+    set $limit_rate 0;
+
+    access_by_lua_block {
+        if require("skynet.account").accounts_enabled() then
+            -- check if portal is in authenticated only mode
+            if require("skynet.account").is_access_unauthorized() then
+                return require("skynet.account").exit_access_unauthorized()
+            end
+
+            -- check if portal is in subscription only mode
+            if require("skynet.account").is_access_forbidden() then
+                return require("skynet.account").exit_access_forbidden()
+            end
+
+            -- get account limits of currently authenticated user
+            local limits = require("skynet.account").get_account_limits()
+
+            -- apply download speed limit
+            ngx.var.limit_rate = limits.download
+        end
+    }
+
+    limit_rate_after 512k;
+    limit_rate $limit_rate;
+
+    proxy_set_header User-Agent: Sia-Agent;
+    proxy_pass http://sia:9980;
+}
+
+location /__internal/do/not/use/accounts {
+    include /etc/nginx/conf.d/include/cors;
+
+    charset utf-8;
+    charset_types application/json;
+    default_type application/json;
+
+    content_by_lua_block {
+        local json = require('cjson')
+        local accounts_enabled = require("skynet.account").accounts_enabled()
+        local is_auth_required = require("skynet.account").is_auth_required()
+        local is_authenticated = accounts_enabled and require("skynet.account").is_authenticated()
+
+        ngx.say(json.encode{
+            enabled = accounts_enabled,
+            auth_required = is_auth_required,
+            authenticated = is_authenticated,
+        })
+        return ngx.exit(ngx.HTTP_OK)
+    }
+}
+
+include /etc/nginx/conf.d/server-override/*;

docker/nginx/conf.d/server/server.dnslink

@@ -0,0 +1,46 @@
+include /etc/nginx/conf.d/include/init-optional-variables;
+
+location / {
+    set $skylink "";
+    set $path $uri;
+
+    rewrite_by_lua_block {
+        local cache = ngx.shared.dnslink
+        local cache_value = cache:get(ngx.var.host)
+
+        if cache_value == nil then
+            local httpc = require("resty.http").new()
+
+            -- 10.10.10.55 points to dnslink-api service (alias not available when using resty-http)
+            local res, err = httpc:request_uri("http://10.10.10.55:3100/dnslink/" .. ngx.var.host)
+
+            if err or (res and res.status ~= ngx.HTTP_OK) then
+                -- check whether we can fallback to regular skylink request
+                local match_skylink = ngx.re.match(ngx.var.uri, "^/([a-zA-Z0-9-_]{46}|[a-z0-9]{55})(/.*)?")
+
+                if match_skylink then
+                    ngx.var.skylink = match_skylink[1]
+                    ngx.var.path = match_skylink[2] or "/"
+                else
+                    ngx.status = (err and ngx.HTTP_INTERNAL_SERVER_ERROR) or res.status
+                    ngx.header["content-type"] = "text/plain"
+                    ngx.say(err or res.body)
+                    ngx.exit(ngx.status)
+                end
+            else
+                ngx.var.skylink = res.body
+
+                local cache_ttl = 300 -- 5 minutes cache expire time
+                cache:set(ngx.var.host, ngx.var.skylink, cache_ttl)
+            end
+        else
+            ngx.var.skylink = cache_value
+        end
+
+        ngx.var.skylink = require("skynet.skylink").parse(ngx.var.skylink)
+        ngx.var.skylink_v1 = ngx.var.skylink
+        ngx.var.skylink_v2 = ngx.var.skylink
+    }
+
+    include /etc/nginx/conf.d/include/location-skylink;
+}

docker/nginx/conf.d/server/server.hns

@@ -0,0 +1,11 @@
+listen 443 ssl http2;
+
+include /etc/nginx/conf.d/include/ssl-settings;
+include /etc/nginx/conf.d/include/init-optional-variables;
+
+location / {
+    set_by_lua_block $hns_domain { return string.match(ngx.var.host, "[^%.]+") }
+    set $path $uri;
+
+    include /etc/nginx/conf.d/include/location-hns;
+}

docker/nginx/conf.d/server/server.http

@@ -0,0 +1,7 @@
+listen 80;
+
+include /etc/nginx/conf.d/include/init-optional-variables;
+
+location / {
+    return 301 https://$host$request_uri;
+}

docker/nginx/conf.d/server/server.local

@@ -0,0 +1,37 @@
+include /etc/nginx/conf.d/include/init-optional-variables;
+
+location /skynet/blocklist {
+    client_max_body_size 10m; # increase max body size to account for large lists
+    client_body_buffer_size 10m; # force whole body to memory so we can read it
+
+    content_by_lua_block {        
+        local httpc = require("resty.http").new()
+
+        ngx.req.read_body() -- ensure the post body data is read before using get_body_data
+
+        -- proxy blocklist update request
+        -- 10.10.10.10 points to sia service (alias not available when using resty-http)
+        local res, err = httpc:request_uri("http://10.10.10.10:9980/skynet/blocklist", {
+            method = "POST",
+            body = ngx.req.get_body_data(),
+            headers = {
+                ["Content-Type"] = "application/x-www-form-urlencoded",
+                ["Authorization"] = require("skynet.utils").authorization_header(),
+                ["User-Agent"] = "Sia-Agent",
+            }
+        })
+
+        -- print error and exit with 500 or exit with response if status is not 204
+        if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then
+            ngx.status = (err and ngx.HTTP_INTERNAL_SERVER_ERROR) or res.status
+            ngx.header["content-type"] = "text/plain"
+            ngx.say(err or res.body)
+            return ngx.exit(ngx.status)
+        end
+
+        require("skynet.blocklist").reload()
+
+        ngx.status = ngx.HTTP_NO_CONTENT
+        return ngx.exit(ngx.status)
+    }
+}

docker/nginx/conf.d/server/server.skylink

@@ -0,0 +1,16 @@
+listen 443 ssl http2;
+
+include /etc/nginx/conf.d/include/ssl-settings;
+include /etc/nginx/conf.d/include/init-optional-variables;
+
+location / {
+    set_by_lua_block $skylink { return string.match(ngx.var.host, "%w+") }
+    set_by_lua_block $path {
+        -- strip ngx.var.request_uri from query params - this is basically the same as ngx.var.uri but
+        -- do not use ngx.var.uri because it will already be unescaped and we need to use escaped path
+        -- examples: escaped uri "/b%20r56+7" and unescaped uri "/b r56 7"
+        return string.gsub(ngx.var.request_uri, "?.*", "")
+    }
+
+    include /etc/nginx/conf.d/include/location-skylink;
+}

docker/nginx/libs/basexx.lua

@@ -0,0 +1,301 @@
+-- source: https://github.com/aiq/basexx
+-- license: MIT
+-- modified: exposed from_basexx and to_basexx generic functions
+
+--------------------------------------------------------------------------------
+-- util functions
+--------------------------------------------------------------------------------
+
+local function divide_string( str, max )
+   local result = {}
+
+   local start = 1
+   for i = 1, #str do
+      if i % max == 0 then
+         table.insert( result, str:sub( start, i ) )
+         start = i + 1
+      elseif i == #str then
+         table.insert( result, str:sub( start, i ) )
+      end
+   end
+
+   return result
+end
+ 
+local function number_to_bit( num, length )
+   local bits = {}
+
+   while num > 0 do
+      local rest = math.floor( math.fmod( num, 2 ) )
+      table.insert( bits, rest )
+      num = ( num - rest ) / 2
+   end
+
+   while #bits < length do
+      table.insert( bits, "0" )
+   end
+
+   return string.reverse( table.concat( bits ) )
+end
+
+local function ignore_set( str, set )
+   if set then
+      str = str:gsub( "["..set.."]", "" )
+   end
+   return str
+end
+
+local function pure_from_bit( str )
+   return ( str:gsub( '........', function ( cc )
+               return string.char( tonumber( cc, 2 ) )
+            end ) )
+end
+
+local function unexpected_char_error( str, pos )
+   local c = string.sub( str, pos, pos )
+   return string.format( "unexpected character at position %d: '%s'", pos, c )
+end
+
+--------------------------------------------------------------------------------
+
+local basexx = {}
+
+--------------------------------------------------------------------------------
+-- base2(bitfield) decode and encode function
+--------------------------------------------------------------------------------
+
+local bitMap = { o = "0", i = "1", l = "1" }
+
+function basexx.from_bit( str, ignore )
+   str = ignore_set( str, ignore )
+   str = string.lower( str )
+   str = str:gsub( '[ilo]', function( c ) return bitMap[ c ] end )
+   local pos = string.find( str, "[^01]" )
+   if pos then return nil, unexpected_char_error( str, pos ) end
+
+   return pure_from_bit( str )
+end
+
+function basexx.to_bit( str )
+   return ( str:gsub( '.', function ( c )
+               local byte = string.byte( c )
+               local bits = {}
+               for _ = 1,8 do
+                  table.insert( bits, byte % 2 )
+                  byte = math.floor( byte / 2 )
+               end
+               return table.concat( bits ):reverse()
+            end ) )
+end
+
+--------------------------------------------------------------------------------
+-- base16(hex) decode and encode function
+--------------------------------------------------------------------------------
+
+function basexx.from_hex( str, ignore )
+   str = ignore_set( str, ignore )
+   local pos = string.find( str, "[^%x]" )
+   if pos then return nil, unexpected_char_error( str, pos ) end
+
+   return ( str:gsub( '..', function ( cc )
+               return string.char( tonumber( cc, 16 ) )
+            end ) )
+end
+
+function basexx.to_hex( str )
+   return ( str:gsub( '.', function ( c )
+               return string.format('%02X', string.byte( c ) )
+            end ) )
+end
+
+--------------------------------------------------------------------------------
+-- generic function to decode and encode base32/base64
+--------------------------------------------------------------------------------
+
+function basexx.from_basexx( str, alphabet, bits )
+   local result = {}
+   for i = 1, #str do
+      local c = string.sub( str, i, i )
+      if c ~= '=' then
+         local index = string.find( alphabet, c, 1, true )
+         if not index then
+            return nil, unexpected_char_error( str, i )
+         end
+         table.insert( result, number_to_bit( index - 1, bits ) )
+      end
+   end
+
+   local value = table.concat( result )
+   local pad = #value % 8
+   return pure_from_bit( string.sub( value, 1, #value - pad ) )
+end
+
+function basexx.to_basexx( str, alphabet, bits, pad )
+   local bitString = basexx.to_bit( str )
+
+   local chunks = divide_string( bitString, bits )
+   local result = {}
+   for _,value in ipairs( chunks ) do
+      if ( #value < bits ) then
+         value = value .. string.rep( '0', bits - #value )
+      end
+      local pos = tonumber( value, 2 ) + 1
+      table.insert( result, alphabet:sub( pos, pos ) )
+   end
+
+   table.insert( result, pad )
+   return table.concat( result )   
+end
+
+--------------------------------------------------------------------------------
+-- rfc 3548: http://www.rfc-editor.org/rfc/rfc3548.txt
+--------------------------------------------------------------------------------
+
+local base32Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
+local base32PadMap = { "", "======", "====", "===", "=" }
+
+function basexx.from_base32( str, ignore )
+   str = ignore_set( str, ignore )
+   return basexx.from_basexx( string.upper( str ), base32Alphabet, 5 )
+end
+
+function basexx.to_base32( str )
+   return basexx.to_basexx( str, base32Alphabet, 5, base32PadMap[ #str % 5 + 1 ] )
+end
+
+--------------------------------------------------------------------------------
+-- crockford: http://www.crockford.com/wrmg/base32.html
+--------------------------------------------------------------------------------
+
+local crockfordAlphabet = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
+local crockfordMap = { O = "0", I = "1", L = "1" }
+
+function basexx.from_crockford( str, ignore )
+   str = ignore_set( str, ignore )
+   str = string.upper( str )
+   str = str:gsub( '[ILOU]', function( c ) return crockfordMap[ c ] end )
+   return basexx.from_basexx( str, crockfordAlphabet, 5 )
+end
+
+function basexx.to_crockford( str )
+   return basexx.to_basexx( str, crockfordAlphabet, 5, "" )
+end
+
+--------------------------------------------------------------------------------
+-- base64 decode and encode function
+--------------------------------------------------------------------------------
+
+local base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"..
+                     "abcdefghijklmnopqrstuvwxyz"..
+                     "0123456789+/"
+local base64PadMap = { "", "==", "=" }
+
+function basexx.from_base64( str, ignore )
+   str = ignore_set( str, ignore )
+   return basexx.from_basexx( str, base64Alphabet, 6 )
+end
+
+function basexx.to_base64( str )
+   return basexx.to_basexx( str, base64Alphabet, 6, base64PadMap[ #str % 3 + 1 ] )
+end
+
+--------------------------------------------------------------------------------
+-- URL safe base64 decode and encode function
+--------------------------------------------------------------------------------
+
+local url64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"..
+                     "abcdefghijklmnopqrstuvwxyz"..
+                     "0123456789-_"
+
+function basexx.from_url64( str, ignore )
+   str = ignore_set( str, ignore )
+   return basexx.from_basexx( str, url64Alphabet, 6 )
+end
+
+function basexx.to_url64( str )
+   return basexx.to_basexx( str, url64Alphabet, 6, "" )
+end
+
+--------------------------------------------------------------------------------
+--
+--------------------------------------------------------------------------------
+
+local function length_error( len, d )
+   return string.format( "invalid length: %d - must be a multiple of %d", len, d )
+end
+
+local z85Decoder = { 0x00, 0x44, 0x00, 0x54, 0x53, 0x52, 0x48, 0x00,
+                     0x4B, 0x4C, 0x46, 0x41, 0x00, 0x3F, 0x3E, 0x45, 
+                     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 
+                     0x08, 0x09, 0x40, 0x00, 0x49, 0x42, 0x4A, 0x47, 
+                     0x51, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 
+                     0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 
+                     0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 
+                     0x3B, 0x3C, 0x3D, 0x4D, 0x00, 0x4E, 0x43, 0x00, 
+                     0x00, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 
+                     0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 
+                     0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 
+                     0x21, 0x22, 0x23, 0x4F, 0x00, 0x50, 0x00, 0x00 }
+
+function basexx.from_z85( str, ignore )
+   str = ignore_set( str, ignore )
+   if ( #str % 5 ) ~= 0 then
+      return nil, length_error( #str, 5 )
+   end
+
+   local result = {}
+
+   local value = 0
+   for i = 1, #str do
+      local index = string.byte( str, i ) - 31
+      if index < 1 or index >= #z85Decoder then
+         return nil, unexpected_char_error( str, i )
+      end
+      value = ( value * 85 ) + z85Decoder[ index ]
+      if ( i % 5 ) == 0 then
+         local divisor = 256 * 256 * 256
+         while divisor ~= 0 do
+            local b = math.floor( value / divisor ) % 256
+            table.insert( result, string.char( b ) )
+            divisor = math.floor( divisor / 256 )
+         end
+         value = 0
+      end
+   end
+
+   return table.concat( result )
+end
+
+local z85Encoder = "0123456789"..
+                  "abcdefghijklmnopqrstuvwxyz"..
+                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ"..
+                  ".-:+=^!/*?&<>()[]{}@%$#"
+
+function basexx.to_z85( str )
+   if ( #str % 4 ) ~= 0 then
+      return nil, length_error( #str, 4 )
+   end
+
+   local result = {}
+
+   local value = 0
+   for i = 1, #str do
+      local b = string.byte( str, i )
+      value = ( value * 256 ) + b
+      if ( i % 4 ) == 0 then
+         local divisor = 85 * 85 * 85 * 85
+         while divisor ~= 0 do
+            local index = ( math.floor( value / divisor ) % 85 ) + 1
+            table.insert( result, z85Encoder:sub( index, index ) )
+            divisor = math.floor( divisor / 85 )
+         end
+         value = 0
+      end
+   end
+
+   return table.concat( result )
+end
+
+--------------------------------------------------------------------------------
+
+return basexx

docker/nginx/libs/skynet/account.lua

@@ -0,0 +1,107 @@
+local _M = {}
+
+-- fallback - remember to keep those updated
+local anon_limits = { ["tierName"] = "anonymous", ["upload"] = 655360, ["download"] = 655360, ["maxUploadSize"] = 1073741824, ["registry"] = 250 }
+
+-- no limits applied 
+local no_limits = { ["tierName"] = "internal", ["upload"] = 0, ["download"] = 0, ["maxUploadSize"] = 0, ["registry"] = 0 }
+
+-- free tier name
+local free_tier = "free"
+
+-- handle request exit when access to portal should be restricted to authenticated users only
+function _M.exit_access_unauthorized(message)
+    ngx.status = ngx.HTTP_UNAUTHORIZED
+    ngx.header["content-type"] = "text/plain"
+    ngx.say(message or "Portal operator restricted access to authenticated users only")
+    return ngx.exit(ngx.status)
+end
+
+-- handle request exit when access to portal should be restricted to subscription users only
+function _M.exit_access_forbidden(message)
+    ngx.status = ngx.HTTP_FORBIDDEN
+    ngx.header["content-type"] = "text/plain"
+    ngx.say(message or "Portal operator restricted access to users with active subscription only")
+    return ngx.exit(ngx.status)
+end
+
+function _M.accounts_enabled()
+    return os.getenv("PORTAL_MODULES"):match("a") ~= nil
+end
+
+function _M.get_account_limits()
+    local cjson = require('cjson')
+
+    if ngx.var.internal_no_limits == "true" then
+        return no_limits
+    end
+
+    if ngx.var.skynet_jwt == "" then
+        return anon_limits
+    end
+
+    if ngx.var.account_limits == "" then
+        local httpc = require("resty.http").new()
+        
+        -- 10.10.10.70 points to accounts service (alias not available when using resty-http)
+        local res, err = httpc:request_uri("http://10.10.10.70:3000/user/limits", {
+            headers = { ["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt }
+        })
+        
+        -- fail gracefully in case /user/limits failed
+        if err or (res and res.status ~= ngx.HTTP_OK) then
+            ngx.log(ngx.ERR, "Failed accounts service request /user/limits: ", err or ("[HTTP " .. res.status .. "] " .. res.body))
+            ngx.var.account_limits = cjson.encode(anon_limits)
+        elseif res and res.status == ngx.HTTP_OK then
+            ngx.var.account_limits = res.body
+        end
+    end
+
+    return cjson.decode(ngx.var.account_limits)
+end
+
+-- detect whether current user is authenticated
+function _M.is_authenticated()
+    local limits = _M.get_account_limits()
+
+    return limits.tierName ~= anon_limits.tierName
+end
+
+-- detect whether current user has active subscription
+function _M.is_subscription_account()
+    local limits = _M.get_account_limits()
+
+    return limits.tierName ~= anon_limits.tierName and limits.tierName ~= free_tier
+end
+
+function _M.is_auth_required()
+    return os.getenv("ACCOUNTS_LIMIT_ACCESS") == "authenticated"
+end
+
+function _M.is_subscription_required()
+    return os.getenv("ACCOUNTS_LIMIT_ACCESS") == "subscription"
+end
+
+function is_access_always_allowed()
+    -- options requests do not attach cookies - should always be available
+    -- requests should not be limited based on accounts if accounts are not enabled
+    return ngx.req.get_method() == "OPTIONS" or not _M.accounts_enabled()
+end
+
+-- check whether access is restricted if portal requires authorization
+function _M.is_access_unauthorized()
+    if is_access_always_allowed() then return false end
+
+    -- check if authentication is required and request is not authenticated
+    return _M.is_auth_required() and not _M.is_authenticated()
+end
+
+-- check whether user is authenticated but does not have access to given resources
+function _M.is_access_forbidden()
+    if is_access_always_allowed() then return false end
+
+    -- check if active subscription is required and request is from user without it
+    return _M.is_subscription_required() and not _M.is_subscription_account()
+end
+
+return _M

docker/nginx/libs/skynet/blocklist.lua

@@ -0,0 +1,66 @@
+local _M = {}
+
+function _M.reload()
+    local httpc = require("resty.http").new()
+
+    -- fetch blocklist records (all blocked skylink hashes)
+    -- 10.10.10.10 points to sia service (alias not available when using resty-http)
+    local res, err = httpc:request_uri("http://10.10.10.10:9980/skynet/blocklist", {
+        headers = {
+            ["User-Agent"] = "Sia-Agent",
+        }
+    })
+
+    -- fail whole request in case this request failed, we want to make sure
+    -- the blocklist is pre cached before serving first skylink
+    if err or (res and res.status ~= ngx.HTTP_OK) then
+        ngx.log(ngx.ERR, "Failed skyd service request /skynet/blocklist: ", err or ("[HTTP " .. res.status .. "] " .. res.body))
+        ngx.status = (err and ngx.HTTP_INTERNAL_SERVER_ERROR) or res.status
+        ngx.header["content-type"] = "text/plain"
+        ngx.say(err or res.body)
+        return ngx.exit(ngx.status)
+    elseif res and res.status == ngx.HTTP_OK then
+        local json = require('cjson')
+        local data = json.decode(res.body)
+
+        -- mark all existing entries as expired
+        ngx.shared.blocklist:flush_all()
+
+        -- check if blocklist is table (it is null when empty)
+        if type(data.blocklist) == "table" then
+            -- set all cache entries one by one (resets expiration)
+            for i, hash in ipairs(data.blocklist) do
+                ngx.shared.blocklist:set(hash, true)
+            end
+        end
+
+        -- ensure that init flag is persisted
+        ngx.shared.blocklist:set("__init", true)
+
+        -- remove all leftover expired entries
+        ngx.shared.blocklist:flush_expired()
+    end
+end
+
+function _M.is_blocked(skylink)
+    -- make sure that blocklist has been preloaded
+    if not ngx.shared.blocklist:get("__init") then _M.reload() end
+
+    -- hash skylink before comparing it with blocklist
+    local hash = require("skynet.skylink").hash(skylink)
+
+    -- we need to use get_stale because we are expiring previous
+    -- entries when the blocklist is reloading and we still want
+    -- to block them until the reloading is finished
+    return ngx.shared.blocklist:get_stale(hash) == true
+end
+
+-- exit with 416 illegal content status code
+function _M.exit_illegal()
+    ngx.status = ngx.HTTP_ILLEGAL
+    ngx.header["content-type"] = "text/plain"
+    ngx.say("Unavailable For Legal Reasons")
+    return ngx.exit(ngx.status)
+end
+
+return _M

docker/nginx/libs/skynet/skylink.lua

@@ -0,0 +1,40 @@
+local _M = {}
+
+local basexx = require("basexx")
+local hasher = require("hasher")
+
+-- parse any skylink and return base64 version
+function _M.parse(skylink)
+    if string.len(skylink) == 55 then
+        local decoded = basexx.from_basexx(string.upper(skylink), "0123456789ABCDEFGHIJKLMNOPQRSTUV", 5)
+
+        return basexx.to_url64(decoded)
+    end
+
+    return skylink
+end
+
+-- hash skylink into 32 bytes hash used in blocklist
+function _M.hash(skylink)
+    -- ensure that the skylink is base64 encoded
+    local base64Skylink = _M.parse(skylink)
+
+    -- decode skylink from base64 encoding
+    local rawSkylink = basexx.from_url64(base64Skylink)
+
+    -- drop first two bytes and leave just merkle root
+    local rawMerkleRoot = string.sub(rawSkylink, 3)
+
+    -- parse with blake2b with key length of 32
+    local blake2bHashed = hasher.blake2b(rawMerkleRoot, 32)
+    
+    -- hex encode the blake hash
+    local hexHashed = basexx.to_hex(blake2bHashed)
+
+    -- lowercase the hex encoded hash
+    local lowerHexHashed = string.lower(hexHashed)
+
+    return lowerHexHashed
+end
+
+return _M

docker/nginx/libs/skynet/skylink.spec.lua

@@ -0,0 +1,23 @@
+local skynet_skylink = require("skynet.skylink")
+
+describe("parse", function()
+   local base32 = "0404dsjvti046fsua4ktor9grrpe76erq9jot9cvopbhsvsu76r4r30"
+   local base64 = "AQBG8n_sgEM_nlEp3G0w3vLjmdvSZ46ln8ZXHn-eObZNjA"
+
+   it("should return unchanged base64 skylink", function()
+      assert.is.same(skynet_skylink.parse(base64), base64)
+   end)
+   
+   it("should transform base32 skylink into base64", function()
+      assert.is.same(skynet_skylink.parse(base32), base64)
+   end)
+end)
+
+describe("hash", function()
+   local base64 = "EADi4QZWt87sSDCSjVTcmyI5tE_YAsuC90BcCi_jEmG5NA"
+   local hash = "6cfb9996ad74e5614bbb8e7228e72f1c1bc14dd9ce8a83b3ccabdb6d8d70f330"
+
+   it("should hash skylink", function()
+      assert.is.same(hash, skynet_skylink.hash(base64))
+   end)
+end)