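# nginx.conf  --  docker-openresty
#
# This file is installed to:
#   `/usr/local/openresty/nginx/conf/nginx.conf`
# and is the file loaded by nginx at startup,
# unless the user specifies otherwise.
#
# It tracks the upstream OpenResty's `nginx.conf`, but removes the `server`
# section and adds this directive:
#     `include /etc/nginx/conf.d/*.conf;`
#
# The `docker-openresty` file `nginx.vh.default.conf` is copied to
# `/etc/nginx/conf.d/default.conf`. It contains the `server` section
# of the upstream `nginx.conf`.
#
# See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
#

# NOTE(review): worker processes run as root, so a compromise of a worker
# (including the embedded Lua code) has full privileges inside the container.
# Prefer a dedicated unprivileged user once ownership of the cache, temp and
# log paths allows it.
user root;
worker_processes auto;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

# declare env variables to use it in config
# (nginx drops inherited environment variables unless they are listed with
# `env`, so everything read through os.getenv() must appear here)
env SKYNET_PORTAL_API;
env SKYNET_SERVER_API;
env ACCOUNTS_ENABLED;

events {
    worker_connections 8192;
}

http {
    include mime.types;
    default_type application/octet-stream;

    lua_package_path "/etc/nginx/libs/?.lua;;";

    # $server_alias, $hns_domain and $skylink are not defined in this file;
    # presumably they are set in the included server configs -- confirm.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" $upstream_response_time '
                    '$upstream_bytes_sent $upstream_bytes_received '
                    '"$upstream_http_content_type" "$upstream_cache_status" '
                    '"$server_alias" "$sent_http_skynet_skylink" '
                    '$upstream_connect_time $upstream_header_time '
                    '$request_time "$hns_domain" "$skylink"';

    access_log logs/access.log main;

    # See Move default writable paths to a dedicated directory (#119)
    # https://github.com/openresty/docker-openresty/issues/119
    client_body_temp_path /var/run/openresty/nginx-client-body;
    proxy_temp_path /var/run/openresty/nginx-proxy;
    fastcgi_temp_path /var/run/openresty/nginx-fastcgi;
    uwsgi_temp_path /var/run/openresty/nginx-uwsgi;
    scgi_temp_path /var/run/openresty/nginx-scgi;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    # globally enable http 1.1 on all proxied requests
    # http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version
    proxy_http_version 1.1;

    # proxy cache definition
    proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=skynet:10m max_size=50g min_free=100g inactive=48h use_temp_path=off;

    # create a shared blocklist dictionary with size of 30 megabytes
    # estimated capacity of 1 megabyte dictionary is 3500 blocklist entries
    # that gives us capacity of around 100k entries in 30 megabyte dictionary
    lua_shared_dict blocklist 30m;

    # create a shared dictionary to fill with skylinks that should not
    # be cached due to the large size or some other reasons
    lua_shared_dict nocache 10m;

    # this runs before forking out nginx worker processes
    # (modules required here are loaded once in the master process)
    init_by_lua_block {
        require "cjson"
        require "resty.http"
        require "skynet.blocklist"
        require "skynet.skylink"
        require "skynet.utils"
    }

    # include skynet-portal-api and skynet-server-api header on every request
    # NOTE(review): this publishes the values of SKYNET_PORTAL_API and
    # SKYNET_SERVER_API to every client; confirm they never hold
    # internal-only addresses. When a variable is unset os.getenv() returns
    # nil, and assigning nil to ngx.header leaves that header out.
    header_filter_by_lua_block {
        ngx.header["Skynet-Portal-Api"] = os.getenv("SKYNET_PORTAL_API")
        ngx.header["Skynet-Server-Api"] = os.getenv("SKYNET_SERVER_API")
    }

    # ratelimit specified IPs
    # $limit is 1 only for addresses listed in the `ratelimited` include.
    geo $limit {
        default 0;
        include /etc/nginx/conf.d/include/ratelimited;
    }

    # Requests with an empty key are not accounted by limit_req / limit_conn,
    # so zones keyed on $limit_key apply to the listed addresses only.
    map $limit $limit_key {
        0 "";
        1 $binary_remote_addr;
    }

    # NOTE(review): these zones key on the connection's peer address. If this
    # server sits behind another proxy or CDN, all clients would share one key
    # unless the real client address is restored first -- confirm deployment.
    limit_req_zone $binary_remote_addr zone=uploads_by_ip:10m rate=10r/s;
    limit_req_zone $limit_key zone=uploads_by_ip_throttled:10m rate=10r/m;

    limit_req_zone $binary_remote_addr zone=registry_access_by_ip:10m rate=60r/m;
    limit_req_zone $limit_key zone=registry_access_by_ip_throttled:10m rate=20r/m;

    limit_conn_zone $binary_remote_addr zone=upload_conn:10m;
    limit_conn_zone $limit_key zone=upload_conn_rl:10m;

    limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;

    limit_req_status 429;
    limit_conn_status 429;

    # Add X-Forwarded-* headers
    # proxy_set_header is inherited from this level only by blocks that define
    # no proxy_set_header of their own; a server/location that sets any such
    # header must repeat these two.
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;

    # skynet-jwt contains dash so we cannot use $cookie_skynet-jwt
    # https://richardhart.me/2012/03/18/logging-nginx-cookies-with-dashes/
    #
    # The named capture <match> is what populates $match; without the name the
    # group is not a valid regex and $match is never set.
    # NOTE(review): the pattern is not anchored to a cookie boundary, so a
    # cookie whose name merely ends in `skynet-jwt` also matches. Treat
    # $skynet_jwt as untrusted until the token is verified downstream.
    map $http_cookie $skynet_jwt {
        default '';
        ~skynet-jwt=(?<match>[^\;]+) $match;
    }

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/conf.extra.d/*.conf;
}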