proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=skynet:10m max_size=10g use_temp_path=off; limit_req_zone $binary_remote_addr zone=stats_by_ip:10m rate=10r/m; limit_conn_zone $binary_remote_addr zone=uploads_by_ip:10m; limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m; limit_req_status 429; limit_conn_status 429; # since we are proxying request to nginx from caddy, access logs will contain caddy's ip address # as the request address so we need to use real_ip_header module to use ip address from # X-Forwarded-For header as a real ip address of the request set_real_ip_from 10.0.0.0/8; set_real_ip_from 172.16.0.0/12; set_real_ip_from 192.168.0.0/16; real_ip_header X-Forwarded-For; # note that we point uploads to port '9970', do this when you want to # run in a configuration where you have two siad instances, one for # downloads and one for uploads. This drastically improves the up - and # download speed of your portal. When running your portal in this double # siad setup, make sure only the download portal runs in 'portal mode'. # The upload siad can be run in normal mode. Set the port to '9980' if # you do not want to run your portal in the double siad setup. upstream siad-upload { server docker-host:9980; } upstream siad-download { server docker-host:9980; } server { listen 80 default_server; listen [::]:80 default_server; # ddos protection: closing slow connections client_body_timeout 5s; client_header_timeout 5s; # Increase the body buffer size, to ensure the internal POSTs can always # parse the full POST contents into memory. client_body_buffer_size 128k; client_max_body_size 128k; location / { include /etc/nginx/conf.d/include/cors; root /var/www/webportal; } location /blacklist { include /etc/nginx/conf.d/include/cors; proxy_cache skynet; proxy_cache_valid any 1m; # cache blacklist for 1 minute proxy_set_header Access-Control-Allow-Origin: *; proxy_set_header User-Agent: Sia-Agent; proxy_pass http://siad-download/skynet/blacklist; } location /portals { include /etc/nginx/conf.d/include/cors; proxy_cache skynet; proxy_cache_valid any 1m; # cache portals for 1 minute proxy_set_header Access-Control-Allow-Origin: *; proxy_set_header User-Agent: Sia-Agent; proxy_pass http://siad-download/skynet/portals; } location /stats { include /etc/nginx/conf.d/include/cors; proxy_cache skynet; proxy_cache_valid any 1m; # cache stats for 1 minute proxy_set_header Access-Control-Allow-Origin: *; proxy_set_header User-Agent: Sia-Agent; proxy_pass http://siad-upload/skynet/stats; } location /statsdown { include /etc/nginx/conf.d/include/cors; proxy_cache skynet; proxy_cache_valid any 1m; # cache stats for 1 minute proxy_set_header Access-Control-Allow-Origin: *; proxy_set_header User-Agent: Sia-Agent; proxy_pass http://siad-download/skynet/stats; } location /health-check { include /etc/nginx/conf.d/include/cors; proxy_set_header Access-Control-Allow-Origin: *; proxy_pass http://health-check:3100; } location /hns { include /etc/nginx/conf.d/include/cors; proxy_set_header Access-Control-Allow-Origin: *; proxy_pass http://handshake-api:3100; } location /hnsres { include /etc/nginx/conf.d/include/cors; proxy_set_header Access-Control-Allow-Origin: *; proxy_pass http://handshake-api:3100; } location /skynet/skyfile { include /etc/nginx/conf.d/include/cors; limit_conn uploads_by_ip 10; # ddos protection: max 10 uploads at a time client_max_body_size 1000M; # make sure to limit the size of upload to a sane value proxy_read_timeout 600; proxy_request_buffering off; # stream uploaded files through the proxy as it comes in proxy_set_header Expect $http_expect; proxy_set_header Access-Control-Allow-Origin: *; proxy_set_header User-Agent: Sia-Agent; # Extract 3 sets of 2 characters from $request_id and assign to $dir1, $dir2, $dir3 # respectfully. The rest of the $request_id is going to be assigned to $dir4. # We use those variables to automatically generate a unique path for the uploaded file. # This ensures that not all uploaded files end up in the same directory, which is something # that causes performance issues in the renter. # Example path result: /af/24/9b/c5ec894920ccc45634dc9a8065 if ($request_id ~* "(\w{2})(\w{2})(\w{2})(\w+)") { set $dir1 $1; set $dir2 $2; set $dir3 $3; set $dir4 $4; } # proxy this call to siad endpoint (make sure the ip is correct) proxy_pass http://siad-upload/skynet/skyfile/$dir1/$dir2/$dir3/$dir4$is_args$args; # rewrite_by_lua_block { # local b64 = require("ngx.base64") # -- open apipassword file for reading (b flag is required for some reason) # -- (file /etc/.sia/apipassword has to be mounted from the host system) # local apipassword_file = io.open("/etc/.sia/apipassword", "rb") # -- read apipassword file contents and trim newline (important) # local apipassword = apipassword_file:read("*all"):gsub("%s+", "") # -- make sure to close file after reading the password # apipassword_file.close() # -- encode the user:password authorization string # -- (in our case user is empty so it is just :password) # local content = b64.encode_base64url(":" .. apipassword) # -- set authorization header with proper base64 encoded string # ngx.req.set_header("Authorization", "Basic " .. content) # } } location ~ "/skynet/skyfile/(.+)" { include /etc/nginx/conf.d/include/cors; limit_conn uploads_by_ip 10; # ddos protection: max 10 uploads at a time client_max_body_size 1000M; # make sure to limit the size of upload to a sane value proxy_read_timeout 600; proxy_request_buffering off; # stream uploaded files through the proxy as it comes in proxy_set_header Expect $http_expect; proxy_set_header Access-Control-Allow-Origin: *; proxy_set_header User-Agent: Sia-Agent; # we need to explicitly use set directive here because $1 will contain the siapath with # decoded whitespaces and set will re-encode it for us before passing it to proxy_pass set $siapath $1; # proxy this call to siad endpoint (make sure the ip is correct) proxy_pass http://siad-upload/skynet/skyfile/$siapath$is_args$args; } location ~ "^/([a-zA-Z0-9-_]{46}(/.*)?)$" { include /etc/nginx/conf.d/include/cors; limit_conn downloads_by_ip 100; # ddos protection: max 100 downloads at a time # we need to explicitly use set directive here because $1 will contain the skylink with # decoded whitespaces and set will re-encode it for us before passing it to proxy_pass set $skylink $1; proxy_read_timeout 600; proxy_set_header Access-Control-Allow-Origin: *; proxy_set_header User-Agent: Sia-Agent; # proxy this call to siad /skynet/skylink/ endpoint (make sure the ip is correct) proxy_pass http://siad-download/skynet/skylink/$skylink$is_args$args; # if you are expecting large headers (ie. Skynet-Skyfile-Metadata), tune these values to your needs proxy_buffer_size 128k; proxy_buffers 4 128k; # cache frequent (> 10) downloads for 24 hours proxy_cache skynet; proxy_cache_key $uri; proxy_cache_min_uses 10; proxy_cache_valid 200 1440m; } location ~ "^/file/([a-zA-Z0-9-_]{46}(/.*)?)$" { include /etc/nginx/conf.d/include/cors; limit_conn downloads_by_ip 100; # ddos protection: max 100 downloads at a time # we need to explicitly use set directive here because $1 will contain the skylink with # decoded whitespaces and set will re-encode it for us before passing it to proxy_pass set $skylink $1; proxy_read_timeout 600; proxy_set_header Access-Control-Allow-Origin: *; proxy_set_header User-Agent: Sia-Agent; # proxy this call to siad /skynet/skylink/ endpoint (make sure the ip is correct) # this alias also adds attachment=true url param to force download the file proxy_pass http://siad-download/skynet/skylink/$skylink?attachment=true&$args; # if you are expecting large headers (ie. Skynet-Skyfile-Metadata), tune these values to your needs proxy_buffer_size 128k; proxy_buffers 4 128k; # cache frequent (> 10) downloads for 24 hours proxy_cache skynet; proxy_cache_key $uri; proxy_cache_min_uses 10; proxy_cache_valid 200 1440m; } }