# nginx.conf  --  docker-openresty
#
# This file is installed to:
#   `/usr/local/openresty/nginx/conf/nginx.conf`
# and is the file loaded by nginx at startup,
# unless the user specifies otherwise.
#
# It tracks the upstream OpenResty's `nginx.conf`, but removes the `server`
# section and adds this directive:
#     `include /etc/nginx/conf.d/*.conf;`
#
# The `docker-openresty` file `nginx.vh.default.conf` is copied to
# `/etc/nginx/conf.d/default.conf`.  It contains the `server section
# of the upstream `nginx.conf`.
#
# See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
#

user root;
worker_processes auto;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

# declare env variables to use it in config
env SKYNET_PORTAL_API;
env SKYNET_SERVER_API;
env ACCOUNTS_ENABLED;

events {
    worker_connections 8192;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" $upstream_response_time '
        '$upstream_bytes_sent $upstream_bytes_received '
        '"$upstream_http_content_type" "$upstream_cache_status" '
        '"$server_alias" "$sent_http_skynet_skylink" '
        '$upstream_connect_time $upstream_header_time '
        '$request_time "$hns_domain"';

    access_log  logs/access.log  main;

    # See Move default writable paths to a dedicated directory (#119)
    # https://github.com/openresty/docker-openresty/issues/119
    client_body_temp_path /var/run/openresty/nginx-client-body;
    proxy_temp_path       /var/run/openresty/nginx-proxy;
    fastcgi_temp_path     /var/run/openresty/nginx-fastcgi;
    uwsgi_temp_path       /var/run/openresty/nginx-uwsgi;
    scgi_temp_path        /var/run/openresty/nginx-scgi;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    # globally enable http 1.1 on all proxied requests
    # http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version
    proxy_http_version 1.1;

    # proxy cache definition
    proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=skynet:10m max_size=50g inactive=48h use_temp_path=off;

    # this runs before forking out nginx worker processes
    init_by_lua_block { 
        require "cjson" 
        require "resty.http"
    }

    # include skynet-portal-api and skynet-server-api header on every request
    header_filter_by_lua_block {
        ngx.header["Skynet-Portal-Api"] = os.getenv("SKYNET_PORTAL_API")
        ngx.header["Skynet-Server-Api"] = os.getenv("SKYNET_SERVER_API")
    }

    # ratelimit specified IPs
    geo $limit {
        default 0;
        include /etc/nginx/conf.d/include/ratelimited;
    }

    map $limit $limit_key {
        0 "";
        1 $binary_remote_addr;
    }

    limit_req_zone $binary_remote_addr zone=uploads_by_ip:10m rate=10r/s;
    limit_req_zone $limit_key zone=uploads_by_ip_throttled:10m rate=10r/m;

    limit_req_zone $binary_remote_addr zone=registry_access_by_ip:10m rate=60r/m;
    limit_req_zone $limit_key zone=registry_access_by_ip_throttled:10m rate=20r/m;

    limit_conn_zone $binary_remote_addr zone=upload_conn:10m;
    limit_conn_zone $limit_key zone=upload_conn_rl:10m;

    limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;

    limit_req_status 429;
    limit_conn_status 429;

    # Add X-Forwarded-* headers
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Proto $scheme;

    # skynet-jwt contains dash so we cannot use $cookie_skynet-jwt
    # https://richardhart.me/2012/03/18/logging-nginx-cookies-with-dashes/
    map $http_cookie $skynet_jwt {
        default '';
        ~skynet-jwt=(?<match>[^\;]+) $match;
    }

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/conf.extra.d/*.conf;
}