138 lines
4.5 KiB
Nginx Configuration File
138 lines
4.5 KiB
Nginx Configuration File
# nginx.conf -- docker-openresty
|
|
#
|
|
# This file is installed to:
|
|
# `/usr/local/openresty/nginx/conf/nginx.conf`
|
|
# and is the file loaded by nginx at startup,
|
|
# unless the user specifies otherwise.
|
|
#
|
|
# It tracks the upstream OpenResty's `nginx.conf`, but removes the `server`
|
|
# section and adds this directive:
|
|
# `include /etc/nginx/conf.d/*.conf;`
|
|
#
|
|
# The `docker-openresty` file `nginx.vh.default.conf` is copied to
|
|
# `/etc/nginx/conf.d/default.conf`. It contains the `server section
|
|
# of the upstream `nginx.conf`.
|
|
#
|
|
# See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
|
|
#
|
|
|
|
user root;
|
|
worker_processes auto;
|
|
|
|
#error_log logs/error.log;
|
|
#error_log logs/error.log notice;
|
|
#error_log logs/error.log info;
|
|
|
|
#pid logs/nginx.pid;
|
|
|
|
# declare env variables to use it in config
|
|
env SKYNET_PORTAL_API;
|
|
env SKYNET_SERVER_API;
|
|
env ACCOUNTS_ENABLED;
|
|
|
|
events {
|
|
worker_connections 8192;
|
|
}
|
|
|
|
http {
|
|
include mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
lua_package_path "/etc/nginx/libs/?.lua;;";
|
|
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
'"$http_user_agent" $upstream_response_time '
|
|
'$upstream_bytes_sent $upstream_bytes_received '
|
|
'"$upstream_http_content_type" "$upstream_cache_status" '
|
|
'"$server_alias" "$sent_http_skynet_skylink" '
|
|
'$upstream_connect_time $upstream_header_time '
|
|
'$request_time "$hns_domain" "$skylink"';
|
|
|
|
access_log logs/access.log main;
|
|
|
|
# See Move default writable paths to a dedicated directory (#119)
|
|
# https://github.com/openresty/docker-openresty/issues/119
|
|
client_body_temp_path /var/run/openresty/nginx-client-body;
|
|
proxy_temp_path /var/run/openresty/nginx-proxy;
|
|
fastcgi_temp_path /var/run/openresty/nginx-fastcgi;
|
|
uwsgi_temp_path /var/run/openresty/nginx-uwsgi;
|
|
scgi_temp_path /var/run/openresty/nginx-scgi;
|
|
|
|
sendfile on;
|
|
#tcp_nopush on;
|
|
|
|
#keepalive_timeout 0;
|
|
keepalive_timeout 65;
|
|
|
|
# globally enable http 1.1 on all proxied requests
|
|
# http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version
|
|
proxy_http_version 1.1;
|
|
|
|
# proxy cache definition
|
|
proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=skynet:10m max_size=50g min_free=100g inactive=48h use_temp_path=off;
|
|
|
|
# create a shared blocklist dictionary with size of 30 megabytes
|
|
# estimated capacity of 1 megabyte dictionary is 3500 blocklist entries
|
|
# that gives us capacity of around 100k entries in 30 megabyte dictionary
|
|
lua_shared_dict blocklist 30m;
|
|
|
|
# create a shared dictionary to fill with skylinks that should not
|
|
# be cached due to the large size or some other reasons
|
|
lua_shared_dict nocache 10m;
|
|
|
|
# this runs before forking out nginx worker processes
|
|
init_by_lua_block {
|
|
require "cjson"
|
|
require "resty.http"
|
|
require "skynet.blocklist"
|
|
require "skynet.skylink"
|
|
require "skynet.utils"
|
|
}
|
|
|
|
# include skynet-portal-api and skynet-server-api header on every request
|
|
header_filter_by_lua_block {
|
|
ngx.header["Skynet-Portal-Api"] = os.getenv("SKYNET_PORTAL_API")
|
|
ngx.header["Skynet-Server-Api"] = os.getenv("SKYNET_SERVER_API")
|
|
}
|
|
|
|
# ratelimit specified IPs
|
|
geo $limit {
|
|
default 0;
|
|
include /etc/nginx/conf.d/include/ratelimited;
|
|
}
|
|
|
|
map $limit $limit_key {
|
|
0 "";
|
|
1 $binary_remote_addr;
|
|
}
|
|
|
|
limit_req_zone $binary_remote_addr zone=uploads_by_ip:10m rate=10r/s;
|
|
limit_req_zone $limit_key zone=uploads_by_ip_throttled:10m rate=10r/m;
|
|
|
|
limit_req_zone $binary_remote_addr zone=registry_access_by_ip:10m rate=60r/m;
|
|
limit_req_zone $limit_key zone=registry_access_by_ip_throttled:10m rate=20r/m;
|
|
|
|
limit_conn_zone $binary_remote_addr zone=upload_conn:10m;
|
|
limit_conn_zone $limit_key zone=upload_conn_rl:10m;
|
|
|
|
limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;
|
|
|
|
limit_req_status 429;
|
|
limit_conn_status 429;
|
|
|
|
# Add X-Forwarded-* headers
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# skynet-jwt contains dash so we cannot use $cookie_skynet-jwt
|
|
# https://richardhart.me/2012/03/18/logging-nginx-cookies-with-dashes/
|
|
map $http_cookie $skynet_jwt {
|
|
default '';
|
|
~skynet-jwt=(?<match>[^\;]+) $match;
|
|
}
|
|
|
|
include /etc/nginx/conf.d/*.conf;
|
|
include /etc/nginx/conf.extra.d/*.conf;
|
|
}
|