141 lines
4.6 KiB
Nginx Configuration File
141 lines
4.6 KiB
Nginx Configuration File
# Copyright © 2020 Interplanetary Database Association e.V.,
|
|
# BigchainDB and IPDB software contributors.
|
|
# SPDX-License-Identifier: (Apache-2.0 AND CC-BY-4.0)
|
|
# Code is Apache-2.0 and docs are CC-BY-4.0
|
|
|
|
# NOTE: You must replace example.testnet2.com
|
|
# with your node's actual DNS name in TWO PLACES below.
|
|
|
|
# Frontend API server
|
|
worker_processes 4;
|
|
user nobody nogroup;
|
|
error_log /var/log/nginx/error.log;
|
|
|
|
events {
|
|
# Each worker handles up to 512 connections. Increase this for heavy
|
|
# workloads.
|
|
worker_connections 64;
|
|
accept_mutex on;
|
|
use epoll;
|
|
}
|
|
|
|
http {
|
|
access_log /var/log/nginx/access.log combined buffer=16k flush=5s;
|
|
|
|
# Allow 10 req/sec from the same IP address, and store the counters in a
|
|
# `zone` or shared memory location tagged as 'one'.
|
|
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
|
|
|
|
# Enable logging when requests are being throttled.
|
|
limit_req_log_level notice;
|
|
|
|
# HTTP status code that is returned to the client; 429 is for TooManyRequests,
|
|
# ref. RFC 6585
|
|
limit_req_status 429;
|
|
|
|
# Limit requests from the same client, allow `burst` to 20 r/s,
|
|
# `nodelay` or drop connection immediately in case it exceeds this
|
|
# threshold.
|
|
limit_req zone=one burst=20 nodelay;
|
|
|
|
# `slowloris` attack mitigation settings.
|
|
client_body_timeout 10s;
|
|
client_header_timeout 10s;
|
|
|
|
# Do not expose NGINX data/version number in error response and header
|
|
server_tokens off;
|
|
|
|
# To prevent cross-site scripting
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
|
|
keepalive_timeout 60s;
|
|
|
|
# Frontend server for the external clients; acts as HTTPS termination point.
|
|
server {
|
|
listen 443 ssl;
|
|
server_name "example.testnet2.com";
|
|
|
|
ssl_certificate /etc/nginx/ssl/cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/cert.key;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
|
|
underscores_in_headers on;
|
|
|
|
# Forward websockets directly to backend BDB.
|
|
location /api/v1/streams/valid_transactions {
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_pass http://localhost:9985;
|
|
proxy_read_timeout 600s;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
|
|
# Forward other URL paths as per business logic/use case to BDB
|
|
location / {
|
|
proxy_ignore_client_abort on;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
# max client request body size: average transaction size.
|
|
client_max_body_size 15k;
|
|
|
|
# GET requests are forwarded to BDB.
|
|
if ($request_method = GET) {
|
|
proxy_pass http://localhost:9984;
|
|
}
|
|
|
|
# POST requests: Enable CORS then forward to BDB.
|
|
if ($request_method = POST) {
|
|
add_header 'Access-Control-Allow-Origin' '*';
|
|
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
|
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
|
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
|
|
|
proxy_pass http://localhost:9984;
|
|
}
|
|
|
|
# OPTIONS requests: Enable CORS and return 204.
|
|
if ($request_method = 'OPTIONS') {
|
|
add_header 'Access-Control-Allow-Origin' '*';
|
|
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
|
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
|
add_header 'Access-Control-Max-Age' 43200;
|
|
add_header 'Content-Type' 'text/plain charset=UTF-8';
|
|
add_header 'Content-Length' 0;
|
|
return 204;
|
|
}
|
|
|
|
# Only return this response if request_method is neither POST|GET|OPTIONS
|
|
if ($request_method !~ ^(GET|OPTIONS|POST)$) {
|
|
return 444;
|
|
}
|
|
}
|
|
}
|
|
|
|
# Frontend server for the load balancer to respond to health checks.
|
|
server {
|
|
listen 9000;
|
|
|
|
location = /health {
|
|
return 200;
|
|
}
|
|
}
|
|
|
|
# Frontend server for the external clients; returns a pretty error message
|
|
# when an HTTP request is sent instead of HTTPS.
|
|
server {
|
|
listen 80;
|
|
server_name "example.testnet2.com";
|
|
|
|
location / {
|
|
add_header Upgrade "TLS/1.2, HTTP/1.1" always;
|
|
default_type text/plain;
|
|
return 426 'Consider using the HTTPS protocol next time!';
|
|
}
|
|
}
|
|
}
|