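  # OpenResty (nginx + Lua) front door for an IOTA full node.  A single server
  # block serves the public IRI API on 14265 (plain HTTP, as IOTA clients
  # expect) and the operator dashboards (Grafana, Prometheus, IOTA exporter,
  # IOTA Peer Manager) over TLS on 443.
  user iota;
  worker_processes auto;
  worker_rlimit_nofile 40960;   # matches worker_connections below
  error_log logs/error.log;
  pid /usr/local/openresty/nginx/logs/nginx.pid;

  events {
      worker_connections 40960;
      multi_accept on;
  }

  http {
      default_type application/json;
      keepalive_timeout 5m;
      send_timeout 6m;
      init_by_lua 'require "cjson"';   # preload the JSON parser used by the IRI command filter
      ssl_session_cache shared:SSL:32m;
      ssl_session_timeout 5m;
      server_tokens off;

      log_format main '$remote_addr - $remote_user [$time_local] $status '
                      '"$request" $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

      # WebSocket helper: forward "Connection: upgrade" only when the client
      # actually asked for an upgrade, "close" otherwise.
      map $http_upgrade $connection_upgrade {
          default upgrade;
          ''      close;
      }

      # All backends are loopback-only; nginx is their sole exposure.
      upstream iri           { server 127.0.0.1:8080; }
      upstream grafana       { server 127.0.0.1:3000; }
      upstream prometheus    { server 127.0.0.1:9090; }
      upstream iota_exporter { server 127.0.0.1:9311; }
      upstream ipm           { server 127.0.0.1:8888; }

      # Defaults for every proxied location.  proxy_set_header (like add_header)
      # is inherited only by contexts that declare none of their own, so any
      # location that needs an extra header must repeat this whole set.
      proxy_redirect off;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_connect_timeout 2m;
      proxy_send_timeout 2m;
      proxy_read_timeout 2m;

      proxy_buffer_size 4k;
      proxy_buffers 4 32k;
      proxy_busy_buffers_size 64k;
      proxy_temp_file_write_size 64k;

      client_max_body_size 1m;
      # Bodies above this size are spooled to a temp file; the Lua filter in
      # location / reads that file rather than assuming the body is in memory.
      client_body_buffer_size 128k;

      # Per-client request rate limits, one zone per backend.
      limit_req_zone $binary_remote_addr zone=iri:5m rate=50r/s;
      limit_req_zone $binary_remote_addr zone=grafana:5m rate=120r/s;
      limit_req_zone $binary_remote_addr zone=prometheus:5m rate=55r/s;
      limit_req_zone $binary_remote_addr zone=iota_exporter:5m rate=55r/s;
      limit_req_zone $binary_remote_addr zone=ipm:5m rate=15r/s;

      server {
          listen 14265 default_server deferred;   # plain-HTTP IRI API port
          listen 443 ssl http2 deferred;
          server_name www.iotaqubic.us;

          ssl_certificate /etc/letsencrypt/live/www.iotaqubic.us/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/www.iotaqubic.us/privkey.pem;
          # TLS 1.0/1.1 are deprecated (RFC 8996).  TLSv1.3 only takes effect when
          # OpenResty is linked against OpenSSL 1.1.1 or newer; older builds ignore it.
          ssl_protocols TLSv1.2 TLSv1.3;
          ssl_ciphers HIGH:!aNULL:!MD5;
          ssl_prefer_server_ciphers on;

          ssl_stapling on;
          ssl_stapling_verify on;
          ssl_trusted_certificate /etc/letsencrypt/live/www.iotaqubic.us/fullchain.pem;
          resolver 1.1.1.1 8.8.8.8 8.8.4.4 9.9.9.9 valid=300s;   # used for OCSP stapling
          resolver_timeout 5s;

          # Security response headers.  add_header is NOT additive across levels:
          # a context that declares any add_header discards the inherited ones,
          # so this set is repeated verbatim in @error405 and location / below.
          # HSTS is ignored by browsers on the plain-HTTP 14265 listener.
          add_header Strict-Transport-Security 'max-age=63072000; includeSubdomains' always;
          add_header X-Content-Type-Options nosniff always;
          add_header X-Frame-Options SAMEORIGIN always;   # relax if dashboards are embedded from another origin
          add_header X-XSS-Protection '1; mode=block' always;

          error_page 405 @error405;
          location @error405 {
              # GET is rejected by location / below, so it is not advertised here.
              add_header Allow 'HEAD, OPTIONS, POST' always;
              add_header Strict-Transport-Security 'max-age=63072000; includeSubdomains' always;
              add_header X-Content-Type-Options nosniff always;
              add_header X-Frame-Options SAMEORIGIN always;
              add_header X-XSS-Protection '1; mode=block' always;
          }

          # The dashboards below share the server block with the plain-HTTP 14265
          # listener.  Each one first bounces non-TLS requests to the TLS origin
          # so that Basic-auth credentials never travel in the clear.  $server_name
          # (not $host) is used so the redirect target cannot be steered by the
          # client's Host header.  "if" + "return" is one of the safe uses of "if".

          location /grafana/ {
              if ($https != "on") { return 301 https://$server_name$request_uri; }

              limit_req zone=grafana burst=150;
              limit_req_log_level warn;
              limit_req_status 444;   # 444: drop the connection without a response

              proxy_pass http://grafana/;
          }

          location /prometheus/ {
              if ($https != "on") { return 301 https://$server_name$request_uri; }

              auth_basic "Prometheus";
              auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;

              limit_req zone=prometheus burst=70;
              limit_req_log_level warn;
              limit_req_status 444;

              # Rewrite absolute links in the Prometheus UI so it works under /prometheus/.
              sub_filter_once off;
              sub_filter '="/' '="/prometheus/';
              sub_filter 'var PATH_PREFIX = "";' 'var PATH_PREFIX = "/prometheus";';

              rewrite ^/prometheus/?$ /prometheus/graph redirect;
              rewrite ^/prometheus/(.*)$ /$1 break;

              proxy_pass http://prometheus/;
          }

          location /iota_exporter/ {
              if ($https != "on") { return 301 https://$server_name$request_uri; }

              auth_basic "IOTA Exporter";
              auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;

              limit_req zone=iota_exporter burst=70;
              limit_req_log_level warn;
              limit_req_status 444;

              proxy_pass http://iota_exporter/;
          }

          location /ipm/ {
              if ($https != "on") { return 301 https://$server_name$request_uri; }

              auth_basic "IOTA Peer Manager";
              auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;

              limit_req zone=ipm burst=20;
              limit_req_log_level warn;
              limit_req_status 444;

              # Rewrite absolute links in the IPM UI so it works under /ipm/.
              sub_filter_once off;
              sub_filter '="/' '="/ipm/';
              sub_filter 'var PATH_PREFIX = "";' 'var PATH_PREFIX = "/ipm";';

              rewrite ^/ipm/(.*)$ /$1 break;

              proxy_pass http://ipm/;
          }

          # WebSocket / long-polling endpoint of the IOTA Peer Manager.
          location /socket.io/ {
              if ($https != "on") { return 301 https://$server_name$request_uri; }

              # auth_basic_user_file alone enforces nothing; the auth_basic directive
              # is what turns authentication on.  Same realm as /ipm/ so browsers
              # reuse the credential already cached for the peer manager.
              auth_basic "IOTA Peer Manager";
              auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;

              limit_req zone=ipm burst=20;
              limit_req_log_level warn;
              limit_req_status 444;

              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $connection_upgrade;
              # Declaring proxy_set_header here discards the http-level set; repeat it.
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;

              proxy_pass http://ipm;
          }

          # Public IRI API.  Only POST carries a command; OPTIONS is needed for
          # browser wallets' CORS preflight; HEAD is proxied unchanged.
          location / {
              limit_req zone=iri burst=20;
              limit_req_log_level warn;
              limit_req_status 444;

              if ($request_method !~ ^(HEAD|OPTIONS|POST)$) {
                  return 405;
              }

              add_header 'Access-Control-Allow-Origin' '*';
              add_header 'Access-Control-Allow-Headers' 'Content-type,X-IOTA-API-Version';
              add_header Strict-Transport-Security 'max-age=63072000; includeSubdomains' always;
              add_header X-Content-Type-Options nosniff always;
              add_header X-Frame-Options SAMEORIGIN always;
              add_header X-XSS-Protection '1; mode=block' always;

              # Allow-list of read/attach commands that may reach the node from the
              # public Internet.  Every other command (in particular the ones that
              # administer the node) is refused with 405 before it is proxied.
              access_by_lua_block {
                  if ngx.req.get_method() ~= "POST" then
                      return
                  end

                  ngx.req.read_body()
                  local body = ngx.req.get_body_data()
                  if body == nil then
                      -- Bodies larger than client_body_buffer_size are spooled to
                      -- disk and get_body_data() returns nil; read the file instead.
                      local path = ngx.req.get_body_file()
                      if path then
                          local f = io.open(path, "rb")
                          if f then
                              body = f:read("*a")
                              f:close()
                          end
                      end
                  end
                  if body == nil or body == "" then
                      return ngx.exit(ngx.HTTP_BAD_REQUEST)
                  end

                  -- cjson.safe returns nil on malformed input instead of raising;
                  -- a raised error would surface as a 500 with a Lua traceback.
                  local cjson = require("cjson.safe")
                  local json_data = cjson.decode(body)
                  if type(json_data) ~= "table" or type(json_data.command) ~= "string" then
                      return ngx.exit(ngx.HTTP_BAD_REQUEST)
                  end

                  local allowed_pub_commands = {
                      getNodeInfo               = true,
                      getTips                   = true,
                      findTransactions          = true,
                      getTrytes                 = true,
                      getInclusionStates        = true,
                      getBalances               = true,
                      getTransactionsToApprove  = true,
                      attachToTangle            = true,
                      interruptAttachingToTangle = true,
                      broadcastTransactions     = true,
                      storeTransactions         = true,
                      wereAddressesSpentFrom    = true,
                      checkConsistency          = true,
                  }

                  if not allowed_pub_commands[json_data.command] then
                      return ngx.exit(ngx.HTTP_NOT_ALLOWED)
                  end
              }

              proxy_pass http://iri;
          }
      }
  }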