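sudo mkdir -p /usr/local/openresty/nginx/conf/ && cat << 'EOF' | sudo tee /usr/local/openresty/nginx/conf/nginx.conf > /dev/null
# OpenResty front end for an IOTA IRI node and its monitoring stack.
# Port 14265 (plain) and 443 (TLS) expose an allow-listed subset of the
# IRI API; Grafana, Prometheus, the exporter and IPM are reverse-proxied
# under path prefixes.  The heredoc is single-quoted, so nothing in this
# file is expanded by the shell.
user iota;
worker_processes auto;
error_log logs/error.log;
pid /usr/local/openresty/nginx/logs/nginx.pid;

events {
    worker_connections 4096;
}

http {
    default_type application/json;
    keepalive_timeout 70;
    # Load cjson once at worker start; the access-phase gate in "location /" uses it.
    init_by_lua 'require "cjson"';

    ssl_session_cache shared:SSL:32m;
    ssl_session_timeout 5m;
    server_tokens off;

    # NOTE: add_header is not merged across levels -- any add_header in a
    # server/location replaces the whole inherited set, so these two are
    # repeated wherever a narrower block declares its own headers.
    add_header X-XSS-Protection '1; mode=block';
    add_header X-Content-Type-Options nosniff;

    log_format main '$remote_addr - $remote_user [$time_local] $status '
                    '"$request" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # "upgrade" when the client asks for a websocket, "close" otherwise.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    upstream iri           { server 127.0.0.1:14267; }
    upstream grafana       { server 127.0.0.1:3000; }
    upstream prometheus    { server 127.0.0.1:9090; }
    upstream iota_exporter { server 127.0.0.1:9311; }
    upstream ipm           { server 127.0.0.1:8888; }

    # Proxy defaults.  proxy_set_header is also all-or-nothing per level:
    # a location that sets any header of its own (websocket Upgrade below)
    # must re-declare this full set.
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_connect_timeout 120;
    proxy_send_timeout 120;
    proxy_read_timeout 120;
    proxy_buffers 32 4k;

    client_max_body_size 1m;
    # Keep every accepted body in memory: ngx.req.get_body_data() returns
    # nil for bodies spooled to a temp file, which would make the Lua
    # command filter below reject otherwise valid (128k..1m) requests.
    client_body_buffer_size 1m;

    limit_req_zone $binary_remote_addr zone=iri:10m rate=5r/s;
    limit_req_zone $binary_remote_addr zone=grafana:10m rate=25r/s;
    limit_req_zone $binary_remote_addr zone=prometheus:10m rate=25r/s;
    limit_req_zone $binary_remote_addr zone=iota_exporter:10m rate=25r/s;
    limit_req_zone $binary_remote_addr zone=ipm:10m rate=25r/s;

    server {
        listen 14265 default_server deferred;
        listen 443 ssl http2 deferred;
        server_name v22018117236076934.nicesrv.de;

        ssl_certificate /etc/letsencrypt/live/v22018117236076934.nicesrv.de/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/v22018117236076934.nicesrv.de/privkey.pem;
        # TLS 1.0/1.1 are deprecated (RFC 8996).  TLSv1.3 is used when the
        # linked OpenSSL supports it and silently ignored otherwise.
        ssl_protocols TLSv1.2 TLSv1.3;
        # Drop 3DES (SWEET32) and static-RSA key exchange (no forward secrecy)
        # from the HIGH set; everything left is ECDHE/DHE AEAD or CBC-SHA2.
        ssl_ciphers 'HIGH:!aNULL:!MD5:!3DES:!kRSA';
        ssl_prefer_server_ciphers on;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/v22018117236076934.nicesrv.de/fullchain.pem;
        # Resolver is only needed for OCSP stapling lookups.
        resolver 8.8.8.8 8.8.4.4 9.9.9.9 valid=300s;
        resolver_timeout 1s;

        # Declaring HSTS here replaces the http-level header set, so the
        # generic hardening headers are re-added alongside it.  Browsers
        # ignore HSTS received over the plain 14265 listener.
        add_header Strict-Transport-Security 'max-age=63072000; includeSubdomains';
        add_header X-XSS-Protection '1; mode=block';
        add_header X-Content-Type-Options nosniff;

        error_page 405 @error405;
        location @error405 {
            # Advertise only the methods "location /" actually forwards.
            add_header Allow 'OPTIONS, POST' always;
            add_header X-Content-Type-Options nosniff always;
            # recursive_error_pages is off, so this does not re-enter @error405.
            return 405;
        }

        # Grafana enforces its own login; no nginx auth layer here.
        location /grafana/ {
            limit_req zone=grafana burst=50 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            proxy_pass http://grafana/;
        }

        # Prometheus has no built-in auth: basic auth in front, and the
        # HTML/JS is rewritten so absolute links stay under /prometheus/.
        location /prometheus/ {
            auth_basic "Prometheus";
            auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;
            limit_req zone=prometheus burst=50 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            sub_filter_once off;
            sub_filter '="/' '="/prometheus/';
            sub_filter 'var PATH_PREFIX = "";' 'var PATH_PREFIX = "/prometheus";';
            rewrite ^/prometheus/?$ /prometheus/graph redirect;
            rewrite ^/prometheus/(.*)$ /$1 break;
            proxy_pass http://prometheus/;
        }

        location /iota_exporter/ {
            auth_basic "IOTA Prometheus Exporter";
            auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;
            limit_req zone=iota_exporter burst=50 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            proxy_pass http://iota_exporter/;
        }

        location /ipm/ {
            auth_basic "IOTA Peer Manager";
            auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;
            limit_req zone=ipm burst=50 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            sub_filter_once off;
            sub_filter '="/' '="/ipm/';
            sub_filter 'var PATH_PREFIX = "";' 'var PATH_PREFIX = "/ipm";';
            rewrite ^/ipm/(.*)$ /$1 break;
            proxy_pass http://ipm/;
        }

        # Websocket/long-poll transport for IPM.  auth_basic_user_file on its
        # own enables nothing -- auth_basic must be set too, otherwise this
        # path reaches the peer manager without credentials.  Same realm as
        # /ipm/ so the browser reuses the credentials it already sent.
        location /socket.io/ {
            auth_basic "IOTA Peer Manager";
            auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;
            limit_req zone=ipm burst=50 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            # Re-declared: setting any proxy_set_header here discards the
            # http-level set.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://ipm;
        }

        # Public IRI API.  IRI speaks POST-only JSON; OPTIONS is forwarded
        # for CORS preflight.  Anything else is answered by @error405.
        location / {
            limit_req zone=iri burst=10 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;

            if ( $request_method !~ ^(OPTIONS|POST)$ ) {
                return 405;
            }
            if ( $request_method = OPTIONS ) {
                proxy_pass http://iri;
            }
            if ( $request_method = POST ) {
                set $upstream '';
                access_by_lua_block {
                    -- Allow-list gate: only the public read/attach commands
                    -- reach IRI; neighbour management and similar stay
                    -- private.  Malformed input is a 400, not a Lua error
                    -- (which would surface as a 500).
                    ngx.req.read_body()
                    local body = ngx.req.get_body_data()
                    if body == nil then
                        -- No body, or body larger than client_body_buffer_size
                        -- and therefore spooled to disk.
                        return ngx.exit(ngx.HTTP_BAD_REQUEST)
                    end

                    local cjson = require('cjson')
                    local ok, doc = pcall(cjson.decode, body)
                    if not ok or type(doc) ~= 'table' then
                        return ngx.exit(ngx.HTTP_BAD_REQUEST)
                    end

                    local allowed_pub_commands = {
                        getNodeInfo               = true,
                        getTips                   = true,
                        findTransactions          = true,
                        getTrytes                 = true,
                        getInclusionStates        = true,
                        getBalances               = true,
                        getTransactionsToApprove  = true,
                        attachToTangle            = true,
                        interruptAttachingToTangle = true,
                        broadcastTransactions     = true,
                        storeTransactions         = true,
                        wereAddressesSpentFrom    = true,
                    }

                    local req_command = doc['command']
                    if type(req_command) == 'string' and allowed_pub_commands[req_command] then
                        ngx.var.upstream = 'iri'
                    else
                        return ngx.exit(ngx.HTTP_NOT_ALLOWED)
                    end
                }
                proxy_pass http://$upstream;
            }
        }
    }
}
EOF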