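sudo mkdir -p /usr/local/openresty/nginx/conf/ && cat << 'EOF' | sudo tee /usr/local/openresty/nginx/conf/nginx.conf > /dev/null
# OpenResty front end for an IOTA IRI node.
# - :14265 (plain) and :443 (TLS) expose the IRI API; a Lua access handler
#   only lets whitelisted public API commands through to the node.
# - /grafana/, /prometheus/, /iota_exporter/, /ipm/ and /socket.io/ are
#   path-prefixed reverse proxies; all but Grafana sit behind HTTP basic auth.
# - Every proxied path is per-client rate limited with limit_req.
user iota;
worker_processes auto;
error_log logs/error.log;
pid /usr/local/openresty/nginx/logs/nginx.pid;

events {
    worker_connections 4096;
}

http {
    default_type application/json;
    keepalive_timeout 70;
    # Preload cjson once per worker so the access handler only does a cache lookup.
    init_by_lua 'require "cjson"';
    ssl_session_cache shared:SSL:32m;
    ssl_session_timeout 5m;
    server_tokens off;

    # Not referenced by any access_log directive in this file; kept for callers
    # that may enable access logging with it.
    log_format main '$remote_addr - $remote_user [$time_local] $status '
                    '"$request" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Standard WebSocket pass-through: send "Connection: upgrade" only when the
    # client actually asked for an upgrade, otherwise "close".
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    upstream iri {
        server 127.0.0.1:14267;
    }
    upstream grafana {
        server 127.0.0.1:3000;
    }
    upstream prometheus {
        server 127.0.0.1:9090;
    }
    upstream iota_exporter {
        server 127.0.0.1:9311;
    }
    upstream ipm {
        server 127.0.0.1:8888;
    }

    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_connect_timeout 120;
    proxy_send_timeout 120;
    proxy_read_timeout 120;
    proxy_buffers 32 4k;
    # Bodies above 128k are spooled to a temp file; the Lua handler below
    # handles that case explicitly. Bodies above 1m are rejected with 413.
    client_max_body_size 1m;
    client_body_buffer_size 128k;

    # One rate-limit zone per backend, keyed by client address.
    limit_req_zone $binary_remote_addr zone=iri:10m rate=5r/s;
    limit_req_zone $binary_remote_addr zone=grafana:10m rate=25r/s;
    limit_req_zone $binary_remote_addr zone=prometheus:10m rate=25r/s;
    limit_req_zone $binary_remote_addr zone=iota_exporter:10m rate=25r/s;
    limit_req_zone $binary_remote_addr zone=ipm:10m rate=25r/s;

    server {
        listen 14265 default_server deferred;
        listen 443 ssl http2 deferred;
        server_name v22018117236076934.nicesrv.de;

        ssl_certificate /etc/letsencrypt/live/v22018117236076934.nicesrv.de/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/v22018117236076934.nicesrv.de/privkey.pem;
        # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); trim this to
        # TLSv1.2 (and TLSv1.3 if the OpenResty build supports it) unless a known
        # legacy client still needs the older versions.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # add_header is not additive across levels: as soon as a block declares
        # one add_header, none of the parent block's headers are inherited.
        # All response headers for this vhost are therefore declared together here.
        add_header Strict-Transport-Security 'max-age=63072000; includeSubdomains';
        add_header X-XSS-Protection '1; mode=block';
        add_header X-Content-Type-Options nosniff;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/v22018117236076934.nicesrv.de/fullchain.pem;
        resolver 8.8.8.8 8.8.4.4 9.9.9.9 valid=300s;
        resolver_timeout 1s;

        error_page 405 @error405;
        location @error405 {
            # Allow must match the method check in "location /" (GET is rejected there).
            add_header Allow 'HEAD, OPTIONS, POST' always;
            # Re-declare the vhost headers: the add_header above disables inheritance
            # from the server block for this location.
            add_header Strict-Transport-Security 'max-age=63072000; includeSubdomains' always;
            add_header X-XSS-Protection '1; mode=block' always;
            add_header X-Content-Type-Options nosniff always;
            # Emit the 405 explicitly instead of falling through to the static handler.
            # recursive_error_pages is off, so this does not loop back into error_page.
            return 405;
        }

        location /grafana/ {
            limit_req zone=grafana burst=50 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            proxy_pass http://grafana/;
        }

        location /prometheus/ {
            auth_basic "Prometheus";
            auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;
            limit_req zone=prometheus burst=50 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Rewrite absolute links in the Prometheus UI so they stay under /prometheus/.
            sub_filter_once off;
            sub_filter '="/' '="/prometheus/';
            sub_filter 'var PATH_PREFIX = "";' 'var PATH_PREFIX = "/prometheus";';
            rewrite ^/prometheus/?$ /prometheus/graph redirect;
            rewrite ^/prometheus/(.*)$ /$1 break;
            proxy_pass http://prometheus/;
        }

        location /iota_exporter/ {
            auth_basic "IOTA Prometheus Exporter";
            auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;
            limit_req zone=iota_exporter burst=50 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://iota_exporter/;
        }

        location /ipm/ {
            auth_basic "IOTA Peer Manager";
            auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;
            limit_req zone=ipm burst=50 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            sub_filter_once off;
            sub_filter '="/' '="/ipm/';
            sub_filter 'var PATH_PREFIX = "";' 'var PATH_PREFIX = "/ipm";';
            rewrite ^/ipm/(.*)$ /$1 break;
            proxy_pass http://ipm/;
        }

        # WebSocket channel of the Peer Manager (same backend as /ipm/).
        location /socket.io/ {
            # auth_basic_user_file alone enforces nothing; auth_basic must be on,
            # otherwise the IPM socket is reachable without the credentials that
            # protect /ipm/. Same realm so browsers reuse the cached credentials.
            auth_basic "IOTA Peer Manager";
            auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;
            limit_req zone=ipm burst=50 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Same address as the ipm upstream; use the named group for consistency.
            proxy_pass http://ipm;
        }

        # IRI API. Only HEAD/OPTIONS/POST pass; POST bodies are inspected in Lua.
        # NOTE(review): HEAD passes the method check but matches neither proxy_pass
        # branch below, so it falls through to the static handler - confirm intended.
        location / {
            limit_req zone=iri burst=10 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            if ( $request_method !~ ^(HEAD|OPTIONS|POST)$ ) {
                return 405;
            }
            if ( $request_method = OPTIONS ) {
                proxy_pass http://iri;
            }
            if ( $request_method = POST ) {
                set $upstream '';
                access_by_lua_block {
                    -- Gate POSTs on the IRI "command" field: only public, read-mostly
                    -- commands reach the node. Anything unparseable or not whitelisted
                    -- is rejected here, before proxy_pass runs.
                    ngx.req.read_body()
                    local data = ngx.req.get_body_data()
                    if not data then
                        -- Bodies larger than client_body_buffer_size are spooled to a
                        -- temp file and get_body_data() returns nil. Read the file so
                        -- a big but legitimate request is not turned into a Lua error.
                        local path = ngx.req.get_body_file()
                        local fh = path and io.open(path, "rb")
                        if fh then
                            data = fh:read("*a")
                            fh:close()
                        end
                    end
                    if not data then
                        -- No body at all: nothing to dispatch on.
                        return ngx.exit(400)
                    end

                    -- cjson.decode raises on malformed input; unguarded, that error
                    -- would surface to the client as a 500. Decode under pcall and
                    -- insist on a JSON object (decode may also yield a scalar or null).
                    local cjson = require('cjson')
                    local ok, json_data = pcall(cjson.decode, data)
                    if not ok or type(json_data) ~= "table" then
                        return ngx.exit(400)
                    end

                    -- Whitelist as a set for O(1) lookup.
                    local allowed_pub_commands = {
                        getNodeInfo = true,
                        getTips = true,
                        findTransactions = true,
                        getTrytes = true,
                        getInclusionStates = true,
                        getBalances = true,
                        getTransactionsToApprove = true,
                        attachToTangle = true,
                        interruptAttachingToTangle = true,
                        broadcastTransactions = true,
                        storeTransactions = true,
                        wereAddressesSpentFrom = true
                    }

                    local req_command = json_data["command"]
                    if type(req_command) == "string" and allowed_pub_commands[req_command] then
                        ngx.var.upstream = "iri"
                    else
                        return ngx.exit(405)
                    end
                }
                proxy_pass http://$upstream;
            }
        }
    }
}
EOF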