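# Install the OpenResty reverse-proxy config that fronts IRI (public API on
# 14265/443) and the authenticated monitoring UIs (Grafana, Prometheus,
# IOTA exporter, IPM). The heredoc delimiter is quoted so nothing inside
# is expanded by the shell; every $var below belongs to nginx.
sudo mkdir -p /usr/local/openresty/nginx/conf/ && cat << 'EOF' | sudo tee /usr/local/openresty/nginx/conf/nginx.conf > /dev/null
user iota;
worker_processes auto;
error_log logs/error.log;
pid /usr/local/openresty/nginx/logs/nginx.pid;

events {
    worker_connections 4096;
}

http {
    default_type application/json;
    keepalive_timeout 70;
    init_by_lua 'require "cjson"';
    ssl_session_cache shared:SSL:32m;
    ssl_session_timeout 5m;
    server_tokens off;

    # NOTE: add_header is only inherited from this level when the server /
    # location level declares no add_header of its own. The server block
    # below declares HSTS, so these two are repeated there.
    add_header X-XSS-Protection '1; mode=block';
    add_header X-Content-Type-Options nosniff;

    log_format main '$remote_addr - $remote_user [$time_local] $status '
                    '"$request" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    upstream iri { server 127.0.0.1:14267; }
    upstream grafana { server 127.0.0.1:3000; }
    upstream prometheus { server 127.0.0.1:9090; }
    upstream iota_exporter { server 127.0.0.1:9311; }
    upstream ipm { server 127.0.0.1:8888; }

    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_connect_timeout 120;
    proxy_send_timeout 120;
    proxy_read_timeout 120;
    proxy_buffers 32 4k;

    # Bodies above client_body_buffer_size are spooled to a temp file; the
    # Lua access handler below accounts for that.
    client_max_body_size 1m;
    client_body_buffer_size 128k;

    # Per-client request rate limits, one zone per backend.
    limit_req_zone $binary_remote_addr zone=iri:10m rate=5r/s;
    limit_req_zone $binary_remote_addr zone=grafana:10m rate=25r/s;
    limit_req_zone $binary_remote_addr zone=prometheus:10m rate=25r/s;
    limit_req_zone $binary_remote_addr zone=iota_exporter:10m rate=25r/s;
    limit_req_zone $binary_remote_addr zone=ipm:10m rate=25r/s;

    server {
        listen 14265 default_server deferred;
        listen 443 ssl http2 deferred;
        server_name v22018117236076934.nicesrv.de;

        ssl_certificate /etc/letsencrypt/live/v22018117236076934.nicesrv.de/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/v22018117236076934.nicesrv.de/privkey.pem;
        # TLS 1.0/1.1 are deprecated; append TLSv1.3 once the OpenResty
        # build's OpenSSL supports it.
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        add_header Strict-Transport-Security 'max-age=63072000; includeSubdomains';
        # Repeated from the http level (see the note there).
        add_header X-XSS-Protection '1; mode=block';
        add_header X-Content-Type-Options nosniff;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/v22018117236076934.nicesrv.de/fullchain.pem;
        resolver 8.8.8.8 8.8.4.4 9.9.9.9 valid=300s;
        resolver_timeout 1s;

        error_page 405 @error405;
        location @error405 {
            # Advertise only the methods the API location actually accepts.
            add_header Allow 'OPTIONS, POST' always;
            # Answer here; a named location without a handler would fall
            # through to the static file handler.
            return 405;
        }

        location /grafana/ {
            limit_req zone=grafana burst=50 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            proxy_pass http://grafana/;
        }

        location /prometheus/ {
            auth_basic "Prometheus";
            auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;
            limit_req zone=prometheus burst=50 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Rewrite absolute links in the UI so it works under the prefix.
            sub_filter_once off;
            sub_filter '="/' '="/prometheus/';
            sub_filter 'var PATH_PREFIX = "";' 'var PATH_PREFIX = "/prometheus";';
            rewrite ^/prometheus/?$ /prometheus/graph redirect;
            rewrite ^/prometheus/(.*)$ /$1 break;
            proxy_pass http://prometheus/;
        }

        location /iota_exporter/ {
            auth_basic "IOTA Prometheus Exporter";
            auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;
            limit_req zone=iota_exporter burst=50 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://iota_exporter/;
        }

        location /ipm/ {
            auth_basic "IOTA Peer Manager";
            auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;
            limit_req zone=ipm burst=50 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            sub_filter_once off;
            sub_filter '="/' '="/ipm/';
            sub_filter 'var PATH_PREFIX = "";' 'var PATH_PREFIX = "/ipm";';
            rewrite ^/ipm/(.*)$ /$1 break;
            proxy_pass http://ipm/;
        }

        # WebSocket endpoint of the peer manager (same backend as /ipm/).
        location /socket.io/ {
            # auth_basic_user_file alone enforces nothing: auth_basic must be
            # switched on, otherwise this endpoint is reachable unauthenticated
            # while /ipm/ is protected.
            auth_basic "IOTA Peer Manager";
            auth_basic_user_file /usr/local/openresty/nginx/conf/.htpasswd;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass "http://127.0.0.1:8888";
        }

        # Public IRI API: only OPTIONS (CORS preflight) and POST with a
        # whitelisted command are forwarded to the node.
        location / {
            limit_req zone=iri burst=10 nodelay;
            limit_req_log_level warn;
            limit_req_status 444;

            # Keep this in sync with the Allow header in @error405. Methods
            # not handled by a branch below would otherwise reach the static
            # file handler.
            if ( $request_method !~ ^(OPTIONS|POST)$ ) {
                return 405;
            }
            if ( $request_method = OPTIONS ) {
                proxy_pass http://iri;
            }
            if ( $request_method = POST ) {
                set $upstream '';
                access_by_lua_block {
                    -- Parse the JSON body and admit only public IRI commands.
                    -- Malformed input is answered with 400 instead of letting
                    -- a Lua error turn into a 500 in error.log.
                    ngx.req.read_body()
                    local data = ngx.req.get_body_data()
                    if data == nil then
                        -- Large bodies are spooled to disk and get_body_data()
                        -- returns nil for them; read the spool file instead.
                        local body_file = ngx.req.get_body_file()
                        if body_file then
                            local fh = io.open(body_file, "rb")
                            if fh then
                                data = fh:read("*a")
                                fh:close()
                            end
                        end
                    end
                    if data == nil or data == "" then
                        return ngx.exit(400)
                    end

                    local cjson = require('cjson')
                    local ok, json_data = pcall(cjson.decode, data)
                    -- A JSON scalar or array has no "command" field either.
                    if not ok or type(json_data) ~= "table" then
                        return ngx.exit(400)
                    end

                    local req_command = json_data["command"]
                    -- Whitelist of public IRI API commands, as a set for O(1) lookup.
                    local allowed_pub_commands = {
                        getNodeInfo = true,
                        getTips = true,
                        findTransactions = true,
                        getTrytes = true,
                        getInclusionStates = true,
                        getBalances = true,
                        getTransactionsToApprove = true,
                        attachToTangle = true,
                        interruptAttachingToTangle = true,
                        broadcastTransactions = true,
                        storeTransactions = true,
                        wereAddressesSpentFrom = true
                    }
                    if type(req_command) == "string" and allowed_pub_commands[req_command] then
                        ngx.var.upstream = "iri"
                    else
                        -- Unknown or privileged command: reject, keeping the
                        -- 405 status the API clients already expect.
                        return ngx.exit(405)
                    end
                }
                proxy_pass http://$upstream;
            }
        }
    }
}
EOF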