108 lines
3.0 KiB
Plaintext
108 lines
3.0 KiB
Plaintext
|
server {
|
||
|
listen 80;
|
||
|
server_name my.example.com;
|
||
|
|
||
|
# See: https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode
|
||
|
# and https://datatracker.ietf.org/doc/html/rfc8555
|
||
|
location ~ ^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$ {
|
||
|
default_type text/plain;
|
||
|
return 200 "$1.MY_ACCOUNT_THUMBPRINT_GOES_HERE";
|
||
|
}
|
||
|
|
||
|
location / {
|
||
|
return 301 https://$host$request_uri;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
upstream geth-pool {
|
||
|
keepalive 100;
|
||
|
hash $user_id consistent;
|
||
|
server server-a:8545;
|
||
|
server server-b:8545;
|
||
|
server server-c:8545;
|
||
|
}
|
||
|
|
||
|
# self-reg happens on one server for clarity
|
||
|
upstream reg-ui-pool {
|
||
|
keepalive 100;
|
||
|
server server-a:8085;
|
||
|
}
|
||
|
|
||
|
upstream reg-api-pool {
|
||
|
keepalive 100;
|
||
|
server server-a:8086;
|
||
|
}
|
||
|
|
||
|
# auth uses server-a if available
|
||
|
upstream auth-pool {
|
||
|
keepalive 100;
|
||
|
server server-a:8080;
|
||
|
server server-b:8080 backup;
|
||
|
server server-c:8080 backup;
|
||
|
}
|
||
|
|
||
|
log_format upstreamlog '[$time_local] $remote_addr $user_id - $server_name $host to: $upstream_addr: $request $status upstream_response_time $upstream_response_time msec $msec request_time $request_time';
|
||
|
proxy_cache_path /var/cache/nginx/auth_cache levels=1 keys_zone=auth_cache:1m max_size=5m inactive=60m;
|
||
|
server {
|
||
|
listen 443 ssl http2;
|
||
|
server_name my.example.com;
|
||
|
access_log /var/log/nginx/my.example.com-access.log upstreamlog;
|
||
|
error_log /var/log/nginx/my.example.com-error.log;
|
||
|
|
||
|
ssl_certificate /etc/nginx/ssl/my.example.com/cert.pem;
|
||
|
ssl_certificate_key /etc/nginx/ssl/my.example.com/key.pem;
|
||
|
|
||
|
error_page 500 502 503 504 /50x.html;
|
||
|
location = /50x.html {
|
||
|
root /usr/share/nginx/html;
|
||
|
}
|
||
|
|
||
|
#rewrite ^/?$ /newuser/;
|
||
|
rewrite ^/?$ https://www.example.com/;
|
||
|
|
||
|
|
||
|
# geth-pool ETH API
|
||
|
location ~ ^/v1/eth/?([^/]*)$ {
|
||
|
set $apiKey $1;
|
||
|
if ($apiKey = '') {
|
||
|
set $apiKey $http_X_API_KEY;
|
||
|
}
|
||
|
auth_request /auth;
|
||
|
auth_request_set $user_id $sent_http_x_user_id;
|
||
|
rewrite /.*$ / break;
|
||
|
|
||
|
client_max_body_size 3m;
|
||
|
client_body_buffer_size 3m;
|
||
|
proxy_buffer_size 32k;
|
||
|
proxy_buffers 16 32k;
|
||
|
proxy_busy_buffers_size 96k;
|
||
|
|
||
|
proxy_pass http://geth-pool;
|
||
|
proxy_set_header X-Original-Remote-Addr $remote_addr;
|
||
|
proxy_set_header X-User-Id $user_id;
|
||
|
}
|
||
|
|
||
|
# keycloak
|
||
|
location = /auth {
|
||
|
internal;
|
||
|
proxy_cache auth_cache;
|
||
|
proxy_cache_key "$apiKey";
|
||
|
proxy_cache_valid 200 300s;
|
||
|
proxy_cache_valid 401 30s;
|
||
|
proxy_pass http://auth-pool/auth/realms/cerc/check?memberOf=eth&apiKey=$apiKey;
|
||
|
proxy_pass_request_body off;
|
||
|
proxy_set_header Content-Length "";
|
||
|
proxy_set_header X-Original-URI $request_uri;
|
||
|
proxy_set_header X-Original-Remote-Addr $remote_addr;
|
||
|
proxy_set_header X-Original-Host $host;
|
||
|
}
|
||
|
|
||
|
location /newuser/ {
|
||
|
proxy_pass http://reg-ui-pool/;
|
||
|
}
|
||
|
|
||
|
location /user-api/ {
|
||
|
proxy_pass http://reg-api-pool/;
|
||
|
}
|
||
|
}
|