stack-orchestrator/app/data/config/mainnet-eth-keycloak/nginx.example

108 lines
3.0 KiB
Plaintext
Raw Normal View History

server {
listen 80;
server_name my.example.com;
# See: https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode
# and https://datatracker.ietf.org/doc/html/rfc8555
location ~ ^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$ {
default_type text/plain;
return 200 "$1.MY_ACCOUNT_THUMBPRINT_GOES_HERE";
}
location / {
return 301 https://$host$request_uri;
}
}
upstream geth-pool {
keepalive 100;
hash $user_id consistent;
server server-a:8545;
server server-b:8545;
server server-c:8545;
}
# self-reg happens on one server for clarity
upstream reg-ui-pool {
keepalive 100;
server server-a:8085;
}
upstream reg-api-pool {
keepalive 100;
server server-a:8086;
}
# auth uses server-a if available
upstream auth-pool {
keepalive 100;
server server-a:8080;
server server-b:8080 backup;
server server-c:8080 backup;
}
log_format upstreamlog '[$time_local] $remote_addr $user_id - $server_name $host to: $upstream_addr: $request $status upstream_response_time $upstream_response_time msec $msec request_time $request_time';
proxy_cache_path /var/cache/nginx/auth_cache levels=1 keys_zone=auth_cache:1m max_size=5m inactive=60m;
server {
listen 443 ssl http2;
server_name my.example.com;
access_log /var/log/nginx/my.example.com-access.log upstreamlog;
error_log /var/log/nginx/my.example.com-error.log;
ssl_certificate /etc/nginx/ssl/my.example.com/cert.pem;
ssl_certificate_key /etc/nginx/ssl/my.example.com/key.pem;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
#rewrite ^/?$ /newuser/;
rewrite ^/?$ https://www.example.com/;
# geth-pool ETH API
location ~ ^/v1/eth/?([^/]*)$ {
set $apiKey $1;
if ($apiKey = '') {
set $apiKey $http_X_API_KEY;
}
auth_request /auth;
auth_request_set $user_id $sent_http_x_user_id;
rewrite /.*$ / break;
client_max_body_size 3m;
client_body_buffer_size 3m;
proxy_buffer_size 32k;
proxy_buffers 16 32k;
proxy_busy_buffers_size 96k;
proxy_pass http://geth-pool;
proxy_set_header X-Original-Remote-Addr $remote_addr;
proxy_set_header X-User-Id $user_id;
}
# keycloak
location = /auth {
internal;
proxy_cache auth_cache;
proxy_cache_key "$apiKey";
proxy_cache_valid 200 300s;
proxy_cache_valid 401 30s;
proxy_pass http://auth-pool/auth/realms/cerc/check?memberOf=eth&apiKey=$apiKey;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-Remote-Addr $remote_addr;
proxy_set_header X-Original-Host $host;
}
location /newuser/ {
proxy_pass http://reg-ui-pool/;
}
location /user-api/ {
proxy_pass http://reg-api-pool/;
}
}