forked from Blockstream/esplora
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx.conf.in
132 lines (115 loc) · 3.61 KB
/
nginx.conf.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# Set the IP ranges of your Google Cloud Load Balancer
set_real_ip_from 130.211.0.0/22;
set_real_ip_from 35.191.0.0/16;
# Use the IP address in the X-Forwarded-For header as the client IP
real_ip_header X-Forwarded-For;
real_ip_recursive on;
geo $limit {
default 1;
34.70.28.228/32 0;
127.0.0.1/32 0;
216.38.154.82 0;
}
map $limit $limit_key {
0 "";
1 $http_x_forwarded_for;
}
limit_req_zone $limit_key zone=lightlimitzone:10m rate=50r/s;
limit_req_zone $limit_key zone=heavylimitzone:10m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_req_status 429;
limit_conn_status 429;
upstream backend {
server unix:/var/electrs-rest.sock;
keepalive 300;
}
upstream prerenderer {
server unix:/var/prerender-http.sock;
keepalive 300;
}
upstream electrum_websocket {
server unix:/var/electrum-websocket.sock;
keepalive 300;
}
server {
listen 80;
keepalive_requests 100000;
gzip on;
gzip_types application/json text/plain application/xml application/javascript;
gzip_proxied any;
gzip_vary on;
root {STATIC_DIR};
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 650s;
{NGINX_LOGGING};
server_tokens off;
# client timeouts
client_body_timeout 5s;
client_header_timeout 5s;
add_header X-Frame-Options SAMEORIGIN always;
add_header Content-Security-Policy "{NGINX_CSP}" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;
location /{NGINX_PATH}api/ {
limit_req zone=heavylimitzone burst=10 nodelay;
limit_conn conn_limit_per_ip 10;
proxy_pass http://backend/;
add_header Access-Control-Allow-Origin * always;
add_header Access-Control-Expose-Headers 'x-total-results';
proxy_http_version 1.1;
proxy_set_header Connection "";
}
location /{NGINX_PATH}nojs/ {
limit_req zone=lightlimitzone burst=10 nodelay;
proxy_pass http://prerenderer/;
proxy_http_version 1.1;
proxy_set_header Connection "";
}
location /{NGINX_PATH}electrum-websocket/ {
limit_req zone=heavylimitzone burst=10 nodelay;
limit_conn conn_limit_per_ip 10;
client_body_timeout 60s;
proxy_pass http://electrum_websocket/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 1d;
proxy_send_timeout 1d;
}
location = /{NGINX_PATH}nojs {
limit_req zone=lightlimitzone burst=10 nodelay;
return 301 " /{NGINX_PATH}nojs/";
}
location ~ ^/{NGINX_PATH}((tx|block|block-height|address|assets?)/|[a-zA-Z0-9]+$) {
limit_req zone=heavylimitzone burst=10 nodelay;
limit_conn conn_limit_per_ip 10;
expires 60m;
if ($args = "nojs") {
{NGINX_REWRITE_NOJS};
}
try_files $uri /index.html;
}
location /{NGINX_PATH} {
limit_req zone=lightlimitzone burst=10 nodelay;
expires 60m;
if ($args = "nojs") {
{NGINX_REWRITE_NOJS};
}
{NGINX_REWRITE}
}
location = /{NGINX_NOSLASH_PATH} {
limit_req zone=lightlimitzone burst=10 nodelay;
if ($args = "nojs") {
{NGINX_REWRITE_NOJS};
}
return 301 " /{NGINX_PATH}";
}
error_page 404 /{NGINX_PATH}notfound.html;
location = /notfound.html {
internal;
}
}