philomena/docker/web/nginx.conf

upstream philomena {
	server app:4000 fail_timeout=0;
}

map $uri $custom_content_type {
	default			"text/html";
	~(.*\.png)$		"image/png";
	~(.*\.jpe?g)$	"image/jpeg";
	~(.*\.gif)$		"image/gif";
	~(.*\.svg)$		"image/svg+xml";
	~(.*\.mp4)$		"video/mp4";
	~(.*\.webm)$	"video/webm";
}

lua_package_path '/etc/nginx/lua/?.lua;;';
resolver 1.1.1.1 ipv6=off;

init_by_lua_block {
	aws_sig = require('aws-signature')

	function clear_request()
		-- Get rid of any client state that could cause
		-- issues for the proxied request
		for h, _ in pairs(ngx.req.get_headers()) do
			if string.lower(h) ~= 'range' then
				ngx.req.clear_header(h)
			end
		end

		ngx.req.set_uri_args({})
		ngx.req.discard_body()
	end

	function sign_aws_request()
		-- The API token used should not allow writing, but
		-- sanitize this anyway to stop an upstream error
		if ngx.req.get_method() ~= 'GET' then
			ngx.status = ngx.HTTP_UNAUTHORIZED
			ngx.say('Unauthorized')
			return ngx.exit(ngx.HTTP_UNAUTHORIZED)
		end

		clear_request()
		aws_sig.s3_set_headers("$S3_HOST", ngx.var.uri)
	end
}

proxy_cache_path /var/www/cache levels=1:2 keys_zone=s3-cache:8m max_size=1000m inactive=600m;

server {
	listen 80 default;
	listen [::]:80;

	root $APP_DIR/priv/static;

	client_max_body_size       125000000;
	client_body_buffer_size    128k;

	location ~ ^/$S3_BUCKET {
		internal;

		access_by_lua	 		"sign_aws_request()";
		proxy_pass				"$S3_SCHEME://$S3_HOST:$S3_PORT";
		proxy_cache				s3-cache;
		proxy_cache_valid		1h;
		proxy_hide_header		Content-Type;
		proxy_ssl_server_name	on;

		expires 	max;
		add_header	Cache-Control public;
		add_header	Content-Type $custom_content_type;
	}

	location  ~ ^/img/download/(.+)/([0-9]+).*\.([A-Za-z0-9]+)$ {
		rewrite ^/img/download/(.+)/([0-9]+).*\.([A-Za-z0-9]+)$ "/$S3_BUCKET/images/$1/$2/full.$3" break;

		access_by_lua	 		"sign_aws_request()";
		proxy_pass				"$S3_SCHEME://$S3_HOST:$S3_PORT";
		proxy_cache				s3-cache;
		proxy_cache_valid		1h;
		proxy_hide_header		Content-Type;
		proxy_ssl_server_name	on;

		expires 	max;
		add_header	Cache-Control public;
		add_header	Content-Type $custom_content_type;
		add_header	Content-Disposition "attachment";
	}

	location  ~ ^/img/view/(.+)/([0-9]+).*\.([A-Za-z0-9]+)$ {
		rewrite ^/img/view/(.+)/([0-9]+).*\.([A-Za-z0-9]+)$ "/$S3_BUCKET/images/$1/$2/full.$3" last;
	}

	location  ~ ^/img/(.+)$ {
		rewrite ^/img/(.+)$ "/$S3_BUCKET/images/$1" last;
	}

	location  ~ ^/spns/(.+) {
		rewrite ^/spns/(.+)$ "/$S3_BUCKET/adverts/$1" last;
	}

	location  ~ ^/avatars/(.+) {
		rewrite ^/avatars/(.+)$ "/$S3_BUCKET/avatars/$1" last;
	}

	# The following two location blocks use an -img suffix to avoid
	# conflicting with the application routes. In production, this
	# is not necessary since assets will be on a distinct domain.

	location  ~ ^/badge-img/(.+) {
		rewrite ^/badge-img/(.+)$ "/$S3_BUCKET/badges/$1" last;
	}

	location  ~ ^/tag-img/(.+) {
		rewrite ^/tag-img/(.+)$ "/$S3_BUCKET/tags/$1" last;
	}

	location / {
		try_files $uri @proxy;
	}

	location @proxy {
		proxy_pass         http://philomena;
		proxy_redirect     off;

		proxy_set_header   Host             $host:$server_port;
		proxy_set_header   X-Real-IP        $remote_addr;
		proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

		proxy_connect_timeout      90;
		proxy_send_timeout         90;
		proxy_read_timeout         90;

		proxy_buffer_size          4k;
		proxy_buffers              4 32k;
		proxy_busy_buffers_size    64k;
		proxy_temp_file_write_size 64k;

		# Configuration for Phoenix WS
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
	}
}
docker compose files 2019-12-03 03:04:59 +01:00			`upstream philomena {`
fix non-podman setup 2019-12-03 23:56:26 +01:00			`server app:4000 fail_timeout=0;`
docker compose files 2019-12-03 03:04:59 +01:00			`}`

Deal with content type screwery 2022-02-11 01:13:14 +01:00			`map $uri $custom_content_type {`
Authenticate requests to remote S3 endpoint 2022-05-14 19:46:23 +02:00			`default "text/html";`
			`~(.*\.png)$ "image/png";`
Deal with content type screwery 2022-02-11 01:13:14 +01:00			`~(.*\.jpe?g)$ "image/jpeg";`
Authenticate requests to remote S3 endpoint 2022-05-14 19:46:23 +02:00			`~(.*\.gif)$ "image/gif";`
			`~(.*\.svg)$ "image/svg+xml";`
			`~(.*\.mp4)$ "video/mp4";`
Deal with content type screwery 2022-02-11 01:13:14 +01:00			`~(.*\.webm)$ "video/webm";`
			`}`

Authenticate requests to remote S3 endpoint 2022-05-14 19:46:23 +02:00			`lua_package_path '/etc/nginx/lua/?.lua;;';`
			`resolver 1.1.1.1 ipv6=off;`

			`init_by_lua_block {`
			`aws_sig = require('aws-signature')`

			`function clear_request()`
			`-- Get rid of any client state that could cause`
			`-- issues for the proxied request`
			`for h, _ in pairs(ngx.req.get_headers()) do`
			`if string.lower(h) ~= 'range' then`
			`ngx.req.clear_header(h)`
			`end`
			`end`

			`ngx.req.set_uri_args({})`
			`ngx.req.discard_body()`
			`end`

			`function sign_aws_request()`
			`-- The API token used should not allow writing, but`
			`-- sanitize this anyway to stop an upstream error`
			`if ngx.req.get_method() ~= 'GET' then`
			`ngx.status = ngx.HTTP_UNAUTHORIZED`
			`ngx.say('Unauthorized')`
			`return ngx.exit(ngx.HTTP_UNAUTHORIZED)`
			`end`

			`clear_request()`
			`aws_sig.s3_set_headers("$S3_HOST", ngx.var.uri)`
			`end`
			`}`

Add proxy cache 2022-05-15 02:33:31 +02:00			`proxy_cache_path /var/www/cache levels=1:2 keys_zone=s3-cache:8m max_size=1000m inactive=600m;`

docker compose files 2019-12-03 03:04:59 +01:00			`server {`
			`listen 80 default;`
			`listen [::]:80;`

			`root $APP_DIR/priv/static;`

bump app upload limit to 125MB 2020-10-21 20:10:11 +02:00			`client_max_body_size 125000000;`
allow uploading of large images 2020-04-03 02:46:12 +02:00			`client_body_buffer_size 128k;`

Prioritize bucket URL matches 2022-05-16 23:18:29 +02:00			`location ~ ^/$S3_BUCKET {`
Add proxy cache 2022-05-15 02:33:31 +02:00			`internal;`

Authenticate requests to remote S3 endpoint 2022-05-14 19:46:23 +02:00			`access_by_lua "sign_aws_request()";`
			`proxy_pass "$S3_SCHEME://$S3_HOST:$S3_PORT";`
Add proxy cache 2022-05-15 02:33:31 +02:00			`proxy_cache s3-cache;`
			`proxy_cache_valid 1h;`
Authenticate requests to remote S3 endpoint 2022-05-14 19:46:23 +02:00			`proxy_hide_header Content-Type;`
			`proxy_ssl_server_name on;`

			`expires max;`
			`add_header Cache-Control public;`
			`add_header Content-Type $custom_content_type;`
docker compose files 2019-12-03 03:04:59 +01:00			`}`

Authenticate requests to remote S3 endpoint 2022-05-14 19:46:23 +02:00			`location ~ ^/img/download/(.+)/([0-9]+).*\.([A-Za-z0-9]+)$ {`
			`rewrite ^/img/download/(.+)/([0-9]+).*\.([A-Za-z0-9]+)$ "/$S3_BUCKET/images/$1/$2/full.$3" break;`
Add proxy cache 2022-05-15 02:33:31 +02:00
Authenticate requests to remote S3 endpoint 2022-05-14 19:46:23 +02:00			`access_by_lua "sign_aws_request()";`
			`proxy_pass "$S3_SCHEME://$S3_HOST:$S3_PORT";`
Add proxy cache 2022-05-15 02:33:31 +02:00			`proxy_cache s3-cache;`
			`proxy_cache_valid 1h;`
Authenticate requests to remote S3 endpoint 2022-05-14 19:46:23 +02:00			`proxy_hide_header Content-Type;`
			`proxy_ssl_server_name on;`

Add proxy cache 2022-05-15 02:33:31 +02:00			`expires max;`
Authenticate requests to remote S3 endpoint 2022-05-14 19:46:23 +02:00			`add_header Cache-Control public;`
			`add_header Content-Type $custom_content_type;`
			`add_header Content-Disposition "attachment";`
nginx configuration to serve files 2022-02-09 03:32:12 +01:00			`}`

Add proxy cache 2022-05-15 02:33:31 +02:00			`location ~ ^/img/view/(.+)/([0-9]+).*\.([A-Za-z0-9]+)$ {`
			`rewrite ^/img/view/(.+)/([0-9]+).*\.([A-Za-z0-9]+)$ "/$S3_BUCKET/images/$1/$2/full.$3" last;`
			`}`
Authenticate requests to remote S3 endpoint 2022-05-14 19:46:23 +02:00
Add proxy cache 2022-05-15 02:33:31 +02:00			`location ~ ^/img/(.+)$ {`
			`rewrite ^/img/(.+)$ "/$S3_BUCKET/images/$1" last;`
docker compose files 2019-12-03 03:04:59 +01:00			`}`

Authenticate requests to remote S3 endpoint 2022-05-14 19:46:23 +02:00			`location ~ ^/spns/(.+) {`
Add proxy cache 2022-05-15 02:33:31 +02:00			`rewrite ^/spns/(.+)$ "/$S3_BUCKET/adverts/$1" last;`
docker compose files 2019-12-03 03:04:59 +01:00			`}`

Authenticate requests to remote S3 endpoint 2022-05-14 19:46:23 +02:00			`location ~ ^/avatars/(.+) {`
Add proxy cache 2022-05-15 02:33:31 +02:00			`rewrite ^/avatars/(.+)$ "/$S3_BUCKET/avatars/$1" last;`
docker compose files 2019-12-03 03:04:59 +01:00			`}`

Authenticate requests to remote S3 endpoint 2022-05-14 19:46:23 +02:00			`# The following two location blocks use an -img suffix to avoid`
			`# conflicting with the application routes. In production, this`
			`# is not necessary since assets will be on a distinct domain.`

			`location ~ ^/badge-img/(.+) {`
Add proxy cache 2022-05-15 02:33:31 +02:00			`rewrite ^/badge-img/(.+)$ "/$S3_BUCKET/badges/$1" last;`
docker compose files 2019-12-03 03:04:59 +01:00			`}`

Authenticate requests to remote S3 endpoint 2022-05-14 19:46:23 +02:00			`location ~ ^/tag-img/(.+) {`
Add proxy cache 2022-05-15 02:33:31 +02:00			`rewrite ^/tag-img/(.+)$ "/$S3_BUCKET/tags/$1" last;`
docker compose files 2019-12-03 03:04:59 +01:00			`}`

			`location / {`
			`try_files $uri @proxy;`
			`}`

			`location @proxy {`
			`proxy_pass http://philomena;`
			`proxy_redirect off;`

			`proxy_set_header Host $host:$server_port;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`

			`proxy_connect_timeout 90;`
			`proxy_send_timeout 90;`
			`proxy_read_timeout 90;`

			`proxy_buffer_size 4k;`
			`proxy_buffers 4 32k;`
			`proxy_busy_buffers_size 64k;`
			`proxy_temp_file_write_size 64k;`

			`# Configuration for Phoenix WS`
add firehose API 2020-06-12 18:56:11 +02:00			`proxy_http_version 1.1;`
docker compose files 2019-12-03 03:04:59 +01:00			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
			`}`
			`}`