nginx: further improve rewrite rules (get rid of most ifs)

parent 9a551dc1
Pipeline #70698024 failed with stage
in 7 minutes and 6 seconds
......@@ -32,7 +32,6 @@ location /vks/v1/request-verify {
location /vks/v1/ {
location ~ ^/vks/v1/by-fingerprint/(?:0x)?([^/][^/])([^/][^/])(..*)$ {
limit_req zone=search_fpr_keyid burst=30;
error_page 429 /errors-static/429-rate-limit-vks-fpr.htm;
error_page 404 /errors-static/404-by-fpr.htm;
default_type application/pgp-keys;
......@@ -56,10 +55,12 @@ location /vks/v1/ {
limit_req zone=search_email burst=50 nodelay;
error_page 429 /errors-static/429-rate-limit-vks-email.htm;
set $args "";
add_header 'Access-Control-Allow-Origin' '*';
proxy_pass http://127.0.0.1:8080;
# we have some trouble with uri encoding here. just route through
# hagrid, for now.
proxy_pass http://127.0.0.1:8080;
# error_page 404 /errors-static/404-by-email.htm;
# default_type application/pgp-keys;
# add_header Content-Disposition 'attachment; filename="$1$2$3.asc"';
......@@ -71,59 +72,83 @@ location /vks/v1/ {
return 400;
}
location /pks/internal/index {
internal;
# Common HKP requests.
location /pks/lookup {
# if the search argument contains angle brackets, strip everything around them
if ($arg_search ~ ".*\<([^&<>]+)\>.*") {
set $arg_search "$1";
}
limit_req zone=pks_index burst=30 nodelay;
limit_req_status 429;
error_page 429 /errors-static/429-rate-limit-pks-index.htm;
# rewrite this to a path we can match on (right below)
if ($args ~ "op=.*search=") {
rewrite . /pks/internal/$arg_op/$arg_search last;
}
proxy_pass http://127.0.0.1:8080;
add_header 'Access-Control-Allow-Origin' '*';
error_page 400 /errors-static/400-pks-invalid.htm;
return 400;
}
# Common HKP requests.
location /pks/lookup {
location /pks/internal {
internal;
# search by key id
# sq keyserver get <KEYID>, gpg --receive-keys <KEYID>
if ($args ~ "^op=get&options=mr&search=(?:0x)?([a-fA-F0-9]{16})$") {
location ~ "^/pks/internal/get/(?:0x)?([a-fA-F0-9]{16})$" {
set_by_lua $keyid "return ngx.arg[1]:upper()" $1;
set $args "";
rewrite . /vks/v1/by-keyid/$keyid last;
}
# search by fpr
# gpg --receive-keys <FINGERPRINT>
if ($args ~ "^op=get&options=mr&search=(?:0x)?([a-fA-F0-9]{40})$") {
location ~ "^/pks/internal/get/(?:0x)?([a-fA-F0-9]{40})$" {
set_by_lua $fingerprint "return ngx.arg[1]:upper()" $1;
set $args "";
rewrite . /vks/v1/by-fingerprint/$fingerprint last;
}
# search by email
# gpg --locate-key <EMAIL>
if ($request_uri ~ "^/pks/lookup\?op=get&options=mr&search=([^&]+(?:%40|@)[^&]+)") {
location ~ "^/pks/internal/get/(.+(?:%40|@).+)$" {
set_by_lua $email "return ngx.arg[1]:lower()" $1;
set $args "";
rewrite . /vks/v1/by-email/$email last;
}
# index by email, stripping angle brackets
# gpg --search-keys <QUERY>
if ($request_uri ~ "^/pks/lookup\?op=index&options=mr&search=[^&<>]*\<([^&<>]+)\>") {
set $query $1;
# index by fingerprint
# gpg --search-keys <FINGEPRINT>
location ~ "^/pks/internal/index/(?:0x)?([a-fA-F0-9]{40})$" {
limit_req zone=search_fpr_keyid burst=30;
limit_req_status 429;
error_page 429 /errors-static/429-rate-limit-pks-index.htm;
set $args "";
add_header 'Access-Control-Allow-Origin' '*';
proxy_pass http://127.0.0.1:8080;
}
# index by keyid
# gpg --search-keys <KEYID>
location ~ "^/pks/internal/index/(?:0x)?([a-fA-F0-9]{16})$" {
limit_req zone=search_fpr_keyid burst=30;
limit_req_status 429;
error_page 429 /errors-static/429-rate-limit-pks-index.htm;
set $args "";
rewrite . /pks/internal/index/$query last;
add_header 'Access-Control-Allow-Origin' '*';
proxy_pass http://127.0.0.1:8080;
}
# index by email
# gpg --search-keys <QUERY>
if ($request_uri ~ "^/pks/lookup\?op=index&options=mr&search=\<?([^&]+)\>?") {
set $query $1;
location ~ ^/pks/internal/index/(.+(?:%40|@).+)$ {
limit_req zone=search_email burst=50 nodelay;
limit_req_status 429;
error_page 429 /errors-static/429-rate-limit-pks-index.htm;
set $args "";
rewrite . /pks/internal/index/$query last;
add_header 'Access-Control-Allow-Origin' '*';
proxy_pass http://127.0.0.1:8080;
}
# forward to backend, which will like serve via x-accel-redirect
add_header 'Access-Control-Allow-Origin' '*';
error_page 400 /errors-static/400-pks-invalid.htm;
return 400;
......
# allow 6 requests per min -> one each 10s on avg.
limit_req_zone $binary_remote_addr zone=search_email:10m rate=1r/m;
limit_req_zone $binary_remote_addr zone=search_fpr_keyid:10m rate=5r/s;
limit_req_zone $binary_remote_addr zone=pks_index:10m rate=1r/m;
proxy_cache_path /tmp/nginx_cache use_temp_path=off keys_zone=static_cache:10m;
proxy_cache_valid 200 5m;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment