From 4de1d017ad2e926218d6b4789e448c1bd4cbfe67 Mon Sep 17 00:00:00 2001 
From: wiz Date: Tue, 4 Jan 2022 15:28:17 +0900 Subject: [PATCH 1/3] Update production configurations + README for v2.3 * Refactor production nginx configuration files * Update README for new networks, SQL, etc. --- production/README.md | 202 +++++++----- production/nginx-bisq.conf | 75 ----- production/nginx-liquid.conf | 167 ---------- production/nginx-mempool-ssr.conf | 212 ------------ production/nginx-mempool.conf | 272 ---------------- production/nginx.conf | 301 ------------------ production/nginx/http-basic.conf | 39 +++ production/nginx/http-language.conf | 57 ++++ production/nginx/http-proxy-cache.conf | 4 + .../nginx/location-api-v1-contributors.conf | 8 + .../location-api-v1-donations-images.conf | 11 + .../nginx/location-api-v1-donations.conf | 8 + production/nginx/location-api.conf | 43 +++ production/nginx/location-liquid-api.conf | 12 + .../nginx/location-liquidtestnet-api.conf | 12 + production/nginx/location-redirects.conf | 46 +++ production/nginx/location-signet-api.conf | 12 + production/nginx/location-testnet-api.conf | 12 + production/nginx/nginx.conf | 124 ++++++++ production/nginx/server-bisq.conf | 85 +++++ production/nginx/server-common.conf | 65 ++++ production/nginx/server-electrs.conf | 35 ++ production/nginx/server-liquid.conf | 7 + production/nginx/server-mempool.conf | 8 + production/nginx/upstream-electrs.conf | 15 + production/nginx/upstream-mempool.conf | 18 ++ 26 files changed, 751 insertions(+), 1099 deletions(-) delete mode 100644 production/nginx-bisq.conf delete mode 100644 production/nginx-liquid.conf delete mode 100644 production/nginx-mempool-ssr.conf delete mode 100644 production/nginx-mempool.conf delete mode 100644 production/nginx.conf create mode 100644 production/nginx/http-basic.conf create mode 100644 production/nginx/http-language.conf create mode 100644 production/nginx/http-proxy-cache.conf create mode 100644 production/nginx/location-api-v1-contributors.conf create mode 100644 
production/nginx/location-api-v1-donations-images.conf create mode 100644 production/nginx/location-api-v1-donations.conf create mode 100644 production/nginx/location-api.conf create mode 100644 production/nginx/location-liquid-api.conf create mode 100644 production/nginx/location-liquidtestnet-api.conf create mode 100644 production/nginx/location-redirects.conf create mode 100644 production/nginx/location-signet-api.conf create mode 100644 production/nginx/location-testnet-api.conf create mode 100644 production/nginx/nginx.conf create mode 100644 production/nginx/server-bisq.conf create mode 100644 production/nginx/server-common.conf create mode 100644 production/nginx/server-electrs.conf create mode 100644 production/nginx/server-liquid.conf create mode 100644 production/nginx/server-mempool.conf create mode 100644 production/nginx/upstream-electrs.conf create mode 100644 production/nginx/upstream-mempool.conf diff --git a/production/README.md b/production/README.md index 51c595945..d093aa47c 100644 --- a/production/README.md +++ b/production/README.md 
@@ -1,80 +1,88 @@ -# mempool.space v2 production website hosting +# mempool enterprise production instance -These instructions are for setting up a serious production mempool website for Mainnet, Testnet, and Liquid. For home users, follow the main instructions instead. +These instructions are for setting up a serious production mempool website for Bitcoin mainnet, testnet, signet, Liquid mainnet and testnet, and Bisq. For home users, you should use one-click installation methods instead, and for advanced manual deployments of mainnet only see the top-level installation instructions. ### Server Hardware -Mempool V2 is powered by electrs, which is a beast. I recommend a beefy server: +Mempool V2 is powered by blockstream/electrs, which is a beast. I recommend a beefy server: -* 16C CPU (more is better) +* 20C CPU (more is better) * 64G RAM (more is better) -* 2TB SSD (NVMe is better) +* 4TB SSD (NVMe is better) ### HDD vs SSD vs NVMe If you don't have a fast SSD or NVMe backed disk, that's fine. What you do is, go online and buy some fast new NVMe drives and wait for them to arrive. After you install them, throw away your old HDDs and then proceed with the rest of this guide. -## FreeBSD 12 +## FreeBSD 13 The mempool.space site is powered by FreeBSD with ZFS root and ARC cache for maximum performance. Linux probably works fine too, but why settle? ### Filesystem -For maximum performance, I use 2x 1TB NVMe SSDs in a RAID 0 using ZFS with lots of RAM for the ARC L2 cache. +For maximum performance, I use 2x 2TB NVMe SSDs in a RAID 0 using ZFS with lots of RAM for the ARC L2 cache. 
``` -# zpool list -v nvmraid -NAME SIZE ALLOC FREE CKPOINT EXPANDSZ FRAG CAP DEDUP HEALTH ALTROOT -nvmraid 1.81T 1.04T 787G - - 0% 57% 1.00x ONLINE - - nvd0 928G 535G 393G - - 0% 57% - nvd1 928G 534G 394G - - 0% 57% +% zpool list -v +NAME SIZE ALLOC FREE CKPOINT EXPANDSZ FRAG CAP DEDUP HEALTH ALTROOT +nvm 3.62T 1.25T 2.38T - - 2% 34% 1.00x ONLINE - + nvd0p3 1.81T 629G 1.20T - - 2% 33.9% - ONLINE + nvd1p3 1.81T 646G 1.18T - - 2% 34.8% - ONLINE ``` -For maximum flexibility of configuration, I configure the partitions separately for each data folder: +For maximum flexibility of configuration, I recommend partitions separately for each data folder: ``` Filesystem Size Used Avail Capacity Mounted on -nvmraid/mempool 732G 3.0G 729G 0% /mempool -nvmraid/mysql 730G 618M 729G 0% /mysql -nvmraid/bisq 729G 88K 729G 0% /bisq -nvmraid/elements 731G 1.8G 729G 0% /elements -nvmraid/elements/liquidv1 737G 7.2G 729G 1% /elements/liquidv1 -nvmraid/elements/electrs 730G 434M 729G 0% /elements/electrs -nvmraid/bitcoin 730G 694M 729G 0% /bitcoin -nvmraid/bitcoin/chainstate 733G 3.9G 729G 1% /bitcoin/chainstate -nvmraid/bitcoin/indexes 757G 27G 729G 4% /bitcoin/indexes -nvmraid/bitcoin/electrs 730G 853M 729G 0% /bitcoin/electrs -nvmraid/bitcoin/blocks 1.0T 306G 729G 30% /bitcoin/blocks -nvmraid/bitcoin/testnet3 729G 13M 729G 0% /bitcoin/testnet3 -nvmraid/bitcoin/testnet3/blocks 756G 26G 729G 3% /bitcoin/testnet3/blocks -nvmraid/bitcoin/testnet3/chainstate 731G 1.3G 729G 0% /bitcoin/testnet3/chainstate -nvmraid/bitcoin/testnet3/indexes 733G 3.8G 729G 1% /bitcoin/testnet3/indexes -nvmraid/electrs/liquid/cache 729G 39M 729G 0% /electrs/liquid/newindex/cache -nvmraid/electrs/liquid/history 730G 737M 729G 0% /electrs/liquid/newindex/history -nvmraid/electrs/liquid/txstore 736G 6.2G 729G 1% /electrs/liquid/newindex/txstore -nvmraid/electrs/mainnet/cache 729G 44M 729G 0% /electrs/mainnet/newindex/cache -nvmraid/electrs/mainnet/history 964G 234G 729G 24% /electrs/mainnet/newindex/history 
-nvmraid/electrs/mainnet/txstore 1.1T 392G 729G 35% /electrs/mainnet/newindex/txstore -nvmraid/electrs/testnet/cache 729G 40M 729G 0% /electrs/testnet/newindex/cache -nvmraid/electrs/testnet/history 747G 18G 729G 2% /electrs/testnet/newindex/history -nvmraid/electrs/testnet/txstore 764G 34G 729G 4% /electrs/testnet/newindex/txstore +nvm/bisq 766G 1.1G 765G 0% /bisq +nvm/bitcoin 766G 648M 765G 0% /bitcoin +nvm/bitcoin/blocks 1.1T 375G 765G 33% /bitcoin/blocks +nvm/bitcoin/chainstate 770G 4.5G 765G 1% /bitcoin/chainstate +nvm/bitcoin/electrs 772G 7.3G 765G 1% /bitcoin/electrs +nvm/bitcoin/indexes 799G 34G 765G 4% /bitcoin/indexes +nvm/bitcoin/testnet3 765G 5.0M 765G 0% /bitcoin/testnet3 +nvm/bitcoin/testnet3/blocks 786G 21G 765G 3% /bitcoin/testnet3/blocks +nvm/bitcoin/testnet3/chainstate 766G 1.1G 765G 0% /bitcoin/testnet3/chainstate +nvm/bitcoin/testnet3/indexes 768G 2.9G 765G 0% /bitcoin/testnet3/indexes +nvm/electrs 765G 128K 765G 0% /electrs +nvm/electrs/liquid 765G 104K 765G 0% /electrs/liquid +nvm/electrs/liquid/cache 765G 7.8M 765G 0% /electrs/liquid/newindex/cache +nvm/electrs/liquid/history 766G 886M 765G 0% /electrs/liquid/newindex/history +nvm/electrs/liquid/txstore 775G 10G 765G 1% /electrs/liquid/newindex/txstore +nvm/electrs/liquidtestnet 765G 112K 765G 0% /electrs/liquidtestnet +nvm/electrs/liquidtestnet/cache 765G 96K 765G 0% /electrs/liquidtestnet/newindex/cache +nvm/electrs/liquidtestnet/history 765G 96K 765G 0% /electrs/liquidtestnet/newindex/history +nvm/electrs/liquidtestnet/txstore 765G 96K 765G 0% /electrs/liquidtestnet/newindex/txstore +nvm/electrs/mainnet 765G 112K 765G 0% /electrs/mainnet +nvm/electrs/mainnet/cache 765G 4.4M 765G 0% /electrs/mainnet/newindex/cache +nvm/electrs/mainnet/history 1.0T 300G 765G 28% /electrs/mainnet/newindex/history +nvm/electrs/mainnet/txstore 1.3T 530G 765G 41% /electrs/mainnet/newindex/txstore +nvm/electrs/signet 766G 522M 765G 0% /electrs/signet +nvm/electrs/testnet 765G 104K 765G 0% /electrs/testnet 
+nvm/electrs/testnet/cache 765G 1.6M 765G 0% /electrs/testnet/newindex/cache +nvm/electrs/testnet/history 784G 19G 765G 2% /electrs/testnet/newindex/history +nvm/electrs/testnet/txstore 803G 38G 765G 5% /electrs/testnet/newindex/txstore +nvm/elements 766G 927M 765G 0% /elements +nvm/elements/electrs 766G 716M 765G 0% /elements/electrs +nvm/elements/liquidv1 777G 11G 765G 1% /elements/liquidv1 +nvm/mempool 789G 24G 765G 3% /mempool +nvm/mysql 766G 648M 765G 0% /mysql +tmpfs 1.0G 1.3M 1.0G 0% /var/cache/nginx +tmpfs 3.0G 1.9G 1.1G 63% /bisq/statsnode-data/btc_mainnet/db/json ``` ### Build Dependencies You'll probably need these: ``` -pkg install -y zsh sudo git screen vim-console curl wget neovim rsync -pkg install -y openssl openssh-portable open-vm-tools-nox11 py37-pip -pkg install -y boost-libs autoconf automake gmake gcc libevent libtool pkgconf -pkg install -y mariadb55-server mariadb55-client nginx py37-certbot-nginx npm +pkg install -y zsh sudo git screen curl wget neovim rsync nginx openssl openssh-portable py38-pip py38-certbot-nginx boost-libs autoconf automake gmake gcc libevent libtool pkgconf mariadb105-server mariadb105-client ``` ### NodeJS / npm I recommend to build nodejs / npm from source using nvm: ``` -curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.3/install.sh | zsh +curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.1/install.sh | zsh source $HOME/.zshrc -nvm install node +nvm install v16.10.0 nvm alias default node ``` 
@@ -107,11 +115,18 @@ DataDirectory /var/db/tor DataDirectoryGroupReadable 1 HiddenServiceDir /var/db/tor/mempool -HiddenServicePort 80 127.0.0.1:80 +HiddenServicePort 80 127.0.0.1:81 +HiddenServiceVersion 3 + +HiddenServiceDir /var/db/tor/bisq +HiddenServicePort 80 127.0.0.1:82 +HiddenServiceVersion 3 + +HiddenServiceDir /var/db/tor/liquid +HiddenServicePort 80 127.0.0.1:83 HiddenServiceVersion 3 ``` - ### Bitcoin Build [Bitcoin Core](https://github.com/bitcoin/bitcoin) from source. Alternatively, install the OS packages: @@ -121,25 +136,35 @@ pkg install -y bitcoin-daemon bitcoin-utils Configure your bitcoin.conf like this: ``` +datadir=/bitcoin server=1 -daemon=1 +txindex=1 listen=1 discover=1 -txindex=1 -dbcache=3700 -maxconnections=1337 +par=16 +dbcache=4096 +maxmempool=1337 +mempoolexpiry=999999 +maxconnections=42 onion=127.0.0.1:9050 rpcallowip=127.0.0.1 -rpcuser=0cd862dce678b830bd2aa36f10b9b6b2 -rpcpassword=2d89d36cac4a13c87b5d19ef8f577e37 +rpcuser=foo +rpcpassword=bar [main] bind=127.0.0.1:8333 rpcbind=127.0.0.1:8332 +whitelist=bloomfilter@127.0.0.1 [test] +daemon=1 bind=127.0.0.1:18333 rpcbind=127.0.0.1:18332 + +[signet] +daemon=1 +bind=127.0.0.1:38333 +rpcbind=127.0.0.1:38332 ``` ### Elements 
@@ -158,15 +183,39 @@ Configure your elements.conf like this: server=1 daemon=1 listen=1 -chain=liquidv1 -rpcuser=liquiduser -rpcpassword=liquidpass -validatepegin=1 +rpcuser=foo +rpcpassword=bar mainchainrpchost=127.0.0.1 -mainchainrpcport=8332 -mainchainrpcuser=user -mainchainrpcpassword=pass +mainchainrpcuser=foo +mainchainrpcpassword=bar txindex=1 + +[liquidv1] +validatepegin=1 +mainchainrpcport=8332 + +[liquidtestnet] +validatepegin=0 +anyonecanspendaremine=0 +initialfreecoins=2100000000000000 +con_dyna_deploy_start=0 +con_max_block_sig_size=150 +checkblockindex=0 +fallbackfee=0.00000100 +con_has_parent_chain=0 +parentgenesisblockhash=NULL +pubkeyprefix=36 +scriptprefix=19 +blindedprefix=23 +bech32_hrp=tex +blech32_hrp=tlq +pchmessagestart=410edd62 +dynamic_epoch_length=1000 +signblockscript=51210217e403ddb181872c32a0cd468c710040b2f53d8cac69f18dad07985ee37e9a7151ae +evbparams=dynafed:0::: +addnode=liquid-testnet.blockstream.com:18892 +addnode=liquidtestnet.com:18891 +addnode=liquid.network:18444 ``` Start elementsd and wait for it to sync the Liquid blockchain. @@ -180,11 +229,13 @@ cd electrs git checkout new-index ``` -You'll need 3 instances, one for each network. Build one at a time: +You'll need one instance per network. Build and run them one at a time: ``` ./electrs-start-mainnet ./electrs-start-testnet +./electrs-start-signet ./electrs-start-liquid +./electrs-start-liquidtestnet ``` ### MariaDB 
@@ -194,19 +245,25 @@ Import historical mempool fee database snapshot, or the blank mariadb structure mysql -u root create database mempool; grant all on mempool.* to 'mempool'@'localhost' identified by 'mempool'; -create database tmempool; -grant all on tmempool.* to 'tmempool'@'localhost' identified by 'tmempool'; -create database lmempool; -grant all on lmempool.* to 'lmempool'@'localhost' identified by 'lmempool'; +create database mempool_testnet; +grant all on mempool_testnet.* to 'mempool_testnet'@'localhost' identified by 'mempool_testnet'; +create database mempool_signet; +grant all on mempool_signet.* to 'mempool_signet'@'localhost' identified by 'mempool_signet'; +create database mempool_liquid; +grant all on mempool_liquid.* to 'mempool_liquid'@'localhost' identified by 'mempool_liquid'; +create database mempool_liquidtestnet; +grant all on mempool_liquidtestnet.* to 'mempool_liquidtestnet'@'localhost' identified by 'mempool_liquidtestnet'; ``` -Then import +### Bisq + +Build bisq-statsnode normally and run using options like this: ``` -mysql -u mempool -p mempool < /mempool/mempool/mariadb-structure.sql -mysql -u tmempool -p tmempool < /mempool/mempool/mariadb-structure.sql -mysql -u lmempool -p lmempool < /mempool/mempool/mariadb-structure.sql +./bisq-statsnode --dumpBlockchainData=true --dumpStatistics=true ``` +If bisq is happy, it should dump JSON files for Bisq Markets and BSQ data into /bisq that the mempool backend will use. + ### Mempool After all 3 electrs instances are fully indexed, install your 3 mempool nodes: 
@@ -224,13 +281,15 @@ Finally, start your 3 mempool backends: Get SSL certificate using certbot: ``` -certbot --nginx -d mempool.space +certbot --nginx -d mempool.ninja ``` -Install nginx.conf from this repo, edit as necessary: +Make a symlink from /usr/local/etc/nginx/mempool to /mempool/mempool, and copy the nginx.conf and edit as necessary. You probably only need to edit the top-level nginx.conf file. ``` -cp nginx.conf /usr/local/etc/nginx/nginx.conf -vi /usr/local/etc/nginx/nginx.conf +cd /usr/local/etc/nginx +ln -s /mempool/mempool +cp /mempool/mempool/nginx.conf . +vi nginx.conf ``` Restart nginx @@ -241,4 +300,3 @@ service nginx restart ### Done Your site should look like https://mempool.space/ -If it doesn't ask wiz on Keybase DM or Twitter for help. diff --git a/production/nginx-bisq.conf b/production/nginx-bisq.conf deleted file mode 100644 index 25873c78c..000000000 --- a/production/nginx-bisq.conf +++ /dev/null 
@@ -1,75 +0,0 @@ -root /mempool/public_html/markets/en-US; -index index.html; - -set $frameOptions "DENY"; -set $contentSecurityPolicy "frame-ancestors 'none'"; -if ($http_referer ~ ^https://bisq.markets/) -{ - set $frameOptions "ALLOW-FROM https://bisq.markets"; - set $contentSecurityPolicy "frame-ancestors https://bisq.markets"; -} -if ($http_referer ~ ^https://bisq.network/) -{ - set $frameOptions "ALLOW-FROM https://bisq.network"; - set $contentSecurityPolicy "frame-ancestors https://bisq.network"; -} -add_header X-Frame-Options $frameOptions; -add_header Content-Security-Policy $contentSecurityPolicy; -add_header Link "; rel=\"canonical\""; -add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; -#add_header Onion-Location http://mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad.onion$request_uri; - -proxy_cache markets; -proxy_cache_valid 200 30s; - -location / { - try_files $uri $uri/ /index.html; -} -location /api { - rewrite ^/api$ / break; - rewrite ^/api/$ / break; - rewrite ^/api/(.*) /api/v1/bisq/markets/$1 break; - try_files $uri $uri/ @mempool; -} -location /bisq/api/markets { - rewrite ^/bisq/api/markets/(.*) /api/v1/bisq/markets/$1 break; - try_files $uri $uri/ @mempool; -} -location /bisq/api/v1/markets { - rewrite ^/bisq/api/v1/markets/(.*) /api/v1/bisq/markets/$1 break; - try_files $uri $uri/ @mempool; -} -location /bisq/api/v1/ws { - proxy_pass http://127.0.0.1:8996/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; -} -location /api/markets { - rewrite ^/api/markets/(.*) /api/v1/bisq/markets/$1 break; - try_files $uri $uri/ @mempool; -} -location /api/v1/markets { - rewrite ^/api/v1/markets/(.*) /api/v1/bisq/markets/$1 break; - try_files $uri $uri/ @mempool; -} -location /api/v1/ws { - proxy_pass http://127.0.0.1:8996/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; -} -location @mempool 
{ - proxy_pass http://127.0.0.1:8996; - proxy_http_version 1.1; - - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - proxy_cache_bypass $http_upgrade; - proxy_redirect off; - proxy_set_header X-Forwarded-Proto $scheme; -} diff --git a/production/nginx-liquid.conf b/production/nginx-liquid.conf deleted file mode 100644 index 37451fdb7..000000000 --- a/production/nginx-liquid.conf +++ /dev/null 
@@ -1,167 +0,0 @@ -root /mempool/public_html/liquid/; - -index index.html; - -set $frameOptions "DENY"; -set $contentSecurityPolicy "frame-ancestors 'none'"; -if ($http_referer ~ ^https://mempool.space/) -{ - set $frameOptions "ALLOW-FROM https://mempool.space"; - set $contentSecurityPolicy "frame-ancestors https://mempool.space"; -} -if ($http_referer ~ ^https://mempool.ninja/) -{ - set $frameOptions "ALLOW-FROM https://mempool.ninja"; - set $contentSecurityPolicy "frame-ancestors https://mempool.ninja"; -} -if ($http_referer ~ ^https://wiz.biz/) -{ - set $frameOptions "ALLOW-FROM https://wiz.biz"; - set $contentSecurityPolicy "frame-ancestors https://wiz.biz"; -} - -add_header X-Frame-Options $frameOptions; -add_header Content-Security-Policy $contentSecurityPolicy; -add_header Onion-Location http://mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad.onion$request_uri; -add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - -# fallback for all URLs i.e. 
/address/foo /tx/foo /block/000 -location / { - try_files /$lang/$uri /$lang/$uri/ $uri $uri/ /en-US/$uri @index-redirect; - add_header Cache-Control "public, no-transform"; - add_header X-Frame-Options $frameOptions; - add_header Content-Security-Policy $contentSecurityPolicy; - add_header Onion-Location http://mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad.onion$request_uri; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - expires 10m; -} -location /resources { - try_files /$lang/$uri /$lang/$uri/ $uri $uri/ /en-US/$uri @index-redirect; - add_header Cache-Control "public, no-transform"; - add_header X-Frame-Options $frameOptions; - add_header Content-Security-Policy $contentSecurityPolicy; - add_header Onion-Location http://mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad.onion$request_uri; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - expires 1h; -} -location @index-redirect { - add_header Vary accept-language; - add_header X-Frame-Options $frameOptions; - add_header Content-Security-Policy $contentSecurityPolicy; - add_header Onion-Location http://mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad.onion$request_uri; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - rewrite (.*) /$lang/index.html; -} - -# location block using regex are matched in order - -# used to rewrite resources from // to /en-US/ -location ~ ^/(ar|bg|bs|ca|cs|da|de|et|el|es|eo|eu|fa|fr|gl|ko|hr|id|it|he|ka|lv|lt|hu|mk|ms|nl|ja|ka|no|nb|nn|pl|pt|pt-BR|ro|ru|sk|sl|sr|sh|fi|sv|th|tr|uk|vi|zh)/resources/ { - rewrite ^/[a-zA-Z-]*/resources/(.*) /en-US/resources/$1; -} -# used for cookie override -location ~ ^/(ar|bg|bs|ca|cs|da|de|et|el|es|eo|eu|fa|fr|gl|ko|hr|id|it|he|ka|lv|lt|hu|mk|ms|nl|ja|ka|no|nb|nn|pl|pt|pt-BR|ro|ru|sk|sl|sr|sh|fi|sv|th|tr|uk|vi|zh)/ { - try_files $uri $uri/ /$1/index.html =404; -} - -# static API docs -location = /api { - 
#return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; -} -location = /api/ { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; -} -location = /liquid/api { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; -} -location = /liquid/api/ { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; -} -location = /testnet/api { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; -} -location = /testnet/api/ { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; -} - -# mainnet API -location /api/v1/contributors { - proxy_pass https://mempool.space; - proxy_hide_header onion-location; - proxy_hide_header strict-transport-security; - proxy_hide_header content-security-policy; - proxy_hide_header x-frame-options; -} -location /api/v1/donations { - proxy_pass https://mempool.space; - proxy_hide_header onion-location; - proxy_hide_header strict-transport-security; - proxy_hide_header content-security-policy; - proxy_hide_header x-frame-options; -} -location /api/v1/donations/images { - proxy_pass https://mempool.space; - proxy_cache services; - proxy_cache_valid 200 1d; - expires 7d; - add_header Cache-Control "public, no-transform"; - proxy_hide_header onion-location; - proxy_hide_header strict-transport-security; - proxy_hide_header content-security-policy; - proxy_hide_header x-frame-options; -} -location /api/v1/ws { - proxy_pass http://127.0.0.1:8998/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; -} -location /api/v1 { - proxy_pass http://127.0.0.1:8998/api/v1; -} -location /api/address { - proxy_pass http://electrs-liquid/address; -} -location /api/tx { - proxy_pass http://electrs-liquid/tx; -} -location /api/block { - proxy_pass 
http://electrs-liquid/block; -} -location /api/ { - proxy_pass http://electrs-liquid/; -} - -# liquid API -location /liquid/api/v1/ws { - proxy_pass http://127.0.0.1:8998/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; -} -location /liquid/api/v1 { - proxy_pass http://127.0.0.1:8998/api/v1; -} -location /liquid/api/ { - proxy_pass http://electrs-liquid/; -} - -# liquidtestnet API -location /liquidtestnet/api/v1/ws { - proxy_pass http://127.0.0.1:8994/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; -} -location /liquidtestnet/api/v1 { - proxy_pass http://127.0.0.1:8994/api/v1; -} -location /liquidtestnet/api/ { - proxy_pass http://electrs-liquidtestnet/; -} diff --git a/production/nginx-mempool-ssr.conf b/production/nginx-mempool-ssr.conf deleted file mode 100644 index 5c80bb75f..000000000 --- a/production/nginx-mempool-ssr.conf +++ /dev/null 
@@ -1,212 +0,0 @@ - root /mempool/public_html/mainnet/; - - index index.html; - - add_header Onion-Location http://mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad.onion$request_uri; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - - set $frameOptions "DENY"; - set $contentSecurityPolicy "frame-ancestors 'none'"; - if ($http_referer ~ ^https://mempool.space/) - { - set $frameOptions "ALLOW-FROM https://mempool.space"; - set $contentSecurityPolicy "frame-ancestors https://mempool.space"; - } - if ($http_referer ~ ^https://mempool.ninja/) - { - set $frameOptions "ALLOW-FROM https://mempool.ninja"; - set $contentSecurityPolicy "frame-ancestors https://mempool.ninja"; - } - if ($http_referer ~ ^https://node100.bitcoin.wiz.biz/) - { - set $frameOptions "ALLOW-FROM https://node100.bitcoin.wiz.biz"; - set $contentSecurityPolicy "frame-ancestors https://node100.bitcoin.wiz.biz"; - } - if ($http_referer ~ ^https://wiz.biz/) - { - set $frameOptions "ALLOW-FROM https://wiz.biz"; - set $contentSecurityPolicy "frame-ancestors https://wiz.biz"; - } - - add_header X-Frame-Options $frameOptions; - add_header Content-Security-Policy $contentSecurityPolicy; - - # fallback for all URLs i.e. 
/address/foo /tx/foo /block/000 - location / { - #try_files /$lang/$uri /$lang/$uri/ $uri $uri/ /en-US/$uri @index-redirect; - proxy_pass http://127.0.0.1:4000; - } - location @index-redirect { - add_header vary accept-language; - rewrite (.*) /$lang/index.html; - } - - # location block using regex are matched in order - - # used to rewrite resources from // to /en-US/ - location ~ ^/(ar|bg|bs|ca|cs|da|de|et|el|es|eo|eu|fa|fr|gl|ko|hr|id|it|he|ka|lv|lt|hu|mk|ms|nl|ja|ka|no|nb|nn|pl|pt|pt-BR|ro|ru|sk|sl|sr|sh|fi|sv|th|tr|uk|vi|zh)/resources/ { - #rewrite ^/[a-zA-Z-]*/resources/(.*) /resources/$1; - try_files $uri /en-US/$uri =404; - } - location /resources/ { - try_files $uri /en-US/$uri =404; - } - # used for cookie override - location ~ ^/(ar|bg|bs|ca|cs|da|de|et|el|es|eo|eu|fa|fr|gl|ko|hr|id|it|he|ka|lv|lt|hu|mk|ms|nl|ja|ka|no|nb|nn|pl|pt|pt-BR|ro|ru|sk|sl|sr|sh|fi|sv|th|tr|uk|vi|zh)/ { - #try_files $uri $uri/ /$1/index.html =404; - proxy_pass http://127.0.0.1:4000; - } - - # add /sitemap for production SEO - location /sitemap { - try_files $uri =410; - } - # old /explorer redirect from v1 days - location /explorer { - rewrite /explorer/(.*) https://$host/$1 permanent; - } - - # static API docs - location = /api { - #return 302 https://mempool.space/$request_uri; - #try_files $uri $uri/ /en-US/index.html =404; - proxy_pass http://127.0.0.1:4000; - } - location = /api/ { - #return 302 https://mempool.space/$request_uri; - #try_files $uri $uri/ /en-US/index.html =404; - proxy_pass http://127.0.0.1:4000; - } - location = /liquid/api { - #return 302 https://mempool.space/$request_uri; - #try_files $uri $uri/ /en-US/index.html =404; - proxy_pass http://127.0.0.1:4000; - } - location = /liquid/api/ { - #return 302 https://mempool.space/$request_uri; - #try_files $uri $uri/ /en-US/index.html =404; - proxy_pass http://127.0.0.1:4000; - } - location = /testnet/api { - #return 302 https://mempool.space/$request_uri; - #try_files $uri $uri/ /en-US/index.html =404; - 
proxy_pass http://127.0.0.1:4000; - } - location = /testnet/api/ { - #return 302 https://mempool.space/$request_uri; - #try_files $uri $uri/ /en-US/index.html =404; - proxy_pass http://127.0.0.1:4000; - } - location = /bisq/api { - #return 302 https://mempool.space/$request_uri; - #try_files $uri $uri/ /en-US/index.html =404; - proxy_pass http://127.0.0.1:4000; - } - location = /bisq/api/ { - #return 302 https://mempool.space/$request_uri; - #try_files $uri $uri/ /en-US/index.html =404; - proxy_pass http://127.0.0.1:4000; - } - - # mainnet API - location /api/v1/donations { - proxy_pass http://127.0.0.1:8999; - # don't rate limit this API prefix - } - location /api/v1/donations/images { - proxy_pass http://127.0.0.1:8999; - proxy_cache services; - proxy_cache_valid 200 1d; - } - location /api/v1/ws { - proxy_pass http://127.0.0.1:8999/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /api/v1 { - proxy_pass http://127.0.0.1:8999/api/v1; - limit_req burst=50 nodelay zone=api; - } - location /api/ { - proxy_pass http://[::1]:3000/; - limit_req burst=50 nodelay zone=electrs; - } - - # liquid API - location /liquid/api/v1/ws { - proxy_pass http://127.0.0.1:8998/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /liquid/api/v1 { - proxy_pass http://127.0.0.1:8998/api/v1; - limit_req burst=50 nodelay zone=api; - } - location /liquid/api/ { - proxy_pass http://[::1]:3001/; - limit_req burst=50 nodelay zone=electrs; - } - - # testnet API - location /testnet/api/v1/ws { - proxy_pass http://127.0.0.1:8997/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /testnet/api/v1 { - proxy_pass http://127.0.0.1:8997/api/v1; - limit_req burst=50 nodelay zone=api; - } - location /testnet/api/ { - proxy_pass http://[::1]:3002/; - limit_req burst=50 nodelay 
zone=electrs; - } - - # bisq API - location /bisq/api/v1/ws { - proxy_pass http://127.0.0.1:8996/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /bisq/api/v1/markets { - proxy_pass http://127.0.0.1:8996/api/v1/bisq/markets; - #limit_req burst=50 nodelay zone=api; - } - location /bisq/api/v1 { - proxy_pass http://127.0.0.1:8996/api/v1; - limit_req burst=50 nodelay zone=api; - } - location /bisq/api { - proxy_pass http://127.0.0.1:8996/api/v1/bisq; - limit_req burst=50 nodelay zone=api; - } - - # mainnet API - location /ws { - proxy_pass http://127.0.0.1:8999/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /ws/mainnet { - proxy_pass http://127.0.0.1:8999/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /ws/liquid { - proxy_pass http://127.0.0.1:8998/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /ws/testnet { - proxy_pass http://127.0.0.1:8997/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } diff --git a/production/nginx-mempool.conf b/production/nginx-mempool.conf deleted file mode 100644 index 8b948b305..000000000 --- a/production/nginx-mempool.conf +++ /dev/null 
@@ -1,272 +0,0 @@ - root /mempool/public_html/mainnet/; - - index index.html; - - # tor onion redirect - add_header Onion-Location http://mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad.onion$request_uri; - - # HSTS preload enable - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - - # generate frame configuration from origin header - set $frameOptions "DENY"; - set $contentSecurityPolicy "frame-ancestors 'none'"; - if ($http_referer ~ ^https://mempool.space/) - { - set $frameOptions "ALLOW-FROM https://mempool.space"; - set $contentSecurityPolicy "frame-ancestors https://mempool.space"; - } - if ($http_referer ~ ^https://mempool.ninja/) - { - set $frameOptions "ALLOW-FROM https://mempool.ninja"; - set $contentSecurityPolicy "frame-ancestors https://mempool.ninja"; - } - if ($http_referer ~ ^https://wiz.biz/) - { - set $frameOptions "ALLOW-FROM https://wiz.biz"; - set $contentSecurityPolicy "frame-ancestors https://wiz.biz"; - } - - # restrict usage of frames - add_header X-Frame-Options $frameOptions; - add_header Content-Security-Policy $contentSecurityPolicy; - - # enable browser and proxy caching - add_header Cache-Control "public, no-transform"; - - # vary cache if user changes language preference - add_header Vary Accept-Language; - add_header Vary Cookie; - - # fallback for all URLs i.e. 
/address/foo /tx/foo /block/000 - location / { - try_files /$lang/$uri /$lang/$uri/ $uri $uri/ /en-US/$uri @index-redirect; - expires 10m; - } - location /resources { - try_files /$lang/$uri /$lang/$uri/ $uri $uri/ /en-US/$uri @index-redirect; - expires 1h; - } - location @index-redirect { - rewrite (.*) /$lang/index.html; - } - - # location block using regex are matched in order - - # used to rewrite resources from // to /en-US/ - location ~ ^/(ar|bg|bs|ca|cs|da|de|et|el|es|eo|eu|fa|fr|gl|ko|hr|id|it|he|ka|lv|lt|hu|mk|ms|nl|ja|nb|nn|pl|pt|pt-BR|ro|ru|sk|sl|sr|sh|fi|sv|th|tr|uk|vi|zh|hi)/resources/ { - rewrite ^/[a-zA-Z-]*/resources/(.*) /en-US/resources/$1; - } - # used for cookie override - location ~ ^/(ar|bg|bs|ca|cs|da|de|et|el|es|eo|eu|fa|fr|gl|ko|hr|id|it|he|ka|lv|lt|hu|mk|ms|nl|ja|nb|nn|pl|pt|pt-BR|ro|ru|sk|sl|sr|sh|fi|sv|th|tr|uk|vi|zh|hi)/ { - try_files $uri $uri/ /$1/index.html =404; - } - - # add /sitemap for production SEO - location /sitemap { - try_files $uri =410; - } - # old /explorer redirect from v1 days - location /explorer { - rewrite /explorer/(.*) https://$host/$1 permanent; - } - - # static API docs - location = /api { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; - } - location = /api/ { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; - } - location = /liquid/api { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; - } - location = /liquid/api/ { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; - } - location = /testnet/api { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; - } - location = /testnet/api/ { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; - } - location = /bisq/api { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ 
/en-US/index.html =404; - } - location = /bisq/api/ { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; - } - location = /signet/api { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; - } - location = /signet/api/ { - #return 302 https://mempool.space/$request_uri; - try_files $uri $uri/ /en-US/index.html =404; - } - - # serivces API - location /api/v1/contributors { - # don't rate limit this API prefix - proxy_pass https://mempool.space; - proxy_hide_header onion-location; - proxy_hide_header strict-transport-security; - proxy_hide_header content-security-policy; - proxy_hide_header x-frame-options; - } - location /api/v1/donations { - # don't rate limit this API prefix - proxy_pass https://mempool.space; - proxy_hide_header onion-location; - proxy_hide_header strict-transport-security; - proxy_hide_header content-security-policy; - proxy_hide_header x-frame-options; - } - location /api/v1/donations/images { - # don't rate limit this API prefix - proxy_pass https://mempool.space; - proxy_cache services; - proxy_cache_valid 200 1d; - expires 7d; - add_header Cache-Control "public, no-transform"; - proxy_hide_header onion-location; - proxy_hide_header strict-transport-security; - proxy_hide_header content-security-policy; - proxy_hide_header x-frame-options; - } - - # mainnet API - location /api/v1/ws { - proxy_pass http://127.0.0.1:8999/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /api/v1 { - proxy_pass http://127.0.0.1:8999/api/v1; - limit_req burst=50 nodelay zone=api; - } - location /api/address { - proxy_pass http://electrs-mainnet/address; - limit_req burst=50 nodelay zone=electrs-address; - } - location /api/tx { - proxy_pass http://electrs-mainnet/tx; - limit_req burst=50 nodelay zone=electrs-tx; - } - location /api/block { - proxy_pass http://electrs-mainnet/block; - limit_req 
burst=50 nodelay zone=electrs-block; - } - location /api/ { - proxy_pass http://electrs-mainnet/; - limit_req burst=50 nodelay zone=electrs; - } - - # liquid API - location /liquid/api/v1/ws { - proxy_pass http://127.0.0.1:8998/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /liquid/api/v1 { - proxy_pass http://127.0.0.1:8998/api/v1; - limit_req burst=50 nodelay zone=api; - } - location /liquid/api/ { - proxy_pass http://electrs-liquid/; - limit_req burst=50 nodelay zone=electrs; - } - - # testnet API - location /testnet/api/v1/ws { - proxy_pass http://127.0.0.1:8997/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /testnet/api/v1 { - proxy_pass http://127.0.0.1:8997/api/v1; - limit_req burst=50 nodelay zone=api; - } - location /testnet/api/ { - proxy_pass http://electrs-testnet/; - limit_req burst=50 nodelay zone=electrs; - } - - # bisq API - location /bisq/api/v1/ws { - proxy_pass http://127.0.0.1:8996/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /bisq/api/v1/markets { - proxy_pass http://127.0.0.1:8996/api/v1/bisq/markets; - #limit_req burst=50 nodelay zone=api; - } - location /bisq/api/v1 { - proxy_pass http://127.0.0.1:8996/api/v1; - limit_req burst=50 nodelay zone=api; - } - location /bisq/api { - proxy_pass http://127.0.0.1:8996/api/v1/bisq; - limit_req burst=50 nodelay zone=api; - } - - # signet API - location /signet/api/v1/ws { - proxy_pass http://127.0.0.1:8995/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /signet/api/v1 { - proxy_pass http://127.0.0.1:8995/api/v1; - limit_req burst=50 nodelay zone=api; - } - location /signet/api/ { - proxy_pass http://electrs-signet/; - limit_req burst=50 nodelay zone=electrs; - } - - # websockets - location 
/ws { - proxy_pass http://127.0.0.1:8999/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /ws/mainnet { - proxy_pass http://127.0.0.1:8999/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /ws/liquid { - proxy_pass http://127.0.0.1:8998/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /ws/testnet { - proxy_pass http://127.0.0.1:8997/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - location /ws/signet { - proxy_pass http://127.0.0.1:8995/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } diff --git a/production/nginx.conf b/production/nginx.conf deleted file mode 100644 index 7a00580dc..000000000 --- a/production/nginx.conf +++ /dev/null 
@@ -1,301 +0,0 @@ -user nobody; -pid /var/run/nginx.pid; - -worker_processes auto; -worker_rlimit_nofile 100000; - -events { - worker_connections 9000; - multi_accept on; -} - -http { - sendfile on; - tcp_nopush on; - tcp_nodelay on; - - server_tokens off; - server_name_in_redirect off; - - include /usr/local/etc/nginx/mime.types; - default_type application/octet-stream; - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - # reset timed out connections freeing ram - reset_timedout_connection on; - # maximum time between packets the client can pause when sending nginx any data - client_body_timeout 10s; - # maximum time the client has to send the entire header to nginx - client_header_timeout 10s; - # timeout which a single keep-alive client connection will stay open - keepalive_timeout 69s; - # maximum time between packets nginx is allowed to pause when sending the client data - send_timeout 10s; - - # number of requests per connection, does not affect SPDY - keepalive_requests 100; - - # enable gzip compression - gzip on; - gzip_vary on; - gzip_comp_level 6; - gzip_min_length 1000; - gzip_proxied expired no-cache no-store private auth; - # text/html is always compressed by gzip module - gzip_types application/javascript application/json application/ld+json application/manifest+json application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard; - - # limit request body size - client_max_body_size 10m; - - # proxy cache - proxy_cache off; - proxy_cache_path /var/cache/nginx/services keys_zone=services:20m levels=1:2 inactive=600s max_size=100m; - proxy_cache_path /var/cache/nginx/markets keys_zone=markets:20m levels=1:2 inactive=600s max_size=100m; - proxy_cache_path /var/cache/nginx/mainnet keys_zone=mainnet:20m levels=1:2 inactive=600s max_size=100m; - proxy_cache_path /var/cache/nginx/testnet 
keys_zone=testnet:20m levels=1:2 inactive=600s max_size=100m; - proxy_cache_path /var/cache/nginx/liquid keys_zone=liquid:20m levels=1:2 inactive=600s max_size=100m; - proxy_cache_path /var/cache/nginx/signet keys_zone=signet:20m levels=1:2 inactive=600s max_size=100m; - types_hash_max_size 2048; - - map $http_accept_language $header_lang { - default en-US; - ~*^en-US en-US; - ~*^en en-US; - ~*^ar ar; - ~*^cs cs; - ~*^de de; - ~*^es es; - ~*^fa fa; - ~*^fr fr; - ~*^ko ko; - ~*^hi hi; - ~*^it it; - ~*^ka ka; - ~*^hu hu; - ~*^nl nl; - ~*^ja ja; - ~*^nb nb; - ~*^pl pl; - ~*^pt pt; - ~*^sl sl; - ~*^fi fi; - ~*^sv sv; - ~*^tr tr; - ~*^uk uk; - ~*^vi vi; - ~*^zh zh; - } - - map $cookie_lang $lang { - default $header_lang; - ~*^en-US en-US; - ~*^en en-US; - ~*^ar ar; - ~*^cs cs; - ~*^de de; - ~*^es es; - ~*^fa fa; - ~*^fr fr; - ~*^hi hi; - ~*^it it; - ~*^ka ka; - ~*^hu hu; - ~*^ja ja; - ~*^ko ko; - ~*^nb nb; - ~*^nl nl; - ~*^pl pl; - ~*^pt pt; - ~*^sl sl; - ~*^fi fi; - ~*^sv sv; - ~*^tr tr; - ~*^uk uk; - ~*^vi vi; - ~*^zh zh; - } - - server { - listen 80; - listen [::]:80; - server_name node206.mempool.space mempool.space mempool.ninja bisq.markets liquid.network; - - if ($host = mempool.space) - { - return 301 https://$host$request_uri; - } - if ($host = mempool.ninja) - { - return 301 https://$host$request_uri; - } - if ($host = bisq.markets) - { - return 301 https://$host$request_uri; - } - if ($host = liquid.network) - { - return 301 https://$host$request_uri; - } - if ($host = node206.mempool.space) - { - return 301 https://$host$request_uri; - } - return 503; - } - - upstream electrs-mainnet { - server [2401:b140:1::92:201]:3000 backup; - server [2401:b140:1::92:202]:3000 backup; - server [2401:b140:1::92:203]:3000 weight=1 fail_timeout=10s max_fails=10; - server [2401:b140:1::92:204]:3000 weight=1 fail_timeout=10s max_fails=10; - server [2401:b140:1::92:205]:3000 weight=1 fail_timeout=10s max_fails=10; - server [2401:b140:1::92:206]:3000 weight=9999 
fail_timeout=10s max_fails=10; - } - server { - listen 127.0.0.1:4000; - access_log /dev/null; - location / { - proxy_pass http://electrs-mainnet; - } - } - - upstream electrs-liquid { - server [2401:b140:1::92:201]:3001 backup; - server [2401:b140:1::92:202]:3001 backup; - server [2401:b140:1::92:203]:3001 weight=1 fail_timeout=10s max_fails=10; - server [2401:b140:1::92:204]:3001 weight=1 fail_timeout=10s max_fails=10; - server [2401:b140:1::92:205]:3001 weight=1 fail_timeout=10s max_fails=10; - server [2401:b140:1::92:206]:3001 weight=9999 fail_timeout=10s max_fails=10; - } - server { - listen 127.0.0.1:4001; - access_log /dev/null; - location / { - proxy_pass http://electrs-liquid; - } - } - - upstream electrs-testnet { - server [2401:b140:1::92:201]:3002 backup; - server [2401:b140:1::92:202]:3002 backup; - server [2401:b140:1::92:203]:3002 weight=1 fail_timeout=10s max_fails=10; - server [2401:b140:1::92:204]:3002 weight=1 fail_timeout=10s max_fails=10; - server [2401:b140:1::92:205]:3002 weight=1 fail_timeout=10s max_fails=10; - server [2401:b140:1::92:206]:3002 weight=9999 fail_timeout=10s max_fails=10; - } - server { - listen 127.0.0.1:4002; - access_log /dev/null; - location / { - proxy_pass http://electrs-testnet; - } - } - - upstream electrs-signet { - server [2401:b140:1::92:201]:3003 backup; - server [2401:b140:1::92:202]:3003 backup; - server [2401:b140:1::92:203]:3003 weight=1 fail_timeout=10s max_fails=10; - server [2401:b140:1::92:204]:3003 weight=1 fail_timeout=10s max_fails=10; - server [2401:b140:1::92:205]:3003 weight=1 fail_timeout=10s max_fails=10; - server [2401:b140:1::92:206]:3003 weight=9999 fail_timeout=10s max_fails=10; - } - server { - listen 127.0.0.1:4003; - access_log /dev/null; - location / { - proxy_pass http://electrs-signet; - } - } - - upstream electrs-liquidtestnet { - server [2401:b140:1::92:201]:3004 backup; - server [2401:b140:1::92:202]:3004 backup; - server [2401:b140:1::92:203]:3004 weight=1 fail_timeout=10s 
max_fails=10; - server [2401:b140:1::92:204]:3004 weight=1 fail_timeout=10s max_fails=10; - server [2401:b140:1::92:205]:3004 weight=1 fail_timeout=10s max_fails=10; - server [2401:b140:1::92:206]:3004 weight=9999 fail_timeout=10s max_fails=10; - } - server { - listen 127.0.0.1:4004; - access_log /dev/null; - location / { - proxy_pass http://electrs-liquidtestnet; - } - } - - server { - listen 127.0.0.1:80; - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name mempool.space node206.mempool.space; - - include /usr/local/etc/nginx/ssl/mempool.conf; - include /usr/local/etc/nginx/nginx-mempool.conf; - access_log /var/log/nginx/mempool-access.log; - error_log /var/log/nginx/mempool-error.log; - } - - server { - listen 127.0.0.1:80; - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name liquid.network; - include /usr/local/etc/nginx/ssl/mempool.conf; - include /usr/local/etc/nginx/nginx-liquid.conf; - access_log /var/log/nginx/liquid-access.log; - error_log /var/log/nginx/liquid-error.log; - } - - server { - listen 127.0.0.1:80; - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name bisq.markets; - include /usr/local/etc/nginx/ssl/mempool.conf; - include /usr/local/etc/nginx/nginx-bisq.conf; - access_log /var/log/nginx/bisq-access.log; - error_log /var/log/nginx/bisq-error.log; - - } - - server { - listen 127.0.0.1:80; - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name mempool.ninja; - ssl_certificate /usr/local/etc/letsencrypt/live/mempool.ninja/fullchain.pem; - ssl_certificate_key /usr/local/etc/letsencrypt/live/mempool.ninja/privkey.pem; - include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; - - include /usr/local/etc/nginx/nginx-mempool.conf; - } - - server { - listen 127.0.0.1:80; - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name liquid.place; - ssl_certificate /usr/local/etc/letsencrypt/live/liquid.place/fullchain.pem; - 
ssl_certificate_key /usr/local/etc/letsencrypt/live/liquid.place/privkey.pem; - include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; - - include /usr/local/etc/nginx/nginx-liquid.conf; - } - - server { - listen 127.0.0.1:80; - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name bisq.ninja; - ssl_certificate /usr/local/etc/letsencrypt/live/bisq.ninja/fullchain.pem; - ssl_certificate_key /usr/local/etc/letsencrypt/live/bisq.ninja/privkey.pem; - include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; - - include /usr/local/etc/nginx/nginx-bisq.conf; - } -} diff --git a/production/nginx/http-basic.conf b/production/nginx/http-basic.conf new file mode 100644 index 000000000..ce257591a --- /dev/null +++ b/production/nginx/http-basic.conf 
@@ -0,0 +1,39 @@
+# basics
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+server_tokens off;
+server_name_in_redirect off;
+include /usr/local/etc/nginx/mime.types;
+default_type application/octet-stream;
+
+# default logs
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log;
+
+# reset timed out connections freeing ram
+reset_timedout_connection on;
+# maximum time between packets the client can pause when sending nginx any data
+client_body_timeout 10s;
+# maximum time the client has to send the entire header to nginx
+client_header_timeout 10s;
+# timeout which a single keep-alive client connection will stay open
+keepalive_timeout 69s;
+# maximum time between packets nginx is allowed to pause when sending the client data
+send_timeout 10s;
+
+# number of requests per connection, does not affect SPDY
+keepalive_requests 100;
+
+# enable gzip compression
+gzip on;
+gzip_vary on;
+gzip_comp_level 6;
+gzip_min_length 1000;
+gzip_proxied expired no-cache no-store private auth;
+# text/html is always compressed by gzip module
+gzip_types application/javascript application/json application/ld+json application/manifest+json application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard;
+
+# limit request body size
+client_max_body_size 10m;
+
diff --git a/production/nginx/http-language.conf b/production/nginx/http-language.conf
new file mode 100644
index 000000000..aacb030c4
--- /dev/null
+++ b/production/nginx/http-language.conf
@@ -0,0 +1,57 @@
+map $http_accept_language $header_lang {
+ default en-US;
+ ~*^en-US en-US;
+ ~*^en en-US;
+ ~*^ar ar;
+ ~*^cs cs;
+ ~*^de de;
+ ~*^es es;
+ ~*^fa fa;
+ ~*^fr fr;
+ ~*^ko ko;
+ ~*^hi hi;
+ ~*^it it;
+ ~*^ka ka;
+ ~*^hu hu;
+ ~*^nl nl;
+ ~*^ja ja;
+ ~*^nb nb;
+ ~*^pl pl;
+ ~*^pt pt;
+ ~*^sl sl;
+ ~*^fi fi;
+ ~*^sv sv;
+ ~*^tr tr;
+ ~*^uk uk;
+ ~*^vi vi;
+ ~*^zh zh;
+}
+map $cookie_lang $lang {
+ default $header_lang;
+ ~*^en-US en-US;
+ ~*^en en-US;
+ ~*^ar ar;
+ ~*^cs cs;
+ ~*^de de;
+ ~*^es es;
+ ~*^fa fa;
+ ~*^fr fr;
+ ~*^hi hi;
+ ~*^it it;
+ ~*^ka ka;
+ ~*^hu hu;
+ ~*^ja ja;
+ ~*^ko ko;
+ ~*^nb nb;
+ ~*^nl nl;
+ ~*^pl pl;
+ ~*^pt pt;
+ ~*^sl sl;
+ ~*^fi fi;
+ ~*^sv sv;
+ ~*^tr tr;
+ ~*^uk uk;
+ ~*^vi vi;
+ ~*^zh zh;
+}
+
diff --git a/production/nginx/http-proxy-cache.conf b/production/nginx/http-proxy-cache.conf
new file mode 100644
index 000000000..84efabffc
--- /dev/null
+++ b/production/nginx/http-proxy-cache.conf
@@ -0,0 +1,4 @@
+# proxy cache
+proxy_cache_path /var/cache/nginx/services keys_zone=services:20m levels=1:2 inactive=600s max_size=100m;
+proxy_cache_path /var/cache/nginx/markets keys_zone=markets:20m levels=1:2 inactive=600s max_size=100m;
+types_hash_max_size 2048;
diff --git a/production/nginx/location-api-v1-contributors.conf b/production/nginx/location-api-v1-contributors.conf
new file mode 100644
index 000000000..34fb5d06c
--- /dev/null
+++ b/production/nginx/location-api-v1-contributors.conf
@@ -0,0 +1,8 @@
+location /api/v1/contributors {
+ proxy_pass https://mempool.space;
+ proxy_hide_header onion-location;
+ proxy_hide_header strict-transport-security;
+ proxy_hide_header content-security-policy;
+ proxy_hide_header x-frame-options;
+ # don't rate limit this API prefix
+}
diff --git a/production/nginx/location-api-v1-donations-images.conf b/production/nginx/location-api-v1-donations-images.conf
new file mode 100644
index 000000000..bbd83738a
--- /dev/null
+++ b/production/nginx/location-api-v1-donations-images.conf
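Review bot: `proxy_pass https://mempool.space;` in the contributors block talks to a remote TLS upstream without `proxy_ssl_verify`, which nginx defaults to off, so this host accepts any certificate from whatever answers for mempool.space and relays the reply to its own visitors under its own origin; `proxy_ssl_server_name` is also off by default, so no SNI is sent. Add `proxy_ssl_server_name on;`, `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <CA bundle>;` to the block, with the bundle path chosen for the FreeBSD host this config targets. The two donations locations added in the same commit proxy to the same https upstream and need the same three lines. Minor: the `# don't rate limit this API prefix` comment sits after the directives it describes; at the top of the block it reads as the intent rather than an afterthought.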
@@ -0,0 +1,11 @@
+location /api/v1/donations/images {
+ proxy_pass https://mempool.space;
+ proxy_cache services;
+ proxy_cache_valid 200 1d;
+ expires 7d;
+ add_header Cache-Control "public, no-transform";
+ proxy_hide_header onion-location;
+ proxy_hide_header strict-transport-security;
+ proxy_hide_header content-security-policy;
+ proxy_hide_header x-frame-options;
+}
diff --git a/production/nginx/location-api-v1-donations.conf b/production/nginx/location-api-v1-donations.conf
new file mode 100644
index 000000000..8c748beea
--- /dev/null
+++ b/production/nginx/location-api-v1-donations.conf
@@ -0,0 +1,8 @@
+location /api/v1/donations {
+ proxy_pass https://mempool.space;
+ proxy_hide_header onion-location;
+ proxy_hide_header strict-transport-security;
+ proxy_hide_header content-security-policy;
+ proxy_hide_header x-frame-options;
+ # don't rate limit this API prefix
+}
diff --git a/production/nginx/location-api.conf b/production/nginx/location-api.conf
new file mode 100644
index 000000000..75cc1f5a2
--- /dev/null
+++ b/production/nginx/location-api.conf
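Review bot: `add_header Cache-Control "public, no-transform";` inside /api/v1/donations/images disables inheritance of every `add_header` from the enclosing server and http levels (nginx inherits add_header only when the current level declares none), and the four `proxy_hide_header` lines additionally strip the upstream's HSTS, CSP and X-Frame-Options, so responses on this path end up with none of those headers even if server-common.conf sets them at server level the way the deleted nginx-mempool.conf did. Either re-declare the security headers next to Cache-Control in this block, e.g. `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";`, or stop hiding `strict-transport-security` from the upstream since its value is presumably the one the site wants. Also worth a comment: `expires 7d` lets browsers keep an image a week while the nginx cache refreshes after `proxy_cache_valid 200 1d`, so a changed image can stay stale client-side far longer than server-side.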
@@ -0,0 +1,43 @@
+location /api/v1/ws {
+ proxy_pass $mempoolBackend;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+}
+location /api/v1 {
+ try_files /dev/null @mempool-api-v1;
+}
+location /api/ {
+ rewrite ^/api/(.*) /$1 break;
+ try_files /dev/null @electrs-api;
+}
+
+location @mempool-api-v1 {
+ proxy_pass $mempoolBackend;
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_cache_bypass $http_upgrade;
+ proxy_redirect off;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location @electrs-api {
+ proxy_pass $electrsBackend;
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_cache_bypass $http_upgrade;
+ proxy_redirect off;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
diff --git a/production/nginx/location-liquid-api.conf b/production/nginx/location-liquid-api.conf
new file mode 100644
index 000000000..be87f060e
--- /dev/null
+++ b/production/nginx/location-liquid-api.conf
@@ -0,0 +1,12 @@
+location /liquid/api/v1/ws {
+ proxy_pass http://127.0.0.1:8998/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+}
+location /liquid/api/v1 {
+ proxy_pass http://127.0.0.1:8998/api/v1;
+}
+location /liquid/api/ {
+ proxy_pass http://electrs-liquid-mainnet/;
+}
diff --git a/production/nginx/location-liquidtestnet-api.conf b/production/nginx/location-liquidtestnet-api.conf
new file mode 100644
index 000000000..1ef22c95b
--- /dev/null
+++ b/production/nginx/location-liquidtestnet-api.conf
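Review bot: None of the proxying locations in location-api.conf carries a `limit_req`, whereas the deleted nginx-mempool.conf throttled the same `/api/v1` and `/api/` paths with `limit_req burst=50 nodelay zone=api;` and the `electrs*` zones, and no `limit_req_zone` appears in any of the new http-*.conf files in this commit. Unless a limit is applied at server level in a file outside this chunk (server-common.conf is not visible here), the public electrs and mempool REST APIs now go out unthrottled. Restoring `limit_req burst=50 nodelay zone=api;` in `@mempool-api-v1` and `limit_req burst=50 nodelay zone=electrs;` in `@electrs-api`, with the matching `limit_req_zone` definitions in http-basic.conf, keeps the previous protection. Separately, both named locations send `Connection "upgrade"` unconditionally, also for ordinary requests with no Upgrade header; the usual form is a `map $http_upgrade $connection_upgrade` so plain requests do not advertise an upgrade.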
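Review bot: The `/liquid/api/v1/ws` and `/liquid/api/v1` blocks proxy to a literal `http://127.0.0.1:8998`, while the signet and testnet files added in this same commit go through named upstreams (`mempool-bitcoin-signet`, `mempool-bitcoin-testnet`), and nginx.conf sets `$mempoolBackend` to `http://mempool-liquid-mainnet` for liquid.place, so an upstream of that name presumably exists in upstream-mempool.conf. Using `proxy_pass http://mempool-liquid-mainnet/;` and `proxy_pass http://mempool-liquid-mainnet/api/v1;` here would match the other network files and keep backend addressing in upstream-mempool.conf only. The same applies to the 8994 literal in location-liquidtestnet-api.conf if a corresponding upstream is defined there.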
@@ -0,0 +1,12 @@
+location /liquidtestnet/api/v1/ws {
+ proxy_pass http://127.0.0.1:8994/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+}
+location /liquidtestnet/api/v1 {
+ proxy_pass http://127.0.0.1:8994/api/v1;
+}
+location /liquidtestnet/api/ {
+ proxy_pass http://electrs-liquid-testnet/;
+}
diff --git a/production/nginx/location-redirects.conf b/production/nginx/location-redirects.conf
new file mode 100644
index 000000000..c6f20e7ad
--- /dev/null
+++ b/production/nginx/location-redirects.conf
@@ -0,0 +1,46 @@
+# redirect mempool.space/liquid to liquid.network
+location /liquid {
+ rewrite /liquid/(.*) https://liquid.network/$1;
+ rewrite /liquid https://liquid.network/;
+ return 308;
+}
+
+# redirect mempool.space/liquidtestnet to liquid.network/testnet
+location /liquidtestnet {
+ rewrite /liquidtestnet/(.*) https://liquid.network/testnet/$1;
+ rewrite /liquidtestnet/ https://liquid.network/testnet/;
+ rewrite /liquidtestnet https://liquid.network/testnet;
+ return 308;
+}
+
+# redirect mempool.space/bisq to bisq.markets
+location /bisq {
+ rewrite /bisq/(.*) https://bisq.markets/$1;
+ rewrite /bisq https://bisq.markets/;
+ return 308;
+}
+
+# redirect /api to /docs/api
+location = /api {
+ return 308 https://$host/docs/api;
+}
+location = /api/ {
+ return 308 https://$host/docs/api;
+}
+
+# redirect /testnet/api to /testnet/docs/api
+location = /testnet/api {
+ return 308 https://$host/testnet/docs/api;
+}
+location = /testnet/api/ {
+ return 308 https://$host/testnet/docs/api;
+}
+
+# redirect /signet/api to /signet/docs/api
+location = /signet/api {
+ return 308 https://$host/signet/docs/api;
+}
+location = /signet/api/ {
+ return 308 https://$host/signet/docs/api;
+}
+
diff --git a/production/nginx/location-signet-api.conf b/production/nginx/location-signet-api.conf
new file mode 100644
index 000000000..245979229
--- /dev/null
+++ b/production/nginx/location-signet-api.conf
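Review bot: `return 308;` in the /liquid, /liquidtestnet and /bisq blocks is unreachable: a `rewrite` whose replacement starts with `https://` stops processing and immediately answers the client, and without a flag that answer is a temporary 302, so these redirects go out as 302 rather than the 308 the directive implies. If a permanent redirect is intended, the flag on the rewrite is what sets the code, e.g. `rewrite /liquid/(.*) https://liquid.network/$1 permanent;` (301), and the dangling `return 308;` lines should be dropped; a true 308 needs a `return 308 https://…` inside a regex location instead. The rewrite patterns are also unanchored (`/liquid/(.*)`), which only works because the prefix location guarantees the URI begins with /liquid — anchoring them with `^` makes that explicit.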
@@ -0,0 +1,12 @@
+location /signet/api/v1/ws {
+ proxy_pass http://mempool-bitcoin-signet/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+}
+location /signet/api/v1 {
+ proxy_pass http://mempool-bitcoin-signet/api/v1;
+}
+location /signet/api/ {
+ proxy_pass http://electrs-bitcoin-signet/;
+}
diff --git a/production/nginx/location-testnet-api.conf b/production/nginx/location-testnet-api.conf
new file mode 100644
index 000000000..857b1b957
--- /dev/null
+++ b/production/nginx/location-testnet-api.conf
@@ -0,0 +1,12 @@
+location /testnet/api/v1/ws {
+ proxy_pass http://mempool-bitcoin-testnet/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+}
+location /testnet/api/v1 {
+ proxy_pass http://mempool-bitcoin-testnet/api/v1;
+}
+location /testnet/api/ {
+ proxy_pass http://electrs-bitcoin-testnet/;
+}
diff --git a/production/nginx/nginx.conf b/production/nginx/nginx.conf
new file mode 100644
index 000000000..01ed722c3
--- /dev/null
+++ b/production/nginx/nginx.conf
@@ -0,0 +1,124 @@
+# FreeBSD configuration
+user nobody;
+pid /var/run/nginx.pid;
+
+worker_processes auto;
+worker_rlimit_nofile 100000;
+
+events {
+ worker_connections 9000;
+ multi_accept on;
+}
+
+http {
+ # DNS servers for on-demand recursive resolver
+ resolver 8.8.8.8;
+
+ # HTTP basic configuration
+ include mempool/production/nginx/http-basic.conf;
+ include mempool/production/nginx/http-proxy-cache.conf;
+ include mempool/production/nginx/http-language.conf;
+
+ # mempool backend configuration
+ include mempool/production/nginx/upstream-mempool.conf;
+
+ # electrs backend configuration
+ include mempool/production/nginx/upstream-electrs.conf;
+ include mempool/production/nginx/server-electrs.conf;
+
+ # MEMPOOL.NINJA
+ server {
+ # clearnet v4/v6
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name mempool.ninja;
+ set $mempoolBackend "http://mempool-bitcoin-mainnet";
+ set $electrsBackend "http://electrs-bitcoin-mainnet";
+
+ # tor v3
+ listen 127.0.0.1:81;
+ set $onion "mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad";
+
+ # filesystem paths
+ root /mempool/public_html/mainnet/;
+ access_log /var/log/nginx/mempool-access.log;
+ error_log /var/log/nginx/mempool-error.log;
+
+ # ssl configuration
+ ssl_certificate /usr/local/etc/letsencrypt/live/mempool.ninja/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/mempool.ninja/privkey.pem;
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;
+
+ # site configuration
+ include mempool/production/nginx/server-mempool.conf;
+ }
+ # BISQ.NINJA
+ server {
+ # clearnet v4/v6
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name bisq.ninja;
+ set $mempoolBackend "http://mempool-bisq-mainnet";
+ set $electrsBackend "http://electrs-bitcoin-mainnet";
+
+ # tor v3
+ listen 127.0.0.1:82;
+ set $onion "mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad";
+
+ # filesystem paths
+ root 
/mempool/public_html/bisq/;
+ access_log /var/log/nginx/bisq-access.log;
+ error_log /var/log/nginx/bisq-error.log;
+
+ # ssl configuration
+ ssl_certificate /usr/local/etc/letsencrypt/live/bisq.ninja/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/bisq.ninja/privkey.pem;
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;
+
+ # site configuration
+ include mempool/production/nginx/server-bisq.conf;
+ }
+ # LIQUID.PLACE
+ server {
+ # clearnet v4/v6
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name liquid.place;
+ set $mempoolBackend "http://mempool-liquid-mainnet";
+ set $electrsBackend "http://electrs-liquid-mainnet";
+
+ # tor v3
+ listen 127.0.0.1:83;
+ set $onion "mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad";
+
+ # filesystem paths
+ root /mempool/public_html/liquid/;
+ access_log /var/log/nginx/liquid-access.log;
+ error_log /var/log/nginx/liquid-error.log;
+
+ # ssl configuration
+ ssl_certificate /usr/local/etc/letsencrypt/live/liquid.place/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/liquid.place/privkey.pem;
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;
+
+ # site configuration
+ include mempool/production/nginx/server-liquid.conf;
+ }
+ # HTTP to HTTPS redirect
+ server {
+ # clearnet v4/v6
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ # only redirect for our hosted domains
+ if ($host ~ "^(mempool.ninja|bisq.ninja|liquid.place)$")
+ {
+ return 301 https://$host$request_uri;
+ }
+ return 503;
+ }
+}
diff --git a/production/nginx/server-bisq.conf b/production/nginx/server-bisq.conf
new file mode 100644
index 000000000..dc65b3600
--- /dev/null
+++ b/production/nginx/server-bisq.conf
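Review bot: None of the three `listen 443 ssl http2` servers is marked `default_server`, so nginx hands any TLS connection whose SNI/Host matches no `server_name` to the first block in the file, mempool.ninja; that block then serves its content under an arbitrary Host, and the `return 308 https://$host/...` redirects in location-redirects.conf echo that Host back to the client. The plain-HTTP server at the bottom already handles this correctly (`server_name _;` and `return 503` for anything not in the host list); the 443 side needs an equivalent catch-all that refuses the handshake or drops the connection instead of falling through to a real site. On nginx 1.19.4 or newer `ssl_reject_handshake on` does this without presenting a certificate; on older versions the block needs a certificate pair and `return 444;`. All three $onion values are the same address even though each site listens on a different Tor-side port (81/82/83) — if $onion feeds an Onion-Location header as the deleted config did, bisq.ninja and liquid.place would be advertising mempool's onion; worth confirming against server-common.conf.

```nginx
    # catch-all for 443: unknown SNI/Host must not fall through to mempool.ninja
    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name _;
        ssl_reject_handshake on;   # nginx >= 1.19.4; older: add a cert and `return 444;`
    }
    # … unchanged: HTTP to HTTPS redirect server …
```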
@@ -0,0 +1,85 @@
+include mempool/production/nginx/server-common.conf;
+include mempool/production/nginx/location-api-v1-contributors.conf;
+include mempool/production/nginx/location-api-v1-donations.conf;
+include mempool/production/nginx/location-api-v1-donations-images.conf;
+
+proxy_cache markets;
+proxy_cache_valid 200 30s;
+
+# route electrs APIs to electrs
+location /api/tx/ {
+ proxy_pass http://electrs-bitcoin-mainnet/tx/;
+}
+
+# rewrite APIs to match what backend expects
+location /api/currencies {
+ rewrite ^/api/(.*) /api/v1/bisq/markets/$1 break;
+ try_files $uri $uri/ @mempool-bisq;
+}
+location /api/depth {
+ rewrite ^/api/(.*) /api/v1/bisq/markets/$1 break;
+ try_files $uri $uri/ @mempool-bisq;
+}
+location /api/hloc {
+ rewrite ^/api/(.*) /api/v1/bisq/markets/$1 break;
+ try_files $uri $uri/ @mempool-bisq;
+}
+location /api/offers {
+ rewrite ^/api/(.*) /api/v1/bisq/markets/$1 break;
+ try_files $uri $uri/ @mempool-bisq;
+}
+location /api/ticker {
+ rewrite ^/api/(.*) /api/v1/bisq/markets/$1 break;
+ try_files $uri $uri/ @mempool-bisq;
+}
+location /api/trades {
+ rewrite ^/api/(.*) /api/v1/bisq/markets/$1 break;
+ try_files $uri $uri/ @mempool-bisq;
+}
+location /api/volumes {
+ rewrite ^/api/(.*) /api/v1/bisq/markets/$1 break;
+ try_files $uri $uri/ @mempool-bisq;
+}
+location /api/markets {
+ rewrite ^/api/(.*) /api/v1/bisq/markets/$1 break;
+ try_files $uri $uri/ @mempool-bisq;
+}
+location /api/v1 {
+ rewrite ^/api/v1/(.*) /api/v1/bisq/$1 break;
+ try_files $uri $uri/ @mempool-bisq;
+}
+location /api {
+ rewrite ^/api/(.*) /api/v1/bisq/$1 break;
+ try_files $uri $uri/ @mempool-bisq;
+}
+location /bisq/api/v1 {
+ rewrite ^/bisq/api/v1/(.*) /api/v1/bisq/$1 break;
+ try_files $uri $uri/ @mempool-bisq;
+}
+location /bisq/api {
+ rewrite ^/bisq/api/(.*) /api/v1/bisq/$1 break;
+ try_files $uri $uri/ @mempool-bisq;
+}
+
+# special handling for websocket
+location /api/v1/ws {
+ proxy_pass http://127.0.0.1:8996/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+}
+
+location @mempool-bisq {
+ proxy_pass http://127.0.0.1:8996;
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_cache_bypass $http_upgrade;
+ proxy_redirect off;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
diff --git a/production/nginx/server-common.conf b/production/nginx/server-common.conf
new file mode 100644
index 000000000..ba53ba543
--- /dev/null
+++ b/production/nginx/server-common.conf
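Review bot: The eight `location /api/<name>` blocks from `/api/currencies` to `/api/markets` carry the same two-line body; a single `location ~ ^/api/(currencies|depth|hloc|offers|ticker|trades|volumes|markets)` with that body would be easier to keep in sync, though regex locations are matched after prefix ones, so the interaction with `location /api` and `location /api/v1` should be checked before changing it. In `@mempool-bisq`, `$proxy_add_x_forwarded_for` appends to whatever X-Forwarded-For the client already sent, so the backend must only trust the right-most entry for logging or rate limiting; a comment stating that assumption next to the header would help the next reader. The two websocket-capable blocks also spell the Connection value differently (`"Upgrade"` in `/api/v1/ws`, `"upgrade"` in `@mempool-bisq`), which is harmless but worth normalising.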
@@ -0,0 +1,65 @@
+# angular builds to index.html
+index index.html;
+
+# tor onion redirect
+add_header Onion-Location http://$onion.onion$request_uri;
+
+# HSTS preload enable
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+# generate frame configuration from origin header
+set $frameOptions "DENY";
+set $contentSecurityPolicy "frame-ancestors 'none'";
+
+# used for iframes on https://mempool.space/network
+if ($http_referer ~ ^https://mempool.space/)
+{
+ set $frameOptions "ALLOW-FROM https://mempool.space";
+ set $contentSecurityPolicy "frame-ancestors https://mempool.space";
+}
+# used for iframes on https://mempool.ninja/network
+if ($http_referer ~ ^https://mempool.ninja/)
+{
+ set $frameOptions "ALLOW-FROM https://mempool.ninja";
+ set $contentSecurityPolicy "frame-ancestors https://mempool.ninja";
+}
+# used for iframes on https://wiz.biz/bitcoin/nodes
+if ($http_referer ~ ^https://wiz.biz/)
+{
+ set $frameOptions "ALLOW-FROM https://wiz.biz";
+ set $contentSecurityPolicy "frame-ancestors https://wiz.biz";
+}
+
+# restrict usage of frames
+add_header X-Frame-Options $frameOptions;
+add_header Content-Security-Policy $contentSecurityPolicy;
+
+# enable browser and proxy caching
+add_header Cache-Control "public, no-transform";
+
+# vary cache if user changes language preference
+add_header Vary Accept-Language;
+add_header Vary Cookie;
+
+# fallback for all URLs i.e. /address/foo /tx/foo /block/000
+location / {
+ try_files /$lang/$uri /$lang/$uri/ $uri $uri/ /en-US/$uri @index-redirect;
+ expires 10m;
+}
+location /resources {
+ try_files /$lang/$uri /$lang/$uri/ $uri $uri/ /en-US/$uri @index-redirect;
+ expires 1h;
+}
+location @index-redirect {
+ rewrite (.*) /$lang/index.html;
+}
+
+# location block using regex are matched in order
+
+# used to rewrite resources from // to /en-US/
+ location ~ ^/(ar|bg|bs|ca|cs|da|de|et|el|es|eo|eu|fa|fr|gl|ko|hr|id|it|he|ka|lv|lt|hu|mk|ms|nl|ja|ka|no|nb|nn|pl|pt|pt-BR|ro|ru|sk|sl|sr|sh|fi|sv|th|tr|uk|vi|zh)/resources/ {
+ rewrite ^/[a-zA-Z-]*/resources/(.*) /en-US/resources/$1;
+}
+# used for cookie override
+ location ~ ^/(ar|bg|bs|ca|cs|da|de|et|el|es|eo|eu|fa|fr|gl|ko|hr|id|it|he|ka|lv|lt|hu|mk|ms|nl|ja|ka|no|nb|nn|pl|pt|pt-BR|ro|ru|sk|sl|sr|sh|fi|sv|th|tr|uk|vi|zh)/ {
+ try_files $uri $uri/ /$1/index.html =404;
diff --git a/production/nginx/server-electrs.conf b/production/nginx/server-electrs.conf
new file mode 100644
index 000000000..b817b8163
--- /dev/null
+++ b/production/nginx/server-electrs.conf
@@ -0,0 +1,35 @@
+server {
+ listen 127.0.0.1:4000;
+ access_log /dev/null;
+ location / {
+ proxy_pass http://electrs-bitcoin-mainnet;
+ }
+}
+server {
+ listen 127.0.0.1:4001;
+ access_log /dev/null;
+ location / {
+ proxy_pass http://electrs-liquid-mainnet;
+ }
+}
+server {
+ listen 127.0.0.1:4002;
+ access_log /dev/null;
+ location / {
+ proxy_pass http://electrs-bitcoin-testnet;
+ }
+}
+server {
+ listen 127.0.0.1:4003;
+ access_log /dev/null;
+ location / {
+ proxy_pass http://electrs-bitcoin-signet;
+ }
+}
+server {
+ listen 127.0.0.1:4004;
+ access_log /dev/null;
+ location / {
+ proxy_pass http://electrs-liquid-testnet;
+ }
+}
diff --git a/production/nginx/server-liquid.conf b/production/nginx/server-liquid.conf
new file mode 100644
index 000000000..a7161af29
--- /dev/null
+++ b/production/nginx/server-liquid.conf
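Review bot: The security headers (`Strict-Transport-Security`, `X-Frame-Options`, `Content-Security-Policy`) are added without the `always` parameter, so nginx only attaches them to 2xx/3xx responses and omits them on the 404 produced by `=404` and on any 5xx returned by an upstream; e.g. `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;`. Also note that `add_header` directives are not inherited into a location that declares its own `add_header`, so any included location-*.conf that adds a header silently drops all of these for that path — a comment at the top of this file stating that constraint would save a later regression. `X-Frame-Options: ALLOW-FROM` is not honoured by current browsers, so `frame-ancestors` is what actually enforces the referer allowlist; those referer regexes should escape their dots (`^https://mempool\.space/`). The language alternation lists `ka` twice.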
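Review bot: Each of the five loopback-only servers silences its access log with `access_log /dev/null;`; `access_log off;` is the idiomatic form and avoids keeping a file handle open per worker. Dropping the access log also removes the request trail for the electrs hops on ports 4000–4004, so a one-line comment stating where these requests are logged instead (the public vhost in front, or electrs itself) would help whoever later has to reconstruct an incident. The five blocks differ only in port and upstream; a comment mapping port to network at the top of the file would make it self-describing.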
@@ -0,0 +1,7 @@
+include mempool/production/nginx/server-common.conf;
+include mempool/production/nginx/location-api-v1-contributors.conf;
+include mempool/production/nginx/location-api-v1-donations-images.conf;
+include mempool/production/nginx/location-api-v1-donations.conf;
+include mempool/production/nginx/location-api.conf;
+include mempool/production/nginx/location-liquid-api.conf;
+include mempool/production/nginx/location-liquidtestnet-api.conf;
diff --git a/production/nginx/server-mempool.conf b/production/nginx/server-mempool.conf
new file mode 100644
index 000000000..9bbbb1b8c
--- /dev/null
+++ b/production/nginx/server-mempool.conf
@@ -0,0 +1,8 @@
+include mempool/production/nginx/server-common.conf;
+include mempool/production/nginx/location-redirects.conf;
+include mempool/production/nginx/location-api-v1-contributors.conf;
+include mempool/production/nginx/location-api-v1-donations.conf;
+include mempool/production/nginx/location-api-v1-donations-images.conf;
+include mempool/production/nginx/location-api.conf;
+include mempool/production/nginx/location-testnet-api.conf;
+include mempool/production/nginx/location-signet-api.conf;
diff --git a/production/nginx/upstream-electrs.conf b/production/nginx/upstream-electrs.conf
new file mode 100644
index 000000000..476b73054
--- /dev/null
+++ b/production/nginx/upstream-electrs.conf
@@ -0,0 +1,15 @@
+upstream electrs-bitcoin-mainnet {
+ server [::1]:3000 fail_timeout=10s max_fails=10 weight=99999;
+}
+upstream electrs-liquid-mainnet {
+ server [::1]:3001 fail_timeout=10s max_fails=10 weight=99999;
+}
+upstream electrs-bitcoin-testnet {
+ server [::1]:3002 fail_timeout=10s max_fails=10 weight=99999;
+}
+upstream electrs-bitcoin-signet {
+ server [::1]:3003 fail_timeout=10s max_fails=10 weight=99999;
+}
+upstream electrs-liquid-testnet {
+ server [::1]:3004 fail_timeout=10s max_fails=10 weight=99999;
+}
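Review bot: With a single `server` in each `upstream` block, nginx ignores `max_fails` and `fail_timeout` (a lone member is never marked unavailable) and `weight` has nothing to balance against, so `fail_timeout=10s max_fails=10 weight=99999` does nothing today; either drop the parameters or add a comment saying they are pre-provisioned for a second server, so a reader does not go looking for one. The same applies to every block in upstream-mempool.conf. The electrs upstreams point at `[::1]` while the mempool ones point at `127.0.0.1`; if electrs really only listens on IPv6 loopback, a comment here would save the next person from checking both.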
diff --git a/production/nginx/upstream-mempool.conf b/production/nginx/upstream-mempool.conf
new file mode 100644
index 000000000..8e0f12ab6
--- /dev/null
+++ b/production/nginx/upstream-mempool.conf
@@ -0,0 +1,18 @@
+upstream mempool-bitcoin-mainnet {
+ server 127.0.0.1:8999 fail_timeout=10s max_fails=10 weight=99999;
+}
+upstream mempool-liquid-mainnet {
+ server 127.0.0.1:8998 fail_timeout=10s max_fails=10 weight=99999;
+}
+upstream mempool-bitcoin-testnet {
+ server 127.0.0.1:8997 fail_timeout=10s max_fails=10 weight=99999;
+}
+upstream mempool-bitcoin-bisq {
+ server 127.0.0.1:8996 fail_timeout=10s max_fails=10 weight=99999;
+}
+upstream mempool-bitcoin-signet {
+ server 127.0.0.1:8995 fail_timeout=10s max_fails=10 weight=99999;
+}
+upstream mempool-liquid-testnet {
+ server 127.0.0.1:8994 fail_timeout=10s max_fails=10 weight=99999;
+}
From c778e8424704af0dd1225ad913d3ac8380126ce7 Mon Sep 17 00:00:00 2001
From: wiz
Date: Tue, 4 Jan 2022 17:27:37 +0900
Subject: [PATCH 2/3] Add missing } at end of nginx/server-common.conf
---
production/nginx/server-common.conf | 1 +
1 file changed, 1 insertion(+)
diff --git a/production/nginx/server-common.conf b/production/nginx/server-common.conf
index ba53ba543..c380831cc 100644
--- a/production/nginx/server-common.conf
+++ b/production/nginx/server-common.conf
@@ -63,3 +63,4 @@ location @index-redirect {
 # used for cookie override
 location ~ ^/(ar|bg|bs|ca|cs|da|de|et|el|es|eo|eu|fa|fr|gl|ko|hr|id|it|he|ka|lv|lt|hu|mk|ms|nl|ja|ka|no|nb|nn|pl|pt|pt-BR|ro|ru|sk|sl|sr|sh|fi|sv|th|tr|uk|vi|zh)/ {
 try_files $uri $uri/ /$1/index.html =404;
+}
From 81bb31090efd8eb8465c315369d8befe2e341337 Mon Sep 17 00:00:00 2001
From: wiz
Date: Wed, 5 Jan 2022 18:12:05 +0900
Subject: [PATCH 3/3] Use upstream hostnames in production nginx configuration
---
production/nginx/location-liquid-api.conf | 4 ++--
production/nginx/location-liquidtestnet-api.conf | 4 ++--
production/nginx/server-bisq.conf | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/production/nginx/location-liquid-api.conf b/production/nginx/location-liquid-api.conf
index be87f060e..7c2f927a6 100644
--- a/production/nginx/location-liquid-api.conf
+++ b/production/nginx/location-liquid-api.conf
@@ -1,11 +1,11 @@
 location /liquid/api/v1/ws {
- proxy_pass http://127.0.0.1:8998/;
+ proxy_pass http://mempool-liquid-mainnet/;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "Upgrade";
 }
 location /liquid/api/v1 {
- proxy_pass http://127.0.0.1:8998/api/v1;
+ proxy_pass http://mempool-liquid-mainnet/api/v1;
 }
 location /liquid/api/ {
 proxy_pass http://electrs-liquid-mainnet/;
diff --git a/production/nginx/location-liquidtestnet-api.conf b/production/nginx/location-liquidtestnet-api.conf
index 1ef22c95b..8b03c6fc4 100644
--- a/production/nginx/location-liquidtestnet-api.conf
+++ b/production/nginx/location-liquidtestnet-api.conf
@@ -1,11 +1,11 @@
 location /liquidtestnet/api/v1/ws {
- proxy_pass http://127.0.0.1:8994/;
+ proxy_pass http://mempool-liquid-testnet/;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "Upgrade";
 }
 location /liquidtestnet/api/v1 {
- proxy_pass http://127.0.0.1:8994/api/v1;
+ proxy_pass http://mempool-liquid-testnet/api/v1;
 }
 location /liquidtestnet/api/ {
 proxy_pass http://electrs-liquid-testnet/;
diff --git a/production/nginx/server-bisq.conf b/production/nginx/server-bisq.conf
index dc65b3600..2a6886f4b 100644
--- a/production/nginx/server-bisq.conf
+++ b/production/nginx/server-bisq.conf
@@ -63,14 +63,14 @@ location /bisq/api { # special handling for websocket location /api/v1/ws { - proxy_pass http://127.0.0.1:8996/; + proxy_pass http://mempool-bitcoin-bisq/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } location @mempool-bisq { - proxy_pass http://127.0.0.1:8996; + proxy_pass http://mempool-bitcoin-bisq; proxy_http_version 1.1; proxy_set_header Host $http_host;