mirror of
https://gitlab.com/keys.openpgp.org/hagrid.git
synced 2025-10-06 00:23:08 +02:00
nginx: add some rate limiting and improve error handling
This commit is contained in:
Vincent Breitmoser
@@ -28,19 +28,11 @@ location /vks/v1/request-verify {
|
||||
}
|
||||
|
||||
location /vks/v1/ {
|
||||
location ~ ^/vks/v1/by-email/([^/][^/])([^/][^/])([^/]*)$ {
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
# we have some trouble with uri encoding here. just route through
|
||||
# hagrid, for now.
|
||||
proxy_pass http://127.0.0.1:8080;
|
||||
# error_page 404 /errors/404-by-email.htm;
|
||||
# default_type application/pgp-keys;
|
||||
# add_header Content-Disposition 'attachment; filename="$1$2$3.asc"';
|
||||
# try_files /keys/links/by-email/$1/$2/$3 =404;
|
||||
}
|
||||
|
||||
location ~ ^/vks/v1/by-fingerprint/(?:0x)?([^/][^/])([^/][^/])(..*)$ {
|
||||
error_page 404 /errors/404-by-fpr.htm;
|
||||
limit_req zone=search_fpr_keyid burst=30;
|
||||
error_page 503 /errors-static/503-rate-limit-vks-fpr.htm;
|
||||
|
||||
error_page 404 /errors-static/404-by-fpr.htm;
|
||||
default_type application/pgp-keys;
|
||||
add_header Content-Disposition 'attachment; filename="$1$2$3.asc"';
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
@@ -48,42 +40,37 @@ location /vks/v1/ {
|
||||
}
|
||||
|
||||
location ~ ^/vks/v1/by-keyid/(?:0x)?([^/][^/])([^/][^/])(.*)$ {
|
||||
error_page 404 /errors/404-by-keyid.htm;
|
||||
limit_req zone=search_fpr_keyid burst=30;
|
||||
error_page 503 /errors-static/503-rate-limit-vks-fpr.htm;
|
||||
|
||||
error_page 404 /errors-static/404-by-keyid.htm;
|
||||
default_type application/pgp-keys;
|
||||
add_header Content-Disposition 'attachment; filename="$1$2$3.asc"';
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
try_files /keys/links/by-keyid/$1/$2/$3 =404;
|
||||
}
|
||||
|
||||
location /vks/v1/by-email/ {
|
||||
limit_req zone=search_email burst=50 nodelay;
|
||||
error_page 503 /errors-static/503-rate-limit-vks-email.htm;
|
||||
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
# we have some trouble with uri encoding here. just route through
|
||||
# hagrid, for now.
|
||||
proxy_pass http://127.0.0.1:8080;
|
||||
# error_page 404 /errors-static/404-by-email.htm;
|
||||
# default_type application/pgp-keys;
|
||||
# add_header Content-Disposition 'attachment; filename="$1$2$3.asc"';
|
||||
# try_files /keys/links/by-email/$1/$2/$3 =404;
|
||||
}
|
||||
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
error_page 400 /errors/400-vks-invalid.htm;
|
||||
error_page 400 /errors-static/400-vks-invalid.htm;
|
||||
return 400;
|
||||
}
|
||||
|
||||
# Common HKP requests.
|
||||
location /pks/lookup {
|
||||
# sq keyserver get <KEYID>, gpg --receive-keys <KEYID>
|
||||
if ($args ~ "^op=get&options=mr&search=(?:0x)?([a-fA-F0-9]{16})$") {
|
||||
set_by_lua $keyid "return ngx.arg[1]:upper()" $1;
|
||||
set $args "";
|
||||
rewrite . /vks/v1/by-keyid/$keyid last;
|
||||
}
|
||||
|
||||
# gpg --receive-keys <FINGERPRINT>
|
||||
if ($args ~ "^op=get&options=mr&search=(?:0x)?([a-fA-F0-9]{40})$") {
|
||||
set_by_lua $fingerprint "return ngx.arg[1]:upper()" $1;
|
||||
set $args "";
|
||||
rewrite . /vks/v1/by-fingerprint/$fingerprint last;
|
||||
}
|
||||
|
||||
# gpg --locate-key <EMAIL>
|
||||
if ($request_uri ~ "^/pks/lookup\?op=get&options=mr&search=([^&]{3,}%40[^&]+)") {
|
||||
set_by_lua $email "return ngx.arg[1]:lower()" $1;
|
||||
set $args "";
|
||||
rewrite . /vks/v1/by-email/$email last;
|
||||
}
|
||||
|
||||
# gpg --search '<address@example.org>'
|
||||
# strip angle brackets - we don't need them, but they cause issues
|
||||
# with the Rocket framework
|
||||
# see https://gitlab.com/sequoia-pgp/hagrid/issues/94
|
||||
@@ -95,17 +82,48 @@ location /pks/lookup {
|
||||
rewrite . /pks/lookup?$left$middle$right? break;
|
||||
}
|
||||
|
||||
# search by key id
|
||||
# sq keyserver get <KEYID>, gpg --receive-keys <KEYID>
|
||||
if ($args ~ "^op=get&options=mr&search=(?:0x)?([a-fA-F0-9]{16})$") {
|
||||
set_by_lua $keyid "return ngx.arg[1]:upper()" $1;
|
||||
set $args "";
|
||||
rewrite . /vks/v1/by-keyid/$keyid last;
|
||||
}
|
||||
|
||||
# search by fpr
|
||||
# gpg --receive-keys <FINGERPRINT>
|
||||
if ($args ~ "^op=get&options=mr&search=(?:0x)?([a-fA-F0-9]{40})$") {
|
||||
set_by_lua $fingerprint "return ngx.arg[1]:upper()" $1;
|
||||
set $args "";
|
||||
rewrite . /vks/v1/by-fingerprint/$fingerprint last;
|
||||
}
|
||||
|
||||
# search by email
|
||||
# gpg --locate-key <EMAIL>
|
||||
if ($request_uri ~ "^/pks/lookup\?op=get&options=mr&search=([^&]+(?:%40|@)[^&]+)") {
|
||||
set_by_lua $email "return ngx.arg[1]:lower()" $1;
|
||||
set $args "";
|
||||
rewrite . /vks/v1/by-email/$email last;
|
||||
}
|
||||
|
||||
# forward to backend, which will like serve via x-accel-redirect
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
proxy_pass http://127.0.0.1:8080;
|
||||
error_page 400 /errors-static/400-pks-invalid.htm;
|
||||
return 400;
|
||||
}
|
||||
|
||||
location /errors-static {
|
||||
internal;
|
||||
}
|
||||
|
||||
location /errors {
|
||||
internal;
|
||||
proxy_pass http://127.0.0.1:8080;
|
||||
proxy_cache static_cache;
|
||||
}
|
||||
|
||||
location /search {
|
||||
limit_req zone=search_email burst=50 nodelay;
|
||||
error_page 503 /errors/503/rate-limit-web;
|
||||
proxy_pass http://127.0.0.1:8080;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user