Public Reverse Proxy

.github/workflows/production-deploy.yml

@@ -2,7 +2,7 @@ name: production-deploy
 on:
   push:
     branches:
-      - main
+      - public-rev-proxy
 
 jobs:
   deploy:
@@ -16,13 +16,13 @@ jobs:
       - name: Run deploy on production
         uses: appleboy/[email protected]
         with:
-          host: ${{ secrets.SSH_HOST }}
-          username: ${{ secrets.SSH_USERNAME }}
-          key: ${{ secrets.SSH_KEY }}
-          port: ${{ secrets.SSH_PORT }}
+          host: ${{ secrets.NEW_SSH_HOST }}
+          username: ${{ secrets.NEW_SSH_USERNAME }}
+          key: ${{ secrets.NEW_SSH_KEY }}
+          port: ${{ secrets.NEW_SSH_PORT }}
           script_stop: true
           script: |
-            cd /home/akatsuki/nginx-conf
+            cd /home/programming/nginx-conf
             git fetch origin
             git checkout origin/${{ steps.extract_branch.outputs.branch }}
             git pull origin ${{ steps.extract_branch.outputs.branch }}

CODEOWNERS

@@ -0,0 +1,6 @@
+* @cmyui @infernalfire72
+
+# Infrastructure
+/.github/* @cmyui
+/tf/* @cmyui
+/chart/* @cmyui

nginx.conf

@@ -23,22 +23,33 @@ http {
         include /etc/nginx/mime.types;
         default_type application/octet-stream;
 
+        # nginx uses http/1.0 by default
+        # but istio/envoy proxy requires 1.1
+        proxy_http_version 1.1;
+
         # ssl settings
         ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
         ssl_prefer_server_ciphers on;
 
         # logging Settings
         log_format main '[$time_local] $http_CF_Connecting_IP - '
-                        '"$request_method $uri" $status $body_bytes_sent '
+                        '"$request_method $host $uri" $status $body_bytes_sent '
                         '"$http_referer" "$http_user_agent"';
 
         map $status $loggable {
-                ~^[23] 0;
+                ~^[23] 1;
                 default 1;
         }
         access_log /var/log/nginx/access.log main if=$loggable;
         error_log /var/log/nginx/error.log;
 
+        map $http_origin $cors_allowed_origin {
+            default "";
+            "https://akatsuki.gg" "https://akatsuki.gg";
+            "https://next.akatsuki.gg" "https://next.akatsuki.gg";
+            "http://localhost:3000" "http://localhost:3000";
+        }
+
         # connection header for WebSocket reverse proxy
         map $http_upgrade $connection_upgrade {
             default upgrade;
@@ -56,8 +67,11 @@ http {
         }
 
         # define rate limiting zones
-        limit_req_zone $http_CF_Connecting_IP zone=api_zone:10m rate=10r/s;
+        limit_req_zone $http_CF_Connecting_IP zone=web_zone:10m rate=10r/s;
+        limit_req_zone $http_CF_Connecting_IP zone=api_zone:10m rate=20r/s;
         limit_req_zone $http_CF_Connecting_IP zone=osu_zone:10m rate=20r/s;
+        limit_req_zone $http_CF_Connecting_IP zone=beatmaps_zone:10m rate=10r/s;
+        limit_req_zone $http_CF_Connecting_IP zone=users_zone:10m rate=10r/s;
 
         # virtual host configs
         include /etc/nginx/sites-enabled/*.conf;

sites-enabled/admin_panel.conf

@@ -1,29 +1,20 @@
 server {
     listen 80;
-    server_name old.akatsuki.pw old.akatsuki.gg;
+    server_name old.akatsuki.gg old.akatsuki.pw;
 
-    root /home/akatsuki/admin-panel;
+    location /phpmyadmin {
+        proxy_set_header X-Real-IP $http_CF_Connecting_IP;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
 
-    location ~ \.php$ {
-        add_header Access-Control-Allow-Origin *;
-        try_files $uri =404;
-
-        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
-        fastcgi_index index.php;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-
-        include fastcgi.conf;
-
-    }
-
-    location /.git/ {
-        return 200 "yes";
+        proxy_pass http://k8s_production;
     }
 
     location / {
-        add_header Access-Control-Allow-Origin *;
+        proxy_set_header X-Real-IP $http_CF_Connecting_IP;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
 
-        index index.php;
-        rewrite ^/(?:u|d)/\d+$ /rewrite.php;
+        proxy_pass http://k8s_production;
     }
 }

sites-enabled/air_conditioning.conf

@@ -2,11 +2,25 @@ server {
     listen 80;
     server_name air_conditioning.akatsuki.pw air_conditioning.akatsuki.gg;
 
+    client_max_body_size 100M;
+
+    location /loader-hub {
+        proxy_set_header X-Real-IP $http_CF_Connecting_IP;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_cache_bypass $http_upgrade;
+        proxy_buffering off;
+
+        proxy_pass http://k8s_production;
+    }
+
     location / {
         proxy_set_header X-Real-IP $http_CF_Connecting_IP;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $http_host;
 
-        proxy_pass http://air_conditioning_service;
+        proxy_pass http://k8s_production;
     }
 }

sites-enabled/assets.conf

@@ -0,0 +1,24 @@
+server {
+	listen 80;
+	server_name a.akatsuki.pw a.akatsuki.gg;
+
+	location /profile-backgrounds {
+		proxy_set_header X-Real-IP $http_CF_Connecting_IP;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header Host $http_host;
+
+		rewrite /profile-backgrounds/(.*) /public/api/v1/profile-backgrounds/$1 break;
+		proxy_pass http://k8s_production;
+	}
+
+	# If they hit /{filename} directly, default to avatars
+	location / {
+		proxy_set_header X-Real-IP $http_CF_Connecting_IP;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header Host $http_host;
+		add_header Cache-Control no-cache;
+
+		rewrite /(.*) /public/api/v1/avatars/$1 break;
+		proxy_pass http://k8s_production;
+	}
+}

sites-enabled/bancho.conf

@@ -10,7 +10,24 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $http_host;
 
-        proxy_pass http://bancho_server;
+        proxy_pass http://k8s_production;
+    }
+
+    location /api {
+        limit_req zone=osu_zone burst=10 nodelay;
+        limit_req_status 429;
+
+        proxy_set_header X-Real-IP $http_CF_Connecting_IP;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+
+        # Add CORS headers on /api routes
+
+        add_header 'Access-Control-Allow-Origin' $cors_allowed_origin always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE, OPTIONS';
+        add_header 'Access-Control-Allow-Headers' '*';
+
+        proxy_pass http://k8s_production;
     }
 }
 

sites-enabled/beatmaps.conf

@@ -0,0 +1,16 @@
+server {
+    listen 80;
+    server_name beatmaps.akatsuki.gg;
+
+    location / {
+        limit_req zone=beatmaps_zone burst=10 nodelay;
+        limit_req_status 429;
+
+        proxy_set_header X-Real-IP $http_CF_Connecting_IP;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+
+        rewrite /(.*) /public/$1 break;
+        proxy_pass http://k8s_production;
+    }
+}

sites-enabled/frontend.conf

@@ -26,7 +26,7 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $http_host;
 
-        proxy_pass http://score_server;
+        proxy_pass http://k8s_production;
     }
 
     # /web/replays for replay downloads (hanayo)
@@ -38,7 +38,7 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $http_host;
 
-        proxy_pass http://score_server;
+        proxy_pass http://k8s_production;
     }
 
     # Redirect osu! avatar edit to hanayo
@@ -51,44 +51,35 @@ server {
         limit_req zone=api_zone burst=10 nodelay;
         limit_req_status 429;
 
-        add_header 'Access-Control-Allow-Origin' '*' always;
-        add_header 'Access-Control-Allow-Methods' 'POST, GET, OPTIONS';
-        add_header 'Access-Control-Allow-Headers' 'X-Ripple-Token';
-        add_header 'Access-Control-Max-Age' '21600';
-        #add_header Access-Control-Allow-Origin "https://akatsuki.gg";
-        #add_header Access-Control-Allow-Origin "https://akatsuki.pw";
+        add_header 'Access-Control-Allow-Origin' $cors_allowed_origin always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE, OPTIONS';
+        add_header 'Access-Control-Allow-Headers' '*';
+        add_header 'Access-Control-Allow-Credentials' 'true';
 
         proxy_set_header X-Real-IP $http_CF_Connecting_IP;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $http_host;
 
-        proxy_pass http://akatsuki_api;
+        proxy_pass http://k8s_production;
     }
 
     location /api/v1/profile-history {
         limit_req zone=api_zone burst=10 nodelay;
         limit_req_status 429;
 
-        add_header 'Access-Control-Allow-Origin' '*';
-        add_header 'Access-Control-Allow-Methods' 'POST, GET, OPTIONS';
-        add_header 'Access-Control-Allow-Headers' 'X-Ripple-Token';
-        add_header 'Access-Control-Max-Age' '21600';
+        add_header 'Access-Control-Allow-Origin' $cors_allowed_origin always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE, OPTIONS';
+        add_header 'Access-Control-Allow-Headers' '*';
 
         proxy_set_header X-Real-IP $http_CF_Connecting_IP;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $http_host;
-        proxy_pass http://profile_history_service;
+        proxy_pass http://k8s_production;
     }
 
     # https://osu.ppy.sh/beatmapsets/1117775#osu/2334952 -> https://osu.ppy.sh/b/2334952
     rewrite ^/beatmapsets/\d+#osu/(\d+)/?$ /b/$1 last;
 
-    location /static/ {
-        #add_header Access-Control-Allow-Origin "akatest.space";
-        alias /home/akatsuki/hanayo/web/static/;
-
-    }
-
     location /discord {
         return 302 $scheme://discord.gg/5cBtMPW;
     }
@@ -98,10 +89,11 @@ server {
     }
 
     location / {
+        limit_req zone=web_zone burst=10 nodelay;
         proxy_set_header X-Real-IP $http_CF_Connecting_IP;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $http_host;
 
-        proxy_pass http://hanayo;
+        proxy_pass http://k8s_production;
     }
 }