@abtnode/router-provider 1.15.17 → 1.16.0-beta-b16cb035

package/lib/nginx/index.js

@@ -10,75 +10,86 @@ const getPort = require('get-port');
 const uniqBy = require('lodash/uniqBy');
 const isEmpty = require('lodash/isEmpty');
 const cloneDeep = require('lodash/cloneDeep');
-const normalizePathPrefix = require('@abtnode/util/lib/normalize-path-prefix');
+const formatBackSlash = require('@abtnode/util/lib/format-back-slash');
 const {
   DOMAIN_FOR_DEFAULT_SITE,
   ROUTING_RULE_TYPES,
   CONFIG_FOLDER_NAME,
   DEFAULT_ADMIN_PATH,
   SLOT_FOR_IP_DNS_SITE,
-  WELLKNOWN_AUTH_PATH_PREFIX,
+  WELLKNOWN_SERVICE_PATH_PREFIX,
+  USER_AVATAR_PATH_PREFIX,
+  LOG_RETAIN_IN_DAYS,
+  ROUTER_CACHE_GROUPS,
 } = require('@abtnode/constant');
 const md5 = require('@abtnode/util/lib/md5');
 
 const promiseRetry = require('promise-retry');
 
-const logger = require('@abtnode/logger')(`${require('../../package.json').name}:provider:nginx`);
+const logger = require('@abtnode/logger')('router:nginx:controller');
 
 const BaseProvider = require('../base');
-const util = require('./util');
 const {
   addTestServer,
-  decideHttpPort,
-  decideHttpsPort,
   formatError,
   getNginxLoadModuleDirectives,
+  parseNginxConfigArgs,
+  getNginxStatus,
+  rotateNginxLogFile,
+  getMissingModules,
+  getMainTemplate,
+  getUpstreamName,
+  joinNginxPath,
+} = require('./util');
+const {
+  decideHttpPort,
+  decideHttpsPort,
+  getUsablePorts,
   get404Template,
   get502Template,
   get5xxTemplate,
   getWelcomeTemplate,
-  parseNginxConfigArgs,
   trimEndSlash,
   concatPath,
   findCertificate,
-  getNginxStatus,
-  rotateNginxLogFile,
-  getMissingModules,
-} = require('./util');
+  formatRoutingTable,
+} = require('../util');
 
 const REQUIRED_MODULES = [{ configName: 'with-stream', moduleBinaryName: 'ngx_stream_module.so' }];
 
 // TODO: move the did-auth-path-prefix to a constant
-const DID_AUTH_PATH_PREFIX = `${DEFAULT_ADMIN_PATH}/api/did`;
+const ADMIN_DID_AUTH_PATH_PREFIX = `${DEFAULT_ADMIN_PATH}/api/did`;
 
 // convert wildcard domain and ipDnsDomain template to regex
-const parseServerName = (serverName) => {
+const parseServerName = (domain) => {
   // ipDnsDomain template
-  if (serverName.includes(SLOT_FOR_IP_DNS_SITE)) {
-    const name = serverName.replace(/\./g, '\\.').replace(SLOT_FOR_IP_DNS_SITE, '\\d+-\\d+-\\d+-\\d+');
+  if (domain.includes(SLOT_FOR_IP_DNS_SITE)) {
+    const name = domain.replace(/\./g, '\\.').replace(SLOT_FOR_IP_DNS_SITE, '\\d+-\\d+-\\d+-\\d+');
     return `~^${name}$`;
   }
 
   // wildcard domain
-  if (serverName.startsWith('*.')) {
-    const name = serverName.replace('*', '').replace(/\./g, '\\.');
+  if (domain.startsWith('*.')) {
+    const name = domain.replace('*', '').replace(/\./g, '\\.');
     return `~.+${name}$`;
   }
 
-  return serverName;
+  return domain;
 };
 
 class NginxProvider extends BaseProvider {
   /**
-   * @param {string} configDirectory
-   * @param {number} httpPort
-   * @param {number} httpPort
-   * @param {number} cacheDisabled
+   * @param {object} options
+   * @param {string} options.configDir
+   * @param {number} options.httpPort
+   * @param {number} options.httpsPort
+   * @param {boolean} [options.cacheEnabled]
+   * @param {boolean} [options.isTest]
    */
-  constructor({ configDirectory, httpPort, httpsPort, cacheDisabled, isTest }) {
-    super('nginx-provider');
-    if (!configDirectory) {
-      throw new Error('invalid configDirectory');
+  constructor({ configDir, httpPort, httpsPort, cacheEnabled = true, isTest = false }) {
+    super('nginx');
+    if (!configDir) {
+      throw new Error('invalid configDir');
     }
 
     if (shelljs.which('nginx')) {
@@ -88,30 +99,33 @@ class NginxProvider extends BaseProvider {
     }
 
     this.isTest = !!isTest;
-    this.configDirectory = configDirectory;
-    this.logDirectory = path.join(this.configDirectory, 'log');
-    this.accessLogFile = path.join(this.logDirectory, 'access.log');
-    this.errorLogFile = path.join(this.logDirectory, 'error.log');
-    this.tmpDirectory = path.join(this.configDirectory, 'tmp');
-    this.certificateDirectory = path.join(this.configDirectory, 'certs');
-    this.includesDirectory = path.join(this.configDirectory, 'includes');
-    this.wwwDirectory = path.join(this.configDirectory, 'www');
-
-    this.configFilePath = path.join(this.configDirectory, 'nginx.conf');
+    this.configDir = configDir;
+    this.logDir = path.join(this.configDir, 'log');
+    this.accessLog = path.join(this.logDir, 'access.log');
+    this.errorLog = path.join(this.logDir, 'error.log');
+    this.tmpDir = path.join(this.configDir, 'tmp');
+    this.certDir = path.join(this.configDir, 'certs');
+    this.cacheDir = path.join(this.configDir, 'cache');
+    this.includesDir = path.join(this.configDir, 'includes');
+    this.wwwDir = path.join(this.configDir, 'www');
+
+    this.configPath = path.join(this.configDir, 'nginx.conf');
 
     this.httpPort = decideHttpPort(httpPort);
     this.httpsPort = decideHttpsPort(httpsPort);
-    this.cacheDisabled = !!cacheDisabled;
+    this.cacheEnabled = !!cacheEnabled;
+    this.isHttp2Supported = this._isHttp2Supported();
+    this.conf = null; // nginx `conf` object
 
     logger.info('nginx provider config', {
-      configDirectory,
+      configDir,
       httpPort: this.httpPort,
       httpsPort: this.httpsPort,
-      cacheDisabled: this.cacheDisabled,
+      cacheEnabled: this.cacheEnabled,
     });
 
     // ensure directories
-    [this.configDirectory, this.logDirectory, this.tmpDirectory, this.certificateDirectory].forEach((dir) => {
+    [this.configDir, this.logDir, this.cacheDir, this.tmpDir, this.certDir].forEach((dir) => {
       if (!fs.existsSync(dir)) {
         fs.mkdirSync(dir);
       }
@@ -122,23 +136,46 @@ class NginxProvider extends BaseProvider {
     this.initialize();
   }
 
-  async update({ routingTable = [], certificates = [], globalHeaders, services = [], nodeInfo = {} } = {}) {
-    logger.info('routing table:', routingTable);
+  static isDidAuthPrefix(prefix) {
+    return prefix === ADMIN_DID_AUTH_PATH_PREFIX;
+  }
+
+  getRelativeConfigDir(dir) {
+    return path.relative(this.configDir, dir);
+  }
+
+  getConfTemplate() {
+    return getMainTemplate({
+      logDir: this.getRelativeConfigDir(formatBackSlash(this.logDir)),
+      tmpDir: this.getRelativeConfigDir(formatBackSlash(this.tmpDir)),
+      cacheDir: this.getRelativeConfigDir(formatBackSlash(this.cacheDir)),
+      workerProcess: this.getWorkerProcess(),
+      nginxLoadModules: getNginxLoadModuleDirectives(REQUIRED_MODULES, this.readNginxConfigParams()).join(os.EOL),
+    });
+  }
 
+  async update({
+    routingTable = [],
+    certificates = [],
+    commonHeaders,
+    services = [],
+    nodeInfo = {},
+    requestLimit,
+    cacheEnabled,
+  } = {}) {
     if (!Array.isArray(routingTable)) {
       throw new Error('routingTable must be an array');
     }
 
+    if (typeof cacheEnabled !== 'undefined') {
+      this.cacheEnabled = !!cacheEnabled;
+    }
+
     this._addWwwFiles(nodeInfo);
 
     // eslint-disable-next-line consistent-return
     return new Promise((resolve, reject) => {
-      const confTemplate = util.getMainTemplate({
-        logDir: this.logDirectory.replace(this.configDirectory, '').replace(/^\//, ''),
-        tmpDirectory: this.tmpDirectory.replace(this.configDirectory, '').replace(/^\//, ''),
-        workerProcess: this.getWorkerProcess(),
-        nginxLoadModules: getNginxLoadModuleDirectives(REQUIRED_MODULES, this.readNginxConfigParams()).join(os.EOL),
-      });
+      const confTemplate = this.getConfTemplate();
 
       NginxConfFile.createFromSource(confTemplate, (err, conf) => {
         if (err) {
@@ -147,91 +184,47 @@ class NginxProvider extends BaseProvider {
           return;
         }
 
-        conf.on('flushed', () => resolve());
-
-        conf.live(this.configFilePath);
+        this.conf = conf;
 
-        let addedDefaultServer = false;
-        const rulesMap = new Map();
-        const siteCorsConfigs = [];
-
-        routingTable.forEach((site) => {
-          let serverName = site.domain;
-          if (site.domain === DOMAIN_FOR_DEFAULT_SITE) {
-            serverName = '_';
-            addedDefaultServer = true;
-          }
-
-          siteCorsConfigs.push({ serverName, corsAllowedOrigins: site.corsAllowedOrigins });
-
-          if (!rulesMap.has(serverName)) {
-            rulesMap.set(serverName, {
-              rules: [],
-              port: site.port,
-              corsAllowedOrigins: site.corsAllowedOrigins,
-            });
+        conf.on('flushed', () => resolve());
+        conf.live(this.configPath);
+
+        const { sites, configs: siteCorsConfigs } = formatRoutingTable(routingTable, (rules, rule) => {
+          // TODO: this is really hacky, and should be abstracted out
+          if (rule.type === ROUTING_RULE_TYPES.DAEMON && rule.prefix === DEFAULT_ADMIN_PATH) {
+            const clonedRule = cloneDeep(rule);
+            clonedRule.prefix = ADMIN_DID_AUTH_PATH_PREFIX;
+            rules.push(clonedRule);
           }
-
-          (site.rules || []).forEach((x) => {
-            const prefix = trimEndSlash(x.from.pathPrefix || '/');
-            const groupPrefix = trimEndSlash(x.from.groupPathPrefix || '/');
-            const suffix = trimEndSlash(x.from.pathSuffix || '');
-
-            const rule = {
-              ruleId: x.id,
-              type: x.to.type,
-              prefix,
-              groupPrefix,
-              suffix,
-            };
-            if (x.to.type === ROUTING_RULE_TYPES.REDIRECT) {
-              rule.redirectCode = x.to.redirectCode || 302;
-              rule.url = x.to.url;
-            } else {
-              rule.port = x.to.port;
-              rule.did = x.to.did;
-              rule.realDid = x.to.realDid;
-              rule.target = trimEndSlash(normalizePathPrefix(x.to.target || '/'));
-              rule.services = x.services || [];
-            }
-
-            const tmpPath = concatPath(prefix, suffix);
-            const tmpRules = rulesMap.get(serverName).rules;
-            if (!tmpRules.find(({ prefix: p, suffix: s }) => concatPath(p, s) === tmpPath)) {
-              rulesMap.get(serverName).rules.push(rule);
-
-              if (rule.type === ROUTING_RULE_TYPES.DAEMON && rule.prefix === DEFAULT_ADMIN_PATH) {
-                const clonedRule = cloneDeep(rule);
-                clonedRule.prefix = DID_AUTH_PATH_PREFIX;
-                rulesMap.get(serverName).rules.push(clonedRule);
-              }
-            }
-          });
         });
 
-        logger.debug('rule map:', { rulesMap });
-
         this._addCorsMap(conf, siteCorsConfigs);
-
-        // disable server version
         conf.nginx.http._add('server_tokens', 'off');
-        this._addGlobalHeaders(conf, globalHeaders);
-
+        this._addCommonResHeaders(conf.nginx.http, commonHeaders);
         this._addExposeServices(conf, services);
+        if (requestLimit && requestLimit.enabled) {
+          this.addGlobalReqLimit(conf.nginx.http, requestLimit);
+        }
+
+        const allRules = sites.reduce((acc, site) => {
+          acc.push(...(site.rules || []));
+          return acc;
+        }, []);
+
+        this.ensureUpstreamServers(allRules);
 
         // eslint-disable-next-line no-restricted-syntax
-        for (const [serverName, { rules: locations, corsAllowedOrigins, port }] of rulesMap) {
-          const certificate = findCertificate(certificates, serverName);
-          const isHttps = !!certificate;
+        for (const site of sites) {
+          const { domain, port, rules, corsAllowedOrigins, blockletDid } = site;
+          const certificate = findCertificate(certificates, domain);
 
-          const parsedServerName = parseServerName(serverName);
-          const sortedLocations = this._sortLocations(locations);
-          if (isHttps) {
+          const parsedServerName = parseServerName(domain);
+          if (certificate) {
             // HTTPS configurations
             // update all certs to disk
             certificates.forEach((item) => {
-              const crtPath = `${path.join(this.certificateDirectory, item.domain)}.crt`;
-              const keyPath = `${path.join(this.certificateDirectory, item.domain)}.key`;
+              const crtPath = `${path.join(this.certDir, item.domain.replace('*', '-'))}.crt`;
+              const keyPath = `${path.join(this.certDir, item.domain.replace('*', '-'))}.key`;
               fs.writeFileSync(crtPath, item.certificate);
               fs.writeFileSync(keyPath, item.privateKey);
             });
@@ -239,25 +232,29 @@ class NginxProvider extends BaseProvider {
             // if match certificate, then add https server
             this._addHttpsServer({
               conf,
-              locations: sortedLocations,
+              locations: rules,
               certificateFileName: certificate.domain,
               serverName: parsedServerName,
               corsAllowedOrigins,
               daemonPort: nodeInfo.port,
+              commonHeaders,
+              blockletDid,
             });
           } else {
             this._addHttpServer({
               conf,
-              locations: sortedLocations,
+              locations: rules,
               serverName: parsedServerName,
               corsAllowedOrigins,
               port,
               daemonPort: nodeInfo.port,
+              commonHeaders,
+              blockletDid,
             });
           }
         }
 
-        if (addedDefaultServer === false) {
+        if (!sites.find((x) => x.domain === '_')) {
           this._addDefaultServer(conf, nodeInfo.port);
         }
 
@@ -267,8 +264,8 @@ class NginxProvider extends BaseProvider {
   }
 
   async reload() {
-    const nginxStatus = await getNginxStatus(this.configFilePath);
-    if (nginxStatus.ownByABTNode) {
+    const nginxStatus = await getNginxStatus(this.configPath);
+    if (nginxStatus.managed) {
       const result = this._exec('reload');
       logger.info('reload:reload', { result: result.stdout });
       return result;
@@ -291,26 +288,19 @@ class NginxProvider extends BaseProvider {
 
   async stop() {
     logger.info('stop');
+
     return this._exec('stop');
   }
 
   // FIXME: 这个函数可以不暴露出去？
   initialize() {
-    if (!fs.existsSync(this.configFilePath)) {
-      fs.writeFileSync(
-        this.configFilePath,
-        util.getMainTemplate({
-          logDir: this.logDirectory.replace(this.configDirectory, '').replace(/^\//, ''),
-          tmpDirectory: this.tmpDirectory.replace(this.configDirectory, '').replace(/^\//, ''),
-          nginxLoadModules: getNginxLoadModuleDirectives(REQUIRED_MODULES, this.readNginxConfigParams()).join(os.EOL),
-          workerProcess: this.getWorkerProcess(),
-        })
-      );
+    if (!fs.existsSync(this.configPath)) {
+      fs.writeFileSync(this.configPath, this.getConfTemplate());
     }
   }
 
   async validateConfig() {
-    const command = `${this.binPath} -t -c ${this.configFilePath} -p ${this.configDirectory}`; // eslint-disable-line no-param-reassign
+    const command = `${this.binPath} -t -c ${this.configPath} -p ${this.configDir}`; // eslint-disable-line no-param-reassign
     const result = shelljs.exec(command, { silent: true });
     if (result.code !== 0) {
       logger.info(`exec ${command} error`, { error: result.stderr });
@@ -318,47 +308,36 @@ class NginxProvider extends BaseProvider {
     }
   }
 
-  async rotateLogs() {
-    const nginxStatus = await getNginxStatus(this.configDirectory);
-    if (!nginxStatus.ownByABTNode) {
-      logger.warn('nginx does not running');
+  async rotateLogs({ retain = LOG_RETAIN_IN_DAYS } = {}) {
+    const nginxStatus = await getNginxStatus(this.configDir);
+    if (!nginxStatus.managed) {
+      logger.warn('nginx is not running');
       return;
     }
 
     logger.info('start rotate nginx log files');
-    const files = [this.accessLogFile, this.errorLogFile];
+    const files = [this.accessLog, this.errorLog];
     const rotateTasks = files.map(
-      (file) => rotateNginxLogFile({ file, nginxPid: nginxStatus.pid, cwd: this.logDirectory })
+      (file) => rotateNginxLogFile({ file, nginxPid: nginxStatus.pid, cwd: this.logDir, retain })
       // eslint-disable-next-line function-paren-newline
     );
     await Promise.all(rotateTasks);
     logger.info('rotate nginx log files finished');
   }
 
-  getWorkerProcess() {
-    if (this.isTest) {
-      return 1;
-    }
-
-    if (process.env.NODE_ENV === 'production') {
-      return os.cpus().length;
-    }
-
-    return 1;
-  }
-
   /**
    * execute nginx command, default is to start nginx
    * @param {string} param param of nginx -s {param}
    */
   _exec(param = '') {
     logger.info('exec', { param });
-    let command = `${this.binPath}  -c ${this.configFilePath} -p ${this.configDirectory}`; // eslint-disable-line no-param-reassign
+    let command = `${this.binPath} -c ${this.configPath} -p ${formatBackSlash(this.configDir)}`; // eslint-disable-line no-param-reassign
     if (param) {
       command = `${command} -s ${param}`;
     }
 
     logger.info('exec command:', { command });
+
     const result = shelljs.exec(command, { silent: true });
     if (result.code !== 0) {
       logger.error(`exec ${command} error`, { error: result.stderr });
@@ -368,6 +347,11 @@ class NginxProvider extends BaseProvider {
     return result;
   }
 
+  _isHttp2Supported() {
+    const configArgs = this.readNginxConfigParams();
+    return typeof configArgs['with-http_v2_module'] !== 'undefined';
+  }
+
   readNginxConfigParams() {
     const result = shelljs.exec(`${this.binPath} -V`, { silent: true });
 
@@ -385,7 +369,9 @@ class NginxProvider extends BaseProvider {
     return parseNginxConfigArgs(result.stderr);
   }
 
-  _addReverseProxy({ type, ...args }) {
+  _addReverseProxy(args) {
+    const { type } = args;
+
     if (type === ROUTING_RULE_TYPES.REDIRECT) {
       this._addRedirectTypeLocation(args);
       return;
@@ -396,6 +382,11 @@ class NginxProvider extends BaseProvider {
       return;
     }
 
+    if (type === ROUTING_RULE_TYPES.DIRECT_RESPONSE) {
+      this._addDirectResponseLocation(args);
+      return;
+    }
+
     if (type === ROUTING_RULE_TYPES.NONE) {
       this._addNotFoundLocation(args);
       return;
@@ -404,21 +395,50 @@ class NginxProvider extends BaseProvider {
     this._addBlockletTypeLocation(args);
   }
 
+  addUpstreamServer(port) {
+    this.conf.nginx.http._add('upstream', getUpstreamName(port));
+    const upstream = this.conf.nginx.http.upstream.length
+      ? this.conf.nginx.http.upstream[this.conf.nginx.http.upstream.length - 1]
+      : this.conf.nginx.http.upstream;
+
+    upstream._add('server', `127.0.0.1:${port} max_fails=1 fail_timeout=2s`);
+    upstream._add('keepalive', '2');
+  }
+
+  ensureUpstreamServers(rules) {
+    const upstreamMap = new Map();
+
+    const servicePort = process.env.ABT_NODE_SERVICE_PORT;
+
+    if (!upstreamMap.has(servicePort)) {
+      this.addUpstreamServer(servicePort);
+      upstreamMap.set(servicePort, 1);
+    }
+
+    for (let i = 0; i < rules.length; i++) {
+      const rule = rules[i];
+
+      if (
+        [
+          ROUTING_RULE_TYPES.DAEMON,
+          ROUTING_RULE_TYPES.SERVICE,
+          ROUTING_RULE_TYPES.BLOCKLET,
+          ROUTING_RULE_TYPES.GENERAL_PROXY,
+        ].includes(rule.type) &&
+        !upstreamMap.has(String(rule.port))
+      ) {
+        this.addUpstreamServer(rule.port);
+        upstreamMap.set(String(rule.port), 1);
+      }
+    }
+  }
+
   /**
    * Returns:
    * server /flash/ {
    *     rewrite ^/flash/(.*) /$1  break;
    *     proxy_pass http://127.0.0.1:8090;
-   *     proxy_set_header Host $host;
-   *     proxy_set_header X-Real-IP $remote_addr;
-   *     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    * }
-   * @param {object} server
-   * @param {number} port
-   * @param {string} pathPrefix
-   * @param {string} pathSuffix
-   * @param {string} did root blocklet did
-   * @param {string} realDid child blocklet did
    */
   _addBlockletTypeLocation({
     server,
@@ -428,58 +448,62 @@ class NginxProvider extends BaseProvider {
     groupPrefix,
     suffix,
     did,
-    realDid,
+    componentId,
     corsAllowedOrigins,
     target,
+    targetPrefix, // used to strip prefix from target
     ruleId,
-    services = [],
+    type,
+    commonHeaders,
+    cacheGroup,
   }) {
     server._add('location', concatPath(prefix, suffix));
 
     const location = this._getLastLocation(server);
-    const isDidAuthPath = prefix === DID_AUTH_PATH_PREFIX;
-    const rewritePathPrefix = isDidAuthPath ? DEFAULT_ADMIN_PATH : prefix;
+    const isDidAuthPath = NginxProvider.isDidAuthPrefix(prefix);
 
     // Note: 下面这段代码比较 tricky，不要在这段代码之前添加任何 add_header, proxy_set_header, proxy_hide_header 的语句，否则 nginx 配置可能无法按预期工作
-    if (!isEmpty(corsAllowedOrigins)) {
-      if (corsAllowedOrigins.includes(DOMAIN_FOR_DEFAULT_SITE) || isDidAuthPath) {
-        location._add('include', 'includes/cors-loose');
-        location._add('include', 'includes/security');
-      } else {
-        location._add('add_header', `Access-Control-Allow-Origin $allow_origin_${md5(serverName)} always`);
-        location._add('include', 'includes/cors-strict');
-        location._add('include', 'includes/security');
-      }
+    this._addCors({ location, corsAllowedOrigins, serverName, isDidAuthPath });
 
-      location._addVerbatimBlock('if ($request_method = "OPTIONS")', 'return 204;');
-    } else {
-      location._add('include', 'includes/security');
+    this._addCommonResHeaders(location, commonHeaders);
+    if (!cacheGroup && !suffix) {
+      this._addTailSlashRedirection(location, prefix); // Note: 末尾 "/" 的重定向要放在 CORS(OPTIONS) 响应之后, 这样不会影响 OPTIONS 的响应
     }
 
-    this._addTailSlashRedirection(location, prefix); // Note: 末尾 "/" 的重定向要放在 CORS(OPTIONS) 响应之后, 这样不会影响 OPTIONS 的响应
-
     if (did) {
       location._add('set', `$did "${did}"`);
       location._add('proxy_set_header', `X-Blocklet-Did "${did}"`);
-      if (realDid) {
-        location._add('proxy_set_header', `X-Blocklet-Real-Did "${realDid}"`);
+      if (componentId) {
+        location._add('proxy_set_header', `X-Blocklet-Component-Id "${componentId}"`);
       }
     }
 
+    location._add('include', 'includes/proxy');
+
     // kill cache
-    if (this.cacheDisabled) {
+    if (this.cacheEnabled === false) {
       location._add('expires', '-1');
+    } else if (ROUTER_CACHE_GROUPS[cacheGroup]) {
+      location._add('proxy_cache', cacheGroup);
+      location._add('proxy_cache_valid', `200 ${ROUTER_CACHE_GROUPS[cacheGroup].period}`);
+      location._add('include', 'includes/cache');
     }
 
-    location._add('include', 'includes/proxy');
-    location._add('proxy_set_header', `X-Path-Prefix "${rewritePathPrefix}"`);
-    if (groupPrefix) {
-      location._add('proxy_set_header', `X-Group-Path-Prefix "${groupPrefix}"`);
-    }
+    // Redirect blocklet traffic
+    if (type === ROUTING_RULE_TYPES.BLOCKLET) {
+      // FIXME: logic related to server gateway should not in provider
+      let rewritePathPrefix = prefix.replace(WELLKNOWN_SERVICE_PATH_PREFIX, '').replace(USER_AVATAR_PATH_PREFIX, '');
 
-    // Redirect traffic to service process
-    if (services.length > 0) {
       // Add header
+      if (targetPrefix) {
+        rewritePathPrefix = rewritePathPrefix.replace(targetPrefix, '');
+      }
+
+      location._add('proxy_set_header', `X-Path-Prefix "${rewritePathPrefix}"`);
+      if (groupPrefix) {
+        location._add('proxy_set_header', `X-Group-Path-Prefix "${groupPrefix}"`);
+      }
+
       location._add('proxy_set_header', `X-Blocklet-Url "http://127.0.0.1:${port}"`);
       if (ruleId) {
         location._add('proxy_set_header', `X-Routing-Rule-Id "${ruleId}"`);
@@ -490,42 +514,44 @@ class NginxProvider extends BaseProvider {
       }
 
       // Rewrite path
-      const rewrite = target === WELLKNOWN_AUTH_PATH_PREFIX ? `${target}/`.replace(/\/\//g, '/') : '/';
-      location._add('rewrite', `^${rewritePathPrefix}/?(.*) ${rewrite}$1  break`);
-
-      location._add('proxy_pass', `http://127.0.0.1:${process.env.ABT_NODE_SERVICE_PORT}`);
+      location._add('rewrite', `^${rewritePathPrefix}/?(.*) /$1  break`);
+      location._add('proxy_pass', `http://${getUpstreamName(process.env.ABT_NODE_SERVICE_PORT)}/`);
 
       return;
     }
 
-    // Redirect traffic to blocklet process
-
-    // Rewrite path
+    // Redirect daemon traffic
+    const rewritePathPrefix = isDidAuthPath ? DEFAULT_ADMIN_PATH : prefix;
+    location._add('proxy_set_header', `X-Path-Prefix "${rewritePathPrefix}"`);
     if (!suffix && prefix !== target) {
       location._add('rewrite', `^${rewritePathPrefix}/?(.*) ${`${target}/`.replace(/\/\//g, '/')}$1  break`);
     }
 
-    location._add('proxy_pass', `http://127.0.0.1:${port}`);
+    location._add('proxy_pass', `http://${getUpstreamName(port)}`);
   }
 
-  _addRedirectTypeLocation({ server, url, redirectCode, prefix, suffix }) {
-    const formatedUrl = trimEndSlash(url);
-
+  _addRedirectTypeLocation({ server, url, redirectCode, prefix, suffix, corsAllowedOrigins, serverName }) {
+    const cleanUrl = trimEndSlash(url);
     server._add('location', `${concatPath(prefix, suffix)}`);
     const location = this._getLastLocation(server);
+
+    const isDidAuthPath = NginxProvider.isDidAuthPrefix(prefix);
+
+    this._addCors({ location, corsAllowedOrigins, serverName, isDidAuthPath });
+
     location._add('set $abt_query_string', '""');
     location._addVerbatimBlock('if ($query_string)', 'set $abt_query_string "?$query_string";');
 
     // 如果当前请求的 path 和 prefix 一样，则不需要重写，直接返回重定向地址就可以了
-    location._addVerbatimBlock(`if ($uri = ${prefix})`, `return ${redirectCode} ${formatedUrl}$abt_query_string;`);
+    location._addVerbatimBlock(`if ($uri = ${prefix})`, `return ${redirectCode} ${cleanUrl}$abt_query_string;`);
 
     // 如果 prefix 是根路径，则不需要重写，直接将当前的请求附加到设置的重定向地址后面
     if (prefix === '/') {
-      location._add('return', `${redirectCode} ${formatedUrl}$request_uri`);
+      location._add('return', `${redirectCode} ${cleanUrl}$request_uri`);
     } else {
       // 将当前请求中的 prefix 去掉，然后拼接对应的重定地址
       location._add('rewrite', `^${prefix}(.*) $1`);
-      location._add('return', `${redirectCode} ${formatedUrl === '/' ? '' : formatedUrl}$1$abt_query_string`);
+      location._add('return', `${redirectCode} ${cleanUrl === '/' ? '' : cleanUrl}$1$abt_query_string`);
     }
   }
 
@@ -537,12 +563,27 @@ class NginxProvider extends BaseProvider {
     location._add('try_files', '$uri /404.html break');
   }
 
-  _addGeneralProxyLocation({ server, port, prefix, suffix }) {
+  _addGeneralProxyLocation({ server, port, prefix, suffix, blockletDid }) {
+    server._add('location', concatPath(prefix, suffix));
+    const location = this._getLastLocation(server);
+    this._addCommonHeader(location);
+    location._add('include', 'includes/proxy');
+    if (blockletDid) {
+      location._add('proxy_set_header', `X-Blocklet-Did ${blockletDid}`);
+    }
+
+    location._add('proxy_pass', `http://${getUpstreamName(port)}`);
+  }
+
+  _addDirectResponseLocation({ server, response, prefix, suffix }) {
     server._add('location', concatPath(prefix, suffix));
     const location = this._getLastLocation(server);
     this._addCommonHeader(location);
+    if (response.contentType) {
+      location._add('default_type', response.contentType);
+    }
 
-    location._add('proxy_pass', `http://127.0.0.1:${port}`);
+    location._add('return', `${response.status} "${response.body}"`);
   }
 
   /**
@@ -564,10 +605,7 @@ class NginxProvider extends BaseProvider {
         // eslint-disable-next-line no-template-curly-in-string
         'set $tail_slash_redirect_flag "${tail_slash_redirect_flag}2";'
       );
-      location._addVerbatimBlock(
-        'if ($tail_slash_redirect_flag = 12)',
-        `return 307 $abt_proto://$abt_host${prefix}/$abt_query_string;`
-      );
+      location._addVerbatimBlock('if ($tail_slash_redirect_flag = 12)', `return 307 ${prefix}/$abt_query_string;`);
     }
   }
 
@@ -591,7 +629,7 @@ class NginxProvider extends BaseProvider {
       throw new Error('daemonPort is required');
     }
 
-    server._add('root', this.wwwDirectory.replace(this.configDirectory, '').replace(/^\//, ''));
+    server._add('root', this.getRelativeConfigDir(this.wwwDir));
     server._add('error_page', '404 =404 /_abtnode_404');
     server._add('error_page', '502 =502 /_abtnode_502');
     server._add('error_page', '500 502 503 504 =500 /_abtnode_5xx');
@@ -616,28 +654,34 @@ class NginxProvider extends BaseProvider {
 
   _addWwwFiles(nodeInfo) {
     const welcomePage = nodeInfo.enableWelcomePage ? getWelcomeTemplate(nodeInfo) : get404Template(nodeInfo);
-    fs.writeFileSync(`${this.wwwDirectory}/index.html`, welcomePage); // disable index.html
-    fs.writeFileSync(`${this.wwwDirectory}/404.html`, get404Template(nodeInfo));
-    fs.writeFileSync(`${this.wwwDirectory}/502.html`, get502Template(nodeInfo));
-    fs.writeFileSync(`${this.wwwDirectory}/5xx.html`, get5xxTemplate(nodeInfo));
+
+    fs.writeFileSync(`${this.wwwDir}/index.html`, welcomePage); // disable index.html
+    fs.writeFileSync(`${this.wwwDir}/404.html`, get404Template(nodeInfo));
+    fs.writeFileSync(`${this.wwwDir}/502.html`, get502Template(nodeInfo));
+    fs.writeFileSync(`${this.wwwDir}/5xx.html`, get5xxTemplate(nodeInfo));
+    // 将 @abtnode/router-templates/lib/styles (font 相关样式) 复制到 www/router-template-styles 中
+    fs.copySync(
+      `${path.dirname(require.resolve('@abtnode/router-templates/package.json'))}/lib/styles`,
+      `${this.wwwDir}/router-template-styles`
+    );
   }
 
   _copyConfigFiles() {
-    fs.copySync(path.join(__dirname, 'includes'), this.includesDirectory, {
+    fs.copySync(path.join(__dirname, 'includes'), this.includesDir, {
       overwrite: true,
     });
-    fs.copySync(path.join(__dirname, '..', 'www'), this.wwwDirectory, { overwrite: true });
+    fs.copySync(path.join(__dirname, '..', 'www'), this.wwwDir, { overwrite: true });
   }
 
   _ensureDhparam() {
-    const targetFile = path.join(this.includesDirectory, 'dhparam.pem');
+    const targetFile = path.join(this.includesDir, 'dhparam.pem');
     if (fs.existsSync(targetFile)) {
       this._isDhparamGenerated = true;
       return;
     }
 
     if (this.isTest || process.env.NODE_ENV === 'test') {
-      fs.copySync(path.join(__dirname, 'includes/dhparam.pem'), targetFile, { overwrite: true });
+      fs.copySync(path.join(__dirname, 'includes', 'dhparam.pem'), targetFile, { overwrite: true });
       this._isDhparamGenerated = true;
       return;
     }
@@ -658,26 +702,13 @@ class NginxProvider extends BaseProvider {
     }
   }
 
-  _sortLocations(rules = []) {
-    const rulesWithoutSuffix = rules.filter((x) => !x.suffix);
-    const rulesWithSuffix = rules
-      .filter((x) => x.suffix)
-      .sort((a, b) => {
-        const lenA = (a.prefix || '').length + (a.prefix || '').length;
-        const lenB = (b.prefix || '').length + (b.prefix || '').length;
-        return lenB - lenA;
-      });
-
-    return rulesWithoutSuffix.concat(rulesWithSuffix);
-  }
-
-  _addGlobalHeaders(conf, headers) {
+  _addCommonResHeaders(block, headers) {
     if (!headers || Object.prototype.toString.call(headers) !== '[object Object]') {
       return;
     }
 
     Object.keys(headers).forEach((key) => {
-      conf.nginx.http._add('add_header', `${key} ${headers[key]}`);
+      block._add('add_header', `${key} ${headers[key]}`);
     });
   }
 
@@ -709,14 +740,32 @@ class NginxProvider extends BaseProvider {
       : conf.nginx.stream.server;
   }
 
-  _addHttpServer({ locations = [], serverName, conf, corsAllowedOrigins, port, daemonPort }) {
+  _addHttpServer({
+    locations = [],
+    serverName,
+    conf,
+    corsAllowedOrigins,
+    port,
+    daemonPort,
+    commonHeaders,
+    blockletDid,
+  }) {
     const httpServerUnit = this._addHttpServerUnit({ conf, serverName, port });
     this._addDefaultLocations(httpServerUnit, daemonPort);
     // eslint-disable-next-line max-len
-    locations.forEach((x) => this._addReverseProxy({ server: httpServerUnit, ...x, serverName, corsAllowedOrigins })); // prettier-ignore
+    locations.forEach((x) => this._addReverseProxy({ server: httpServerUnit, ...x, serverName, corsAllowedOrigins, commonHeaders, blockletDid })); // prettier-ignore
   }
 
-  _addHttpsServer({ conf, locations, certificateFileName, serverName, corsAllowedOrigins, daemonPort }) {
+  _addHttpsServer({
+    conf,
+    locations,
+    certificateFileName,
+    serverName,
+    corsAllowedOrigins,
+    daemonPort,
+    commonHeaders,
+    blockletDid,
+  }) {
     const httpsServerUnit = this._addHttpsServerUnit({ conf, serverName, certificateFileName });
 
     const httpServerUnit = this._addHttpServerUnit({ conf, serverName });
@@ -724,7 +773,7 @@ class NginxProvider extends BaseProvider {
 
     this._addDefaultLocations(httpsServerUnit, daemonPort);
     // eslint-disable-next-line max-len
-    locations.forEach((x) => this._addReverseProxy({ server: httpsServerUnit, ...x, serverName, corsAllowedOrigins })); // prettier-ignore
+    locations.forEach((x) => this._addReverseProxy({ server: httpsServerUnit, ...x, serverName, corsAllowedOrigins, commonHeaders, blockletDid })); // prettier-ignore
   }
 
   _addHttpServerUnit({ conf, serverName, port }) {
@@ -746,10 +795,10 @@ class NginxProvider extends BaseProvider {
     conf.nginx.http._add('server');
     const httpsServerUnit = this._getLastServer(conf);
 
-    const crtPath = `${path.join(this.certificateDirectory, certificateFileName)}.crt`;
-    const keyPath = `${path.join(this.certificateDirectory, certificateFileName)}.key`;
+    const crtPath = `${joinNginxPath(this.certDir, certificateFileName.replace('*', '-'))}.crt`;
+    const keyPath = `${joinNginxPath(this.certDir, certificateFileName.replace('*', '-'))}.key`;
 
-    let listen = `${this.httpsPort} ssl`;
+    let listen = `${this.httpsPort} ssl ${this.isHttp2Supported ? 'http2' : ''}`.trim();
     if (serverName === '_') {
       listen = `${listen} default_server`;
     }
@@ -783,7 +832,13 @@ class NginxProvider extends BaseProvider {
       validServices.forEach((service) => {
         conf.nginx.stream._add('server');
         const server = this._getLastStreamServer(conf);
-        const protocol = service.protocol === 'tcp' ? '' : ` ${service.protocol}`;
+        let protocol = '';
+        if (service.protocol === 'udp') {
+          protocol = ` ${service.protocol}`;
+          server._add('proxy_responses', 1);
+          server._add('proxy_timeout', '1s');
+        }
+
         server._add('listen', `${service.port}${protocol}`);
         server._add('proxy_pass', `127.0.0.1:${service.upstreamPort}`);
       });
@@ -804,12 +859,47 @@ class NginxProvider extends BaseProvider {
 
         allowedOrigins.push('default "";');
         conf.nginx.http._addVerbatimBlock(
-          `map $http_origin $allow_origin_${md5(parseServerName(corsConfig.serverName))}`,
+          `map $http_origin $allow_origin_${md5(parseServerName(corsConfig.domain))}`,
           allowedOrigins.join(' ')
         );
       }
     });
   }
+
+  _addCors({ location, corsAllowedOrigins, serverName, isDidAuthPath }) {
+    if (!isEmpty(corsAllowedOrigins)) {
+      if (corsAllowedOrigins.includes(DOMAIN_FOR_DEFAULT_SITE) || isDidAuthPath) {
+        location._add('include', 'includes/cors-loose');
+        location._add('include', 'includes/security');
+      } else {
+        location._add('add_header', `Access-Control-Allow-Origin $allow_origin_${md5(serverName)} always`);
+        location._add('include', 'includes/cors-strict');
+        location._add('include', 'includes/security');
+      }
+
+      location._addVerbatimBlock('if ($request_method = "OPTIONS")', 'return 204;');
+    } else {
+      location._add('include', 'includes/security');
+    }
+  }
+
+  addGlobalReqLimit(block, limit) {
+    const key = limit.ipHeader ? `$http_${limit.ipHeader}` : '$binary_remote_addr';
+    block._add('limit_req_zone', `${key} zone=ip_limit:20m rate=${limit.rate || 5}r/s`);
+    block._add('limit_req', `zone=ip_limit burst=${limit.maxInstantRate || 30} delay=10`);
+    block._add('limit_req_status', 429);
+  }
+
+  getLogFilesForToday() {
+    return {
+      access: this.accessLog,
+      error: this.errorLog,
+    };
+  }
+
+  getLogDir() {
+    return this.logDir;
+  }
 }
 
 NginxProvider.describe = async ({ configDir = '' } = {}) => {
@@ -834,7 +924,6 @@ NginxProvider.describe = async ({ configDir = '' } = {}) => {
  * @param {string} param.configDir nginx config directory
  */
 NginxProvider.check = async ({ configDir = '' } = {}) => {
-  logger.info('check nginx provider');
   logger.info('check formal config directory', { configDir });
   const binPath = shelljs.which('nginx');
   const result = {
@@ -846,21 +935,22 @@ NginxProvider.check = async ({ configDir = '' } = {}) => {
 
   if (!binPath) {
     result.available = false;
-    result.error = 'nginx is not detected, make sure you have nginx installed.';
+    result.error =
+      'Nginx is not detected, to have nginx installed you can checkout: https://nginx.org/en/docs/install.html.';
     return result;
   }
 
   const nginxStatus = await getNginxStatus(configDir);
-  if (nginxStatus.running && !nginxStatus.ownByABTNode) {
+  if (nginxStatus.running && !nginxStatus.managed) {
     result.available = false;
     result.error =
-      'seems a nginx daemon is already running on your machine, a controlled nginx is required by Blocklet Server to work properly, please terminate the running nginx daemon before try again.';
+      'Seems a nginx daemon already running, a controlled nginx is required by Blocklet Server to work properly, please terminate the running nginx daemon before try again.';
 
     return result;
   }
 
-  if (nginxStatus.ownByABTNode) {
-    const pidFile = path.join(configDir, 'nginx/nginx.pid');
+  if (nginxStatus.managed) {
+    const pidFile = path.join(configDir, 'nginx', 'nginx.pid');
     if (fs.existsSync(pidFile)) {
       const diskPid = Number(fs.readFileSync(pidFile).toString().trim());
       // If we have the pid lock file, but not the same as running nginx pid, nginx should be killed
@@ -875,49 +965,75 @@ NginxProvider.check = async ({ configDir = '' } = {}) => {
     }
   }
 
-  const tempConfigDirectory = path.join(
-    os.tmpdir(),
-    `test_abtnode_nginx_provider-${Date.now()}-${Math.ceil(Math.random() * 100)}`,
-    CONFIG_FOLDER_NAME
-  );
-  fs.mkdirSync(tempConfigDirectory, { recursive: true });
+  const testDir = path.join(os.tmpdir(), `test_nginx_provider-${Date.now()}-${Math.ceil(Math.random() * 10000)}`);
+  try {
+    const tempConfDir = path.join(testDir, CONFIG_FOLDER_NAME);
+    fs.mkdirSync(tempConfDir, { recursive: true });
 
-  const nginxProvider = new NginxProvider({ configDirectory: tempConfigDirectory, isTest: true });
-  nginxProvider.initialize();
+    const provider = new NginxProvider({ configDir: tempConfDir, isTest: true });
+    provider.initialize();
 
-  logger.info('check:addTestServer', { configFilePath: nginxProvider.configFilePath });
-  await addTestServer({
-    configFilePath: nginxProvider.configFilePath,
-    port: await getPort(),
-    upstreamPort: await getPort(),
-  });
+    logger.info('check:addTestServer', { configPath: provider.configPath });
+    await addTestServer({
+      configPath: provider.configPath,
+      port: await getPort(),
+      upstreamPort: await getPort(),
+    });
 
-  const missingModules = getMissingModules(nginxProvider.readNginxConfigParams());
+    const missingModules = getMissingModules(provider.readNginxConfigParams());
 
-  if (missingModules.length > 0) {
+    if (missingModules.length > 0) {
+      result.available = false;
+      result.error = `Blocklet Server depends on some modules of Nginx that are not compiled: ${missingModules.join(
+        ', '
+      )}`;
+      return result;
+    }
+
+    await provider.start();
+    await provider.stop();
+
+    return result;
+  } catch (error) {
     result.available = false;
-    result.error = `Blocklet Server depends on some modules of Nginx that are not compiled: ${missingModules.join(
-      ', '
-    )}`;
+    result.error = error.message;
+    logger.error('check nginx failed', { error });
     return result;
+  } finally {
+    if (fs.existsSync(testDir)) {
+      fs.rmSync(testDir, { recursive: true, force: true });
+    }
   }
+};
+
+const hasPortPermission = async (port) => {
+  const configDir = path.join(
+    os.tmpdir(),
+    `test_nginx_provider-${Date.now()}-${Math.ceil(Math.random() * 10000)}`,
+    CONFIG_FOLDER_NAME
+  );
+  try {
+    fs.mkdirSync(configDir, { recursive: true });
 
-  await nginxProvider.start();
+    const provider = new NginxProvider({ configDir, isTest: true });
+    provider.initialize();
 
-  await nginxProvider.stop();
+    await addTestServer({ configPath: provider.configPath, port });
+    await provider.start();
+    await provider.stop();
 
-  return result;
+    return true;
+  } catch (err) {
+    return false;
+  } finally {
+    fs.rmSync(configDir, { recursive: true, force: true });
+  }
 };
 
 NginxProvider.getStatus = getNginxStatus;
 NginxProvider.exists = () => !!shelljs.which('nginx');
-NginxProvider.getLogFilesOfCurrentDay = (routerDirectory) => {
-  const logDirectory = path.join(routerDirectory, 'log');
 
-  return {
-    access: path.join(logDirectory, 'access.log'),
-    error: path.join(logDirectory, 'error.log'),
-  };
-};
+NginxProvider.getUsablePorts = async () => getUsablePorts('nginx', hasPortPermission);
+NginxProvider.hasPortPermission = hasPortPermission;
 
 module.exports = NginxProvider;