@abtnode/router-provider 1.16.34-beta-20241129-100152-679bd732 → 1.16.34-beta-20241204-140321-4d75ca21

package/lib/nginx/includes/params

@@ -8,7 +8,3 @@ client_body_buffer_size 32k;
 client_header_buffer_size 16k;
 large_client_header_buffers 4 256k;
 server_names_hash_bucket_size 512;
-
-## proxy
-real_ip_header X-Forwarded-For;
-real_ip_recursive on;

package/lib/nginx/index.js

@@ -137,7 +137,7 @@ class NginxProvider extends BaseProvider {
     return path.relative(this.configDir, dir);
   }
 
-  getConfTemplate() {
+  getConfTemplate(proxyPolicy) {
     return getMainTemplate({
       logDir: this.getRelativeConfigDir(formatBackSlash(this.logDir)),
       tmpDir: this.getRelativeConfigDir(formatBackSlash(this.tmpDir)),
@@ -145,6 +145,7 @@ class NginxProvider extends BaseProvider {
       workerProcess: this.getWorkerProcess(),
       nginxLoadModules: getNginxLoadModuleDirectives(REQUIRED_MODULES, this.readNginxConfigParams()).join(os.EOL),
       capabilities: this.capabilities,
+      proxyPolicy,
     });
   }
 
@@ -156,6 +157,8 @@ class NginxProvider extends BaseProvider {
     services = [],
     nodeInfo = {},
     requestLimit,
+    blockPolicy,
+    proxyPolicy,
     cacheEnabled,
   } = {}) {
     if (!Array.isArray(routingTable)) {
@@ -170,7 +173,7 @@ class NginxProvider extends BaseProvider {
 
     // eslint-disable-next-line consistent-return
     return new Promise((resolve, reject) => {
-      const confTemplate = this.getConfTemplate();
+      const confTemplate = this.getConfTemplate(proxyPolicy);
 
       NginxConfFile.createFromSource(confTemplate, (err, conf) => {
         if (err) {
@@ -193,7 +196,10 @@ class NginxProvider extends BaseProvider {
         this._addCommonResHeaders(conf.nginx.http, commonHeaders);
         this._addExposeServices(conf, services);
         if (requestLimit && requestLimit.enabled) {
-          this.addGlobalReqLimit(conf.nginx.http, requestLimit);
+          this.addRequestLimiting(conf.nginx.http, requestLimit);
+        }
+        if (blockPolicy && blockPolicy?.enabled) {
+          this.updateBlacklist(blockPolicy.blacklist);
         }
 
         const allRules = sites.reduce((acc, site) => {
@@ -661,6 +667,8 @@ class NginxProvider extends BaseProvider {
     }
 
     server._add('root', this.getRelativeConfigDir(this.wwwDir));
+    server._addVerbatimBlock('if ($access_blocked)', 'return 403;');
+
     server._add('error_page', '404 =404 /_abtnode_404');
     server._add('error_page', '502 =502 /_abtnode_502');
     server._add('error_page', '500 502 503 504 =500 /_abtnode_5xx');
@@ -889,13 +897,17 @@ class NginxProvider extends BaseProvider {
     });
   }
 
-  addGlobalReqLimit(block, limit) {
-    const key = limit.ipHeader ? `$http_${limit.ipHeader}` : '$binary_remote_addr';
-    block._add('limit_req_zone', `${key} zone=ip_limit:20m rate=${limit.rate || 5}r/s`);
-    block._add('limit_req', `zone=ip_limit burst=${limit.maxInstantRate || 30} delay=10`);
+  addRequestLimiting(block, limit) {
+    block._add('limit_req_zone', `$binary_remote_addr zone=req_limit_per_ip:20m rate=${limit.rate || 5}r/s`);
+    block._add('limit_req', `zone=req_limit_per_ip burst=${limit.maxInstantRate || 30} delay=10`);
     block._add('limit_req_status', 429);
   }
 
+  updateBlacklist(blacklist) {
+    const blacklistFile = path.join(this.includesDir, 'blacklist');
+    fs.writeFileSync(blacklistFile, blacklist.map((x) => `${x} 1;`).join(os.EOL));
+  }
+
   getLogFilesForToday() {
     return {
       access: this.accessLog,

package/lib/nginx/util.js

@@ -182,6 +182,7 @@ const getMainTemplate = ({
   workerProcess,
   maxBodySize = CLIENT_MAX_BODY_SIZE,
   capabilities = {},
+  proxyPolicy = {},
 }) =>
   `${nginxLoadModules}
 ${getDynamicModulesDirective(capabilities)}
@@ -197,6 +198,17 @@ events {
 }
 
 http {
+    ${
+      proxyPolicy?.enabled
+        ? `${(proxyPolicy?.trustedProxies || ['0.0.0.0/0']).map((x) => `set_real_ip_from ${x};`).join(os.EOL)}
+real_ip_header ${proxyPolicy?.realIpHeader || 'X-Forwarded-For'};
+real_ip_recursive ${proxyPolicy?.trustRecursive ? 'on' : 'off'};`
+        : ''
+    }
+    geo $access_blocked {
+      default 0;
+      include includes/blacklist;
+    }
     map $http_upgrade $connection_upgrade {
       default upgrade;
       '' "";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abtnode/router-provider",
-  "version": "1.16.34-beta-20241129-100152-679bd732",
+  "version": "1.16.34-beta-20241204-140321-4d75ca21",
   "description": "Routing engine implementations for abt node",
   "author": "polunzh <polunzh@gmail.com>",
   "homepage": "https://github.com/ArcBlock/blocklet-server#readme",
@@ -32,10 +32,10 @@
     "url": "https://github.com/ArcBlock/blocklet-server/issues"
   },
   "dependencies": {
-    "@abtnode/constant": "1.16.34-beta-20241129-100152-679bd732",
-    "@abtnode/logger": "1.16.34-beta-20241129-100152-679bd732",
-    "@abtnode/router-templates": "1.16.34-beta-20241129-100152-679bd732",
-    "@abtnode/util": "1.16.34-beta-20241129-100152-679bd732",
+    "@abtnode/constant": "1.16.34-beta-20241204-140321-4d75ca21",
+    "@abtnode/logger": "1.16.34-beta-20241204-140321-4d75ca21",
+    "@abtnode/router-templates": "1.16.34-beta-20241204-140321-4d75ca21",
+    "@abtnode/util": "1.16.34-beta-20241204-140321-4d75ca21",
     "@arcblock/http-proxy": "^1.19.1",
     "@arcblock/is-valid-domain": "^1.0.5",
     "axios": "^1.7.5",
@@ -59,5 +59,5 @@
     "bluebird": "^3.7.2",
     "fs-extra": "^11.2.0"
   },
-  "gitHead": "eb4b66b66af715559402fea679fe15b2a19cce2f"
+  "gitHead": "85435dd99298c727eb7bb6c361f9dee6ef11cf08"
 }