@abtnode/router-provider 1.17.7-beta-20251227-001958-ea2ba3f5 → 1.17.7-beta-20251229-085620-84f09930

package/lib/nginx/includes/params

@@ -7,4 +7,4 @@ keepalive_timeout 30;
 client_body_buffer_size 32k;
 client_header_buffer_size 16k;
 large_client_header_buffers 4 256k;
-server_names_hash_bucket_size 512;
+server_names_hash_bucket_size 2048;

package/lib/nginx/index.js

@@ -14,6 +14,7 @@ const pick = require('lodash/pick');
 const camelCase = require('lodash/camelCase');
 const toLower = require('lodash/toLower');
 const isEmpty = require('lodash/isEmpty');
+const objectHash = require('object-hash');
 const formatBackSlash = require('@abtnode/util/lib/format-back-slash');
 const {
   ROUTING_RULE_TYPES,
@@ -30,6 +31,7 @@ const {
   CSP_SYSTEM_SOURCES,
   CSP_THIRD_PARTY_SOURCES,
   CSP_ICONIFY_SOURCES,
+  DEFAULT_WELLKNOWN_PORT,
 } = require('@abtnode/constant');
 const { toHex } = require('@ocap/util');
 const promiseRetry = require('promise-retry');
@@ -137,6 +139,7 @@ class NginxProvider extends BaseProvider {
     this.securityLog = path.join(this.logDir, 'modsecurity.log');
     this.tmpDir = path.join(this.configDir, 'tmp');
     this.certDir = path.join(this.configDir, 'certs');
+    this.sitesDir = path.join(this.configDir, 'sites');
     this.cacheDir = path.join(this.configDir, 'cache');
     this.includesDir = path.join(this.configDir, 'includes');
     this.wwwDir = path.join(this.configDir, 'www');
@@ -152,6 +155,14 @@ class NginxProvider extends BaseProvider {
     this.conf = null; // nginx `conf` object
     this.requestLimit = null;
 
+    // Hash storage for incremental updates
+    this.hashFilePath = path.join(this.configDir, 'config-hashes.json');
+    this.configHashes = {
+      global: null,
+      blocklets: new Map(), // blockletDid -> hash
+    };
+    this._loadHashes();
+
     logger.info('nginx provider config', {
       configDir,
       httpPort: this.httpPort,
@@ -160,7 +171,7 @@ class NginxProvider extends BaseProvider {
     });
 
     // ensure directories
-    [this.configDir, this.logDir, this.cacheDir, this.tmpDir, this.certDir].forEach((dir) => {
+    [this.configDir, this.logDir, this.cacheDir, this.tmpDir, this.certDir, this.sitesDir].forEach((dir) => {
       if (!fs.existsSync(dir)) {
         try {
           fs.mkdirSync(dir, { recursive: true });
@@ -208,12 +219,13 @@ class NginxProvider extends BaseProvider {
     wafDisabledBlocklets = [],
     enableDefaultServer = false,
     enableIpServer = false,
+    skipBlockletSites = false,
   } = {}) {
     logger.info('update nginx config', {
-      snapshotHash: nodeInfo?.routing?.snapshotHash,
       enableDefaultServer,
       enableIpServer,
       cacheEnabled,
+      skipBlockletSites,
     });
 
     if (!Array.isArray(routingTable)) {
@@ -230,125 +242,348 @@ class NginxProvider extends BaseProvider {
     return new Promise((resolve, reject) => {
       const confTemplate = this.getConfTemplate(proxyPolicy);
 
-      NginxConfFile.createFromSource(confTemplate, (err, conf) => {
+      NginxConfFile.createFromSource(confTemplate, async (err, conf) => {
         if (err) {
           logger.error('createFromSource error', { err });
           reject(new Error(err.message));
           return;
         }
 
-        this.conf = conf;
+        try {
+          this.conf = conf;
 
-        conf.on('flushed', () => resolve());
-        conf.live(this.configPath);
+          conf.on('flushed', () => resolve());
+          conf.live(this.configPath);
 
-        const { sites, cacheGroups } = formatRoutingTable(routingTable);
+          const { sites } = formatRoutingTable(routingTable);
 
-        if (this.cacheEnabled) {
-          this._addCacheGroups(conf, cacheGroups);
-        }
-        conf.nginx.http._add('server_tokens', 'off');
-        this._addCommonResHeaders(conf.nginx.http, commonHeaders);
-        this._addExposeServices(conf, services);
+          // Cache zones are now defined statically in the main template (blockletProxy)
+          // No need to add per-blocklet cache zones dynamically
+          conf.nginx.http._add('server_tokens', 'off');
+          this._addCommonResHeaders(conf.nginx.http, commonHeaders);
+          this._addExposeServices(conf, services);
 
-        if (requestLimit) {
-          this.requestLimit = requestLimit;
-          this.addRequestLimiting(conf.nginx.http, requestLimit);
-        }
-        if (blockPolicy) {
-          this.updateBlacklist(blockPolicy.enabled ? blockPolicy.blacklist : []);
-        } else {
-          this.updateBlacklist([]);
-        }
+          if (requestLimit) {
+            this.requestLimit = requestLimit;
+            this.addRequestLimiting(conf.nginx.http, requestLimit);
+          }
+          if (blockPolicy) {
+            this.updateBlacklist(blockPolicy.enabled ? blockPolicy.blacklist : []);
+          } else {
+            this.updateBlacklist([]);
+          }
+
+          this.updateWhitelist();
 
-        this.updateWhitelist();
+          this.updateProxyPolicy(proxyPolicy, commonHeaders);
 
-        this.updateProxyPolicy(proxyPolicy);
+          const allRules = sites.reduce((acc, site) => {
+            acc.push(...(site.rules || []));
+            return acc;
+          }, []);
 
-        const allRules = sites.reduce((acc, site) => {
-          acc.push(...(site.rules || []));
-          return acc;
-        }, []);
+          this.ensureUpstreamServers(allRules);
 
-        this.ensureUpstreamServers(allRules);
+          this._addModSecurity(conf, wafPolicy, wafDisabledBlocklets);
 
-        this._addModSecurity(conf, wafPolicy, wafDisabledBlocklets);
+          // Group sites by blockletDid for separate conf files
+          const blockletSitesMap = new Map(); // blockletDid -> sites[]
+          const systemSites = []; // sites without blockletDid
 
-        // eslint-disable-next-line no-restricted-syntax
-        for (const site of sites) {
-          const { domain, port, rules, corsAllowedOrigins, blockletDid } = site;
-          const certificate = findCertificate(certificates, domain);
+          // eslint-disable-next-line no-restricted-syntax
+          for (const site of sites) {
+            if (site.blockletDid && site.blockletDid !== nodeInfo.did) {
+              if (!blockletSitesMap.has(site.blockletDid)) {
+                blockletSitesMap.set(site.blockletDid, []);
+              }
+              blockletSitesMap.get(site.blockletDid).push(site);
+            } else {
+              systemSites.push(site);
+            }
+          }
 
-          const parsedServerName = parseServerName(domain);
-          if (!parsedServerName) {
-            logger.warn('invalid site, empty server name:', { site: JSON.stringify(site), domain, parsedServerName });
-            // eslint-disable-next-line no-continue
-            continue;
+          // Process system sites in main conf
+          // eslint-disable-next-line no-restricted-syntax
+          for (const site of systemSites) {
+            const { domain, port, rules, blockletDid } = site;
+            const certificate = findCertificate(certificates, domain);
+
+            const parsedServerName = parseServerName(domain);
+            if (!parsedServerName) {
+              logger.warn('invalid site, empty server name:', { site: JSON.stringify(site), domain, parsedServerName });
+              // eslint-disable-next-line no-continue
+              continue;
+            }
+
+            if (certificate) {
+              // HTTPS configurations
+              // update all certs to disk
+              certificates.forEach((item) => {
+                const crtPath = `${path.join(this.certDir, item.domain.replace('*', '-'))}.crt`;
+                const keyPath = `${path.join(this.certDir, item.domain.replace('*', '-'))}.key`;
+                fs.writeFileSync(crtPath, item.certificate);
+                fs.writeFileSync(keyPath, item.privateKey);
+              });
+
+              // if match certificate, then add https server
+              this._addHttpsServer({
+                conf,
+                serviceType: site.serviceType,
+                locations: rules,
+                certificateFileName: certificate.domain,
+                serverName: parsedServerName,
+                daemonPort: nodeInfo.port,
+                commonHeaders,
+                blockletDid,
+              });
+            } else {
+              this._addHttpServer({
+                conf,
+                serviceType: site.serviceType,
+                locations: rules,
+                serverName: parsedServerName,
+                port,
+                daemonPort: nodeInfo.port,
+                commonHeaders,
+                blockletDid,
+              });
+            }
           }
 
-          if (certificate) {
-            // HTTPS configurations
-            // update all certs to disk
-            certificates.forEach((item) => {
-              const crtPath = `${path.join(this.certDir, item.domain.replace('*', '-'))}.crt`;
-              const keyPath = `${path.join(this.certDir, item.domain.replace('*', '-'))}.key`;
-              fs.writeFileSync(crtPath, item.certificate);
-              fs.writeFileSync(keyPath, item.privateKey);
-            });
-
-            // if match certificate, then add https server
-            this._addHttpsServer({
-              conf,
-              serviceType: site.serviceType,
-              locations: rules,
-              certificateFileName: certificate.domain,
-              serverName: parsedServerName,
-              corsAllowedOrigins,
-              daemonPort: nodeInfo.port,
-              commonHeaders,
-              blockletDid,
-            });
+          // Clean up old site conf files and generate new ones (skip when skipBlockletSites is true)
+          if (!skipBlockletSites) {
+            this._cleanupSiteConfFiles([...blockletSitesMap.keys()]);
+
+            // Generate separate conf files for each blocklet
+            const blockletConfPromises = [...blockletSitesMap.entries()].map(([blockletDid, blockletSites]) =>
+              this._generateBlockletSiteConfFile({
+                blockletDid,
+                sites: blockletSites,
+                certificates,
+                nodeInfo,
+                commonHeaders,
+              })
+            );
+            await Promise.all(blockletConfPromises);
+          }
+
+          conf.nginx.http._add('include', `${this.getRelativeConfigDir(this.sitesDir)}/*.conf`);
+
+          if (!enableIpServer) {
+            this._addIpBlackHoleServer(conf);
+            logger.info('add ip blackhole server success');
+          }
+
+          if (process.env.ABT_NODE_DOMAIN_BLACKLIST) {
+            this._addUnknownHostBlackHoleServer(conf, process.env.ABT_NODE_DOMAIN_BLACKLIST);
+            logger.info('add unknown host blacklist server success');
+          }
+
+          if (enableDefaultServer) {
+            const existDefaultServer = !!sites.find((x) => x.domain === '_');
+            if (existDefaultServer) {
+              logger.info('default server is declared by blocklet server');
+            } else {
+              this._addDefaultServer(conf, nodeInfo.port);
+              logger.info('add default server success');
+            }
           } else {
-            this._addHttpServer({
-              conf,
-              serviceType: site.serviceType,
-              locations: rules,
-              serverName: parsedServerName,
-              corsAllowedOrigins,
-              port,
-              daemonPort: nodeInfo.port,
-              commonHeaders,
-              blockletDid,
-            });
+            this._addDefaultBlackHoleServer(conf);
+            logger.info('add default blackhole server success');
           }
+
+          this._addStubStatusLocation(conf);
+
+          // Compute and save hashes for incremental updates
+          this._updateHashesAfterFullRegeneration({
+            nodeInfo,
+            requestLimit,
+            blockPolicy,
+            proxyPolicy,
+            wafPolicy,
+            cacheEnabled,
+            enableDefaultServer,
+            enableIpServer,
+            certificates,
+            services,
+            systemSites,
+            blockletSitesMap,
+            wafDisabledBlocklets,
+            skipBlockletSites,
+          });
+
+          conf.flush();
+        } catch (error) {
+          logger.error('update nginx config error', { error });
+          reject(error);
         }
+      });
+    });
+  }
 
-        if (!enableIpServer) {
-          this._addIpBlackHoleServer(conf);
-          logger.info('add ip blackhole server success');
+  /**
+   * Update hashes after a full regeneration
+   * @private
+   */
+  _updateHashesAfterFullRegeneration(params) {
+    const {
+      nodeInfo,
+      requestLimit,
+      blockPolicy,
+      proxyPolicy,
+      wafPolicy,
+      cacheEnabled,
+      enableDefaultServer,
+      enableIpServer,
+      certificates,
+      services,
+      systemSites,
+      blockletSitesMap,
+      wafDisabledBlocklets,
+      skipBlockletSites = false,
+    } = params;
+
+    // Compute and store global hash
+    this.configHashes.global = this._computeGlobalConfigHash({
+      nodeInfo,
+      requestLimit,
+      blockPolicy,
+      proxyPolicy,
+      wafPolicy,
+      cacheEnabled,
+      enableDefaultServer,
+      enableIpServer,
+      certificates,
+      services,
+      systemSites,
+    });
+
+    // Compute and store hashes for each blocklet (skip when skipBlockletSites is true)
+    if (!skipBlockletSites) {
+      this.configHashes.blocklets.clear();
+      // eslint-disable-next-line no-restricted-syntax
+      for (const [did, blockletSites] of blockletSitesMap) {
+        const wafDisabled = wafDisabledBlocklets.some((b) => b.did === did);
+        const hash = this._computeBlockletConfigHash(did, blockletSites, certificates, wafDisabled);
+        this.configHashes.blocklets.set(did, hash);
+      }
+    }
+
+    // Persist to disk
+    this._saveHashes();
+
+    logger.info('updated hashes after full regeneration', {
+      global: this.configHashes.global?.substring(0, 8),
+      blockletCount: this.configHashes.blocklets.size,
+    });
+  }
+
+  /**
+   * Clean up old site conf files that are no longer needed
+   * @param {string[]} keepDids - list of blockletDids to keep
+   */
+  _cleanupSiteConfFiles(keepDids = []) {
+    try {
+      if (!fs.existsSync(this.sitesDir)) {
+        return;
+      }
+      const existingFiles = fs.readdirSync(this.sitesDir).filter((f) => f.endsWith('.conf'));
+      // eslint-disable-next-line no-restricted-syntax
+      for (const file of existingFiles) {
+        const did = file.replace('.conf', '');
+        if (!keepDids.includes(did)) {
+          fs.unlinkSync(path.join(this.sitesDir, file));
+          logger.info('removed old site conf file', { file });
         }
+      }
+    } catch (error) {
+      logger.error('Failed to cleanup site conf files', { error });
+    }
+  }
 
-        if (process.env.ABT_NODE_DOMAIN_BLACKLIST) {
-          this._addUnknownHostBlackHoleServer(conf, process.env.ABT_NODE_DOMAIN_BLACKLIST);
-          logger.info('add unknown host blacklist server success');
+  /**
+   * Generate a separate nginx conf file for a blocklet's server blocks
+   * @param {object} options
+   * @param {string} options.blockletDid - the blocklet DID
+   * @param {Array} options.sites - sites belonging to this blocklet
+   * @param {Array} options.certificates - available certificates
+   * @param {object} options.nodeInfo - node info containing daemonPort
+   * @param {object} options.commonHeaders - common response headers
+   */
+  // eslint-disable-next-line require-await
+  async _generateBlockletSiteConfFile({ blockletDid, sites, certificates, nodeInfo, commonHeaders }) {
+    const confPath = path.join(this.sitesDir, `${blockletDid}.conf`);
+    // Minimal template with http block - we'll extract just the server blocks
+    const template = 'events {}\nhttp {}\n';
+
+    return new Promise((resolve, reject) => {
+      NginxConfFile.createFromSource(template, (err, conf) => {
+        if (err) {
+          reject(err);
+          return;
         }
 
-        if (enableDefaultServer) {
-          const existDefaultServer = !!sites.find((x) => x.domain === '_');
-          if (existDefaultServer) {
-            logger.info('default server is declared by blocklet server');
-          } else {
-            this._addDefaultServer(conf, nodeInfo.port);
-            logger.info('add default server success');
+        try {
+          // eslint-disable-next-line no-restricted-syntax
+          for (const site of sites) {
+            const { domain, rules, port, serviceType } = site;
+            const certificate = findCertificate(certificates, domain);
+            const parsedServerName = parseServerName(domain);
+
+            if (!parsedServerName) {
+              logger.warn('invalid site, empty server name:', { site: JSON.stringify(site), domain, parsedServerName });
+              // eslint-disable-next-line no-continue
+              continue;
+            }
+
+            if (certificate) {
+              // Write certificates to disk
+              certificates.forEach((item) => {
+                const crtPath = `${path.join(this.certDir, item.domain.replace('*', '-'))}.crt`;
+                const keyPath = `${path.join(this.certDir, item.domain.replace('*', '-'))}.key`;
+                fs.writeFileSync(crtPath, item.certificate);
+                fs.writeFileSync(keyPath, item.privateKey);
+              });
+
+              this._addHttpsServer({
+                conf,
+                serviceType,
+                locations: rules,
+                certificateFileName: certificate.domain,
+                serverName: parsedServerName,
+                daemonPort: nodeInfo.port,
+                commonHeaders,
+                blockletDid,
+              });
+            } else {
+              this._addHttpServer({
+                conf,
+                serviceType,
+                locations: rules,
+                serverName: parsedServerName,
+                port,
+                daemonPort: nodeInfo.port,
+                commonHeaders,
+                blockletDid,
+              });
+            }
           }
-        } else {
-          this._addDefaultBlackHoleServer(conf);
-          logger.info('add default blackhole server success');
-        }
 
-        this._addStubStatusLocation(conf);
+          // Extract server blocks from http { } wrapper
+          const fullConfText = conf.toString();
+          const serverBlocksMatch = fullConfText.match(/http\s*\{([\s\S]*)\}/);
+          const serverBlocks = serverBlocksMatch?.[1]?.trim() || '';
 
-        conf.flush();
+          if (serverBlocks) {
+            fs.writeFileSync(confPath, serverBlocks);
+            logger.info('generated blocklet site conf', { blockletDid, confPath });
+          }
+
+          resolve();
+        } catch (error) {
+          logger.error('Failed to generate blocklet site conf', { blockletDid, error });
+          reject(error);
+        }
       });
     });
   }
@@ -537,17 +772,23 @@ class NginxProvider extends BaseProvider {
       return;
     }
 
+    // Check for static serving (public static blocklets served directly by Nginx)
+    if (type === ROUTING_RULE_TYPES.BLOCKLET && args.staticRoot) {
+      this._addStaticLocation(args);
+      return;
+    }
+
     this._addBlockletTypeLocation(args);
   }
 
-  addUpstreamServer(port) {
+  addUpstreamServer(port, keepalive = '2') {
     this.conf.nginx.http._add('upstream', getUpstreamName(port));
     const upstream = this.conf.nginx.http.upstream.length
       ? this.conf.nginx.http.upstream[this.conf.nginx.http.upstream.length - 1]
       : this.conf.nginx.http.upstream;
 
     upstream._add('server', `127.0.0.1:${port} max_fails=1 fail_timeout=2s`);
-    upstream._add('keepalive', '2');
+    upstream._add('keepalive', keepalive);
   }
 
   ensureUpstreamServers(rules) {
@@ -556,7 +797,7 @@ class NginxProvider extends BaseProvider {
     const servicePort = process.env.ABT_NODE_SERVICE_PORT;
 
     if (!upstreamMap.has(servicePort)) {
-      this.addUpstreamServer(servicePort);
+      this.addUpstreamServer(servicePort, '16');
       upstreamMap.set(servicePort, 1);
     }
 
@@ -564,16 +805,14 @@ class NginxProvider extends BaseProvider {
       const rule = rules[i];
 
       if (
-        [
-          ROUTING_RULE_TYPES.DAEMON,
-          ROUTING_RULE_TYPES.SERVICE,
-          ROUTING_RULE_TYPES.BLOCKLET,
-          ROUTING_RULE_TYPES.GENERAL_PROXY,
-        ].includes(rule.type) &&
+        [ROUTING_RULE_TYPES.DAEMON, ROUTING_RULE_TYPES.SERVICE].includes(rule.type) &&
         rule.port &&
         !upstreamMap.has(String(rule.port))
       ) {
-        this.addUpstreamServer(rule.port);
+        this.addUpstreamServer(rule.port, '16');
+        upstreamMap.set(String(rule.port), 1);
+      } else if (rule.port === DEFAULT_WELLKNOWN_PORT && !upstreamMap.has(String(rule.port))) {
+        this.addUpstreamServer(rule.port, '16');
         upstreamMap.set(String(rule.port), 1);
       }
     }
@@ -610,7 +849,6 @@ class NginxProvider extends BaseProvider {
     ruleId,
     type,
     proxyBehavior,
-    commonHeaders,
     cacheGroup,
     pageGroup,
     serviceType,
@@ -619,13 +857,11 @@ class NginxProvider extends BaseProvider {
 
     const location = this._getLastLocation(server);
 
-    this._addCommonResHeaders(location, commonHeaders);
     if (!cacheGroup && !suffix) {
       this._addTailSlashRedirection(location, prefix); // Note: 末尾 "/" 的重定向要放在 CORS(OPTIONS) 响应之后, 这样不会影响 OPTIONS 的响应
     }
 
     if (did) {
-      location._add('set', `$did "${did}"`);
       location._add('proxy_set_header', `X-Blocklet-Did "${did}"`);
       if (componentId) {
         location._add('proxy_set_header', `X-Blocklet-Component-Id "${componentId}"`);
@@ -688,7 +924,47 @@ class NginxProvider extends BaseProvider {
       location._add('rewrite', `^${prefix}/?(.*) ${`${target}/`.replace(/\/\//g, '/')}$1  break`);
     }
 
-    location._add('proxy_pass', `http://${getUpstreamName(port)}`);
+    if (port === DEFAULT_WELLKNOWN_PORT) {
+      location._add('proxy_pass', `http://${getUpstreamName(port)}`);
+    } else {
+      location._add('proxy_pass', `http://127.0.0.1:${port}`);
+    }
+  }
+
+  /**
+   * Add a static location block for serving files directly from Nginx
+   * Used for public static blocklets to bypass blocklet-service
+   *
+   * Generated config:
+   * location /app-path {
+   *     alias /path/to/static/files/;
+   *     try_files $uri $uri/ /app-path/index.html;
+   *     expires 30d;
+   *     add_header Cache-Control "public, max-age=2592000";
+   * }
+   */
+  _addStaticLocation({ server, prefix, staticRoot, commonHeaders, serviceType }) {
+    server._add('location', prefix);
+    const location = this._getLastLocation(server);
+
+    // Serve static files from blocklet directory
+    // Use alias to map the location to the static root directory
+    location._add('alias', `${staticRoot}/`);
+
+    // SPA fallback - try file, then directory, then fallback to index.html
+    // For paths like /app-path/some/route, if no file exists, serve index.html
+    location._add('try_files', `$uri $uri/ ${prefix === '/' ? '' : prefix}/index.html`);
+
+    // Cache control for static assets
+    location._add('expires', '30d');
+    location._add('add_header', 'Cache-Control "public, max-age=2592000"');
+
+    // Security headers
+    location._add('add_header', 'X-Content-Type-Options "nosniff"');
+
+    // Add common response headers
+    this._addCommonResHeaders(location, commonHeaders);
+    this._addSecurityHeaders(location, serviceType);
   }
 
   _addRedirectTypeLocation({ server, url, redirectCode, prefix, suffix, serviceType }) {
@@ -748,7 +1024,11 @@ class NginxProvider extends BaseProvider {
       location._add('rewrite', `^${targetPrefix}/?(.*) /$1  break`);
     }
 
-    location._add('proxy_pass', `http://${getUpstreamName(port)}`);
+    if (port === DEFAULT_WELLKNOWN_PORT) {
+      location._add('proxy_pass', `http://${getUpstreamName(port)}`);
+    } else {
+      location._add('proxy_pass', `http://127.0.0.1:${port}`);
+    }
   }
 
   _addDirectResponseLocation({ server, response, prefix, suffix }) {
@@ -786,13 +1066,7 @@ class NginxProvider extends BaseProvider {
   }
 
   _addCommonHeader(location) {
-    location._add('set', '$abt_proto $scheme');
-    // use $http_host to keep port when redirecting
-    // https://stackoverflow.com/questions/43397365/nginx-keep-port-number-when-301-redirecting
-    location._add('set', '$abt_host $http_host');
     location._add('set', '$abt_query_string ""');
-    location._addVerbatimBlock('if ($http_x_forwarded_proto)', 'set $abt_proto $http_x_forwarded_proto;');
-    location._addVerbatimBlock('if ($http_x_forwarded_host)', 'set $abt_host $http_x_forwarded_host;');
     location._addVerbatimBlock('if ($query_string)', 'set $abt_query_string "?$query_string";');
   }
 
@@ -822,8 +1096,6 @@ class NginxProvider extends BaseProvider {
     server._add('location', '/_abtnode_502');
     const location502 = server.location[server.location.length - 1];
     location502._add('internal');
-    location502._addVerbatimBlock('if ($did ~ "^$")', 'set $did "";');
-    location502._add('proxy_set_header', 'x-did "$did"');
     location502._add('proxy_pass', `http://127.0.0.1:${daemonPort}/error/502`);
 
     server._add('location', '/_abtnode_5xx');
@@ -847,10 +1119,6 @@ class NginxProvider extends BaseProvider {
   }
 
   _copyConfigFiles() {
-    if (fs.existsSync(this.includesDir)) {
-      fs.rmSync(this.includesDir, { recursive: true });
-    }
-
     fs.copySync(path.join(__dirname, 'includes'), this.includesDir, { overwrite: true });
     fs.copySync(path.join(__dirname, '..', 'www'), this.wwwDir, { overwrite: true });
   }
@@ -1092,21 +1360,11 @@ class NginxProvider extends BaseProvider {
       : conf.nginx.stream.server;
   }
 
-  _addHttpServer({
-    locations = [],
-    serverName,
-    conf,
-    corsAllowedOrigins,
-    port,
-    daemonPort,
-    commonHeaders,
-    blockletDid,
-    serviceType,
-  }) {
+  _addHttpServer({ locations = [], serverName, conf, port, daemonPort, commonHeaders, blockletDid, serviceType }) {
     const httpServerUnit = this._addHttpServerUnit({ conf, serverName, port });
     this._addDefaultLocations({ server: httpServerUnit, daemonPort, serverName });
     // eslint-disable-next-line max-len
-    locations.forEach((x) => this._addReverseProxy({ server: httpServerUnit, ...x, serverName, corsAllowedOrigins, commonHeaders, blockletDid, serviceType })); // prettier-ignore
+    locations.forEach((x) => this._addReverseProxy({ server: httpServerUnit, ...x, serverName, commonHeaders, blockletDid, serviceType })); // prettier-ignore
   }
 
   _addHttpsServer({
@@ -1115,7 +1373,6 @@ class NginxProvider extends BaseProvider {
     certificateFileName,
     serverName,
     serviceType,
-    corsAllowedOrigins,
     daemonPort,
     commonHeaders,
     blockletDid,
@@ -1130,7 +1387,7 @@ class NginxProvider extends BaseProvider {
 
     this._addDefaultLocations({ server: httpsServerUnit, daemonPort, serverName });
     // eslint-disable-next-line max-len
-    locations.forEach((x) => this._addReverseProxy({ server: httpsServerUnit, ...x, serverName, corsAllowedOrigins, commonHeaders, blockletDid, serviceType })); // prettier-ignore
+    locations.forEach((x) => this._addReverseProxy({ server: httpsServerUnit, ...x, serverName, commonHeaders, blockletDid, serviceType })); // prettier-ignore
   }
 
   _addHttpServerUnit({ conf, serverName, port = '' }) {
@@ -1294,17 +1551,6 @@ class NginxProvider extends BaseProvider {
     }
   }
 
-  _addCacheGroups(conf, cacheGroups) {
-    const cacheDir = this.getRelativeConfigDir(formatBackSlash(this.cacheDir));
-    cacheGroups.forEach((group) => {
-      const config = ROUTER_CACHE_GROUPS.blockletProxy;
-      conf.nginx.http._add(
-        'proxy_cache_path',
-        `${cacheDir}/${group} levels=1:2 keys_zone=${group}:${config.minSize} inactive=${config.period} max_size=${config.maxSize}`
-      );
-    });
-  }
-
   addRequestLimiting(block, limit) {
     if (!limit?.enabled) {
       return;
@@ -1354,18 +1600,26 @@ class NginxProvider extends BaseProvider {
     }
   }
 
-  updateProxyPolicy(proxyPolicy) {
+  updateProxyPolicy(proxyPolicy, commonHeaders = {}) {
     const proxyRaw = fs.readFileSync(path.join(this.includesDir, 'proxy.raw'), 'utf8');
     const proxyPolicyFile = path.join(this.includesDir, 'proxy');
+
+    const lines = ['add_header X-Request-ID $request_id;'];
+    Object.keys(commonHeaders).forEach((key) => {
+      lines.push(`add_header ${key} ${commonHeaders[key]};`);
+    });
+
     if (proxyPolicy?.enabled) {
       fs.writeFileSync(
         proxyPolicyFile,
-        [proxyRaw, 'proxy_set_header X-Forwarded-For "$http_x_forwarded_for,$realip_remote_addr";'].join(os.EOL)
+        [...lines, proxyRaw, 'proxy_set_header X-Forwarded-For "$http_x_forwarded_for,$realip_remote_addr";'].join(
+          os.EOL
+        )
       );
     } else {
       fs.writeFileSync(
         proxyPolicyFile,
-        [proxyRaw, 'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;'].join(os.EOL)
+        [...lines, proxyRaw, 'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;'].join(os.EOL)
       );
     }
   }
@@ -1518,6 +1772,193 @@ ctl:ruleEngine=${wafPolicy?.enabled ? defaultWAF : 'Off'}"`;
       return [];
     }
   }
+
+  // ============================================================================
+  // Hash-based incremental update methods
+  // ============================================================================
+
+  /**
+   * Load config hashes from file on startup
+   */
+  _loadHashes() {
+    try {
+      if (fs.existsSync(this.hashFilePath)) {
+        const data = JSON.parse(fs.readFileSync(this.hashFilePath, 'utf8'));
+        this.configHashes.global = data.global || null;
+        this.configHashes.blocklets = new Map(Object.entries(data.blocklets || {}));
+        logger.info('loaded config hashes', {
+          global: !!this.configHashes.global,
+          blockletCount: this.configHashes.blocklets.size,
+        });
+      }
+    } catch (error) {
+      logger.warn('failed to load config hashes, will regenerate all', { error: error.message });
+      this.configHashes = { global: null, blocklets: new Map() };
+    }
+  }
+
+  /**
+   * Check if hash file exists (indicates non-first startup)
+   * @returns {boolean}
+   */
+  hasHashFile() {
+    return fs.existsSync(this.hashFilePath) && this.configHashes.global !== null;
+  }
+
+  /**
+   * Persist config hashes to file
+   */
+  _saveHashes() {
+    try {
+      const data = {
+        global: this.configHashes.global,
+        blocklets: Object.fromEntries(this.configHashes.blocklets),
+        savedAt: new Date().toISOString(),
+      };
+      fs.writeFileSync(this.hashFilePath, JSON.stringify(data, null, 2));
+      logger.debug('saved config hashes');
+    } catch (error) {
+      logger.warn('failed to save config hashes', { error: error.message });
+    }
+  }
+
+  /**
+   * Compute hash for global config (main nginx.conf settings)
+   * @param {object} params - Update parameters
+   * @returns {string} Hash of global config
+   */
+  _computeGlobalConfigHash(params) {
+    const {
+      nodeInfo = {},
+      requestLimit,
+      blockPolicy,
+      proxyPolicy,
+      wafPolicy,
+      cacheEnabled,
+      enableDefaultServer,
+      enableIpServer,
+      certificates = [],
+      services = [],
+      systemSites = [],
+    } = params;
+
+    const hashInput = {
+      requestLimit: requestLimit?.enabled ? requestLimit : { enabled: false },
+      blockPolicy: blockPolicy?.enabled
+        ? { enabled: true, blacklistCount: blockPolicy.blacklist?.length || 0 }
+        : { enabled: false },
+      proxyPolicy,
+      wafPolicy: wafPolicy?.enabled ? wafPolicy : { enabled: false },
+      cacheEnabled,
+      enableDefaultServer,
+      enableIpServer,
+      headers: nodeInfo?.routing?.headers || {},
+      certDomains: certificates.map((c) => c.domain).sort(),
+      services: services.map((s) => ({ port: s.port, protocol: s.protocol })),
+      systemSites: systemSites.map((s) => ({
+        domain: s.domain,
+        rulesHash: objectHash(s.rules || []),
+      })),
+      httpPort: this.httpPort,
+      httpsPort: this.httpsPort,
+    };
+
+    return objectHash(hashInput);
+  }
+
+  /**
+   * Compute hash for a specific blocklet's config
+   * @param {string} blockletDid - Blocklet DID
+   * @param {Array} blockletSites - Sites for this blocklet
+   * @param {Array} certificates - All certificates
+   * @param {boolean} wafDisabled - Whether WAF is disabled for this blocklet
+   * @returns {string} Hash of blocklet config
+   */
+  _computeBlockletConfigHash(blockletDid, blockletSites, certificates, wafDisabled) {
+    const relevantCerts = certificates.filter((c) =>
+      blockletSites.some((s) => findCertificate(certificates, s.domain)?.domain === c.domain)
+    );
+
+    const hashInput = {
+      blockletDid,
+      sites: blockletSites.map((s) => ({
+        domain: s.domain,
+        domainAliases: (s.domainAliases || []).map((a) => (typeof a === 'string' ? a : a.value)).sort(),
+        rulesHash: objectHash(s.rules || []),
+        port: s.port,
+      })),
+      certDomains: relevantCerts.map((c) => c.domain).sort(),
+      wafDisabled,
+    };
+
+    return objectHash(hashInput);
+  }
+
+  /**
+   * Update a single blocklet's config file
+   * @param {string} blockletDid - The blocklet DID
+   * @param {object} params - Update parameters
+   */
+  async updateSingleBlocklet(blockletDid, params) {
+    const { routingTable = [], certificates = [], commonHeaders, nodeInfo = {}, wafDisabledBlocklets = [] } = params;
+
+    const { sites } = formatRoutingTable(routingTable);
+    const blockletSites = sites.filter((s) => s.blockletDid === blockletDid);
+
+    if (blockletSites.length === 0) {
+      logger.warn('updateSingleBlocklet: no sites found for blocklet', { blockletDid });
+      return false;
+    }
+
+    await this._generateBlockletSiteConfFile({
+      blockletDid,
+      sites: blockletSites,
+      certificates,
+      nodeInfo,
+      commonHeaders,
+    });
+
+    // Update hash
+    const wafDisabled = wafDisabledBlocklets.some((b) => b.did === blockletDid);
+    const hash = this._computeBlockletConfigHash(blockletDid, blockletSites, certificates, wafDisabled);
+    this.configHashes.blocklets.set(blockletDid, hash);
+    this._saveHashes();
+
+    logger.info('updated single blocklet config', { blockletDid });
+    return true;
+  }
+
+  /**
+   * Remove a blocklet's config file
+   * @param {string} blockletDid - The blocklet DID
+   */
+  _removeBlockletConfig(blockletDid) {
+    const confPath = path.join(this.sitesDir, `${blockletDid}.conf`);
+    try {
+      if (fs.existsSync(confPath)) {
+        fs.unlinkSync(confPath);
+        logger.info('removed blocklet config', { blockletDid, confPath });
+      }
+      this.configHashes.blocklets.delete(blockletDid);
+    } catch (error) {
+      logger.error('failed to remove blocklet config', { blockletDid, error: error.message });
+    }
+  }
+
+  /**
+   * Remove a blocklet and trigger reload
+   * @param {string} blockletDid - The blocklet DID
+   */
+  async removeBlockletAndReload(blockletDid) {
+    this._removeBlockletConfig(blockletDid);
+    this._saveHashes();
+    await this.reload();
+    logger.info('removed blocklet and reloaded nginx', { blockletDid });
+  }
+
+  getStatus() {
+    return util.getNginxStatus(this.configDir);
+  }
 }
 
 NginxProvider.describe = async ({ configDir = '' } = {}) => {

package/lib/util.js

@@ -3,7 +3,6 @@ const fs = require('fs-extra');
 const path = require('path');
 const getPort = require('get-port');
 const portUsed = require('port-used');
-const uniq = require('lodash/uniq');
 const sortBy = require('lodash/sortBy');
 const isValidDomain = require('@arcblock/is-valid-domain');
 const checkDomainMatch = require('@abtnode/util/lib/check-domain-match');
@@ -52,7 +51,6 @@ const concatPath = (prefix = '', suffix = '', root = false) => {
 
 const formatRoutingTable = (routingTable) => {
   const sites = {};
-  const cacheGroups = [];
   const configs = [];
 
   routingTable.forEach((site) => {
@@ -61,20 +59,14 @@ const formatRoutingTable = (routingTable) => {
       domain = '_';
     }
 
-    let corsAllowedOrigins = Array.isArray(site.corsAllowedOrigins) ? site.corsAllowedOrigins : [];
-    if (corsAllowedOrigins.includes('*')) {
-      corsAllowedOrigins = ['*'];
-    }
-    configs.push({ domain, corsAllowedOrigins });
+    configs.push({ domain });
 
     if (!sites[domain]) {
-      cacheGroups.push(site.blockletDid);
       sites[domain] = {
         domain,
         blockletDid: site.blockletDid,
         rules: [],
         port: site.port,
-        corsAllowedOrigins: site.corsAllowedOrigins,
         serviceType: site.serviceType,
       };
     }
@@ -107,12 +99,17 @@ const formatRoutingTable = (routingTable) => {
       } else {
         rule.port = +x.to.port;
         rule.did = x.to.did;
-        rule.cacheGroup = x.to.cacheGroup ? site.blockletDid || x.to.did : '';
+        // Use shared cache zone for all blocklets (defined in nginx.conf http block)
+        rule.cacheGroup = x.to.cacheGroup ? 'blockletProxy' : '';
         rule.componentId = x.to.componentId;
         rule.target = trimEndSlash(normalizePathPrefix(x.to.target || '/'));
         rule.targetPrefix = x.to.targetPrefix || '';
         rule.services = x.services || [];
         rule.pageGroup = x.to.pageGroup;
+        // Static serving fields for engine-based blocklets
+        if (x.to.staticRoot) {
+          rule.staticRoot = trimEndSlash(x.to.staticRoot);
+        }
       }
 
       const addRule = (r) => {
@@ -133,7 +130,7 @@ const formatRoutingTable = (routingTable) => {
     sites[domain].rules = rulesWithoutSuffix.concat(rulesWithSuffix);
   });
 
-  return { sites: Object.values(sites), cacheGroups: uniq(cacheGroups).filter(Boolean), configs };
+  return { sites: Object.values(sites), configs };
 };
 
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abtnode/router-provider",
-  "version": "1.17.7-beta-20251227-001958-ea2ba3f5",
+  "version": "1.17.7-beta-20251229-085620-84f09930",
   "description": "Routing engine implementations for abt node",
   "author": "polunzh <polunzh@gmail.com>",
   "homepage": "https://github.com/ArcBlock/blocklet-server#readme",
@@ -30,11 +30,11 @@
     "url": "https://github.com/ArcBlock/blocklet-server/issues"
   },
   "dependencies": {
-    "@abtnode/constant": "1.17.7-beta-20251227-001958-ea2ba3f5",
-    "@abtnode/db-cache": "1.17.7-beta-20251227-001958-ea2ba3f5",
-    "@abtnode/logger": "1.17.7-beta-20251227-001958-ea2ba3f5",
-    "@abtnode/router-templates": "1.17.7-beta-20251227-001958-ea2ba3f5",
-    "@abtnode/util": "1.17.7-beta-20251227-001958-ea2ba3f5",
+    "@abtnode/constant": "1.17.7-beta-20251229-085620-84f09930",
+    "@abtnode/db-cache": "1.17.7-beta-20251229-085620-84f09930",
+    "@abtnode/logger": "1.17.7-beta-20251229-085620-84f09930",
+    "@abtnode/router-templates": "1.17.7-beta-20251229-085620-84f09930",
+    "@abtnode/util": "1.17.7-beta-20251229-085620-84f09930",
     "@arcblock/http-proxy": "^1.19.1",
     "@arcblock/is-valid-domain": "^1.0.5",
     "@ocap/util": "^1.27.16",
@@ -60,5 +60,5 @@
     "bluebird": "^3.7.2",
     "fs-extra": "^11.2.0"
   },
-  "gitHead": "ec0a542fc2c66f2530d25884b43bddfa28d921a0"
+  "gitHead": "fe2ffc3cf431bbaa89ac802bed793aa1188da4c3"
 }