Fix stale nginx domain, add upstream health checks, rate limiting, and WebSocket timeouts

rpc/mainnet/etc/nginx/sites-available/default

@@ -0,0 +1,104 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+limit_req_zone $binary_remote_addr zone=rpc_limit:10m rate=30r/s;
+
+upstream validator {
+	server <internal-ip-val-m1>:9650 max_fails=3 fail_timeout=30s;
+	server <internal-ip-val-m2>:9650 max_fails=3 fail_timeout=30s;
+	server <internal-ip-val-m3>:9650 max_fails=3 fail_timeout=30s;
+	server <internal-ip-val-m4>:9650 max_fails=3 fail_timeout=30s;
+	server <internal-ip-val-m5>:9650 max_fails=3 fail_timeout=30s;
+	keepalive 16;
+}
+
+# Default server configuration
+#
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+
+	root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+	index index.html index.htm index.nginx-debian.html;
+
+	server_name _;
+
+	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+		try_files $uri $uri/ =404;
+	}
+}
+
+server {
+
+	root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+	index index.html index.htm index.nginx-debian.html;
+    server_name mainnetrpc.num.network; # managed by Certbot
+
+
+	location / {
+		#try_files $uri $uri/ =404;
+
+		limit_req zone=rpc_limit burst=50 nodelay;
+		client_max_body_size 1m;
+		proxy_connect_timeout 10s;
+		proxy_read_timeout 60s;
+		proxy_send_timeout 60s;
+		proxy_pass http://validator/ext/bc/<mainnet-chain-id>/rpc;
+	}
+
+	location /ws {
+		proxy_pass http://validator/ext/bc/<mainnet-chain-id>/ws;
+		proxy_http_version 1.1;
+		proxy_read_timeout 3600s;
+		proxy_send_timeout 3600s;
+		proxy_buffering off;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "Upgrade";
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	}
+
+
+    listen [::]:443 ssl ipv6only=on; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/mainnetrpc.num.network/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/mainnetrpc.num.network/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+    if ($host = mainnetrpc.num.network) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+	listen 80 ;
+	listen [::]:80 ;
+    server_name mainnetrpc.num.network;
+    return 404; # managed by Certbot
+
+
+}

rpc/testnet/etc/nginx/sites-available/default

@@ -16,12 +16,15 @@
 # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
 ##
 
+limit_req_zone $binary_remote_addr zone=rpc_limit:10m rate=30r/s;
+
 upstream validator {
-	server <internal-ip-val-t1>:9650;
-	server <internal-ip-val-t2>:9650;
-	server <internal-ip-val-t3>:9650;
-	server <internal-ip-val-t4>:9650;
-	server <internal-ip-val-t5>:9650;
+	server <internal-ip-val-t1>:9650 max_fails=3 fail_timeout=30s;
+	server <internal-ip-val-t2>:9650 max_fails=3 fail_timeout=30s;
+	server <internal-ip-val-t3>:9650 max_fails=3 fail_timeout=30s;
+	server <internal-ip-val-t4>:9650 max_fails=3 fail_timeout=30s;
+	server <internal-ip-val-t5>:9650 max_fails=3 fail_timeout=30s;
+	keepalive 16;
 }
 
 # Default server configuration
@@ -120,23 +123,33 @@ server {
 
 	# Add index.php to the list if you are using PHP
 	index index.html index.htm index.nginx-debian.html;
-    server_name testnetrpc.numbersprotocol.io; # managed by Certbot
+    server_name testnetrpc.num.network; # managed by Certbot
 
 
 	location / {
 		# First attempt to serve request as file, then
 		# as directory, then fall back to displaying a 404.
 		#try_files $uri $uri/ =404;
 
+		limit_req zone=rpc_limit burst=50 nodelay;
+		client_max_body_size 1m;
+		proxy_connect_timeout 10s;
+		proxy_read_timeout 60s;
+		proxy_send_timeout 60s;
 		proxy_pass http://validator/ext/bc/2oo5UvYgFQikM7KBsMXFQE3RQv3xAFFc8JY2GEBNBF1tp4JaeZ/rpc;
 	}
 
 	location /ws {
 		proxy_pass http://validator/ext/bc/2oo5UvYgFQikM7KBsMXFQE3RQv3xAFFc8JY2GEBNBF1tp4JaeZ/ws;
 		proxy_http_version 1.1;
+		proxy_read_timeout 3600s;
+		proxy_send_timeout 3600s;
+		proxy_buffering off;
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection "Upgrade";
 		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 	}
 
 	# pass PHP scripts to FastCGI server
@@ -160,21 +173,21 @@ server {
 
     listen [::]:443 ssl ipv6only=on; # managed by Certbot
     listen 443 ssl; # managed by Certbot
-    ssl_certificate /etc/letsencrypt/live/testnetrpc.numbersprotocol.io/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/testnetrpc.numbersprotocol.io/privkey.pem; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/testnetrpc.num.network/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/testnetrpc.num.network/privkey.pem; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 
 }
 server {
-    if ($host = testnetrpc.numbersprotocol.io) {
+    if ($host = testnetrpc.num.network) {
         return 301 https://$host$request_uri;
     } # managed by Certbot
 
 
 	listen 80 ;
 	listen [::]:80 ;
-    server_name testnetrpc.numbersprotocol.io;
+    server_name testnetrpc.num.network;
     return 404; # managed by Certbot