nginx: further improve rewrite rules (get rid of most ifs)

2023-02-13 20:55:02 -05:00 · 2019-07-12 12:23:16 +02:00 · 2019-07-12 12:23:16 +02:00 · 4dcdff15c2
commit 4dcdff15c2
parent 9a551dc16e
2 changed files with 52 additions and 28 deletions
--- a/hagrid-routes.conf
+++ b/hagrid-routes.conf
@ -32,7 +32,6 @@ location /vks/v1/request-verify {
 location /vks/v1/ {
    location ~ ^/vks/v1/by-fingerprint/(?:0x)?([^/][^/])([^/][^/])(..*)$ {
        limit_req zone=search_fpr_keyid burst=30;
-        error_page 429 /errors-static/429-rate-limit-vks-fpr.htm;

        error_page 404 /errors-static/404-by-fpr.htm;
        default_type application/pgp-keys;
@ -56,10 +55,12 @@ location /vks/v1/ {
        limit_req zone=search_email burst=50 nodelay;
        error_page 429 /errors-static/429-rate-limit-vks-email.htm;

+        set $args "";
        add_header 'Access-Control-Allow-Origin' '*';
+        proxy_pass http://127.0.0.1:8080;
+
        # we have some trouble with uri encoding here. just route through
        # hagrid, for now.
-        proxy_pass http://127.0.0.1:8080;
        # error_page 404 /errors-static/404-by-email.htm;
        # default_type application/pgp-keys;
        # add_header Content-Disposition 'attachment; filename="$1$2$3.asc"';
@ -71,59 +72,83 @@ location /vks/v1/ {
    return 400;
 }

-location /pks/internal/index {
-    internal;
-
-    limit_req zone=pks_index burst=30 nodelay;
-    limit_req_status 429;
-    error_page 429 /errors-static/429-rate-limit-pks-index.htm;
-
-    proxy_pass http://127.0.0.1:8080;
-}
-
 # Common HKP requests.
 location /pks/lookup {
+    # if the search argument contains angle brackets, strip everything around them
+    if ($arg_search ~ ".*\<([^&<>]+)\>.*") {
+        set $arg_search "$1";
+    }
+
+    # rewrite this to a path we can match on (right below)
+    if ($args ~ "op=.*search=") {
+        rewrite . /pks/internal/$arg_op/$arg_search last;
+    }
+
+    add_header 'Access-Control-Allow-Origin' '*';
+    error_page 400 /errors-static/400-pks-invalid.htm;
+    return 400;
+}
+
+location /pks/internal {
+    internal;
+
    # search by key id
    # sq keyserver get <KEYID>, gpg --receive-keys <KEYID>
-    if ($args ~ "^op=get&options=mr&search=(?:0x)?([a-fA-F0-9]{16})$") {
+    location ~ "^/pks/internal/get/(?:0x)?([a-fA-F0-9]{16})$" {
        set_by_lua $keyid "return ngx.arg[1]:upper()" $1;
-        set $args "";
        rewrite . /vks/v1/by-keyid/$keyid last;
    }

    # search by fpr
    # gpg --receive-keys <FINGERPRINT>
-    if ($args ~ "^op=get&options=mr&search=(?:0x)?([a-fA-F0-9]{40})$") {
+    location ~ "^/pks/internal/get/(?:0x)?([a-fA-F0-9]{40})$" {
        set_by_lua $fingerprint "return ngx.arg[1]:upper()" $1;
-        set $args "";
        rewrite . /vks/v1/by-fingerprint/$fingerprint last;
    }

    # search by email
    # gpg --locate-key <EMAIL>
-    if ($request_uri ~ "^/pks/lookup\?op=get&options=mr&search=([^&]+(?:%40|@)[^&]+)") {
+    location ~ "^/pks/internal/get/(.+(?:%40|@).+)$" {
        set_by_lua $email "return ngx.arg[1]:lower()" $1;
-        set $args "";
        rewrite . /vks/v1/by-email/$email last;
    }

-    # index by email, stripping angle brackets
-    # gpg --search-keys <QUERY>
-    if ($request_uri ~ "^/pks/lookup\?op=index&options=mr&search=[^&<>]*\<([^&<>]+)\>") {
-        set $query $1;
+    # index by fingerprint
+    # gpg --search-keys <FINGEPRINT>
+    location ~ "^/pks/internal/index/(?:0x)?([a-fA-F0-9]{40})$" {
+        limit_req zone=search_fpr_keyid burst=30;
+        limit_req_status 429;
+        error_page 429 /errors-static/429-rate-limit-pks-index.htm;
+
        set $args "";
-        rewrite . /pks/internal/index/$query last;
+        add_header 'Access-Control-Allow-Origin' '*';
+        proxy_pass http://127.0.0.1:8080;
+    }
+
+    # index by keyid
+    # gpg --search-keys <KEYID>
+    location ~ "^/pks/internal/index/(?:0x)?([a-fA-F0-9]{16})$" {
+        limit_req zone=search_fpr_keyid burst=30;
+        limit_req_status 429;
+        error_page 429 /errors-static/429-rate-limit-pks-index.htm;
+
+        set $args "";
+        add_header 'Access-Control-Allow-Origin' '*';
+        proxy_pass http://127.0.0.1:8080;
    }

    # index by email
    # gpg --search-keys <QUERY>
-    if ($request_uri ~ "^/pks/lookup\?op=index&options=mr&search=\<?([^&]+)\>?") {
-        set $query $1;
+    location ~ ^/pks/internal/index/(.+(?:%40|@).+)$ {
+        limit_req zone=search_email burst=50 nodelay;
+        limit_req_status 429;
+        error_page 429 /errors-static/429-rate-limit-pks-index.htm;
+
        set $args "";
-        rewrite . /pks/internal/index/$query last;
+        add_header 'Access-Control-Allow-Origin' '*';
+        proxy_pass http://127.0.0.1:8080;
    }

-    # forward to backend, which will like serve via x-accel-redirect
    add_header 'Access-Control-Allow-Origin' '*';
    error_page 400 /errors-static/400-pks-invalid.htm;
    return 400;
--- a/nginx-site.conf
+++ b/nginx-site.conf
@ -1,7 +1,6 @@
 # allow 6 requests per min -> one each 10s on avg.
 limit_req_zone $binary_remote_addr zone=search_email:10m rate=1r/m;
 limit_req_zone $binary_remote_addr zone=search_fpr_keyid:10m rate=5r/s;
-limit_req_zone $binary_remote_addr zone=pks_index:10m rate=1r/m;

 proxy_cache_path /tmp/nginx_cache use_temp_path=off keys_zone=static_cache:10m;
 proxy_cache_valid 200 5m;