blob: 3de4c67fcf0fc9bd637fd1fea96405ea725760de (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
|
#config cache size and path to the cache directory, you should make sure that the user that is running nginx have permissions to access the cache directory
#max_size means that Nginx will not cache more than 20G, It should be tuned to a larger number if the /data/cache is bigger
proxy_cache_path /data/cache levels=2:2:2 keys_zone=mycache:999m max_size=20G inactive=1d use_temp_path=off;
upstream rgws {
# List of all rgws (ips or resolvable names)
server rgw1:8000 max_fails=2 fail_timeout=5s;
server rgw2:8000 max_fails=2 fail_timeout=5s;
server rgw3:8000 max_fails=2 fail_timeout=5s;
}
server {
listen 80;
server_name cacher;
location /authentication {
internal;
client_max_body_size 0;
proxy_pass http://rgws$request_uri;
proxy_pass_request_body off;
proxy_set_header Host $host;
# setting x-rgw-auth allow the RGW the ability to only authorize the request without fetching the obj data
proxy_set_header x-rgw-auth "yes";
proxy_set_header Authorization $http_authorization;
proxy_http_version 1.1;
proxy_method $request_method;
# Do not convert HEAD requests into GET requests
proxy_cache_convert_head off;
error_page 404 = @outage;
proxy_intercept_errors on;
if ($request_uri = "/") {
return 200;
}
# URI included with question mark is not being cached
if ($request_uri ~* (\?)) {
return 200;
}
if ($request_method = "PUT") {
return 200;
}
if ($request_method = "POST") {
return 200;
}
if ($request_method = "HEAD") {
return 200;
}
if ($request_method = "COPY") {
return 200;
}
if ($request_method = "DELETE") {
return 200;
}
if ($http_if_match) {
return 200;
}
if ($http_authorization !~* "aws4_request") {
return 200;
}
}
location @outage{
return 403;
}
location / {
slice 1m;
auth_request /authentication;
proxy_set_header Range $slice_range;
proxy_pass http://rgws;
set $authvar '';
# if $do_not_cache is not empty the request would not be cached, this is relevant for list op for example
set $do_not_cache '';
# the IP or name of the RGWs
rewrite_by_lua_file /etc/nginx/nginx-lua-file.lua;
#proxy_set_header Authorization $http_authorization;
# my cache configured at the top of the file
proxy_cache mycache;
proxy_cache_lock_timeout 0s;
proxy_cache_lock_age 1000s;
proxy_http_version 1.1;
set $date $aws_auth_date;
# Getting 403 if this header not set
proxy_set_header Host $host;
# Cache all 200 OK's for 1 day
proxy_cache_valid 200 206 1d;
# Use stale cache file in all errors from upstream if we can
proxy_cache_use_stale updating;
proxy_cache_background_update on;
# Try to check if etag have changed, if yes, do not re-fetch from rgw the object
proxy_cache_revalidate on;
# Lock the cache so that only one request can populate it at a time
proxy_cache_lock on;
# prevent conversion of head requests to get requests
proxy_cache_convert_head off;
# Listing all buckets should not be cached
if ($request_uri = "/") {
set $do_not_cache "no";
set $date $http_x_amz_date;
}
# URI including question mark are not supported to prevent bucket listing cache
if ($request_uri ~* (\?)) {
set $do_not_cache "no";
set $date $http_x_amz_date;
}
# Only aws4 requests are being cached - As the aws auth module supporting only aws v2
if ($http_authorization !~* "aws4_request") {
set $date $http_x_amz_date;
}
if ($request_method = "PUT") {
set $date $http_x_amz_date;
}
if ($request_method = "POST") {
set $date $http_x_amz_date;
}
if ($request_method = "HEAD") {
set $do_not_cache "no";
set $date $http_x_amz_date;
}
if ($request_method = "COPY") {
set $do_not_cache "no";
set $date $http_x_amz_date;
}
if ($http_if_match) {
#set $do_not_cache "no";
set $date $http_x_amz_date;
set $myrange $slice_range;
}
if ($request_method = "DELETE") {
set $do_not_cache "no";
set $date $http_x_amz_date;
}
proxy_set_header if_match $http_if_match;
# Use the original x-amz-date if the aws auth module didn't create one
proxy_set_header x-amz-date $date;
proxy_set_header X-Amz-Cache $authvar;
proxy_no_cache $do_not_cache;
proxy_set_header Authorization $awsauthfour;
# This is on which content the nginx to use for hashing the cache keys
proxy_cache_key "$request_uri$request_method$request_body$slice_range";
client_max_body_size 0;
}
}
|