summaryrefslogtreecommitdiffstats
path: root/examples/rgw-cache/nginx-slicing.conf
blob: d3c8f623b473fa49c7946b3b378c52d8610c8bbf (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
#config cache size and path to the cache directory, you should make sure that the user that is running nginx have permissions to access the cache directory
#max_size means that Nginx will not cache more than 20G, It should be tuned to a larger number if the /data/cache is bigger
proxy_cache_path /data/cache levels=2:2:2 keys_zone=mycache:999m max_size=20G inactive=1d use_temp_path=off;
upstream rgws {
    # List of all rgws (ips or resolvable names)
    server rgw1:8000 max_fails=2 fail_timeout=5s;
    server rgw2:8000 max_fails=2 fail_timeout=5s;
    server rgw3:8000 max_fails=2 fail_timeout=5s;
}
server {
    listen       80;
    server_name  cacher;
    location /authentication {
        internal;
        client_max_body_size 0;
        proxy_pass http://rgws$request_uri;
        proxy_pass_request_body off;
        proxy_set_header Host $host;
        # setting x-rgw-auth allow the RGW the ability to only authorize the request without fetching the obj data 
        proxy_set_header x-rgw-auth "yes";
        proxy_set_header Authorization $http_authorization;
        proxy_http_version 1.1;
        proxy_method $request_method;
        # Do not convert HEAD requests into GET requests
        proxy_cache_convert_head off;
        error_page 404 = @outage;
        proxy_intercept_errors on;
        if ($request_uri = "/") {
            return 200;
        }
        # URI included with question mark is not being cached
        if ($request_uri ~* (\?)) {
            return 200;
        }
        if ($request_method = "PUT") {
            return 200;
        }
        if ($request_method = "POST") {
            return 200;
        }
        if ($request_method = "HEAD") {
            return 200;
        }
        if ($request_method = "COPY") {
            return 200;
        }
        if ($request_method = "DELETE") {
            return 200;
        }
        if ($http_if_match) {
            return 200;
        }
        if ($http_authorization !~* "aws4_request") {
            return 200;
        }
    }
    location @outage{
        return 403;
    }
    location / {
        slice 1m;
        auth_request /authentication;
        proxy_set_header Range $slice_range;
        proxy_pass http://rgws;
        set $authvar '';
        # if $do_not_cache is not empty the request would not be cached, this is relevant for list op for example
        set $do_not_cache '';
        # the IP or name of the RGWs
        rewrite_by_lua_file /etc/nginx/nginx-lua-file.lua;
        #proxy_set_header Authorization $http_authorization;
        # my cache configured at the top of the file
        proxy_cache mycache;
        proxy_cache_lock_timeout 0s;
        proxy_cache_lock_age 1000s;
        proxy_http_version 1.1;
        set $date $aws_auth_date;
        # Getting 403 if this header not set
        proxy_set_header Host $host;
        # Cache all 200 OK's for 1 day
        proxy_cache_valid 200 206 1d;
        # Use stale cache file in all errors from upstream if we can
        proxy_cache_use_stale updating;
        proxy_cache_background_update on;
        # Try to check if etag have changed, if yes, do not re-fetch from rgw the object
        proxy_cache_revalidate on;
        # Lock the cache so that only one request can populate it at a time
        proxy_cache_lock on;
        # prevent convertion of head requests to get requests
        proxy_cache_convert_head off;
        # Listing all buckets should not be cached 
        if ($request_uri = "/") {
            set $do_not_cache "no";
            set $date $http_x_amz_date;
        }
        # URI including question mark are not supported to prevent bucket listing cache
        if ($request_uri ~* (\?)) {
            set $do_not_cache "no";
            set $date $http_x_amz_date;
        }
        # Only aws4 requests are being cached - As the aws auth module supporting only aws v2
        if ($http_authorization !~* "aws4_request") {
            set $date $http_x_amz_date;
        }
        if ($request_method = "PUT") {
            set $date $http_x_amz_date;
        }
        if ($request_method = "POST") {
            set $date $http_x_amz_date;
        }
        if ($request_method = "HEAD") {
            set $do_not_cache "no";
            set $date $http_x_amz_date;
        }
        if ($request_method = "COPY") {
            set $do_not_cache "no";
            set $date $http_x_amz_date;
        }
        if ($http_if_match) {
            #set $do_not_cache "no";
            set $date $http_x_amz_date;
            set $myrange $slice_range;
        }
        if ($request_method = "DELETE") {
            set $do_not_cache "no";
            set $date $http_x_amz_date;
        }
        proxy_set_header if_match $http_if_match;
        # Use the original x-amz-date if the aws auth module didn't create one 
        proxy_set_header x-amz-date $date;
        proxy_set_header X-Amz-Cache $authvar;
        proxy_no_cache $do_not_cache;
        proxy_set_header Authorization $awsauthfour;
        # This is on which content the nginx to use for hashing the cache keys 
        proxy_cache_key "$request_uri$request_method$request_body$slice_range";
        client_max_body_size 0;
    }
}