zjcqoo 6 years ago
parent
commit
a73cb9dab8
6 changed files with 50 additions and 21 deletions
  1. 26 10
      api.conf
  2. 1 1
      i.sh
  3. 14 4
      lua/http-enc-res-hdr.lua
  4. 5 2
      nginx.conf
  5. 3 2
      upload.sh
  6. 1 2
      www/.gitignore

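--- a/api.conf
+++ b/api.conf
@@ -1,12 +1,3 @@
-if ($_origin_id = '') {
-  return              403   'ERROR: origin `$http_origin` is not allowed';
-}
-if ($http_x_jsproxy) {
-  return              500   'ERROR: circular dependency';
-}
-proxy_set_header      x-jsproxy   1;
-proxy_set_header      Connection  $http_connection;
-
 set                   $_level     '';
 set                   $_switched  '';
 set                   $_url       '';
@@ -16,6 +7,20 @@ set                   $_type      '';
 set                   $_mode      '';
 set                   $_bodyhash  '';
 
+error_page            500 502 504 /error;
+
+location = /error {
+  internal;
+  access_log          off;
+  more_set_headers
+    'access-control-allow-origin: *'
+    'access-control-expose-headers: gateway-err--'
+    'gateway-err--: {"msg": "$arg_msg", "addr": "$upstream_addr"}'
+  ;
+  return              200;
+}
+
+
 location = /preflight {
   internal;
   access_log          off;
@@ -31,8 +36,19 @@ location = /preflight {
 
 # HTTP(S) Proxy
 location = /http {
+  # see ./allowed-sites.conf
+  if ($_origin_id = '') {
+    rewrite             ^   /error?msg=ORIGIN_NOT_ALLOWED;
+  }
+  if ($http_x_jsproxy) {
+    rewrite             ^   /error?msg=CIRCULAR_DEPENDENCY;
+  }
+  proxy_set_header      x-jsproxy   1;
+  proxy_set_header      Connection  $http_connection;
+  
+
   if ($http_access_control_request_headers) {
-    rewrite           ^   /preflight;
+    rewrite             ^   /preflight;
   }
 
   access_by_lua_file    ../lua/http-dec-req-hdr.lua;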
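Review bot: The two `rewrite ^ /error?msg=...;` lines added to `location = /http` carry no flag, so unlike the `return 403` / `return 500` they replace they do not end rewrite processing. The later `if ($http_access_control_request_headers) { rewrite ^ /preflight; }` is still evaluated, and because `^` matches any URI it can send a request from a disallowed origin to `/preflight` instead of `/error`. Adding `last` to both, e.g. `rewrite ^ /error?msg=ORIGIN_NOT_ALLOWED last;`, keeps the origin and loop checks authoritative. Separately, `/error` answers 200 with `access_log off`, so rejected origins and detected loops appear to leave no access-log entry, and the `gateway-err--` header publishes `$upstream_addr` to every origin; both are worth revisiting if rejections need to be monitored or upstream addresses are sensitive. The `location = /http` block continues past the hunk.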

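--- a/i.sh
+++ b/i.sh
@@ -57,7 +57,7 @@ gen_cert() {
     ip=$(curl -s $i)
 
     if [[ ! $ip ]]; then
-      warn "获取失败"
+      warn "获取失败"
       continue
     fi
 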

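--- a/lua/http-enc-res-hdr.lua
+++ b/lua/http-enc-res-hdr.lua
@@ -23,17 +23,27 @@ end
 
 local function flushHdr()
   if detail then
-    expose = expose .. ',--s'
+    if status ~= 200 then
+      expose = expose .. ',--s'
+    end
     -- 该字段不在 aceh 中,如果浏览器能读取到,说明支持 * 通配
     ngx.header['--t'] = '1'
   end
 
-  local status = ngx.status
-
   ngx.header['access-control-expose-headers'] = expose
   ngx.header['access-control-allow-origin'] = '*'
   ngx.header['vary'] = vary
-  ngx.header['--s'] = status
+
+  local status = ngx.status
+
+  -- 前端优先使用该字段作为状态码
+  if status ~= 200 then
+    ngx.header['--s'] = status
+  end
+
+  -- 保留原始状态码,便于控制台调试
+  -- 例如 404 显示红色,如果统一设置成 200 则没有颜色区分
+  -- 需要转义 30X 重定向,否则不符合 cors 标准
   if
     status == 301 or
     status == 302 or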
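Review bot: In `flushHdr`, the new `if status ~= 200 then` inside the `if detail` block reads `status` before `local status = ngx.status` is declared further down. At that point the name resolves to whatever `status` exists in the enclosing scope, which is nil if the file defines none (the rest of the file is outside the hunk). Since `nil ~= 200` is true, `,--s` would then be appended to the expose list on every response, including 200s where the `--s` header is no longer set. Moving `local status = ngx.status` to the first line of `flushHdr` makes both checks use the same value. The function body continues past the hunk.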

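--- a/nginx.conf
+++ b/nginx.conf
@@ -35,7 +35,7 @@ http {
   proxy_cache_path        cache
     levels=1:2
     keys_zone=my_cache:32m
-    max_size=20g
+    max_size=16g
     inactive=6h
     use_temp_path=off
   ;
@@ -45,7 +45,10 @@ http {
   proxy_buffer_size       16k;
   proxy_buffers           4 32k;
   proxy_busy_buffers_size 64k;
-  proxy_send_timeout      10s;
+  proxy_send_timeout      30s;
+  proxy_read_timeout      30s;
+  proxy_connect_timeout   10s;
+  proxy_ssl_verify        on;
 
   lua_load_resty_core     off;
 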
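Review bot: `proxy_ssl_verify on;` is added without a `proxy_ssl_trusted_certificate` in this hunk, and nginx needs that CA bundle to verify upstream certificates. If it is not set elsewhere in the `http` block (which extends beyond the hunk), the configuration is expected to be rejected at load. The default `proxy_ssl_verify_depth` of 1 also tends to fail chains that include an intermediate CA. For a proxy whose upstream host is chosen per request, `proxy_ssl_server_name on;` is normally needed so that SNI matches the name being verified. Suggested additions next to the new line: `proxy_ssl_trusted_certificate <path-to-CA-bundle>;`, `proxy_ssl_verify_depth 2;` and `proxy_ssl_server_name on;`.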

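--- a/upload.sh
+++ b/upload.sh
@@ -4,8 +4,9 @@
 HOST=etherdream.com
 NODE=(
   aliyun-hk-0
-  aliyun-hk-2
-  aliyun-hk-3
+  aliyun-hk-1
+  # aliyun-hk-2
+  # aliyun-hk-3
   aliyun-hk-4
   aliyun-sg
 )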

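--- a/www/.gitignore
+++ b/www/.gitignore
@@ -1,3 +1,2 @@
 *
-!README.md
-!.gitignore
+!README.md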