worker_processes 2;
daemon off;
user nobody nogroup;
pid /tmp/nginx.pid;
error_log /etc/nginx/nginx.error.log;

events {
  worker_connections 256;
  accept_mutex on;
  use epoll;
}

http {
  server_names_hash_bucket_size 128;
  access_log /etc/nginx/nginx.access.log combined buffer=16k flush=5s;

  # allow 10 req/sec from the same IP address, and store the counters in a
  # `zone` or shared memory location tagged as 'one'.
  limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

  # enable logging when requests are being throttled
  limit_req_log_level notice;

  # the http status code to return to the client when throttling;
  # 429 is for TooManyRequests,
  # ref. RFC 6585
  limit_req_status 429;

  resolver DNS_SERVER valid=20s;
  
  map $remote_addr $bdb_backend {
    default BIGCHAINDB_BACKEND_HOST;
  }
  
  server {
    listen BIGCHAINDB_FRONTEND_PORT;
    # server_name "FRONTEND_DNS_NAME";
    underscores_in_headers on;

    # max client request body size: avg transaction size
    client_max_body_size 15k;
    
    # keepalive connection settings
    keepalive_timeout 20s;

    # `slowloris` attack mitigation settings
    client_body_timeout 10s;
    client_header_timeout 10s;
    
    location / {
      proxy_ignore_client_abort on;
      proxy_set_header X-Real-IP  $remote_addr;
      proxy_set_header Host $http_host;
      proxy_redirect off;

      # TODO proxy_set_header X-Forwarded-Proto https;

      # limit requests from the same client, allow `burst` to 20 r/s,
      # `nodelay` or drop connection immediately in case it exceeds this
      # threshold.
      limit_req zone=one burst=20 nodelay;

      proxy_pass http://$bdb_backend:BIGCHAINDB_BACKEND_PORT;
    }
  }

  server {
    listen BIGCHAINDB_WS_FRONTEND_PORT;
    underscores_in_headers on;

    # keepalive connection settings
    keepalive_timeout 20s;

    # `slowloris` attack mitigation settings
    client_body_timeout 10s;
    client_header_timeout 10s;

    location /api/v1/streams/ {
      proxy_read_timeout 300s;
      proxy_pass http://$bdb_backend:BIGCHAINDB_WS_BACKEND_PORT;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
  }
}

# NGINX stream block for TCP and UDP proxies
stream {
  log_format mdb_log '[$time_iso8601] $realip_remote_addr $remote_addr '
                     '$proxy_protocol_addr $proxy_protocol_port '
                     '$protocol $status $session_time $bytes_sent '
                     '$bytes_received "$upstream_addr" "$upstream_bytes_sent" '
                     '"$upstream_bytes_received" "$upstream_connect_time" ';

  access_log /etc/nginx/nginx.stream.access.log mdb_log buffer=16k flush=5s;

  # define a zone 'two' of size 10 megabytes to store the counters
  # that hold number of TCP connections from a specific IP address
  limit_conn_zone $binary_remote_addr zone=two:10m;

  # enable logging when connections are being throttled
  limit_conn_log_level notice;
  
  resolver DNS_SERVER valid=20s;

  map $remote_addr $mdb_backend {
    default MONGODB_BACKEND_HOST;
  }
  
  server {
    listen MONGODB_FRONTEND_PORT so_keepalive=10m:1m:5;
    preread_timeout 30s;
    tcp_nodelay on;
    
    # whitelist
    #MONGODB_WHITELIST
    allow all;
    # deny access to everyone else
    deny all;
    
    # allow 16 connections from the same IP address
    limit_conn two 16;
    
    proxy_pass $mdb_backend:MONGODB_BACKEND_PORT;
  }
}