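# nginx front-end for a BigchainDB HTTP API (http block) and a MongoDB TCP
# port (stream block). UPPER_CASE tokens (BIGCHAINDB_BACKEND_HOST, ...) are
# template placeholders — presumably substituted at deploy time; the file is
# not loadable as-is. Laid out one directive per line so that `#` comments
# no longer swallow the directives that follow them on the same line.
worker_processes 2;
daemon off;
user nobody nogroup;
pid /tmp/nginx.pid;
error_log /etc/nginx/nginx.error.log;

events {
    worker_connections 256;
    accept_mutex on;
    use epoll;
}

http {
    server_names_hash_bucket_size 128;
    # runtime name lookups go to public resolvers over plain (unauthenticated) DNS
    resolver 8.8.8.8 8.8.4.4;
    access_log /etc/nginx/nginx.access.log combined buffer=16k flush=5s;

    # allow 10 req/sec from the same IP address, and store the counters in a
    # `zone` or shared memory location tagged as 'one'.
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

    # enable logging when requests are being throttled
    limit_req_log_level notice;

    # the http status code to return to the client when throttling;
    # 429 is for TooManyRequests,
    # ref. RFC 6585
    limit_req_status 429;

    upstream bdb_backend {
        # fail_timeout has no unit suffix: nginx reads it as seconds
        server BIGCHAINDB_BACKEND_HOST:BIGCHAINDB_BACKEND_PORT max_fails=5 fail_timeout=30;
    }

    server {
        listen BIGCHAINDB_FRONTEND_PORT;
        # server_name "FRONTEND_DNS_NAME";
        underscores_in_headers on;

        # max client request body size: avg transaction size
        client_max_body_size 15k;

        # keepalive connection settings
        keepalive_timeout 20s;

        # `slowloris` attack mitigation settings
        client_body_timeout 10s;
        client_header_timeout 10s;

        location / {
            proxy_ignore_client_abort on;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            # TODO proxy_set_header X-Forwarded-Proto https;

            # limit requests from the same client: up to `burst` (20) requests
            # above the zone's 10r/s rate are accepted and, with `nodelay`,
            # forwarded immediately instead of being queued; anything beyond
            # the burst is rejected with `limit_req_status` (429 above).
            limit_req zone=one burst=20 nodelay;

            proxy_pass http://bdb_backend;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            # `root` names the directory that the request URI is appended to,
            # so it must be the directory holding 50x.html, not the file
            # itself: the previous `root /etc/nginx/50x.html;` resolved to
            # /etc/nginx/50x.html/50x.html and the error page could not be
            # served.
            root /etc/nginx;
        }
    }
}

# NGINX stream block for TCP and UDP proxies
stream {
    log_format mdb_log '[$time_iso8601] $realip_remote_addr $remote_addr '
                       '$proxy_protocol_addr $proxy_protocol_port '
                       '$protocol $status $session_time $bytes_sent '
                       '$bytes_received "$upstream_addr" "$upstream_bytes_sent" '
                       '"$upstream_bytes_received" "$upstream_connect_time" ';
    access_log /etc/nginx/nginx.stream.access.log mdb_log buffer=16k flush=5s;

    # define a zone 'two' of size 10 megabytes to store the counters
    # that hold number of TCP connections from a specific IP address
    limit_conn_zone $binary_remote_addr zone=two:10m;

    # enable logging when connections are being throttled
    limit_conn_log_level notice;

    upstream mdb_backend {
        server MONGODB_BACKEND_HOST:MONGODB_BACKEND_PORT max_fails=5 fail_timeout=30 max_conns=1024;
    }

    server {
        listen MONGODB_FRONTEND_PORT so_keepalive=10m:1m:5;
        preread_timeout 30s;
        tcp_nodelay on;

        # whitelist MONGODB_WHITELIST
        # NOTE(review): the line above is presumably expanded at deploy time
        # into `allow` directives; it must stay ahead of `deny all` (access
        # rules are evaluated in order), and an empty substitution leaves the
        # MongoDB port closed to every client.
        # deny access to everyone else
        deny all;

        # allow 512 connections from the same IP address
        limit_conn two 512;

        proxy_pass mdb_backend;
    }
}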