
NGINX

The file /etc/slashdb/nginx.confg contains the default NGINX reverse-proxy configuration that passes HTTP requests to the SlashDB WSGI server.

If you are using a web server other than NGINX, this file can be used as an information source / template for your custom setup.

Changes to this file require restarting the SlashDB service.

sudo service slashdb restart

Response Headers

The following response headers are sent back with all responses:

# Only present when $retry_after is non-empty: the map in the config file sets it to '2'
# for status 429, and NGINX omits a header whose value is an empty string.
add_header Retry-After $retry_after always;

# "always" attaches the header to every status code, including 4xx/5xx error responses.
add_header Cache-Control "no-cache, private" always;

# Secure headers
# The CSP below has no frame-ancestors directive, so this is what prevents framing.
add_header X-Frame-Options DENY always;

add_header X-Content-Type-Options nosniff always;

add_header Referrer-Policy same-origin always;

# No script-src is given, so scripts fall back to default-src 'self'. connect-src names
# the only external hosts the browser may call (presumably licensing and Microsoft sign-in).
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' lic.slashdb.net login.microsoftonline.com; img-src 'self' data:;" always;

# Browsers only honor HSTS on responses received over HTTPS; the header has no effect
# while the distributed server block listens on plain port 80.
add_header Strict-Transport-Security "max-age=63072000" always;

add_header Permissions-Policy "fullscreen=(self \"https://www.youtube.com\"), clipboard-read=(self), clipboard-write=(self)" always;

add_header Cross-Origin-Opener-Policy same-origin always;

add_header Cross-Origin-Resource-Policy same-origin always;

For more information on these headers, refer to the Mozilla HTTP Headers documentation and the Mozilla Cross-Origin Resource Sharing (CORS) documentation.

Config File

This is the NGINX configuration file that is distributed with SlashDB.

# One worker process per available CPU core.
worker_processes auto;
pid /run/nginx.pid;

events {
    # Maximum number of simultaneous connections per worker process.
    worker_connections 768;
    # multi_accept on;
}

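http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Do not advertise the NGINX version in the Server header or on error pages.
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    # https://ssl-config.mozilla.org
    # These only take effect once a "listen ... ssl" server is enabled (see the
    # commented lines in the server block below).
    ##

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    # Resumption via the server-side cache only; no long-lived ticket key to protect.
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    # Let the client choose among the offered suites, as in the Mozilla generator output.
    ssl_prefer_server_ciphers off;

    ##
    # Logging Settings
    ##

    # strip timezone, replace T
    map $time_iso8601 $time_iso8601mod {
        "~(.+)T([0-9]{2}:[0-9]{2}:[0-9]{2})" "$1 $2";
    }

    # remove dot
    map $msec $msec_int {
        "~(.+)\.(.+)" "$1$2";
    }

    # 1 for statuses that indicate a timeout: 499 (client closed) and 504 (upstream).
    map $status $timeout_err_status {
        499 1;
        504 1;
        default 0;
    }

    log_format timeout_err_format '$status $request_id';
    # Pipe-delimited line; the empty fields are presumably placeholders that keep the
    # column layout aligned with the SlashDB application log.
    log_format sdblog '$time_iso8601mod | $msec_int | nginx | nginx_logger | INFO '
                      '| $pid |  | $request_id | $request_method | $request_uri '
                      '| $status | $request_time | $request_length | $bytes_sent '
                      '| $remote_addr | $http_referer | $http_user_agent |  |  |  | ';

    # write 499/504 errors to named pipe
    # (the "if=" condition writes an entry only when $timeout_err_status is 1)
    access_log  /var/run/slashdb/timeout_log_fifo timeout_err_format if=$timeout_err_status;
    access_log  /var/log/nginx/access.log sdblog;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";
    # NOTE(review): gzip_types is left at its default (text/html only). Once TLS is
    # enabled, compressing responses that place attacker-influenced input next to
    # secrets such as tokens exposes them to BREACH-style compression attacks; keep
    # that in mind before enabling the commented gzip_types line for application/json.

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # uWSGI Cache Settings
    ##

    # On-disk cache for upstream responses; entries not accessed for 5 minutes are evicted.
    # Caching is only active once uwsgi_cache is uncommented in the /db|/query location below.
    uwsgi_cache_path   /var/cache/slashdb/responses  levels=1:2
    keys_zone=SDB_CACHE:10m
    inactive=5m;

    upstream slashdb_app {
        server 127.0.0.1:8001;  # for a web port socket
    }

    # limit only for POST
    # The key is the client address for POST and empty otherwise; requests with an
    # empty key are not counted against the zone.
    map $request_method $limit_login_post {
        default         "";
        POST            $binary_remote_addr;
    }

    map $request_method $limit_db_check_post {
        default         "";
        POST            $binary_remote_addr;
    }

    # login zone: 1 POST per minute per address (20m zone - about 160k entries);
    # db-check zone: 1 POST per second per address. Excess requests are answered with 429.
    limit_req_zone $limit_login_post zone=login_limit:20m rate=1r/m;
    limit_req_zone $limit_db_check_post zone=db_check_limit:20m rate=1r/s;
    limit_req_status 429;

    # retry-after 2s for /login
    # Empty for every other status, so the Retry-After header is omitted there.
    map $status $retry_after {
        default '';
        429 '2';
    }

    # Redirect HTTP to HTTPS
    # server {
    #     listen 80 default_server;
    #     listen [::]:80 default_server;
    #     location / {return 301 https://$host$request_uri;}
    # }

    server {

        ##################           SETTINGS            #########################


        # General Settings

        # Plain HTTP by default: credentials and API keys travel unencrypted until the
        # ssl lines below (and the HTTP->HTTPS redirect server above) are enabled.
        #   server_name         your-slashdb.com;
        listen                      80;
        # listen                      443 ssl;
        # ssl_certificate             /path/to/certificate;
        # ssl_certificate_key         /path/to/key;

        send_timeout                5m;
        charset                     utf-8;

        # "always" attaches these headers to error responses as well.
        add_header Retry-After $retry_after always;
        add_header Cache-Control "no-cache, private" always;

        # Secure headers
        # The CSP below has no frame-ancestors directive, so X-Frame-Options is what
        # prevents framing. No script-src is given, so scripts fall back to default-src 'self'.
        add_header X-Frame-Options DENY always;
        add_header X-Content-Type-Options nosniff always;
        add_header Referrer-Policy same-origin always;
        add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' lic.slashdb.net login.microsoftonline.com; img-src 'self' data:;" always;
        # Browsers only honor HSTS over HTTPS; inert while listening on port 80 only.
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header Permissions-Policy "fullscreen=(self \"https://www.youtube.com\"), clipboard-read=(self), clipboard-write=(self)" always;
        # add_header Cross-Origin-Embedder-Policy require-corp always;
        add_header Cross-Origin-Opener-Policy same-origin always;
        add_header Cross-Origin-Resource-Policy same-origin always;

        # Cache Settings

        # By default authentication keys are named as follows:
        #  - user_key for single key authentication
        #  - app_id and app_key for a pair key authentication
        # If you rename them in slashdb.ini make sure they are the same here.
        # These variables become part of uwsgi_cache_key so that cached responses
        # are kept per credential.

        # When using a pair of AppID and App Key
        set $api_key_get $arg_appid$arg_apikey;
        set $api_key_header $http_appid$http_apikey;

        # When using single User Key (also known as API Key)
        #set $api_key_get $arg_apikey;
        #set $api_key_header $http_apikey;

        # Cache Settings
        # To enable cache please remove comment on next two lines and
        # uwsgi_cache in location context.

        #uwsgi_cache_valid   200 302  5m;
        #uwsgi_cache_valid   301      1d;
        uwsgi_cache_valid   any      0;

        uwsgi_connect_timeout 120s;
        uwsgi_read_timeout 120s;
        uwsgi_send_timeout 120s;

        ###################     DON'T EDIT BELOW THIS     ########################

        # Regex location, anchored so that only URIs beginning with /db or /query match.
        # The previous pattern "/db*|/query*" was an unanchored PCRE, i.e. "/d" followed
        # by zero or more "b" (or "/quer" followed by zero or more "y") anywhere in the
        # URI, which also captured unrelated paths such as /docs.
        location ~ ^/(db|query) {
            uwsgi_pass slashdb_app;
            include uwsgi_params;
            uwsgi_param REQUEST_ID $request_id;

            # Uncomment the next line to enable uwsgi cache for this location
            #uwsgi_cache         SDB_CACHE;
            # The Authorization header, the auth_tkt cookie and the API keys (query string
            # or headers) are part of the key, so a cached response is never served to a
            # request that carries different credentials.
            uwsgi_cache_key $host$request_uri$http_authorization$cookie_auth_tkt$api_key_get$api_key_header;
            uwsgi_cache_min_uses 1;
            # A stale cached entry may be served in place of an upstream error, timeout,
            # malformed header or HTTP 500.
            uwsgi_cache_use_stale error timeout invalid_header http_500;

        }

        # Everything else goes to the same upstream; the nested locations add per-address
        # POST rate limits to the login and database-connection-check endpoints.
        location / {
            uwsgi_pass  slashdb_app;
            include uwsgi_params;
            uwsgi_param REQUEST_ID $request_id;

            location /login {
                # allow up to 5 requests in queue, then reject
                # (nodelay: the 5 burst requests are served immediately, the rest get 429)
                limit_req zone=login_limit burst=5 nodelay;
                uwsgi_pass slashdb_app;
            }

            location /settings/check-database-connection.json {
                # allow up to 5 requests in queue, then reject
                limit_req zone=db_check_limit burst=5 nodelay;
                uwsgi_pass slashdb_app;
            }

            location /settings/check-database-mapping-connection.json {
                # allow up to 5 requests in queue, then reject
                limit_req zone=db_check_limit burst=5 nodelay;
                uwsgi_pass slashdb_app;
            }

            location /settings/check-database-credentials-connection.json {
                # allow up to 5 requests in queue, then reject
                limit_req zone=db_check_limit burst=5 nodelay;
                uwsgi_pass slashdb_app;
            }
        }
    }

    # Additional server blocks (e.g. a TLS-terminating virtual host) placed here are
    # loaded inside this http context and inherit the settings above.
    include /etc/slashdb/sites-enabled/*;
}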