setup-scripts/skynet-nginx.conf

limit_req_zone $binary_remote_addr zone=stats_by_ip:10m rate=10r/m;
limit_conn_zone $binary_remote_addr zone=uploads_by_ip:10m;
limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;
limit_req_status 429;
limit_conn_status 429;

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;
	return 301 https://$host$request_uri;
}

server {
   	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name siasky.net www.siasky.net; # replace with actual server names
	
	# ddos protection: closing slow connections
	client_body_timeout 5s;
	client_header_timeout 5s;

	# Enable the following line if you want to have auto uuid support. This
	# means users are able to upload Pubfiles without having to provide a uuid
	# themselves.
	# rewrite ^/pubaccess/pubfile/?$ /pubaccess/pubfile/$request_id$1;

	# NOTE: make sure to enable any additional configuration you might need like gzip

	location / {
		root /home/user/skynet-webportal/public; # path to root of index.html
	}

	location /stats {
		limit_req zone=stats_by_ip; # ddos protection: max 10 requests per minute
		proxy_set_header Access-Control-Allow-Origin: *;
		proxy_set_header User-Agent: ScPrime-Agent;

    # replace BASE64_AUTHENTICATION with base64 encoded <user>:<password>
		# for sia user is empty so it's just :<password>
		# to generate the passcode use https://www.base64encode.org or any other base64 encoder
		proxy_set_header Authorization "Basic BASE64_AUTHENTICATION";
		proxy_pass http://127.0.0.1:4280/pubaccess/stats;
  }

	location /statsdown {
		limit_req zone=stats_by_ip; # ddos protection: max 10 requests per minute
		proxy_set_header Access-Control-Allow-Origin: *;
		proxy_set_header User-Agent: ScPrime-Agent;

    # replace BASE64_AUTHENTICATION with base64 encoded <user>:<password>
		# for sia user is empty so it's just :<password>
		# to generate the passcode use https://www.base64encode.org or any other base64 encoder
		proxy_set_header Authorization "Basic BASE64_AUTHENTICATION";
		proxy_pass http://127.0.0.1:4280/pubaccess/stats;
  }

	location /pubaccess/pubfile/ {
		limit_conn uploads_by_ip 10; # ddos protection: max 10 uploads at a time
		client_max_body_size 1000M; # make sure to limit the size of upload to a sane value
		proxy_read_timeout 600;
		
		# Extract 3 sets of 2 characters from $request_id and assign to $dir1, $dir2, $dir3
		# respectfully. The rest of the $request_id is going to be assigned to $dir4.
		# We use those variables to automatically generate a unique path for the uploaded file.
		# This ensures that not all uploaded files end up in the same directory, which is something
		# that causes performance issues in the renter.
		# Example path result: /af/24/9b/c5ec894920ccc45634dc9a8065
		if ($request_id ~* "(\w{2})(\w{2})(\w{2})(\w+)") {
			set $dir1 $1;
			set $dir2 $2;
			set $dir3 $3;
			set $dir4 $4;
		}

		# proxy this call to spd endpoint (make sure the ip is correct)
		#
		# note that we point uploads to port '4270', do this when you want to
		# run in a configuration where you have two spd instances, one for
		# downloads and one for uploads. This drastically improves the up - and
		# download speed of your portal. When running your portal in this double
		# spd setup, make sure only the download portal runs in 'portal mode'.
		# The upload spd can be run in normal mode. Set the port to '4280' if
		# you do not want to run your portal in the double spd setup.
		proxy_pass http://127.0.0.1:4270/pubaccess/pubfile/$dir1/$dir2/$dir3/$dir4;

		proxy_set_header Expect $http_expect;
		add_header Access-Control-Allow-Origin *;
		proxy_hide_header Access-Control-Allow-Origin;
		# make sure to override user agent header - spd requirement
		proxy_set_header User-Agent: ScPrime-Agent; 
		# replace BASE64_AUTHENTICATION with base64 encoded <user>:<password>
		# for sia user is empty so it's just :<password>
		# to generate the passcode use https://www.base64encode.org or any other base64 encoder
		proxy_set_header Authorization "Basic BASE64_AUTHENTICATION";
	}

	location ~ "^/([a-zA-Z0-9-_]{46}(/.*)?)$" {
		limit_conn downloads_by_ip 10; # ddos protection: max 10 downloads at a time

		# we need to explicitly use set directive here because $1 will contain the publink with
		# decoded whitespaces and set will re-encode it for us before passing it to proxy_pass
		set $publink $1;
		proxy_read_timeout 600;
		# proxy this call to spd /pubaccess/publink/ endpoint (make sure the ip is
		# correct)
		proxy_pass http://127.0.0.1:4280/pubaccess/publink/$publink$is_args$args;
		proxy_set_header Access-Control-Allow-Origin: *;
		# make sure to override user agent header - spd requirement
		proxy_set_header User-Agent: ScPrime-Agent;
		
		# make sure the Skynet-File-Metadata header gets exposed in the response
		add_header Access-Control-Expose-Headers skynet-file-metadata;

		# if you are expecting large headers (ie. Skynet-Skyfile-Metadata), tune these values to your needs
		#proxy_buffer_size 128k;
		#proxy_buffers 4 128k;
	}

	location ~ "^/file/([a-zA-Z0-9-_]{46}(/.*)?)$" {
		limit_conn downloads_by_ip 10; # ddos protection: max 10 downloads at a time
		
		set $publink $1;
		proxy_read_timeout 600;
		# proxy this call to spd /pubaccess/publink/ endpoint (make sure the ip is
		# correct) this alias also adds attachment=true url param to force
		# download the file
		proxy_pass http://127.0.0.1:4280/pubaccess/publink/$publink?attachment=true&$args;
		proxy_set_header Access-Control-Allow-Origin: *;
		# make sure to override user agent header - spd requirement
		proxy_set_header User-Agent: ScPrime-Agent;

		# make sure the Skynet-File-Metadata header gets exposed in the response
		add_header Access-Control-Expose-Headers skynet-file-metadata;

		# if you are expecting large headers (ie. Skynet-Skyfile-Metadata), tune these values to your needs
		#proxy_buffer_size 128k;
		#proxy_buffers 4 128k;
	}

	# SLL CERTIFICATES BELOW THIS LINE
}