From c9f2bd40296c827b1ab099df0d16927a40de2069 Mon Sep 17 00:00:00 2001
From: wiz
Date: Mon, 22 Feb 2021 20:22:03 +0900
Subject: [PATCH] Update nginx and mempool backend configuration for active failover HA
---
 production/mempool-config.bisq.json | 2 +-
 production/mempool-config.liquid.json | 2 +-
 production/mempool-config.mainnet.json | 2 +-
 production/mempool-config.signet.json | 2 +-
 production/mempool-config.testnet.json | 2 +-
 production/nginx-mempool.conf | 29 +++++++++----
 production/nginx.conf | 58 +++++++++++++++-----------
 7 files changed, 60 insertions(+), 37 deletions(-)
diff --git a/production/mempool-config.bisq.json b/production/mempool-config.bisq.json
index cd5473cd1..64ccc64bd 100644
--- a/production/mempool-config.bisq.json
+++ b/production/mempool-config.bisq.json
@@ -13,7 +13,7 @@
 "PASSWORD": "bar"
 },
 "ESPLORA": {
- "REST_API_URL": "http://[::1]:3000"
+ "REST_API_URL": "http://127.0.0.1:4000"
 },
 "DATABASE": {
 "ENABLED": false,
diff --git a/production/mempool-config.liquid.json b/production/mempool-config.liquid.json
index cdd728f26..e3fb2c454 100644
--- a/production/mempool-config.liquid.json
+++ b/production/mempool-config.liquid.json
@@ -14,7 +14,7 @@
 "PASSWORD": "bar"
 },
 "ESPLORA": {
- "REST_API_URL": "http://127.0.0.1:2001"
+ "REST_API_URL": "http://127.0.0.1:4001"
 },
 "DATABASE": {
 "ENABLED": true,
diff --git a/production/mempool-config.mainnet.json b/production/mempool-config.mainnet.json
index 039462eac..6b7027143 100644
--- a/production/mempool-config.mainnet.json
+++ b/production/mempool-config.mainnet.json
@@ -13,7 +13,7 @@
 "PASSWORD": "bar"
 },
 "ESPLORA": {
- "REST_API_URL": "http://127.0.0.1:2000"
+ "REST_API_URL": "http://127.0.0.1:4000"
 },
 "DATABASE": {
 "ENABLED": true,
diff --git a/production/mempool-config.signet.json b/production/mempool-config.signet.json
index 5649b1913..de7e078f4 100644
--- a/production/mempool-config.signet.json
+++ b/production/mempool-config.signet.json
@@ -14,7 +14,7 @@
 "PASSWORD": "bar"
 },
 "ESPLORA": {
- "REST_API_URL": "http://127.0.0.1:2003"
+ "REST_API_URL": "http://127.0.0.1:4003"
 },
 "DATABASE": {
 "ENABLED": true,
diff --git a/production/mempool-config.testnet.json b/production/mempool-config.testnet.json
index 49bec7e76..f1f81d03c 100644
--- a/production/mempool-config.testnet.json
+++ b/production/mempool-config.testnet.json
@@ -14,7 +14,7 @@
 "PASSWORD": "bar"
 },
 "ESPLORA": {
- "REST_API_URL": "http://127.0.0.1:2002"
+ "REST_API_URL": "http://127.0.0.1:4002"
 },
 "DATABASE": {
 "ENABLED": true,
diff --git a/production/nginx-mempool.conf b/production/nginx-mempool.conf
index cee3db369..bff7be8a4 100644
--- a/production/nginx-mempool.conf
+++ b/production/nginx-mempool.conf
@@ -33,9 +33,6 @@
 # fallback for all URLs i.e. /address/foo /tx/foo /block/000
 location / {
-# if ($http_user_agent ~* "(Google|Bing|Yandex|Slack|Keybase|Twitter)") {
-# proxy_pass https://node202.mempool.space;
-# }
 try_files /$lang/$uri /$lang/$uri/ $uri $uri/ /en-US/$uri @index-redirect;
 }
 location @index-redirect {
@@ -60,7 +57,7 @@
 }
 # old /explorer redirect from v1 days
 location /explorer {
- try_files $uri =410;
+ rewrite /explorer/(.*) https://$host/$1 permanent;
 }
 # static API docs
@@ -107,11 +104,11 @@
 # mainnet API
 location /api/v1/donations {
- proxy_pass http://127.0.0.1:9001;
+ proxy_pass https://node220.bitcoin.wiz.biz;
 # don't rate limit this API prefix
 }
 location /api/v1/donations/images {
- proxy_pass http://127.0.0.1:9001;
+ proxy_pass https://node220.bitcoin.wiz.biz;
 proxy_cache cache;
 proxy_cache_valid 200 1d;
 }
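Review bot: The new `/explorer` redirect in nginx-mempool.conf builds its target from `$host`, which nginx takes from the client's request, and its rewrite pattern is unanchored. If this include is ever used by a server block that also answers for unmatched names, the 301 would reflect whatever host the client sent. A bare `/explorer` request (no trailing slash) also does not match `/explorer/(.*)` and falls through to the location's default handling instead of redirecting. Anchoring the pattern and pinning the host covers both, e.g. `rewrite ^/explorer/?(.*)$ https://$server_name/$1 permanent;` or a fixed hostname in place of `$server_name`.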
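Review bot: The new `proxy_pass https://node220.bitcoin.wiz.biz;` in both donations locations is encrypted but not authenticated, because nginx neither verifies an upstream certificate nor sends SNI unless configured to. The old target was loopback, so this is a new network hop, and it carries donation data that users will act on; tampering on that path or with name resolution would go unnoticed. Consider adding to both locations `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <CA_BUNDLE_PATH>;` and `proxy_ssl_server_name on;`. The hostname in a literal `proxy_pass` is also resolved only when the configuration is loaded, which is worth a comment given that the commit is about failover.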
@@ -125,6 +122,18 @@
 proxy_pass http://127.0.0.1:8999/api/v1;
 limit_req burst=50 nodelay zone=api;
 }
+ location /api/address {
+ proxy_pass http://electrs-mainnet/address;
+ limit_req burst=50 nodelay zone=electrs-address;
+ }
+ location /api/tx {
+ proxy_pass http://electrs-mainnet/tx;
+ limit_req burst=50 nodelay zone=electrs-tx;
+ }
+ location /api/block {
+ proxy_pass http://electrs-mainnet/block;
+ limit_req burst=50 nodelay zone=electrs-block;
+ }
 location /api/ {
 proxy_pass http://electrs-mainnet/;
 limit_req burst=50 nodelay zone=electrs;
@@ -198,7 +207,7 @@
 limit_req burst=50 nodelay zone=electrs;
 }
- # mainnet API
+ # websockets
 location /ws {
 proxy_pass http://127.0.0.1:8999/;
 proxy_http_version 1.1;
@@ -223,3 +232,9 @@
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "Upgrade";
 }
+ location /ws/signet {
+ proxy_pass http://127.0.0.1:8995/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
diff --git a/production/nginx.conf b/production/nginx.conf
index a83dbc925..3b24c646b 100644
--- a/production/nginx.conf
+++ b/production/nginx.conf
@@ -54,6 +54,9 @@ http {
 proxy_cache_path /var/cache/nginx keys_zone=cache:20m levels=1:2 inactive=600s max_size=500m;
 types_hash_max_size 2048;
+ # set proxy to use http/1.1
+ proxy_http_version 1.1;
+
 # exempt localhost from rate limit
 geo $limited_ip {
 default 1;
@@ -70,6 +73,9 @@ http {
 # rate limit requests
 limit_req_zone $limited_ip_key zone=api:5m rate=200r/m;
+ limit_req_zone $limited_ip_key zone=electrs-address:5m rate=100r/m;
+ limit_req_zone $limited_ip_key zone=electrs-block:5m rate=200r/m;
+ limit_req_zone $limited_ip_key zone=electrs-tx:5m rate=300r/m;
 limit_req_zone $limited_ip_key zone=electrs:5m rate=2000r/m;
 limit_req_status 429;
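Review bot: The stricter `electrs-address`, `electrs-tx` and `electrs-block` limits are attached only to the mainnet `/api/...` prefixes added in the first nginx-mempool.conf hunk here. The other networks' API locations are outside these hunks, but the context at old line 198 still shows `zone=electrs`, which nginx.conf defines at 2000r/m. If address lookups are throttled because they are expensive for electrs, the same lookups through the other network prefixes may still be available at the looser rate, so confirm those locations get matching zones. `location /api/block` and `location /api/tx` are also plain prefix matches, so sibling paths that merely start with those strings land in the tighter zones; a comment such as `# prefix match on purpose: also covers paths that start with /api/block` would record whether that is intended.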
@@ -132,11 +138,12 @@ http {
 }
 upstream electrs-mainnet {
- server [2401:b140:1::100:220]:3000 fail_timeout=0s max_fails=0;
+ server [::1]:3000 fail_timeout=10s max_fails=10;
+ server [2401:b140:1::100:220]:3000 backup;
 server [2401:b140:1::100:210]:3000 backup;
 }
 server {
- listen 127.0.0.1:2000;
+ listen 127.0.0.1:4000;
 access_log /dev/null;
 location / {
 proxy_pass http://electrs-mainnet;
@@ -144,11 +151,12 @@ http {
 }
 upstream electrs-liquid {
- server [2401:b140:1::100:220]:3001 fail_timeout=0s max_fails=0;
+ server [::1]:3001 fail_timeout=10s max_fails=10;
+ server [2401:b140:1::100:220]:3001 backup;
 server [2401:b140:1::100:210]:3001 backup;
 }
 server {
- listen 127.0.0.1:2001;
+ listen 127.0.0.1:4001;
 access_log /dev/null;
 location / {
 proxy_pass http://electrs-liquid;
@@ -156,11 +164,12 @@ http {
 }
 upstream electrs-testnet {
- server [2401:b140:1::100:220]:3002 fail_timeout=0s max_fails=0;
+ server [::1]:3002 fail_timeout=10s max_fails=10;
+ server [2401:b140:1::100:220]:3002 backup;
 server [2401:b140:1::100:210]:3002 backup;
 }
 server {
- listen 127.0.0.1:2002;
+ listen 127.0.0.1:4002;
 access_log /dev/null;
 location / {
 proxy_pass http://electrs-testnet;
@@ -168,10 +177,12 @@ http {
 }
 upstream electrs-signet {
- server [2401:b140:1::100:220]:3003;
+ server [::1]:3003 fail_timeout=10s max_fails=10;
+ server [2401:b140:1::100:220]:3003 backup;
+ server [2401:b140:1::100:210]:3003 backup;
 }
 server {
- listen 127.0.0.1:2003;
+ listen 127.0.0.1:4003;
 access_log /dev/null;
 location / {
 proxy_pass http://electrs-signet;
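Review bot: Failover in these four upstream blocks (mainnet first, then liquid, testnet and signet) rests on nginx's passive checks only. The local `[::1]` electrs is set aside only after connection errors or timeouts, `max_fails=10` within `fail_timeout=10s`. A local electrs that still answers but is syncing or stuck on an old tip would presumably remain primary, and the `backup` servers would never be consulted. That limit is worth a comment above each primary line, e.g. `# passive checks only: a reachable but stale local electrs is NOT failed over`, with tip height monitored out of band. The backup hops to the `2401:b140:1::100:*` hosts are plain `http://` as well, so their responses are accepted without transport authentication.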
@@ -180,28 +191,25 @@ http {
 server {
 listen 80;
- server_name mempool.space mempool.ninja node100.bitcoin.wiz.biz;
- return 301 https://$host$request_uri;
+ server_name mempool.space node100.mempool.space;
+ if ($host = mempool.space)
+ {
+ return 301 https://$host$request_uri;
+ }
+ if ($host = node100.mempool.space)
+ {
+ return 301 https://$host$request_uri;
+ }
+ return 503;
 }
 server {
+ listen 127.0.0.1:80;
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- server_name node100.bitcoin.wiz.biz;
- ssl_certificate /usr/local/etc/letsencrypt/live/node100.bitcoin.wiz.biz/fullchain.pem;
- ssl_certificate_key /usr/local/etc/letsencrypt/live/node100.bitcoin.wiz.biz/privkey.pem;
- include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;
-
- include /usr/local/etc/nginx/nginx-mempool.conf;
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name mempool.ninja;
- ssl_certificate /usr/local/etc/letsencrypt/live/mempool.ninja/fullchain.pem;
- ssl_certificate_key /usr/local/etc/letsencrypt/live/mempool.ninja/privkey.pem;
+ server_name node100.mempool.space;
+ ssl_certificate /usr/local/etc/letsencrypt/live/node100.mempool.space/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/node100.mempool.space/privkey.pem;
 include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;
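Review bot: Clients of the added `listen 127.0.0.1:80;` all arrive with source address 127.0.0.1 and are served the full site over plain HTTP from the TLS server block. The `geo $limited_ip` block earlier in nginx.conf is commented "exempt localhost from rate limit" (its entries are outside the hunks), so if a local front end forwards public traffic to this listener, those requests would presumably bypass every `limit_req` zone, including the new electrs ones. If that is the purpose, give the loopback listener its own server block with explicit limits, or at least document it in place, e.g. `# loopback HTTP listener: clients appear as 127.0.0.1 and are exempt from limit_req`. The server block's closing brace is outside this hunk.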