Provide sample nginx conf #159

Closed
jholdstock opened this issue Jul 23, 2020 · 5 comments
@jholdstock
Member

We probably need two things here:

  1. Sample of full nginx config for a new vspd deployment
    • cache web resources
    • rate limiting
  2. A snippet of nginx conf which can be added to an existing dcrstakepool deployment
    • Handling for the homepage (how to handle this is tbc)
    • Forward /v3/ requests to vspd, leave all other requests going to dcrstakepool
@jholdstock jholdstock added this to the 1.0.0 milestone Jul 23, 2020
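Item 1 above (a full nginx config for a new, vspd-only deployment) never received a sample in this thread. The following is an added example written for this page; it is not configuration from the vspd project or from any of the commenters. The hostname vsp.example.com, the certificate paths, the 203.0.113.10 and 198.51.100.0/24 allowlist entries, the /opt/vspd/webapi/public/ static directory, and vspd listening on 127.0.0.1:8800 are all assumptions to be replaced for a real deployment.

```nginx
# Added example (not vspd project code). Lives in the http {} context of
# nginx.conf or a file under conf.d/. All hostnames, IPs and paths are assumptions.

# One per-client-IP bucket for the JSON API, a more generous one for the web page.
limit_req_zone $binary_remote_addr zone=vspd_api:10m rate=2r/s;
limit_req_zone $binary_remote_addr zone=vspd_web:10m rate=10r/s;
# Answer 429 rather than the default 503 when a client is throttled, so
# wallets can tell throttling apart from a broken backend.
limit_req_status 429;

# Plain HTTP only redirects to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name vsp.example.com;            # assumption
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name vsp.example.com;            # assumption

    ssl_certificate     /etc/letsencrypt/live/vsp.example.com/fullchain.pem;  # assumption
    ssl_certificate_key /etc/letsencrypt/live/vsp.example.com/privkey.pem;   # assumption
    ssl_protocols TLSv1.2 TLSv1.3;

    # Security headers. Caveat: an add_header inside a location replaces ALL of
    # these for that location, so repeat them there if you ever add one.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;

    # API request bodies are small JSON documents; reject anything larger
    # before it reaches the backend.
    client_max_body_size 64k;

    # Headers forwarded to vspd. $remote_addr is the TCP peer; if a CDN or
    # another proxy sits in front of nginx, set_real_ip_from/real_ip_header
    # must be configured or the allowlist below is meaningless.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # JSON API used by wallets: tight per-IP limit, short burst, no queueing.
    location /api/v3/ {
        limit_req zone=vspd_api burst=10 nodelay;
        proxy_pass http://127.0.0.1:8800/api/v3/;   # assumption: vspd on 127.0.0.1:8800
    }

    # Admin endpoints: network allowlist instead of rate limiting.
    location /admin/ {
        allow 203.0.113.10/32;    # assumption: administrator address
        allow 198.51.100.0/24;    # assumption: monitoring network
        deny all;
        proxy_pass http://127.0.0.1:8800/admin/;
    }

    # Static assets served by nginx itself; expires sets Cache-Control and Expires.
    location /public/ {
        alias /opt/vspd/webapi/public/;   # assumption: vspd's static directory on disk
        expires 2d;
    }

    # Everything else (the public status page) goes to vspd under the looser limit.
    location / {
        limit_req zone=vspd_web burst=20 delay=10;
        proxy_pass http://127.0.0.1:8800;
    }
}
```

Run `nginx -t` before reloading; a mismatched zone name or a missing certificate file fails there rather than at runtime. The `delay=` parameter of `limit_req` needs nginx 1.15.7 or newer; on older builds drop it or use `nodelay`. Because `allow`/`deny` evaluate `$remote_addr`, an nginx instance behind a load balancer will see the balancer's address for every client, and `deny all` then locks the administrator out as well, which is why the realip settings are called out in the comments.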
@isuldor

isuldor commented Aug 3, 2020

Here's an example of keeping dcrstakepool on the root path, but implementing all of the expected api endpoints and the admin health-check without prepending. The only url changed is the single public vspd web page, to which you would add a link in the dcrstakepool template files.

# Declare rate limiting in the http directive
limit_req_zone $binary_remote_addr zone=vspd:10m rate=1r/s;
server {
    ...
    ## VSPD
    location /api/v3/ {
        # Rate limiting (the zone name must match the limit_req_zone declared above)
        limit_req zone=vspd burst=20 delay=40;
        # Trailing slash is required here.
        proxy_pass http://127.0.0.1:8800/api/v3/;
    }
    location /admin/ {
        # Use an allowlist instead of rate limiting
        allow <your-ip-address>/32;
        allow <monitoring-server-ip>/32;
        deny all;
        proxy_pass http://127.0.0.1:8800/admin/;
    }
    location /vspd/ {
        proxy_pass http://127.0.0.1:8800/;
    }
    location /vspd {
        # trailing slash required here
        return 302 /vspd/;
    }
    # Serve static resources directly.
    location /public/ {
        limit_req zone=vspd burst=40 delay=80;
        alias /opt/vspd/webapi/public/; # change this to the actual folder on disk
        # Set the Cache-Control and Expires headers for the static assets.
        expires 2d;
    }
    ## DCRSTAKEPOOL
    # Serve static resources directly.
    location /assets/ {
        limit_req zone=vspd burst=40 delay=80;
        alias /opt/dcrvsp/public/; # change this to the actual folder on disk
        expires 2d;
    }
    # Everything else is proxied to dcrstakepool.
    location / {
        limit_req zone=vspd burst=20 delay=40;
        # $realip_remote_addr needs ngx_http_realip_module; $remote_addr works without it.
        proxy_set_header X-Real-IP $realip_remote_addr;
        proxy_pass http://127.0.0.1:8000;
    }
}

@isuldor

isuldor commented Aug 18, 2020

Just a quick note and some additional thoughts to add. I noticed dcrweb bot is using the wrong url to scrape vspinfo:
GET /incognito/api/v3/vspinfo HTTP/2.0" 200 216 "-" "decred/dcrweb bot"
That should be using /api/v3/vspinfo.

I'm touching up my testnet config now and added an /admin/ location so that the /admin/status endpoint works without prepending incognito as well. Actually, the whole incognito page may never even be seen by users who use the VSP. But once people stop using dcrstakepool altogether it can become the new vsp home page. I'd also consider doing just that and keeping dcrstakepool itself under a /legacy/ location directive for lingering users. Smaller pools may want to start doing that straight away. I'll update my config above shortly. There's a lot of unnecessary stuff I should clean up since this is just a sample.

@isuldor

isuldor commented Aug 18, 2020

Here is an example of using vspd in the root path and moving the dcrstakepool homepage to a different path. Once again the aim is to keep all of the routes the same except the home page of the legacy dcrstakepool service. You would want to update your vspd template to include a link to dcrstakepool. I'd probably call it the "Legacy Login" or something like that.

# Declare rate limiting in the http directive
limit_req_zone $binary_remote_addr zone=vspd:10m rate=1r/s;
server {
    ...
    ## DCRSTAKEPOOL
    location /api/v2/ {
        # Rate limiting (the zone name must match the limit_req_zone declared above)
        limit_req zone=vspd burst=20 delay=40;
        # Trailing slash is required here.
        proxy_pass http://127.0.0.1:8000/api/v2/;
    }
    # Anchored with ^ so only dcrstakepool's top-level routes match, not any
    # vspd path that merely contains one of these words.
    location ~* ^/(stats|login|register|admintickets|status|settings|address|tickets|voting|logout|passwordreset|passwordupdate|verifyhuman|captchas) {
        proxy_pass http://127.0.0.1:8000;
    }
    location /dcrstakepool/ {
        limit_req zone=vspd burst=20 delay=40;
        proxy_pass http://127.0.0.1:8000/;
    }
    location /dcrstakepool {
        # Trailing slash is required here.
        return 302 /dcrstakepool/;
    }
    # Serve dcrstakepool's static resources directly.
    location /assets/ {
        limit_req zone=vspd burst=40 delay=80;
        alias /opt/dcrvsp/public/; # change this to the actual folder on disk
        expires 2d;
    }
    ## VSPD
    location = /admin/status {
        # Use an allowlist instead of rate limiting
        allow <your-ip-address>/32;
        allow <monitoring-server-ip>/32;
        deny all;
        proxy_pass http://127.0.0.1:8800/admin/status;
    }
    # Serve vspd's static resources directly.
    location /public/ {
        limit_req zone=vspd burst=40 delay=80;
        alias /opt/vspd/webapi/public/; # change this to the actual folder on disk
        # Set the Cache-Control and Expires headers for the static assets.
        expires 2d;
    }
    # Everything else is proxied to vspd.
    location / {
        limit_req zone=vspd burst=20 delay=40;
        proxy_pass http://127.0.0.1:8800;
    }
}

@isuldor

isuldor commented Oct 1, 2020

Here's another iteration, this time keeping it very simple and just having two separate "stats" pages for the two VSP daemons.

# Declare rate limiting in the http directive
limit_req_zone $binary_remote_addr zone=vspd:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=dcrstakepool:10m rate=1r/s;
server {
    ...
    ## VSPD
    location /api/v3/ {
        limit_req zone=vspd burst=10 delay=50; # Rate limiting
        # Trailing slash is required here.
        proxy_pass http://127.0.0.1:8800/api/v3/;
    }
    location /admin/ {
        # Restrict network access
        allow x.x.x.x/32; # administrator ip address
        allow x.x.x.x/32; # monitoring server ip address
        deny all;
        proxy_pass http://127.0.0.1:8800/admin/;
    }
    location /vspd-stats/ {
        limit_req zone=vspd burst=10 delay=50;
        proxy_pass http://127.0.0.1:8800/;
    }
    location /vspd-stats {
        # trailing slash is required
        return 302 /vspd-stats/;
    }
    location ~* ^/vspd-stats/(admin|api)/ {
        # prevent incorrect location usage. e.g. /vspd-stats/api/v3/vspinfo
        # (regex locations take precedence over the /vspd-stats/ prefix above)
        return 404;
    }
    # Serve static resources directly.
    location /public/ {
        alias /opt/vspd/webapi/public/; # change this to the actual folder on disk
        expires 2d;
    }
    ## DCRSTAKEPOOL
    # Serve static resources directly.
    location /assets/ {
        alias /opt/dcrstakepool/public/; # change this to the actual folder on disk
        expires 2d;
    }
    # Everything else is proxied to dcrstakepool.
    location / {
        limit_req zone=dcrstakepool burst=10 delay=50;
        proxy_set_header X-Real-IP $realip_remote_addr;
        proxy_pass http://127.0.0.1:8000;
    }
    # relocate /stats to more descriptive location
    location /dcrstakepool-stats/ {
        limit_req zone=dcrstakepool burst=10 delay=50;
        proxy_pass http://127.0.0.1:8000/stats;
    }
}

@jholdstock
Member Author

Closing this as all existing VSP operators are now updated to vspd. I don't want to include an nginx config in the vspd repo itself because the precise details of web server config remain a sysadmin decision, not something which is mandated by vspd.
