From 56231b564b0ed4dfbe23faf22029dd39e928a9f2 Mon Sep 17 00:00:00 2001
From: Ravachol Yang
Date: Wed, 3 Apr 2024 03:21:17 +0800
Subject: [PATCH] UDS reverse proxy (#18)
* add unix domain socket support
* fixed nginx configuration
---
 .env.toml | 3 ++-
 README.md | 14 +++++++++++++-
 configs/env.py | 4 ++++
 example.com.conf | 34 ++++++++++++++++++++++++++++++++++
 nginx.conf | 29 +++++------------------------
 server.py | 29 ++++++++++++++++++++---------
 6 files changed, 78 insertions(+), 35 deletions(-)
 create mode 100644 example.com.conf
diff --git a/.env.toml b/.env.toml
index d738f3c..024f9a9 100644
--- a/.env.toml
+++ b/.env.toml
@@ -18,5 +18,6 @@ port = 443 # telegram webhook requires ssl
 [ssl]
+enabled = false # a reverse proxy is recommended
 cert = "" # path to your fullchain.pem
-priv = "" # path to your priv.pem
+priv = "" # path to your priv.pem
\ No newline at end of file
diff --git a/README.md b/README.md
index 2135a20..1b5d94d 100644
--- a/README.md
+++ b/README.md
@@ -65,10 +65,22 @@ Static resources are hosted in `public/` and the bot-generated contents are unde
 ```
 copy and change the config file to configure Nginx:
 ``` shell
-cp nginx.conf /etc/nginx/sites-available/example.com
+cp example.conf /etc/nginx/sites-available/example.com
 # don't forget to change it !!
 ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled
 ```
+add `map` block in `nginx.conf` into your system `nginx.conf`'s `http` block
+
+``` nginx
+http {
+ # other stuff ...
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+}
+```
+
 restart `nginx.service`
 ### Running
 In the project directory, run `python3`
diff --git a/configs/env.py b/configs/env.py
index 1550d25..eb270ca 100644
--- a/configs/env.py
+++ b/configs/env.py
@@ -41,6 +41,10 @@
 key = "port",
 default = SERVER_PORT)
+SSL_ENABLED = env(section = "ssl",
+ key = "enabled",
+ default = False)
+
 # path to your ssl cert file
 SSL_CERT = env(section = "ssl",
 key = "cert",
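Review bot: The new `enabled` key only carries the remark that a reverse proxy is recommended; it never says what `false` does, which matters because with `false` the server speaks plain HTTP on its listener and `cert`/`priv` go unused. Suggest `enabled = false # true: uvicorn terminates TLS itself with cert/priv below; false (recommended): plain HTTP behind a TLS-terminating reverse proxy, cert/priv ignored`. I take the false-branch behaviour from the server.py change in this same patch rather than from this file, so adjust the wording to whatever run() ends up doing.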
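Review bot: `SSL_ENABLED` is consumed as a bare truth value by `if SSL_ENABLED` in server.py, so it is only correct if `env()` returns the TOML boolean unchanged; I cannot see `env()` in this patch, and if it can also fall back to a process environment variable or any other string source, `"false"` is truthy and TLS gets switched on with empty cert paths. Either document that contract on `env()` or normalise here, e.g. keep the call as is and follow it with `SSL_ENABLED = SSL_ENABLED if isinstance(SSL_ENABLED, bool) else str(SSL_ENABLED).lower() in ("1", "true", "yes")`. A short comment on the setting, `# bool; when False uvicorn serves plain HTTP and cert/priv are ignored`, would also help the next reader.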
diff --git a/example.com.conf b/example.com.conf
new file mode 100644
index 0000000..c6cd800
--- /dev/null
+++ b/example.com.conf
@@ -0,0 +1,34 @@
+# Nginx config template
+# Don't forget to change it to meet your own env
+upstream uvicorn {
+ server unix:/tmp/randomology/uvicorn.sock;
+}
+
+server {
+ listen 80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ client_max_body_size 4G;
+
+ server_name example.com;
+
+ ssl_certificate /path/to/fullchain.pem;
+ ssl_certificate_key /path/to/privkey.pem;
+
+ location / {
+ root /var/www/example.com/public;
+ }
+
+ # your webhook
+ location /your-webhook-uri {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_pass http://uvicorn/your-webhook-uri;
+ }
+}
diff --git a/nginx.conf b/nginx.conf
index 01e2d8a..79946b7 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,27 +1,8 @@
 # Nginx config template
-# Don't forget to change it to meet your own env
-
-server {
- listen 80;
- listen 443 ssl;
- listen [::]:443 ssl;
-
- server_name example.com;
-
- ssl_certificate /path/to/fullchain.pem;
- ssl_certificate_key /path/to/privkey.pem;
-
- # redirect to https
- if ($scheme = http) {
- return 301 https://$server_name$request_uri;
- }
-
- location / {
- root /var/www/example.com/public;
- }
-
- # your webhook
- location /your-webhook-uri {
- proxy_pass http://127.0.0.1:8443/your-webhook-uri/;
+# move map block to system nginx.conf
+http {
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
 }
 }
diff --git a/server.py b/server.py
index 59712e4..718f507 100644
--- a/server.py
+++ b/server.py
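Review bot: Dropping the old template's `return 301 https://...` (visible in the removed lines of the nginx.conf hunk) while keeping `listen 80;` in the same server block means `/your-webhook-uri` and the static root are now served over plain HTTP as well as TLS, so the port-80 listener should be a separate server that only redirects. `client_max_body_size 4G;` is inherited by the webhook location too; a Telegram update is a few kilobytes, and a multi-gigabyte cap just lets anyone stream large bodies at uvicorn, so cap it per location. The README in this patch copies `example.conf`, but the file added here is `example.com.conf`, so one of the two names needs to change. Rewritten server blocks below; the upstream, proxy headers and socket path are unchanged.
```nginx
# port 80 only redirects; the webhook is reachable over TLS alone
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # … unchanged: server_name, ssl_certificate*, location / …

    location /your-webhook-uri {
        # Telegram updates are a few KB; do not inherit the 4G server-wide cap here
        client_max_body_size 1m;
        # … unchanged: proxy_set_header / proxy_redirect / proxy_buffering / proxy_pass …
    }
}
```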
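Review bot: `nginx.conf` now wraps the `map` in its own `http { ... }`, which stops the file being used with `include`: nginx does not accept `http` nested inside `http`, so the README has to tell people to hand-merge the block into the system `nginx.conf`. Ship only the `map` block with a comment, `# drop into /etc/nginx/conf.d/ (included inside the http block of nginx.conf)`, and installation becomes a copy instead of a paste. The `# move map block to system nginx.conf` comment would then go.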
@@ -17,11 +17,13 @@
 WEBHOOK_HOST = env.WEBHOOK_HOST
 WEBHOOK_PORT = env.WEBHOOK_PORT
+SSL_ENABLED = env.SSL_ENABLED
 SSL_CERT = env.SSL_CERT
 SSL_PRIV = env.SSL_PRIV
 URL_BASE = "https://{}:{}".format(WEBHOOK_HOST, WEBHOOK_PORT)
 URL_PATH = "/{}/".format(BOT_NAME)
+UDS_PATH = "/tmp/randomology/uvicorn.sock"
 # when in production
 def run(bot:TeleBot):
@@ -43,15 +45,24 @@ def process_webhook(update:dict):
 bot.set_webhook(
 url=URL_BASE+URL_PATH
 )
-
- # run the server
- uvicorn.run(
- app,
- host=SERVER_LISTEN,
- port=SERVER_PORT,
- ssl_certfile=SSL_CERT,
- ssl_keyfile=SSL_PRIV
- )
+
+ if SSL_ENABLED :
+ # run the server
+ uvicorn.run(
+ app,
+ host=SERVER_LISTEN,
+ port=SERVER_PORT,
+ ssl_certfile=SSL_CERT,
+ ssl_keyfile=SSL_PRIV,
+ uds=UDS_PATH
+ )
+ else:
+ uvicorn.run(
+ app,
+ host=SERVER_LISTEN,
+ port=SERVER_PORT,
+ uds=UDS_PATH
+ )
 # when in dev environment
 def run_dev(bot:TeleBot):
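Review bot: `UDS_PATH` hard-codes the socket under `/tmp`, a world-writable directory: nothing in this patch creates the `randomology` subdirectory, so whichever local user creates it first (before the service starts) owns it, and uvicorn, as far as I recall its `bind_socket`, chmods the socket to 0666, so any local user can then talk to the app directly and POST fabricated updates past nginx. Put the socket under a service-owned runtime directory and read the path from the config like the other `env.*` settings in this hunk, e.g. `UDS_PATH = env.UDS_PATH  # e.g. /run/randomology/uvicorn.sock; the directory must exist and be owned by the service user`, with a matching entry in `.env.toml` and `configs/env.py`. `run()` begins on the last line of this hunk and its body continues past it.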
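Review bot: The `SSL_ENABLED` branch passes `ssl_certfile`/`ssl_keyfile` together with `uds=UDS_PATH`; as I read uvicorn's `Config.bind_socket`, a `uds` takes precedence over `host`/`port`, so with TLS enabled the server would wrap the unix socket in TLS and never listen on the `SERVER_LISTEN:SERVER_PORT` that `URL_BASE` advertises to Telegram, while nginx's `proxy_pass http://uvicorn` would be speaking plaintext into that TLS socket. The two modes should be exclusive: TLS-in-uvicorn listens on TCP with no socket, and the proxied mode listens on the socket alone, which also removes the duplicated `host`/`port` arguments and the stray space in `if SSL_ENABLED :`. Separately, the context line `bot.set_webhook( url=URL_BASE+URL_PATH )` sets no `secret_token`, so nothing in `run()` lets the app tell Telegram from anyone else who finds the path; worth a follow-up if your telebot version supports it. `run()` starts in the previous hunk and its `process_webhook` closure is outside this one.
```python
    # … unchanged: bot.set_webhook(...) …
    if SSL_ENABLED:
        # uvicorn terminates TLS itself, so it must listen on the TCP
        # host:port that URL_BASE advertises to Telegram; no unix socket here.
        uvicorn.run(
            app,
            host=SERVER_LISTEN,
            port=SERVER_PORT,
            ssl_certfile=SSL_CERT,
            ssl_keyfile=SSL_PRIV,
        )
    else:
        # plain HTTP behind the nginx reverse proxy: the unix socket is the only
        # listener, so host/port are not passed (uvicorn would ignore them anyway).
        uvicorn.run(app, uds=UDS_PATH)
```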