mesa/docs/ci/uri-caching.conf

set $proxy_authorization '';

set_by_lua $proxyuri '
        local unescaped =  ngx.unescape_uri(ngx.var.arg_uri);
        local it, err = ngx.re.match(unescaped, "(https?://)(.*@)?([^/]*)(/.*)?");
        if not it then
                -- Hack to cause nginx to return 404
                return "http://localhost/404"
        end

        local scheme = it[1];
        local authstring = it[2];
        local host = it[3];
        local query = it[4];

        if ngx.var.http_authorization and ngx.var.http_authorization ~= "" then
                ngx.var.proxy_authorization = ngx.var.http_authorization;
        elseif authstring then
                auth = string.sub(authstring, 0, -2);
                auth64 = ngx.encode_base64(auth);
                ngx.var.proxy_authorization = "Basic " .. auth64;
        end

        -- Default to / if none is set to avoid using the request_uri query
        if not query then
                query = "/";
        end

        return scheme .. host .. query;
';

# Rewrite the location header to redirect back to this server. Do
# this using lua header filtering to allow for url encoding the original
# location header for use as a query parameter.
header_filter_by_lua_block {
        if ngx.header.location then
                ngx.header.location = "/cache?uri=" .. ngx.escape_uri(ngx.header.location);
        end
}

proxy_set_header Authorization $proxy_authorization;

proxy_pass $proxyuri;

proxy_cache_path /var/cache/nginx/ levels=1:2 keys_zone=my_cache:10m max_size=50g inactive=2w use_temp_path=off;

server {
	listen 80 default_server;
	listen [::]:80 default_server;

	root /var/www/html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	add_header X-GG-Cache-Status $upstream_cache_status;
	proxy_cache my_cache;
	# dnsmasq should be running on all dispatchers; listening on 127.0.0.1/8 for
	# those running in docker 127.0.0.11 is the default resolver so this address
	# covers both use-cases
	resolver 127.0.0.11;

	# Wait for the cache creation when multiple query are done for the same file
	proxy_cache_lock on;
	proxy_cache_lock_age 30m;
	proxy_cache_lock_timeout 1h;

	location /force_cache {
		internal;
		# On some setups the cache headers will indicate to nginx that the
		# artifacts shouldn't be cached, however if we know that that is not valid
		# for lava usage this endpoint allows caching to be forced instead
		proxy_cache_valid 200 48h;
		proxy_ignore_headers Cache-Control Set-Cookie expires;
		include snippets/uri-caching.conf;
	}

	location /fdo_cache {
		internal;
		# As the auth information in the query is being dropped, use
		# the minimal possible cache validity, such that in practise
		# every requests gets revalidated. This avoids
		# unauthenticated downloads from our cache as the cache key doesn't
		# include auth info
		proxy_cache_valid 200 1s;
		proxy_cache_revalidate on;
		proxy_ignore_headers Cache-Control Set-Cookie expires;
		set_by_lua_block $cache_key {
			-- Set the cache key to the uri with the query stripped
			local unescaped =  ngx.unescape_uri(ngx.var.arg_uri);
			local it,err = ngx.re.match(unescaped, "([^?]*).*")
			if not it then
				-- Fallback on the full uri as key if the regexp fails
				return ngx.var.arg_uri;
			end
			return it[1]
		}
		proxy_cache_key $cache_key;
		include snippets/uri-caching.conf;
	}

	location /cache {
		# Gitlabs http server puts everything as no-cache even though
		# the artifacts URLS don't change.
		if ($arg_uri ~*  /.*gitlab.*artifacts(\/|%2F)raw/ ) {
			rewrite ^ /force_cache;
		}

		# fd.o's object storage has an embedded signature for
		# authentication as part of its query. So use an adjusted cache key
		# without the query
		if ($arg_uri ~*  .*your-objectstorage.com(\/|%2F)fdo-opa(\/|%2F)) {
			rewrite ^ /fdo_cache;
		}

		# Set a really low validity together with cache revalidation; Our goal
		# for caching isn't to lower the number of http requests but to
		# lower the amount of data transfer. Also for some test
		# scenarios (typical manual tests) the file at a given url
		# might get modified so avoid confusion by ensuring
		# revalidations happens often.
		proxy_cache_valid 200 10s;
		proxy_cache_revalidate on;
		include snippets/uri-caching.conf;
	}
}
docs/ci: Update http cache config to let Authorization headers pass through When downloading traces from a restricted repository, the Authorization header will be set. Previous to this change, the http proxy would drop it. Signed-off-by: Tomeu Vizoso <tomeu.vizoso@collabora.com> Reviewed-by: Emma Anholt <emma@anholt.net> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/6441> 2021-04-14 15:16:14 +02:00			`set $proxy_authorization '';`
docs/ci: Document setting up the http cache for traces. Reviewed-by: Daniel Stone <daniel@fooishbar.org> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/8727> 2021-01-21 13:55:02 -08:00
			`set_by_lua $proxyuri '`
docs/ci: Fix nginx caching instructions The new s3-proxy we have on fd.o is just a redirecting agent: it queries the policy and, if allowed, returns a URL with temporary credentials where the client can pull the real data from. This means that nginx would see /fdo-opa/mesa-rootfs/misc?key=foo and /fdo-opa/mesa-rootfs/misc?key=bar as distinct objects, not knowing that it could cache only on the base URL. Strip the query params from the nginx cache key so we can actually do caching. Signed-off-by: Daniel Stone <daniels@collabora.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/34244> 2025-03-27 16:58:29 +00:00			`local unescaped = ngx.unescape_uri(ngx.var.arg_uri);`
			`local it, err = ngx.re.match(unescaped, "(https?://)(.@)?([^/])(/.*)?");`
docs/ci: Document setting up the http cache for traces. Reviewed-by: Daniel Stone <daniel@fooishbar.org> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/8727> 2021-01-21 13:55:02 -08:00			`if not it then`
			`-- Hack to cause nginx to return 404`
			`return "http://localhost/404"`
			`end`

docs/ci: Fix nginx caching instructions The new s3-proxy we have on fd.o is just a redirecting agent: it queries the policy and, if allowed, returns a URL with temporary credentials where the client can pull the real data from. This means that nginx would see /fdo-opa/mesa-rootfs/misc?key=foo and /fdo-opa/mesa-rootfs/misc?key=bar as distinct objects, not knowing that it could cache only on the base URL. Strip the query params from the nginx cache key so we can actually do caching. Signed-off-by: Daniel Stone <daniels@collabora.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/34244> 2025-03-27 16:58:29 +00:00			`local scheme = it[1];`
			`local authstring = it[2];`
			`local host = it[3];`
			`local query = it[4];`
docs/ci: Document setting up the http cache for traces. Reviewed-by: Daniel Stone <daniel@fooishbar.org> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/8727> 2021-01-21 13:55:02 -08:00
docs/ci: Update http cache config to let Authorization headers pass through When downloading traces from a restricted repository, the Authorization header will be set. Previous to this change, the http proxy would drop it. Signed-off-by: Tomeu Vizoso <tomeu.vizoso@collabora.com> Reviewed-by: Emma Anholt <emma@anholt.net> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/6441> 2021-04-14 15:16:14 +02:00			`if ngx.var.http_authorization and ngx.var.http_authorization ~= "" then`
			`ngx.var.proxy_authorization = ngx.var.http_authorization;`
			`elseif authstring then`
docs/ci: Document setting up the http cache for traces. Reviewed-by: Daniel Stone <daniel@fooishbar.org> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/8727> 2021-01-21 13:55:02 -08:00			`auth = string.sub(authstring, 0, -2);`
			`auth64 = ngx.encode_base64(auth);`
docs/ci: Update http cache config to let Authorization headers pass through When downloading traces from a restricted repository, the Authorization header will be set. Previous to this change, the http proxy would drop it. Signed-off-by: Tomeu Vizoso <tomeu.vizoso@collabora.com> Reviewed-by: Emma Anholt <emma@anholt.net> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/6441> 2021-04-14 15:16:14 +02:00			`ngx.var.proxy_authorization = "Basic " .. auth64;`
docs/ci: Document setting up the http cache for traces. Reviewed-by: Daniel Stone <daniel@fooishbar.org> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/8727> 2021-01-21 13:55:02 -08:00			`end`

			`-- Default to / if none is set to avoid using the request_uri query`
			`if not query then`
			`query = "/";`
			`end`

			`return scheme .. host .. query;`
			`';`

docs/ci: Fix nginx caching instructions The new s3-proxy we have on fd.o is just a redirecting agent: it queries the policy and, if allowed, returns a URL with temporary credentials where the client can pull the real data from. This means that nginx would see /fdo-opa/mesa-rootfs/misc?key=foo and /fdo-opa/mesa-rootfs/misc?key=bar as distinct objects, not knowing that it could cache only on the base URL. Strip the query params from the nginx cache key so we can actually do caching. Signed-off-by: Daniel Stone <daniels@collabora.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/34244> 2025-03-27 16:58:29 +00:00			`# Rewrite the location header to redirect back to this server. Do`
			`# this using lua header filtering to allow for url encoding the original`
			`# location header for use as a query parameter.`
			`header_filter_by_lua_block {`
			`if ngx.header.location then`
			`ngx.header.location = "/cache?uri=" .. ngx.escape_uri(ngx.header.location);`
			`end`
			`}`

docs/ci: Update http cache config to let Authorization headers pass through When downloading traces from a restricted repository, the Authorization header will be set. Previous to this change, the http proxy would drop it. Signed-off-by: Tomeu Vizoso <tomeu.vizoso@collabora.com> Reviewed-by: Emma Anholt <emma@anholt.net> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/6441> 2021-04-14 15:16:14 +02:00			`proxy_set_header Authorization $proxy_authorization;`
docs/ci: Document setting up the http cache for traces. Reviewed-by: Daniel Stone <daniel@fooishbar.org> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/8727> 2021-01-21 13:55:02 -08:00
			`proxy_pass $proxyuri;`
docs/ci: Fix nginx caching instructions The new s3-proxy we have on fd.o is just a redirecting agent: it queries the policy and, if allowed, returns a URL with temporary credentials where the client can pull the real data from. This means that nginx would see /fdo-opa/mesa-rootfs/misc?key=foo and /fdo-opa/mesa-rootfs/misc?key=bar as distinct objects, not knowing that it could cache only on the base URL. Strip the query params from the nginx cache key so we can actually do caching. Signed-off-by: Daniel Stone <daniels@collabora.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/34244> 2025-03-27 16:58:29 +00:00
			`proxy_cache_path /var/cache/nginx/ levels=1:2 keys_zone=my_cache:10m max_size=50g inactive=2w use_temp_path=off;`

			`server {`
			`listen 80 default_server;`
			`listen [::]:80 default_server;`

			`root /var/www/html;`

			`server_name _;`

			`location / {`
			`# First attempt to serve request as file, then`
			`# as directory, then fall back to displaying a 404.`
			`try_files $uri $uri/ =404;`
			`}`

			`add_header X-GG-Cache-Status $upstream_cache_status;`
			`proxy_cache my_cache;`
			`# dnsmasq should be running on all dispatchers; listening on 127.0.0.1/8 for`
			`# those running in docker 127.0.0.11 is the default resolver so this address`
			`# covers both use-cases`
			`resolver 127.0.0.11;`

			`# Wait for the cache creation when multiple query are done for the same file`
			`proxy_cache_lock on;`
			`proxy_cache_lock_age 30m;`
			`proxy_cache_lock_timeout 1h;`

			`location /force_cache {`
			`internal;`
			`# On some setups the cache headers will indicate to nginx that the`
			`# artifacts shouldn't be cached, however if we know that that is not valid`
			`# for lava usage this endpoint allows caching to be forced instead`
			`proxy_cache_valid 200 48h;`
			`proxy_ignore_headers Cache-Control Set-Cookie expires;`
			`include snippets/uri-caching.conf;`
			`}`

			`location /fdo_cache {`
			`internal;`
			`# As the auth information in the query is being dropped, use`
			`# the minimal possible cache validity, such that in practise`
			`# every requests gets revalidated. This avoids`
			`# unauthenticated downloads from our cache as the cache key doesn't`
			`# include auth info`
			`proxy_cache_valid 200 1s;`
			`proxy_cache_revalidate on;`
			`proxy_ignore_headers Cache-Control Set-Cookie expires;`
			`set_by_lua_block $cache_key {`
			`-- Set the cache key to the uri with the query stripped`
			`local unescaped = ngx.unescape_uri(ngx.var.arg_uri);`
			`local it,err = ngx.re.match(unescaped, "([^?]).")`
			`if not it then`
			`-- Fallback on the full uri as key if the regexp fails`
			`return ngx.var.arg_uri;`
			`end`
			`return it[1]`
			`}`
			`proxy_cache_key $cache_key;`
			`include snippets/uri-caching.conf;`
			`}`

			`location /cache {`
			`# Gitlabs http server puts everything as no-cache even though`
			`# the artifacts URLS don't change.`
			`if ($arg_uri ~* /.gitlab.artifacts(\/\|%2F)raw/ ) {`
			`rewrite ^ /force_cache;`
			`}`

			`# fd.o's object storage has an embedded signature for`
			`# authentication as part of its query. So use an adjusted cache key`
			`# without the query`
			`if ($arg_uri ~* .*your-objectstorage.com(\/\|%2F)fdo-opa(\/\|%2F)) {`
			`rewrite ^ /fdo_cache;`
			`}`

			`# Set a really low validity together with cache revalidation; Our goal`
			`# for caching isn't to lower the number of http requests but to`
			`# lower the amount of data transfer. Also for some test`
			`# scenarios (typical manual tests) the file at a given url`
			`# might get modified so avoid confusion by ensuring`
			`# revalidations happens often.`
			`proxy_cache_valid 200 10s;`
			`proxy_cache_revalidate on;`
			`include snippets/uri-caching.conf;`
			`}`
			`}`