diff --git a/custom-domain/dstack-ingress/README.md b/custom-domain/dstack-ingress/README.md
index 3b2c478..e9eae37 100644
--- a/custom-domain/dstack-ingress/README.md
+++ b/custom-domain/dstack-ingress/README.md
@@ -180,6 +180,9 @@ configs:
 - `PROXY_READ_TIMEOUT`: Optional value for nginx `proxy_read_timeout` (numeric with optional `s|m|h` suffix, e.g. `30s`) in single-domain mode
 - `PROXY_SEND_TIMEOUT`: Optional value for nginx `proxy_send_timeout` (numeric with optional `s|m|h` suffix, e.g. `30s`) in single-domain mode
 - `PROXY_CONNECT_TIMEOUT`: Optional value for nginx `proxy_connect_timeout` (numeric with optional `s|m|h` suffix, e.g. `10s`) in single-domain mode
+- `PROXY_BUFFER_SIZE`: Optional value for nginx `proxy_buffer_size` (numeric with optional `k|m` suffix, e.g. `128k`) in single-domain mode
+- `PROXY_BUFFERS`: Optional value for nginx `proxy_buffers` (format: `number size`, e.g. `4 256k`) in single-domain mode
+- `PROXY_BUSY_BUFFERS_SIZE`: Optional value for nginx `proxy_busy_buffers_size` (numeric with optional `k|m` suffix, e.g. `256k`) in single-domain mode
 - `CERTBOT_STAGING`: Optional; set this value to the string `true` to set the `--staging` server option on the [`certbot` cli](https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options)
 
 **Backward Compatibility:**
diff --git a/custom-domain/dstack-ingress/scripts/entrypoint.sh b/custom-domain/dstack-ingress/scripts/entrypoint.sh
index cc608c7..25eb559 100644
--- a/custom-domain/dstack-ingress/scripts/entrypoint.sh
+++ b/custom-domain/dstack-ingress/scripts/entrypoint.sh
@@ -28,6 +28,15 @@ fi
 if ! PROXY_CONNECT_TIMEOUT=$(sanitize_proxy_timeout "$PROXY_CONNECT_TIMEOUT"); then
 exit 1
 fi
+if ! PROXY_BUFFER_SIZE=$(sanitize_proxy_buffer_size "$PROXY_BUFFER_SIZE"); then
+ exit 1
+fi
+if ! PROXY_BUFFERS=$(sanitize_proxy_buffers "$PROXY_BUFFERS"); then
+ exit 1
+fi
+if ! PROXY_BUSY_BUFFERS_SIZE=$(sanitize_proxy_buffer_size "$PROXY_BUSY_BUFFERS_SIZE"); then
+ exit 1
+fi
 if ! TXT_PREFIX=$(sanitize_dns_label "$TXT_PREFIX"); then
 exit 1
 fi
@@ -117,6 +126,21 @@ setup_nginx_conf() {
 proxy_connect_timeout_conf=" ${PROXY_CMD}_connect_timeout ${PROXY_CONNECT_TIMEOUT};"
 fi
 
+ local proxy_buffer_size_conf=""
+ if [ -n "$PROXY_BUFFER_SIZE" ]; then
+ proxy_buffer_size_conf=" proxy_buffer_size ${PROXY_BUFFER_SIZE};"
+ fi
+
+ local proxy_buffers_conf=""
+ if [ -n "$PROXY_BUFFERS" ]; then
+ proxy_buffers_conf=" proxy_buffers ${PROXY_BUFFERS};"
+ fi
+
+ local proxy_busy_buffers_size_conf=""
+ if [ -n "$PROXY_BUSY_BUFFERS_SIZE" ]; then
+ proxy_busy_buffers_size_conf=" proxy_busy_buffers_size ${PROXY_BUSY_BUFFERS_SIZE};"
+ fi
+
 cat </etc/nginx/conf.d/default.conf
 server {
 listen ${PORT} ssl;
@@ -153,6 +177,9 @@ server {
 # SSL buffer size (optimized for TLS 1.3)
 ssl_buffer_size 4k;
 
+${proxy_buffer_size_conf}
+${proxy_buffers_conf}
+${proxy_busy_buffers_size_conf}
 # Disable SSL renegotiation
 ssl_early_data off;
 
diff --git a/custom-domain/dstack-ingress/scripts/functions.sh b/custom-domain/dstack-ingress/scripts/functions.sh
index bf8b80c..1a5a75c 100644
--- a/custom-domain/dstack-ingress/scripts/functions.sh
+++ b/custom-domain/dstack-ingress/scripts/functions.sh
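Review bot: The three new `if ! PROXY_…=$(sanitize_…); then exit 1; fi` guards can never fire, because both sanitizers added in the functions.sh hunk end their invalid branch with `echo ""`, so the substitution's status is 0 and a bad value is silently replaced by an empty string after a stderr warning. If the intent is to fail closed on a misconfigured buffer setting, have the sanitizers finish the invalid branch with `printf 'Warning: Ignoring invalid proxy buffer size value: %s\n' "$candidate" >&2` followed by `return 1`, which also avoids `echo` mangling a value that starts with `-` or contains backslashes. If warn-and-drop is the intended behaviour (it appears to mirror how the existing `sanitize_proxy_timeout` call is consumed, though that function's body is outside this hunk), say so next to the guards with `# sanitizers warn and blank invalid values; this guard only covers a hard failure of the substitution itself` so nobody relies on the exit path.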
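Review bot: `proxy_buffer_size_conf`, `proxy_buffers_conf` and `proxy_busy_buffers_size_conf` hardcode the `proxy_` directive prefix, whereas the adjacent timeout line builds its directive from `${PROXY_CMD}`; if `PROXY_CMD` can take a value other than `proxy` (its range is not visible here), the new directives are emitted against a module that is not the active upstream directive and quietly have no effect. Not every `proxy_*` buffer directive has a counterpart in the other upstream modules, so rather than blindly keying on `${PROXY_CMD}` I would record the choice with `# proxy_buffer* directives only affect proxy_pass; intentionally not keyed on PROXY_CMD` and, if other modes are supported, either skip the three settings or map only the directives that exist for that module. On the positive side, the values reach the heredoc only after the character-class checks in functions.sh, so no `;`, `#` or brace can be smuggled into the generated nginx config. `setup_nginx_conf` starts and ends outside this hunk.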
@@ -83,6 +83,35 @@ sanitize_proxy_timeout() {
 fi
 }
 
+sanitize_proxy_buffer_size() {
+ local candidate="$1"
+ if [ -z "$candidate" ]; then
+ echo ""
+ return 0
+ fi
+ if [[ "$candidate" =~ ^[0-9]+[kKmM]?$ ]]; then
+ echo "$candidate"
+ else
+ echo "Warning: Ignoring invalid proxy buffer size value: $candidate" >&2
+ echo ""
+ fi
+}
+
+sanitize_proxy_buffers() {
+ local candidate="$1"
+ if [ -z "$candidate" ]; then
+ echo ""
+ return 0
+ fi
+ # Format: number size (e.g., "4 256k")
+ if [[ "$candidate" =~ ^[0-9]+[[:space:]]+[0-9]+[kKmM]?$ ]]; then
+ echo "$candidate"
+ else
+ echo "Warning: Ignoring invalid proxy buffers value: $candidate (expected format: 'number size', e.g., '4 256k')" >&2
+ echo ""
+ fi
+}
+
 get_letsencrypt_account_path() {
 local base_path="/etc/letsencrypt/accounts"
 local api_endpoint="acme-v02.api.letsencrypt.org"
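Review bot: In `sanitize_proxy_buffers` the separator class `[[:space:]]+` also matches newline, carriage return, tab and form feed, and `=~` is not newline-sensitive, so an environment value such as `4<newline>256k` passes and is copied verbatim into the generated config. nginx treats those characters as whitespace, so this is not a directive-injection path, but it does let a single directive span lines in the emitted file; `^[0-9]+ +[0-9]+[kKmM]?$` (or normalising with `set -- $candidate` and emitting `"$1 $2"`) keeps the output one predictable line. Both regexes only check syntax, so a value nginx rejects semantically (I believe `proxy_buffers` needs a count of at least 2, for instance) still fails only at nginx startup; a comment such as `# syntax check only; nginx validates ranges at config load` would make that boundary explicit. The `echo "Warning: … $candidate"` lines should be `printf '…%s\n' "$candidate" >&2`, since `echo` can misinterpret a value beginning with `-` or containing backslashes.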