diff --git a/.env.example b/.env.example index c0ce5d8..b6fd95d 100644 --- a/.env.example +++ b/.env.example @@ -28,7 +28,7 @@ DB_VACUUM_INTERVAL=86400 AUTH_METHODS=basic,digest # Secret key for JWT and session encryption (generate with: python -c "import secrets; print(secrets.token_hex(32))") -JWT_SECRET_KEY=your-secret-key-here-change-this-in-production +JWT_SECRET_KEY=defc76e4175b4d5ca6e156e483495ced # Session timeout in seconds (1 hour default) SESSION_TIMEOUT=3600 diff --git a/.gitignore b/.gitignore index cab78ad..148c868 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ debug_webdav.py test_propfind.sh test_cache.py *.db +webdav-server diff --git a/Dockerfile b/Dockerfile index 904f3f8..16d686f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -51,7 +51,7 @@ WORKDIR /app COPY --from=builder /install /usr/local # Copy application files -COPY main.py . +COPY main3.py . COPY gunicorn_config.py . COPY .env.example .env @@ -60,7 +60,7 @@ RUN mkdir -p /app/webdav /app/logs /app/backups && \ chown -R webdav:webdav /app # Switch to non-root user -USER webdav +#USER webdav # Expose port EXPOSE 8080 @@ -75,4 +75,4 @@ ENV HOST=0.0.0.0 ENV PORT=8080 # Run application -CMD ["python", "main.py"] +CMD ["python", "main3.py"] diff --git a/docker-compose.yml b/docker-compose.yml index 1e2c338..97d950c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -113,7 +113,7 @@ services: - "443:443" volumes: - - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro + - ./nginx.conf:/etc/nginx/conf.d/webdav.conf:ro - ./nginx/conf.d:/etc/nginx/conf.d:ro - ./nginx/ssl:/etc/nginx/ssl:ro - ./logs/nginx:/var/log/nginx diff --git a/main.py b/main.py index 4dfed8a..f5ee1a5 100644 --- a/main.py +++ b/main.py @@ -1206,7 +1206,7 @@ async def create_default_user(db: Database): print("Please change this password immediately!") -def main(): +def main(**kwargs): """Main entry point""" # Ensure WebDAV root directory exists @@ -1227,7 +1227,8 @@ def main(): app, host=Config.HOST, port=Config.PORT, - access_log_format='%a %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"' + access_log_format='%a %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"', + **kwargs ) diff --git a/main3.py b/main3.py index a3b1d00..7f8e7b0 100644 --- a/main3.py +++ b/main3.py @@ -36,6 +36,25 @@ from dotenv import load_dotenv # Load environment variables load_dotenv() +class Cache: + + def __init__(self): + self.cache = {} + + def set(self, key, value): + self.cache[key] = value + + def get(self, key): + return self.cache.get(key) + + def clear(self): + self.cache.clear() + + def delete(self, key): + try: + del self.cache[key] + except KeyError: + pass # ============================================================================ # Configuration Management # ============================================================================ @@ -80,7 +99,8 @@ class Database: self.db_path = db_path self._connection_lock = asyncio.Lock() self.init_database() - + self.property_cache = Cache() + def get_connection(self) -> sqlite3.Connection: """Get database connection with row factory""" conn = sqlite3.connect(self.db_path, timeout=30.0, check_same_thread=False) @@ -238,18 +258,24 @@ class Database: async def get_properties(self, resource_path: str) -> List[Dict]: def _get(): + result = self.property_cache.get(resource_path) + if result: + return result conn = self.get_connection() try: cursor = conn.cursor() cursor.execute('SELECT * FROM properties WHERE resource_path = ?', (resource_path,)) properties = cursor.fetchall() - return [dict(prop) for prop in properties] + result = [dict(prop) for prop in properties] + self.property_cache.set(resource_path, result) + return result finally: conn.close() return await self.run_in_executor(_get) async def set_property(self, resource_path: str, namespace: str, property_name: str, property_value: str): def _set(): + self.property_cache.delete(resource_path) conn = self.get_connection() try: cursor = conn.cursor() @@ -260,10 +286,12 @@ class Database: conn.commit() finally: conn.close() + await self.run_in_executor(_set) async def remove_property(self, resource_path: str, namespace: str, property_name: str): def _remove(): + self.property_cache.delete(f"{resource_path}") conn = self.get_connection() try: cursor = conn.cursor() @@ -476,6 +504,7 @@ class WebDAVHandler: return "" async def handle_get(self, request: web.Request, user: Dict) -> web.Response: + path = self.get_physical_path(user['username'], request.path) if not await self.run_blocking_io(path.exists): raise web.HTTPNotFound() @@ -713,7 +742,8 @@ async def webdav_handler_func(request: web.Request): app = request.app auth_handler: AuthHandler = app['auth'] webdav_handler: WebDAVHandler = app['webdav'] - + app.shared['counter'] = os.getpid() + print(app.shared['counter'],os.getpid()) # OPTIONS is often unauthenticated (pre-flight) if request.method == 'OPTIONS': return await webdav_handler.handle_options(request, {}) diff --git a/nginx/nginx.conf b/nginx.conf similarity index 87% rename from nginx/nginx.conf rename to nginx.conf index 0eefe86..f92a059 100644 --- a/nginx/nginx.conf +++ b/nginx.conf @@ -2,8 +2,11 @@ # Nginx Configuration for WebDAV Server # Place this in: /etc/nginx/conf.d/webdav.conf # ============================================================================ - # Upstream backend +upstream webdav_backend { + server webdav:8080 max_fails=3 fail_timeout=30s; + keepalive 32; +} # HTTP Server - Redirect to HTTPS @@ -16,10 +19,6 @@ server { location /.well-known/acme-challenge/ { root /var/www/certbot; } -upstream webdav_backend { - server webdav:8080 max_fails=3 fail_timeout=30s; - keepalive 32; -} # Redirect all other traffic to HTTPS location / { return 301 https://$server_name$request_uri; @@ -28,22 +27,6 @@ upstream webdav_backend { # HTTPS Server - Main WebDAV server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name webdav.example.com; # Change to your domain - - # SSL Configuration - ssl_certificate /etc/nginx/ssl/fullchain.pem; - ssl_certificate_key /etc/nginx/ssl/privkey.pem; - - # SSL Security Settings - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_stapling on; - ssl_stapling_verify on; # Security Headers add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; @@ -115,7 +98,6 @@ server { access_log off; log_not_found off; } -} # ============================================================================ # HTTP Configuration without SSL (for development only) @@ -151,3 +133,4 @@ server { # proxy_buffering off; # } # } +} diff --git a/nginx/conf.d/webdav.conf b/nginx/conf.d/webdav.conf new file mode 100644 index 0000000..f92a059 --- /dev/null +++ b/nginx/conf.d/webdav.conf @@ -0,0 +1,136 @@ +# ============================================================================ +# Nginx Configuration for WebDAV Server +# Place this in: /etc/nginx/conf.d/webdav.conf +# ============================================================================ +# Upstream backend +upstream webdav_backend { + server webdav:8080 max_fails=3 fail_timeout=30s; + keepalive 32; +} + + +# HTTP Server - Redirect to HTTPS +server { + listen 80; + listen [::]:80; + server_name webdav.example.com; # Change to your domain + + # Let's Encrypt ACME challenge + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + # Redirect all other traffic to HTTPS + location / { + return 301 https://$server_name$request_uri; + } +} + +# HTTPS Server - Main WebDAV +server { + + # Security Headers + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + + # WebDAV Specific Settings + client_max_body_size 1G; # Maximum file size + client_body_buffer_size 128k; + client_body_timeout 300s; # Timeout for client body + client_header_timeout 60s; + send_timeout 300s; # Timeout for sending response + + # Proxy buffering (disable for large files) + proxy_buffering off; + proxy_request_buffering off; + + # Timeouts + proxy_connect_timeout 60s; + proxy_send_timeout 300s; + proxy_read_timeout 300s; + + # Logging + access_log /var/log/nginx/webdav_access.log combined; + error_log /var/log/nginx/webdav_error.log warn; + + # Root location - WebDAV + location / { + # Proxy to backend + proxy_pass http://webdav_backend; + + # Standard proxy headers + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + + # WebDAV specific headers + proxy_set_header Destination $http_destination; + proxy_set_header Depth $http_depth; + proxy_set_header Overwrite $http_overwrite; + proxy_set_header Lock-Token $http_lock_token; + proxy_set_header Timeout $http_timeout; + proxy_set_header If $http_if; + + # HTTP 1.1 support + proxy_http_version 1.1; + proxy_set_header Connection ""; + + # Disable redirects + proxy_redirect off; + + # Handle errors + proxy_intercept_errors off; + } + + # Health check endpoint + location /health { + proxy_pass http://webdav_backend/health; + access_log off; + } + + # Deny access to hidden files + location ~ /\. { + deny all; + access_log off; + log_not_found off; + } + +# ============================================================================ +# HTTP Configuration without SSL (for development only) +# ============================================================================ + +# Uncomment this section for development without SSL +# server { +# listen 80; +# listen [::]:80; +# server_name webdav.example.com; +# +# client_max_body_size 1G; +# client_body_buffer_size 128k; +# client_body_timeout 300s; +# send_timeout 300s; +# +# location / { +# proxy_pass http://webdav_backend; +# proxy_set_header Host $host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_set_header X-Forwarded-Proto $scheme; +# +# # WebDAV headers +# proxy_set_header Destination $http_destination; +# proxy_set_header Depth $http_depth; +# proxy_set_header Overwrite $http_overwrite; +# proxy_set_header Lock-Token $http_lock_token; +# +# proxy_http_version 1.1; +# proxy_set_header Connection ""; +# proxy_redirect off; +# proxy_buffering off; +# } +# } +} diff --git a/prod.py b/prod.py new file mode 100644 index 0000000..297154c --- /dev/null +++ b/prod.py @@ -0,0 +1,40 @@ +from multiprocessing import Process, Manager +from socket import SOL_SOCKET, SO_REUSEADDR, socket +from aiohttp import web +import logging + +logging.basicConfig(level=logging.DEBUG) + +from main3 import init_app +import asyncio + +def serve_multiple(app,workers): + sock = socket() + sock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1) + sock.bind(('0.0.0.0', 8080)) + sock.set_inheritable(True) + setattr(app,"shared",Manager().dict()) + app.shared['counter'] = 0 + processes = [] + for i in range(workers): + process = Process( + target=web.run_app, + name=f'worker-{i}', + kwargs=dict(app=app, sock=sock) + ) + process.daemon = True + process.start() + processes.append(process) + + try: + for process in processes: + process.join() + except KeyboardInterrupt: + pass + finally: + for process in processes: + process.terminate() + sock.close() + +app = asyncio.run(init_app()) +serve_multiple(app, 3)