ddidderr
c072b93726
Completed uploads used to copy every staged chunk into a second file before renaming the result into data/complete. That doubled write volume and required peak disk space for both the chunk set and the final file. Write each chunk directly into one private temp upload file at its final offset instead. After a chunk write succeeds, record a tiny durable completion marker for progress and resume scans. Completion now verifies the temp file length and all markers, then renames the temp file into the completed upload directory. Add UPL_TEMP_DIR and --temp-dir so operators can choose where upload metadata, markers, and temp files live. The default remains data/staging, and docs call out that the temp directory must be on the same filesystem as data/complete for atomic promotion. The nginx example now aliases only the completed upload directory, and the smoke test verifies that final-file alias. This keeps the existing length-based validation model; it does not add per-chunk hashing. Test Plan: - just check - just nginx-smoke - cargo clippy && cargo clippy --benches && cargo clippy --tests - cargo +nightly fmt --all - cargo clippy && cargo clippy --benches && cargo clippy --tests Refs: none
46 lines
1.4 KiB
Plaintext
46 lines
1.4 KiB
Plaintext
# Production shape for browser -> nginx -> upl -> local filesystem.
|
|
#
|
|
# Replace server_name, certificate paths, and access control before exposing
|
|
# this app. Keep upl itself bound to 127.0.0.1.
|
|
|
|
upstream upl_backend {
|
|
server 127.0.0.1:3000;
|
|
keepalive 16;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
server_name uploads.example.com;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/uploads.example.com/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/uploads.example.com/privkey.pem;
|
|
|
|
client_max_body_size 64m;
|
|
|
|
# Add HTTP basic auth, an IP allowlist, VPN-only access, or another
|
|
# protection layer before exposing this personal upload tool publicly.
|
|
# auth_basic "upl";
|
|
# auth_basic_user_file /etc/nginx/upl.htpasswd;
|
|
|
|
# Expose only completed uploads. Keep UPL_TEMP_DIR outside every nginx
|
|
# alias/root so in-progress temp files and progress markers are private.
|
|
location /files/ {
|
|
alias /srv/upl/data/complete/;
|
|
autoindex on;
|
|
try_files $uri =404;
|
|
}
|
|
|
|
location / {
|
|
proxy_pass http://upl_backend;
|
|
proxy_http_version 1.1;
|
|
proxy_request_buffering off;
|
|
proxy_buffering off;
|
|
proxy_read_timeout 3600s;
|
|
proxy_send_timeout 3600s;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
}
|
|
}
|