adjust request limits, log requests limits

einhornimmond 2025-05-21 16:07:17 +02:00
parent 686d1749e9
commit 830deb9b44
5 changed files with 49 additions and 32 deletions


@ -1,4 +1,4 @@
limit_req_zone $binary_remote_addr zone=frontend:20m rate=5r/s;
limit_req_zone $binary_remote_addr zone=backend:25m rate=15r/s;
limit_req_zone $binary_remote_addr zone=frontend:20m rate=15r/s;
limit_req_zone $binary_remote_addr zone=backend:25m rate=20r/s;
limit_req_zone $binary_remote_addr zone=api:5m rate=30r/s;
limit_conn_zone $binary_remote_addr zone=addr:10m;
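Review bot: The zone definitions carry no comment saying which locations share them, and that matters now that the limits are switched on. Going by the other files in this commit, `frontend` backs both `/` and `/admin`, `backend` backs `/graphql`, `/hook` and `/hooks/`, and the single `addr` zone backs every `limit_conn`, so each client address has one shared counter per zone rather than one per location. I would add above the block `# one counter per client IP and zone; frontend: / and /admin, backend: /graphql, /hook, /hooks/, addr: every limit_conn`. If nginx ever sits behind a proxy or load balancer, `$binary_remote_addr` would be the proxy's address and all users would share one bucket; that is not visible from this hunk and is worth confirming.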


@ -1,4 +1,6 @@
log_format gradido_log '$remote_addr - $remote_user [$time_local] '
'"$request_method $status $request_uri"'
' "$http_referer" "$http_user_agent"'
' $server_protocol $body_bytes_sent $request_time';
' $server_protocol $body_bytes_sent $request_time'
' limit status: $limit_req_status'
;
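Review bot: Only `limit_req` rejections become visible in the log with this format, although the same commit also turns on `limit_conn` in every location; adding `' conn status: $limit_conn_status'` next to the new line would let the two kinds of rejection be told apart. Both variables were introduced in nginx 1.17.6, so on an older build the configuration would fail to load with an unknown-variable error; the deployed version is not visible here. A short comment above the format naming the possible values (`PASSED`, `DELAYED`, `REJECTED` and the `_DRY_RUN` variants) would help whoever writes the log parser or alert rule.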


@ -1,7 +1,7 @@
location /api/$FEDERATION_APIVERSION {
#limit_req zone=api burst=60 nodelay;
#limit_conn addr 30;
limit_req zone=api burst=60 nodelay;
limit_conn addr 30;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
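Review bot: With the limits now active, rejected requests get nginx's default 503 unless `limit_req_status` / `limit_conn_status` are set somewhere not shown in this commit, and a federation peer or a monitoring check cannot tell that 503 from a real outage. I would set `limit_req_status 429;` and `limit_conn_status 429;` once at `http` or `server` level so that throttling is distinguishable for clients and in the access log. The same applies to the `/`, `/graphql`, `/hook`, `/hooks/` and `/admin` locations enabled in the two server files. This location also forwards `Upgrade`, so if long-lived upgraded connections are used here they would presumably keep counting against `limit_conn addr 30` for their whole lifetime; worth confirming. The location block continues past the end of the hunk.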


@ -25,8 +25,9 @@ server {
include /etc/nginx/common/protect_add_header.conf;
# protect from slow loris
#client_body_timeout 10s;
#client_header_timeout 10s;
client_body_timeout 10s;
client_header_timeout 10s;
send_timeout 10s
# protect from range attack (in http header)
if ($http_range ~ "d{9,}") {
@ -52,16 +53,22 @@ server {
}
# caching rules for assets
location ~* \.(?:js|css|woff2?|ttf|otf|eot|jpg|jpeg|png|gif|svg|webp|ico)$ {
# static assets
location ~* \.(?:woff2?|ttf|otf|eot|jpg|jpeg|png|gif|svg|webp|ico)$ {
# keep assets for a week
add_header Cache-Control "public, max-age=604800";
try_files $uri =404;
}
# hashed assets
location ~* \.(?:js|css|json)$ {
add_header Cache-Control "public, max-age=31536000, immutable";
try_files $uri =404;
}
# Frontend (default)
location / {
#limit_req zone=frontend burst=40 nodelay;
#limit_conn addr 40;
limit_req zone=frontend burst=150 nodelay;
limit_conn addr 60;
root $PROJECT_ROOT/frontend/build/;
index index.html;
try_files $uri $uri/ /index.html = 404;
@ -77,8 +84,8 @@ server {
# Backend
location /graphql {
#limit_req zone=backend burst=10 nodelay;
#limit_conn addr 10;
limit_req zone=backend burst=40 nodelay;
limit_conn addr 20;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
@ -95,8 +102,8 @@ server {
# Backend webhooks
location /hook {
#limit_req zone=backend burst=10;
#limit_conn addr 10;
limit_req zone=backend burst=20 nodelay;
limit_conn addr 20;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
@ -113,8 +120,8 @@ server {
# Webhook reverse proxy
location /hooks/ {
#limit_req zone=backend burst=10;
#limit_conn addr 10;
limit_req zone=backend burst=20 nodelay;
limit_conn addr 20;
proxy_pass http://127.0.0.1:9000/hooks/;
access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log;
@ -123,8 +130,8 @@ server {
# Admin Frontend
location /admin {
#limit_req zone=frontend burst=30 nodelay;
#limit_conn addr 40;
limit_req zone=frontend burst=30 nodelay;
limit_conn addr 20;
rewrite ^/admin/(.*)$ /$1 break;
root $PROJECT_ROOT/admin/build/;
index index.html;
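Review bot: The added `send_timeout 10s` line in the first hunk has no terminating `;`, so nginx would read on past the comment into the following `if ($http_range ...) {` line and `nginx -t` should reject the file; it should be `send_timeout 10s;`. The same line appears in the second server file of this commit. If this is rolled out by reload, a failed configuration test leaves the previous configuration running, so none of the limits or timeouts enabled here would take effect until it is fixed. The enclosing `server` block starts and ends outside the hunks.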


@ -10,8 +10,9 @@ server {
include /etc/nginx/common/protect_add_header.conf;
# protect from slow loris
#client_body_timeout 10s;
#client_header_timeout 10s;
client_body_timeout 10s;
client_header_timeout 10s;
send_timeout 10s
# protect from range attack (in http header)
if ($http_range ~ "d{9,}") {
@ -37,15 +38,22 @@ server {
}
# caching rules for assets
location ~* \.(?:js|css|woff2?|ttf|otf|eot|jpg|jpeg|png|gif|svg|webp|ico)$ {
# static assets
location ~* \.(?:woff2?|ttf|otf|eot|jpg|jpeg|png|gif|svg|webp|ico)$ {
# keep assets for a week
add_header Cache-Control "public, max-age=604800";
try_files $uri =404;
}
# hashed assets
location ~* \.(?:js|css|json)$ {
add_header Cache-Control "public, max-age=31536000, immutable";
try_files $uri =404;
}
# Frontend (default)
location / {
#limit_req zone=frontend burst=40 nodelay;
#limit_conn addr 40;
limit_req zone=frontend burst=150 nodelay;
limit_conn addr 60;
root $PROJECT_ROOT/frontend/build/;
index index.html;
try_files $uri $uri/ /index.html = 404;
@ -61,8 +69,8 @@ server {
# Backend
location /graphql {
#limit_req zone=backend burst=10 nodelay;
#limit_conn addr 10;
limit_req zone=backend burst=40 nodelay;
limit_conn addr 20;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
@ -79,8 +87,8 @@ server {
# Backend webhooks
location /hook {
#limit_req zone=backend burst=10;
#limit_conn addr 10;
limit_req zone=backend burst=20 nodelay;
limit_conn addr 20;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
@ -97,8 +105,8 @@ server {
# Webhook reverse proxy
location /hooks/ {
#limit_req zone=backend burst=10;
#limit_conn addr 10;
limit_req zone=backend burst=20 nodelay;
limit_conn addr 20;
proxy_pass http://127.0.0.1:9000/hooks/;
access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log;
@ -107,8 +115,8 @@ server {
# Admin Frontend
location /admin {
#limit_req zone=frontend burst=30 nodelay;
#limit_conn addr 40;
limit_req zone=frontend burst=30 nodelay;
limit_conn addr 20;
rewrite ^/admin/(.*)$ /$1 break;
root $PROJECT_ROOT/admin/build/;
index index.html;
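Review bot: The new `# hashed assets` location matches every `.js`, `.css` and `.json` path, not only files with a content hash in their name, so an unhashed file (a manifest or a locale file, for example) would be pinned in browsers for a year with `immutable`, and a fix shipped in such a file would not reach clients that already cached it. If the build emits hashed names under a known prefix, narrowing the match to that prefix would avoid this; the build output is not visible here. Separately, `add_header` inside a location replaces the headers inherited from `server` level, so if `protect_add_header.conf` sets its security headers with `add_header`, responses from both asset locations go out without them; adding `include /etc/nginx/common/protect_add_header.conf;` inside each would restore them. Both points apply equally to the other server file in this commit.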