From 830deb9b44f261f290ee8248517ae0d885e32006 Mon Sep 17 00:00:00 2001 From: einhornimmond Date: Wed, 21 May 2025 16:07:17 +0200 Subject: [PATCH] adjust request limits, log requests limits --- .../nginx/common/limit_requests.conf | 4 +-- .../bare_metal/nginx/conf.d/logging.conf | 4 ++- .../gradido-federation.conf.template | 4 +-- .../sites-available/gradido.conf.ssl.template | 35 +++++++++++-------- .../sites-available/gradido.conf.template | 34 +++++++++++------- 5 files changed, 49 insertions(+), 32 deletions(-) diff --git a/deployment/bare_metal/nginx/common/limit_requests.conf b/deployment/bare_metal/nginx/common/limit_requests.conf index c9501fd64..022a6d3a3 100644 --- a/deployment/bare_metal/nginx/common/limit_requests.conf +++ b/deployment/bare_metal/nginx/common/limit_requests.conf @@ -1,4 +1,4 @@ -limit_req_zone $binary_remote_addr zone=frontend:20m rate=5r/s; -limit_req_zone $binary_remote_addr zone=backend:25m rate=15r/s; +limit_req_zone $binary_remote_addr zone=frontend:20m rate=15r/s; +limit_req_zone $binary_remote_addr zone=backend:25m rate=20r/s; limit_req_zone $binary_remote_addr zone=api:5m rate=30r/s; limit_conn_zone $binary_remote_addr zone=addr:10m; \ No newline at end of file diff --git a/deployment/bare_metal/nginx/conf.d/logging.conf b/deployment/bare_metal/nginx/conf.d/logging.conf index a76e8fae7..b8ed225a8 100644 --- a/deployment/bare_metal/nginx/conf.d/logging.conf +++ b/deployment/bare_metal/nginx/conf.d/logging.conf @@ -1,4 +1,6 @@ log_format gradido_log '$remote_addr - $remote_user [$time_local] ' '"$request_method $status $request_uri"' ' "$http_referer" "$http_user_agent"' - ' $server_protocol $body_bytes_sent $request_time'; \ No newline at end of file + ' $server_protocol $body_bytes_sent $request_time' + ' limit status: $limit_req_status' + ; \ No newline at end of file 
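Review bot: Requests rejected by these zones get nginx's default 503, which clients and monitoring cannot tell apart from a real backend outage. Setting `limit_req_status 429;` and `limit_conn_status 429;` next to the zone definitions would make throttling explicit. All zones key on `$binary_remote_addr`, so if this nginx is ever placed behind another proxy or load balancer, every user would share one bucket. A comment stating that nginx is expected to see the real client address would record that assumption.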
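Review bot: The log format records only `$limit_req_status`, but the same commit enables `limit_conn` in every location, so a request refused for too many connections would likely be logged without the reason. Appending `' conn status: $limit_conn_status'` would cover that case. Both variables were introduced in nginx 1.17.6, and an older nginx will refuse to load a `log_format` that names them. The minimum nginx version should be stated in a comment here or in the deployment docs.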
diff --git a/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template b/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template index cf5f53b25..5123deb5e 100644 --- a/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template +++ b/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template @@ -1,7 +1,7 @@ location /api/$FEDERATION_APIVERSION { - #limit_req zone=api burst=60 nodelay; - #limit_conn addr 30; + limit_req zone=api burst=60 nodelay; + limit_conn addr 30; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template index 40d93ad9a..c0791f169 100644 --- a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template +++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template @@ -25,8 +25,9 @@ server { include /etc/nginx/common/protect_add_header.conf; # protect from slow loris - #client_body_timeout 10s; - #client_header_timeout 10s; + client_body_timeout 10s; + client_header_timeout 10s; + send_timeout 10s # protect from range attack (in http header) if ($http_range ~ "d{9,}") { 
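Review bot: The added `send_timeout 10s` in gradido.conf.ssl.template has no terminating semicolon, so nginx will read the tokens of the following `if ($http_range ...` line as further arguments and the config test should fail. That would leave the slow-loris timeouts and all the new limits undeployed. The line should read `send_timeout 10s;`. The same line is added without a semicolon in the first hunk of gradido.conf.template. The enclosing `server` block continues outside the hunk.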
@@ -52,16 +53,22 @@ server { } # caching rules for assets - location ~* \.(?:js|css|woff2?|ttf|otf|eot|jpg|jpeg|png|gif|svg|webp|ico)$ { + # static assets + location ~* \.(?:woff2?|ttf|otf|eot|jpg|jpeg|png|gif|svg|webp|ico)$ { + # keep assets for a week + add_header Cache-Control "public, max-age=604800"; + try_files $uri =404; + } + # hashed assets + location ~* \.(?:js|css|json)$ { add_header Cache-Control "public, max-age=31536000, immutable"; try_files $uri =404; } # Frontend (default) location / { - - #limit_req zone=frontend burst=40 nodelay; - #limit_conn addr 40; + limit_req zone=frontend burst=150 nodelay; + limit_conn addr 60; root $PROJECT_ROOT/frontend/build/; index index.html; try_files $uri $uri/ /index.html = 404; @@ -77,8 +84,8 @@ server { # Backend location /graphql { - #limit_req zone=backend burst=10 nodelay; - #limit_conn addr 10; + limit_req zone=backend burst=40 nodelay; + limit_conn addr 20; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -95,8 +102,8 @@ server { # Backend webhooks location /hook { - #limit_req zone=backend burst=10; - #limit_conn addr 10; + limit_req zone=backend burst=20 nodelay; + limit_conn addr 20; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -113,8 +120,8 @@ server { # Webhook reverse proxy location /hooks/ { - #limit_req zone=backend burst=10; - #limit_conn addr 10; + limit_req zone=backend burst=20 nodelay; + limit_conn addr 20; proxy_pass http://127.0.0.1:9000/hooks/; access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log; @@ -123,8 +130,8 @@ server { # Admin Frontend location /admin { - #limit_req zone=frontend burst=30 nodelay; - #limit_conn addr 40; + limit_req zone=frontend burst=30 nodelay; + limit_conn addr 20; rewrite ^/admin/(.*)$ /$1 break; root $PROJECT_ROOT/admin/build/; index index.html; 
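Review bot: Both new asset locations set their own `add_header Cache-Control`, and nginx inherits `add_header` from the enclosing level only when the current level defines none. Whatever `/etc/nginx/common/protect_add_header.conf` adds at server level is therefore presumably not sent on fonts, images (including SVG), scripts, styles and JSON. That file is not visible here, but if it holds the security headers its name suggests, repeat `include /etc/nginx/common/protect_add_header.conf;` inside each of the two locations. The matching hunk in gradido.conf.template needs the same change.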
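Review bot: `limit_conn addr 20` on `/graphql` counts against the same `addr` zone as `/` (60), `/hook`, `/hooks/` and `/admin` (20 each), so, as far as I can tell, the per-address count is shared and the lowest limit is reached first. The location forwards `Upgrade` headers, so if GraphQL subscriptions run over long-lived WebSockets, each open socket holds a slot for its lifetime and several users behind one NAT address could be refused. Consider a separate `limit_conn_zone` for the backend, or a comment explaining how 20 was sized. The same values are applied in gradido.conf.template, and the `location /graphql` block continues outside the hunk.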
diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.template index ef63c42a4..68fc2edb0 100644 --- a/deployment/bare_metal/nginx/sites-available/gradido.conf.template +++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.template @@ -10,8 +10,9 @@ server { include /etc/nginx/common/protect_add_header.conf; # protect from slow loris - #client_body_timeout 10s; - #client_header_timeout 10s; + client_body_timeout 10s; + client_header_timeout 10s; + send_timeout 10s # protect from range attack (in http header) if ($http_range ~ "d{9,}") { @@ -37,15 +38,22 @@ server { } # caching rules for assets - location ~* \.(?:js|css|woff2?|ttf|otf|eot|jpg|jpeg|png|gif|svg|webp|ico)$ { + # static assets + location ~* \.(?:woff2?|ttf|otf|eot|jpg|jpeg|png|gif|svg|webp|ico)$ { + # keep assets for a week + add_header Cache-Control "public, max-age=604800"; + try_files $uri =404; + } + # hashed assets + location ~* \.(?:js|css|json)$ { add_header Cache-Control "public, max-age=31536000, immutable"; try_files $uri =404; } # Frontend (default) location / { - #limit_req zone=frontend burst=40 nodelay; - #limit_conn addr 40; + limit_req zone=frontend burst=150 nodelay; + limit_conn addr 60; root $PROJECT_ROOT/frontend/build/; index index.html; try_files $uri $uri/ /index.html = 404; @@ -61,8 +69,8 @@ server { # Backend location /graphql { - #limit_req zone=backend burst=10 nodelay; - #limit_conn addr 10; + limit_req zone=backend burst=40 nodelay; + limit_conn addr 20; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -79,8 +87,8 @@ server { # Backend webhooks location /hook { - #limit_req zone=backend burst=10; - #limit_conn addr 10; + limit_req zone=backend burst=20 nodelay; + limit_conn addr 20; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; 
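Review bot: `json` is added to the location commented "hashed assets" and receives `max-age=31536000, immutable`, but nothing in the hunk shows that JSON files under the build roots carry a content hash in their names. An unhashed manifest or locale file would stay stale in browsers for up to a year. Because a matching regex location takes precedence over the `/graphql`, `/hook` and `/admin` prefix locations, any URL ending in `.json` is also answered from disk here, skipping the `limit_req`/`limit_conn` settings of those blocks. Unless all JSON is fingerprinted, move `json` into the one-week location or serve it with `Cache-Control "no-cache"`. The same pattern is added in gradido.conf.ssl.template.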
@@ -97,8 +105,8 @@ server { # Webhook reverse proxy location /hooks/ { - #limit_req zone=backend burst=10; - #limit_conn addr 10; + limit_req zone=backend burst=20 nodelay; + limit_conn addr 20; proxy_pass http://127.0.0.1:9000/hooks/; access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log; @@ -107,8 +115,8 @@ server { # Admin Frontend location /admin { - #limit_req zone=frontend burst=30 nodelay; - #limit_conn addr 40; + limit_req zone=frontend burst=30 nodelay; + limit_conn addr 20; rewrite ^/admin/(.*)$ /$1 break; root $PROJECT_ROOT/admin/build/; index index.html;