IT4Change/gradido
3
0
Fork 0
mirror of https://github.com/IT4Change/gradido.git synced 2026-02-06 09:56:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3276 from gradido/deloyment_bugfixes

Browse Source 
fix(other): deployment bugfixes
This commit is contained in:
einhornimmond 2024-01-24 21:21:33 +01:00 committed by GitHub
commit 90dae9171a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 17 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
deployment/bare_metal/nginx/common/limit_requests.conf
View File

@ -1,3 +1,4 @@
limit_req_zone $binary_remote_addr zone=frontend:20m rate=5r/s;
limit_req_zone $binary_remote_addr zone=backend:25m rate=15r/s;
limit_req_zone $binary_remote_addr zone=api:5m rate=30r/s;
limit_req_zone $binary_remote_addr zone=api:5m rate=30r/s;
limit_conn_zone $binary_remote_addr zone=addr:10m;

3
deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template
View File

@ -1,3 +1,5 @@
include /etc/nginx/common/limit_requests.conf;
server {
if ($host = $COMMUNITY_HOST) {
return 301 https://$host$request_uri;
@ -21,7 +23,6 @@ server {
include /etc/nginx/common/protect.conf;
include /etc/nginx/common/protect_add_header.conf;
include /etc/nginx/common/limit_requests.conf;
# protect from slow loris
client_body_timeout 10s;

3
deployment/bare_metal/nginx/sites-available/gradido.conf.template
View File

@ -1,3 +1,5 @@
include /etc/nginx/common/limit_requests.conf;
server {
server_name $COMMUNITY_HOST;
@ -6,7 +8,6 @@ server {
include /etc/nginx/common/protect.conf;
include /etc/nginx/common/protect_add_header.conf;
include /etc/nginx/common/limit_requests.conf;
# protect from slow loris
client_body_timeout 10s;

2
deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template
View File

@ -1,3 +1,4 @@
include /etc/nginx/common/limit_requests.conf;
server {
if ($host = $COMMUNITY_HOST) {
@ -21,7 +22,6 @@ server {
include /etc/nginx/common/protect.conf;
include /etc/nginx/common/protect_add_header.conf;
include /etc/nginx/common/limit_requests.conf;
# protect from slow loris
client_body_timeout 10s;

2
deployment/bare_metal/nginx/sites-available/update-page.conf.template
View File

@ -1,3 +1,4 @@
include /etc/nginx/common/limit_requests.conf;
server {
server_name $COMMUNITY_HOST;
@ -6,7 +7,6 @@ server {
include /etc/nginx/common/protect.conf;
include /etc/nginx/common/protect_add_header.conf;
include /etc/nginx/common/limit_requests.conf;
# protect from slow loris
client_body_timeout 10s;

1
deployment/hetzner_cloud/cloudConfig.yaml
View File

@ -9,6 +9,7 @@ users:
packages:
- fail2ban
- python3-systemd
- ufw
- git
- mariadb-server

8
deployment/hetzner_cloud/install.sh
View File

@ -80,6 +80,14 @@ expect eof
")
echo "$SECURE_MYSQL"
# Configure fail2ban, seems to not run out of the box on Debian 12
echo -e "[sshd]\nbackend = systemd" | tee /etc/fail2ban/jail.d/sshd.conf
# enable nginx-limit-req filter to block also user which exceed nginx request limiter
echo -e "[nginx-limit-req]\nenabled = true\nlogpath = $SCRIPT_PATH/log/nginx-error.*.log" | tee /etc/fail2ban/jail.d/nginx-limit-req.conf
# enable nginx bad request filter
echo -e "[nginx-bad-request]\nenabled = true\nlogpath = $SCRIPT_PATH/log/nginx-error.*.log" | tee /etc/fail2ban/jail.d/nginx-bad-request.conf
systemctl restart fail2ban
# Configure nginx
rm /etc/nginx/sites-enabled/default
envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $SCRIPT_PATH/nginx/sites-available/gradido.conf.template > $SCRIPT_PATH/nginx/sites-available/gradido.conf