diff --git a/deployment/bare_metal/nginx/common/limit_requests.conf b/deployment/bare_metal/nginx/common/limit_requests.conf new file mode 100644 index 000000000..e9026ee81 --- /dev/null +++ b/deployment/bare_metal/nginx/common/limit_requests.conf @@ -0,0 +1,3 @@ +limit_req_zone $binary_remote_addr zone=frontend:20m rate=5r/s; +limit_req_zone $binary_remote_addr zone=backend:25m rate=15r/s; +limit_req_zone $binary_remote_addr zone=api:5m rate=30r/s; \ No newline at end of file diff --git a/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template b/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template index 2192b7dbb..1148cc9f7 100644 --- a/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template +++ b/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template @@ -1,5 +1,7 @@ location /api/$FEDERATION_APIVERSION { + limit_req zone=api burst=60 nodelay; + proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template index b8559a0fb..b130d7374 100644 --- a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template +++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template @@ -21,6 +21,7 @@ server { include /etc/nginx/common/protect.conf; include /etc/nginx/common/protect_add_header.conf; + include /etc/nginx/common/limit_requests.conf; #gzip_static on; gzip on; @@ -42,6 +43,7 @@ server { # Frontend (default) location / { + limit_req zone=frontend burst=40 nodelay; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -58,6 +60,7 @@ server { # Backend location /graphql { + limit_req zone=backend burst=10 nodelay; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; 
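Review bot: The new `limit_requests.conf` sets no `limit_req_status`, so throttled requests get nginx's default 503 and look like an upstream outage to clients and monitoring. Adding `limit_req_status 429;` next to the three zones would make rate-limit rejections distinguishable in the access logs. All zones are keyed on `$binary_remote_addr`, so if a deployment sits behind a load balancer or CDN (not visible in this diff) every client would share one bucket. A comment such as `# keyed on the direct peer address; assumes nginx is the internet-facing edge` would record that assumption.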
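Review bot: The `include /etc/nginx/common/limit_requests.conf;` added to `gradido.conf.ssl.template` appears to sit inside the `server { … }` block, judging by the hunk header and the neighbouring `protect.conf` includes. `limit_req_zone` is only valid in the `http` context, so `nginx -t` would be expected to fail with a "directive is not allowed here" error. The same include is added inside `server` in `gradido.conf.template`, `update-page.conf.ssl.template` and `update-page.conf.template`. Moving the line above `server {` in each template, or into the main `nginx.conf`, would fix it, as long as the file is loaded only once, because declaring the same zone name twice is also a configuration error. The server block starts and ends outside the hunk.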
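Review bot: On `location /graphql` in `gradido.conf.ssl.template`, the limit counts HTTP requests rather than GraphQL operations. It therefore does not bound credential guessing by itself if the backend accepts batched or aliased operations in a single request (not visible in this diff). I would add a comment above the directive, for example `# coarse per-IP flood protection only; login and password-reset throttling must be enforced in the backend`. The same line is added in `gradido.conf.template`, and the location block continues outside the hunk.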
@@ -74,6 +77,7 @@ server { # Backend webhooks location /hook { + limit_req zone=backend burst=10; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -90,6 +94,7 @@ server { # Webhook reverse proxy location /hooks/ { + limit_req zone=backend burst=10; proxy_pass http://127.0.0.1:9000/hooks/; access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log; @@ -98,6 +103,7 @@ server { # Admin Frontend location /admin { + limit_req zone=frontend burst=30 nodelay; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.template index 6b885a26a..91ab0d3bc 100644 --- a/deployment/bare_metal/nginx/sites-available/gradido.conf.template +++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.template @@ -6,6 +6,7 @@ server { include /etc/nginx/common/protect.conf; include /etc/nginx/common/protect_add_header.conf; + include /etc/nginx/common/limit_requests.conf; #gzip_static on; gzip on; @@ -27,6 +28,7 @@ server { # Frontend (default) location / { + limit_req zone=frontend burst=40 nodelay; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -43,6 +45,7 @@ server { # Backend location /graphql { + limit_req zone=backend burst=10 nodelay; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -59,6 +62,7 @@ server { # Backend webhooks location /hook { + limit_req zone=backend burst=10; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -66,7 +70,6 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; - # no trailing slash to keep the hook/ prefix proxy_pass http://127.0.0.1:4000/hook; proxy_redirect off; 
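Review bot: `location /hook` and `location /hooks/` in `gradido.conf.ssl.template` use `limit_req zone=backend burst=10;` without `nodelay`, while `/graphql` uses the same zone with `nodelay`, and nothing says the difference is deliberate. Without `nodelay`, requests above the rate are queued and released at 15r/s, which holds the sender's connection open rather than rejecting it. If that is the intent, a comment such as `# no nodelay: queue webhook bursts instead of rejecting them` would document it. All three locations reference the same zone, so a single address shares one bucket across them. The same lines are added in `gradido.conf.template`.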
@@ -76,6 +79,7 @@ server { # Webhook reverse proxy location /hooks/ { + limit_req zone=backend burst=10; proxy_pass http://127.0.0.1:9000/hooks/; access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log; @@ -84,6 +88,7 @@ server { # Admin Frontend location /admin { + limit_req zone=frontend burst=30 nodelay; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -97,7 +102,7 @@ server { access_log $GRADIDO_LOG_PATH/nginx-access.admin.log gradido_log; error_log $GRADIDO_LOG_PATH/nginx-error.admin.log warn; } - + # Federation $FEDERATION_NGINX_CONF diff --git a/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template index 06bc5bbc0..7d30cd273 100644 --- a/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template +++ b/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template @@ -21,6 +21,7 @@ server { include /etc/nginx/common/protect.conf; include /etc/nginx/common/protect_add_header.conf; + include /etc/nginx/common/limit_requests.conf; gzip on; @@ -28,6 +29,7 @@ server { index updating.html; location / { + limit_req zone=frontend; try_files /updating.html =404; } diff --git a/deployment/bare_metal/nginx/sites-available/update-page.conf.template b/deployment/bare_metal/nginx/sites-available/update-page.conf.template index e6cb51c7c..6236d88b0 100644 --- a/deployment/bare_metal/nginx/sites-available/update-page.conf.template +++ b/deployment/bare_metal/nginx/sites-available/update-page.conf.template @@ -6,6 +6,7 @@ server { include /etc/nginx/common/protect.conf; include /etc/nginx/common/protect_add_header.conf; + include /etc/nginx/common/limit_requests.conf; gzip on; @@ -13,6 +14,7 @@ server { index updating.html; location / { + limit_req zone=frontend; try_files /updating.html =404; }
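Review bot: `limit_req zone=frontend;` in `location /` of `update-page.conf.ssl.template` has no `burst`, so it defaults to 0. At `rate=5r/s`, any request arriving less than 200 ms after the previous one from the same address is rejected. Because `try_files /updating.html =404` answers every path, a browser fetching the page plus a favicon in parallel, or several users behind one NAT, would get errors instead of the maintenance page. I would use `limit_req zone=frontend burst=20 nodelay;` here and in the matching hunk of `update-page.conf.template`.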