IT4Change/gradido
3
0
Fork 0
mirror of https://github.com/IT4Change/gradido.git synced 2026-02-06 09:56:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
gradido/deployment/bare_metal
History
einhornimmond 9c85b7829f change PORT env variable to BACKEND_PORT to prevent mix-ups with native PORT env from nginx in Docker
2025-10-28 10:03:53 +01:00
..
backup
backup and log folders
2022-01-14 09:32:36 +01:00
doc
add hetzner_cloud deployment folder, simplify config
2024-01-04 17:36:44 +01:00
log
backup and log folders
2022-01-14 09:32:36 +01:00
logrotate
only rotate logfiles
2022-03-12 02:10:04 +01:00
nginx
first draft
2025-10-25 16:27:49 +02:00
old
corrected paths in scripts
2023-05-08 11:46:37 +02:00
webhook
parameterize hooks template
2022-01-14 09:24:12 +01:00
.env.dist
change PORT env variable to BACKEND_PORT to prevent mix-ups with native PORT env from nginx in Docker
2025-10-28 10:03:53 +01:00
backup.sh
add eof
2023-11-14 23:22:36 +01:00
Dockerfile
add gcc to deploy test docker
2025-05-20 12:55:31 +02:00
import_old_production.sh
minor changes + console logs for sending to debug the stage2 instance
2022-01-25 00:49:54 +01:00
install-missing-deps.sh
maybe now...
2025-10-22 10:28:34 +02:00
install.sh
add dht-node to deployment scripts
2023-02-21 22:29:44 +01:00
maintenance.sh
make maintenance script executable
2022-01-12 21:19:48 +01:00
Readme.md
add readme, start direct in production, less process count, more stable production
2025-05-23 19:36:46 +02:00
removeLogFiles.sh
change name pattern for pm2.frontend-files, change time-pattern for
2023-08-08 00:20:50 +02:00
restore.sh
remove yarn in favor of bun
2025-10-08 12:56:58 +02:00
setup.md
setup description for new logfile clearance cronjob
2023-08-03 22:30:11 +02:00
start.sh
correct path
2025-10-25 17:24:26 +02:00

Readme.md

Deployment for bare metal servers

This setup is designed for bare metal servers, offering maximum performance and reliability for Gradido deployments. However, it can also work on virtual servers (VPS) if properly configured.

🧠 Memory Considerations on VServers

We have observed that some VServer providers apply aggressive virtual memory constraints or overcommit strategies that may cause random crashes of Node.js processes even when total RAM appears sufficient.

Important Notes:

  • A single Node.js process may allocate 1012 GB of virtual memory (VIRT), even if real memory usage (RES) stays below 200 MB.
  • Some VPS environments panic or kill processes when virtual memory allocation exceeds certain invisible thresholds.

🛡️ Rate Limiting (API Protection)

This deployment includes built-in rate limiting for public-facing endpoints to prevent abuse and denial-of-service attacks.

🔒 NGINX Rate & Connection Limits Overview

Path Zone Rate Limit Burst Max Connections Notes
/ frontend 15 requests/s 150 60 Public frontend
/admin frontend 15 requests/s 30 20 Admin frontend
/graphql backend 20 requests/s 40 20 Main backend GraphQL API
/hook backend 20 requests/s 20 20 Internal backend webhooks
/hooks/ backend 20 requests/s 20 20 Reverse proxy for webhooks
/api/<version> api 30 requests/s 60 30 Federation GraphQL API
  • <version>: placeholder for federation api version
  • All zones use $binary_remote_addr for client identification.
  • nodelay ensures burst requests are not delayed (they are either accepted or rejected).
  • Global connection zone: limit_conn_zone $binary_remote_addr zone=addr:10m;

This setup helps protect public and internal interfaces from abuse, while ensuring smooth parallel access during high load periods (e.g., UI builds or cluster sync).

These limits work like a traffic cop at each route:

  • Rate limits (limit_req) define how many requests per second a single client can send.
  • Burst values allow short spikes without blocking like a temporary buffer.
  • Connection limits (limit_conn) cap how many concurrent connections a single IP can keep open.

Each route (frontend, backend, API, etc.) has its own configuration depending on its expected traffic pattern and sensitivity. For example:

  • The public frontend allows higher bursts (many assets load at once).
  • The GraphQL backend and admin interfaces are more tightly controlled.

This ensures fairness, avoids accidental DoS scenarios, and keeps overall latency low, even under high usage.