diff --git a/config/http/nginx.conf b/config/http/nginx.conf
new file mode 100644
index 0000000..c7715ef
--- /dev/null
+++ b/config/http/nginx.conf
@@ -0,0 +1,55 @@
+ user nginx;
+ worker_processes auto;
+
+ error_log /var/log/nginx/error.log notice;
+ pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+ use epoll;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+
+ limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;
+ limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:20m;
+ limit_conn_status 429;
+
+ limit_req_zone $binary_remote_addr zone=req_limit_page:5m rate=1r/s;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log off;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 60s;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+
+ # Compression
+ gzip on;
+ gzip_min_length 1000;
+ gzip_proxied any;
+ gzip_comp_level 1;
+ gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
+ gzip_vary on;
+ gzip_disable "msie6";
+
+
+ resolver 127.0.0.11 ipv6=off;
+
+ client_body_timeout 20s;
+ client_header_timeout 20s;
+
+}
\ No newline at end of file
diff --git a/config/nginx.auth.conf b/config/nginx.auth.conf
index 2b15363..8b70cd9 100644
--- a/config/nginx.auth.conf
+++ b/config/nginx.auth.conf
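Review bot: `limit_conn_status 429;` has no `limit_req_status` counterpart, so requests rejected by the two `limit_req_zone` zones are answered with nginx's default 503, which clients and monitoring cannot tell apart from an upstream failure; adding `limit_req_status 429;` next to it makes both limiters report the same way. With `access_log off;` the `main` log format is defined but never used, and throttled clients are recorded only in the error log, so consider keeping an access log at least for the rate-limited locations. Both zones key on `$binary_remote_addr`; if this nginx is ever deployed behind another proxy or load balancer (not visible here), all clients would share one bucket unless the real client address is restored first. The commented-out `#gzip on;` above the new Compression block is now stale and can be dropped.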
@@ -22,13 +22,9 @@ server { listen 80; include /etc/nginx/mime.types; - gzip on; - gzip_min_length 1000; - gzip_proxied any; - gzip_comp_level 1; - gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml; - gzip_vary on; - gzip_disable "msie6"; + + limit_req zone=req_limit_per_ip burst=30; + limit_conn conn_limit_per_ip 30; error_page 401 /login; @@ -54,6 +50,20 @@ server { proxy_pass http://auth_api/$AUTH_MODE/$1; } + location = / { + limit_req zone=req_limit_page burst=1 nodelay; + + proxy_pass http://app; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + + include /etc/nginx/include/auth.conf; + } + location / { proxy_pass http://app; diff --git a/config/nginx.off.conf b/config/nginx.off.conf index 3fe7d9a..4535af1 100644 --- a/config/nginx.off.conf +++ b/config/nginx.off.conf @@ -9,14 +9,8 @@ server { listen 80; include /etc/nginx/mime.types; - gzip on; - gzip_min_length 1000; - gzip_proxied any; - gzip_comp_level 1; - gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml; - gzip_vary on; - gzip_disable "msie6"; - + limit_req zone=req_limit_per_ip burst=30; + limit_conn conn_limit_per_ip 30; location / { proxy_pass http://app; diff --git a/docker-compose.auth.yml b/docker-compose.auth.yml index b40e317..04224ae 100644 --- a/docker-compose.auth.yml +++ b/docker-compose.auth.yml 
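Review bot: The server-level `limit_req zone=req_limit_per_ip burst=30;` has no `nodelay`, so anything above 10 r/s is queued and released at the zone rate instead of being served or rejected; a page that pulls in many assets can stall for up to about three seconds, and each queued request keeps a connection open that counts against `limit_conn conn_limit_per_ip 30;`. If the intent is to absorb normal page-load bursts and reject only sustained floods, `limit_req zone=req_limit_per_ip burst=30 nodelay;` expresses that. The same two lines are added in config/nginx.off.conf and the point applies there as well. Separately, the `/login` and `auth_api` paths that appear in the surrounding context get only this general limit; if credential guessing is a concern, they look like a more natural place for a strict zone than the root page. The server block starts and ends outside the hunk.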
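Review bot: Because the new `location = /` declares its own `limit_req`, nginx does not inherit the server-level `limit_req zone=req_limit_per_ip burst=30;` there, so `/` is governed only by `req_limit_page`; if both limits are meant to apply, repeat the server-level directive inside the block. At 1 r/s with `burst=1 nodelay`, several users behind one NAT address, or one user reloading a few times in quick succession, will be rejected, so the threshold deserves a comment explaining why it was chosen. The block also appears to duplicate the proxy settings of `location /` (only its `proxy_pass http://app;` line is visible) together with `include /etc/nginx/include/auth.conf;`; keeping the auth include in two hand-maintained copies invites drift, and moving the shared proxy and auth directives into one included file would avoid that. `location /` continues outside the hunk.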
@@ -13,6 +13,7 @@ services: volumes: - ./config/nginx.auth.conf:/etc/nginx/templates/default.conf.template - ./config/include:/etc/nginx/include + - ./config/http/nginx.conf:/etc/nginx/nginx.conf restart: always networks: - auth_network diff --git a/docker-compose.off.yml b/docker-compose.off.yml index 55b846e..82ac871 100644 --- a/docker-compose.off.yml +++ b/docker-compose.off.yml @@ -11,6 +11,7 @@ services: volumes: - ./config/nginx.off.conf:/etc/nginx/templates/default.conf.template - ./config/include:/etc/nginx/include + - ./config/http/nginx.conf:/etc/nginx/nginx.conf restart: always networks: - app_network
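Review bot: The new bind mount `./config/http/nginx.conf:/etc/nginx/nginx.conf` is writable from inside the container, although nginx only needs to read it; mounting it read-only as `- ./config/http/nginx.conf:/etc/nginx/nginx.conf:ro` keeps anything running in the container from modifying the host copy of the main configuration. The same line is added in docker-compose.off.yml and should get the same suffix. The `./config/include` mount next to it looks like a candidate for `:ro` too, though that line is not part of this change.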