Compare commits


15 Commits

vchikalkin
570125a7ac nginx: prevent ddos main page 2024-02-15 21:35:56 +03:00
vchikalkin
738492d96b nginx.conf: Closing slow connections 2024-02-15 21:07:26 +03:00
vchikalkin
9b317bcf33 nginx: move limits to global 2024-02-15 15:53:07 +03:00
vchikalkin
bc20de9e12 nginx.off.conf: move limits to location / 2024-02-15 15:50:01 +03:00
vchikalkin
940f2915d2 nginx: remove limit_req delay 2024-02-15 15:46:04 +03:00
vchikalkin
1afc6bd316 nginx: optimal limits 2024-02-15 15:38:32 +03:00
vchikalkin
c22564087f nginx: limit_req & limit_conn configs 2024-02-15 15:24:07 +03:00
vchikalkin
5bc56b4a73 nginx: change keepalive_timeout 2024-02-15 15:19:35 +03:00
vchikalkin
13df7edd52 nginx: limits config 2024-02-15 15:19:24 +03:00
vchikalkin
66b6664317 nginx: disable limit_conn 2024-02-15 15:08:38 +03:00
vchikalkin
f56fafd7e0 nginx: add limit_req delay
nginx.conf: add resolver
2024-02-15 14:52:06 +03:00
vchikalkin
3e9e41bdeb nginx: bump burst value to 10 2024-02-15 14:04:48 +03:00
vchikalkin
7cf341f4e1 nginx: enable request delay, bump up to 30 requests per address 2024-02-15 13:58:59 +03:00
vchikalkin
1884414154 nginx: up connections limit to 30 2024-02-15 13:53:55 +03:00
vchikalkin
18fda4674e optimize nginx 2024-02-15 13:48:50 +03:00
10 changed files with 39 additions and 121 deletions


@ -15,6 +15,13 @@ http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:20m;
limit_conn_status 429;
limit_req_zone $binary_remote_addr zone=req_limit_page:5m rate=1r/s;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
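Review bot: `limit_conn_status 429;` is added without a matching `limit_req_status`, so requests rejected by the two new `limit_req_zone` zones still get nginx's default 503 while connection-limit rejections get 429; add `limit_req_status 429;` beside it so clients and monitoring see one consistent throttling code. Both zones key on `$binary_remote_addr`; if this nginx runs behind another proxy (the deleted compose file references a traefik service, so that seems possible), every client shares the proxy's address and a single bucket, and `set_real_ip_from`/`real_ip_header` would be needed for the limits to be per-client. A short comment above the zones naming the intended scope (`# per-client limits; require real_ip_* when fronted by a proxy`) would make that assumption visible. The enclosing `http {}` block continues outside the hunk.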


@ -1,10 +0,0 @@
set $CSP_UPGRADE_INSECURE_REQUESTS "upgrade-insecure-requests;";
set $CSP_DEFAULT_SRC "default-src https: wss: data: blob: 'self';";
set $CSP_BASE_URI "base-uri 'self';";
set $CSP_CONNECT_SRC "connect-src 'self' *.evoleasing.ru wss:;";
set $CSP_WORKER_SRC "worker-src 'self' blob:;";
set $CSP_FONT_SRC "font-src 'self' fonts.gstatic.com fonts.googleapis.com;";
set $CSP_SCRIPT_SRC "script-src 'self';";
set $CSP_STYLE_SRC "style-src 'self' 'unsafe-inline' fonts.googleapis.com;";
set $CSP_OBJECT_SRC "object-src 'none';";
set $CSP_FRAME_ANCESTORS "frame-ancestors 'none';";


@ -1,5 +0,0 @@
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;


@ -1,4 +0,0 @@
location /robots.txt {
default_type text/plain;
return 200 "User-agent: *\nDisallow: /";
}


@ -1,5 +0,0 @@
add_header Content-Security-Policy "$CSP_UPGRADE_INSECURE_REQUESTS $CSP_DEFAULT_SRC $CSP_BASE_URI $CSP_CONNECT_SRC $CSP_WORKER_SRC $CSP_FONT_SRC $CSP_SCRIPT_SRC $CSP_STYLE_SRC $CSP_OBJECT_SRC $CSP_FRAME_ANCESTORS";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy no-referrer-when-downgrade;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";


@ -21,11 +21,13 @@ upstream app {
server {
listen 80;
include /etc/nginx/mime.types;
include /etc/nginx/include/csp.conf;
proxy_set_header auth-mode $AUTH_MODE;
proxy_set_header refresh-token $REFRESH_TOKEN;
error_page 401 /login/$AUTH_MODE;
limit_req zone=req_limit_per_ip burst=30;
limit_conn conn_limit_per_ip 30;
error_page 401 /login;
location = /auth {
@ -35,39 +37,44 @@ server {
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_intercept_errors on;
proxy_set_header auth-mode $AUTH_MODE;
proxy_set_header refresh-token $REFRESH_TOKEN;
proxy_set_header auth-mode $AUTH_MODE;
proxy_intercept_errors on;
}
location /login {
proxy_pass $login_proxy;
include /etc/nginx/include/security-headers.conf;
}
location ~ ^/(logout|get-user|login-telegram|login-confirm|refresh-token)$ {
location ~ ^/(logout|get-user)$ {
proxy_pass http://auth_api/$AUTH_MODE/$1;
proxy_set_header auth-mode $AUTH_MODE;
proxy_set_header refresh-token $REFRESH_TOKEN;
}
location = / {
limit_req zone=req_limit_page burst=1 nodelay;
proxy_pass http://app;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
include /etc/nginx/include/auth.conf;
}
location / {
proxy_pass http://app;
include /etc/nginx/include/headers.conf;
include /etc/nginx/include/auth.conf;
include /etc/nginx/include/security-headers.conf;
}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
location /socket.io/ {
proxy_pass http://auth_api/socket.io/;
include /etc/nginx/include/headers.conf;
include /etc/nginx/include/auth.conf;
include /etc/nginx/include/security-headers.conf;
}
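Review bot: `limit_req zone=req_limit_page burst=1 nodelay;` inside `location = /` replaces, rather than adds to, the server-level `limit_req zone=req_limit_per_ip burst=30;`, because nginx inherits `limit_req` from the parent level only when the current level declares none; the main page therefore loses the per-IP 10r/s limit and keeps only the 1r/s zone. If both limits are meant to apply there, repeat the per-IP directive in that location: `limit_req zone=req_limit_per_ip burst=30;` next to the existing line (`limit_conn` is not redeclared in the location, so it is still inherited). The `include /etc/nginx/include/security-headers.conf;` lines for `/login`, `/` and `/socket.io/` appear to be removed along with the deleted include file, which drops HSTS, X-Frame-Options and X-Content-Type-Options from these responses unless something upstream adds them; the same applies to the second server file in this compare. A comment stating where those headers are now set would help the next reader. The `server {}` block continues outside the hunk.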
location = /health {


@ -1,26 +0,0 @@
include /etc/nginx/include/upstream.conf;
server {
listen 80;
include /etc/nginx/mime.types;
location / {
proxy_pass $APPLICATION;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location = /health {
access_log off;
add_header 'Content-Type' 'application/json';
return 200 'UP';
}
include /etc/nginx/include/location.conf;
include /etc/nginx/include/robots.conf;
}


@ -8,7 +8,9 @@ upstream app {
server {
listen 80;
include /etc/nginx/mime.types;
include /etc/nginx/include/csp.conf;
limit_req zone=req_limit_per_ip burst=30;
limit_conn conn_limit_per_ip 30;
location / {
proxy_pass http://app;
@ -18,8 +20,6 @@ server {
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
include /etc/nginx/include/security-headers.conf;
}
location = /health {


@ -1,27 +0,0 @@
version: '3'
services:
server:
ports:
- '${PORT_EXPOSE}:80'
image: nginx:alpine
environment:
- APPLICATION=${APPLICATION}
- AUTH_MODE=${AUTH_MODE}
- REFRESH_TOKEN=${REFRESH_TOKEN}
volumes:
- ./config/nginx.auth.conf:/etc/nginx/templates/default.conf.template
- ./config/include:/etc/nginx/include
- ./config/http/nginx.conf:/etc/nginx/nginx.conf
restart: always
networks:
- auth_network
- app_network
networks:
auth_network:
external:
name: auth_network
app_network:
external:
name: ${NETWORK_NAME}


@ -1,19 +0,0 @@
version: '3'
services:
server:
extends:
file: docker-compose.traefik.yml
service: server
image: nginx:alpine
environment:
- APPLICATION=${APPLICATION}
volumes:
- ./config/nginx.exposed.conf:/etc/nginx/templates/default.conf.template
- ./config/include:/etc/nginx/include
- ./config/http/nginx.conf:/etc/nginx/nginx.conf
restart: always
networks:
web:
external: true