From b5b968456dcb9082a7f07e4235581394ad0a8ff0 Mon Sep 17 00:00:00 2001 From: Untone Date: Fri, 1 Aug 2025 11:14:34 +0300 Subject: [PATCH] nginx-fix --- nginx.conf.sigil | 172 +++++------------- .../test_delete_api_debug.py | 0 .../test_delete_button_debug.py | 0 .../test_delete_existing_community.py | 0 .../test_delete_new_community.py | 0 .../test_e2e_simple.py | 0 .../test_login_debug.py | 0 .../test_rbac_debug.py | 0 .../test_user_roles_debug.py | 0 9 files changed, 43 insertions(+), 129 deletions(-) rename test_delete_api_debug.py => tests/test_delete_api_debug.py (100%) rename test_delete_button_debug.py => tests/test_delete_button_debug.py (100%) rename test_delete_existing_community.py => tests/test_delete_existing_community.py (100%) rename test_delete_new_community.py => tests/test_delete_new_community.py (100%) rename test_e2e_simple.py => tests/test_e2e_simple.py (100%) rename test_login_debug.py => tests/test_login_debug.py (100%) rename test_rbac_debug.py => tests/test_rbac_debug.py (100%) rename test_user_roles_debug.py => tests/test_user_roles_debug.py (100%) diff --git a/nginx.conf.sigil b/nginx.conf.sigil index 78cf459d..9517ba41 100644 --- a/nginx.conf.sigil +++ b/nginx.conf.sigil 
@@ -1,154 +1,68 @@ -# Global cache configuration -proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=discoursio_cache:10m max_size=1g inactive=60m use_temp_path=off; +{{ $proxy_settings := "proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_set_header Host $http_host; proxy_set_header X-Request-Start $msec;" }} +{{ $gzip_settings := "gzip on; gzip_min_length 1100; gzip_buffers 4 32k; gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml; gzip_vary on; gzip_comp_level 6;" }} -# Rate limiting zones +proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=60m use_temp_path=off; limit_conn_zone $binary_remote_addr zone=addr:10m; limit_req_zone $binary_remote_addr zone=req_zone:10m rate=20r/s; -# HTTP to HTTPS redirect +{{ range $port_map := .PROXY_PORT_MAP | split " " }} +{{ $port_map_list := $port_map | split ":" }} +{{ $scheme := index $port_map_list 0 }} +{{ $listen_port := index $port_map_list 1 }} +{{ $upstream_port := index $port_map_list 2 }} + server { - listen 80; - server_name {{ $.NOSSL_SERVER_NAME }}; - return 301 https://$host$request_uri; -} + {{ if eq $scheme "http" }} + listen [::]:{{ $listen_port }}; + listen {{ $listen_port }}; + server_name {{ $.NOSSL_SERVER_NAME }}; -# Main HTTPS server -server { - listen 443 ssl http2; - server_name {{ $.NOSSL_SERVER_NAME }}; + # Redirect HTTP to HTTPS + return 301 https://$server_name$request_uri; - # SSL configuration - ssl_certificate {{ $.APP_SSL_PATH }}/server.crt; - ssl_certificate_key {{ $.APP_SSL_PATH }}/server.key; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers off; - ssl_ciphers 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_session_tickets off; + {{ else if eq $scheme "https" }} + listen [::]:{{ $listen_port }} ssl http2; + listen {{ $listen_port }} ssl http2; + server_name {{ $.NOSSL_SERVER_NAME }}; + ssl_certificate {{ $.APP_SSL_PATH }}/server.crt; + ssl_certificate_key {{ $.APP_SSL_PATH }}/server.key; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers off; - # Gzip configuration - gzip on; - gzip_vary on; - gzip_min_length 1024; - gzip_proxied any; - gzip_comp_level 6; - gzip_types - text/plain - text/css - text/xml - text/javascript - application/javascript - application/xml+rss - application/json - application/xml - image/svg+xml - font/ttf - font/otf - font/woff - font/woff2; + keepalive_timeout 70; + keepalive_requests 500; + proxy_read_timeout 3600; + limit_conn addr 10000; + client_max_body_size 100M; + {{ end }} - # Security headers - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - add_header X-Frame-Options SAMEORIGIN always; - add_header X-Content-Type-Options nosniff always; - add_header X-XSS-Protection "1; mode=block" always; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - # Logging - access_log /var/log/nginx/{{ $.APP }}-access.log; - error_log /var/log/nginx/{{ $.APP }}-error.log; - - # Performance settings - client_max_body_size 100M; - client_header_timeout 60s; - client_body_timeout 60s; - send_timeout 60s; - keepalive_timeout 65s; - keepalive_requests 1000; - - # Rate limiting - limit_conn addr 100; - limit_req zone=req_zone burst=20 nodelay; - - # Main application proxy location / { - proxy_pass http://{{ $.APP }}-8000; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $http_connection; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Request-Start $msec; + proxy_pass http://{{ $.APP }}-{{ $upstream_port }}; + {{ $proxy_settings }} + {{ $gzip_settings }} - # Proxy buffering - proxy_buffering on; - proxy_buffer_size 4k; - proxy_buffers 8 4k; - proxy_busy_buffers_size 8k; - - # Cache settings for dynamic content - proxy_cache discoursio_cache; + proxy_cache my_cache; proxy_cache_revalidate on; - proxy_cache_min_uses 1; + proxy_cache_min_uses 2; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_background_update on; proxy_cache_lock on; - proxy_cache_valid 200 302 10m; - proxy_cache_valid 404 1m; + + # Connections and request limits increase (bad for DDos) + limit_req zone=req_zone burst=10 nodelay; } - # GraphQL endpoint with specific settings - location /graphql { - proxy_pass http://{{ $.APP }}-8000; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $http_connection; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Request-Start $msec; - - # Large buffering for GraphQL responses - proxy_buffering on; - proxy_buffer_size 8k; - proxy_buffers 16 8k; - proxy_busy_buffers_size 16k; - - # GraphQL specific timeouts - proxy_read_timeout 300s; - proxy_connect_timeout 60s; - proxy_send_timeout 60s; - - # Disable caching for GraphQL - proxy_cache off; - add_header Cache-Control "no-cache, no-store, must-revalidate"; - add_header Pragma "no-cache"; - add_header Expires "0"; + location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ { + proxy_pass http://{{ $.APP }}-{{ $upstream_port }}; + expires 30d; + add_header Cache-Control "public, 
no-transform"; } - # Static assets with aggressive caching - location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|otf)$ { - proxy_pass http://{{ $.APP }}-8000; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - # Aggressive caching for static assets - expires 1y; - add_header Cache-Control "public, immutable"; - add_header Vary "Accept-Encoding"; - } - - # Include custom nginx configurations include {{ $.DOKKU_ROOT }}/{{ $.APP }}/nginx.conf.d/*.conf; } +{{ end }} + {{ range $upstream_port := $.PROXY_UPSTREAM_PORTS | split " " }} upstream {{ $.APP }}-{{ $upstream_port }} { diff --git a/test_delete_api_debug.py b/tests/test_delete_api_debug.py similarity index 100% rename from test_delete_api_debug.py rename to tests/test_delete_api_debug.py diff --git a/test_delete_button_debug.py b/tests/test_delete_button_debug.py similarity index 100% rename from test_delete_button_debug.py rename to tests/test_delete_button_debug.py diff --git a/test_delete_existing_community.py b/tests/test_delete_existing_community.py similarity index 100% rename from test_delete_existing_community.py rename to tests/test_delete_existing_community.py diff --git a/test_delete_new_community.py b/tests/test_delete_new_community.py similarity index 100% rename from test_delete_new_community.py rename to tests/test_delete_new_community.py diff --git a/test_e2e_simple.py b/tests/test_e2e_simple.py similarity index 100% rename from test_e2e_simple.py rename to tests/test_e2e_simple.py diff --git a/test_login_debug.py b/tests/test_login_debug.py similarity index 100% rename from test_login_debug.py rename to tests/test_login_debug.py diff --git a/test_rbac_debug.py b/tests/test_rbac_debug.py similarity index 100% rename from test_rbac_debug.py rename to tests/test_rbac_debug.py 
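Review bot: The new https branch no longer emits any of the security response headers the removed block set (`Strict-Transport-Security`, `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`), and the shared `$proxy_settings` string drops `X-Real-IP`, `X-Forwarded-For`, `X-Forwarded-Proto` and `X-Forwarded-Port`, so the upstream can no longer see the client address or the original scheme. Silently losing HSTS on a host that was previously served with `preload` is a downgrade, and without `X-Forwarded-Proto` any scheme-aware redirects or secure-cookie decisions in the app will presumably see plain http (depends on how the app reads those headers). The per-app `access_log`/`error_log` lines are also gone, so requests fall back to the global nginx log and lose app attribution, and because `location /graphql` with `proxy_cache off` was merged into `location /`, GraphQL GET responses are now eligible for `my_cache` — with `proxy_cache_valid` removed this only happens when the upstream sends cacheable Cache-Control/Expires, but it is worth confirming the backend never does that for per-user responses. I would restore the headers and logs in the https branch and extend `$proxy_settings` as below; note that nginx does not inherit `add_header` into a location that declares its own `add_header`, so the static-asset location needs the security headers repeated (or a shared include) to keep them on those responses too.
```nginx
{{ $proxy_settings := "proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Request-Start $msec;" }}
# … unchanged: gzip settings, proxy_cache_path, limit zones, port-map range, http redirect branch …
    {{ else if eq $scheme "https" }}
    # … unchanged: listen / server_name / ssl_certificate / ssl_protocols / ssl_prefer_server_ciphers …
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    access_log /var/log/nginx/{{ $.APP }}-access.log;
    error_log /var/log/nginx/{{ $.APP }}-error.log;
    # … unchanged: keepalive / proxy_read_timeout / limit_conn / client_max_body_size, locations, include …
```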
diff --git a/test_user_roles_debug.py b/tests/test_user_roles_debug.py similarity index 100% rename from test_user_roles_debug.py rename to tests/test_user_roles_debug.py