discours.io/core
5
0
Fork 0
Code Pull Requests Actions Projects Activity

nginx-fix
Some checks failed
Deploy on push / deploy (push) Failing after 4s
Details

Browse Source
This commit is contained in:
Untone
2025-08-01 11:14:34 +03:00
parent 58661f014b
commit b5b968456d
9 changed files with 43 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

160
nginx.conf.sigil
View File

@@ -1,154 +1,68 @@
# Global cache configuration {{ $proxy_settings := "proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_set_header Host $http_host; proxy_set_header X-Request-Start $msec;" }}
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=discoursio_cache:10m max_size=1g inactive=60m use_temp_path=off; {{ $gzip_settings := "gzip on; gzip_min_length 1100; gzip_buffers 4 32k; gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml; gzip_vary on; gzip_comp_level 6;" }}
# Rate limiting zones proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=60m use_temp_path=off;
limit_conn_zone $binary_remote_addr zone=addr:10m; limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_req_zone $binary_remote_addr zone=req_zone:10m rate=20r/s; limit_req_zone $binary_remote_addr zone=req_zone:10m rate=20r/s;
# HTTP to HTTPS redirect {{ range $port_map := .PROXY_PORT_MAP | split " " }}
server { {{ $port_map_list := $port_map | split ":" }}
listen 80; {{ $scheme := index $port_map_list 0 }}
server_name {{ $.NOSSL_SERVER_NAME }}; {{ $listen_port := index $port_map_list 1 }}
return 301 https://$host$request_uri; {{ $upstream_port := index $port_map_list 2 }}
}
# Main HTTPS server
server { server {
listen 443 ssl http2; {{ if eq $scheme "http" }}
listen [::]:{{ $listen_port }};
listen {{ $listen_port }};
server_name {{ $.NOSSL_SERVER_NAME }}; server_name {{ $.NOSSL_SERVER_NAME }};
# SSL configuration # Redirect HTTP to HTTPS
return 301 https://$server_name$request_uri;
{{ else if eq $scheme "https" }}
listen [::]:{{ $listen_port }} ssl http2;
listen {{ $listen_port }} ssl http2;
server_name {{ $.NOSSL_SERVER_NAME }};
ssl_certificate {{ $.APP_SSL_PATH }}/server.crt; ssl_certificate {{ $.APP_SSL_PATH }}/server.crt;
ssl_certificate_key {{ $.APP_SSL_PATH }}/server.key; ssl_certificate_key {{ $.APP_SSL_PATH }}/server.key;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
# Gzip configuration keepalive_timeout 70;
gzip on; keepalive_requests 500;
gzip_vary on; proxy_read_timeout 3600;
gzip_min_length 1024; limit_conn addr 10000;
gzip_proxied any;
gzip_comp_level 6;
gzip_types
text/plain
text/css
text/xml
text/javascript
application/javascript
application/xml+rss
application/json
application/xml
image/svg+xml
font/ttf
font/otf
font/woff
font/woff2;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Logging
access_log /var/log/nginx/{{ $.APP }}-access.log;
error_log /var/log/nginx/{{ $.APP }}-error.log;
# Performance settings
client_max_body_size 100M; client_max_body_size 100M;
client_header_timeout 60s; {{ end }}
client_body_timeout 60s;
send_timeout 60s;
keepalive_timeout 65s;
keepalive_requests 1000;
# Rate limiting
limit_conn addr 100;
limit_req zone=req_zone burst=20 nodelay;
# Main application proxy
location / { location / {
proxy_pass http://{{ $.APP }}-8000; proxy_pass http://{{ $.APP }}-{{ $upstream_port }};
proxy_http_version 1.1; {{ $proxy_settings }}
proxy_set_header Upgrade $http_upgrade; {{ $gzip_settings }}
proxy_set_header Connection $http_connection;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Request-Start $msec;
# Proxy buffering proxy_cache my_cache;
proxy_buffering on;
proxy_buffer_size 4k;
proxy_buffers 8 4k;
proxy_busy_buffers_size 8k;
# Cache settings for dynamic content
proxy_cache discoursio_cache;
proxy_cache_revalidate on; proxy_cache_revalidate on;
proxy_cache_min_uses 1; proxy_cache_min_uses 2;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_background_update on; proxy_cache_background_update on;
proxy_cache_lock on; proxy_cache_lock on;
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m; # Connections and request limits increase (bad for DDos)
limit_req zone=req_zone burst=10 nodelay;
} }
# GraphQL endpoint with specific settings location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
location /graphql { proxy_pass http://{{ $.APP }}-{{ $upstream_port }};
proxy_pass http://{{ $.APP }}-8000; expires 30d;
proxy_http_version 1.1; add_header Cache-Control "public, no-transform";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Request-Start $msec;
# Large buffering for GraphQL responses
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 16 8k;
proxy_busy_buffers_size 16k;
# GraphQL specific timeouts
proxy_read_timeout 300s;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
# Disable caching for GraphQL
proxy_cache off;
add_header Cache-Control "no-cache, no-store, must-revalidate";
add_header Pragma "no-cache";
add_header Expires "0";
} }
# Static assets with aggressive caching
location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|otf)$ {
proxy_pass http://{{ $.APP }}-8000;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Aggressive caching for static assets
expires 1y;
add_header Cache-Control "public, immutable";
add_header Vary "Accept-Encoding";
}
# Include custom nginx configurations
include {{ $.DOKKU_ROOT }}/{{ $.APP }}/nginx.conf.d/*.conf; include {{ $.DOKKU_ROOT }}/{{ $.APP }}/nginx.conf.d/*.conf;
} }
{{ end }}
{{ range $upstream_port := $.PROXY_UPSTREAM_PORTS | split " " }} {{ range $upstream_port := $.PROXY_UPSTREAM_PORTS | split " " }}
upstream {{ $.APP }}-{{ $upstream_port }} { upstream {{ $.APP }}-{{ $upstream_port }} {

0
test_delete_api_debug.py → tests/test_delete_api_debug.py
View File

0
test_delete_button_debug.py → tests/test_delete_button_debug.py
View File

0
test_delete_existing_community.py → tests/test_delete_existing_community.py
View File

0
test_delete_new_community.py → tests/test_delete_new_community.py
View File

0
test_e2e_simple.py → tests/test_e2e_simple.py
View File

0
test_login_debug.py → tests/test_login_debug.py
View File

0
test_rbac_debug.py → tests/test_rbac_debug.py
View File

0
test_user_roles_debug.py → tests/test_user_roles_debug.py
View File