mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2024-05-20 05:26:03 +02:00
security-tracker: cache all json API and feed requests
This also simplifies the request limit configuration as json API and feed requests are cached hence a more strict request limit is not really necessary anymore. - Configure a uwsgi cache of 1GB for all json API and feed requests - Cache JSON API and feed requests for 5 minutes - Use a single global request limit zone Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
This commit is contained in:
parent
e33791b349
commit
94dc580ee2
|
@ -1,9 +1,10 @@
|
|||
# limit rss requests to 1 r/m
|
||||
limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;
|
||||
# uwsgi caching zone
|
||||
uwsgi_cache_path /var/lib/nginx/cache/ levels=1:2 keys_zone=sec_cache:5m max_size=1g inactive=60m use_temp_path=off;
|
||||
|
||||
# limit general requests to 5 r/s to block DoS attempts with a burst of 10.
|
||||
limit_req_zone $binary_remote_addr zone=archseclimit:10m rate=5r/s;
|
||||
# limit requests to 5 r/s to block DoS attempts with a burst of 10.
|
||||
limit_req_zone $binary_remote_addr zone=sec_req_limit:10m rate=5r/s;
|
||||
|
||||
# limit http status: 429 Too Many Requests
|
||||
limit_req_status 429;
|
||||
|
||||
upstream security-tracker {
|
||||
|
@ -49,22 +50,28 @@ server {
|
|||
alias {{ security_tracker_dir }}/tracker/static/;
|
||||
}
|
||||
|
||||
# Rate limit all RSS feeds
|
||||
# API/RSS endpoint
|
||||
location ~* .*(atom|json)$ {
|
||||
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log main;
|
||||
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_main;
|
||||
|
||||
include uwsgi_params;
|
||||
uwsgi_pass security-tracker;
|
||||
uwsgi_cache sec_cache;
|
||||
uwsgi_cache_valid 5m;
|
||||
uwsgi_cache_key "$request_method$request_uri";
|
||||
|
||||
limit_req zone=rsslimit burst=5 nodelay;
|
||||
limit_req zone=sec_req_limit burst=5 nodelay;
|
||||
}
|
||||
|
||||
# Web UI endpoint
|
||||
location / {
|
||||
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log main;
|
||||
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_main;
|
||||
|
||||
include uwsgi_params;
|
||||
uwsgi_pass security-tracker;
|
||||
|
||||
limit_req zone=archseclimit burst=10 nodelay;
|
||||
limit_req zone=sec_req_limit burst=10 nodelay;
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue