mirror/ infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2024-05-20 05:26:03 +02:00
Code Issues

security-tracker: cache all json API and feed requests 

This also simplifies the request limit configuration as json API and
feed requests are cached hence a more strict request limit is not really
necessary anymore.

- Configure a uwsgi cache of 1GB for all json API and feed requests
- Cache JSON API and feed requests for 5 minutes
- Use a single global request limit zone

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
This commit is contained in:
Levente Polyak 2023-05-01 23:19:20 +02:00
parent e33791b349
commit 94dc580ee2
No known key found for this signature in database
GPG Key ID: FC1B547C8D8172C8
1 changed files with 14 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
roles/security_tracker/templates/nginx.d.conf.j2
View File

@ -1,9 +1,10 @@
# limit rss requests to 1 r/m
limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;
# uwsgi caching zone
uwsgi_cache_path /var/lib/nginx/cache/ levels=1:2 keys_zone=sec_cache:5m max_size=1g inactive=60m use_temp_path=off;
# limit general requests to 5 r/s to block DoS attempts with a burst of 10.
limit_req_zone $binary_remote_addr zone=archseclimit:10m rate=5r/s;
# limit requests to 5 r/s to block DoS attempts with a burst of 10.
limit_req_zone $binary_remote_addr zone=sec_req_limit:10m rate=5r/s;
# limit http status: 429 Too Many Requests
limit_req_status 429;
upstream security-tracker {
@ -49,22 +50,28 @@ server {
alias {{ security_tracker_dir }}/tracker/static/;
}
# Rate limit all RSS feeds
# API/RSS endpoint
location ~* .*(atom|json)$ {
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log main;
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_main;
include uwsgi_params;
uwsgi_pass security-tracker;
uwsgi_cache sec_cache;
uwsgi_cache_valid 5m;
uwsgi_cache_key "$request_method$request_uri";
limit_req zone=rsslimit burst=5 nodelay;
limit_req zone=sec_req_limit burst=5 nodelay;
}
# Web UI endpoint
location / {
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log main;
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_main;
include uwsgi_params;
uwsgi_pass security-tracker;
limit_req zone=archseclimit burst=10 nodelay;
limit_req zone=sec_req_limit burst=10 nodelay;
}
}