mirror/infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00
Code Issues
fail2ban-incremental-ban
infrastructure/roles/security_tracker/templates/nginx.d.conf.j2
Levente Polyak 94dc580ee2
security-tracker: cache all json API and feed requests 
This also simplifies the request limit configuration as json API and
feed requests are cached hence a more strict request limit is not really
necessary anymore.

- Configure a uwsgi cache of 1GB for all json API and feed requests
- Cache JSON API and feed requests for 5 minutes
- Use a single global request limit zone

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2023-05-02 19:43:21 +02:00

78 lines
2.6 KiB
Django/Jinja
Raw Permalink Blame History

# uwsgi caching zone
uwsgi_cache_path /var/lib/nginx/cache/ levels=1:2 keys_zone=sec_cache:5m max_size=1g inactive=60m use_temp_path=off;
# limit requests to 5 r/s to block DoS attempts with a burst of 10.
limit_req_zone $binary_remote_addr zone=sec_req_limit:10m rate=5r/s;
# limit http status: 429 Too Many Requests
limit_req_status 429;
upstream security-tracker {
server unix:///run/uwsgi/security-tracker.sock;
}
server {
listen 80;
listen [::]:80;
server_name {{ security_tracker_domain }};
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log reduced;
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ security_tracker_domain }}/error.log;
include snippets/letsencrypt.conf;
location / {
access_log off;
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ security_tracker_domain }};
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log reduced;
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ security_tracker_domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ security_tracker_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ security_tracker_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ security_tracker_domain }}/chain.pem;
location = /google9fb65bdd43709b25.html {
# verification code for anthraxx
return 200 "google-site-verification: google9fb65bdd43709b25.html";
}
location /static/ {
alias {{ security_tracker_dir }}/tracker/static/;
}
# API/RSS endpoint
location ~* .*(atom|json)$ {
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log main;
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_main;
include uwsgi_params;
uwsgi_pass security-tracker;
uwsgi_cache sec_cache;
uwsgi_cache_valid 5m;
uwsgi_cache_key "$request_method$request_uri";
limit_req zone=sec_req_limit burst=5 nodelay;
}
# Web UI endpoint
location / {
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log main;
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_main;
include uwsgi_params;
uwsgi_pass security-tracker;
limit_req zone=sec_req_limit burst=10 nodelay;
}
}
View Git Blame Copy Permalink