new api endpoint and api rate limit
This commit is contained in:
Georgiy Syralev
@@ -3,10 +3,14 @@
|
||||
|
||||
# Upstream для бэкенда
|
||||
upstream backend_api {
|
||||
server 127.0.0.1:3001;
|
||||
server 127.0.0.1:5000;
|
||||
keepalive 32;
|
||||
}
|
||||
|
||||
# Rate limiting zones
|
||||
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
|
||||
limit_req_zone $binary_remote_addr zone=login_limit:10m rate=5r/m;
|
||||
|
||||
# Redirect HTTP to HTTPS
|
||||
server {
|
||||
listen 80;
|
||||
@@ -30,8 +34,8 @@ server {
|
||||
server_name ospab.host www.ospab.host;
|
||||
|
||||
# SSL Configuration
|
||||
ssl_certificate /etc/letsencrypt/live/ospab.host/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/ospab.host/privkey.pem;
|
||||
ssl_certificate /etc/apache2/ssl/ospab.host.fullchain.crt;
|
||||
ssl_certificate_key /etc/apache2/ssl/ospab.host.key;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_tickets off;
|
||||
@@ -51,7 +55,7 @@ server {
|
||||
resolver_timeout 5s;
|
||||
|
||||
# Root directory for frontend build
|
||||
root /var/www/ospab.host/frontend/dist;
|
||||
root /var/www/ospab-host/frontend/dist;
|
||||
index index.html;
|
||||
|
||||
# Gzip compression
|
||||
@@ -68,15 +72,11 @@ server {
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
|
||||
|
||||
# Rate limiting zone
|
||||
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
|
||||
limit_req_zone $binary_remote_addr zone=login_limit:10m rate=5r/m;
|
||||
|
||||
# API proxy to backend
|
||||
location /api/ {
|
||||
limit_req zone=api_limit burst=20 nodelay;
|
||||
|
||||
proxy_pass http://backend_api;
|
||||
proxy_pass https://backend_api;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection 'upgrade';
|
||||
@@ -97,7 +97,7 @@ server {
|
||||
location /api/auth/login {
|
||||
limit_req zone=login_limit burst=5 nodelay;
|
||||
|
||||
proxy_pass http://backend_api;
|
||||
proxy_pass https://backend_api;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
@@ -111,7 +111,7 @@ server {
|
||||
location /api/auth/register {
|
||||
limit_req zone=login_limit burst=3 nodelay;
|
||||
|
||||
proxy_pass http://backend_api;
|
||||
proxy_pass https://backend_api;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
@@ -124,7 +124,7 @@ server {
|
||||
|
||||
# WebSocket support for real-time features
|
||||
location /ws {
|
||||
proxy_pass http://backend_api;
|
||||
proxy_pass https://backend_api;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
@@ -136,7 +136,7 @@ server {
|
||||
|
||||
# Uploaded files (checks images)
|
||||
location /uploads/ {
|
||||
alias /var/www/ospab.host/backend/uploads/;
|
||||
alias /var/www/ospab-host/backend/uploads/;
|
||||
expires 30d;
|
||||
add_header Cache-Control "public, immutable";
|
||||
try_files $uri =404;
|
||||
@@ -221,8 +221,51 @@ server {
|
||||
listen [::]:443 ssl http2;
|
||||
server_name www.ospab.host;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/ospab.host/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/ospab.host/privkey.pem;
|
||||
ssl_certificate /etc/apache2/ssl/ospab.host.fullchain.crt;
|
||||
ssl_certificate_key /etc/apache2/ssl/ospab.host.key;
|
||||
|
||||
return 301 https://ospab.host$request_uri;
|
||||
}
|
||||
|
||||
# API server
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name api.ospab.host;
|
||||
|
||||
# SSL Configuration
|
||||
ssl_certificate /etc/letsencrypt/live/api.ospab.host/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/api.ospab.host/privkey.pem;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
# Modern SSL configuration
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
# HSTS
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
# OCSP Stapling
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
resolver 8.8.8.8 8.8.4.4 valid=300s;
|
||||
resolver_timeout 5s;
|
||||
|
||||
# Proxy to backend
|
||||
location / {
|
||||
proxy_pass https://backend_api;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection 'upgrade';
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_cache_bypass $http_upgrade;
|
||||
proxy_read_timeout 60s;
|
||||
proxy_connect_timeout 60s;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user