gru/linuxiarz_vps_angie
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

limit req

Browse Source
This commit is contained in:
Mateusz Gruszczyński
2025-11-17 08:10:58 +01:00
parent 24c11e8810
commit 9e67770ca3
10 changed files with 115 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
angie.conf
View File

@@ -54,6 +54,8 @@ http {
resolver 127.0.0.1 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 valid=10s status_zone=default_resolver; resolver 127.0.0.1 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 valid=10s status_zone=default_resolver;
resolver_timeout 2s; resolver_timeout 2s;
proxy_cache_path /var/lib/angie/cache/public levels=1:2 keys_zone=public-cache:100m max_size=2g inactive=12h use_temp_path=off;
# Brotli compression # Brotli compression
brotli on; brotli on;
brotli_static on; brotli_static on;
@@ -75,6 +77,10 @@ http {
gzip_min_length 1000; gzip_min_length 1000;
gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javasc gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javasc
# Proxy timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
# Load configs # Load configs
include /etc/angie/config/upstreams.conf; include /etc/angie/config/upstreams.conf;

78
sites-available/gitea.linuxiarz.pl.conf
View File

@@ -4,34 +4,94 @@ upstream gitea {
keepalive 16; keepalive 16;
} }
server { # limit req
limit_req_zone $binary_remote_addr zone=gitea_limit:10m rate=10r/s;
server {
listen 443 quic; listen 443 quic;
listen 443 ssl; listen 443 ssl;
http2 on; http2 on;
http3 on; http3 on;
ssl_protocols TLSv1.3; ssl_protocols TLSv1.3;
ssl_early_data on; ssl_early_data on;
add_header Alt-Svc 'h3=":$server_port"; ma=10000'; add_header Alt-Svc 'h3=":$server_port"; ma=10000';
server_name gitea.linuxiarz.pl; server_name gitea.linuxiarz.pl;
include config/wildcard.conf; include config/wildcard.conf;
# logging # Logging
access_log /var/log/angie/gitea.linuxiarz.pl.access.log; access_log /var/log/angie/gitea.linuxiarz.pl.access.log;
error_log /var/log/angie/gitea.linuxiarz.pl.error.log warn; error_log /var/log/angie/gitea.linuxiarz.pl.error.log warn;
status_zone gitea.linuxiarz.pl; status_zone gitea.linuxiarz.pl;
limit_req zone=gitea_limit burst=20 nodelay;
location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|svg|woff|woff2|ttf|eot)$ {
proxy_pass http://gitea;
include config/proxy.conf;
proxy_cache public-cache;
proxy_cache_valid 200 304 30d;
proxy_cache_valid 301 302 1h;
proxy_cache_valid any 1m;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_background_update on;
proxy_cache_lock on;
proxy_cache_revalidate on;
add_header Cache-Control "public, max-age=2592000, immutable";
add_header X-Cache-Status $upstream_cache_status;
expires 30d;
}
location ~ ^/(api|.*\.git) {
limit_req zone=gitea_limit burst=5 nodelay;
proxy_pass http://gitea;
include config/proxy.conf;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 600s;
}
location ~ ^/(avatars|attachments|repo-avatars) {
proxy_pass http://gitea;
include config/proxy.conf;
proxy_cache public-cache;
proxy_cache_valid 200 7d;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
add_header Cache-Control "public, max-age=604800";
add_header X-Cache-Status $upstream_cache_status;
}
location / { location / {
proxy_pass http://gitea; proxy_pass http://gitea;
include config/proxy.conf; include config/proxy.conf;
}
proxy_cache public-cache;
proxy_cache_valid 200 5m;
proxy_cache_bypass $cookie_i_like_gitea $arg_nocache;
proxy_no_cache $cookie_i_like_gitea;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
add_header X-Cache-Status $upstream_cache_status;
}
} }
# HTTP redirect # HTTP redirect
server { server {
listen 80; listen 80;
server_name gitea.linuxiarz.pl; server_name gitea.linuxiarz.pl;
location / { location / {

12
sites-available/linuxiarz.pl_new.conf
View File

@@ -10,13 +10,8 @@ upstream redirector_app {
keepalive 16; keepalive 16;
} }
# Cache (jak w oryginale) # limit req
proxy_cache_path /var/cache/angie/redirector limit_req_zone $binary_remote_addr zone=linuxiarz_limit:10m rate=10r/s;
levels=1:2
keys_zone=redirect_cache:10m
max_size=100m
inactive=24h
use_temp_path=off;
# HTTP -> HTTPS + normalizacja do www # HTTP -> HTTPS + normalizacja do www
server { server {
@@ -63,6 +58,9 @@ server {
error_log /var/log/angie/linuxiarz.pl.error.log warn; error_log /var/log/angie/linuxiarz.pl.error.log warn;
status_zone www.linuxiarz.pl_frontend; status_zone www.linuxiarz.pl_frontend;
limit_req zone=linuxiarz_limit burst=20 nodelay;
# Dozwolone metody # Dozwolone metody
if ($request_method !~ ^(GET|HEAD|POST)$) { if ($request_method !~ ^(GET|HEAD|POST)$) {
return 405; return 405;

15
sites-available/listapp.linuxiarz.pl.conf
View File

@@ -1,3 +1,12 @@
upstream lists_app {
zone lists_app 1m;
server 127.0.0.1:8283;
keepalive 16;
}
# limit req
limit_req_zone $binary_remote_addr zone=lists_app_limit:10m rate=30r/s;
server { server {
listen 443 quic; listen 443 quic;
listen 443 ssl; listen 443 ssl;
@@ -24,8 +33,10 @@ server {
return 301 https://listapp.linuxiarz.pl$request_uri; return 301 https://listapp.linuxiarz.pl$request_uri;
} }
limit_req zone=lists_app_limit burst=40 nodelay;
location / { location / {
proxy_pass http://127.0.0.1:6081/; proxy_pass http://varnish;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade; proxy_cache_bypass $http_upgrade;
@@ -51,7 +62,7 @@ server {
server_name listapp.linuxiarz.pl; server_name listapp.linuxiarz.pl;
location / { location / {
proxy_pass http://127.0.0.1:8283; proxy_pass http://lists_app;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

3
sites-available/pa.linuxiarz.pl.conf
View File

@@ -1,3 +1,5 @@
limit_req_zone $binary_remote_addr zone=pa_limit:10m rate=10r/s;
server { server {
listen 443 quic; listen 443 quic;
listen 443 ssl; listen 443 ssl;
@@ -18,6 +20,7 @@ server {
include config/security.conf; include config/security.conf;
status_zone pa.linuxiarz.pl; status_zone pa.linuxiarz.pl;
limit_req zone=pa_limit burst=20 nodelay;
# restrict methods # restrict methods
if ($request_method !~ ^(GET|POST)$) { if ($request_method !~ ^(GET|POST)$) {

4
sites-available/paste.linuxiarz.pl_varnish.conf
View File

@@ -1,4 +1,7 @@
limit_req_zone $binary_remote_addr zone=paste_limit:10m rate=10r/s;
server { server {
listen 8080; listen 8080;
server_name paste.linuxiarz.pl; server_name paste.linuxiarz.pl;
set $base /var/www/paste.linuxiarz.pl; set $base /var/www/paste.linuxiarz.pl;
@@ -52,6 +55,7 @@ server {
error_log /var/log/angie/paste.linuxiarz.pl.error.log warn; error_log /var/log/angie/paste.linuxiarz.pl.error.log warn;
status_zone paste.linuxiarz.pl_frontend; status_zone paste.linuxiarz.pl_frontend;
limit_req zone=paste_limit burst=20 nodelay;
location / { location / {
proxy_pass http://varnish/; proxy_pass http://varnish/;

5
sites-available/rspamd.linuxiarz.pl.conf
View File

@@ -1,3 +1,5 @@
limit_req_zone $binary_remote_addr zone=rspamd_limit:10m rate=10r/s;
server { server {
listen 443 quic; listen 443 quic;
listen 443 ssl; listen 443 ssl;
@@ -15,7 +17,8 @@ server {
include config/security.conf; include config/security.conf;
status_zone rspamd.linuxiarz.pl; status_zone rspamd.linuxiarz.pl;
limit_req zone=rspamd_limit burst=20 nodelay;
# restrict methods # restrict methods
if ($request_method !~ ^(GET|POST)$) { if ($request_method !~ ^(GET|POST)$) {
return '405'; return '405';

3
sites-available/sk.linuxiarz.pl.conf
View File

@@ -1,3 +1,5 @@
limit_req_zone $binary_remote_addr zone=sk_limit:10m rate=10r/s;
server { server {
listen 443 quic; listen 443 quic;
listen 443 ssl; listen 443 ssl;
@@ -17,6 +19,7 @@ server {
include config/security.conf; include config/security.conf;
status_zone sk.linuxiarz.pl; status_zone sk.linuxiarz.pl;
limit_req zone=sk_limit burst=20 nodelay;
# restrict methods # restrict methods
if ($request_method !~ ^(GET|POST)$) { if ($request_method !~ ^(GET|POST)$) {

3
sites-available/ts3stats.linuxiarz.pl.conf
View File

@@ -1,3 +1,5 @@
limit_req_zone $binary_remote_addr zone=ts3stats_limit:10m rate=10r/s;
server { server {
listen 443 quic; listen 443 quic;
listen 443 ssl; listen 443 ssl;
@@ -17,6 +19,7 @@ server {
include config/security.conf; include config/security.conf;
status_zone ts3stats.linuxiarz.pl; status_zone ts3stats.linuxiarz.pl;
limit_req zone=ts3stats_limit burst=20 nodelay;
# restrict methods # restrict methods
if ($request_method !~ ^(GET)$) { if ($request_method !~ ^(GET)$) {

5
sites-available/webmail.linuxiarz.pl.conf
View File

@@ -1,3 +1,7 @@
# limit req
limit_req_zone $binary_remote_addr zone=webmail_limit:10m rate=10r/s;
server { server {
listen 443 quic; listen 443 quic;
listen 443 ssl; listen 443 ssl;
@@ -24,6 +28,7 @@ server {
error_log /var/log/angie/webmail.linuxiarz.pl.error.log warn; error_log /var/log/angie/webmail.linuxiarz.pl.error.log warn;
status_zone webmail.linuxiarz.pl; status_zone webmail.linuxiarz.pl;
limit_req zone=webmail_limit burst=20 nodelay;
# index.php # index.php
index index.php; index index.php;