обновление конфигов nginx и docker

2025-12-19 17:01:47 +09:00
parent 9057d3e8ad
commit 2bafa7f073
5 changed files with 431 additions and 141 deletions
--- a/docker/app.conf
+++ b/docker/app.conf
@@ -0,0 +1,208 @@
+# Определяем переменную для блокировки
+map $remote_addr $blocked_ip {
+    default 0;
+    include /etc/nginx/blocked_ips.map;
+}
+
+# Определяем типы запросов
+map $request_uri $request_type {
+    default "general";
+
+    # API endpoints
+    ~*^/api/ "api";
+
+    # Auth endpoints
+    ~*^/(login|register|password-reset|auth|forgot-password|verify-email) "auth";
+
+    # Admin endpoints
+    ~*^/(admin|dashboard|cp|control-panel|manager) "admin";
+
+    # Static files by extension
+    ~*\.(jpg|jpeg|png|gif|ico|css|js|woff2?|ttf|eot|svg|pdf|zip|mp4|webm)$ "static";
+
+    # Static files by directory
+    ~*^/(storage|uploads|media|images|css|js|fonts)/ "static";
+}
+
+server {
+    listen 80;
+    server_name _;
+
+    root /var/www/public;
+    index index.php index.html;
+
+    # ========== ОСНОВНЫЕ НАСТРОЙКИ БЕЗОПАСНОСТИ ==========
+
+    # Защитные заголовки
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    # ========== ПРЕДВАРИТЕЛЬНЫЕ ПРОВЕРКИ ==========
+
+    # Если IP в черном списке
+    if ($blocked_ip) {
+        return 444;
+    }
+
+    # Блокировка пустых User-Agent
+    if ($http_user_agent = "") {
+        return 444;
+    }
+
+    # Блокировка нестандартных методов
+    if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$) {
+        return 444;
+    }
+
+    # ========== ГЛОБАЛЬНЫЕ ОГРАНИЧЕНИЯ ==========
+
+    limit_conn conn_limit_per_ip 25;
+    limit_req zone=req_limit_per_ip burst=30 delay=15;
+
+    # ========== СТАТИЧЕСКИЕ ФАЙЛЫ ==========
+
+    location ~* \.(jpg|jpeg|png|gif|ico|webp|avif)$ {
+        limit_req zone=static_limit burst=100 nodelay;
+        limit_conn conn_limit_per_ip 100;
+
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        add_header Pragma "public";
+
+        try_files $uri =404;
+
+        access_log off;
+        log_not_found off;
+    }
+
+    location ~* \.(css|js)$ {
+        limit_req zone=static_limit burst=80 nodelay;
+        limit_conn conn_limit_per_ip 80;
+
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        add_header X-Content-Type-Options "nosniff";
+
+        try_files $uri =404;
+
+        access_log off;
+    }
+
+    location ~* \.(woff2?|ttf|eot|svg)$ {
+        limit_req zone=static_limit burst=60 nodelay;
+        limit_conn conn_limit_per_ip 60;
+
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        add_header Access-Control-Allow-Origin "*";
+
+        try_files $uri =404;
+
+        access_log off;
+    }
+
+    # ========== API ENDPOINTS ==========
+
+    location ~* ^/api/ {
+        limit_req zone=api_limit burst=15 delay=8;
+        limit_conn conn_limit_per_ip 15;
+
+        access_log /var/log/nginx/api_access.log main;
+
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+
+    # ========== АУТЕНТИФИКАЦИЯ ==========
+
+    location ~* ^/(login|register|password-reset|auth|forgot-password|verify-email) {
+        limit_req zone=auth_limit burst=5 delay=3;
+        limit_conn conn_limit_per_ip 5;
+
+        access_log /var/log/nginx/auth_access.log main;
+
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+
+    # ========== ОБРАБОТКА PHP ==========
+
+    location ~ \.php$ {
+        # Дефолтные лимиты для всех PHP запросов
+        limit_req zone=req_limit_per_ip burst=20 delay=10;
+        limit_conn conn_limit_per_ip 20;
+
+        try_files $uri =404;
+
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass app:9000;
+        fastcgi_index index.php;
+
+        # Оптимизация из основного конфига
+        fastcgi_buffers 16 16k;
+        fastcgi_buffer_size 32k;
+        fastcgi_busy_buffers_size 240k;
+        fastcgi_temp_file_write_size 256k;
+
+        # Таймауты
+        fastcgi_connect_timeout 10s;
+        fastcgi_send_timeout 30s;
+        fastcgi_read_timeout 30s;
+
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+    }
+
+    # ========== ОСНОВНОЙ LOCATION ==========
+
+    location / {
+        # Блокировка сканирования
+        if ($request_uri ~* "(%0|%A|%0A|%0D|%0a|%0d)") {
+            return 444;
+        }
+
+        if ($query_string ~* "(union|select|insert|update|delete|drop|create|alter|exec)") {
+            return 444;
+        }
+
+        if ($request_uri ~ "//") {
+            return 444;
+        }
+
+        try_files $uri $uri/ /index.php?$query_string;
+
+        gzip_static on;
+        gzip_vary on;
+    }
+
+    # ========== HEALTH CHECK ==========
+
+    location = /health {
+        access_log off;
+
+        # Прямой прокси в Laravel
+        try_files $uri /index.php?$query_string;
+
+        add_header Cache-Control "no-store, no-cache, must-revalidate";
+    }
+
+    # ========== ЗАЩИТА ФАЙЛОВОЙ СИСТЕМЫ ==========
+
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
+    location ~* (\.env|\.git|\.svn|\.htaccess|composer\.json|composer\.lock) {
+        deny all;
+        return 404;
+    }
+
+    location ~* (eval|base64_encode|system\(|shell_exec|passthru|exec|phpinfo) {
+        deny all;
+        return 444;
+    }
+}
--- a/docker/blocked_ips.map
+++ b/docker/blocked_ips.map
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -1,20 +1,82 @@
-server {
-    listen 80;
-    index index.php index.html;
-    error_log  /var/log/nginx/error.log;
-    access_log /var/log/nginx/access.log;
-    root /var/www/public;
-    location ~ \.php$ {
-        try_files $uri =404;
-        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        fastcgi_pass app:9000;
-        fastcgi_index index.php;
-        include fastcgi_params;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO $fastcgi_path_info;
-    }
-    location / {
-        try_files $uri $uri/ /index.php?$query_string;
-        gzip_static on;
-    }
+user nginx;
+worker_processes auto;
+worker_rlimit_nofile 65535;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 4096;
+    use epoll;
+    multi_accept on;
+    accept_mutex_delay 100ms;
+}
+
+http {
+    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
+
+    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=6r/s;
+
+    limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=3r/s;
+
+    limit_req_zone $binary_remote_addr zone=bot_limit:10m rate=1r/s;
+
+    limit_req_zone $binary_remote_addr zone=static_limit:10m rate=100r/s;
+
+    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;
+
+    map $http_user_agent $limit_bots {
+        default "";
+        ~*(googlebot|bingbot|yandex|baiduspider) $binary_remote_addr;
+    }
+    limit_req_zone $limit_bots zone=bots:10m rate=20r/m;
+
+    limit_req_zone $request_method zone=post_limit:10m rate=5r/s;
+
+    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=40m use_temp_path=off;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    keepalive_requests 100;
+    types_hash_max_size 2048;
+    server_tokens off;
+    client_max_body_size 10m;
+    client_body_buffer_size 128k;
+
+    client_body_timeout 12;
+    client_header_timeout 12;
+    send_timeout 10;
+    reset_timedout_connection on;
+
+    client_header_buffer_size 1k;
+    large_client_header_buffers 4 8k;
+
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss
+               application/atom+xml image/svg+xml;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for" '
+                    'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
+
+    log_format ddos_log '$remote_addr - [$time_local] "$request" $status '
+                        'rate=$limit_req_status conn=$limit_conn_status '
+                        'user_agent="$http_user_agent"';
+
+    access_log /var/log/nginx/access.log main;
+    error_log /var/log/nginx/error.log warn;
+
+    limit_req_status 429;
+    limit_conn_status 429;
+
+    include /etc/nginx/conf.d/*.conf;
 }