From 7a10c7feba8876eb6a40f0bfec8e3ed46989abc4 Mon Sep 17 00:00:00 2001 From: brusnitsyn Date: Tue, 13 Jan 2026 18:55:37 +0900 Subject: [PATCH] =?UTF-8?q?=D0=9E=D0=B1=D0=BD=D0=BE=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=D0=B8=D0=B5=201.0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docker/app.conf | 124 ++-------------------------------------------- docker/nginx.conf | 32 +----------- 2 files changed, 7 insertions(+), 149 deletions(-) diff --git a/docker/app.conf b/docker/app.conf index cf60464..25cb320 100644 --- a/docker/app.conf +++ b/docker/app.conf @@ -4,26 +4,6 @@ map $remote_addr $blocked_ip { include /etc/nginx/blocked_ips.map; } -# Определяем типы запросов -map $request_uri $request_type { - default "general"; - - # API endpoints - ~*^/api/ "api"; - - # Auth endpoints - ~*^/(login|register|password-reset|auth|forgot-password|verify-email) "auth"; - - # Admin endpoints - ~*^/(admin|dashboard|cp|control-panel|manager) "admin"; - - # Static files by extension - ~*\.(jpg|jpeg|png|gif|ico|css|js|woff2?|ttf|eot|svg|pdf|zip|mp4|webm)$ "static"; - - # Static files by directory - ~*^/(storage|uploads|media|images|css|js|fonts)/ "static"; -} - server { listen 80; server_name _; @@ -46,85 +26,11 @@ server { return 444; } - # Блокировка пустых User-Agent - if ($http_user_agent = "") { - return 444; - } - - # Блокировка нестандартных методов - if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$) { - return 444; - } - # ========== ГЛОБАЛЬНЫЕ ОГРАНИЧЕНИЯ ========== limit_conn conn_limit_per_ip 25; limit_req zone=req_limit_per_ip burst=30 delay=15; - # ========== СТАТИЧЕСКИЕ ФАЙЛЫ ========== - - location ~* \.(jpg|jpeg|png|gif|ico|webp|avif)$ { - limit_req zone=static_limit burst=100 nodelay; - limit_conn conn_limit_per_ip 100; - - expires 1y; - add_header Cache-Control "public, immutable"; - add_header Pragma "public"; - - try_files $uri =404; - - access_log off; - log_not_found off; - } - - location ~* \.(css|js)$ { - limit_req zone=static_limit burst=80 nodelay; - limit_conn conn_limit_per_ip 80; - - expires 1y; - add_header Cache-Control "public, immutable"; - add_header X-Content-Type-Options "nosniff"; - - try_files $uri =404; - - access_log off; - } - - location ~* \.(woff2?|ttf|eot|svg)$ { - limit_req zone=static_limit burst=60 nodelay; - limit_conn conn_limit_per_ip 60; - - expires 1y; - add_header Cache-Control "public, immutable"; - add_header Access-Control-Allow-Origin "*"; - - try_files $uri =404; - - access_log off; - } - - # ========== API ENDPOINTS ========== - - location ~* ^/api/ { - limit_req zone=api_limit burst=30 delay=15; - limit_conn conn_limit_per_ip 30; - - access_log /var/log/nginx/api_access.log main; - - try_files $uri $uri/ /index.php?$query_string; - } - - # ========== АУТЕНТИФИКАЦИЯ ========== - - location ~* ^/(login|register|password-reset|auth|forgot-password|verify-email) { - limit_req zone=auth_limit burst=5 delay=3; - limit_conn conn_limit_per_ip 5; - - access_log /var/log/nginx/auth_access.log main; - - try_files $uri $uri/ /index.php?$query_string; - } - # ========== ОБРАБОТКА PHP ========== location ~ \.php$ { @@ -139,13 +45,13 @@ server { fastcgi_index index.php; # Оптимизация из основного конфига - fastcgi_buffers 16 16k; - fastcgi_buffer_size 32k; - fastcgi_busy_buffers_size 240k; - fastcgi_temp_file_write_size 256k; + fastcgi_buffers 64 64k; + fastcgi_buffer_size 128k; + fastcgi_busy_buffers_size 512k; + fastcgi_temp_file_write_size 612k; # Таймауты - fastcgi_connect_timeout 60s; + fastcgi_connect_timeout 600s; fastcgi_send_timeout 600s; fastcgi_read_timeout 600s; @@ -157,32 +63,12 @@ server { # ========== ОСНОВНОЙ LOCATION ========== location / { - - if ($query_string ~* "(?:^|[^a-z])(?:union|select|insert|update|delete|drop|create|alter|exec)(?:[^a-z]|$)") { - return 444; - } - - if ($request_uri ~ "//") { - return 444; - } - try_files $uri $uri/ /index.php?$query_string; gzip_static on; gzip_vary on; } - # ========== HEALTH CHECK ========== - - location = /health { - access_log off; - - # Прямой прокси в Laravel - try_files $uri /index.php?$query_string; - - add_header Cache-Control "no-store, no-cache, must-revalidate"; - } - # ========== ЗАЩИТА ФАЙЛОВОЙ СИСТЕМЫ ========== location ~ /\. { diff --git a/docker/nginx.conf b/docker/nginx.conf index f9a1903..9928b8a 100644 --- a/docker/nginx.conf +++ b/docker/nginx.conf @@ -13,27 +13,8 @@ events { http { limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m; - - limit_req_zone $binary_remote_addr zone=api_limit:10m rate=6r/s; - - limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=3r/s; - - limit_req_zone $binary_remote_addr zone=bot_limit:10m rate=1r/s; - - limit_req_zone $binary_remote_addr zone=static_limit:10m rate=100r/s; - limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s; - map $http_user_agent $limit_bots { - default ""; - ~*(googlebot|bingbot|yandex|baiduspider) $binary_remote_addr; - } - limit_req_zone $limit_bots zone=bots:10m rate=20r/m; - - limit_req_zone $request_method zone=post_limit:10m rate=5r/s; - - proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=40m use_temp_path=off; - include /etc/nginx/mime.types; default_type application/octet-stream; @@ -62,17 +43,8 @@ http { gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for" ' - 'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'; - - log_format ddos_log '$remote_addr - [$time_local] "$request" $status ' - 'rate=$limit_req_status conn=$limit_conn_status ' - 'user_agent="$http_user_agent"'; - - access_log /var/log/nginx/access.log main; - error_log /var/log/nginx/error.log warn; + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; limit_req_status 429; limit_conn_status 429;