Labs/kartoteka
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity

Обновление 1.0
Some checks failed
Build and Push Docker Image / test (push) Has been cancelled
Details
Build and Push Docker Image / build (push) Has been cancelled
Details

Browse Source
This commit is contained in:
brusnitsyn
2026-01-13 18:55:37 +09:00
parent 76c5f6705e
commit 7a10c7feba
2 changed files with 7 additions and 149 deletions
Download Patch File Download Diff File Expand all files Collapse all files

124
docker/app.conf
View File

@@ -4,26 +4,6 @@ map $remote_addr $blocked_ip {
include /etc/nginx/blocked_ips.map;
}
# Определяем типы запросов
map $request_uri $request_type {
default "general";
# API endpoints
~*^/api/ "api";
# Auth endpoints
~*^/(login|register|password-reset|auth|forgot-password|verify-email) "auth";
# Admin endpoints
~*^/(admin|dashboard|cp|control-panel|manager) "admin";
# Static files by extension
~*\.(jpg|jpeg|png|gif|ico|css|js|woff2?|ttf|eot|svg|pdf|zip|mp4|webm)$ "static";
# Static files by directory
~*^/(storage|uploads|media|images|css|js|fonts)/ "static";
}
server {
listen 80;
server_name _;
@@ -46,85 +26,11 @@ server {
return 444;
}
# Блокировка пустых User-Agent
if ($http_user_agent = "") {
return 444;
}
# Блокировка нестандартных методов
if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$) {
return 444;
}
# ========== ГЛОБАЛЬНЫЕ ОГРАНИЧЕНИЯ ==========
limit_conn conn_limit_per_ip 25;
limit_req zone=req_limit_per_ip burst=30 delay=15;
# ========== СТАТИЧЕСКИЕ ФАЙЛЫ ==========
location ~* \.(jpg|jpeg|png|gif|ico|webp|avif)$ {
limit_req zone=static_limit burst=100 nodelay;
limit_conn conn_limit_per_ip 100;
expires 1y;
add_header Cache-Control "public, immutable";
add_header Pragma "public";
try_files $uri =404;
access_log off;
log_not_found off;
}
location ~* \.(css|js)$ {
limit_req zone=static_limit burst=80 nodelay;
limit_conn conn_limit_per_ip 80;
expires 1y;
add_header Cache-Control "public, immutable";
add_header X-Content-Type-Options "nosniff";
try_files $uri =404;
access_log off;
}
location ~* \.(woff2?|ttf|eot|svg)$ {
limit_req zone=static_limit burst=60 nodelay;
limit_conn conn_limit_per_ip 60;
expires 1y;
add_header Cache-Control "public, immutable";
add_header Access-Control-Allow-Origin "*";
try_files $uri =404;
access_log off;
}
# ========== API ENDPOINTS ==========
location ~* ^/api/ {
limit_req zone=api_limit burst=30 delay=15;
limit_conn conn_limit_per_ip 30;
access_log /var/log/nginx/api_access.log main;
try_files $uri $uri/ /index.php?$query_string;
}
# ========== АУТЕНТИФИКАЦИЯ ==========
location ~* ^/(login|register|password-reset|auth|forgot-password|verify-email) {
limit_req zone=auth_limit burst=5 delay=3;
limit_conn conn_limit_per_ip 5;
access_log /var/log/nginx/auth_access.log main;
try_files $uri $uri/ /index.php?$query_string;
}
# ========== ОБРАБОТКА PHP ==========
location ~ \.php$ {
@@ -139,13 +45,13 @@ server {
fastcgi_index index.php;
# Оптимизация из основного конфига
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
fastcgi_busy_buffers_size 240k;
fastcgi_temp_file_write_size 256k;
fastcgi_buffers 64 64k;
fastcgi_buffer_size 128k;
fastcgi_busy_buffers_size 512k;
fastcgi_temp_file_write_size 612k;
# Таймауты
fastcgi_connect_timeout 60s;
fastcgi_connect_timeout 600s;
fastcgi_send_timeout 600s;
fastcgi_read_timeout 600s;
@@ -157,32 +63,12 @@ server {
# ========== ОСНОВНОЙ LOCATION ==========
location / {
if ($query_string ~* "(?:^|[^a-z])(?:union|select|insert|update|delete|drop|create|alter|exec)(?:[^a-z]|$)") {
return 444;
}
if ($request_uri ~ "//") {
return 444;
}
try_files $uri $uri/ /index.php?$query_string;
gzip_static on;
gzip_vary on;
}
# ========== HEALTH CHECK ==========
location = /health {
access_log off;
# Прямой прокси в Laravel
try_files $uri /index.php?$query_string;
add_header Cache-Control "no-store, no-cache, must-revalidate";
}
# ========== ЗАЩИТА ФАЙЛОВОЙ СИСТЕМЫ ==========
location ~ /\. {

32
docker/nginx.conf
View File

@@ -13,27 +13,8 @@ events {
http {
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=6r/s;
limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=3r/s;
limit_req_zone $binary_remote_addr zone=bot_limit:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=static_limit:10m rate=100r/s;
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;
map $http_user_agent $limit_bots {
default "";
~*(googlebot|bingbot|yandex|baiduspider) $binary_remote_addr;
}
limit_req_zone $limit_bots zone=bots:10m rate=20r/m;
limit_req_zone $request_method zone=post_limit:10m rate=5r/s;
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=40m use_temp_path=off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
@@ -62,17 +43,8 @@ http {
gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss
application/atom+xml image/svg+xml;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
log_format ddos_log '$remote_addr - [$time_local] "$request" $status '
'rate=$limit_req_status conn=$limit_conn_status '
'user_agent="$http_user_agent"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
limit_req_status 429;
limit_conn_status 429;