# ограничение методов авторизации по логину пароли и sso на ip-адрес клиента limit_req_zone $binary_remote_addr zone=perip_login:10m rate=1r/s; # ограничение вызова методов восстановления пароля и проверки токена авторизации limit_req_zone $binary_remote_addr zone=perip_pass_recover:10m rate=1r/m; # ограничение методов авторизации, действующее на весь сервер limit_req_zone $server_name zone=perserver_auth:10m rate=10r/s; # поддержка web socket соединений map $http_upgrade $connection_upgrade { default upgrade; "" close; } # для jasperserver разрешить подчеркивания в заголовках запросов underscores_in_headers on; # ограничение на объем тела типичного запроса клиента client_max_body_size 20m; upstream restservices { server restservices:8080; } server { listen 80; gzip on; gzip_min_length 256; gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon; gzip_proxied any; # ===== BEGIN REDIRECT BLOCK ===== if ($scheme != "http") { return 301 http://$host$request_uri; } # ===== END REDIRECT BLOCK ===== # ===== BEGIN ERROR HANDLING BLOCK ===== error_page 502 503 @503; location @503 { root /var/www/semux-error-pages; try_files /503.html =503; internal; } # ===== END ERROR HANDLING BLOCK ===== # ------------------------------------------------------------ # ===== BEGIN MAIN LOCATION BLOCK ===== root /var/www/semux; index index.html; include /etc/nginx/mime.types; location @semona { proxy_pass http://restservices; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 15m; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } location /sem-restservices { try_files $uri @semona; } location / { try_files $uri $uri/ /index.html; } # ===== END MAIN LOCATION BLOCK ===== # ===== BEGIN SPECIAL LOCATIONS BLOCK ===== location /sem-restservices/db/expimp { client_max_body_size 32m; try_files $uri @semona; } # ограничение интенсивности запросов авторизации location /sem-restservices/auth/login { limit_req zone=perip_login burst=20 nodelay; limit_req zone=perserver_auth burst=20 nodelay; proxy_pass http://restservices; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /sem-restservices/auth/sso { limit_req zone=perip_login burst=20 nodelay; limit_req zone=perserver_auth burst=20 nodelay; proxy_pass http://restservices; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /sem-restservices/auth/recovery_password { limit_req zone=perip_pass_recover burst=5 nodelay; limit_req zone=perserver_auth burst=5 nodelay; proxy_pass http://restservices; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /sem-restservices/auth/reset_password { limit_req zone=perip_pass_recover burst=5 nodelay; limit_req zone=perserver_auth burst=5 nodelay; proxy_pass http://restservices; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /sem-restservices/auth/check_code { limit_req zone=perip_pass_recover burst=5 nodelay; limit_req zone=perserver_auth burst=5 nodelay; proxy_pass http://restservices; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # ===== END SPECIAL LOCATIONS BLOCK ===== # ------------------------------------------------------------ }