From 2c3c7b2221ccc9bd45b36851a0eceb1119c81433 Mon Sep 17 00:00:00 2001
From: Naramsim
Date: Fri, 9 Feb 2024 19:34:47 +0100
Subject: [PATCH 1/2] chore: tweak nginx conf
---
 Resources/nginx/nginx.conf | 52 +++++++++++++++++++++++---------------
 1 file changed, 31 insertions(+), 21 deletions(-)
diff --git a/Resources/nginx/nginx.conf b/Resources/nginx/nginx.conf
index 19797b04..0ce02689 100644
--- a/Resources/nginx/nginx.conf
+++ b/Resources/nginx/nginx.conf
@@ -2,26 +2,32 @@ worker_processes 1;
 events {
 worker_connections 1024;
- multi_accept on; # accept each connection as soon as you can
+ multi_accept on;
 accept_mutex off;
 use epoll;
 }
 http {
- include mime.types;
- default_type application/octet-stream;
+ access_log off;
+ log_format pokeapilogformat
+ '$remote_addr '
+ '"$request" $status cs:$upstream_cache_status s:$bytes_sent '
+ 'r:"$http_referer"';
+ error_log /dev/stdout warn;
+ include mime.types;
+ default_type application/octet-stream;
- server_tokens off; # dont send unnecessary server info (like version)
+ server_tokens off;
- add_header X-XSS-Protection "1; mode=block"; # prevent XSS
+ add_header X-XSS-Protection "1; mode=block";
- client_body_buffer_size 10K; # raise the threshold by which requests are written to HDD instead of RAM
- client_header_buffer_size 2k;
- client_max_body_size 8m; # we dont accept requests larger that 8mb
+ client_body_buffer_size 10K;
+ client_header_buffer_size 1k;
+ client_max_body_size 8m;
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
 keepalive_timeout 5;
@@ -47,6 +53,16 @@ http {
 192.168.0.0/24 0;
 }
+ map $http_user_agent $exclude_ua {
+ "~*monitoring*" 0;
+ default 1;
+ }
+ map $request_method $only_post {
+ default 0;
+ POST $exclude_ua;
+ }
 map $limit $limit_key {
 0 "";
 1 $binary_remote_addr;
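Review bot: The `add_header X-XSS-Protection "1; mode=block";` kept in the `http` block is not delivered on the API paths, because nginx only inherits `add_header` from the parent level when the current level defines none, and the `/graphql/admin/`, `/graphql/v1beta` and `/api/` locations in the later hunks each carry their own `add_header` lines. The header is also deprecated — mainstream browsers have removed the auditor it controls — so either repeat it per location or drop it and rely on a Content-Security-Policy instead. Separately, `error_log /dev/stdout warn;` puts errors on the same descriptor as the access log that the `/graphql/v1beta` hunk adds; `error_log /dev/stderr warn;` keeps the two streams separable by a container log driver. The `http` block continues past the end of this hunk.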
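Review bot: The `$exclude_ua` map lets any client opt out of access logging by putting `monitoring` in its User-Agent, since that header is entirely client-controlled and `~*` matches it anywhere in the string, case-insensitively; someone probing `/graphql/v1beta` can spoof the monitor's UA and leave no trace. If the monitor comes from a fixed source, key the exclusion on the client address instead (the `192.168.0.0/24 0;` context above shows the file already has an address-based map), or at least require both conditions. Also, the trailing `*` in `"~*monitoring*"` is a regex quantifier on the final `g`, not a wildcard, so the pattern also matches `monitorin`; `"~*monitoring" 0;` is what is intended. Both maps are complete within this hunk.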
@@ -69,7 +85,7 @@ http {
 # Admin console
 location /graphql/admin/ {
- expires 1m; # client-side caching, one minute for each API resource
+ expires 1m;
 add_header Cache-Control "public";
 add_header Pragma public;
 proxy_http_version 1.1;
@@ -89,21 +105,15 @@ http {
 }
 location /graphql/v1beta {
+ access_log /dev/stdout pokeapilogformat if=$only_post;
 include /ssl/cache.conf*;
- # proxy_cache small;
- # proxy_cache_valid 200 10d;
- # proxy_cache_valid any 0;
- # proxy_cache_methods POST;
- # proxy_cache_key "$request_method$request_uri$request_body";
 limit_req zone=graphqlDefaultLimit burst=100 nodelay;
 limit_req_status 429;
- expires 30m; # client-side caching, one minute for each API resource
+ expires 30m;
 add_header Cache-Control "public";
 add_header Pragma public;
- # add_header X-Proxy-Cache $upstream_cache_status;
 proxy_hide_header Access-Control-Allow-Origin;
 add_header Access-Control-Allow-Origin *;
- # add_header X-Cache-Date $upstream_http_date;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
@@ -115,7 +125,7 @@ http {
 }
 location /api/ {
- expires 1m; # client-side caching, one minute for each API resource
+ expires 1m;
 add_header Cache-Control "public";
 add_header Pragma public;
 proxy_set_header X-Real-IP $remote_addr;
From 16f5cd4d7559b035ac1aee35ca1df508ab8b15c5 Mon Sep 17 00:00:00 2001
From: Naramsim
Date: Fri, 9 Feb 2024 19:48:52 +0100
Subject: [PATCH 2/2] chore: add logging
---
 Resources/compose/docker-compose-prod-graphql.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Resources/compose/docker-compose-prod-graphql.yml b/Resources/compose/docker-compose-prod-graphql.yml
index a4670a12..9e868228 100644
--- a/Resources/compose/docker-compose-prod-graphql.yml
+++ b/Resources/compose/docker-compose-prod-graphql.yml
@@ -13,6 +13,8 @@ services:
 web:
 volumes:
 - graphiql:/public-console:ro
+ logging:
+ driver: gcplogs
 graphql-engine:
 cpus: 0.7
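Review bot: `access_log /dev/stdout pokeapilogformat if=$only_post;` records only POST requests, so GET, OPTIONS or any other probe against `/graphql/v1beta` — including non-POST requests rejected with the 429 from `limit_req` just below — leaves no access-log entry at all, which is the opposite of what an incident responder wants from this endpoint. If suppressing non-POST traffic is deliberate (health checks, for instance), say so next to the directive, e.g. `# only POST is logged; non-POST hits here are expected to be health checks`; otherwise log every method and filter downstream. The `$only_post` wiring itself is sound, since `if=` treats the map's `"0"` and an empty value as false. The `location /graphql/v1beta` block continues past the end of this hunk.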
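Review bot: Only the `web` service receives `logging: driver: gcplogs`; the `graphql-engine` service whose header closes the hunk keeps the default driver, so its logs stay on the host while nginx's go to Cloud Logging — confirm that split is intended, and if it is, a one-line comment above `logging:` saying so would help the next reader. The driver is given no `options:`, so log name, labels and retention fall back to daemon defaults, and with the previous patch the nginx access log now carries `$remote_addr` and `$http_referer`, so client addresses will be shipped to GCP and should be covered by whatever data-retention policy applies. In my experience `gcplogs` also needs credentials reachable by the Docker daemon (instance metadata, `gcp-credentials` or `GOOGLE_APPLICATION_CREDENTIALS`) and the container fails to start without them, so if this compose file is ever run outside GCE the driver belongs in an override file rather than the base definition.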