enable nginx bot blocker #28

wants to merge 5 commits into
base: main
103 changes: 101 additions & 2 deletions ops/production-deploy.tmpl.yaml
Expand Up @@ -55,7 +55,7 @@ ingress:
- secretName: wildcard-tls-secret
hosts:
- '*.hykuup.com'

extraEnvVars: &envVars
- name: BUNDLE_LOCAL__HYKU_KNAPSACK
value: /app/samvera
Expand Down Expand Up @@ -269,7 +269,106 @@ externalSolrHost: solr.solr.svc.cluster.local
externalSolrUser: admin
externalSolrCollection: "hykuup-hyku"

global:
hyraxName: hykuup-knapsack-production-hyrax

nginx:
enabled: false
service:
port: 80
type: ClusterIP
enabled: true
image:
registry: registry.gitlab.com
repository: notch8/scripts/bitnami-nginx
tag: 1.21.5-debian-10-r7
serverBlock: |-
upstream rails_app {
server {{ .Values.global.hyraxName }};
}
map ${DOLLAR}status ${DOLLAR}loggable {
~^444 0;
default 1;
}
log_format loki 'host=${DOLLAR}host ip=${DOLLAR}http_x_forwarded_for remote_user=${DOLLAR}remote_user [${DOLLAR}time_local] '
'request="${DOLLAR}request" status=${DOLLAR}status bytes=${DOLLAR}body_bytes_sent '
'referer="${DOLLAR}http_referer" agent="${DOLLAR}http_user_agent" request_time=${DOLLAR}request_time upstream_response_time=${DOLLAR}upstream_response_time upstream_response_length=${DOLLAR}upstream_response_length';
error_log /opt/bitnami/nginx/logs/error.log warn;
#tcp_nopush on;
# Cloudflare ips see for refresh
# https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs-logging-visitor-IP-addresses
# update list https://www.cloudflare.com/ips/
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /opt/bitnami/nginx/conf/conf.d/*.conf;
server {
listen 8080;
server_name _;
root /app/samvera/hyrax-webapp/public;
index index.html;
client_body_in_file_only clean;
client_body_buffer_size 32K;
client_max_body_size 0;
access_log /opt/bitnami/nginx/logs/access.log loki;
# if=${DOLLAR}loggable;
sendfile on;
send_timeout 300s;
include /opt/bitnami/nginx/conf/bots.d/ddos.conf;
include /opt/bitnami/nginx/conf/bots.d/blockbots.conf;
location ~ (\.php|\.aspx|\.asp) {
return 404;
}
# deny requests for files that should never be accessed
location ~ /\. {
deny all;
}
location ~* ^.+\.(rb|log)${DOLLAR} {
deny all;
}
# serve static (compiled) assets directly if they exist (for rails production)
location ~ ^/(assets|packs|fonts|images|javascripts|stylesheets|swfs|system)/ {
try_files ${DOLLAR}uri @rails;
# access_log off;
gzip_static on; # to serve pre-gzipped version
expires max;
add_header Cache-Control public;
# Some browsers still send conditional-GET requests if there's a
# Last-Modified header or an ETag header even if they haven't
# reached the expiry date sent in the Expires header.
add_header Last-Modified "";
add_header ETag "";
break;
}
# send non-static file requests to the app server
location / {
try_files ${DOLLAR}uri @rails;
}
location @rails {
proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
proxy_set_header Host ${DOLLAR}http_host;
proxy_redirect off;
proxy_pass http://rails_app;
}
}
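Review bot: The `set_real_ip_from` allowlist in the serverBlock trusts only Cloudflare ranges, yet the same values file configures a Kubernetes `ingress:` (first hunk, wildcard TLS secret), so if requests reach this nginx through the ingress controller rather than directly from Cloudflare, the controller's address is not trusted, `real_ip_recursive on` stops at that first hop, and `${DOLLAR}remote_addr`, the `loki` log format and any per-client decisions made by the included `bots.d/ddos.conf` / `blockbots.conf` will all see the ingress address instead of the client — effectively disabling the blocker for the whole site or blocking everyone at once. Which of the two paths applies is not visible in the hunk, so either add the in-cluster hop as a trusted source, e.g. `set_real_ip_from <INGRESS_SOURCE_CIDR_PLACEHOLDER>;` next to the Cloudflare entries, or do real-IP resolution at the ingress layer and trust only it here, and record the assumption in a comment such as `# trusted list must match the actual proxy chain (Cloudflare -> ingress -> this pod)` above the list. Relatedly, the `@rails` location forwards `X-Real-IP`, `X-Forwarded-For` and `Host` but not the scheme, so the app cannot tell it was reached over TLS; consider `proxy_set_header X-Forwarded-Proto ${DOLLAR}http_x_forwarded_proto;` alongside the existing headers. Finally, `client_max_body_size 0` together with `client_body_in_file_only clean` spools unbounded request bodies to the pod's disk; if unlimited uploads are intentional for Hyrax ingest, a comment saying so and naming the volume this lands on would help the next reviewer, otherwise a finite limit is the safer default. The `enabled: false` / `enabled: true` pair under `nginx:` appears to be the old/new rendering of one changed line; if both actually survive in the template it is a duplicate key and the last value silently wins.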