SPDT/sapl - sapl - Gitea: Git with a cup of tea

Commit Graph

Author	SHA1	Message	Date
Edward Ribeiro	de405161d9	fix: load ngx_http_lua_module.so dynamic module in nginx.conf continuous-integration/drone/push Build is passing Details libnginx-mod-http-lua is a dynamic module in Debian nginx; it must be explicitly loaded with load_module or Lua directives are unrecognized. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	6 days ago
Edward Ribeiro	b61bcdf496	fix: vendor lua-resty-redis; lua-resty-redis package absent from Debian Bookworm continuous-integration/drone/push Build is passing Details lua-resty-redis is an OpenResty library not packaged in Debian repos. Download resty_redis.lua from upstream and install it to /usr/lib/lua/resty/redis.lua at image build time. Update lua_package_path to match. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	6 days ago
Edward Ribeiro	af9c38f1ce	Fix: replace OpenResty with nginx + libnginx-mod-http-lua (arm64 compat) continuous-integration/drone/push Build is passing Details OpenResty has no arm64 packages for Debian Bookworm; the official repo only publishes amd64. Switch to Debian's own packages which support both architectures and avoid any external repo setup: nginx libnginx-mod-http-geoip2 libnginx-mod-http-lua lua-resty-redis GeoIP2 C module returns (same nginx version → compatible). ASN/UA blocking goes back to nginx if() blocks. blocklist.lua handles only the Redis checks (prefix shared dict + pipelined GET for global/API block keys). lua_package_path set to /usr/share/lua/5.1/ where Debian installs resty.*. All paths revert to /etc/nginx/; start.sh reverts to /usr/sbin/nginx. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	6 days ago
Edward Ribeiro	27c098acfd	Add OpenResty nginx layer for Redis-backed early IP rejection continuous-integration/drone/push Build is passing Details Replace nginx + libnginx-mod-http-geoip2 with OpenResty so that blocked IPs are rejected before reaching Gunicorn, saving worker CPU on DDoS. nginx layer (read-only, DB 1): - blocklist.lua: UA check (nginx map var), ASN check (lua-resty-maxminddb, replaces geoip2 C module), IP-prefix check (shared dict refreshed every 60s, 4-candidate O(1) lookup), pipelined GET for global IP block and per-tenant API block. Parses REDIS_URL. Fail-open on Redis error. - lua_shared_dict ip_prefix_blocked 1m: in-process prefix cache. - init_by_lua_block: opens MaxMind ASN DB once in master process. - init_worker_by_lua_block: refreshes prefix SET from Redis every 60s. Django (ratelimit.py): - _refresh_ip_prefix_blocklist: normalises entries to trailing-dot form on load so per-request checks are O(1) set membership, not iteration. - _is_ip_prefix_blocked: 4-candidate check (p1., p1.p2., p1.p2.p3., ip) against the local set; same 60s refresh cadence as before. Capacity (1,200 tenants, single Redis): - Django pool: max_connections 6 → 3 (7,200 peak connections). - nginx keepalive pool: 1 connection/worker (4,800 peak connections). - Total: ~12,200 connections — 39% headroom under maxclients 20,000. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	6 days ago
Edward Ribeiro	d0b8ff3544	Align nginx rate limit zones with Django rate limiter thresholds - sapl_general: 90 → 120r/m (matches RATE_LIMITER_RATE anon 120/m) - sapl_media: 180 → 240r/m (matches RATE_LIMITER_RATE_AUTHENTICATED 240/m) - sapl_api: 60 → 120r/m (matches API_RATE_LIMIT_THRESHOLD 120/m) - Set limit_req_log_level warn to reduce error log noise from burst rejections Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	1 month ago
Edward Ribeiro	d4738a20a9	Raise rate limits and split nginx zones for legitimate traffic SAPL pages fire 12-45 parallel requests; the old 30r/m nginx zone and 35/m Django threshold blocked normal navigation. Key changes: nginx (nginx.conf / sapl.conf / start.sh): - Split sapl_general (30r/m) into four dedicated zones: sapl_general 90r/m burst=180 (HTML pages) sapl_media 180r/m burst=180 (/media/ — own bucket, no longer drains general) sapl_api 60r/m burst=120 (/api/ — quota layer is the real constraint) sapl_heavy 10r/m burst=20 (/relatorios/ — unchanged, nodelay kept) - /media/ and /api/ location blocks now reference their own zones Django (settings.py): - RATE_LIMITER_RATE: 35/m → 120/m - RATE_LIMITER_RATE_AUTHENTICATED: 120/m → 240/m - RATE_LIMIT_404_THRESHOLD: 10 → 20 - API_QUOTA_ANON_DAILY: 50 → 500 / weekly 350 → 3500 - API_QUOTA_AUTH_DAILY: 1000 → 5000 / weekly 7000 → 35000 Middleware (ratelimit.py): - Authenticated users no longer receive a persistent 300s block key on rate breach — they get 429 for the over-limit request and the window resets naturally after 60s. A 5-minute lockout is wrong for a logged-in user who clicked too fast. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2 months ago
Edward Ribeiro	8386bef3fc	Phase 4: anonymous page caching via AnonCachePageMixin Add AnonCachePageMixin (sapl/middleware/page_cache.py) that stores full view responses in the default Redis cache for anonymous (unauthenticated) GET requests only. Authenticated users always bypass the cache so CSRF tokens and user-specific UI controls are never served stale. Applied to: - ParlamentarCrud.ListView / DetailView — TTL 600 s (changes each term) - AudienciaCrud.ListView — TTL 120 s (hearings added infrequently) - ComissaoCrud.ListView — TTL 300 s (committees change rarely) Also: - Add PAGE_CACHE_TTL_LIST/DETAIL/STABLE settings (env-configurable) - Add bingbot + SERankingBacklinksBot to nginx UA blocklist (were already in BOT_UA_FRAGMENTS / robots.txt; nginx map was the only gap) - Remove unused ratelimit/method_decorator/RATE_LIMITER_RATE imports from audiencia/views.py that crept in during Phase 2 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2 months ago
Edward Ribeiro	8df2861799	Phase 0 hardening: nginx GeoIP2, rate limits, Gunicorn tuning, N+1 fix - nginx: sendfile on, tcp_nopush, reduced keepalive/proxy timeouts - nginx: GeoIP2 ASN-based bot blocking (cloud providers + known scrapers) - nginx: UA blocklist (GPTBot, ClaudeBot, Chrome/98.0.4758 impersonator, etc.) - nginx: rate-limit zones (30r/m general, 10r/m heavy/relatorios), 429/500 error pages - nginx: proper ETags + Cache-Control on /media/ to stop 30GB logo re-transfers - Dockerfile: install libnginx-mod-http-geoip2; download GeoLite2-ASN.mmdb via BuildKit secret (key never baked into image layers); ARG GEOIP_CACHE_BUST for forced re-download without --no-cache - Gunicorn: workers 3->2, threads 8->4, timeout 300->120, max_memory 300->400MB - Django: FILE_UPLOAD_MAX_MEMORY_SIZE=2MB, FILE_UPLOAD_TEMP_DIR for large uploads - relatorios/views.py: fix N+1 in get_etiqueta_protocolos with bulk-fetch MateriaLegislativa + DocumentoAdministrativo using select_related + dict lookups - Add robots.txt, 429.html, 500.html static pages - docker-compose.yaml: use sapl:local for local dev - docker/README.md: build instructions with MAXMIND_LICENSE_KEY - rate-limiter-v2.md: canonical planning document (Architecture through Phase 5) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2 months ago
Edward	6ac5e419e3	Atualização da imagem base Docker (#3787 ) Update de imagem based Docker and libs Python Co-authored-by: Edward <9326037+edwardoliveira@users.noreply.github.com>	10 months ago
Leandro Roberto	c8a24c11b6	HOT-FIX: Corrige constr de contexto na anex de mat - Remove a analise de vínculos cíclicos na construção inicial do form do filterset. - O item anterior deve resolver o timeout causado na abertura da anexação em lote, no entanto os timeouts do nginx e gunicorn foram aumentados.	5 years ago
Vinícius Cantuária	6c757b2dfe	Ativa compressão gzip (#3283 ) Corrige MIME type de arquivos Compacta as imagens mantendo as qualidades	6 years ago
Edward	f704795a7e	Refatora arquivos Docker (#3264 ) * Refatora arquivos Docker * Conserta runtime * Retorna CI antigo Co-authored-by: eribeiro <edwardr@senado.leg.br>	6 years ago
Fábio Kaiser Rauber	ba8bc9ea75	Nginx is now part of SAPL container	9 years ago

12 Commits (de405161d9d7fcb99bc4c49ab68ee9dd5135be8b)