flights_web

gnezim/flights_web

Fork 0

Commit Graph

Author	SHA1	Message	Date
gnezim	39ade0102a	ci: validate /api dictionary bodies in pre-warm + nginx cache hardening Run 544 failed because the /api/dictionary/* nginx cache had been poisoned with the upstream WAF's HTML block page (HTTP 200 + text/html, "Доступ к сайту временно ограничен"). The previous pre-warm step only checked %{http_code}, so the WAF response looked valid and got cached for the full 6h TTL — every subsequent SSR render then resolved city names via that HTML, breadcrumbs showed raw IATA codes, and 7 schedule e2e specs failed. Three changes that together close this hole: 1. ci-deploy pre-warm: two-step warm with body validation. Step 1 is a cache-bust query (?_=ns timestamp) that proves upstream is healthy independent of nginx cache. Step 2 fetches the canonical URL and validates the response is JSON (starts with [/{ and is >1KB). If the canonical body is HTML, retry once with `Cache-Control: no-cache` to force a fresh upstream fetch (works once the matching nginx config below is deployed); if still HTML, fail loudly with a manual-purge instruction so the operator can rm the cache files. 2. nginx /api/dictionary/ location: add `proxy_cache_bypass $http_cache_control` so the CI workflow can force-refresh on demand, and `proxy_no_cache $no_cache_html` so HTML responses are never stored in the first place. 3. flights-api-cache.conf: add `map $upstream_http_content_type $no_cache_html` that flips to "1" when upstream returns text/html. Drives the `proxy_no_cache` filter above. Note: the nginx changes only take effect after setup-pve201.sh is re-run on pve-201. Until then, any cache poisoning still stays poisoned until the 6h TTL expires (or manual purge).	2026-04-28 11:58:04 +03:00
gnezim	b0e9aafed2	WAF rate-limit mitigation: nginx /api cache + Playwright throttle (A) Add proxy_cache zone for ui-dashboard.gnerim.ru. /api/ caches 200 for 1m, /map/api/ for 24h. proxy_cache_use_stale serves cached content during upstream errors (incl. 403 from WAF rate limit). proxy_cache_lock collapses concurrent fetches for the same URI. Cache zone declared in conf.d/ (must be in http{} context). (B) Playwright workers=2, retries=2 in CI. Cuts the parallel burst that trips the WAF before nginx cache warms up; retries handle the residual flake. setup-pve201.sh now installs the conf.d cache file and pre-creates the cache dir with nginx-user ownership.	2026-04-27 16:40:44 +03:00

Author

SHA1

Message

Date

gnezim

39ade0102a

ci: validate /api dictionary bodies in pre-warm + nginx cache hardening

Run 544 failed because the /api/dictionary/* nginx cache had been
poisoned with the upstream WAF's HTML block page (HTTP 200 + text/html,
"Доступ к сайту временно ограничен"). The previous pre-warm step only
checked %{http_code}, so the WAF response looked valid and got cached
for the full 6h TTL — every subsequent SSR render then resolved city
names via that HTML, breadcrumbs showed raw IATA codes, and 7 schedule
e2e specs failed.

Three changes that together close this hole:

1. ci-deploy pre-warm: two-step warm with body validation. Step 1 is
a cache-bust query (?_=ns timestamp) that proves upstream is healthy
independent of nginx cache. Step 2 fetches the canonical URL and
validates the response is JSON (starts with [/{ and is >1KB). If
the canonical body is HTML, retry once with `Cache-Control:
no-cache` to force a fresh upstream fetch (works once the matching
nginx config below is deployed); if still HTML, fail loudly with a
manual-purge instruction so the operator can rm the cache files.

2. nginx /api/dictionary/ location: add `proxy_cache_bypass
$http_cache_control` so the CI workflow can force-refresh on demand,
and `proxy_no_cache $no_cache_html` so HTML responses are never
stored in the first place.

3. flights-api-cache.conf: add `map $upstream_http_content_type
$no_cache_html` that flips to "1" when upstream returns text/html.
Drives the `proxy_no_cache` filter above.

Note: the nginx changes only take effect after setup-pve201.sh is
re-run on pve-201. Until then, any cache poisoning still stays poisoned
until the 6h TTL expires (or manual purge).

2026-04-28 11:58:04 +03:00

gnezim

b0e9aafed2

WAF rate-limit mitigation: nginx /api cache + Playwright throttle

(A) Add proxy_cache zone for ui-dashboard.gnerim.ru. /api/ caches 200 for
1m, /map/api/ for 24h. proxy_cache_use_stale serves cached content during
upstream errors (incl. 403 from WAF rate limit). proxy_cache_lock collapses
concurrent fetches for the same URI. Cache zone declared in conf.d/ (must
be in http{} context).

(B) Playwright workers=2, retries=2 in CI. Cuts the parallel burst that
trips the WAF before nginx cache warms up; retries handle the residual
flake.

setup-pve201.sh now installs the conf.d cache file and pre-creates the
cache dir with nginx-user ownership.

2026-04-27 16:40:44 +03:00

2 Commits