nginx template ddos mitigation

tornado-stream.conf

@@ -1,7 +1,5 @@
 map $ssl_preread_server_name $name {
-    yourserver.com tornado_mainnet;
-
-    # default
+    yourdomain.com tornado_mainnet;
 
     default tornado_mainnet;
 }

tornado.conf

@@ -44,6 +44,11 @@ proxy_set_header X-Original-URI $request_uri;
 # Mitigate httpoxy attack (see README for details)
 proxy_set_header Proxy "";
 
+# Request rate limiting per second, 2Mb zone @ 5 requests per second
+limit_req_zone $binary_remote_addr zone=one:2m rate=5r/s;
+# Connections per IP limited to 2 
+limit_conn_zone $binary_remote_addr zone=two:2m;
+
 server {
 	server_name _; # This is just an invalid value which will never trigger on a real hostname.
 	server_tokens off;
@@ -55,16 +60,28 @@ server {
 server {
 	server_name yourdomain.com;
 
-	listen 80 ;
+	# Connection timeouts
+	client_body_timeout 10s;
+  client_header_timeout 10s;
+
+	listen 80;
 	access_log /var/log/nginx/access.log vhost;
 
-	# Do not HTTPS redirect Let'sEncrypt ACME challenge
+	# Do not HTTPS redirect LetsEncrypt ACME challenge
 	location ^~ /.well-known/acme-challenge/ {
-        proxy_pass  http://127.0.0.1:8000;
+    limit_req zone=one;
+    limit_conn two 1;
+
+    proxy_pass http://127.0.0.1:8000;
+
 		break;
 	}
 
 	location / {
+	  limit_req zone=one;
+    limit_conn two 1;
+
 		return 301 https://$host$request_uri;
 	}
+
 }