From ed5d99cf440dfe0394b425d5f685b43f76cac0ca Mon Sep 17 00:00:00 2001
From: gozzy
Date: Sun, 26 Mar 2023 21:50:17 +0000
Subject: [PATCH] nginx template ddos mitigation

---
 tornado-stream.conf | 4 +---
 tornado.conf | 23 ++++++++++++++++++++---
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/tornado-stream.conf b/tornado-stream.conf
index 4b3ab5c..819debe 100644
--- a/tornado-stream.conf
+++ b/tornado-stream.conf
@@ -1,7 +1,5 @@
 map $ssl_preread_server_name $name {
- yourserver.com tornado_mainnet;
-
- # default
+ yourdomain.com tornado_mainnet;
 default tornado_mainnet;
 }

diff --git a/tornado.conf b/tornado.conf
index 53a400f..efe418d 100644
--- a/tornado.conf
+++ b/tornado.conf
@@ -44,6 +44,11 @@ proxy_set_header X-Original-URI $request_uri;
 # Mitigate httpoxy attack (see README for details)
 proxy_set_header Proxy "";
+# Request rate limiting per second, 2Mb zone @ 5 requests per second
+limit_req_zone $binary_remote_addr zone=one:2m rate=5r/s;
+# Connections per IP limited to 2
+limit_conn_zone $binary_remote_addr zone=two:2m;
+
 server {
 server_name _; # This is just an invalid value which will never trigger on a real hostname.
 server_tokens off;
@@ -55,16 +60,28 @@ server {
 server_name yourdomain.com;
- listen 80 ;
+ # Connection timeouts
+ client_body_timeout 10s;
+ client_header_timeout 10s;
+
+ listen 80;
 access_log /var/log/nginx/access.log vhost;
- # Do not HTTPS redirect Let'sEncrypt ACME challenge
+ # Do not HTTPS redirect LetsEncrypt ACME challenge
 location ^~ /.well-known/acme-challenge/ {
- proxy_pass http://127.0.0.1:8000;
+ limit_req zone=one;
+ limit_conn two 1;
+
+ proxy_pass http://127.0.0.1:8000;
+ break;
 }
 location / {
+ limit_req zone=one;
+ limit_conn two 1;
+
 return 301 https://$host$request_uri;
+
 }
\ No newline at end of file
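Review bot: The comment `# Connections per IP limited to 2` above `limit_conn_zone` does not match how the zone is used: the second hunk of this file applies it as `limit_conn two 1;` in both locations, which allows one concurrent connection per client address, not two. Either the comment or the value should change, e.g. `# Concurrent connections per IP limited to 1 (see limit_conn two 1 below)` if one is the intent. Both zones key on `$binary_remote_addr`, so if this nginx sits behind a CDN or load balancer all clients would share the proxy's address and be throttled together; a one-line comment stating that the template assumes nginx is the internet-facing edge would make that assumption explicit, since the hunk itself cannot confirm it. The zone names `one` and `two` also say nothing about their purpose; `zone=req_per_ip:2m` and `zone=conn_per_ip:2m` would read better, though renaming means updating the second hunk as well.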
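Review bot: `limit_req zone=one;` is applied with no `burst`, so any client whose requests arrive faster than 5r/s is answered 503 on the excess request with no queueing, and that includes the `/.well-known/acme-challenge/` location, where ACME validation may issue several requests in quick succession; `limit_req zone=one burst=10 nodelay;` is the usual shape for a redirect-and-ACME-only server. The `break;` added after `proxy_pass` has no effect: `break` is a rewrite-module directive that ends rewrite-phase processing and does not interact with `proxy_pass` in the same location, so it should be dropped rather than left to suggest it does something. The new limits and timeouts are applied only in this port-80 server, whose two locations are the cheapest requests nginx handles; presumably the HTTPS server that carries the real upstream traffic lives outside this hunk and receives no `limit_req`/`limit_conn` in this commit, which is worth confirming. As rendered, the hunk ends with a single `}` after `return 301` although both `location /` and the enclosing `server` block are open; if that is the file's actual content rather than a display artefact, `nginx -t` will reject it. The enclosing `server {` line is the hunk's function context and sits before the hunk.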