nginx template ddos mitigation

gozzy 2023-03-26 21:50:17 +00:00
parent 7d10fe2ab9
commit ed5d99cf44
2 changed files with 21 additions and 6 deletions

@ -1,7 +1,5 @@
map $ssl_preread_server_name $name { map $ssl_preread_server_name $name {
yourserver.com tornado_mainnet; yourdomain.com tornado_mainnet;
# default
default tornado_mainnet; default tornado_mainnet;
} }

@ -44,6 +44,11 @@ proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details) # Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy ""; proxy_set_header Proxy "";
# Request rate limiting per second, 2Mb zone @ 5 requests per second
limit_req_zone $binary_remote_addr zone=one:2m rate=5r/s;
# Connections per IP limited to 2
limit_conn_zone $binary_remote_addr zone=two:2m;
server { server {
server_name _; # This is just an invalid value which will never trigger on a real hostname. server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off; server_tokens off;
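Review bot: The comment `# Connections per IP limited to 2` above the new `limit_conn_zone` line does not match how the zone is used: the `limit_conn two 1;` lines added in the next hunk allow one connection per address, and the `2m` in the directive is the shared-memory size, not a connection count. Either reword it to `# Per-IP connection counting, 2Mb zone (limit is set per location with limit_conn)` or raise the per-location value to 2 so comment and directive agree. Both zones key on `$binary_remote_addr`, i.e. the TCP peer address; if this listener only receives traffic forwarded by the stream `ssl_preread` map in the first hunk or by another proxy (not visible here), every client would share a single bucket and five requests per second from anyone would throttle everyone, so how traffic reaches this server should be confirmed before relying on this as DDoS mitigation.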
@ -55,16 +60,28 @@ server {
server { server {
server_name yourdomain.com; server_name yourdomain.com;
listen 80 ; # Connection timeouts
client_body_timeout 10s;
client_header_timeout 10s;
listen 80;
access_log /var/log/nginx/access.log vhost; access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let'sEncrypt ACME challenge # Do not HTTPS redirect LetsEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ { location ^~ /.well-known/acme-challenge/ {
limit_req zone=one;
limit_conn two 1;
proxy_pass http://127.0.0.1:8000; proxy_pass http://127.0.0.1:8000;
break; break;
} }
location / { location / {
limit_req zone=one;
limit_conn two 1;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
} }
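Review bot: The two new `limit_req zone=one;` lines in the `/.well-known/acme-challenge/` and `/` locations carry no `burst`, so the sixth request from one address within a second is rejected immediately with the default 503, and a browser fetching a page plus a few assets through the redirect can trip it. The customary form is `limit_req zone=one burst=10 nodelay;` with the burst sized to a normal page load, optionally with `limit_req_status 429;` and `limit_conn_status 429;` so throttled clients are distinguishable from backend outages in access.log. `limit_conn two 1;` likewise permits only one concurrent connection per address, which HTTP/1.1 browsers routinely exceed; a value of 2 or more, consistent with the comment on the zone definition in the previous hunk, is safer for the redirect path.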