nginx template ddos mitigation
This commit is contained in:
parent
7d10fe2ab9
commit
ed5d99cf44
@ -1,7 +1,5 @@
|
|||||||
map $ssl_preread_server_name $name {
|
map $ssl_preread_server_name $name {
|
||||||
yourserver.com tornado_mainnet;
|
yourdomain.com tornado_mainnet;
|
||||||
|
|
||||||
# default
|
|
||||||
|
|
||||||
default tornado_mainnet;
|
default tornado_mainnet;
|
||||||
}
|
}
|
||||||
|
21
tornado.conf
21
tornado.conf
@ -44,6 +44,11 @@ proxy_set_header X-Original-URI $request_uri;
|
|||||||
# Mitigate httpoxy attack (see README for details)
|
# Mitigate httpoxy attack (see README for details)
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
|
|
||||||
|
# Request rate limiting per second, 2Mb zone @ 5 requests per second
|
||||||
|
limit_req_zone $binary_remote_addr zone=one:2m rate=5r/s;
|
||||||
|
# Connections per IP limited to 2
|
||||||
|
limit_conn_zone $binary_remote_addr zone=two:2m;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
@ -55,16 +60,28 @@ server {
|
|||||||
server {
|
server {
|
||||||
server_name yourdomain.com;
|
server_name yourdomain.com;
|
||||||
|
|
||||||
listen 80 ;
|
# Connection timeouts
|
||||||
|
client_body_timeout 10s;
|
||||||
|
client_header_timeout 10s;
|
||||||
|
|
||||||
|
listen 80;
|
||||||
access_log /var/log/nginx/access.log vhost;
|
access_log /var/log/nginx/access.log vhost;
|
||||||
|
|
||||||
# Do not HTTPS redirect Let'sEncrypt ACME challenge
|
# Do not HTTPS redirect LetsEncrypt ACME challenge
|
||||||
location ^~ /.well-known/acme-challenge/ {
|
location ^~ /.well-known/acme-challenge/ {
|
||||||
|
limit_req zone=one;
|
||||||
|
limit_conn two 1;
|
||||||
|
|
||||||
proxy_pass http://127.0.0.1:8000;
|
proxy_pass http://127.0.0.1:8000;
|
||||||
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
limit_req zone=one;
|
||||||
|
limit_conn two 1;
|
||||||
|
|
||||||
return 301 https://$host$request_uri;
|
return 301 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
Loading…
Reference in New Issue
Block a user