nginx template ddos mitigation
This commit is contained in:
parent
7d10fe2ab9
commit
ed5d99cf44
@ -1,7 +1,5 @@
|
||||
map $ssl_preread_server_name $name {
|
||||
yourserver.com tornado_mainnet;
|
||||
|
||||
# default
|
||||
yourdomain.com tornado_mainnet;
|
||||
|
||||
default tornado_mainnet;
|
||||
}
|
||||
|
21
tornado.conf
21
tornado.conf
@ -44,6 +44,11 @@ proxy_set_header X-Original-URI $request_uri;
|
||||
# Mitigate httpoxy attack (see README for details)
|
||||
proxy_set_header Proxy "";
|
||||
|
||||
# Request rate limiting per second, 2Mb zone @ 5 requests per second
|
||||
limit_req_zone $binary_remote_addr zone=one:2m rate=5r/s;
|
||||
# Connections per IP limited to 2
|
||||
limit_conn_zone $binary_remote_addr zone=two:2m;
|
||||
|
||||
server {
|
||||
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
||||
server_tokens off;
|
||||
@ -55,16 +60,28 @@ server {
|
||||
server {
|
||||
server_name yourdomain.com;
|
||||
|
||||
listen 80 ;
|
||||
# Connection timeouts
|
||||
client_body_timeout 10s;
|
||||
client_header_timeout 10s;
|
||||
|
||||
listen 80;
|
||||
access_log /var/log/nginx/access.log vhost;
|
||||
|
||||
# Do not HTTPS redirect Let'sEncrypt ACME challenge
|
||||
# Do not HTTPS redirect LetsEncrypt ACME challenge
|
||||
location ^~ /.well-known/acme-challenge/ {
|
||||
limit_req zone=one;
|
||||
limit_conn two 1;
|
||||
|
||||
proxy_pass http://127.0.0.1:8000;
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
location / {
|
||||
limit_req zone=one;
|
||||
limit_conn two 1;
|
||||
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
}
|
Loading…
Reference in New Issue
Block a user