[Security] - Improve DDoS resilience #628
Reference: Disroot/Disroot-Project#628
No description provided.
See https://ddos-test.com/result/disroot.org
an example with A-rating: https://ddos-test.com/result/bundestag.de
Some ideas @muppeth but I'm far from being an expert on that :)
The system keeps idle TCP client connections open for more than 45.0 seconds

In `nginx.conf`: `keepalive_timeout {{ nginx_http_keepalive_timeout }};` and in defaults: `nginx_http_keepalive_timeout: '30 30'`. Shouldn't it be just `30`?

The system answered with a HTTP 2xx or 3xx code instead of disallowing invalid HTTP/1.3 requests

Should we set `nginx_ssl_protocols: 'TLSv1.2'` then, by removing `TLSv1.3`?

The system keeps idle TCP client connections open for more than 45.0 seconds:

Should we add
in base role template?

The system answered with a HTTP 2xx or 3xx code instead of disallowing HTTP POST to the / URL.

Should we add

The system does not block malicious user agents like sqlmap

We could create a file with blocked user agents, e.g. `/etc/nginx/blocked-user-agents`, and list the user agents we want to block, one per line:

Then in `nginx.conf`, in `http`, we could add:
and then in the vhost:

The system sets a value of 128 MAX_CONCURRENT_STREAMS in HTTP/2, which is larger than the common default of 100 and might be dangerous.
I don't get it coz default seems to be set to 128: https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_concurrent_streams
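One way to turn the scanner findings discussed in this issue into nginx directives, as an added example and not a snippet from the Disroot Ansible roles or their templates (the `nginx_http_keepalive_timeout` variable above is the repo's; the file path `/etc/nginx/blocked-user-agents.map`, the `example.org` server name, the certificate paths and the exact timeout values are assumptions for illustration). Two caveats a practitioner would want before copying the suggestions verbatim: the "invalid HTTP/1.3 requests" finding is about the HTTP version string in the request line, not TLS 1.3, so dropping `TLSv1.3` from `ssl_protocols` would weaken transport security without addressing it; and a client that opens a TCP connection and never sends a request is bounded by `client_header_timeout` (60s by default), not by `keepalive_timeout`, which only applies between requests on an already-established keep-alive connection (the second value in `'30 30'` merely sets the `Keep-Alive: timeout=` response header). The HTTP/2 stream cap is set explicitly to 100 because, as noted above, nginx's own default is 128.

```nginx
# Added example (not the Disroot roles' own config): hardening ideas from the
# ddos-test findings expressed as nginx directives. Paths, names and limits
# are assumptions; adjust to the real deployment.

http {
    # Idle connections. keepalive_timeout bounds the gap *between* requests on
    # a keep-alive connection; an optional second value would only set the
    # "Keep-Alive: timeout=N" response header. A connection that connects and
    # then sends nothing (or a TLS handshake that stalls) is bounded by
    # client_header_timeout instead, so lower that as well.
    keepalive_timeout     30;
    client_header_timeout 20s;
    client_body_timeout   20s;
    send_timeout          20s;

    # Per-connection cap on HTTP/2 streams. nginx's default is 128; the
    # scanner expects at most 100.
    http2_max_concurrent_streams 100;

    # Blocked user agents. The included file must contain map entries, one
    # "pattern value;" per line (not bare names), e.g.:
    #   ~*sqlmap   1;
    #   ~*nikto    1;
    #   ~*masscan  1;
    map $http_user_agent $bad_ua {
        default 0;
        include /etc/nginx/blocked-user-agents.map;   # path is an assumption
    }

    # Reject request lines with an HTTP version nginx does not actually
    # speak (e.g. "HTTP/1.3"). $server_protocol carries the version text
    # from the request line; h2 and h3 requests report 2.0 and 3.0.
    map $server_protocol $bad_http_version {
        default    1;
        "HTTP/1.0" 0;
        "HTTP/1.1" 0;
        "HTTP/2.0" 0;
        "HTTP/3.0" 0;
    }

    server {
        # On nginx >= 1.25.1 prefer "listen 443 ssl;" plus "http2 on;".
        listen 443 ssl http2;
        server_name example.org;                        # assumption

        ssl_certificate     /etc/nginx/tls/fullchain.pem;  # assumption
        ssl_certificate_key /etc/nginx/tls/privkey.pem;    # assumption
        # Keep TLS 1.3: the "HTTP/1.3" finding is unrelated to TLS versions.
        ssl_protocols TLSv1.2 TLSv1.3;

        # "if" + "return" at server level is one of the safe uses of "if".
        if ($bad_ua) {
            return 403;
        }
        if ($bad_http_version) {
            return 400;
        }

        # POST to /: the front page only needs GET/HEAD (limit_except GET
        # implicitly allows HEAD); any other method gets 403.
        location = / {
            limit_except GET HEAD {
                deny all;
            }
            try_files /index.html =404;
        }

        location / {
            try_files $uri $uri/ =404;
        }
    }
}
```

After reloading, each finding can be re-checked by hand before re-running the scanner: `curl -sI -A sqlmap https://example.org/` should return 403, `curl -sI -X POST https://example.org/` should return 403, and `printf 'GET / HTTP/1.3\r\nHost: example.org\r\n\r\n' | openssl s_client -quiet -connect example.org:443` should return 400. For the idle-connection finding, open a TLS connection with `openssl s_client` and send nothing; the server should drop it after `client_header_timeout`, not after the 60s default.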