Merge pull request #72 from thelittlefireman/patch-3
Fix #71 - limit connection by IP
This commit is contained in:
commit
9142afdb54
23
README.md
23
README.md
|
@ -1085,7 +1085,7 @@ The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 10 requ
|
|||
Values : *<any valid integer\>*
|
||||
Default value : *40*
|
||||
Context : *global*, *multisite*
|
||||
The number of of requests to put in queue before rejecting requests.
|
||||
The number of requests to put in queue before rejecting requests.
|
||||
|
||||
`LIMIT_REQ_CACHE`
|
||||
Values : *Xm* | *Xk*
|
||||
|
@ -1093,6 +1093,27 @@ Default value : *10m*
|
|||
Context : *global*
|
||||
The size of the cache to store information about request limiting.
|
||||
|
||||
### Connections limiting
|
||||
|
||||
`USE_LIMIT_CONN`
|
||||
Values : *yes* | *no*
|
||||
Default value : *yes*
|
||||
Context : *global*, *multisite*
|
||||
If set to yes, the number of connections made by an ip will be limited during a period of time. (ie. Very small/weak ddos protection)
|
||||
More info connections limiting [here](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html).
|
||||
|
||||
`LIMIT_CONN_MAX`
|
||||
Values : *<any valid integer\>*
|
||||
Default value : *40*
|
||||
Context : *global*, *multisite*
|
||||
The maximum number of connections per ip to put in queue before rejecting requests.
|
||||
|
||||
`LIMIT_CONN_CACHE`
|
||||
Values : *Xm* | *Xk*
|
||||
Default value : *10m*
|
||||
Context : *global*
|
||||
The size of the cache to store information about connection limiting.
|
||||
|
||||
### Countries
|
||||
|
||||
`BLACKLIST_COUNTRY`
|
||||
|
|
|
@ -88,6 +88,9 @@ http {
|
|||
# shared memory zone for limit_req
|
||||
%LIMIT_REQ_ZONE%
|
||||
|
||||
# shared memory zone for limit_conn
|
||||
%LIMIT_CONN_ZONE%
|
||||
|
||||
# whitelist or blacklist country
|
||||
%USE_COUNTRY%
|
||||
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
limit_conn ddos %LIMIT_CONN_MAX%;
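Review bot: The zone name `ddos` is a bare literal here and again in the `limit_conn_zone` line the entrypoint writes into nginx.conf (`zone=ddos:${LIMIT_CONN_CACHE}`), so the two can drift silently and nginx would then refuse to start over an unknown zone. A comment tying them together would help the next editor: `# zone "ddos" must match the limit_conn_zone written into nginx.conf by the entrypoint`. Nothing sets `limit_conn_status` or `limit_conn_log_level`, so rejected connections fall back to nginx's defaults (503, logged at error level); stating that in the README entry for `USE_LIMIT_CONN` would let operators match log-based detection (fail2ban is already wired in nearby) to the new rejections.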
|
|
@ -15,6 +15,7 @@ server {
|
|||
return 405;
|
||||
}
|
||||
%LIMIT_REQ%
|
||||
%LIMIT_CONN%
|
||||
%AUTH_BASIC%
|
||||
%REMOVE_HEADERS%
|
||||
%X_FRAME_OPTIONS%
|
||||
|
|
|
@ -95,6 +95,9 @@ USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
|
|||
LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
|
||||
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
|
||||
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
|
||||
USE_LIMIT_CONN="${USE_LIMIT_CONN-yes}"
|
||||
LIMIT_CONN_MAX="${LIMIT_CONN_MAX-40}"
|
||||
LIMIT_CONN_CACHE="${LIMIT_CONN_CACHE-10m}"
|
||||
PROXY_REAL_IP="${PROXY_REAL_IP-no}"
|
||||
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
|
||||
PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
|
||||
|
|
|
@ -245,6 +245,13 @@ else
|
|||
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
|
||||
fi
|
||||
|
||||
# connection limiting
|
||||
if [ "$(has_value USE_LIMIT_CONN yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" "limit_conn_zone \$binary_remote_addr zone=ddos:${LIMIT_CONN_CACHE};"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" ""
|
||||
fi
|
||||
|
||||
# DNSBL
|
||||
if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
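Review bot: `${LIMIT_CONN_CACHE}` is spliced straight into the `limit_conn_zone` directive at the start of this hunk with no shape check, and the @547 hunk does the same with `$LIMIT_CONN_MAX` into limit-conn.conf; both come from the container environment and an unexpected value (a stray `;`, whitespace, or the empty string that `${LIMIT_CONN_MAX-40}` lets through) yields a config nginx rejects at startup, or in the `;` case an extra directive. A check before the replacement keeps the failure explicit and early: `echo "$LIMIT_CONN_CACHE" | grep -Eq '^[0-9]+[kKmM]$' || { echo "invalid LIMIT_CONN_CACHE: $LIMIT_CONN_CACHE" >&2; exit 1; }` and likewise `^[0-9]+$` for LIMIT_CONN_MAX. The README documents the accepted forms (*Xm* | *Xk*, any valid integer), so the patterns can mirror that text.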
|
||||
|
|
|
@ -547,6 +547,14 @@ else
|
|||
replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" ""
|
||||
fi
|
||||
|
||||
# connection limiting
|
||||
if [ "$USE_LIMIT_CONN" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" "include ${NGINX_PREFIX}limit-conn.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}limit-conn.conf" "%LIMIT_CONN_MAX%" "$LIMIT_CONN_MAX"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" ""
|
||||
fi
|
||||
|
||||
# fail2ban
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"
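Review bot: The limit this hunk enables is keyed on `$binary_remote_addr` (zone definition in the @245 hunk), so when nginx runs behind a reverse proxy and `PROXY_REAL_IP` stays at its default `no`, every client appears as the proxy's address and shares one `LIMIT_CONN_MAX` budget — at the default of 40, legitimate traffic is rejected once that many concurrent connections arrive through the proxy. That deserves a sentence in the README entry for `USE_LIMIT_CONN`, e.g. `Behind a reverse proxy, enable PROXY_REAL_IP so the limit is applied per client address rather than per proxy.` The `else` branch leaves `%LIMIT_CONN_MAX%` unreplaced in limit-conn.conf; presumably harmless since the file is not included then, but replacing it anyway keeps the generated tree free of stray placeholders. The surrounding if/else sequence continues outside the hunk.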
|
||||
|
|