Merge pull request #72 from thelittlefireman/patch-3

Fix #71 - limit connection by IP

README.md

@@ -1085,7 +1085,7 @@ The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 10 requ
 Values : *<any valid integer\>*  
 Default value : *40*  
 Context : *global*, *multisite*  
-The number of of requests to put in queue before rejecting requests.
+The number of requests to put in queue before rejecting requests.
 
 `LIMIT_REQ_CACHE`  
 Values : *Xm* | *Xk*    
@@ -1093,6 +1093,27 @@ Default value : *10m*
 Context : *global*  
 The size of the cache to store information about request limiting.
 
+### Connections limiting
+
+`USE_LIMIT_CONN`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to yes, the number of connections made by an ip will be limited during a period of time. (ie. Very small/weak ddos protection)  
+More info connections limiting [here](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html).
+
+`LIMIT_CONN_MAX`  
+Values : *<any valid integer\>*  
+Default value : *40*  
+Context : *global*, *multisite*  
+The maximum number of connections per ip to put in queue before rejecting requests.
+
+`LIMIT_CONN_CACHE`  
+Values : *Xm* | *Xk*    
+Default value : *10m*  
+Context : *global*  
+The size of the cache to store information about connection limiting.
+
 ### Countries
 
 `BLACKLIST_COUNTRY`  

confs/global/nginx.conf

@@ -88,6 +88,9 @@ http {
 	# shared memory zone for limit_req
 	%LIMIT_REQ_ZONE%
 
+	# shared memory zone for limit_conn
+	%LIMIT_CONN_ZONE%
+
 	# whitelist or blacklist country
 	%USE_COUNTRY%
 

confs/site/limit-conn.conf

@@ -0,0 +1 @@
+limit_conn ddos %LIMIT_CONN_MAX%;

confs/site/server.conf

@@ -15,6 +15,7 @@ server {
 		return 405;
 	}
 	%LIMIT_REQ%
+	%LIMIT_CONN%
 	%AUTH_BASIC%
 	%REMOVE_HEADERS%
 	%X_FRAME_OPTIONS%

entrypoint/defaults.sh

@@ -95,6 +95,9 @@ USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
 LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
 LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
 LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
+USE_LIMIT_CONN="${USE_LIMIT_CONN-yes}"
+LIMIT_CONN_MAX="${LIMIT_CONN_MAX-40}"
+LIMIT_CONN_CACHE="${LIMIT_CONN_CACHE-10m}"
 PROXY_REAL_IP="${PROXY_REAL_IP-no}"
 PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
 PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"

entrypoint/global-config.sh

@@ -245,6 +245,13 @@ else
 	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
 fi
 
+# connection limiting
+if [ "$(has_value USE_LIMIT_CONN yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" "limit_conn_zone \$binary_remote_addr zone=ddos:${LIMIT_CONN_CACHE};"
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" ""
+fi
+
 # DNSBL
 if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"

entrypoint/site-config.sh

@@ -547,6 +547,14 @@ else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" ""
 fi
 
+# connection limiting
+if [ "$USE_LIMIT_CONN" = "yes" ] ; then
+	replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" "include ${NGINX_PREFIX}limit-conn.conf;"
+	replace_in_file "${NGINX_PREFIX}limit-conn.conf" "%LIMIT_CONN_MAX%" "$LIMIT_CONN_MAX"
+else
+	replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" ""
+fi
+
 # fail2ban
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"