added the uri to limit_req_zone key to limit bruteforce attack on a specific resource instead of the whole service
parent
aa614f82f9
commit
e44a1f3e14
|
@ -102,11 +102,11 @@ BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}"
|
|||
USE_DNSBL="${USE_DNSBL-yes}"
|
||||
DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
|
||||
USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
|
||||
LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
|
||||
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
|
||||
LIMIT_REQ_RATE="${LIMIT_REQ_RATE-1r/s}"
|
||||
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-2}"
|
||||
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
|
||||
USE_LIMIT_CONN="${USE_LIMIT_CONN-yes}"
|
||||
LIMIT_CONN_MAX="${LIMIT_CONN_MAX-40}"
|
||||
LIMIT_CONN_MAX="${LIMIT_CONN_MAX-10}"
|
||||
LIMIT_CONN_CACHE="${LIMIT_CONN_CACHE-10m}"
|
||||
PROXY_REAL_IP="${PROXY_REAL_IP-no}"
|
||||
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
|
||||
|
|
|
@ -171,7 +171,7 @@ fi
|
|||
|
||||
# request limiting
|
||||
if [ "$(has_value USE_LIMIT_REQ yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr\$uri zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
|
||||
fi
|
||||
|
|
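Review bot: Keying the zone on `\$binary_remote_addr\$uri` in the `%LIMIT_REQ_ZONE%` replacement removes the per-client ceiling: each distinct path gets its own bucket, so a client that spreads requests over many URIs (scanning, or endpoints that carry an identifier in the path) is never throttled by this zone. Every new URI also creates a state entry with a longer key, so the `${LIMIT_REQ_CACHE}` zone fills faster, and nginx will evict older states or reject requests once it cannot allocate one. Since nginx accepts several `limit_req` directives in one context, consider keeping a second zone keyed on the address alone, e.g. `limit_req_zone \$binary_remote_addr zone=limitip:${LIMIT_REQ_CACHE} rate=<per-client rate>;`, with a matching `limit_req` wherever the existing one is applied (that template is not shown on this page). The page does not mark which of the duplicated `LIMIT_REQ_RATE`/`LIMIT_REQ_BURST` defaults is the new side; if it is `1r/s` with burst `2`, a comment next to them stating that the limit now applies per client and per URI would help operators choose values.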