req limit

README.md

@@ -10,9 +10,9 @@ Non-exhaustive list of features :
 - Integrated ModSecurity WAF with the OWASP Core Rule Set
 - Automatic ban of strange behaviors with fail2ban
 - Block TOR users, bad user-agents, countries, ...
-- Perform automatic DNSBL checks
+- Perform automatic DNSBL checks to block known bad IP
+- Prevent bruteforce attacks with rate limiting
 - Detect bad files with ClamAV
-- Based on alpine
 - Easy to configure with environment variables
 
 # Table of contents
@@ -308,10 +308,31 @@ Default value : *8.8.8.8 8.8.4.4*
 The IP addresses of the DNS resolvers to use when `USE_DNSBL` is set to *yes*.
 
 `DNSBL_CACHE`  
-Values : *\< \>*  
+Values : *\<size with units k or m\>*  
 Default value : *10m*  
 The size of the cache used to keep DNSBL responses.
 
+`USE_REQ_LIMIT`  
+Values : *yes* | *no*  
+Default value : *yes*  
+If set to yes, the amount of HTTP requests made by a user will be limited during a period of time.  
+More info rate limiting [here](https://www.nginx.com/blog/rate-limiting-nginx/).
+
+`REQ_LIMIT_RATE`  
+Values : *Xr/s* | *Xr/m*  
+Default value : *10r/s*  
+The rate limit to apply when `USE_REQ_LIMIT` is set to *yes*. Default is 10 requests per second.
+
+`REQ_LIMIT_BURST`  
+Values : *<any valid integer\>*  
+Default value : *20*  
+The number of of requests to put in queue before rejecting requests.
+
+`REQ_LIMIT_CACHE`  
+Values : *Xm* | *Xk*    
+Default value : *10m*  
+The size of the cache to store information about request limiting.
+
 ## PHP
 `REMOTE_PHP`  
 Values : *\<any valid IP/hostname\>*  

confs/nginx.conf

@@ -69,6 +69,9 @@ http {
 	lua_package_path "/usr/local/lib/lua/?.lua;;";
 	%DNSBL_CACHE%
 
+	# shared memory zone for limit_req
+	%LIMIT_REQ_ZONE%
+
 	# server config
 	include /etc/nginx/server.conf;
 

confs/server.conf

@@ -11,6 +11,7 @@ server {
 	{
 		return 405;
 	}
+	%LIMIT_REQ%
 	%DNSBL%
 	%AUTH_BASIC%
 	%USE_PHP%

entrypoint.sh

@@ -125,6 +125,10 @@ USE_DNSBL="${USE_DNSBL-yes}"
 DNSBL_CACHE="${DNSBL_CACHE-10m}"
 DNSBL_RESOLVERS="${DNSBL_RESOLVERS-8.8.8.8 8.8.4.4}"
 DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
+USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
+LIMIT_REQ_RATE="${LIMIT_REQ_RATE-10r/s}"
+LIMIT_REQ_BURST="${LIMIT_REQ_BURST-20}"
+LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
 
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
@@ -395,6 +399,14 @@ else
 	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" ""
 	replace_in_file "/etc/nginx/server.conf" "%DNSBL%" ""
 fi
+if [ "$USE_LIMIT_REQ" = "yes" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
+	replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" "include /etc/nginx/limit-req.conf;"
+	replace_in_file "/etc/nginx/limit-req.conf" "%LIMIT_REQ_BURST%" "$LIMIT_REQ_BURST"
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
+	replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" ""
+fi
 
 # fail2ban setup
 if [ "$USE_FAIL2BAN" = "yes" ] ; then