req limit
parent
44155b5d62
commit
eba5f6280e
27
README.md
|
@ -10,9 +10,9 @@ Non-exhaustive list of features :
|
|||
- Integrated ModSecurity WAF with the OWASP Core Rule Set
|
||||
- Automatic ban of strange behaviors with fail2ban
|
||||
- Block TOR users, bad user-agents, countries, ...
|
||||
- Perform automatic DNSBL checks
|
||||
- Perform automatic DNSBL checks to block known bad IP
|
||||
- Prevent bruteforce attacks with rate limiting
|
||||
- Detect bad files with ClamAV
|
||||
- Based on alpine
|
||||
- Easy to configure with environment variables
|
||||
|
||||
# Table of contents
|
||||
|
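Review bot: The new bullet "Prevent bruteforce attacks with rate limiting" overstates what the feature does. The limit is included once at server level through `%LIMIT_REQ%` and defaults to `10r/s`, which still allows ten attempts per second from one address against any login form. Suggest wording it as general per-client request throttling, or documenting that a much lower rate is needed on authentication endpoints. Minor: "to block known bad IP" should read "IPs" or "IP addresses".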
@ -308,10 +308,31 @@ Default value : *8.8.8.8 8.8.4.4*
|
|||
The IP addresses of the DNS resolvers to use when `USE_DNSBL` is set to *yes*.
|
||||
|
||||
`DNSBL_CACHE`
|
||||
Values : *\< \>*
|
||||
Values : *\<size with units k or m\>*
|
||||
Default value : *10m*
|
||||
The size of the cache used to keep DNSBL responses.
|
||||
|
||||
`USE_REQ_LIMIT`
|
||||
Values : *yes* | *no*
|
||||
Default value : *yes*
|
||||
If set to yes, the amount of HTTP requests made by a user will be limited during a period of time.
|
||||
More info rate limiting [here](https://www.nginx.com/blog/rate-limiting-nginx/).
|
||||
|
||||
`REQ_LIMIT_RATE`
|
||||
Values : *Xr/s* | *Xr/m*
|
||||
Default value : *10r/s*
|
||||
The rate limit to apply when `USE_REQ_LIMIT` is set to *yes*. Default is 10 requests per second.
|
||||
|
||||
`REQ_LIMIT_BURST`
|
||||
Values : *<any valid integer\>*
|
||||
Default value : *20*
|
||||
The number of of requests to put in queue before rejecting requests.
|
||||
|
||||
`REQ_LIMIT_CACHE`
|
||||
Values : *Xm* | *Xk*
|
||||
Default value : *10m*
|
||||
The size of the cache to store information about request limiting.
|
||||
|
||||
## PHP
|
||||
`REMOTE_PHP`
|
||||
Values : *\<any valid IP/hostname\>*
|
||||
|
|
|
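Review bot: The variable names documented in this hunk (`USE_REQ_LIMIT`, `REQ_LIMIT_RATE`, `REQ_LIMIT_BURST`, `REQ_LIMIT_CACHE`) do not match the names the entrypoint reads later in this commit (`USE_LIMIT_REQ`, `LIMIT_REQ_RATE`, `LIMIT_REQ_BURST`, `LIMIT_REQ_CACHE`). A user who follows the README sets variables that are silently ignored and gets the defaults, including when trying to set `USE_REQ_LIMIT=no`. Pick one spelling and use it in both places. Smaller points in the same hunk: "More info rate limiting" is missing "about", "The number of of requests" has a doubled word, and `*<any valid integer\>*` escapes only the closing bracket, unlike the `*\<...\>*` form used for the other entries.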
@ -69,6 +69,9 @@ http {
|
|||
lua_package_path "/usr/local/lib/lua/?.lua;;";
|
||||
%DNSBL_CACHE%
|
||||
|
||||
# shared memory zone for limit_req
|
||||
%LIMIT_REQ_ZONE%
|
||||
|
||||
# server config
|
||||
include /etc/nginx/server.conf;
|
||||
|
||||
|
|
|
@ -11,6 +11,7 @@ server {
|
|||
{
|
||||
return 405;
|
||||
}
|
||||
%LIMIT_REQ%
|
||||
%DNSBL%
|
||||
%AUTH_BASIC%
|
||||
%USE_PHP%
|
||||
|
|
|
@ -125,6 +125,10 @@ USE_DNSBL="${USE_DNSBL-yes}"
|
|||
DNSBL_CACHE="${DNSBL_CACHE-10m}"
|
||||
DNSBL_RESOLVERS="${DNSBL_RESOLVERS-8.8.8.8 8.8.4.4}"
|
||||
DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
|
||||
USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
|
||||
LIMIT_REQ_RATE="${LIMIT_REQ_RATE-10r/s}"
|
||||
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-20}"
|
||||
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
|
||||
|
||||
# install additional modules if needed
|
||||
if [ "$ADDITIONAL_MODULES" != "" ] ; then
|
||||
|
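Review bot: The `${LIMIT_REQ_RATE-10r/s}` form on the added lines substitutes the default only when the variable is unset, so an explicitly empty `LIMIT_REQ_RATE=` or `LIMIT_REQ_CACHE=` passes through and ends up in the generated `limit_req_zone` directive as `rate=;` or `zone=limit:`, which nginx rejects at startup. This follows the style of the neighbouring `DNSBL_*` lines, but since these values are written straight into a directive, consider `${VAR:-default}` or a format check (`Xr/s` or `Xr/m`, `Xk` or `Xm`, integer burst) before substitution.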
@ -395,6 +399,14 @@ else
|
|||
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" ""
|
||||
replace_in_file "/etc/nginx/server.conf" "%DNSBL%" ""
|
||||
fi
|
||||
if [ "$USE_LIMIT_REQ" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
|
||||
replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" "include /etc/nginx/limit-req.conf;"
|
||||
replace_in_file "/etc/nginx/limit-req.conf" "%LIMIT_REQ_BURST%" "$LIMIT_REQ_BURST"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
|
||||
replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" ""
|
||||
fi
|
||||
|
||||
# fail2ban setup
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
|
|
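Review bot: The zone in the `limit_req_zone` line is keyed on `\$binary_remote_addr`, so when the container runs behind a reverse proxy or load balancer every client shares the proxy's address and therefore one bucket, and the 10r/s default will throttle legitimate traffic collectively while not separating out an abusive client. Either document that the limit assumes direct client connections or make the key configurable so it can follow the real client address once that is set up. Two further checks: `/etc/nginx/limit-req.conf` and its `%LIMIT_REQ_BURST%` placeholder are referenced here but not part of the diff visible on this page, so the actual `limit_req` line cannot be reviewed; and the replacement strings contain `/` (`10r/s`, the include path), so `replace_in_file` needs to handle that character safely if it builds a sed expression.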