Daniel Micay b38736ca74 enable nftables-based DDoS protection for all TCP services
Now that the usage of synproxy is gated behind a SYN packet rate limit,
we can expand this to all our TCP services to have always enabled DDoS
protection instead of needing to deploy a stricter set of rules when the
servers are under attack. This is far better because there isn't always
a system administrator available to handle an ongoing attack.

We already used per-IP connection limits in nginx across the board but
those limits are applied far too late after a TLS connection has been
established and headers are sent rather than before. Using IPv6 /64
blocks means this is much more aggressive for IPv6, but many clients
will fall back to IPv4 due to the happy eyeballs approach. The nginx
limits are still useful due to HTTP/2 multiplexing and we'll need to
think over how to address IPv6 there.
2024-04-10 14:48:10 -04:00
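The mechanism the commit message describes, as an added illustration that is not the repository's own nftables-*.conf: SYN packets stay tracked under normal load, only the SYNs above a rate threshold are marked untracked so that synproxy answers them with SYN cookies, and new connections are additionally limited per IPv4 address and per IPv6 /64 before any TLS handshake happens. The table name, the port set, the rate threshold, the per-source limits and the synproxy TCP option values are assumptions for the example, not values taken from the page.

```nft
# Added example, not GrapheneOS's own configuration.
# Assumed (not from the page): table name, ports, SYN rate threshold,
# per-source connection limits, synproxy option values.
#
# Host prerequisites documented for synproxy: conntrack must not pick up
# mid-stream flows (net.netfilter.nf_conntrack_tcp_loose=0) and TCP
# timestamps must be on (net.ipv4.tcp_timestamps=1). The mss/wscale/
# sack-perm/timestamp values must match what the listening sockets
# would negotiate themselves, since synproxy completes the handshake on
# their behalf before replaying it to the socket.

flush ruleset

table inet filter {
    # Dynamic sets keyed by source; entries disappear with their flows.
    set conn_limit_v4 {
        type ipv4_addr
        flags dynamic
        size 65536
    }
    set conn_limit_v6 {
        type ipv6_addr
        flags dynamic
        size 65536
    }

    chain prerouting {
        type filter hook prerouting priority raw; policy accept;

        # Pure SYNs (not SYN/ACK replies to our own outbound connections)
        # to the services are left tracked while the aggregate rate is
        # below the threshold, so the kernel socket handles them directly.
        # Only the excess above the limit is made untracked, which is what
        # hands it to synproxy in the input chain below.
        tcp flags & (syn | ack) == syn tcp dport { 22, 80, 443 } limit rate over 2000/second burst 2000 packets notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept

        # Untracked SYNs that tripped the limit, and the handshake-final
        # ACKs synproxy later sees as invalid, are handled by synproxy.
        # Only handshakes that complete become real connections, so a
        # spoofed SYN flood never creates conntrack or socket state.
        tcp dport { 22, 80, 443 } ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
        ct state invalid drop

        # Per-source limits on new connections, enforced here rather than
        # in nginx so they apply before TLS and HTTP headers are exchanged.
        # IPv6 is bucketed per /64, the usual per-customer assignment, so a
        # single client cannot dodge the limit by rotating addresses.
        tcp dport { 22, 80, 443 } ct state new add @conn_limit_v4 { ip saddr ct count over 64 } drop
        tcp dport { 22, 80, 443 } ct state new add @conn_limit_v6 { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 64 } drop

        tcp dport { 22, 80, 443 } ct state new accept

        # Keep ICMP/ICMPv6 needed for path MTU and neighbour discovery.
        icmp type echo-request accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request, packet-too-big } accept
    }
}
```

Loaded with `nft -f`, the ruleset can be checked by sending a SYN burst above the threshold (for example with a packet generator from a test host) and watching `nft list ruleset` counters and `conntrack -L`: below the threshold new flows appear in conntrack as usual; above it the excess SYNs produce no conntrack entries until the three-way handshake completes. The /64 bucketing is the aggressive side the commit message calls out: a legitimate client sharing a /64 with many others is rate limited together with them, which is tolerable because most such clients fall back to IPv4 via happy eyeballs, but it is the reason the nginx limits are kept for HTTP/2.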
.github add GitHub funding metadata 2021-07-19 23:02:29 -04:00
certbot certbot: add ns2 variant of staging authoritative DNS 2024-04-08 17:06:43 -04:00
guide add nftables dscp counter config to guide 2023-08-19 00:46:21 -04:00
logrotate.d replace certbot log rotation with logrotate 2024-02-13 12:38:14 -05:00
mkinitcpio.d disable mkinitcpio fallback image 2024-03-04 13:13:58 -05:00
modprobe.d blacklist virtio_console module 2023-07-17 02:21:12 -04:00
modules-load.d disable loose TCP connection tracking 2022-07-03 03:50:53 -04:00
packages switch to Java 21 LTS package since Java 22 is out 2024-03-30 02:12:00 -04:00
pacman.d add directory structure for mirrorlist 2023-07-11 11:38:53 -04:00
ssh move IP-based SSH connection limits to nftables 2024-03-28 11:38:03 -04:00
sysconfig enable chronyd seccomp filter 2023-05-07 00:02:51 -04:00
sysctl.d remove redundant vm.max_map_count configuration 2024-04-07 15:11:35 -04:00
systemd set preferred source for static IPv6 configuration 2024-03-26 21:50:12 -04:00
.gitignore add authorized_keys to gitignore 2024-02-03 17:48:56 -05:00
certbot-ocsp-fetcher update certbot-ocsp-fetcher 2024-01-25 01:23:49 -05:00
chrony.conf chrony: raise minsources to 3 2024-03-31 14:03:16 -04:00
connection-stats clean up stats scripts 2023-07-16 01:25:27 -04:00
count count: drop 3rd gen Pixels 2024-02-24 19:19:59 -05:00
crypttab enable discard support for swapfile dm-crypt 2023-07-18 16:41:35 -04:00
deploy-initial lsof replaced with lsfd 2024-03-06 16:53:42 -05:00
deploy.sh explicit set XFS allocation group count 2024-02-24 10:28:10 -05:00
dns-stats dns-stats: show total TCP and UDP queries 2024-03-28 11:38:06 -04:00
environment disable less history by default for login sessions 2022-10-26 04:35:23 -04:00
fetch-info filter irrelevant module output 2024-01-03 10:18:15 -05:00
fstab only discard swapfile at mount time 2023-07-18 16:41:39 -04:00
grub disable sending console output to unused ttyS0 2024-02-01 16:39:33 -05:00
hosts add subset of shared configuration files 2021-07-28 08:23:04 -04:00
hosts.sh split grapheneos.org hosts array 2024-03-18 21:10:47 -04:00
inputrc add basic inputrc 2024-03-14 15:48:53 -04:00
LICENSE update copyright notice 2024-01-25 01:57:18 -05:00
locale.conf switch to C.UTF-8 locale 2023-01-10 14:09:06 -05:00
logrotate.conf use standard log rotation approach for wtmp/btmp 2024-03-20 23:43:48 -04:00
nftables-attestation.conf enable nftables-based DDoS protection for all TCP services 2024-04-10 14:48:10 -04:00
nftables-discuss.conf enable nftables-based DDoS protection for all TCP services 2024-04-10 14:48:10 -04:00
nftables-mail.conf enable nftables-based DDoS protection for all TCP services 2024-04-10 14:48:10 -04:00
nftables-matrix.conf enable nftables-based DDoS protection for all TCP services 2024-04-10 14:48:10 -04:00
nftables-network.conf enable nftables-based DDoS protection for all TCP services 2024-04-10 14:48:10 -04:00
nftables-ns1.conf add rate limited synproxy bypass 2024-04-10 12:15:19 -04:00
nftables-ns2.conf add rate limited synproxy bypass 2024-04-10 12:15:19 -04:00
nftables-social.conf enable nftables-based DDoS protection for all TCP services 2024-04-10 14:48:10 -04:00
nftables-web.conf enable nftables-based DDoS protection for all TCP services 2024-04-10 14:48:10 -04:00
nginx-create-session-ticket-keys clean up session ticket rotation scripts 2024-03-20 22:55:40 -04:00
nginx-rotate-session-ticket-keys clean up session ticket rotation scripts 2024-03-20 22:55:40 -04:00
nginx-stats clean up stats scripts 2023-07-16 01:25:27 -04:00
ovh-mitigation rename OVH mitigation script 2023-07-03 18:35:43 -04:00
ovh-mitigation.py rename OVH mitigation script 2023-07-03 18:35:43 -04:00
pacman.conf disable unused multilib repository 2023-07-18 16:58:34 -04:00
pacreport.conf add updatedb drop-in unit to pacreport exclusions 2024-02-01 18:01:06 -05:00
README.md Fix readme 2021-12-16 12:43:34 -05:00
requirements.in add OVH mitigation control script 2023-02-22 16:22:47 -05:00
requirements.txt update python dependencies 2024-02-23 13:04:36 -05:00
resolv.conf add resolv.conf 2022-07-03 09:05:41 -04:00
setup specify python3 in setup script 2023-07-06 22:12:26 -04:00
unbound.conf unbound: block dns rebinding 2023-10-04 10:26:16 -04:00

Information about GrapheneOS servers is available in the GrapheneOS servers article on grapheneos.org.