nginx template ddos mitigation

This commit is contained in:
gozzy 2023-03-26 21:50:17 +00:00
parent 7d10fe2ab9
commit ed5d99cf44
2 changed files with 21 additions and 6 deletions

View File

@ -1,7 +1,5 @@
map $ssl_preread_server_name $name {
yourserver.com tornado_mainnet;
# default
yourdomain.com tornado_mainnet;
default tornado_mainnet;
}

View File

@ -44,6 +44,11 @@ proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
# Request rate limiting per second, 2Mb zone @ 5 requests per second
limit_req_zone $binary_remote_addr zone=one:2m rate=5r/s;
# Connections per IP limited to 2
limit_conn_zone $binary_remote_addr zone=two:2m;
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
@ -55,16 +60,28 @@ server {
server {
server_name yourdomain.com;
listen 80 ;
# Connection timeouts
client_body_timeout 10s;
client_header_timeout 10s;
listen 80;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
# Do not HTTPS redirect LetsEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
proxy_pass http://127.0.0.1:8000;
limit_req zone=one;
limit_conn two 1;
proxy_pass http://127.0.0.1:8000;
break;
}
location / {
limit_req zone=one;
limit_conn two 1;
return 301 https://$host$request_uri;
}
}