Commit eba5f628 authored by bunkerity

req limit

parent 44155b5d
......@@ -10,9 +10,9 @@ Non-exhaustive list of features :
- Integrated ModSecurity WAF with the OWASP Core Rule Set
- Automatic ban of strange behaviors with fail2ban
- Block TOR users, bad user-agents, countries, ...
- Perform automatic DNSBL checks
- Perform automatic DNSBL checks to block known bad IP
- Prevent bruteforce attacks with rate limiting
- Detect bad files with ClamAV
- Based on alpine
- Easy to configure with environment variables
# Table of contents
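Review bot: "block known bad IP" should read "known bad IPs", and "Prevent bruteforce attacks with rate limiting" slightly overstates what the feature does: the zone added in entrypoint.sh is keyed on `$binary_remote_addr`, so it throttles a single source but does nothing against attempts spread over many addresses, which still rely on fail2ban and the WAF rules listed above. "Mitigate bruteforce attacks with rate limiting" would be accurate.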
......@@ -308,10 +308,31 @@ Default value : *8.8.8.8 8.8.4.4*
The IP addresses of the DNS resolvers to use when `USE_DNSBL` is set to *yes*.
`DNSBL_CACHE`
Values : *\< \>*
Values : *\<size with units k or m\>*
Default value : *10m*
The size of the cache used to keep DNSBL responses.
`USE_REQ_LIMIT`
Values : *yes* | *no*
Default value : *yes*
If set to yes, the amount of HTTP requests made by a user will be limited during a period of time.
More info rate limiting [here](https://www.nginx.com/blog/rate-limiting-nginx/).
`REQ_LIMIT_RATE`
Values : *Xr/s* | *Xr/m*
Default value : *10r/s*
The rate limit to apply when `USE_REQ_LIMIT` is set to *yes*. Default is 10 requests per second.
`REQ_LIMIT_BURST`
Values : *<any valid integer\>*
Default value : *20*
The number of of requests to put in queue before rejecting requests.
`REQ_LIMIT_CACHE`
Values : *Xm* | *Xk*
Default value : *10m*
The size of the cache to store information about request limiting.
## PHP
`REMOTE_PHP`
Values : *\<any valid IP/hostname\>*
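Review bot: the variable names documented here do not match the names entrypoint.sh reads. The README says `USE_REQ_LIMIT`, `REQ_LIMIT_RATE`, `REQ_LIMIT_BURST` and `REQ_LIMIT_CACHE`, while the script defaults and tests `USE_LIMIT_REQ`, `LIMIT_REQ_RATE`, `LIMIT_REQ_BURST` and `LIMIT_REQ_CACHE`; a user following the README would set variables that are silently ignored and the limiter would stay at its defaults (or could not be turned off). Pick one scheme and use it in both files. Two small wording fixes in the same block: "The number of of requests" has a doubled "of", and "More info rate limiting [here]" wants "More info on rate limiting [here]". It would also help operators to state that requests beyond rate plus burst are rejected by nginx with HTTP 503, since that is the status they will see in the access log when the limit triggers.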
......
......@@ -69,6 +69,9 @@ http {
lua_package_path "/usr/local/lib/lua/?.lua;;";
%DNSBL_CACHE%
# shared memory zone for limit_req
%LIMIT_REQ_ZONE%
# server config
include /etc/nginx/server.conf;
......
......@@ -11,6 +11,7 @@ server {
{
return 405;
}
%LIMIT_REQ%
%DNSBL%
%AUTH_BASIC%
%USE_PHP%
......
......@@ -125,6 +125,10 @@ USE_DNSBL="${USE_DNSBL-yes}"
DNSBL_CACHE="${DNSBL_CACHE-10m}"
DNSBL_RESOLVERS="${DNSBL_RESOLVERS-8.8.8.8 8.8.4.4}"
DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
LIMIT_REQ_RATE="${LIMIT_REQ_RATE-10r/s}"
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-20}"
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
# install additional modules if needed
if [ "$ADDITIONAL_MODULES" != "" ] ; then
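Review bot: the defaults declared here are valid, but the user-supplied values are later substituted verbatim into nginx.conf with no sanity check, so a typo such as `LIMIT_REQ_RATE=10/s` or `LIMIT_REQ_BURST=20r` only surfaces when nginx refuses its configuration at container start. Consider validating the formats right after these assignments (for example rate against `^[0-9]+r/[sm]$`, burst against `^[0-9]+$`, cache against `^[0-9]+[km]$`) and failing with a clear message that names the offending variable.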
......@@ -395,6 +399,14 @@ else
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" ""
replace_in_file "/etc/nginx/server.conf" "%DNSBL%" ""
fi
if [ "$USE_LIMIT_REQ" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" "include /etc/nginx/limit-req.conf;"
replace_in_file "/etc/nginx/limit-req.conf" "%LIMIT_REQ_BURST%" "$LIMIT_REQ_BURST"
else
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" ""
fi
# fail2ban setup
if [ "$USE_FAIL2BAN" = "yes" ] ; then
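Review bot: the zone is keyed on `$binary_remote_addr`, which is the TCP peer address; when this container sits behind a reverse proxy or load balancer, every client shares that one address and the limit either throttles everyone or no one. If that deployment is supported, the key needs to come from the real client address (the realip module with `set_real_ip_from` restricted to the trusted proxies), otherwise document the limitation. Two further points: `/etc/nginx/limit-req.conf`, which this branch patches for `%LIMIT_REQ_BURST%` and includes from server.conf, is not part of this diff, so please confirm it is added in the same commit or the include will fail `nginx -t`; and since `$LIMIT_REQ_BURST` is unquoted inside the argument, an empty value would produce `burst=` and a broken directive, which the validation suggested for the defaults block would catch.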
......