github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta.git synced 2025-03-12 04:35:23 -07:00
Code Issues Packages Projects Releases Wiki Activity

nginx rate-limit improvements

Browse Source
This commit is contained in:
myvesta 2023-11-02 10:47:51 +01:00 committed by GitHub
parent 2f0807e8ee
commit bfdefc50e3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 110 additions and 5 deletions

3
src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2-speed-2-conn-4.stpl

@ -7,7 +7,8 @@ server {
error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / {
limit_conn addr 8;
limit_conn addr 9;
limit_conn zone_site 25;
limit_req zone=two burst=14 delay=7;
proxy_pass https://%ip%:%web_ssl_port%;
}

3
src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2-speed-2.stpl

@ -7,7 +7,8 @@ server {
error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / {
limit_conn addr 4;
limit_conn addr 7;
limit_conn zone_site 20;
limit_req zone=two burst=14 delay=7;
proxy_pass https://%ip%:%web_ssl_port%;
}

3
src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2.stpl

@ -7,7 +7,8 @@ server {
error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / {
limit_conn addr 3;
limit_conn addr 5;
limit_conn zone_site 15;
limit_req zone=one burst=14 delay=7;
proxy_pass https://%ip%:%web_ssl_port%;
}

87
src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.stpl Normal file

@ -0,0 +1,87 @@
server {
listen %ip%:%proxy_ssl_port% ssl http2;
server_name %domain_idn% %alias_idn%;
# ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / {
error_page 418 = @wordfence_lh;
error_page 419 = @wordfence_route;
error_page 420 = @wordfence_sync;
if ($request_uri ~ "^/\?wordfence_lh") { return 418; }
if ($request_uri ~ "^/\?rest_route=%2Fwordfence") { return 419; }
if ($request_uri ~ "^/\?wordfence_syncAttackData") { return 420; }
limit_conn addr 5;
limit_conn zone_site 15;
limit_req zone=one burst=14 delay=7;
proxy_pass https://%ip%:%web_ssl_port%;
}
location /wp-admin/ {
limit_conn addr 24;
limit_req zone=one burst=40 delay=7;
proxy_pass https://%ip%:%web_ssl_port%;
}
location /wp-json/ {
limit_conn addr 8;
limit_req zone=one burst=40 delay=7;
proxy_pass https://%ip%:%web_ssl_port%;
}
location @wordfence_lh {
limit_conn addr 8;
limit_req zone=wfone burst=120;
proxy_pass https://%ip%:%web_ssl_port%;
}
location @wordfence_route {
limit_conn addr 8;
limit_req zone=wfone burst=120;
proxy_pass https://%ip%:%web_ssl_port%;
}
location @wordfence_sync {
limit_conn addr 8;
limit_req zone=wfone burst=120;
proxy_pass https://%ip%:%web_ssl_port%;
}
location /wp-json/wordfence/ {
limit_conn addr 8;
limit_req zone=wfone burst=120;
proxy_pass https://%ip%:%web_ssl_port%;
}
location ~* ^.+\.(%proxy_extentions%)$ {
root %sdocroot%;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
# try_files $uri @fallback;
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location @fallback {
proxy_pass https://%ip%:%web_ssl_port%;
}
location ~ /\.ht {return 404;}
location ~ /\.env {return 404;}
location ~ /\.svn/ {return 404;}
location ~ /\.git/ {return 404;}
location ~ /\.hg/ {return 404;}
location ~ /\.bzr/ {return 404;}
disable_symlinks if_not_owner from=%docroot%;
include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;
}

8
src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.tpl Normal file

@ -0,0 +1,8 @@
server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
location / {
rewrite ^(.*) https://$host$1 permanent;
}
include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
}

3
src/deb/for-download/tools/rate-limit-tpl/force-https-firewall.stpl

@ -7,7 +7,8 @@ server {
error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / {
limit_conn addr 2;
limit_conn addr 3;
limit_conn zone_site 10;
limit_req zone=one burst=7 delay=3;
proxy_pass https://%ip%:%web_ssl_port%;
}

8
src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh

@ -12,7 +12,7 @@
grepc=$(grep -c 'limit_conn_zone' /etc/nginx/nginx.conf)
if [ "$grepc" -eq 0 ]; then
sed -i 's|server_names_hash_bucket_size 512;|server_names_hash_bucket_size 512;\n limit_conn_zone $binary_remote_addr zone=addr:1m;\n limit_conn_zone $server_name zone=zone_site:1m;\n limit_req_zone $binary_remote_addr zone=one:1m rate=1r/s;\n limit_req_zone $binary_remote_addr zone=two:1m rate=2r/s;\n limit_conn_log_level error;\n limit_req_log_level error;\n limit_conn_status 429;\n limit_req_status 429;|g' /etc/nginx/nginx.conf
sed -i 's|server_names_hash_bucket_size 512;|server_names_hash_bucket_size 512;\n limit_conn_zone $binary_remote_addr zone=addr:1m;\n limit_req_zone $scheme zone=wfone:1m rate=1r/s;\n limit_conn_zone $server_name zone=zone_site:1m;\n limit_req_zone $binary_remote_addr zone=one:1m rate=1r/s;\n limit_req_zone $binary_remote_addr zone=two:1m rate=2r/s;\n limit_conn_log_level error;\n limit_req_log_level error;\n limit_conn_status 429;\n limit_req_status 429;|g' /etc/nginx/nginx.conf
echo "=== Added rate_limit to nginx.conf"
fi
@ -28,6 +28,12 @@ if [ "$grepc" -eq 0 ]; then
echo "=== Added rate_limit 'zone_site' to nginx.conf"
fi
grepc=$(grep -c 'zone=wfone:1m' /etc/nginx/nginx.conf)
if [ "$grepc" -eq 0 ]; then
sed -i 's| zone=addr:1m;| zone=addr:1m;\n limit_req_zone $scheme zone=wfone:1m rate=1r/s;|g' /etc/nginx/nginx.conf
echo "=== Added rate_limit 'zone_site' to nginx.conf"
fi
grepc=$(grep -c 'zone=one:10m' /etc/nginx/nginx.conf)
if [ "$grepc" -eq 1 ]; then
sed -i 's|zone=one:10m|zone=one:1m|g' /etc/nginx/nginx.conf