nginx: prevent ddos main page

nginx.conf: Closing slow connections
nginx: move limits to global
2024-02-15 21:35:56 +03:00 · 2024-02-15 21:07:26 +03:00 · 2024-02-15 15:53:07 +03:00 · 2024-02-15 15:50:01 +03:00 · 2024-02-15 15:46:04 +03:00 · 2024-02-15 15:38:32 +03:00
5 changed files with 76 additions and 15 deletions
--- a/config/http/nginx.conf
+++ b/config/http/nginx.conf
@ -0,0 +1,55 @@
+ user                          nginx;
+ worker_processes              auto;
+
+ error_log                     /var/log/nginx/error.log notice;
+ pid                           /var/run/nginx.pid;
+
+
+events {
+    worker_connections         1024;
+    use                        epoll;
+}
+
+
+http {
+    include                    /etc/nginx/mime.types;
+    default_type               application/octet-stream;
+
+
+    limit_req_zone             $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;
+    limit_conn_zone            $binary_remote_addr zone=conn_limit_per_ip:20m;
+    limit_conn_status          429;
+    
+    limit_req_zone             $binary_remote_addr zone=req_limit_page:5m rate=1r/s;
+
+    log_format                 main '$remote_addr - $remote_user [$time_local] "$request" '
+    '$status                   $body_bytes_sent "$http_referer" '
+    '"$http_user_agent"        "$http_x_forwarded_for"';
+
+    access_log                 off;
+
+    sendfile                   on;
+    #tcp_nopush                on;
+
+    keepalive_timeout          60s;
+
+    #gzip                      on;
+
+    include                    /etc/nginx/conf.d/*.conf;
+
+    #                          Compression
+    gzip                       on;
+    gzip_min_length            1000;
+    gzip_proxied               any;
+    gzip_comp_level            1;
+    gzip_types                 text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
+    gzip_vary                  on;
+    gzip_disable               "msie6";
+
+
+    resolver                   127.0.0.11 ipv6=off;
+
+    client_body_timeout        20s;
+    client_header_timeout      20s;
+
+}
--- a/config/nginx.auth.conf
+++ b/config/nginx.auth.conf
@ -22,13 +22,9 @@ server {
    listen                       80;
    include                      /etc/nginx/mime.types;

-    gzip                         on;
-    gzip_min_length              1000;
-    gzip_proxied                 any;
-    gzip_comp_level              1;
-    gzip_types                   text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
-    gzip_vary                    on;
-    gzip_disable                 "msie6";
+
+    limit_req                    zone=req_limit_per_ip burst=30;
+    limit_conn                   conn_limit_per_ip 30;


    error_page                   401 /login;
@ -54,6 +50,20 @@ server {
        proxy_pass               http://auth_api/$AUTH_MODE/$1;
    }

+    location = / {
+        limit_req                zone=req_limit_page burst=1 nodelay;
+
+        proxy_pass               http://app;
+
+        proxy_http_version       1.1;
+        proxy_set_header         Upgrade $http_upgrade;
+        proxy_set_header         Connection 'upgrade';
+        proxy_set_header         Host $host;
+        proxy_cache_bypass       $http_upgrade;
+
+        include                  /etc/nginx/include/auth.conf;
+    }
+
    location / {
        proxy_pass               http://app;

--- a/config/nginx.off.conf
+++ b/config/nginx.off.conf
@ -9,14 +9,8 @@ server {
    listen                  80;
    include                 /etc/nginx/mime.types;

-    gzip                    on;
-    gzip_min_length         1000;
-    gzip_proxied            any;
-    gzip_comp_level         1;
-    gzip_types              text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
-    gzip_vary               on;
-    gzip_disable            "msie6";
-
+    limit_req               zone=req_limit_per_ip burst=30;
+    limit_conn              conn_limit_per_ip 30;

    location / {
        proxy_pass          http://app;
--- a/docker-compose.auth.yml
+++ b/docker-compose.auth.yml
@ -13,6 +13,7 @@ services:
    volumes:
      - ./config/nginx.auth.conf:/etc/nginx/templates/default.conf.template
      - ./config/include:/etc/nginx/include
+      - ./config/http/nginx.conf:/etc/nginx/nginx.conf
    restart: always
    networks:
      - auth_network
--- a/docker-compose.off.yml
+++ b/docker-compose.off.yml
@ -11,6 +11,7 @@ services:
    volumes:
      - ./config/nginx.off.conf:/etc/nginx/templates/default.conf.template
      - ./config/include:/etc/nginx/include
+      - ./config/http/nginx.conf:/etc/nginx/nginx.conf
    restart: always
    networks:
      - app_network
Author	SHA1	Message	Date
vchikalkin	570125a7ac	nginx: prevent ddos main page	2024-02-15 21:35:56 +03:00
vchikalkin	738492d96b	nginx.conf: Closing slow connections	2024-02-15 21:07:26 +03:00
vchikalkin	9b317bcf33	nginx: move limits to global	2024-02-15 15:53:07 +03:00
vchikalkin	bc20de9e12	nginx.off.conf: move limits to location /	2024-02-15 15:50:01 +03:00
vchikalkin	940f2915d2	nginx: remove limit_req delay	2024-02-15 15:46:04 +03:00
vchikalkin	1afc6bd316	nginx: optimal limits	2024-02-15 15:38:32 +03:00
vchikalkin	c22564087f	nginx: limit_req & limit_conn configs	2024-02-15 15:24:07 +03:00
vchikalkin	5bc56b4a73	nginx: change keepalive_timeout	2024-02-15 15:19:35 +03:00
vchikalkin	13df7edd52	nginx: limits config	2024-02-15 15:19:24 +03:00
vchikalkin	66b6664317	nginx: disable limit_conn	2024-02-15 15:08:38 +03:00
vchikalkin	f56fafd7e0	nginx: add limit_req delay nginx.conf: add resolver	2024-02-15 14:52:06 +03:00
vchikalkin	3e9e41bdeb	nginx: bump burst value to 10	2024-02-15 14:04:48 +03:00
vchikalkin	7cf341f4e1	nginx: enable request delay, bump up to 30 requests per address	2024-02-15 13:58:59 +03:00
vchikalkin	1884414154	nginx: up connections limit to 30	2024-02-15 13:53:55 +03:00
vchikalkin	18fda4674e	optimize nginx	2024-02-15 13:48:50 +03:00