diff --git a/README.md b/README.md
index db1e3ae..10bc665 100644
--- a/README.md
+++ b/README.md
@@ -1085,7 +1085,7 @@ The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 10 requ
Values : **
Default value : *40*
Context : *global*, *multisite*
-The number of of requests to put in queue before rejecting requests.
+The number of requests to put in queue before rejecting requests.
`LIMIT_REQ_CACHE`
Values : *Xm* | *Xk*
@@ -1093,6 +1093,27 @@ Default value : *10m*
Context : *global*
The size of the cache to store information about request limiting.
+### Connections limiting
+
+`USE_LIMIT_CONN`
+Values : *yes* | *no*
+Default value : *yes*
+Context : *global*, *multisite*
+If set to yes, the number of connections made by an ip will be limited during a period of time. (ie. Very small/weak ddos protection)
+More info connections limiting [here](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html).
+
+`LIMIT_CONN_MAX`
+Values : **
+Default value : *40*
+Context : *global*, *multisite*
+The maximum number of connections per ip to put in queue before rejecting requests.
+
+`LIMIT_CONN_CACHE`
+Values : *Xm* | *Xk*
+Default value : *10m*
+Context : *global*
+The size of the cache to store information about connection limiting.
+
### Countries
`BLACKLIST_COUNTRY`
diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf
index 4306573..a266cd7 100644
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@@ -88,6 +88,9 @@ http {
# shared memory zone for limit_req
%LIMIT_REQ_ZONE%
+ # shared memory zone for limit_conn
+ %LIMIT_CONN_ZONE%
+
# whitelist or blacklist country
%USE_COUNTRY%
diff --git a/confs/site/limit-conn.conf b/confs/site/limit-conn.conf
new file mode 100644
index 0000000..6482ad5
--- /dev/null
+++ b/confs/site/limit-conn.conf
@@ -0,0 +1 @@
+limit_conn ddos %LIMIT_CONN_MAX%;
diff --git a/confs/site/server.conf b/confs/site/server.conf
index daf36cc..2a23a4f 100644
--- a/confs/site/server.conf
+++ b/confs/site/server.conf
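Review bot: The zone name `ddos` in `limit_conn ddos %LIMIT_CONN_MAX%;` has to match the `zone=ddos:` literal that the global-config.sh hunk of this commit writes into nginx.conf, and nothing ties the two together, so renaming either side breaks startup of every site that includes this file. A one-line comment above the directive would make the coupling visible: `# zone name must match the limit_conn_zone written by entrypoint/global-config.sh`. The `%LIMIT_CONN_ZONE%` placeholder added in the nginx.conf hunk is the other half of the same pairing. Neither file sets `limit_conn_status` or `limit_conn_log_level`, so rejected requests get nginx's defaults; if rejections from this cap need to be distinguishable from limit_req rejections in logs or by the fail2ban integration, that is where to set them.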
@@ -15,6 +15,7 @@ server {
return 405; }
%LIMIT_REQ%
+ %LIMIT_CONN%
%AUTH_BASIC%
%REMOVE_HEADERS%
%X_FRAME_OPTIONS%
diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh
index 141a9a8..ad2aa37 100644
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@@ -95,6 +95,9 @@ USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
+USE_LIMIT_CONN="${USE_LIMIT_CONN-yes}"
+LIMIT_CONN_MAX="${LIMIT_CONN_MAX-40}"
+LIMIT_CONN_CACHE="${LIMIT_CONN_CACHE-10m}"
PROXY_REAL_IP="${PROXY_REAL_IP-no}"
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
index f103252..cbae6b1 100644
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@@ -245,6 +245,13 @@ else
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
fi
+# connection limiting
+if [ "$(has_value USE_LIMIT_CONN yes)" != "" ] ; then
+ replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" "limit_conn_zone \$binary_remote_addr zone=ddos:${LIMIT_CONN_CACHE};"
+else
+ replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" ""
+fi
+
# DNSBL
if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh
index 949157e..03d0324 100644
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
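Review bot: The new `limit_conn_zone \$binary_remote_addr zone=ddos:${LIMIT_CONN_CACHE};` line keys the cap on the TCP peer address, and `PROXY_REAL_IP` defaults to `no` in the defaults.sh hunk of this same commit, so a deployment behind a load balancer or reverse proxy will count every client against the proxy's single address and hit `LIMIT_CONN_MAX` concurrent connections for the whole site, a self-inflicted outage that is enabled by default. A comment above the `if` should state the precondition: `# keyed on the peer address: behind a proxy set PROXY_REAL_IP=yes so the key is the client, not the proxy`. `LIMIT_CONN_CACHE` is also spliced into the directive unvalidated, so a value outside the documented `Xm`/`Xk` form only surfaces as an nginx startup failure; a `case` pattern check on `$LIMIT_CONN_CACHE` before the first `replace_in_file`, failing through whatever error path the script already uses, would report the bad variable by name instead.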
@@ -547,6 +547,14 @@ else
replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" ""
fi
+# connection limiting
+if [ "$USE_LIMIT_CONN" = "yes" ] ; then
+ replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" "include ${NGINX_PREFIX}limit-conn.conf;"
+ replace_in_file "${NGINX_PREFIX}limit-conn.conf" "%LIMIT_CONN_MAX%" "$LIMIT_CONN_MAX"
+else
+ replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" ""
+fi
+
# fail2ban
if [ "$USE_FAIL2BAN" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"
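Review bot: `"$LIMIT_CONN_MAX"` is substituted into `limit_conn ddos %LIMIT_CONN_MAX%;` without any check that it is a number; because defaults.sh sets it with `${LIMIT_CONN_MAX-40}`, an explicitly empty value survives and yields `limit_conn ddos ;`, and any non-numeric value is only caught when nginx refuses to start with no hint of which variable caused it. A guard before the first `replace_in_file`, such as `case "$LIMIT_CONN_MAX" in ''|*[!0-9]*) echo "LIMIT_CONN_MAX must be a number" >&2; exit 1 ;; esac` (or the script's usual error path), fails early with a readable message. The `# connection limiting` comment would also benefit from saying what the knob actually does, since the README wording "put in queue" suggests a burst queue: per the nginx limit_conn module this is a cap on simultaneous connections per key, and requests beyond it are rejected outright.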