From cf231e13cbeedf8b2a20523454215dccb207f23d Mon Sep 17 00:00:00 2001
From: thelittlefireman
Date: Sat, 2 Jan 2021 13:35:18 +0100
Subject: [PATCH 1/7] Add limit-conn.conf

---
 confs/site/limit-conn.conf | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 confs/site/limit-conn.conf

diff --git a/confs/site/limit-conn.conf b/confs/site/limit-conn.conf
new file mode 100644
index 0000000..6482ad5
--- /dev/null
+++ b/confs/site/limit-conn.conf
@@ -0,0 +1 @@
+limit_conn ddos %LIMIT_CONN_MAX%;

From fa935eb6e375c663cd7198db936bb51070ff0c9b Mon Sep 17 00:00:00 2001
From: thelittlefireman
Date: Sat, 2 Jan 2021 14:04:34 +0100
Subject: [PATCH 2/7] edit nginx.conf to add limit_conn

---
 confs/global/nginx.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf
index 4306573..a266cd7 100644
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@@ -88,6 +88,9 @@ http {
 # shared memory zone for limit_req
 %LIMIT_REQ_ZONE%
 
+ # shared memory zone for limit_conn
+ %LIMIT_CONN_ZONE%
+
 # whitelist or blacklist country
 %USE_COUNTRY%
 

From 6ee746236ae25eadd35c26717866984ea528b50f Mon Sep 17 00:00:00 2001
From: thelittlefireman
Date: Sat, 2 Jan 2021 14:11:36 +0100
Subject: [PATCH 3/7] Add USE_LIMIT_CONN to site-config

---
 entrypoint/site-config.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh
index 949157e..03d0324 100644
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
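Review bot: `limit_conn ddos %LIMIT_CONN_MAX%;` makes the substituted value a hard ceiling, not a queue depth: per the limit_conn module nginx refuses the excess connection immediately (503 by default) rather than delaying it the way limit_req's burst does. Since this one-liner is what operators will open when tuning, a comment in the file would prevent that misreading, e.g. `# reject (HTTP 503) any connection from a client that already holds LIMIT_CONN_MAX open connections in the "ddos" zone`. It may also be worth adding `limit_conn_log_level warn;` next to it so rejections are distinguishable from genuine errors in the log, though that depends on how this image's logging is consumed.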
@@ -547,6 +547,14 @@ else
 replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" ""
 fi
 
+# connection limiting
+if [ "$USE_LIMIT_CONN" = "yes" ] ; then
+ replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" "include ${NGINX_PREFIX}limit-conn.conf;"
+ replace_in_file "${NGINX_PREFIX}limit-conn.conf" "%LIMIT_CONN_MAX%" "$LIMIT_CONN_MAX"
+else
+ replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" ""
+fi
+
 # fail2ban
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
 replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"

From 73dbf03c9a7405094cdc5261153121ca5230f6a4 Mon Sep 17 00:00:00 2001
From: thelittlefireman
Date: Sat, 2 Jan 2021 14:15:18 +0100
Subject: [PATCH 4/7] add USE_LIMIT_CONN zone to global config

---
 entrypoint/global-config.sh | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
index f103252..cbae6b1 100644
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@@ -245,6 +245,13 @@ else
 replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
 fi
 
+# connection limiting
+if [ "$(has_value USE_LIMIT_CONN yes)" != "" ] ; then
+ replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" "limit_conn_zone \$binary_remote_addr zone=ddos:${LIMIT_CONN_CACHE};"
+else
+ replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" ""
+fi
+
 # DNSBL
 if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
 replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"

From b093a47554464c1be0d982679b9858d850208cd0 Mon Sep 17 00:00:00 2001
From: thelittlefireman
Date: Sat, 2 Jan 2021 14:18:26 +0100
Subject: [PATCH 5/7] Add default values for LIMIT_CONN

---
 entrypoint/defaults.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh
index 141a9a8..ad2aa37 100644
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
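Review bot: `"$LIMIT_CONN_MAX"` is spliced into limit-conn.conf by the second replace_in_file call with no check that it is a positive integer, so an empty or mistyped per-site override in multisite mode renders `limit_conn ddos ;` and nginx refuses to start, and a value containing `;` or `}` becomes additional directives in the site config. A guard before the substitution keeps the rendered file well-formed, e.g. `case "$LIMIT_CONN_MAX" in ''|*[!0-9]*) LIMIT_CONN_MAX=40 ;; esac`, or abort the entrypoint if that is how the neighbouring LIMIT_REQ_* values are treated (their validation, if any, is outside this hunk). The value comes from the container operator's environment, so this is robustness against misconfiguration rather than an exploitable injection path.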
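Review bot: The generated `limit_conn_zone \$binary_remote_addr zone=ddos:${LIMIT_CONN_CACHE};` hard-codes the zone name `ddos`, which the per-site `limit_conn ddos ...` include relies on by name, and if the limit_req zone configured just above this hunk ever reuses that name nginx rejects the config because a shared-memory zone cannot be owned by two modules. A comment tying the two sides together would make the coupling explicit, e.g. `# zone name "ddos" must match the one referenced in confs/site/limit-conn.conf`. `${LIMIT_CONN_CACHE}` is also interpolated unchecked, so an empty value yields `zone=ddos:` and a failed config test; the same size-format check used for LIMIT_REQ_CACHE, if there is one, should cover it. Note too that the zone is only emitted when `has_value USE_LIMIT_CONN yes` finds a match, while the include is decided per site in site-config.sh — these agree today, but a site-level `limit_conn ddos` with no global zone is a hard startup error, so the two conditions must be kept in lock-step.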
@@ -95,6 +95,9 @@ USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
 LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
 LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
 LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
+USE_LIMIT_CONN="${USE_LIMIT_CONN-yes}"
+LIMIT_CONN_MAX="${LIMIT_CONN_MAX-40}"
+LIMIT_CONN_CACHE="${LIMIT_CONN_CACHE-10m}"
 PROXY_REAL_IP="${PROXY_REAL_IP-no}"
 PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
 PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"

From 65120a7e977cdbcd059c9a6abba070d8f9a1ff9b Mon Sep 17 00:00:00 2001
From: thelittlefireman
Date: Sat, 2 Jan 2021 14:25:34 +0100
Subject: [PATCH 6/7] Add USE_CONN_LIMIT info to Readme.md and fix small typo

---
 README.md | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index db1e3ae..10bc665 100644
--- a/README.md
+++ b/README.md
@@ -1085,7 +1085,7 @@ The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 10 requ
 Values : **
 Default value : *40*
 Context : *global*, *multisite*
-The number of of requests to put in queue before rejecting requests.
+The number of requests to put in queue before rejecting requests.
 
 `LIMIT_REQ_CACHE`
 Values : *Xm* | *Xk*
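Review bot: `USE_LIMIT_CONN` is switched on by default with `LIMIT_CONN_MAX=40`, while `PROXY_REAL_IP` two lines below stays at `no`; because the new zone keys on `$binary_remote_addr`, a deployment behind a load balancer or reverse proxy that does not enable PROXY_REAL_IP will count every end user under the proxy's address and start answering 503 once 40 connections are open site-wide. That is a self-inflicted availability problem rather than DDoS protection, and it deserves a note beside the default, e.g. `# per-client connection cap keyed on the remote address: behind a proxy set PROXY_REAL_IP=yes, otherwise all users share this budget`. The same caveat already applies to USE_LIMIT_REQ, so whichever policy is chosen (safer default or documented warning) should be applied to both. Also note that, per the module documentation, nginx counts each concurrent HTTP/2 stream as a separate connection for limit_conn, so 40 caps parallel requests rather than TCP sockets.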
@@ -1093,6 +1093,27 @@ Default value : *10m*
 Context : *global*
 The size of the cache to store information about request limiting.
 
+### Connections limiting
+
+`USE_LIMIT_CONN`
+Values : *yes* | *no*
+Default value : *yes*
+Context : *global*, *multisite*
+If set to yes, the number of connections made by an ip will be limited during a period of time. (ie. Very small/weak ddos protection)
+More info connections limiting [here](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html).
+
+`LIMIT_CONN_MAX`
+Values : **
+Default value : *40*
+Context : *global*, *multisite*
+The maximum number of connections per ip to put in queue before rejecting requests.
+
+`LIMIT_CONN_CACHE`
+Values : *Xm* | *Xk*
+Default value : *10m*
+Context : *global*
+The size of the cache to store information about connection limiting.
+
 ### Countries
 
 `BLACKLIST_COUNTRY`

From 1a8b8043c82775db3067c70a59951194d6a78b34 Mon Sep 17 00:00:00 2001
From: thelittlefireman
Date: Sat, 2 Jan 2021 14:26:52 +0100
Subject: [PATCH 7/7] Add LIMIT_CONN var to server.conf

---
 confs/site/server.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/confs/site/server.conf b/confs/site/server.conf
index daf36cc..2a23a4f 100644
--- a/confs/site/server.conf
+++ b/confs/site/server.conf
@@ -15,6 +15,7 @@ server {
 return 405;
 }
 %LIMIT_REQ%
+ %LIMIT_CONN%
 %AUTH_BASIC%
 %REMOVE_HEADERS%
 %X_FRAME_OPTIONS%