From e44a1f3e14b7280fbc61c43ea9db34b3fe39c269 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Fri, 9 Apr 2021 15:54:26 +0200
Subject: [PATCH] added the uri to limit_req_zone key to limit bruteforce attack on a specific resource instead of the whole service
---
 entrypoint/defaults.sh | 6 +++---
 entrypoint/global-config.sh | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh
index 7df0a80..f850f19 100644
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@@ -102,11 +102,11 @@ BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}"
 USE_DNSBL="${USE_DNSBL-yes}"
 DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
 USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
-LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
-LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
+LIMIT_REQ_RATE="${LIMIT_REQ_RATE-1r/s}"
+LIMIT_REQ_BURST="${LIMIT_REQ_BURST-2}"
 LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
 USE_LIMIT_CONN="${USE_LIMIT_CONN-yes}"
-LIMIT_CONN_MAX="${LIMIT_CONN_MAX-40}"
+LIMIT_CONN_MAX="${LIMIT_CONN_MAX-10}"
 LIMIT_CONN_CACHE="${LIMIT_CONN_CACHE-10m}"
 PROXY_REAL_IP="${PROXY_REAL_IP-no}"
 PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
index fae987e..741c600 100644
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@@ -171,7 +171,7 @@ fi
 # request limiting
 if [ "$(has_value USE_LIMIT_REQ yes)" != "" ] ; then
- replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
+ replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr\$uri zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
 else
 replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
 fi
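Review bot: The lowered `LIMIT_CONN_MAX` default (40 → 10) is unrelated to the subject line, which only mentions adding `$uri` to the limit_req key, and a cap of 10 concurrent connections per source address hits every client behind a shared NAT or corporate proxy, not just brute-forcers; if the reduction is intended it deserves its own sentence in the commit message and a why-comment on the line, e.g. `# max concurrent connections per client IP; clients behind a shared NAT share this budget`. The new `1r/s` / burst `2` defaults are presumably sized for the per-IP-per-URI key introduced in global-config.sh, so say so next to them: `# per client IP *and* per URI (limit_req_zone key is $binary_remote_addr$uri); polling one endpoint above 1r/s is throttled`. Note these are only defaults: a deployment that already exports `LIMIT_REQ_RATE=20r/s` keeps that value while the key semantics change underneath it, and 20 requests per second against a single login URI is no longer a brute-force limit in any meaningful sense, which is worth a line in the changelog or README.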
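Review bot: Keying the zone on `$binary_remote_addr$uri` removes the per-client cap on the service as a whole: one address now gets a fresh `LIMIT_REQ_RATE` budget for every distinct path, so path enumeration and floods spread across many URIs are no longer limited at all, and because the key length is now attacker-controlled, long random paths from one client can fill the `LIMIT_REQ_CACHE` zone until nginx starts LRU-evicting other clients' counters (nginx terminates the request with an error only when no state can be created even after eviction). Keep the old whole-service limit as a second zone next to the new one, e.g. `limit_req_zone \$binary_remote_addr\$uri zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE}; limit_req_zone \$binary_remote_addr zone=limit_global:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_GLOBAL_RATE};` with a new `LIMIT_REQ_GLOBAL_RATE` default of the previous `20r/s`; the matching `limit_req zone=limit_global` directive belongs wherever `limit_req zone=limit` is emitted, which is outside this hunk. Also worth a comment on the changed line that `$uri` is the normalised path but trailing slashes and case are kept, so `/login` and `/login/` are separate buckets and an upstream that treats them alike gives a brute-forcer two budgets for the price of one.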