diff --git a/README.md b/README.md index c4f945b..a5fdf1a 100644 --- a/README.md +++ b/README.md @@ -10,9 +10,9 @@ Non-exhaustive list of features : - Integrated ModSecurity WAF with the OWASP Core Rule Set - Automatic ban of strange behaviors with fail2ban - Block TOR users, bad user-agents, countries, ... -- Perform automatic DNSBL checks +- Perform automatic DNSBL checks to block known bad IP +- Prevent bruteforce attacks with rate limiting - Detect bad files with ClamAV -- Based on alpine - Easy to configure with environment variables # Table of contents @@ -308,10 +308,31 @@ Default value : *8.8.8.8 8.8.4.4* The IP addresses of the DNS resolvers to use when `USE_DNSBL` is set to *yes*. `DNSBL_CACHE` -Values : *\< \>* +Values : *\* Default value : *10m* The size of the cache used to keep DNSBL responses. +`USE_REQ_LIMIT` +Values : *yes* | *no* +Default value : *yes* +If set to yes, the amount of HTTP requests made by a user will be limited during a period of time. +More info rate limiting [here](https://www.nginx.com/blog/rate-limiting-nginx/). + +`REQ_LIMIT_RATE` +Values : *Xr/s* | *Xr/m* +Default value : *10r/s* +The rate limit to apply when `USE_REQ_LIMIT` is set to *yes*. Default is 10 requests per second. + +`REQ_LIMIT_BURST` +Values : ** +Default value : *20* +The number of of requests to put in queue before rejecting requests. + +`REQ_LIMIT_CACHE` +Values : *Xm* | *Xk* +Default value : *10m* +The size of the cache to store information about request limiting. + ## PHP `REMOTE_PHP` Values : *\* diff --git a/confs/nginx.conf b/confs/nginx.conf index fc3bc8d..33d033d 100644 --- a/confs/nginx.conf +++ b/confs/nginx.conf @@ -69,6 +69,9 @@ http { lua_package_path "/usr/local/lib/lua/?.lua;;"; %DNSBL_CACHE% + # shared memory zone for limit_req + %LIMIT_REQ_ZONE% + # server config include /etc/nginx/server.conf; diff --git a/confs/server.conf b/confs/server.conf index b401d29..176647a 100644 --- a/confs/server.conf +++ b/confs/server.conf 
@@ -11,6 +11,7 @@ server { { return 405; } + %LIMIT_REQ% %DNSBL% %AUTH_BASIC% %USE_PHP% diff --git a/entrypoint.sh b/entrypoint.sh index 4f1dbbd..769595b 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -125,6 +125,10 @@ USE_DNSBL="${USE_DNSBL-yes}" DNSBL_CACHE="${DNSBL_CACHE-10m}" DNSBL_RESOLVERS="${DNSBL_RESOLVERS-8.8.8.8 8.8.4.4}" DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}" +USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}" +LIMIT_REQ_RATE="${LIMIT_REQ_RATE-10r/s}" +LIMIT_REQ_BURST="${LIMIT_REQ_BURST-20}" +LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}" # install additional modules if needed if [ "$ADDITIONAL_MODULES" != "" ] ; then @@ -395,6 +399,14 @@ else replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "" replace_in_file "/etc/nginx/server.conf" "%DNSBL%" "" fi +if [ "$USE_LIMIT_REQ" = "yes" ] ; then + replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};" + replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" "include /etc/nginx/limit-req.conf;" + replace_in_file "/etc/nginx/limit-req.conf" "%LIMIT_REQ_BURST%" "$LIMIT_REQ_BURST" +else + replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "" + replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" "" +fi # fail2ban setup if [ "$USE_FAIL2BAN" = "yes" ] ; then
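Review bot: The new variable names `USE_LIMIT_REQ`, `LIMIT_REQ_RATE`, `LIMIT_REQ_BURST` and `LIMIT_REQ_CACHE` do not match what the README hunk in this same commit documents (`USE_REQ_LIMIT`, `REQ_LIMIT_RATE`, `REQ_LIMIT_BURST`, `REQ_LIMIT_CACHE`), so an operator following the docs sets variables the script never reads and, in particular, cannot disable the limiter with the documented `USE_REQ_LIMIT=no`; one side must be renamed. These values are later substituted verbatim into nginx.conf, so a minimal shape check right after the defaults would turn a typo into a clear startup error instead of an opaque nginx config parse failure, e.g. `case "$LIMIT_REQ_RATE" in [0-9]*r/[sm]) ;; *) echo "invalid LIMIT_REQ_RATE: $LIMIT_REQ_RATE" >&2; exit 1 ;; esac`, with analogous `[0-9]*[km]` and `[0-9]*` checks for `LIMIT_REQ_CACHE` and `LIMIT_REQ_BURST`. The run of default assignments this hunk extends begins before the hunk.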
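Review bot: The yes-branch adds `include /etc/nginx/limit-req.conf;` to server.conf and rewrites `%LIMIT_REQ_BURST%` inside that file, but `limit-req.conf` is neither added nor modified anywhere in this diff, so unless it already ships in the image the include will make nginx refuse to start. The generated `limit_req_zone` is keyed on `$binary_remote_addr`, which behind a reverse proxy is the proxy's address unless real-IP handling is configured, so every end user would then share a single bucket and one noisy client could exhaust it for all of them; that deserves a comment on the line, e.g. `# zone key is the client address as nginx sees it; behind a proxy, configure real-IP handling or all users share one bucket`. Whether the `/` in `10r/s` and in the include path survives `replace_in_file` depends on that helper's implementation, which is not in this diff; if it builds a sed expression with `/` delimiters the substitution would break, so it is worth confirming against the helper's definition.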