include basic ddos protection (#148)
* include basic ddos protection * more verbose zone names * set limit http status code to 429
This commit is contained in:
Karol Wypchło
GitHub
parent
5d8286759a
commit
250bbdf9d8
|
|
@ -1,3 +1,9 @@
|
|||
limit_req_zone $binary_remote_addr zone=stats_by_ip:10m rate=10r/m;
|
||||
limit_conn_zone $binary_remote_addr zone=uploads_by_ip:10m;
|
||||
limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;
|
||||
limit_req_status 429;
|
||||
limit_conn_status 429;
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
|
@ -10,6 +16,10 @@ server {
|
|||
listen [::]:443 ssl http2;
|
||||
server_name siasky.net www.siasky.net; # replace with actual server names
|
||||
|
||||
# ddos protection: closing slow connections
|
||||
client_body_timeout 5s;
|
||||
client_header_timeout 5s;
|
||||
|
||||
# Enable the following line if you want to have auto uuid support. This
|
||||
# means users are able to upload Skyfiles without having to provide a uuid
|
||||
# themselves.
|
||||
|
|
@ -22,28 +32,33 @@ server {
|
|||
}
|
||||
|
||||
location /stats {
|
||||
limit_req zone=stats_by_ip; # ddos protection: max 10 requests per minute
|
||||
|
||||
proxy_set_header Access-Control-Allow-Origin: *;
|
||||
proxy_set_header User-Agent: Sia-Agent;
|
||||
|
||||
# replace BASE64_AUTHENTICATION with base64 encoded <user>:<password>
|
||||
# replace BASE64_AUTHENTICATION with base64 encoded <user>:<password>
|
||||
# for sia user is empty so it's just :<password>
|
||||
# to generate the passcode use https://www.base64encode.org or any other base64 encoder
|
||||
proxy_set_header Authorization "Basic BASE64_AUTHENTICATION";
|
||||
proxy_pass http://127.0.0.1:9970/skynet/stats;
|
||||
}
|
||||
}
|
||||
|
||||
location /statsdown {
|
||||
limit_req zone=stats_by_ip; # ddos protection: max 10 requests per minute
|
||||
|
||||
proxy_set_header Access-Control-Allow-Origin: *;
|
||||
proxy_set_header User-Agent: Sia-Agent;
|
||||
|
||||
# replace BASE64_AUTHENTICATION with base64 encoded <user>:<password>
|
||||
# replace BASE64_AUTHENTICATION with base64 encoded <user>:<password>
|
||||
# for sia user is empty so it's just :<password>
|
||||
# to generate the passcode use https://www.base64encode.org or any other base64 encoder
|
||||
proxy_set_header Authorization "Basic BASE64_AUTHENTICATION";
|
||||
proxy_pass http://127.0.0.1:9980/skynet/stats;
|
||||
}
|
||||
}
|
||||
|
||||
location /skynet/skyfile/ {
|
||||
limit_conn uploads_by_ip 10; # ddos protection: max 10 uploads at a time
|
||||
client_max_body_size 1000M; # make sure to limit the size of upload to a sane value
|
||||
proxy_read_timeout 600;
|
||||
|
||||
|
|
@ -70,6 +85,8 @@ server {
|
|||
}
|
||||
|
||||
location ~ "^/([a-zA-Z0-9-_]{46}(/.*)?)$" {
|
||||
limit_conn downloads_by_ip 10; # ddos protection: max 10 downloads at a time
|
||||
|
||||
proxy_read_timeout 600;
|
||||
# proxy this call to siad /skynet/skylink/ endpoint (make sure the ip is
|
||||
# correct)
|
||||
|
|
@ -87,6 +104,8 @@ server {
|
|||
}
|
||||
|
||||
location ~ "^/file/([a-zA-Z0-9-_]{46}(/.*)?)$" {
|
||||
limit_conn downloads_by_ip 10; # ddos protection: max 10 downloads at a time
|
||||
|
||||
proxy_read_timeout 600;
|
||||
# proxy this call to siad /skunet/skylink/ endpoint (make sure the ip is
|
||||
# correct) this alias also adds attachment=true url param to force
|
||||
|
|
|
|||
Reference in New Issue