diff --git a/setup-scripts/skynet-nginx.conf b/setup-scripts/skynet-nginx.conf
index f4d7c970..7d085f48 100644
--- a/setup-scripts/skynet-nginx.conf
+++ b/setup-scripts/skynet-nginx.conf
@@ -1,3 +1,9 @@
+limit_req_zone $binary_remote_addr zone=stats_by_ip:10m rate=10r/m;
+limit_conn_zone $binary_remote_addr zone=uploads_by_ip:10m;
+limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;
+limit_req_status 429;
+limit_conn_status 429;
+
 server {
 listen 80 default_server;
 listen [::]:80 default_server;
@@ -10,6 +16,10 @@ server {
 listen [::]:443 ssl http2;
 server_name siasky.net www.siasky.net; # replace with actual server names
+ # ddos protection: closing slow connections
+ client_body_timeout 5s;
+ client_header_timeout 5s;
+
 # Enable the following line if you want to have auto uuid support. This
 # means users are able to upload Skyfiles without having to provide a uuid
 # themselves.
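Review bot: Keying all three zones on `$binary_remote_addr` only isolates clients if nginx terminates the client TCP connection itself; if this host sits behind a CDN or load balancer (not visible here), every client collapses into one key and the 10r/m and 10-connection caps then throttle all users collectively. If that is the deployment, put `set_real_ip_from <proxy-cidr>;` and `real_ip_header X-Forwarded-For;` (or the CDN's own header) ahead of these zones so the limits key on the real client address, and do not trust that header from arbitrary peers. A comment that `:10m` holds roughly 160k IPv4 states and that a request which cannot obtain a state slot is rejected outright would help operators size the zones to expected concurrency.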
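Review bot: The 5s header/body timeouts are added only inside the 443 server block, so the port-80 `default_server` above (whose body is outside this hunk) keeps nginx's 60s defaults and remains the easier slow-connection target; moving `client_body_timeout 5s;` and `client_header_timeout 5s;` to the `http` context next to the new zones covers both listeners. `client_body_timeout` bounds the gap between two successive reads, not the whole transfer, so it does not cap the duration of a 1000M upload — a comment such as `# per-read stall timeout, not a total transfer limit` would avoid a false sense of protection. Pairing these with `send_timeout 10s;` and `reset_timedout_connection on;` would also cut slow readers of large downloads and free their sockets immediately.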
@@ -22,28 +32,33 @@ server {
 }
 location /stats {
+ limit_req zone=stats_by_ip; # ddos protection: max 10 requests per minute
+
 proxy_set_header Access-Control-Allow-Origin: *;
 proxy_set_header User-Agent: Sia-Agent;
- # replace BASE64_AUTHENTICATION with base64 encoded :
+ # replace BASE64_AUTHENTICATION with base64 encoded :
 # for sia user is empty so it's just :
 # to generate the passcode use https://www.base64encode.org or any other base64 encoder
 proxy_set_header Authorization "Basic BASE64_AUTHENTICATION";
 proxy_pass http://127.0.0.1:9970/skynet/stats;
- }
+ }
 location /statsdown {
+ limit_req zone=stats_by_ip; # ddos protection: max 10 requests per minute
+
 proxy_set_header Access-Control-Allow-Origin: *;
 proxy_set_header User-Agent: Sia-Agent;
- # replace BASE64_AUTHENTICATION with base64 encoded :
+ # replace BASE64_AUTHENTICATION with base64 encoded :
 # for sia user is empty so it's just :
 # to generate the passcode use https://www.base64encode.org or any other base64 encoder
 proxy_set_header Authorization "Basic BASE64_AUTHENTICATION";
 proxy_pass http://127.0.0.1:9980/skynet/stats;
- }
+ }
 location /skynet/skyfile/ {
+ limit_conn uploads_by_ip 10; # ddos protection: max 10 uploads at a time
 client_max_body_size 1000M; # make sure to limit the size of upload to a sane value
 proxy_read_timeout 600;
@@ -70,6 +85,8 @@ server {
 }
 location ~ "^/([a-zA-Z0-9-_]{46}(/.*)?)$" {
+ limit_conn downloads_by_ip 10; # ddos protection: max 10 downloads at a time
+
 proxy_read_timeout 600;
 # proxy this call to siad /skynet/skylink/ endpoint (make sure the ip is
 # correct)
@@ -87,6 +104,8 @@ server {
 }
 location ~ "^/file/([a-zA-Z0-9-_]{46}(/.*)?)$" {
+ limit_conn downloads_by_ip 10; # ddos protection: max 10 downloads at a time
+
 proxy_read_timeout 600;
 # proxy this call to siad /skunet/skylink/ endpoint (make sure the ip is
 # correct) this alias also adds attachment=true url param to force
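Review bot: `limit_req zone=stats_by_ip;` without `burst` turns 10r/m into a hard spacing of one request every 6 seconds, and because `/stats` and `/statsdown` share the same zone a client that calls both within that window gets a 429 on the second — the inline comment `max 10 requests per minute` does not describe that behaviour. If the intent really is ten per minute per client across both endpoints, use `limit_req zone=stats_by_ip burst=10 nodelay;` in both locations and reword the comment to say the budget is shared between them. The new `limit_conn uploads_by_ip 10;` is only enforced once the request headers have been fully read, so it does not mitigate header-stage slow connections on the upload path; the header timeout added earlier is what covers that, which is worth stating in the comment.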
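Review bot: `limit_conn downloads_by_ip 10;` on the skylink location counts each HTTP/2 stream as a separate connection (the 443 listener enables `http2` earlier in this file), and this location serves whole directory trees via `(/.*)?`, so a browser loading a skylink page with more than ten sub-resources in parallel will receive 429s on the extras and render a broken page. Either raise the cap well above a browser's concurrent-stream count or document the trade-off with a comment like `# 10 concurrent streams per IP; HTTP/2 multiplexing counts each stream separately` so operators understand why asset loads fail under it. The same literal `10` is repeated for the `/file/` alias in the following hunk; keep the two values in step if either changes.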