include basic ddos protection (#148)
* include basic ddos protection * more verbose zone names * set limit http status code to 429
parent
5d8286759a
commit
250bbdf9d8
|
@ -1,3 +1,9 @@
|
||||||
|
limit_req_zone $binary_remote_addr zone=stats_by_ip:10m rate=10r/m;
|
||||||
|
limit_conn_zone $binary_remote_addr zone=uploads_by_ip:10m;
|
||||||
|
limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;
|
||||||
|
limit_req_status 429;
|
||||||
|
limit_conn_status 429;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
|
@ -10,6 +16,10 @@ server {
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
server_name siasky.net www.siasky.net; # replace with actual server names
|
server_name siasky.net www.siasky.net; # replace with actual server names
|
||||||
|
|
||||||
|
# ddos protection: closing slow connections
|
||||||
|
client_body_timeout 5s;
|
||||||
|
client_header_timeout 5s;
|
||||||
|
|
||||||
# Enable the following line if you want to have auto uuid support. This
|
# Enable the following line if you want to have auto uuid support. This
|
||||||
# means users are able to upload Skyfiles without having to provide a uuid
|
# means users are able to upload Skyfiles without having to provide a uuid
|
||||||
# themselves.
|
# themselves.
|
||||||
|
@ -22,28 +32,33 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
location /stats {
|
location /stats {
|
||||||
|
limit_req zone=stats_by_ip; # ddos protection: max 10 requests per minute
|
||||||
|
|
||||||
proxy_set_header Access-Control-Allow-Origin: *;
|
proxy_set_header Access-Control-Allow-Origin: *;
|
||||||
proxy_set_header User-Agent: Sia-Agent;
|
proxy_set_header User-Agent: Sia-Agent;
|
||||||
|
|
||||||
# replace BASE64_AUTHENTICATION with base64 encoded <user>:<password>
|
# replace BASE64_AUTHENTICATION with base64 encoded <user>:<password>
|
||||||
# for sia user is empty so it's just :<password>
|
# for sia user is empty so it's just :<password>
|
||||||
# to generate the passcode use https://www.base64encode.org or any other base64 encoder
|
# to generate the passcode use https://www.base64encode.org or any other base64 encoder
|
||||||
proxy_set_header Authorization "Basic BASE64_AUTHENTICATION";
|
proxy_set_header Authorization "Basic BASE64_AUTHENTICATION";
|
||||||
proxy_pass http://127.0.0.1:9970/skynet/stats;
|
proxy_pass http://127.0.0.1:9970/skynet/stats;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /statsdown {
|
location /statsdown {
|
||||||
|
limit_req zone=stats_by_ip; # ddos protection: max 10 requests per minute
|
||||||
|
|
||||||
proxy_set_header Access-Control-Allow-Origin: *;
|
proxy_set_header Access-Control-Allow-Origin: *;
|
||||||
proxy_set_header User-Agent: Sia-Agent;
|
proxy_set_header User-Agent: Sia-Agent;
|
||||||
|
|
||||||
# replace BASE64_AUTHENTICATION with base64 encoded <user>:<password>
|
# replace BASE64_AUTHENTICATION with base64 encoded <user>:<password>
|
||||||
# for sia user is empty so it's just :<password>
|
# for sia user is empty so it's just :<password>
|
||||||
# to generate the passcode use https://www.base64encode.org or any other base64 encoder
|
# to generate the passcode use https://www.base64encode.org or any other base64 encoder
|
||||||
proxy_set_header Authorization "Basic BASE64_AUTHENTICATION";
|
proxy_set_header Authorization "Basic BASE64_AUTHENTICATION";
|
||||||
proxy_pass http://127.0.0.1:9980/skynet/stats;
|
proxy_pass http://127.0.0.1:9980/skynet/stats;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /skynet/skyfile/ {
|
location /skynet/skyfile/ {
|
||||||
|
limit_conn uploads_by_ip 10; # ddos protection: max 10 uploads at a time
|
||||||
client_max_body_size 1000M; # make sure to limit the size of upload to a sane value
|
client_max_body_size 1000M; # make sure to limit the size of upload to a sane value
|
||||||
proxy_read_timeout 600;
|
proxy_read_timeout 600;
|
||||||
|
|
||||||
|
@ -70,6 +85,8 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ "^/([a-zA-Z0-9-_]{46}(/.*)?)$" {
|
location ~ "^/([a-zA-Z0-9-_]{46}(/.*)?)$" {
|
||||||
|
limit_conn downloads_by_ip 10; # ddos protection: max 10 downloads at a time
|
||||||
|
|
||||||
proxy_read_timeout 600;
|
proxy_read_timeout 600;
|
||||||
# proxy this call to siad /skynet/skylink/ endpoint (make sure the ip is
|
# proxy this call to siad /skynet/skylink/ endpoint (make sure the ip is
|
||||||
# correct)
|
# correct)
|
||||||
|
@ -87,6 +104,8 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ "^/file/([a-zA-Z0-9-_]{46}(/.*)?)$" {
|
location ~ "^/file/([a-zA-Z0-9-_]{46}(/.*)?)$" {
|
||||||
|
limit_conn downloads_by_ip 10; # ddos protection: max 10 downloads at a time
|
||||||
|
|
||||||
proxy_read_timeout 600;
|
proxy_read_timeout 600;
|
||||||
# proxy this call to siad /skunet/skylink/ endpoint (make sure the ip is
|
# proxy this call to siad /skunet/skylink/ endpoint (make sure the ip is
|
||||||
# correct) this alias also adds attachment=true url param to force
|
# correct) this alias also adds attachment=true url param to force
|
||||||
|
|
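Review bot: `limit_req zone=stats_by_ip;` in `location /stats` has no `burst`, so nginx enforces `rate=10r/m` as one request every six seconds and answers 429 to any request that arrives sooner, which is not what the inline comment "max 10 requests per minute" says. The same line in `location /statsdown` uses the same zone and key, so a client that polls both endpoints back to back will have the second request rejected. Consider `limit_req zone=stats_by_ip burst=10 nodelay;` in both locations, which keeps the 10r/m average while tolerating short bursts. The three zones key on `$binary_remote_addr`; if this server sits behind a CDN or load balancer (not visible in these hunks), all clients would share one bucket unless the real client address is restored first. The `server` block continues outside the hunks shown.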