include basic ddos protection (#148)

* include basic ddos protection

* more verbose zone names

* set limit http status code to 429
This commit is contained in:
Karol Wypchło 2020-04-07 13:01:38 +02:00 committed by GitHub
parent 5d8286759a
commit 250bbdf9d8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 23 additions and 4 deletions

View File

@ -1,3 +1,9 @@
limit_req_zone $binary_remote_addr zone=stats_by_ip:10m rate=10r/m;
limit_conn_zone $binary_remote_addr zone=uploads_by_ip:10m;
limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;
limit_req_status 429;
limit_conn_status 429;
server { server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
@ -10,6 +16,10 @@ server {
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name siasky.net www.siasky.net; # replace with actual server names server_name siasky.net www.siasky.net; # replace with actual server names
# ddos protection: closing slow connections
client_body_timeout 5s;
client_header_timeout 5s;
# Enable the following line if you want to have auto uuid support. This # Enable the following line if you want to have auto uuid support. This
# means users are able to upload Skyfiles without having to provide a uuid # means users are able to upload Skyfiles without having to provide a uuid
# themselves. # themselves.
@ -22,28 +32,33 @@ server {
} }
location /stats { location /stats {
limit_req zone=stats_by_ip; # ddos protection: max 10 requests per minute
proxy_set_header Access-Control-Allow-Origin: *; proxy_set_header Access-Control-Allow-Origin: *;
proxy_set_header User-Agent: Sia-Agent; proxy_set_header User-Agent: Sia-Agent;
# replace BASE64_AUTHENTICATION with base64 encoded <user>:<password> # replace BASE64_AUTHENTICATION with base64 encoded <user>:<password>
# for sia user is empty so it's just :<password> # for sia user is empty so it's just :<password>
# to generate the passcode use https://www.base64encode.org or any other base64 encoder # to generate the passcode use https://www.base64encode.org or any other base64 encoder
proxy_set_header Authorization "Basic BASE64_AUTHENTICATION"; proxy_set_header Authorization "Basic BASE64_AUTHENTICATION";
proxy_pass http://127.0.0.1:9970/skynet/stats; proxy_pass http://127.0.0.1:9970/skynet/stats;
} }
location /statsdown { location /statsdown {
limit_req zone=stats_by_ip; # ddos protection: max 10 requests per minute
proxy_set_header Access-Control-Allow-Origin: *; proxy_set_header Access-Control-Allow-Origin: *;
proxy_set_header User-Agent: Sia-Agent; proxy_set_header User-Agent: Sia-Agent;
# replace BASE64_AUTHENTICATION with base64 encoded <user>:<password> # replace BASE64_AUTHENTICATION with base64 encoded <user>:<password>
# for sia user is empty so it's just :<password> # for sia user is empty so it's just :<password>
# to generate the passcode use https://www.base64encode.org or any other base64 encoder # to generate the passcode use https://www.base64encode.org or any other base64 encoder
proxy_set_header Authorization "Basic BASE64_AUTHENTICATION"; proxy_set_header Authorization "Basic BASE64_AUTHENTICATION";
proxy_pass http://127.0.0.1:9980/skynet/stats; proxy_pass http://127.0.0.1:9980/skynet/stats;
} }
location /skynet/skyfile/ { location /skynet/skyfile/ {
limit_conn uploads_by_ip 10; # ddos protection: max 10 uploads at a time
client_max_body_size 1000M; # make sure to limit the size of upload to a sane value client_max_body_size 1000M; # make sure to limit the size of upload to a sane value
proxy_read_timeout 600; proxy_read_timeout 600;
@ -70,6 +85,8 @@ server {
} }
location ~ "^/([a-zA-Z0-9-_]{46}(/.*)?)$" { location ~ "^/([a-zA-Z0-9-_]{46}(/.*)?)$" {
limit_conn downloads_by_ip 10; # ddos protection: max 10 downloads at a time
proxy_read_timeout 600; proxy_read_timeout 600;
# proxy this call to siad /skynet/skylink/ endpoint (make sure the ip is # proxy this call to siad /skynet/skylink/ endpoint (make sure the ip is
# correct) # correct)
@ -87,6 +104,8 @@ server {
} }
location ~ "^/file/([a-zA-Z0-9-_]{46}(/.*)?)$" { location ~ "^/file/([a-zA-Z0-9-_]{46}(/.*)?)$" {
limit_conn downloads_by_ip 10; # ddos protection: max 10 downloads at a time
proxy_read_timeout 600; proxy_read_timeout 600;
# proxy this call to siad /skunet/skylink/ endpoint (make sure the ip is # proxy this call to siad /skunet/skylink/ endpoint (make sure the ip is
# correct) this alias also adds attachment=true url param to force # correct) this alias also adds attachment=true url param to force