diff --git a/docker/nginx/conf.d/client.conf b/docker/nginx/conf.d/client.conf
index 2ef92c3b..1c76e673 100644
--- a/docker/nginx/conf.d/client.conf
+++ b/docker/nginx/conf.d/client.conf
@@ -1,6 +1,21 @@
 proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=skynet:10m max_size=10g use_temp_path=off;
-limit_req_zone $binary_remote_addr zone=stats_by_ip:10m rate=10r/m;
-limit_conn_zone $binary_remote_addr zone=uploads_by_ip:10m;
+
+# ratelimit specified IPs
+geo $limit {
+ default 0;
+ include /etc/nginx/conf.d/include/ratelimited/*;
+}
+map $limit $limit_key {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+limit_req_zone $binary_remote_addr zone=uploads_by_ip:10m rate=10r/s;
+limit_req_zone $limit_key zone=uploads_by_ip_throttled:10m rate=10r/m;
+
+limit_conn_zone $binary_remote_addr zone=upload_conn:10m;
+limit_conn_zone $limit_key zone=upload_conn_rl:10m;
+
 limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;
 limit_req_status 429;
 limit_conn_status 429;
@@ -229,7 +244,12 @@ server {
 include /etc/nginx/conf.d/include/cors;
 include /etc/nginx/conf.d/include/sia-auth;
 
- limit_conn uploads_by_ip 10; # ddos protection: max 10 uploads at a time
+ limit_req zone=uploads_by_ip burst=100 nodelay;
+ limit_req zone=uploads_by_ip_throttled;
+
+ limit_conn upload_conn 10;
+ limit_conn upload_conn_rl 1;
+
 client_max_body_size 1000M; # make sure to limit the size of upload to a sane value
 proxy_read_timeout 600;
 proxy_request_buffering off; # stream uploaded files through the proxy as it comes in
diff --git a/docker/nginx/conf.d/include/ratelimited/example b/docker/nginx/conf.d/include/ratelimited/example
new file mode 100644
index 00000000..31fc4c5a
--- /dev/null
+++ b/docker/nginx/conf.d/include/ratelimited/example
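Review bot: The `map $limit $limit_key` block maps only the value `1` to `$binary_remote_addr`, so an entry under `include/ratelimited/*` that sets any other non-zero value (a typo such as `2`) produces an empty key, and nginx does not account requests whose limit key is empty — that address is silently exempt from both throttled zones. Making the map fail closed is a one-line change: replace `1 $binary_remote_addr;` with `default $binary_remote_addr;` so that anything other than `0` is throttled. The hunk also removes the `stats_by_ip` zone definition; if a `limit_req zone=stats_by_ip` directive survives elsewhere in this file (not visible here) nginx will reject the configuration, so `nginx -t` should be run before this is deployed. `geo` matches on the connection's source address, so if this nginx sits behind a load balancer or CDN the listed addresses would never match unless the `geo` block's `proxy` directive names the upstream proxies — I cannot tell from the hunk whether that applies.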
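Review bot: The four new `limit_req`/`limit_conn` directives replace the one commented directive with uncommented ones, and the two-tier intent (all clients versus the listed IPs) is stated nowhere in this server block, so a later edit could drop the `_throttled`/`_rl` pair without noticing what it removes. I would put `# all clients: 10 req/s, burst of 100 without delay, max 10 concurrent uploads` above `limit_req zone=uploads_by_ip burst=100 nodelay;` and `# IPs listed in include/ratelimited/*: 10 req/min, no burst, 1 concurrent upload` above `limit_req zone=uploads_by_ip_throttled;`. `limit_req` counts requests rather than bytes, so with `proxy_request_buffering off` and a 1000M body limit it is the `limit_conn` caps that bound the in-flight upload load; that is worth saying in the same comment. The enclosing `server {` block starts and ends outside the hunk.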
@@ -0,0 +1,8 @@
+# Add a list of IPs here that should be severely rate limited on upload.
+# Every file in this directory will be included.
+#
+# Note that it is possible to add IP ranges as well as the full IP address.
+#
+# Examples:
+# 192.168.0.0/24 1;
+# 79.85.222.247 1;