From 7daebd6d04c36f29d56602970c2e1389d9e1c7ac Mon Sep 17 00:00:00 2001
From: PJ
Date: Thu, 19 Nov 2020 16:10:28 +0100
Subject: [PATCH 1/4] Add ratelimit mechanism on upload
---
 docker/nginx/conf.d/client.conf | 26 ++++++++++++++++++++++---
 docker/nginx/conf.d/include/ratelimited | 6 ++++++
 2 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 docker/nginx/conf.d/include/ratelimited
diff --git a/docker/nginx/conf.d/client.conf b/docker/nginx/conf.d/client.conf
index 2ef92c3b..b8d65e22 100644
--- a/docker/nginx/conf.d/client.conf
+++ b/docker/nginx/conf.d/client.conf
@@ -1,6 +1,21 @@
 proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=skynet:10m max_size=10g use_temp_path=off;
-limit_req_zone $binary_remote_addr zone=stats_by_ip:10m rate=10r/m;
-limit_conn_zone $binary_remote_addr zone=uploads_by_ip:10m;
+
+# ratelimit specified IPs
+geo $limit {
+ default 0;
+ include /etc/nginx/conf.d/include/ratelimited;
+}
+map $limit $limit_key {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+limit_req_zone $binary_remote_addr zone=upload_req:10m rate=10r/s;
+limit_req_zone $limit_key zone=upload_req_rl:10m rate=10r/m;
+
+limit_conn_zone $binary_remote_addr zone=upload_conn:10m;
+limit_conn_zone $limit_key zone=upload_conn_rl:10m;
+
 limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;
 limit_req_status 429;
 limit_conn_status 429;
@@ -229,7 +244,12 @@ server {
 include /etc/nginx/conf.d/include/cors;
 include /etc/nginx/conf.d/include/sia-auth;
 
- limit_conn uploads_by_ip 10; # ddos protection: max 10 uploads at a time
+ limit_req zone=upload_req burst=100 nodelay;
+ limit_req zone=upload_req_rl;
+
+ limit_conn upload_conn 10;
+ limit_conn upload_conn_rl 1;
+
 client_max_body_size 1000M; # make sure to limit the size of upload to a sane value
 proxy_read_timeout 600;
 proxy_request_buffering off; # stream uploaded files through the proxy as it comes in
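Review bot: The `limit_req_zone ... zone=stats_by_ip` definition is removed in the first hunk, but this diff removes no matching `limit_req zone=stats_by_ip` directive from any server block; if one still exists further down client.conf, nginx rejects the configuration at load time, so either it was already unused or it has to go in the same commit — worth confirming with `nginx -t`. The new `geo $limit` block and both `$binary_remote_addr` zones key on the peer address of the TCP connection; if this container sits behind a load balancer or TLS terminator, every client shares that address and listed IPs are never matched, which would call for the `proxy` parameter of `geo` or the real_ip module — not verifiable from this diff. A short comment above the zones would spare the next reader the `geo`/`map` indirection, e.g. `# two tiers: upload_req applies to every client; upload_req_rl only to IPs listed in include/ratelimited (empty key = not limited)`.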
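Review bot: The explanation on the removed `limit_conn uploads_by_ip 10; # ddos protection: ...` line is dropped and none of the five new directives in the second hunk says what each tier does, which matters because for a listed IP both `limit_req` zones apply at once and the stricter one wins. Suggest `limit_req zone=upload_req burst=100 nodelay; # every client: 10 r/s, a burst of 100 above that is served without delay`, `limit_req zone=upload_req_rl; # listed IPs only: 10 r/m with no burst, excess gets 429` and `limit_conn upload_conn_rl 1; # listed IPs only: one concurrent upload`. The enclosing `server {` block starts and ends outside the hunk.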
diff --git a/docker/nginx/conf.d/include/ratelimited b/docker/nginx/conf.d/include/ratelimited
new file mode 100644
index 00000000..38ae88ca
--- /dev/null
+++ b/docker/nginx/conf.d/include/ratelimited
@@ -0,0 +1,6 @@
+# Add a list of IPs here that should be severaly rate limited on upload.
+# Note that it is possible to add IP ranges as well as the full IP address.
+#
+# Examples:
+# 192.168.0.0/24 1;
+# 79.85.222.247 1;
From 5a9b630f7945af16dca5270137512ff80f2e4cc9 Mon Sep 17 00:00:00 2001
From: PJ
Date: Thu, 19 Nov 2020 18:27:08 +0100
Subject: [PATCH 2/4] Fix typo
---
 docker/nginx/conf.d/include/ratelimited | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/nginx/conf.d/include/ratelimited b/docker/nginx/conf.d/include/ratelimited
index 38ae88ca..3e5b5c00 100644
--- a/docker/nginx/conf.d/include/ratelimited
+++ b/docker/nginx/conf.d/include/ratelimited
@@ -1,4 +1,4 @@
-# Add a list of IPs here that should be severaly rate limited on upload.
+# Add a list of IPs here that should be severely rate limited on upload.
 # Note that it is possible to add IP ranges as well as the full IP address.
 #
 # Examples:
From 0040aa5be1492904efe101279b4de00ebe2c40f1 Mon Sep 17 00:00:00 2001
From: PJ
Date: Wed, 25 Nov 2020 15:15:23 +0100
Subject: [PATCH 3/4] rename zones
---
 docker/nginx/conf.d/client.conf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docker/nginx/conf.d/client.conf b/docker/nginx/conf.d/client.conf
index b8d65e22..fa3e165e 100644
--- a/docker/nginx/conf.d/client.conf
+++ b/docker/nginx/conf.d/client.conf
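Review bot: The second example entry in the new `ratelimited` file, `# 79.85.222.247 1;`, appears to be a public, globally routable address rather than a documentation address; examples in a file people copy from should use an RFC 5737 range, e.g. `# 203.0.113.0/24 1;`, so nobody throttles a real host by accident. The file is also parsed inside the `geo $limit { ... }` block, so it would help to say what an uncommented line must look like: `# Each entry is a geo map line: <IP or CIDR> 1; (the trailing semicolon is required)`.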
@@ -10,8 +10,8 @@ map $limit $limit_key {
 1 $binary_remote_addr;
 }
 
-limit_req_zone $binary_remote_addr zone=upload_req:10m rate=10r/s;
-limit_req_zone $limit_key zone=upload_req_rl:10m rate=10r/m;
+limit_req_zone $binary_remote_addr zone=uploads_by_ip:10m rate=10r/s;
+limit_req_zone $limit_key zone=uploads_by_ip_throttled:10m rate=10r/m;
 
 limit_conn_zone $binary_remote_addr zone=upload_conn:10m;
 limit_conn_zone $limit_key zone=upload_conn_rl:10m;
@@ -244,8 +244,8 @@ server {
 include /etc/nginx/conf.d/include/cors;
 include /etc/nginx/conf.d/include/sia-auth;
 
- limit_req zone=upload_req burst=100 nodelay;
- limit_req zone=upload_req_rl;
+ limit_req zone=uploads_by_ip burst=100 nodelay;
+ limit_req zone=uploads_by_ip_throttled;
 
 limit_conn upload_conn 10;
 limit_conn upload_conn_rl 1;
From 0a028dbc1ad638c628a012915c5a8b7270695273 Mon Sep 17 00:00:00 2001
From: PJ
Date: Wed, 25 Nov 2020 15:30:29 +0100
Subject: [PATCH 4/4] Move ratelimited
---
 docker/nginx/conf.d/client.conf | 2 +-
 .../nginx/conf.d/include/{ratelimited => ratelimited/example} | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
 rename docker/nginx/conf.d/include/{ratelimited => ratelimited/example} (79%)
diff --git a/docker/nginx/conf.d/client.conf b/docker/nginx/conf.d/client.conf
index fa3e165e..1c76e673 100644
--- a/docker/nginx/conf.d/client.conf
+++ b/docker/nginx/conf.d/client.conf
@@ -3,7 +3,7 @@ proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=skynet:10m max_size=10g
 # ratelimit specified IPs
 geo $limit {
 default 0;
- include /etc/nginx/conf.d/include/ratelimited;
+ include /etc/nginx/conf.d/include/ratelimited/*;
 }
 map $limit $limit_key {
 0 "";
diff --git a/docker/nginx/conf.d/include/ratelimited b/docker/nginx/conf.d/include/ratelimited/example
similarity index 79%
rename from docker/nginx/conf.d/include/ratelimited
rename to docker/nginx/conf.d/include/ratelimited/example
index 3e5b5c00..31fc4c5a 100644
--- a/docker/nginx/conf.d/include/ratelimited
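Review bot: In the `[PATCH 4/4]` client.conf hunk, `include /etc/nginx/conf.d/include/ratelimited/*;` pulls every file in that directory into the `geo` map — the shipped `example` file, editor backups such as `example~` or `.swp` files, and anything else dropped there by mistake — and each one is parsed as `geo` entries, so a stray file either throttles addresses silently or breaks the configuration at load. Restricting the glob to a deliberate suffix, `include /etc/nginx/conf.d/include/ratelimited/*.conf;`, keeps the example and stray files out of the running map; the comment this commit adds to `ratelimited/example` ("Every file in this directory will be included.") would then need to name the suffix too. The enclosing `geo $limit {` block is fully inside the hunk's context lines.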
+++ b/docker/nginx/conf.d/include/ratelimited/example
@@ -1,4 +1,6 @@
 # Add a list of IPs here that should be severely rate limited on upload.
+# Every file in this directory will be included.
+#
 # Note that it is possible to add IP ranges as well as the full IP address.
 #
 # Examples: