From 7daebd6d04c36f29d56602970c2e1389d9e1c7ac Mon Sep 17 00:00:00 2001
From: PJ <peterjan.brone@gmail.com>
Date: Thu, 19 Nov 2020 16:10:28 +0100
Subject: [PATCH 1/4] Add ratelimit mechanism on upload

---
 docker/nginx/conf.d/client.conf         | 26 ++++++++++++++++++++++---
 docker/nginx/conf.d/include/ratelimited |  6 ++++++
 2 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 docker/nginx/conf.d/include/ratelimited

diff --git a/docker/nginx/conf.d/client.conf b/docker/nginx/conf.d/client.conf
index 2ef92c3b..b8d65e22 100644
--- a/docker/nginx/conf.d/client.conf
+++ b/docker/nginx/conf.d/client.conf
@@ -1,6 +1,21 @@
 proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=skynet:10m max_size=10g use_temp_path=off;
-limit_req_zone $binary_remote_addr zone=stats_by_ip:10m rate=10r/m;
-limit_conn_zone $binary_remote_addr zone=uploads_by_ip:10m;
+
+# ratelimit specified IPs
+geo $limit {
+	default 0;
+	include /etc/nginx/conf.d/include/ratelimited;
+}
+map $limit $limit_key {
+	0 "";
+	1 $binary_remote_addr;
+}
+
+limit_req_zone $binary_remote_addr zone=upload_req:10m rate=10r/s;
+limit_req_zone $limit_key zone=upload_req_rl:10m rate=10r/m;
+
+limit_conn_zone $binary_remote_addr zone=upload_conn:10m;
+limit_conn_zone $limit_key zone=upload_conn_rl:10m;
+
 limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;
 limit_req_status 429;
 limit_conn_status 429;
@@ -229,7 +244,12 @@ server {
 		include /etc/nginx/conf.d/include/cors;
 		include /etc/nginx/conf.d/include/sia-auth;
 
-		limit_conn uploads_by_ip 10; # ddos protection: max 10 uploads at a time
+		limit_req zone=upload_req burst=100 nodelay;
+		limit_req zone=upload_req_rl;
+
+		limit_conn upload_conn 10;
+		limit_conn upload_conn_rl 1;
+
 		client_max_body_size 1000M; # make sure to limit the size of upload to a sane value
 		proxy_read_timeout 600;
 		proxy_request_buffering off; # stream uploaded files through the proxy as it comes in
diff --git a/docker/nginx/conf.d/include/ratelimited b/docker/nginx/conf.d/include/ratelimited
new file mode 100644
index 00000000..38ae88ca
--- /dev/null
+++ b/docker/nginx/conf.d/include/ratelimited
@@ -0,0 +1,6 @@
+# Add a list of IPs here that should be severaly rate limited on upload.
+# Note that it is possible to add IP ranges as well as the full IP address.
+#
+# Examples:
+# 192.168.0.0/24 1;
+# 79.85.222.247 1;

From 5a9b630f7945af16dca5270137512ff80f2e4cc9 Mon Sep 17 00:00:00 2001
From: PJ <peterjan.brone@gmail.com>
Date: Thu, 19 Nov 2020 18:27:08 +0100
Subject: [PATCH 2/4] Fix typo

---
 docker/nginx/conf.d/include/ratelimited | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/nginx/conf.d/include/ratelimited b/docker/nginx/conf.d/include/ratelimited
index 38ae88ca..3e5b5c00 100644
--- a/docker/nginx/conf.d/include/ratelimited
+++ b/docker/nginx/conf.d/include/ratelimited
@@ -1,4 +1,4 @@
-# Add a list of IPs here that should be severaly rate limited on upload.
+# Add a list of IPs here that should be severely rate limited on upload.
 # Note that it is possible to add IP ranges as well as the full IP address.
 #
 # Examples:

From 0040aa5be1492904efe101279b4de00ebe2c40f1 Mon Sep 17 00:00:00 2001
From: PJ <peterjan.brone@gmail.com>
Date: Wed, 25 Nov 2020 15:15:23 +0100
Subject: [PATCH 3/4] rename zones

---
 docker/nginx/conf.d/client.conf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docker/nginx/conf.d/client.conf b/docker/nginx/conf.d/client.conf
index b8d65e22..fa3e165e 100644
--- a/docker/nginx/conf.d/client.conf
+++ b/docker/nginx/conf.d/client.conf
@@ -10,8 +10,8 @@ map $limit $limit_key {
 	1 $binary_remote_addr;
 }
 
-limit_req_zone $binary_remote_addr zone=upload_req:10m rate=10r/s;
-limit_req_zone $limit_key zone=upload_req_rl:10m rate=10r/m;
+limit_req_zone $binary_remote_addr zone=uploads_by_ip:10m rate=10r/s;
+limit_req_zone $limit_key zone=uploads_by_ip_throttled:10m rate=10r/m;
 
 limit_conn_zone $binary_remote_addr zone=upload_conn:10m;
 limit_conn_zone $limit_key zone=upload_conn_rl:10m;
@@ -244,8 +244,8 @@ server {
 		include /etc/nginx/conf.d/include/cors;
 		include /etc/nginx/conf.d/include/sia-auth;
 
-		limit_req zone=upload_req burst=100 nodelay;
-		limit_req zone=upload_req_rl;
+		limit_req zone=uploads_by_ip burst=100 nodelay;
+		limit_req zone=uploads_by_ip_throttled;
 
 		limit_conn upload_conn 10;
 		limit_conn upload_conn_rl 1;

From 0a028dbc1ad638c628a012915c5a8b7270695273 Mon Sep 17 00:00:00 2001
From: PJ <peterjan.brone@gmail.com>
Date: Wed, 25 Nov 2020 15:30:29 +0100
Subject: [PATCH 4/4] Move ratelimited

---
 docker/nginx/conf.d/client.conf                                 | 2 +-
 .../nginx/conf.d/include/{ratelimited => ratelimited/example}   | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
 rename docker/nginx/conf.d/include/{ratelimited => ratelimited/example} (79%)

diff --git a/docker/nginx/conf.d/client.conf b/docker/nginx/conf.d/client.conf
index fa3e165e..1c76e673 100644
--- a/docker/nginx/conf.d/client.conf
+++ b/docker/nginx/conf.d/client.conf
@@ -3,7 +3,7 @@ proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=skynet:10m max_size=10g
 # ratelimit specified IPs
 geo $limit {
 	default 0;
-	include /etc/nginx/conf.d/include/ratelimited;
+	include /etc/nginx/conf.d/include/ratelimited/*;
 }
 map $limit $limit_key {
 	0 "";
diff --git a/docker/nginx/conf.d/include/ratelimited b/docker/nginx/conf.d/include/ratelimited/example
similarity index 79%
rename from docker/nginx/conf.d/include/ratelimited
rename to docker/nginx/conf.d/include/ratelimited/example
index 3e5b5c00..31fc4c5a 100644
--- a/docker/nginx/conf.d/include/ratelimited
+++ b/docker/nginx/conf.d/include/ratelimited/example
@@ -1,4 +1,6 @@
 # Add a list of IPs here that should be severely rate limited on upload.
+# Every file in this directory will be included.
+#
 # Note that it is possible to add IP ranges as well as the full IP address.
 #
 # Examples: