Merge pull request #529 from NebulousLabs/pj/rate-limit-ips

Ratelimit
This commit is contained in:
Christopher Schinnerl 2020-11-25 15:42:06 +01:00 committed by GitHub
commit 991d2a076e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 31 additions and 3 deletions

View File

@ -1,6 +1,21 @@
proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=skynet:10m max_size=10g use_temp_path=off; proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=skynet:10m max_size=10g use_temp_path=off;
limit_req_zone $binary_remote_addr zone=stats_by_ip:10m rate=10r/m;
limit_conn_zone $binary_remote_addr zone=uploads_by_ip:10m; # ratelimit specified IPs
geo $limit {
default 0;
include /etc/nginx/conf.d/include/ratelimited/*;
}
map $limit $limit_key {
0 "";
1 $binary_remote_addr;
}
limit_req_zone $binary_remote_addr zone=uploads_by_ip:10m rate=10r/s;
limit_req_zone $limit_key zone=uploads_by_ip_throttled:10m rate=10r/m;
limit_conn_zone $binary_remote_addr zone=upload_conn:10m;
limit_conn_zone $limit_key zone=upload_conn_rl:10m;
limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m; limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;
limit_req_status 429; limit_req_status 429;
limit_conn_status 429; limit_conn_status 429;
@ -229,7 +244,12 @@ server {
include /etc/nginx/conf.d/include/cors; include /etc/nginx/conf.d/include/cors;
include /etc/nginx/conf.d/include/sia-auth; include /etc/nginx/conf.d/include/sia-auth;
limit_conn uploads_by_ip 10; # ddos protection: max 10 uploads at a time limit_req zone=uploads_by_ip burst=100 nodelay;
limit_req zone=uploads_by_ip_throttled;
limit_conn upload_conn 10;
limit_conn upload_conn_rl 1;
client_max_body_size 1000M; # make sure to limit the size of upload to a sane value client_max_body_size 1000M; # make sure to limit the size of upload to a sane value
proxy_read_timeout 600; proxy_read_timeout 600;
proxy_request_buffering off; # stream uploaded files through the proxy as it comes in proxy_request_buffering off; # stream uploaded files through the proxy as it comes in

View File

@ -0,0 +1,8 @@
# Add a list of IPs here that should be severely rate limited on upload.
# Every file in this directory will be included.
#
# Note that it is possible to add IP ranges as well as the full IP address.
#
# Examples:
# 192.168.0.0/24 1;
# 79.85.222.247 1;