Add information about request limits
parent 5af26c7ccf
commit 8d9c6b62d4
2 changed files with 26 additions and 4 deletions
21
README.md
|
@ -13,3 +13,24 @@ Role to install Nginx.
|
||||||
| `nginx_type` | | `gateway` for a Reverse Proxy, `standalone` for a frontend webserver, `backend` for a backend webserver (behind a Reverse Proxy) |
|
| `nginx_type` | | `gateway` for a Reverse Proxy, `standalone` for a frontend webserver, `backend` for a backend webserver (behind a Reverse Proxy) |
|
||||||
| `dhparam_path` | `/etc/ssl/private/dhparam.pem` | Path to dhparam file |
|
| `dhparam_path` | `/etc/ssl/private/dhparam.pem` | Path to dhparam file |
|
||||||
| `dhparam_size` | `4096` | Size (in bits) of the generated DH-params |
|
| `dhparam_size` | `4096` | Size (in bits) of the generated DH-params |
|
||||||
|
|
||||||
|
## Rate limiting
|
||||||
|
### Limiting the Request Rate
|
||||||
|
|
||||||
|
You can use Nginx' [Rate Limiting](https://www.nginx.com/blog/rate-limiting-nginx/) to slow | down brute force attacks.
|
||||||
|
The following zones are available:
|
||||||
|
|
||||||
|
| Zone name | Filter | Limit |
|
||||||
|
|--|--|--|
|
||||||
|
| `req_ip_one` | IP address | 30r/m |
|
||||||
|
| `req_ip_two` | IP address | 15r/m |
|
||||||
|
| `req_server_one` | Domain | 30r/m |
|
||||||
|
| `req_server_two` | Domain | 15r/m |
|
||||||
|
|
||||||
|
### Limiting the Number of Connections
|
||||||
|
|
||||||
|
You can also limit the number of [connection](https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-http/):
|
||||||
|
|
||||||
|
| Zone name | Filter | Limit |
|
||||||
|
|--|--|--|
|
||||||
|
| `con_ip_one` | IP address | No default limit |
|
||||||
|
|
|
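Review bot: The zone tables under "Rate limiting" list names and limits but never say how a vhost opts in, and for `con_ip_one` the "No default limit" cell leaves it unclear that nothing is enforced until the vhost sets one. Suggest adding one usage line per section, e.g. `limit_req zone=req_ip_one;` and `limit_conn con_ip_one 10;` (the number being whatever the site needs). Also worth documenting here: the "Domain" zones are keyed on `$server_name`, so all clients of a site share a single bucket, and the template sets `limit_req_status 444`, so a rate-limited client gets that status rather than an ordinary error page. Minor wording: "Nginx'" should be "Nginx's", the sentence has a stray `|` in "slow | down", and the link text "connection" should be "connections".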
@ -1,7 +1,8 @@
|
||||||
# Managed by Ansible
|
# Managed by Ansible
|
||||||
|
|
||||||
limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
|
limit_req_zone $binary_remote_addr zone=req_ip_one:10m rate=30r/m;
|
||||||
limit_req_zone $binary_remote_addr zone=wordpress:10m rate=10r/m;
|
limit_req_zone $binary_remote_addr zone=req_ip_two:10m rate=15r/m;
|
||||||
limit_req_zone $server_name zone=perserver:10m rate=20r/m;
|
limit_req_zone $server_name zone=req_server_one:10m rate=30r/m;
|
||||||
|
limit_req_zone $server_name zone=req_server_two:10m rate=15r/m;
|
||||||
|
limit_conn_zone $binary_remote_addr zone=con_ip_one :10m;
|
||||||
limit_req_status 444;
|
limit_req_status 444;
|
||||||
limit_conn_zone $binary_remote_addr zone=addr:10m;
|
|
||||||
|
|
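Review bot: On the added `limit_conn_zone` line, `zone=con_ip_one :10m` has a space before `:10m`, so nginx reads three parameters instead of `key zone=name:size` and will reject the configuration; it should be `zone=con_ip_one:10m`. Separately, the old zone names (`one`, `wordpress`, `perserver`, `addr`) disappear in this hunk, so any existing vhost that still references them in `limit_req` or `limit_conn` will fail to load after the role runs; either update those references in the same commit or add a migration note. The 10r/m and 20r/m zones are also replaced by 15r/m and 30r/m ones, which loosens the limit for whatever used them, so please confirm that is intended.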