Add information about request limits

This commit is contained in:
phil 2023-03-11 18:46:49 +01:00
parent 5af26c7ccf
commit 8d9c6b62d4
2 changed files with 26 additions and 4 deletions


@ -13,3 +13,24 @@ Role to install Nginx.
| `nginx_type` | | `gateway` for a Reverse Proxy, `standalone` for a frontend webserver, `backend` for a backend webserver (behind a Reverse Proxy) | | `nginx_type` | | `gateway` for a Reverse Proxy, `standalone` for a frontend webserver, `backend` for a backend webserver (behind a Reverse Proxy) |
| `dhparam_path` | `/etc/ssl/private/dhparam.pem` | Path to dhparam file | | `dhparam_path` | `/etc/ssl/private/dhparam.pem` | Path to dhparam file |
| `dhparam_size` | `4096` | Size (in bits) of the generated DH-params | | `dhparam_size` | `4096` | Size (in bits) of the generated DH-params |
## Rate limiting
### Limiting the Request Rate
You can use Nginx' [Rate Limiting](https://www.nginx.com/blog/rate-limiting-nginx/) to slow | down brute force attacks.
The following zones are available:
| Zone name | Filter | Limit |
|--|--|--|
| `req_ip_one` | IP address | 30r/m |
| `req_ip_two` | IP address | 15r/m |
| `req_server_one` | Domain | 30r/m |
| `req_server_two` | Domain | 15r/m |
### Limiting the Number of Connections
You can also limit the number of [connection](https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-http/):
| Zone name | Filter | Limit |
|--|--|--|
| `con_ip_one` | IP address | No default limit |
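Review bot: The new README text has two wording defects and one documentation gap. In the sentence under "Limiting the Request Rate" a stray `|` splits "slow | down brute force attacks" (it reads like a leftover table delimiter and renders oddly in Markdown), and under "Limiting the Number of Connections" the link text "limit the number of [connection]" should be "connections". The bigger gap is that the two tables only describe the `limit_req_zone`/`limit_conn_zone` definitions; none of these zones does anything until a `server` or `location` block applies it with `limit_req zone=req_ip_one` (optionally `burst=`/`nodelay`) or `limit_conn con_ip_one <n>`, which is exactly why `con_ip_one` shows "No default limit". Suggest adding a sentence that the zones are definitions only, with a one-line example of applying one, and noting that rejected requests get the template's `limit_req_status 444`, meaning Nginx closes the connection without sending a response rather than returning a 429 the client can see.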


@ -1,7 +1,8 @@
# Managed by Ansible # Managed by Ansible
limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m; limit_req_zone $binary_remote_addr zone=req_ip_one:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=wordpress:10m rate=10r/m; limit_req_zone $binary_remote_addr zone=req_ip_two:10m rate=15r/m;
limit_req_zone $server_name zone=perserver:10m rate=20r/m; limit_req_zone $server_name zone=req_server_one:10m rate=30r/m;
limit_req_zone $server_name zone=req_server_two:10m rate=15r/m;
limit_conn_zone $binary_remote_addr zone=con_ip_one :10m;
limit_req_status 444; limit_req_status 444;
limit_conn_zone $binary_remote_addr zone=addr:10m;
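Review bot: The new `limit_conn_zone $binary_remote_addr zone=con_ip_one :10m;` line has a space before `:10m`, which makes the size a separate parameter; `zone=con_ip_one` then carries no size, `nginx -t` rejects the configuration, and the role would leave Nginx unable to reload. It should read `zone=con_ip_one:10m`. Second, this hunk renames every zone (`one` to `req_ip_one`, `wordpress` to `req_ip_two`, `perserver` to `req_server_one`) and drops `addr` in favour of `con_ip_one`, but the commit touches only this template and the README; any server or location template in the role that still references `limit_req zone=one` or `limit_conn addr` will now fail with an unknown-zone error at config test, so the old names should be grepped for and updated in the same commit. Third, the former `wordpress` zone's rate changes from 10r/m to 15r/m although the commit message only claims to add documentation; either keep 10r/m or state the behaviour change in the message.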