diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2-conn-4.stpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2-conn-4.stpl
index df269ad4..8435a72b 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2-conn-4.stpl
+++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2-conn-4.stpl
@@ -7,7 +7,8 @@ server {
 error_log /var/log/%web_system%/domains/%domain%.error.log error;
 location / {
- limit_conn addr 8;
+ limit_conn addr 9;
+ limit_conn zone_site 25;
 limit_req zone=two burst=14 delay=7;
 proxy_pass https://%ip%:%web_ssl_port%;
 }
diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2-conn-4.tpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2-conn-4.tpl
index 13657bd3..2cc5c781 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2-conn-4.tpl
+++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2-conn-4.tpl
@@ -4,7 +4,8 @@ server {
 error_log /var/log/%web_system%/domains/%domain%.error.log error;
 location / {
- limit_conn addr 8;
+ limit_conn addr 9;
+ limit_conn zone_site 25;
 limit_req zone=two burst=14 delay=7;
 proxy_pass http://%ip%:%web_port%;
 }
diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2.stpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2.stpl
index 8e0a0f5a..856ebd56 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2.stpl
+++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2.stpl
@@ -7,7 +7,8 @@ server {
 error_log /var/log/%web_system%/domains/%domain%.error.log error;
 location / {
- limit_conn addr 4;
+ limit_conn addr 7;
+ limit_conn zone_site 20;
 limit_req zone=two burst=14 delay=7;
 proxy_pass https://%ip%:%web_ssl_port%;
 }
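Review bot: The added `limit_conn zone_site 25;` in hosting-firewall-burst-2-speed-2-conn-4.stpl refers to a shared-memory zone named `zone_site`, and nothing in this diff declares it with `limit_conn_zone`; the same holds for `zone=wfone` in the new hosting-firewall-wordpress templates. If a host receives these templates without the matching http-level declarations, nginx will reject the configuration of every domain built from them. The declarations may be written by a part of install_rate_limit_tpl.sh outside this diff, so confirm they land before the templates do, and consider running `nginx -t` before the installer's `systemctl restart nginx`. The same added line appears in every other hosting-firewall*.tpl/.stpl hunk of this commit.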
diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2.tpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2.tpl
index a4035844..5bf3fbf8 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2.tpl
+++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2.tpl
@@ -4,7 +4,8 @@ server {
 error_log /var/log/%web_system%/domains/%domain%.error.log error;
 location / {
- limit_conn addr 4;
+ limit_conn addr 7;
+ limit_conn zone_site 20;
 limit_req zone=two burst=14 delay=7;
 proxy_pass http://%ip%:%web_port%;
 }
diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.stpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.stpl
index 9649671d..5d42830f 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.stpl
+++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.stpl
@@ -7,7 +7,8 @@ server {
 error_log /var/log/%web_system%/domains/%domain%.error.log error;
 location / {
- limit_conn addr 3;
+ limit_conn addr 5;
+ limit_conn zone_site 15;
 limit_req zone=one burst=14 delay=7;
 proxy_pass https://%ip%:%web_ssl_port%;
 }
diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.tpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.tpl
index 9e0edcf8..e57dbd1a 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.tpl
+++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.tpl
@@ -4,7 +4,8 @@ server {
 error_log /var/log/%web_system%/domains/%domain%.error.log error;
 location / {
- limit_conn addr 3;
+ limit_conn addr 5;
+ limit_conn zone_site 15;
 limit_req zone=one burst=14 delay=7;
 proxy_pass http://%ip%:%web_port%;
 }
diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.stpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.stpl
new file mode 100644
index 00000000..7fcad160
--- /dev/null
+++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.stpl
@@ -0,0 +1,93 @@
+server {
+ listen %ip%:%proxy_ssl_port% ssl http2;
+ server_name %domain_idn% %alias_idn%;
+ # ssl on;
+ ssl_certificate %ssl_pem%;
+ ssl_certificate_key %ssl_key%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ location / {
+ error_page 418 = @wordfence_lh;
+ error_page 419 = @wordfence_route;
+ error_page 420 = @wordfence_sync;
+
+ if ($request_uri ~ "^/\?wordfence_lh") { return 418; }
+ if ($request_uri ~ "^/\?rest_route=%2Fwordfence") { return 419; }
+ if ($request_uri ~ "^/\?wordfence_syncAttackData") { return 420; }
+
+ limit_conn addr 5;
+ limit_conn zone_site 15;
+ limit_req zone=one burst=14 delay=7;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location /wp-admin/ {
+ limit_conn addr 24;
+ limit_conn zone_site 30;
+ limit_req zone=one burst=40 delay=7;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location /wp-json/ {
+ limit_conn addr 8;
+ limit_conn zone_site 15;
+ limit_req zone=one burst=40 delay=7;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location @wordfence_lh {
+ limit_conn addr 8;
+ limit_conn zone_site 15;
+ limit_req zone=wfone burst=120;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location @wordfence_route {
+ limit_conn addr 8;
+ limit_conn zone_site 15;
+ limit_req zone=wfone burst=120;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location @wordfence_sync {
+ limit_conn addr 8;
+ limit_conn zone_site 15;
+ limit_req zone=wfone burst=120;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location /wp-json/wordfence/ {
+ limit_conn addr 8;
+ limit_conn zone_site 15;
+ limit_req zone=wfone burst=120;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location ~* ^.+\.(%proxy_extentions%)$ {
+ root %sdocroot%;
+ access_log /var/log/%web_system%/domains/%domain%.log combined;
+ access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
+ expires max;
+ # try_files $uri @fallback;
+ }
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ location @fallback {
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location ~ /\.ht {return 404;}
+ location ~ /\.env {return 404;}
+ location ~ /\.svn/ {return 404;}
+ location ~ /\.git/ {return 404;}
+ location ~ /\.hg/ {return 404;}
+ location ~ /\.bzr/ {return 404;}
+
+ disable_symlinks if_not_owner from=%docroot%;
+
+ include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
+ include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;
+}
diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.tpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.tpl
new file mode 100644
index 00000000..0e196744
--- /dev/null
+++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.tpl
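Review bot: In hosting-firewall-wordpress.stpl the three `if ($request_uri ~ "^/\?wordfence_…")` tests in `location /` choose the rate-limit bucket from a client-supplied query-string prefix, so the looser `limit_req zone=wfone burst=120;` applies to any request whose URI starts with those strings, not only to genuine Wordfence callbacks. That trade-off deserves a comment above the `error_page 418/419/420` lines, for example `# Wordfence callbacks use the looser wfone bucket; selected by URI prefix only, so wfone's rate must be safe for the front page`. The rate of `wfone` is declared outside this diff, so check that it is tight enough for requests that reach the same upstream as `/`. hosting-firewall-wordpress.tpl contains the same block.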
@@ -0,0 +1,90 @@
+server {
+ listen %ip%:%proxy_port%;
+ server_name %domain_idn% %alias_idn%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ location / {
+ error_page 418 = @wordfence_lh;
+ error_page 419 = @wordfence_route;
+ error_page 420 = @wordfence_sync;
+
+ if ($request_uri ~ "^/\?wordfence_lh") { return 418; }
+ if ($request_uri ~ "^/\?rest_route=%2Fwordfence") { return 419; }
+ if ($request_uri ~ "^/\?wordfence_syncAttackData") { return 420; }
+
+ limit_conn addr 5;
+ limit_conn zone_site 15;
+ limit_req zone=one burst=14 delay=7;
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location /wp-admin/ {
+ limit_conn addr 24;
+ limit_conn zone_site 30;
+ limit_req zone=one burst=40 delay=7;
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location /wp-json/ {
+ limit_conn addr 8;
+ limit_conn zone_site 15;
+ limit_req zone=one burst=40 delay=7;
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location @wordfence_lh {
+ limit_conn addr 8;
+ limit_conn zone_site 15;
+ limit_req zone=wfone burst=120;
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location @wordfence_route {
+ limit_conn addr 8;
+ limit_conn zone_site 15;
+ limit_req zone=wfone burst=120;
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location @wordfence_sync {
+ limit_conn addr 8;
+ limit_conn zone_site 15;
+ limit_req zone=wfone burst=120;
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location /wp-json/wordfence/ {
+ limit_conn addr 8;
+ limit_conn zone_site 15;
+ limit_req zone=wfone burst=120;
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location ~* ^.+\.(%proxy_extentions%)$ {
+ root %docroot%;
+ access_log /var/log/%web_system%/domains/%domain%.log combined;
+ access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
+ expires max;
+ # try_files $uri @fallback;
+ }
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ location @fallback {
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location ~ /\.ht {return 404;}
+ location ~ /\.env {return 404;}
+ location ~ /\.svn/ {return 404;}
+ location ~ /\.git/ {return 404;}
+ location ~ /\.hg/ {return 404;}
+ location ~ /\.bzr/ {return 404;}
+
+ disable_symlinks if_not_owner from=%docroot%;
+
+ include %home%/%user%/conf/web/nginx.%domain%.conf*;
+}
+
diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall.stpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall.stpl
index 21acb34b..42bc195b 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall.stpl
+++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall.stpl
@@ -7,7 +7,8 @@ server {
 error_log /var/log/%web_system%/domains/%domain%.error.log error;
 location / {
- limit_conn addr 2;
+ limit_conn addr 3;
+ limit_conn zone_site 10;
 limit_req zone=one burst=7 delay=3;
 proxy_pass https://%ip%:%web_ssl_port%;
 }
diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall.tpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall.tpl
index 9438e532..177a71c6 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall.tpl
+++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall.tpl
@@ -4,7 +4,8 @@ server {
 error_log /var/log/%web_system%/domains/%domain%.error.log error;
 location / {
- limit_conn addr 2;
+ limit_conn addr 3;
+ limit_conn zone_site 10;
 limit_req zone=one burst=7 delay=3;
 proxy_pass http://%ip%:%web_port%;
 }
diff --git a/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh b/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh
index 91384b58..4a910d0f 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh
+++ b/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh
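Review bot: In hosting-firewall-wordpress.tpl the dotfile deny rules (`location ~ /\.git/ {return 404;}` and its five siblings) are declared after the static-file regex `location ~* ^.+\.(%proxy_extentions%)$`, and nginx takes the first regex location that matches in file order. A path inside a hidden directory that ends in one of the proxied extensions would therefore be served from `%docroot%` instead of getting the 404. Moving the six deny locations above the static-file location gives them precedence. hosting-firewall-wordpress.stpl declares them in the same order.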
@@ -68,5 +68,7 @@ wget -nv -O /usr/local/vesta/data/templates/web/nginx/hosting-firewall-burst-2-s
 wget -nv -O /usr/local/vesta/data/templates/web/nginx/force-https-firewall-wordpress.tpl http://c.myvestacp.com/tools/rate-limit-tpl/force-https-firewall-wordpress.tpl
 wget -nv -O /usr/local/vesta/data/templates/web/nginx/force-https-firewall-wordpress.stpl http://c.myvestacp.com/tools/rate-limit-tpl/force-https-firewall-wordpress.stpl
+wget -nv -O /usr/local/vesta/data/templates/web/nginx/hosting-firewall-wordpress.tpl http://c.myvestacp.com/tools/rate-limit-tpl/hosting-firewall-wordpress.tpl
+wget -nv -O /usr/local/vesta/data/templates/web/nginx/hosting-firewall-wordpress.stpl http://c.myvestacp.com/tools/rate-limit-tpl/hosting-firewall-wordpress.stpl
 systemctl restart nginx
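Review bot: The two added `wget` lines fetch nginx templates over plain `http://` and write them straight into `/usr/local/vesta/data/templates/web/nginx/` with no checksum or signature check, so anything on the network path can change what the generated vhosts will proxy to. `wget -O` also creates or truncates the destination when the download fails, which can leave an empty template behind. Prefer an `https://` URL if the host serves one, download to a temporary file, compare it with a pinned hash (`<expected-sha256>`) and move it into place only on success, e.g. `wget -nv -O "$tmp" "$url" && mv "$tmp" "$dest"`. The context lines above follow the same pattern, and the script starts outside this hunk.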