github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-19 21:04:07 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

nginx rate limit fixes for http:// templates

Browse source
This commit is contained in:
myvesta 2023-11-02 14:27:15 +01:00 committed by GitHub
commit 5e525f8898
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 201 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2-conn-4.stpl
View file

@ -7,7 +7,8 @@ server {
error_log /var/log/%web_system%/domains/%domain%.error.log error; error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / { location / {
limit_conn addr 8; limit_conn addr 9;
limit_conn zone_site 25;
limit_req zone=two burst=14 delay=7; limit_req zone=two burst=14 delay=7;
proxy_pass https://%ip%:%web_ssl_port%; proxy_pass https://%ip%:%web_ssl_port%;
} }

3
src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2-conn-4.tpl
View file

@ -4,7 +4,8 @@ server {
error_log /var/log/%web_system%/domains/%domain%.error.log error; error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / { location / {
limit_conn addr 8; limit_conn addr 9;
limit_conn zone_site 25;
limit_req zone=two burst=14 delay=7; limit_req zone=two burst=14 delay=7;
proxy_pass http://%ip%:%web_port%; proxy_pass http://%ip%:%web_port%;
} }

3
src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2.stpl
View file

@ -7,7 +7,8 @@ server {
error_log /var/log/%web_system%/domains/%domain%.error.log error; error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / { location / {
limit_conn addr 4; limit_conn addr 7;
limit_conn zone_site 20;
limit_req zone=two burst=14 delay=7; limit_req zone=two burst=14 delay=7;
proxy_pass https://%ip%:%web_ssl_port%; proxy_pass https://%ip%:%web_ssl_port%;
} }

3
src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2-speed-2.tpl
View file

@ -4,7 +4,8 @@ server {
error_log /var/log/%web_system%/domains/%domain%.error.log error; error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / { location / {
limit_conn addr 4; limit_conn addr 7;
limit_conn zone_site 20;
limit_req zone=two burst=14 delay=7; limit_req zone=two burst=14 delay=7;
proxy_pass http://%ip%:%web_port%; proxy_pass http://%ip%:%web_port%;
} }

3
src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.stpl
View file

@ -7,7 +7,8 @@ server {
error_log /var/log/%web_system%/domains/%domain%.error.log error; error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / { location / {
limit_conn addr 3; limit_conn addr 5;
limit_conn zone_site 15;
limit_req zone=one burst=14 delay=7; limit_req zone=one burst=14 delay=7;
proxy_pass https://%ip%:%web_ssl_port%; proxy_pass https://%ip%:%web_ssl_port%;
} }

3
src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.tpl
View file

@ -4,7 +4,8 @@ server {
error_log /var/log/%web_system%/domains/%domain%.error.log error; error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / { location / {
limit_conn addr 3; limit_conn addr 5;
limit_conn zone_site 15;
limit_req zone=one burst=14 delay=7; limit_req zone=one burst=14 delay=7;
proxy_pass http://%ip%:%web_port%; proxy_pass http://%ip%:%web_port%;
} }

93
src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.stpl Normal file
View file

@ -0,0 +1,93 @@
server {
listen %ip%:%proxy_ssl_port% ssl http2;
server_name %domain_idn% %alias_idn%;
# ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / {
error_page 418 = @wordfence_lh;
error_page 419 = @wordfence_route;
error_page 420 = @wordfence_sync;
if ($request_uri ~ "^/\?wordfence_lh") { return 418; }
if ($request_uri ~ "^/\?rest_route=%2Fwordfence") { return 419; }
if ($request_uri ~ "^/\?wordfence_syncAttackData") { return 420; }
limit_conn addr 5;
limit_conn zone_site 15;
limit_req zone=one burst=14 delay=7;
proxy_pass https://%ip%:%web_ssl_port%;
}
location /wp-admin/ {
limit_conn addr 24;
limit_conn zone_site 30;
limit_req zone=one burst=40 delay=7;
proxy_pass https://%ip%:%web_ssl_port%;
}
location /wp-json/ {
limit_conn addr 8;
limit_conn zone_site 15;
limit_req zone=one burst=40 delay=7;
proxy_pass https://%ip%:%web_ssl_port%;
}
location @wordfence_lh {
limit_conn addr 8;
limit_conn zone_site 15;
limit_req zone=wfone burst=120;
proxy_pass https://%ip%:%web_ssl_port%;
}
location @wordfence_route {
limit_conn addr 8;
limit_conn zone_site 15;
limit_req zone=wfone burst=120;
proxy_pass https://%ip%:%web_ssl_port%;
}
location @wordfence_sync {
limit_conn addr 8;
limit_conn zone_site 15;
limit_req zone=wfone burst=120;
proxy_pass https://%ip%:%web_ssl_port%;
}
location /wp-json/wordfence/ {
limit_conn addr 8;
limit_conn zone_site 15;
limit_req zone=wfone burst=120;
proxy_pass https://%ip%:%web_ssl_port%;
}
location ~* ^.+\.(%proxy_extentions%)$ {
root %sdocroot%;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
# try_files $uri @fallback;
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location @fallback {
proxy_pass https://%ip%:%web_ssl_port%;
}
location ~ /\.ht {return 404;}
location ~ /\.env {return 404;}
location ~ /\.svn/ {return 404;}
location ~ /\.git/ {return 404;}
location ~ /\.hg/ {return 404;}
location ~ /\.bzr/ {return 404;}
disable_symlinks if_not_owner from=%docroot%;
include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;
}

90
src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.tpl Normal file
View file

@ -0,0 +1,90 @@
server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / {
error_page 418 = @wordfence_lh;
error_page 419 = @wordfence_route;
error_page 420 = @wordfence_sync;
if ($request_uri ~ "^/\?wordfence_lh") { return 418; }
if ($request_uri ~ "^/\?rest_route=%2Fwordfence") { return 419; }
if ($request_uri ~ "^/\?wordfence_syncAttackData") { return 420; }
limit_conn addr 5;
limit_conn zone_site 15;
limit_req zone=one burst=14 delay=7;
proxy_pass http://%ip%:%web_port%;
}
location /wp-admin/ {
limit_conn addr 24;
limit_conn zone_site 30;
limit_req zone=one burst=40 delay=7;
proxy_pass http://%ip%:%web_port%;
}
location /wp-json/ {
limit_conn addr 8;
limit_conn zone_site 15;
limit_req zone=one burst=40 delay=7;
proxy_pass http://%ip%:%web_port%;
}
location @wordfence_lh {
limit_conn addr 8;
limit_conn zone_site 15;
limit_req zone=wfone burst=120;
proxy_pass http://%ip%:%web_port%;
}
location @wordfence_route {
limit_conn addr 8;
limit_conn zone_site 15;
limit_req zone=wfone burst=120;
proxy_pass http://%ip%:%web_port%;
}
location @wordfence_sync {
limit_conn addr 8;
limit_conn zone_site 15;
limit_req zone=wfone burst=120;
proxy_pass http://%ip%:%web_port%;
}
location /wp-json/wordfence/ {
limit_conn addr 8;
limit_conn zone_site 15;
limit_req zone=wfone burst=120;
proxy_pass http://%ip%:%web_port%;
}
location ~* ^.+\.(%proxy_extentions%)$ {
root %docroot%;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
# try_files $uri @fallback;
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location @fallback {
proxy_pass http://%ip%:%web_port%;
}
location ~ /\.ht {return 404;}
location ~ /\.env {return 404;}
location ~ /\.svn/ {return 404;}
location ~ /\.git/ {return 404;}
location ~ /\.hg/ {return 404;}
location ~ /\.bzr/ {return 404;}
disable_symlinks if_not_owner from=%docroot%;
include %home%/%user%/conf/web/nginx.%domain%.conf*;
}

3
src/deb/for-download/tools/rate-limit-tpl/hosting-firewall.stpl
View file

@ -7,7 +7,8 @@ server {
error_log /var/log/%web_system%/domains/%domain%.error.log error; error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / { location / {
limit_conn addr 2; limit_conn addr 3;
limit_conn zone_site 10;
limit_req zone=one burst=7 delay=3; limit_req zone=one burst=7 delay=3;
proxy_pass https://%ip%:%web_ssl_port%; proxy_pass https://%ip%:%web_ssl_port%;
} }

3
src/deb/for-download/tools/rate-limit-tpl/hosting-firewall.tpl
View file

@ -4,7 +4,8 @@ server {
error_log /var/log/%web_system%/domains/%domain%.error.log error; error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / { location / {
limit_conn addr 2; limit_conn addr 3;
limit_conn zone_site 10;
limit_req zone=one burst=7 delay=3; limit_req zone=one burst=7 delay=3;
proxy_pass http://%ip%:%web_port%; proxy_pass http://%ip%:%web_port%;
} }

2
src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh
View file

@ -68,5 +68,7 @@ wget -nv -O /usr/local/vesta/data/templates/web/nginx/hosting-firewall-burst-2-s
wget -nv -O /usr/local/vesta/data/templates/web/nginx/force-https-firewall-wordpress.tpl http://c.myvestacp.com/tools/rate-limit-tpl/force-https-firewall-wordpress.tpl wget -nv -O /usr/local/vesta/data/templates/web/nginx/force-https-firewall-wordpress.tpl http://c.myvestacp.com/tools/rate-limit-tpl/force-https-firewall-wordpress.tpl
wget -nv -O /usr/local/vesta/data/templates/web/nginx/force-https-firewall-wordpress.stpl http://c.myvestacp.com/tools/rate-limit-tpl/force-https-firewall-wordpress.stpl wget -nv -O /usr/local/vesta/data/templates/web/nginx/force-https-firewall-wordpress.stpl http://c.myvestacp.com/tools/rate-limit-tpl/force-https-firewall-wordpress.stpl
wget -nv -O /usr/local/vesta/data/templates/web/nginx/hosting-firewall-wordpress.tpl http://c.myvestacp.com/tools/rate-limit-tpl/hosting-firewall-wordpress.tpl
wget -nv -O /usr/local/vesta/data/templates/web/nginx/hosting-firewall-wordpress.stpl http://c.myvestacp.com/tools/rate-limit-tpl/hosting-firewall-wordpress.stpl
systemctl restart nginx systemctl restart nginx