From 9411e2f1df302631aa18422fa66bcb1886c4cc26 Mon Sep 17 00:00:00 2001
From: myvesta <38690722+myvesta@users.noreply.github.com>
Date: Thu, 21 May 2020 23:48:01 +0200
Subject: [PATCH] nginx rate limit burst x2

---
 .../force-https-firewall-burst-2.stpl         | 41 +++++++++++++++++++
 .../force-https-firewall-burst-2.tpl          |  8 ++++
 .../hosting-firewall-burst-2.stpl             | 41 +++++++++++++++++++
 .../hosting-firewall-burst-2.tpl              | 38 +++++++++++++++++
 4 files changed, 128 insertions(+)
 create mode 100644 src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2.stpl
 create mode 100644 src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2.tpl
 create mode 100644 src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.stpl
 create mode 100644 src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.tpl

diff --git a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2.stpl b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2.stpl
new file mode 100644
index 000000000..ab5273721
--- /dev/null
+++ b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2.stpl
@@ -0,0 +1,41 @@
+server {
+    listen      %ip%:%proxy_ssl_port% ssl http2;
+    server_name %domain_idn% %alias_idn%;
+    # ssl         on;
+    ssl_certificate      %ssl_pem%;
+    ssl_certificate_key  %ssl_key%;
+    error_log  /var/log/%web_system%/domains/%domain%.error.log error;
+
+    location / {
+        limit_conn addr 3;
+        limit_req zone=one burst=14 delay=7;
+        proxy_pass      https://%ip%:%web_ssl_port%;
+    }
+
+    location ~* ^.+\.(%proxy_extentions%)$ {
+        root           %sdocroot%;
+        access_log     /var/log/%web_system%/domains/%domain%.log combined;
+        access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
+        expires        max;
+        # try_files      $uri @fallback;
+    }
+
+    location /error/ {
+        alias   %home%/%user%/web/%domain%/document_errors/;
+    }
+
+    location @fallback {
+        proxy_pass      https://%ip%:%web_ssl_port%;
+    }
+
+    location ~ /\.ht    {return 404;}
+    location ~ /\.svn/  {return 404;}
+    location ~ /\.git/  {return 404;}
+    location ~ /\.hg/   {return 404;}
+    location ~ /\.bzr/  {return 404;}
+
+    disable_symlinks if_not_owner from=%docroot%;
+
+    include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
+    include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;
+}
diff --git a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2.tpl b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2.tpl
new file mode 100644
index 000000000..851ac0dcc
--- /dev/null
+++ b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2.tpl
@@ -0,0 +1,8 @@
+server {
+    listen      %ip%:%proxy_port%;
+    server_name %domain_idn% %alias_idn%;
+    location / {
+        rewrite ^(.*) https://%domain_idn%$1 permanent;
+    }
+include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
+}
diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.stpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.stpl
new file mode 100644
index 000000000..24bf0c1f4
--- /dev/null
+++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.stpl
@@ -0,0 +1,41 @@
+server {
+    listen      %ip%:%proxy_ssl_port% ssl http2;
+    server_name %domain_idn% %alias_idn%;
+    # ssl         on;
+    ssl_certificate      %ssl_pem%;
+    ssl_certificate_key  %ssl_key%;
+    error_log  /var/log/%web_system%/domains/%domain%.error.log error;
+
+    location / {
+        limit_conn addr 3;
+        limit_req zone=one burst=14 delay=7;
+        proxy_pass      https://%ip%:%web_ssl_port%;
+    }
+
+    location ~* ^.+\.(%proxy_extentions%)$ {
+        root           %sdocroot%;
+        access_log     /var/log/%web_system%/domains/%domain%.log combined;
+        access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
+        expires        max;
+        # try_files      $uri @fallback;
+    }
+
+    location /error/ {
+        alias   %home%/%user%/web/%domain%/document_errors/;
+    }
+
+    location @fallback {
+        proxy_pass      https://%ip%:%web_ssl_port%;
+    }
+
+    location ~ /\.ht    {return 404;}
+    location ~ /\.svn/  {return 404;}
+    location ~ /\.git/  {return 404;}
+    location ~ /\.hg/   {return 404;}
+    location ~ /\.bzr/  {return 404;}
+
+    disable_symlinks if_not_owner from=%docroot%;
+
+    include %home%/%user%/conf/web/snginx.%domain%.conf*;
+}
+
diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.tpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.tpl
new file mode 100644
index 000000000..3b382c154
--- /dev/null
+++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-burst-2.tpl
@@ -0,0 +1,38 @@
+server {
+    listen      %ip%:%proxy_port%;
+    server_name %domain_idn% %alias_idn%;
+    error_log  /var/log/%web_system%/domains/%domain%.error.log error;
+
+    location / {
+        limit_conn addr 3;
+        limit_req zone=one burst=14 delay=7;
+        proxy_pass      http://%ip%:%web_port%;
+    }
+
+    location ~* ^.+\.(%proxy_extentions%)$ {
+        root           %docroot%;
+        access_log     /var/log/%web_system%/domains/%domain%.log combined;
+        access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
+        expires        max;
+        # try_files      $uri @fallback;
+    }
+
+    location /error/ {
+        alias   %home%/%user%/web/%domain%/document_errors/;
+    }
+
+    location @fallback {
+        proxy_pass      http://%ip%:%web_port%;
+    }
+
+    location ~ /\.ht    {return 404;}
+    location ~ /\.svn/  {return 404;}
+    location ~ /\.git/  {return 404;}
+    location ~ /\.hg/   {return 404;}
+    location ~ /\.bzr/  {return 404;}
+
+    disable_symlinks if_not_owner from=%docroot%;
+
+    include %home%/%user%/conf/web/nginx.%domain%.conf*;
+}
+