From bfdefc50e31b77af475f69043493ddcd48c03c23 Mon Sep 17 00:00:00 2001
From: myvesta <38690722+myvesta@users.noreply.github.com>
Date: Thu, 2 Nov 2023 10:47:51 +0100
Subject: [PATCH] nginx rate-limit improvements

---
 ...https-firewall-burst-2-speed-2-conn-4.stpl | 3 +-
 .../force-https-firewall-burst-2-speed-2.stpl | 3 +-
 .../force-https-firewall-burst-2.stpl | 3 +-
 .../force-https-firewall-wordpress.stpl | 87 +++++++++++++++++++
 .../force-https-firewall-wordpress.tpl | 8 ++
 .../rate-limit-tpl/force-https-firewall.stpl | 3 +-
 .../rate-limit-tpl/install_rate_limit_tpl.sh | 8 +-
 7 files changed, 110 insertions(+), 5 deletions(-)
 create mode 100644 src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.stpl
 create mode 100644 src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.tpl

diff --git a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2-speed-2-conn-4.stpl b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2-speed-2-conn-4.stpl
index d770ac6a1..1f67154e3 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2-speed-2-conn-4.stpl
+++ b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2-speed-2-conn-4.stpl
@@ -7,7 +7,8 @@ server {
 error_log /var/log/%web_system%/domains/%domain%.error.log error;
 
 location / {
- limit_conn addr 8;
+ limit_conn addr 9;
+ limit_conn zone_site 25;
 limit_req zone=two burst=14 delay=7;
 proxy_pass https://%ip%:%web_ssl_port%;
 }
diff --git a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2-speed-2.stpl b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2-speed-2.stpl
index a2f7f9f23..dfd002702 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2-speed-2.stpl
+++ b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2-speed-2.stpl
@@ -7,7 +7,8 @@ server {
 error_log /var/log/%web_system%/domains/%domain%.error.log error;
 
 location / {
- limit_conn addr 4;
+ limit_conn addr 7;
+ limit_conn zone_site 20;
 limit_req zone=two burst=14 delay=7;
 proxy_pass https://%ip%:%web_ssl_port%;
 }
diff --git a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2.stpl b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2.stpl
index 6118fa82d..6d6327131 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2.stpl
+++ b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-burst-2.stpl
@@ -7,7 +7,8 @@ server {
 error_log /var/log/%web_system%/domains/%domain%.error.log error;
 
 location / {
- limit_conn addr 3;
+ limit_conn addr 5;
+ limit_conn zone_site 15;
 limit_req zone=one burst=14 delay=7;
 proxy_pass https://%ip%:%web_ssl_port%;
 }
diff --git a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.stpl b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.stpl
new file mode 100644
index 000000000..3b2c23b97
--- /dev/null
+++ b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.stpl
@@ -0,0 +1,87 @@
+server {
+ listen %ip%:%proxy_ssl_port% ssl http2;
+ server_name %domain_idn% %alias_idn%;
+ # ssl on;
+ ssl_certificate %ssl_pem%;
+ ssl_certificate_key %ssl_key%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ location / {
+ error_page 418 = @wordfence_lh;
+ error_page 419 = @wordfence_route;
+ error_page 420 = @wordfence_sync;
+
+ if ($request_uri ~ "^/\?wordfence_lh") { return 418; }
+ if ($request_uri ~ "^/\?rest_route=%2Fwordfence") { return 419; }
+ if ($request_uri ~ "^/\?wordfence_syncAttackData") { return 420; }
+
+ limit_conn addr 5;
+ limit_conn zone_site 15;
+ limit_req zone=one burst=14 delay=7;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location /wp-admin/ {
+ limit_conn addr 24;
+ limit_req zone=one burst=40 delay=7;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location /wp-json/ {
+ limit_conn addr 8;
+ limit_req zone=one burst=40 delay=7;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location @wordfence_lh {
+ limit_conn addr 8;
+ limit_req zone=wfone burst=120;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location @wordfence_route {
+ limit_conn addr 8;
+ limit_req zone=wfone burst=120;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location @wordfence_sync {
+ limit_conn addr 8;
+ limit_req zone=wfone burst=120;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location /wp-json/wordfence/ {
+ limit_conn addr 8;
+ limit_req zone=wfone burst=120;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location ~* ^.+\.(%proxy_extentions%)$ {
+ root %sdocroot%;
+ access_log /var/log/%web_system%/domains/%domain%.log combined;
+ access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
+ expires max;
+ # try_files $uri @fallback;
+ }
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ location @fallback {
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location ~ /\.ht {return 404;}
+ location ~ /\.env {return 404;}
+ location ~ /\.svn/ {return 404;}
+ location ~ /\.git/ {return 404;}
+ location ~ /\.hg/ {return 404;}
+ location ~ /\.bzr/ {return 404;}
+
+ disable_symlinks if_not_owner from=%docroot%;
+
+ include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
+ include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;
+}
diff --git a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.tpl b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.tpl
new file mode 100644
index 000000000..c9cf11899
--- /dev/null
+++ b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.tpl
@@ -0,0 +1,8 @@
+server {
+ listen %ip%:%proxy_port%;
+ server_name %domain_idn% %alias_idn%;
+ location / {
+ rewrite ^(.*) https://$host$1 permanent;
+ }
+include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
+}
diff --git a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall.stpl b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall.stpl
index b4468a6ab..db6ab623b 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall.stpl
+++ b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall.stpl
@@ -7,7 +7,8 @@ server {
 error_log /var/log/%web_system%/domains/%domain%.error.log error;
 
 location / {
- limit_conn addr 2;
+ limit_conn addr 3;
+ limit_conn zone_site 10;
 limit_req zone=one burst=7 delay=3;
 proxy_pass https://%ip%:%web_ssl_port%;
 }
diff --git a/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh b/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh
index 1d128f7a0..ce5f6d932 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh
+++ b/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh
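Review bot: The `@wordfence_lh`, `@wordfence_route`, `@wordfence_sync` and `/wp-json/wordfence/` locations all use `limit_req zone=wfone burst=120;`, and install_rate_limit_tpl.sh in this same commit defines that zone as `limit_req_zone $scheme zone=wfone:1m rate=1r/s;`, so the key is the scheme string and every client of every vhost on the host shares a single 1 r/s bucket; once enough visitors' `/?wordfence_lh` beacons fill the 120-request burst, all Wordfence traffic on the server is answered with 429, not just the noisy client's. If a per-site ceiling is what is wanted, `$server_name` would at least scope the bucket to one vhost; if a per-client ceiling is wanted, `$binary_remote_addr` is the usual key, and nginx accepts several `limit_req` lines in one location, so a per-site and a per-client limit can coexist. The `/wp-admin/` and `/wp-json/` locations also omit the `limit_conn zone_site 15;` that `location /` carries, which reads as an oversight given that the zone exists to cap a whole site — presumably each should get the same line. Worth confirming that the template renderer leaves the literal `%2F` in `rest_route=%2Fwordfence` untouched, since the rest of the file uses `%name%` tokens for substitution.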
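Review bot: The redirect in `location /` is written as `rewrite ^(.*) https://$host$1 permanent;`, where `return 301 https://$host$request_uri;` is the form nginx's own documentation recommends for a whole-server redirect: no regex evaluation or capture, and the query string travels in `$request_uri` rather than relying on rewrite's implicit argument append. The `include` line is also the only statement inside `server {` without indentation; indenting it like the surrounding lines keeps this template consistent with the .stpl added next to it.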
@@ -12,7 +12,7 @@ grepc=$(grep -c 'limit_conn_zone' /etc/nginx/nginx.conf)
 
 
 if [ "$grepc" -eq 0 ]; then
- sed -i 's|server_names_hash_bucket_size 512;|server_names_hash_bucket_size 512;\n limit_conn_zone $binary_remote_addr zone=addr:1m;\n limit_conn_zone $server_name zone=zone_site:1m;\n limit_req_zone $binary_remote_addr zone=one:1m rate=1r/s;\n limit_req_zone $binary_remote_addr zone=two:1m rate=2r/s;\n limit_conn_log_level error;\n limit_req_log_level error;\n limit_conn_status 429;\n limit_req_status 429;|g' /etc/nginx/nginx.conf
+ sed -i 's|server_names_hash_bucket_size 512;|server_names_hash_bucket_size 512;\n limit_conn_zone $binary_remote_addr zone=addr:1m;\n limit_req_zone $scheme zone=wfone:1m rate=1r/s;\n limit_conn_zone $server_name zone=zone_site:1m;\n limit_req_zone $binary_remote_addr zone=one:1m rate=1r/s;\n limit_req_zone $binary_remote_addr zone=two:1m rate=2r/s;\n limit_conn_log_level error;\n limit_req_log_level error;\n limit_conn_status 429;\n limit_req_status 429;|g' /etc/nginx/nginx.conf
 echo "=== Added rate_limit to nginx.conf"
 fi
 
@@ -28,6 +28,12 @@ if [ "$grepc" -eq 0 ]; then
 echo "=== Added rate_limit 'zone_site' to nginx.conf"
 fi
 
+grepc=$(grep -c 'zone=wfone:1m' /etc/nginx/nginx.conf)
+if [ "$grepc" -eq 0 ]; then
+ sed -i 's| zone=addr:1m;| zone=addr:1m;\n limit_req_zone $scheme zone=wfone:1m rate=1r/s;|g' /etc/nginx/nginx.conf
+ echo "=== Added rate_limit 'zone_site' to nginx.conf"
+fi
+
 grepc=$(grep -c 'zone=one:10m' /etc/nginx/nginx.conf)
 if [ "$grepc" -eq 1 ]; then
 sed -i 's|zone=one:10m|zone=one:1m|g' /etc/nginx/nginx.conf
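Review bot: The new `wfone` block's log line is copied from the `zone_site` block above it, so a run that inserts the wfone zone prints `=== Added rate_limit 'zone_site' to nginx.conf` and misreports what changed; change it to `echo "=== Added rate_limit 'wfone' to nginx.conf"`. Both sed insertions in this file depend on an exact anchor spelling (`server_names_hash_bucket_size 512;` in the first hunk, ` zone=addr:1m;` in the second), and a config that lacks the anchor silently gets no zone while the templates still reference `zone=wfone`, which nginx rejects at load time; a `nginx -t` after the edits, if the script does not already run one further down, would surface that before a template is installed.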