mirror/infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00
Code Issues
dbscripts-git-repo
infrastructure/roles/security_tracker/templates/nginx.d.conf.j2
Leonidas Spyropoulos d49f74d4a2
security_tracker: rate limit RSS feeds 
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
2023-04-06 16:19:09 +03:00

71 lines
2.4 KiB
Django/Jinja
Raw Permalink Blame History

# limit rss requests to 1 r/m
limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;
# limit general requests to 5 r/s to block DoS attempts with a burst of 10.
limit_req_zone $binary_remote_addr zone=archseclimit:10m rate=5r/s;
limit_req_status 429;
upstream security-tracker {
server unix:///run/uwsgi/security-tracker.sock;
}
server {
listen 80;
listen [::]:80;
server_name {{ security_tracker_domain }};
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log reduced;
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ security_tracker_domain }}/error.log;
include snippets/letsencrypt.conf;
location / {
access_log off;
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ security_tracker_domain }};
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log reduced;
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ security_tracker_domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ security_tracker_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ security_tracker_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ security_tracker_domain }}/chain.pem;
location = /google9fb65bdd43709b25.html {
# verification code for anthraxx
return 200 "google-site-verification: google9fb65bdd43709b25.html";
}
location /static/ {
alias {{ security_tracker_dir }}/tracker/static/;
}
# Rate limit all RSS feeds
location ~* .*(atom|json)$ {
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log main;
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_main;
include uwsgi_params;
uwsgi_pass security-tracker;
limit_req zone=rsslimit burst=5 nodelay;
}
location / {
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log main;
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_main;
include uwsgi_params;
uwsgi_pass security-tracker;
limit_req zone=archseclimit burst=10 nodelay;
}
}
View Git Blame Copy Permalink