protection for slow lowris and range attack

2026-02-06 09:56:05 +00:00 · 2024-01-22 17:35:47 +01:00 · 2024-01-22 17:35:47 +01:00 · 5fc176de0b
commit 5fc176de0b
parent b63faab3fb
5 changed files with 49 additions and 0 deletions
--- a/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template
+++ b/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template
@ -1,6 +1,7 @@

    location /api/$FEDERATION_APIVERSION {
        limit_req zone=api burst=60 nodelay;
+        limit_conn addr 30;

        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
--- a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template
+++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template
@ -23,6 +23,15 @@ server {
    include /etc/nginx/common/protect_add_header.conf;
    include /etc/nginx/common/limit_requests.conf;

+    # protect from slow loris
+    client_body_timeout 10s;
+    client_header_timeout 10s;
+    
+    # protect from range attack (in http header)
+    if ($http_range ~ "d{9,}") {
+        return 444;
+    }
+
    #gzip_static  on;
    gzip on;
    gzip_proxied any;
@ -44,6 +53,7 @@ server {
    # Frontend (default)
    location / {
        limit_req zone=frontend burst=40 nodelay;
+        limit_conn addr 40;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
@ -61,6 +71,7 @@ server {
    # Backend
    location /graphql {
        limit_req zone=backend burst=10 nodelay;
+        limit_conn addr 10;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
@ -78,6 +89,7 @@ server {
    # Backend webhooks
    location /hook {
        limit_req zone=backend burst=10;
+        limit_conn addr 10;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
@ -95,6 +107,7 @@ server {
    # Webhook reverse proxy
    location /hooks/ {
        limit_req zone=backend burst=10;
+        limit_conn addr 10;
        proxy_pass http://127.0.0.1:9000/hooks/;

        access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log;
@ -104,6 +117,7 @@ server {
    # Admin Frontend
    location /admin {
        limit_req zone=frontend burst=30 nodelay;
+        limit_conn addr 40;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
--- a/deployment/bare_metal/nginx/sites-available/gradido.conf.template
+++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.template
@ -8,6 +8,15 @@ server {
    include /etc/nginx/common/protect_add_header.conf;
    include /etc/nginx/common/limit_requests.conf;

+    # protect from slow loris
+    client_body_timeout 10s;
+    client_header_timeout 10s;
+    
+    # protect from range attack (in http header)
+    if ($http_range ~ "d{9,}") {
+        return 444;
+    }
+
    #gzip_static  on;
    gzip on;
    gzip_proxied any;
@ -29,6 +38,7 @@ server {
    # Frontend (default)
    location / {
        limit_req zone=frontend burst=40 nodelay;
+        limit_conn addr 40;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
@ -46,6 +56,7 @@ server {
    # Backend
    location /graphql {
        limit_req zone=backend burst=10 nodelay;
+        limit_conn addr 10;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
@ -63,6 +74,7 @@ server {
    # Backend webhooks
    location /hook {
        limit_req zone=backend burst=10;
+        limit_conn addr 10;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
@ -80,6 +92,7 @@ server {
    # Webhook reverse proxy
    location /hooks/ {
        limit_req zone=backend burst=10;
+        limit_conn addr 10;
        proxy_pass http://127.0.0.1:9000/hooks/;

        access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log;
@ -89,6 +102,7 @@ server {
    # Admin Frontend
    location /admin {
        limit_req zone=frontend burst=30 nodelay;
+        limit_conn addr 40;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
--- a/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template
+++ b/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template
@ -23,6 +23,15 @@ server {
    include /etc/nginx/common/protect_add_header.conf;
    include /etc/nginx/common/limit_requests.conf;

+    # protect from slow loris
+    client_body_timeout 10s;
+    client_header_timeout 10s;
+    
+    # protect from range attack (in http header)
+    if ($http_range ~ "d{9,}") {
+        return 444;
+    }
+
    gzip on;

    root $NGINX_UPDATE_PAGE_ROOT;
@ -30,6 +39,7 @@ server {

    location / {
        limit_req zone=frontend;
+        limit_conn addr 10;
        try_files /updating.html =404;
    }

--- a/deployment/bare_metal/nginx/sites-available/update-page.conf.template
+++ b/deployment/bare_metal/nginx/sites-available/update-page.conf.template
@ -8,6 +8,15 @@ server {
    include /etc/nginx/common/protect_add_header.conf;
    include /etc/nginx/common/limit_requests.conf;

+    # protect from slow loris
+    client_body_timeout 10s;
+    client_header_timeout 10s;
+    
+    # protect from range attack (in http header)
+    if ($http_range ~ "d{9,}") {
+        return 444;
+    }
+
    gzip on;

    root $NGINX_UPDATE_PAGE_ROOT;
@ -15,6 +24,7 @@ server {

    location / {
      limit_req zone=frontend;
+      limit_conn addr 10;
      try_files /updating.html =404;
    }