diff --git a/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template b/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template index 1148cc9f7..5123deb5e 100644 --- a/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template +++ b/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template @@ -1,6 +1,7 @@ location /api/$FEDERATION_APIVERSION { limit_req zone=api burst=60 nodelay; + limit_conn addr 30; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template index b130d7374..822c326d0 100644 --- a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template +++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template @@ -23,6 +23,15 @@ server { include /etc/nginx/common/protect_add_header.conf; include /etc/nginx/common/limit_requests.conf; + # protect from slow loris + client_body_timeout 10s; + client_header_timeout 10s; + + # protect from range attack (in http header) + if ($http_range ~ "d{9,}") { + return 444; + } + #gzip_static on; gzip on; gzip_proxied any; @@ -44,6 +53,7 @@ server { # Frontend (default) location / { limit_req zone=frontend burst=40 nodelay; + limit_conn addr 40; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -61,6 +71,7 @@ server { # Backend location /graphql { limit_req zone=backend burst=10 nodelay; + limit_conn addr 10; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -78,6 +89,7 @@ server { # Backend webhooks location /hook { limit_req zone=backend burst=10; + limit_conn addr 10; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -95,6 +107,7 @@ server { # Webhook reverse proxy location /hooks/ { limit_req zone=backend burst=10; + limit_conn addr 10; proxy_pass http://127.0.0.1:9000/hooks/; access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log; @@ -104,6 +117,7 @@ server { # Admin Frontend location /admin { limit_req zone=frontend burst=30 nodelay; + limit_conn addr 40; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.template index 91ab0d3bc..1f673ee41 100644 --- a/deployment/bare_metal/nginx/sites-available/gradido.conf.template +++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.template @@ -8,6 +8,15 @@ server { include /etc/nginx/common/protect_add_header.conf; include /etc/nginx/common/limit_requests.conf; + # protect from slow loris + client_body_timeout 10s; + client_header_timeout 10s; + + # protect from range attack (in http header) + if ($http_range ~ "d{9,}") { + return 444; + } + #gzip_static on; gzip on; gzip_proxied any; @@ -29,6 +38,7 @@ server { # Frontend (default) location / { limit_req zone=frontend burst=40 nodelay; + limit_conn addr 40; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -46,6 +56,7 @@ server { # Backend location /graphql { limit_req zone=backend burst=10 nodelay; + limit_conn addr 10; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -63,6 +74,7 @@ server { # Backend webhooks location /hook { limit_req zone=backend burst=10; + limit_conn addr 10; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; @@ -80,6 +92,7 @@ server { # Webhook reverse proxy location /hooks/ { limit_req zone=backend burst=10; + limit_conn addr 10; proxy_pass http://127.0.0.1:9000/hooks/; access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log; @@ -89,6 +102,7 @@ server { # Admin Frontend location /admin { limit_req zone=frontend burst=30 nodelay; + limit_conn addr 40; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; diff --git a/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template index 7d30cd273..ee7732230 100644 --- a/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template +++ b/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template @@ -23,6 +23,15 @@ server { include /etc/nginx/common/protect_add_header.conf; include /etc/nginx/common/limit_requests.conf; + # protect from slow loris + client_body_timeout 10s; + client_header_timeout 10s; + + # protect from range attack (in http header) + if ($http_range ~ "d{9,}") { + return 444; + } + gzip on; root $NGINX_UPDATE_PAGE_ROOT; @@ -30,6 +39,7 @@ server { location / { limit_req zone=frontend; + limit_conn addr 10; try_files /updating.html =404; } diff --git a/deployment/bare_metal/nginx/sites-available/update-page.conf.template b/deployment/bare_metal/nginx/sites-available/update-page.conf.template index 6236d88b0..38dfb2d02 100644 --- a/deployment/bare_metal/nginx/sites-available/update-page.conf.template +++ b/deployment/bare_metal/nginx/sites-available/update-page.conf.template @@ -8,6 +8,15 @@ server { include /etc/nginx/common/protect_add_header.conf; include /etc/nginx/common/limit_requests.conf; + # protect from slow loris + client_body_timeout 10s; + client_header_timeout 10s; + + # protect from range attack (in http header) + if ($http_range ~ "d{9,}") { + return 444; + } + gzip on; root $NGINX_UPDATE_PAGE_ROOT; @@ -15,6 +24,7 @@ server { location / { limit_req zone=frontend; + limit_conn addr 10; try_files /updating.html =404; }