-
Notifications
You must be signed in to change notification settings - Fork 7
/
nginx-dos.conf
184 lines (138 loc) · 6.67 KB
/
nginx-dos.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 30000;
pcre_jit on;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
worker_connections 8192;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
reset_timedout_connection on;
keepalive_timeout 300;
keepalive_requests 10000;
send_timeout 1200;
client_body_timeout 30;
client_header_timeout 30;
types_hash_max_size 2048;
server_names_hash_max_size 4096;
# Common limits
client_max_body_size 10m;
client_body_temp_path /var/nginx/client_body_temp;
proxy_connect_timeout 5;
proxy_send_timeout 10;
proxy_read_timeout 10;
proxy_temp_file_write_size 64k;
proxy_temp_path /var/nginx/proxy_temp;
proxy_buffer_size 4k;
proxy_buffers 32 16k;
proxy_busy_buffers_size 32k;
charset_types text/xml text/plain text/css text/vnd.wap.wml application/javascript application/rss+xml;
gzip on;
gzip_static on;
gzip_types text/plain text/css text/xml application/javascript application/json application/msword application/rtf application/pdf application/vnd.ms-excel image/x-icon image/svg+xml application/font-ttf application/font-woff;
gzip_comp_level 7;
gzip_proxied any;
gzip_min_length 1000;
gzip_disable "msie6";
gzip_vary on;
etag off;
brotli_static on;
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css text/xml application/javascript application/json image/x-icon image/svg+xml;
open_file_cache max=10000 inactive=60s;
open_file_cache_valid 30s;
open_file_cache_errors on;
open_file_cache_min_uses 2;
proxy_cache_valid 1h;
proxy_cache_key $scheme$proxy_host$request_uri$cookie_US;
proxy_cache_path /usr/local/nginx/cache levels=1:2 inactive=2h keys_zone=one:10m max_size=100m;
fastcgi_cache_path /usr/local/nginx/cache2 levels=1:2 inactive=2h keys_zone=two:10m max_size=100m;
limit_conn_zone $binary_remote_addr$host zone=lone:10m;
limit_req_zone $binary_remote_addr$host zone=ltwo:10m rate=3r/s;
limit_req_zone $binary_remote_addr$host zone=highspeed:10m rate=20r/s;
log_format postdata '$remote_addr - $time_local - $request_body';
# Nginx Amplify format
log_format main_ext '$remote_addr - $host [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'rt=$request_time ua="$upstream_addr" '
'us="$upstream_status" ut="$upstream_response_time" '
'ul="$upstream_response_length" '
'cs=$upstream_cache_status' ;
log_format crypto '$remote_addr - $host - [$time_local] - $ssl_protocol - $ssl_cipher'
' "$http_user_agent" $ssl_early_data';
access_log /var/log/nginx/access.log main_ext;
access_log /var/log/nginx/ssl.log crypto;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
#ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_session_cache shared:SSL:10m;
ssl_session_tickets on;
ssl_session_timeout 28h;
ssl_dhparam /etc/nginx/dhparams.pem;
#ssl_stapling on;
#ssl_stapling_verify on;
ssl_early_data on;
ssl_buffer_size 16k;
http2_chunk_size 8k;
http2_idle_timeout 5m;
#http2_max_concurrent_streams 32;
resolver 77.88.8.8 valid=300s ipv6=off;
resolver_timeout 5s;
map $http_accept $webp_suffix {
"~*webp" ".webp";
}
map $msie $cache_control {
default "max-age=31536000, public, no-transform, immutable";
"1" "max-age=31536000, private, no-transform, immutable";
}
map $msie $vary_header {
default "Accept";
"1" "";
}
map $http_user_agent $limit_bots {
default 0;
~*(google|bing|yandex|msnbot) 1;
~*(AltaVista|Googlebot|Slurp|BlackWidow|Bot|ChinaClaw|Custo|DISCo|Download|Demon|eCatch|EirGrabber|EmailSiphon|EmailWolf|SuperHTTP|Surfbot|WebWhacker) 1;
~*(Express|WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|Go!Zilla|Go-Ahead-Got-It) 1;
~*(rafula|HMView|HTTrack|Stripper|Sucker|Indy|InterGET|Ninja|JetCar|Spider|larbin|LeechFTP|Downloader|tool|Navroad|NearSite|NetAnts|tAkeOut|WWWOFFLE) 1;
~*(GrabNet|NetSpider|Vampire|NetZIP|Octopus|Offline|PageGrabber|Foto|pavuk|pcBrowser|RealDownload|ReGet|SiteSnagger|SmartDownload|SuperBot|WebSpider) 1;
~*(Teleport|VoidEYE|Collector|WebAuto|WebCopier|WebFetch|WebGo|WebLeacher|WebReaper|WebSauger|eXtractor|Quester|WebStripper|WebZIP|Wget|Widow|Zeus) 1;
~*(Twengabot|htmlparser|libwww|Python|perl|urllib|scan|Curl|email|PycURL|Pyth|PyQ|WebCollector|WebCopy|webcraw) 1;
}
include /etc/nginx/sites-enabled/*;
}
server {
listen 80;
server_name example.ru;
charset utf-8;
location / {
proxy_pass http://127.0.0.1:9090/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 100m;
client_body_buffer_size 128k;
limit_conn lone 5;
limit_req zone=ltwo burst=10 nodelay;
}
# Static files location
location ~* \.(ttf|eot|svg|woff|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|docx|xlsx|pptx|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|avi|swf)$ {
root /home/www;
add_header Cache-Control "max-age=31536000, public, no-transform, immutable";
}
if ($limit_bots = 1) {
return 404;
}
}
error_log
2019/01/11 12:11:43 [error] 24926#24926: *2351 limiting requests, excess: 3.440 by zone "ltwo", client: 85.236.12.17, server: metodlab.ru, request: "GET / HTTP/2.0", host: "metodlab.ru"