a couple more nginx confs to make script kiddies struggle

papko26 · Nov 24, 2024 · 9510ca6 · 9510ca6
1 parent 1d95e12
commit 9510ca6
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -12,6 +12,8 @@ http {
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
     limit_req_zone $binary_remote_addr zone=mylimit:10m rate=1r/s;
+    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
+
 
     log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
@@ -25,6 +27,10 @@ http {
     server {
     listen 80;
     server_name waze.papko.org;
+    server_tokens off;
+    limit_req zone=mylimit burst=5 nodelay;
+    limit_conn conn_limit 3;
+
     location /.well-known/acme-challenge/ {
         root /var/www/certbot;
     }
@@ -36,12 +42,14 @@ http {
 server {
     listen 443 ssl;
     server_name waze.papko.org;
+    server_tokens off;
+    limit_req zone=mylimit burst=5 nodelay;
+    limit_conn conn_limit 3;
 
     ssl_certificate /etc/letsencrypt/live/waze.papko.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/waze.papko.org/privkey.pem;
 
     location / {
-        limit_req zone=mylimit burst=3 nodelay;
         proxy_pass http://gtw:5000;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;