From db881c7b071684b6a3667d5ac38a360740116b13 Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Mon, 8 Jun 2020 14:58:27 +0200
Subject: [PATCH] Add rate limits to avoid ddos
---
 templates/gitea.conf | 9 +++++++++
 templates/weblate.conf | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/templates/gitea.conf b/templates/gitea.conf
index 51989f0..bfe2103 100644
--- a/templates/gitea.conf
+++ b/templates/gitea.conf
@@ -1,3 +1,6 @@
+limit_req_zone $binary_remote_addr zone=gitea_ratelimit:10m rate=5r/s;
+limit_req_zone $binary_remote_addr zone=limit_commit_view:10m rate=2r/m;
+
 server {
 listen 80;
 server_name {{ domain }};
@@ -43,7 +46,13 @@ server {
 gzip_proxied any;
 gzip_vary on;
+ location ~ ".*/commit/.*" {
+ limit_req zone=limit_commit_view burst=5;
+ proxy_pass http://127.0.0.1:3000;
+ #return 500;
+ }
 location / {
+ limit_req zone=req_limit_per_ip burst=20 nodelay;
 proxy_pass http://127.0.0.1:3000;
 }
 }
diff --git a/templates/weblate.conf b/templates/weblate.conf
index ff80989..18aa0bb 100644
--- a/templates/weblate.conf
+++ b/templates/weblate.conf
@@ -1,5 +1,4 @@
 server {
- # TODO: http redirect seems broken
 listen 80;
 server_name weblate.{{ domain }};
 location /.well-known/acme-challenge/ {
@@ -45,6 +44,7 @@ server {
 gzip_vary on;
 location / {
+ limit_req zone=gitea_ratelimit burst=30 nodelay;
 proxy_pass http://127.0.0.1:3001;
 }
 }
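Review bot: The `limit_req` added to `location /` in templates/gitea.conf names zone `req_limit_per_ip`, but this patch declares only `gitea_ratelimit` and `limit_commit_view`. Unless that zone is declared in a file not shown here, nginx will refuse to load the configuration. If the 5r/s zone from the top of the file was intended, the line should read `limit_req zone=gitea_ratelimit burst=20 nodelay;`. In the new `/commit/` location, `burst=5` without `nodelay` at 2r/m queues excess requests and releases one every 30 seconds, so each queued client holds a connection for up to a few minutes; adding `nodelay` and `limit_req_status 429;` would reject them quickly instead. The leftover `#return 500;` should be dropped, and note that the server block opens outside this hunk.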
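Review bot: The `limit_req` added to `location /` in templates/weblate.conf draws from zone `gitea_ratelimit`, which is declared only in templates/gitea.conf. The Weblate vhost therefore depends on the Gitea template being loaded into the same nginx instance, and whether both are always deployed together is not visible here. Any other location that uses the zone would also share one per-address counter with Weblate. Declaring a dedicated zone at the top of weblate.conf would remove the coupling, for example `limit_req_zone $binary_remote_addr zone=weblate_ratelimit:10m rate=5r/s;` with `limit_req zone=weblate_ratelimit burst=30 nodelay;` in the location. The server block opens outside this hunk.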