
Improve nginx settings for DDoS resistance

Bob Mottram пре 10 година
родитељ
комит
4685d95c0f
1 измењених фајлова са 105 додато и 3 уклоњено
  1. 105
    3
      install-freedombone.sh

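--- a/install-freedombone.sh
+++ b/install-freedombone.sh
@@ -3003,9 +3003,82 @@ function install_web_server {
      exit 51
   fi
 
-  sed -i "s/worker_processes 4;/worker_processes $CPU_CORES;/g" /etc/nginx/nginx.conf
-  sed -i 's/worker_connections 768;/worker_connections 50;/g' /etc/nginx/nginx.conf
-  sed -i 's/# server_tokens off;/server_tokens off;/g' /etc/nginx/nginx.conf
+  # Nginx settings
+  echo 'user www-data;' > /etc/nginx/nginx.conf
+  echo "worker_processes; $CPU_CORES" >> /etc/nginx/nginx.conf
+  echo 'pid /run/nginx.pid;' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo 'events {' >> /etc/nginx/nginx.conf
+  echo '        worker_connections 50;' >> /etc/nginx/nginx.conf
+  echo '        # multi_accept on;' >> /etc/nginx/nginx.conf
+  echo '}' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo 'http {' >> /etc/nginx/nginx.conf
+  echo '        # limit the number of connections per single IP' >> /etc/nginx/nginx.conf
+  echo '        limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        # limit the number of requests for a given session' >> /etc/nginx/nginx.conf
+  echo '        limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file' >> /etc/nginx/nginx.conf
+  echo '        client_body_buffer_size  128k;' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        # headerbuffer size for the request header from client, its set for testing purpose' >> /etc/nginx/nginx.conf
+  echo '        client_header_buffer_size 3m;' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        # maximum number and size of buffers for large headers to read from client request' >> /etc/nginx/nginx.conf
+  echo '        large_client_header_buffers 4 256k;' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        # read timeout for the request body from client, its set for testing purpose' >> /etc/nginx/nginx.conf
+  echo '        client_body_timeout   3m;' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        # how long to wait for the client to send a request header, its set for testing purpose' >> /etc/nginx/nginx.conf
+  echo '        client_header_timeout 3m;' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        ##' >> /etc/nginx/nginx.conf
+  echo '        # Basic Settings' >> /etc/nginx/nginx.conf
+  echo '        ##' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        sendfile on;' >> /etc/nginx/nginx.conf
+  echo '        tcp_nopush on;' >> /etc/nginx/nginx.conf
+  echo '        tcp_nodelay on;' >> /etc/nginx/nginx.conf
+  echo '        keepalive_timeout 65;' >> /etc/nginx/nginx.conf
+  echo '        types_hash_max_size 2048;' >> /etc/nginx/nginx.conf
+  echo '        server_tokens off;' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        # server_names_hash_bucket_size 64;' >> /etc/nginx/nginx.conf
+  echo '        # server_name_in_redirect off;' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf
+  echo '        default_type application/octet-stream;' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        ##' >> /etc/nginx/nginx.conf
+  echo '        # Logging Settings' >> /etc/nginx/nginx.conf
+  echo '        ##' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        access_log /var/log/nginx/access.log;' >> /etc/nginx/nginx.conf
+  echo '        error_log /var/log/nginx/error.log;' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        ###' >> /etc/nginx/nginx.conf
+  echo '        # Gzip Settings' >> /etc/nginx/nginx.conf
+  echo '        ##' >> /etc/nginx/nginx.conf
+  echo '        gzip on;' >> /etc/nginx/nginx.conf
+  echo '        gzip_disable "msie6";' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        # gzip_vary on;' >> /etc/nginx/nginx.conf
+  echo '        # gzip_proxied any;' >> /etc/nginx/nginx.conf
+  echo '        # gzip_comp_level 6;' >> /etc/nginx/nginx.conf
+  echo '        # gzip_buffers 16 8k;' >> /etc/nginx/nginx.conf
+  echo '        # gzip_http_version 1.1;' >> /etc/nginx/nginx.conf
+  echo '        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        ##' >> /etc/nginx/nginx.conf
+  echo '        # Virtual Host Configs' >> /etc/nginx/nginx.conf
+  echo '        ##' >> /etc/nginx/nginx.conf
+  echo '' >> /etc/nginx/nginx.conf
+  echo '        include /etc/nginx/conf.d/*.conf;' >> /etc/nginx/nginx.conf
+  echo '        include /etc/nginx/sites-enabled/*;' >> /etc/nginx/nginx.conf
+  echo '}' >> /etc/nginx/nginx.conf
 
   # install a script to easily enable and disable nginx virtual hosts
   if [ ! -d $INSTALL_DIR ]; then
@@ -3303,6 +3376,8 @@ quit" > $INSTALL_DIR/batch.sql
   echo "    server_name $OWNCLOUD_DOMAIN_NAME;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
   echo '    access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
   echo "    error_log /var/www/$OWNCLOUD_DOMAIN_NAME/error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
   echo '    rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
   echo '}' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
   echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
@@ -3313,6 +3388,10 @@ quit" > $INSTALL_DIR/batch.sql
   echo '    access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
   echo "    error_log /var/www/$OWNCLOUD_DOMAIN_NAME/error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
   echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
   echo '    ssl on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
   echo "    ssl_certificate /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
   echo "    ssl_certificate_key /etc/ssl/private/$OWNCLOUD_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
@@ -3721,6 +3800,9 @@ function install_wiki {
   echo '    client_max_body_size 20m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
   echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
   echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+  echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+  echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
   echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
   echo '    location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
   echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
@@ -3796,6 +3878,9 @@ function install_wiki {
   echo '    client_max_body_size 20m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
   echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
   echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+  echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+  echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
   echo '    ssl on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
   echo "    ssl_certificate /etc/ssl/certs/$WIKI_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
   echo "    ssl_certificate_key /etc/ssl/private/$WIKI_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
@@ -3952,6 +4037,9 @@ function install_blog {
   echo '    client_max_body_size 20m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
   echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
   echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+  echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+  echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
   echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
   echo '    location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
   echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
@@ -4027,6 +4115,9 @@ function install_blog {
   echo '    client_max_body_size 20m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
   echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
   echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+  echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+  echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
   echo '    ssl on;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
   echo "    ssl_certificate /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
   echo "    ssl_certificate_key /etc/ssl/private/$FULLBLOG_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
@@ -4243,6 +4334,9 @@ quit" > $INSTALL_DIR/batch.sql
   echo '    access_log off;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
   echo "    error_log /var/www/$MICROBLOG_DOMAIN_NAME/error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
   echo '    index index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+  echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+  echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
   echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
   echo '    rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
   echo '}' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
@@ -4254,6 +4348,9 @@ quit" > $INSTALL_DIR/batch.sql
   echo '    index index.php index.html index.htm;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
   echo '    access_log off;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
   echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+  echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+  echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
   echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
   echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
   echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
@@ -4481,6 +4578,8 @@ quit" > $INSTALL_DIR/batch.sql
   echo "    root /var/www/$REDMATRIX_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
   echo '    access_log off;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
   echo "    error_log /var/www/$REDMATRIX_DOMAIN_NAME/error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
+  echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
+  echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
   echo '    index index.php;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
   echo '' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
   echo '    rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
@@ -4497,6 +4596,9 @@ quit" > $INSTALL_DIR/batch.sql
   echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
   echo '    access_log off;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
   echo '' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
+  echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
+  echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
   echo '    ssl on;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
   echo "    ssl_certificate /etc/ssl/certs/$REDMATRIX_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME
   echo "    ssl_certificate_key /etc/ssl/private/$REDMATRIX_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME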