rate limit login pages for grafana and gitea

Ryan Cavicchioni 2020-09-20 22:45:35 -05:00
parent dadbca219e
commit 32c79b486a
Signed by: ryanc
GPG Key ID: 877EEDAF9245103D
2 changed files with 47 additions and 7 deletions


@ -1,3 +1,16 @@
# {{ ansible_managed }}
limit_req_zone $binary_remote_addr zone=req_gitea_login:10m rate=10r/m;
upstream gitea_backend {
{% if gitea_config.server.protocol is defined and
gitea_config.server.protocol == 'unix' %}
server unix:{{ gitea_config.server.http_addr }};
{% else %}
server 127.0.0.1:{{ gitea_port }};
{% endif %}
}
server { server {
listen 80; listen 80;
{% if ansible_all_ipv6_addresses | length %} {% if ansible_all_ipv6_addresses | length %}
@ -5,6 +18,9 @@ server {
{% endif %} {% endif %}
server_name {{ gitea_domain }}; server_name {{ gitea_domain }};
access_log /var/log/nginx/gitea.access.log main;
error_log /var/log/nginx/gitea.error.log warn;
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
root /var/www/html; root /var/www/html;
try_files $uri =404; try_files $uri =404;
@ -27,6 +43,9 @@ server {
{% endif %} {% endif %}
server_name {{ gitea_domain }}; server_name {{ gitea_domain }};
access_log /var/log/nginx/gitea.access.log main;
error_log /var/log/nginx/gitea.error.log warn;
{% if gitea_ssl_certificate is defined %} {% if gitea_ssl_certificate is defined %}
ssl_certificate {{ gitea_ssl_certificate }}; ssl_certificate {{ gitea_ssl_certificate }};
{% endif %} {% endif %}
@ -37,13 +56,14 @@ server {
ssl_dhparam {{ gitea_ssl_dhparam }}; ssl_dhparam {{ gitea_ssl_dhparam }};
{% endif %} {% endif %}
location ~ /user\/login {
limit_req zone=req_gitea_login burst=10;
proxy_pass http://gitea_backend;
}
location / { location / {
{% if gitea_config.server.protocol is defined and limit_req zone=req_bad_actors burst=10 nodelay;
gitea_config.server.protocol == 'unix' %} proxy_pass http://gitea_backend;
proxy_pass http://unix:{{ gitea_config.server.http_addr }};
{% else %}
proxy_pass http://localhost:{{ gitea_port }};
{% endif %}
} }
} }
{% endif %} {% endif %}
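Review bot: The new `location ~ /user\/login` is an unanchored regex, so it matches any URI that contains `/user/login` anywhere in the path (a repository or file path, for instance), and as a regex location it wins over `location /` for those requests. A prefix match such as `location ^~ /user/login {` would scope the limit to the sign-in endpoint. In this block and in the Grafana `/login` block, `limit_req ... burst=10` without `nodelay` queues excess requests and releases them at one per six seconds, so a user behind a shared address can wait up to a minute; a smaller burst with `nodelay` plus `limit_req_status 429;` would fail fast and keep throttled logins distinguishable from backend 503s in the logs. `zone=req_bad_actors` in `location /` is not declared in either template touched here, so it presumably lives in the http context elsewhere; if it does not, `nginx -t` will reject the config. The enclosing `server` block opens above this hunk.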


@ -1,3 +1,11 @@
# {{ ansible_managed }}
limit_req_zone $binary_remote_addr zone=req_grafana_login:10m rate=10r/m;
upstream grafana_backend {
server 127.0.0.1:{{ grafana_port }};
}
server { server {
listen 80; listen 80;
{% if ansible_all_ipv6_addresses | length %} {% if ansible_all_ipv6_addresses | length %}
@ -5,6 +13,9 @@ server {
{% endif %} {% endif %}
server_name {{ grafana_domain }}; server_name {{ grafana_domain }};
access_log /var/log/nginx/grafana.access.log main;
error_log /var/log/nginx/grafana.error.log warn;
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
root /var/www/html; root /var/www/html;
try_files $uri =404; try_files $uri =404;
@ -27,6 +38,9 @@ server {
{% endif %} {% endif %}
server_name {{ grafana_domain }}; server_name {{ grafana_domain }};
access_log /var/log/nginx/grafana.access.log main;
error_log /var/log/nginx/grafana.error.log warn;
{% if grafana_ssl_certificate is defined %} {% if grafana_ssl_certificate is defined %}
ssl_certificate {{ grafana_ssl_certificate }}; ssl_certificate {{ grafana_ssl_certificate }};
{% endif %} {% endif %}
@ -37,8 +51,14 @@ server {
ssl_dhparam {{ grafana_ssl_dhparam }}; ssl_dhparam {{ grafana_ssl_dhparam }};
{% endif %} {% endif %}
location /login {
limit_req zone=req_grafana_login burst=10;
proxy_pass http://grafana_backend;
}
location / { location / {
proxy_pass http://localhost:{{ grafana_port }}; limit_req zone=req_bad_actors burst=10 nodelay;
proxy_pass http://grafana_backend;
} }
} }
{% endif %} {% endif %}
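Review bot: Only `location /login` gets the 10r/m limit, so credential checks that Grafana performs on other paths fall under `location /` and the `req_bad_actors` zone, whose rate is not visible in this commit; HTTP basic auth on `/api/`, when enabled, is one such path. It is worth confirming that zone's rate is tight enough for password guessing, or adding a limited `location /api/` or disabling basic auth in Grafana. The zone is keyed on `$binary_remote_addr`, so if this nginx ever sits behind another proxy or load balancer, every user shares one bucket unless the real client address is restored first. A comment above the `limit_req_zone` line stating the assumption would help, e.g. `# keyed on peer address; assumes nginx is the edge`.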