From d7d3338d1396367306b214e0555a2cf3f194bd3a Mon Sep 17 00:00:00 2001
From: Mikita Butsko
Date: Fri, 20 Oct 2023 17:04:38 +0200
Subject: [PATCH 1/3] fix: fix security issues

---
 nginx/nginx.conf | 3 +++
 nginx/themes.conf.template | 24 ++++++++++++++++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 77841cb7..050baa28 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -35,5 +35,8 @@ http {
 gzip_comp_level 4;
 server_tokens off;
 
+ limit_req_zone $binary_remote_addr zone=slimits:5m rate=5r/s;
+ limit_conn_zone $binary_remote_addr zone=connlimits:5m;
+
 include /etc/nginx/conf.d/*.conf;
 }
\ No newline at end of file
diff --git a/nginx/themes.conf.template b/nginx/themes.conf.template
index 62f0bc55..7d66365c 100644
--- a/nginx/themes.conf.template
+++ b/nginx/themes.conf.template
@@ -5,11 +5,31 @@ server {
 error_log /var/log/nginx/error.log;
 root /var/www;
 
+ client_body_buffer_size 1K;
+ client_header_buffer_size 1k;
+ client_max_body_size 1k;
+
+ # Block download agents
+ if ($http_user_agent ~ LWP::Simple|BBBike|wget) {
+ return 403;
+ }
+
+ # Block some robots
+ if ($http_user_agent ~ msnbot|scrapbot) {
+ return 403;
+ }
+
 location / {
- expires 1M;
+ expires 1w;
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
 add_header Cache-Control "public";
+
+ # Prevent hot-linking and bandwidth theft
+ valid_referers none blocked www.example.com example.com;
+ if ($invalid_referer) {
+ return 403;
+ }
 }
-}
+}
\ No newline at end of file

From cb92e091b0e5007e71cbb48581c91e599002715a Mon Sep 17 00:00:00 2001
From: Mikita Butsko
Date: Fri, 20 Oct 2023 17:30:32 +0200
Subject: [PATCH 2/3] fix: fix requests limit

---
 nginx/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 050baa28..0361c23c 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
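Review bot: The zones declared by `limit_req_zone $binary_remote_addr zone=slimits:5m rate=5r/s;` and `limit_conn_zone $binary_remote_addr zone=connlimits:5m;` are never applied — no `limit_req` or `limit_conn` directive appears in this hunk or in the server block added to themes.conf.template in the same patch, so neither limit affects any request. To make them effective, add something like `limit_req zone=slimits burst=10 nodelay;` and `limit_conn connlimits 20;` (values illustrative) to the server or location block, ideally with `limit_req_status 429;` so throttled clients are distinguishable from errors in the access log. The same unused-zone issue carries through PATCH 2/3, which only retunes the rate to `100r/s`, and PATCH 3/3 then deletes both zones, leaving no rate limiting at all. If this nginx sits behind a proxy or load balancer, `$binary_remote_addr` would key every client on the proxy's address — worth confirming against the deployment before re-introducing these.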
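Review bot: `valid_referers none blocked www.example.com example.com;` hard-codes placeholder hosts in a file that is rendered as a template, so once deployed, pages on the real site that embed these theme assets send a referer that is not in the list and are answered with 403; `valid_referers none blocked server_names;` or the template's own host variable would express the intent without the placeholder. The user-agent checks use the case-sensitive `~`, so the `wget` alternative does not match the `Wget/…` string that tool sends; if the rule is kept it needs `~*`, and because the header is client-supplied it should be documented as nuisance filtering rather than a security control. `client_max_body_size 1k;` makes nginx return 413 for any request body larger than 1 KiB, which is presumably acceptable for a static `root /var/www;` theme server but deserves a comment saying that no uploads or form posts are expected here. The server block continues outside the hunk.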
@@ -35,7 +35,7 @@ http {
 gzip_comp_level 4;
 server_tokens off;
 
- limit_req_zone $binary_remote_addr zone=slimits:5m rate=5r/s;
+ limit_req_zone $binary_remote_addr zone=slimits:5m rate=100r/s;
 limit_conn_zone $binary_remote_addr zone=connlimits:5m;
 
 include /etc/nginx/conf.d/*.conf;

From 631e4d7bb5254efb17e1f997c9a36d4789495cb3 Mon Sep 17 00:00:00 2001
From: Mikita Butsko
Date: Tue, 14 Nov 2023 17:08:53 +0100
Subject: [PATCH 3/3] fix: get rid of addr configs

---
 nginx/nginx.conf | 3 ---
 nginx/themes.conf.template | 6 ------
 2 files changed, 9 deletions(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 0361c23c..77841cb7 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -35,8 +35,5 @@ http {
 gzip_comp_level 4;
 server_tokens off;
 
- limit_req_zone $binary_remote_addr zone=slimits:5m rate=100r/s;
- limit_conn_zone $binary_remote_addr zone=connlimits:5m;
-
 include /etc/nginx/conf.d/*.conf;
 }
\ No newline at end of file
diff --git a/nginx/themes.conf.template b/nginx/themes.conf.template
index 7d66365c..beb743e2 100644
--- a/nginx/themes.conf.template
+++ b/nginx/themes.conf.template
@@ -25,11 +25,5 @@ server {
 tcp_nopush on;
 tcp_nodelay on;
 add_header Cache-Control "public";
-
- # Prevent hot-linking and bandwidth theft
- valid_referers none blocked www.example.com example.com;
- if ($invalid_referer) {
- return 403;
- }
 }
 }
\ No newline at end of file