From d27244a7a8086977043ff9112894399a1288ab5a Mon Sep 17 00:00:00 2001
From: VirtuBox
Date: Sat, 14 Apr 2018 18:59:50 +0200
Subject: [PATCH] comment requests/connections limitation optional settings, can be uncommented if needed

---
 etc/nginx/common/ocsp.conf | 3 ++-
 etc/nginx/nginx-intermediate.conf | 8 ++++----
 etc/nginx/nginx-tlsv12.conf | 8 ++++----
 etc/nginx/nginx.conf | 11 ++++++-----
 4 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/etc/nginx/common/ocsp.conf b/etc/nginx/common/ocsp.conf
index f8dddcd..4ff2e4d 100644
--- a/etc/nginx/common/ocsp.conf
+++ b/etc/nginx/common/ocsp.conf
@@ -1,5 +1,6 @@
 ##OCSP settings
 ssl_stapling on;
+resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=300s;
 ssl_stapling_verify on;
-resolver 8.8.4.4 8.8.8.8 valid=300s;
+#ssl_trusted_certificate /etc/ssl/private/ocsp-certs.pem; # <- Add signing certs here
 resolver_timeout 5s;
\ No newline at end of file
diff --git a/etc/nginx/nginx-intermediate.conf b/etc/nginx/nginx-intermediate.conf
index b7df8b3..fbb8114 100644
--- a/etc/nginx/nginx-intermediate.conf
+++ b/etc/nginx/nginx-intermediate.conf
@@ -34,12 +34,12 @@ http
 #Simple DOS mitigation
 ##Max c/s by ip
- limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
- limit_conn limit_per_ip 40;
+ #limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
+ #limit_conn limit_per_ip 80;
 ##Max rq/s by ip
- limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
- limit_req zone=allips burst=400 nodelay;
+ #limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
+ #limit_req zone=allips burst=400 nodelay;
 # Proxy Settings
 # set_real_ip_from proxy-server-ip;
diff --git a/etc/nginx/nginx-tlsv12.conf b/etc/nginx/nginx-tlsv12.conf
index 96b68b9..21f0b9a 100644
--- a/etc/nginx/nginx-tlsv12.conf
+++ b/etc/nginx/nginx-tlsv12.conf
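Review bot: In the ocsp.conf hunk `ssl_stapling_verify on;` stays enabled while the `ssl_trusted_certificate` line the commit adds right below it is commented out, so unless the issuer chain up to the root is already present in the file given to `ssl_certificate`, nginx cannot verify the OCSP response it fetches and will log a verification failure instead of stapling. The directive wants the issuer's intermediate and root certificates rather than "signing certs", so the inline hint is misleading; suggest `#ssl_trusted_certificate /etc/ssl/private/ocsp-certs.pem; # issuer intermediate + root chain, needed for ssl_stapling_verify`. The new `resolver` line sends plain, unauthenticated UDP DNS lookups for the OCSP responder host to four public resolvers; pointing it at the host's local caching resolver keeps that lookup on-box and is the usual recommendation for the stapling path. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows.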
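Review bot: The commented-out `#limit_conn limit_per_ip 80;` in the nginx-intermediate.conf hunk silently raises the value from the 40 on the removed line, while the subject line says the settings were only commented; either keep 40 or state the new suggested value in the commit message. With all four directives disabled the `#Simple DOS mitigation` heading no longer describes what follows, and a reader who uncomments `limit_conn` or `limit_req` without its matching `_zone` line gets an nginx that refuses to start on an unknown zone; suggest `#Simple DOS mitigation (optional, disabled by default; uncomment both lines of a pair to enable)`. The same hunk is repeated in nginx-tlsv12.conf and in the first hunk of nginx.conf, and this note applies there too.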
@@ -34,12 +34,12 @@ http
 #Simple DOS mitigation
 ##Max c/s by ip
- limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
- limit_conn limit_per_ip 40;
+ #limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
+ #limit_conn limit_per_ip 80;
 ##Max rq/s by ip
- limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
- limit_req zone=allips burst=400 nodelay;
+ #limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
+ #limit_req zone=allips burst=400 nodelay;
 # Proxy Settings
 # set_real_ip_from proxy-server-ip;
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index bc8a362..5ac0ca6 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -34,12 +34,12 @@ http
 #Simple DOS mitigation
 ##Max c/s by ip
- limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
- limit_conn limit_per_ip 40;
+ #limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
+ #limit_conn limit_per_ip 80;
 ##Max rq/s by ip
- limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
- limit_req zone=allips burst=400 nodelay;
+ #limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
+ #limit_req zone=allips burst=400 nodelay;
 # Proxy Settings
 # set_real_ip_from proxy-server-ip;
@@ -71,12 +71,13 @@ http
 ssl_session_timeout 1d;
 ssl_session_tickets off;
 ssl_ecdh_curve X25519:P-521:P-384:P-256;
-
+
 ##Common headers for security
 more_set_headers "X-Frame-Options : SAMEORIGIN";
 more_set_headers "X-Xss-Protection : 1; mode=block";
 more_set_headers "X-Content-Type-Options : nosniff";
 more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
+
 ##
 # Basic Settings
 ##