Last active
April 5, 2024 00:46
-
-
Save ipmb/472da2a9071dd87e24d3 to your computer and use it in GitHub Desktop.
Nginx reverse proxy with rate limiting
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| upstream myapp { | |
| server 127.0.0.1:8081; | |
| } | |
| limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s; | |
| server { | |
| listen 443 ssl spdy; | |
| server_name _; | |
| ssl on; | |
| ssl_certificate /etc/nginx/ssl/cert.pem; | |
| ssl_certificate_key /etc/nginx/ssl/cert.key; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_ciphers AES256+EECDH:AES256+EDH; | |
| ssl_session_cache builtin:1000 shared:SSL:5m; | |
| ssl_prefer_server_ciphers on; | |
| location / { | |
| proxy_pass http://myapp; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header Host $http_host; | |
| } | |
| location /account/login/ { | |
| # apply rate limiting | |
| limit_req zone=login burst=5; | |
| # boilerplate copied from location / | |
| proxy_pass http://myapp; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header Host $http_host; | |
| } | |
| } |
All the proxy_set_* boilerplate can be moved to the server or even http blocks as @bitcity suggested:
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
Syntax: proxy_set_header field value;
Default: proxy_set_header Host $proxy_host;
proxy_set_header Connection close;
Context: http, server, location
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
yes, it helps to prevent DOS attack from single IP. No matter how much traffic is you are getting from different IPs /users.