feat(enhance): improve strictness of default rate limiting rules

EsadCetiner · Nov 30, 2024 · 4cca243 · 4cca243
1 parent 2beec32
commit 4cca243
Showing 1 changed file with 9 additions and 7 deletions.
diff --git a/nginx.conf b/nginx.conf
@@ -215,18 +215,20 @@ http
 
     #
     # [ Basic DoS mitigations ]
-    # Default values here are very high so it can work well for everybody without false positives, you can fine tune rate limiting per vhost.
+    # The rate limiting here is intentionally lax, if you want stricter and more granular rate limiting
+    # then you'll have to create your own. It's difficult to craft strict rate limiting rules without knowing
+    # anything about the kind of applications your hosting.
     #
 
-    # Limit concurrent connections to 130, most browsers will open up lots of concurrent connections but will never go above 100.
+    # Limit the number of concurrent connections.
     # CIS NGINX 5.2.4 v2.1.0
-    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
-    limit_conn      limit_per_ip 130;
+    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
+    limit_conn      conn_per_ip 200;
 
-    # Limit requests up to 500 per second per ip
+    # Rate limit very aggressive clients
     # CIS NGINX 5.2.5 v2.1.0
-    limit_req_zone $binary_remote_addr zone=allips:10m rate=500r/s;
-    limit_req      zone=allips burst=400 nodelay;
+    limit_req_zone $binary_remote_addr zone=default_ratelimit:10m rate=7500r/m;
+    limit_req      zone=default_ratelimit burst=10000 nodelay;
 
     # Return 429 when rate limiting instead of 503
     # You can set this to 444 to save a few CPU cycles