From 5e64abf31c46bc720f27f8bf42d7b262e976da13 Mon Sep 17 00:00:00 2001 From: Egor Savkin Date: Thu, 15 Aug 2024 13:09:00 +0800 Subject: [PATCH] Limit connections and redirect www to canonical Signed-off-by: Egor Savkin --- m-labs-intl/m-labs-intl.com | 34 ++++++++++++++++++++++++++++------ m-labs-intl/nginx.conf | 33 +++++++++++++++++++++++++++++++++ m-labs-intl/setup.md | 25 ++++++++++++++----------- 3 files changed, 75 insertions(+), 17 deletions(-) diff --git a/m-labs-intl/m-labs-intl.com b/m-labs-intl/m-labs-intl.com index b0373e5..1beb125 100644 --- a/m-labs-intl/m-labs-intl.com +++ b/m-labs-intl/m-labs-intl.com @@ -3,13 +3,15 @@ upstream rfq_server { } server { + limit_conn addr 5; + root /var/www/m-labs-intl.com/html; index index.html index.htm index.nginx-debian.html; - server_name m-labs-intl.com www.m-labs-intl.com; + server_name m-labs-intl.com; location / { - try_files $uri $uri/ =404; + try_files $uri $uri/ =404; } listen [::]:443 ssl ipv6only=on; # managed by Certbot @@ -20,8 +22,22 @@ server { ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } +server { + server_name www.m-labs-intl.com; + return 301 https://m-labs-intl.com$request_uri; + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + server { server_name hooks.m-labs-intl.com; + limit_conn addr 1; + limit_req zone=rfq; location /rfq { proxy_pass http://rfq_server/rfq; @@ -35,9 +51,10 @@ server { } location / { - return 404; + return 418; } + listen [::]:443 ssl; # managed by Certbot listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot @@ -46,15 +63,20 @@ server { } server { - if ($host = www.m-labs-intl.com) { + limit_conn addr 1; + if ($host = m-labs-intl.com) { return 301 https://$host$request_uri; } # managed by Certbot + if ($host = www.m-labs-intl.com) { + return 301 https://m-labs-intl.com$request_uri; + } # managed by Certbot + + listen 80; listen [::]:80; - server_name m-labs-intl.com www.m-labs-intl.com; + server_name m-labs-intl.com www.m-labs-intl.com hooks.m-labs-intl.com; return 301 https://$host$request_uri; - #return 404; # managed by Certbot } \ No newline at end of file diff --git a/m-labs-intl/nginx.conf b/m-labs-intl/nginx.conf index 01fb137..a015061 100644 --- a/m-labs-intl/nginx.conf +++ b/m-labs-intl/nginx.conf @@ -33,6 +33,10 @@ http { ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE ssl_prefer_server_ciphers on; + # Rate limiting + limit_conn_zone $binary_remote_addr zone=addr:10m; + limit_req_zone $binary_remote_addr zone=rfq:10m rate=5r/m; + ## # Logging Settings ## @@ -59,3 +63,32 @@ http { include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } + + +stream { + limit_conn_zone $binary_remote_addr zone=mail:10m; + # Upstream mail servers + upstream smtp_backend { + server mail.m-labs.hk:25; + } + + upstream submission_backend { + server mail.m-labs.hk:587; + } + + # SMTP + server { + listen 25; + proxy_pass smtp_backend; + proxy_protocol on; + limit_conn mail 5; + } + + # Submission (Authenticated SMTP) + server { + listen 587; + proxy_pass submission_backend; + proxy_protocol on; + limit_conn mail 5; + } +} \ No newline at end of file diff --git a/m-labs-intl/setup.md b/m-labs-intl/setup.md index c38ac09..21429f5 100644 --- a/m-labs-intl/setup.md +++ b/m-labs-intl/setup.md @@ -1,7 +1,7 @@ # Setup m-labs-intl.com server ```shell -apt install git nginx-full python3 python3.12-venv python3-pip postfix opendkim opendkim-tools +apt install git nginx-full python3 python3.12-venv python3-pip snap install --classic certbot ln -s /snap/bin/certbot /usr/bin/certbot useradd -m rfqserver @@ -51,14 +51,17 @@ certbot --nginx service nginx restart -cp main.cf /etc/postfix/main.cf -cp virtual /etc/postfix/virtual -postmap /etc/postfix/virtual - -cp opendkim /etc/default/opendkim -cp opendkim.conf /etc/opendkim.conf -opendkim-genkey -t -s mail -d m-labs-intl.com -cp mail.private /etc/postfix/dkim.key -service opendkim restart -service postfix restart +ufw default deny +ufw allow from 94.190.212.123 +ufw allow from 2001:470:f891:1:5999:5529:5d:f71d +ufw allow from 202.77.7.238 +ufw allow from 2001:470:18:390::2 +ufw allow "Nginx HTTP" +ufw allow "Nginx HTTPS" +ufw limit OpenSSH +ufw default allow outgoing +ufw limit 25/tcp +ufw limit 587/tcp +ufw show added +ufw enable ``` \ No newline at end of file