feat(nginx): 新增请求速率限制
这个提交包含在:
@@ -33,7 +33,7 @@ spec:
|
||||
type: nginx
|
||||
env:
|
||||
- name: COLLECTIONS
|
||||
value: "crowdsecurity/base-http-scenarios"
|
||||
value: "crowdsecurity/base-http-scenarios crowdsecurity/http-dos"
|
||||
- name: SCENARIOS
|
||||
value: "crowdsecurity/nginx-req-limit-exceeded"
|
||||
persistentVolume:
|
||||
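Review bot: The new `SCENARIOS` entry `crowdsecurity/nginx-req-limit-exceeded` is only useful when two things outside this hunk hold: the ingress actually enforces `limit_req` (the configmap hunk below adds it) and the nginx error-log parser in the parser hunk matches the "limiting requests" lines nginx writes when that happens; neither dependency is recorded here. A comment above `- name: SCENARIOS`, e.g. `# needs limit_req enabled in ingress-nginx and the nginx error-log parser; the scenario keys on nginx rate-limit error lines`, would make that coupling visible to whoever edits either file later. The `COLLECTIONS` change keeps the value a single space-separated string, which is consistent with the existing entry, so the edit itself looks right.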
@@ -86,41 +86,47 @@ spec:
|
||||
# nginx access logs
|
||||
- filter: TrimSpace(evt.Parsed.message) startsWith "{" && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "nginx") in ["", nil]
|
||||
statics:
|
||||
- meta: service
|
||||
value: http
|
||||
- meta: log_type
|
||||
value: http_access-log
|
||||
- target: evt.StrTime
|
||||
expression: evt.Parsed.time
|
||||
- meta: service
|
||||
value: http
|
||||
expression: evt.Unmarshaled.nginx.time_local
|
||||
- meta: source_ip
|
||||
expression: evt.Unmarshaled.nginx.remote_addr
|
||||
- meta: http_status
|
||||
expression: evt.Unmarshaled.nginx.status
|
||||
- meta: http_path
|
||||
expression: evt.Unmarshaled.nginx.request
|
||||
expression: evt.Unmarshaled.nginx.request_uri
|
||||
- meta: http_verb
|
||||
expression: evt.Unmarshaled.nginx.request_method
|
||||
- meta: http_user_agent
|
||||
expression: evt.Unmarshaled.nginx.http_user_agent
|
||||
- meta: target_fqdn
|
||||
expression: evt.Unmarshaled.nginx.server_name
|
||||
# nginx error logs
|
||||
- grok:
|
||||
pattern: '(%{IPORHOST:target_fqdn} )?%{NGINXERRTIME:time} \[%{LOGLEVEL:loglevel}\] %{NONNEGINT:pid}#%{NONNEGINT:tid}: (\*%{NONNEGINT:cid} )?%{GREEDYDATA:message}, client: %{IPORHOST:remote_addr}, server: %{DATA:target_fqdn}, request: "%{WORD:verb} ([^/]+)?%{NGCUSTOMURIPATHPARAM:request}( HTTP/%{NUMBER:http_version})?", host: "%{IPORHOST}(:%{NONNEGINT})?"'
|
||||
apply_on: message
|
||||
statics:
|
||||
- meta: service
|
||||
value: http
|
||||
- meta: log_type
|
||||
value: http_error-log
|
||||
- target: evt.StrTime
|
||||
expression: evt.Parsed.time
|
||||
- meta: service
|
||||
value: http
|
||||
- meta: source_ip
|
||||
expression: "evt.Parsed.remote_addr"
|
||||
expression: evt.Parsed.remote_addr
|
||||
- meta: http_status
|
||||
expression: "evt.Parsed.status"
|
||||
expression: evt.Parsed.status
|
||||
- meta: http_path
|
||||
expression: "evt.Parsed.request"
|
||||
expression: evt.Parsed.request
|
||||
- meta: http_verb
|
||||
expression: evt.Parsed.verb
|
||||
- meta: http_user_agent
|
||||
expression: "evt.Parsed.http_user_agent"
|
||||
expression: evt.Parsed.http_user_agent
|
||||
- meta: target_fqdn
|
||||
expression: "evt.Parsed.target_fqdn"
|
||||
expression: evt.Parsed.target_fqdn
|
||||
pattern_syntax:
|
||||
NO_DOUBLE_QUOTE: '[^"]+'
|
||||
onsuccess: next_stage
|
||||
|
||||
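Review bot: Both `source_ip` statics take the address from `remote_addr` (`evt.Unmarshaled.nginx.remote_addr` for the access log, `evt.Parsed.remote_addr` for the error log), which is the peer address nginx saw; if the controller sits behind a load balancer that does not hand the client address to nginx, decisions produced by the `http-dos` and `nginx-req-limit-exceeded` scenarios enabled in the first hunk would be taken against the balancer's address rather than the client's, and the same address keys `limit_req_zone $binary_remote_addr` in the ingress configmap hunk. The hunk does not show how traffic reaches the controller, so this is an assumption to confirm rather than a defect I can see; a comment above the first `- meta: source_ip`, e.g. `# remote_addr must already be the real client IP (PROXY protocol / forwarded headers), otherwise decisions hit the load balancer`, would record it. The `- meta: service` / `value: http` static appears twice in both the access-log and the error-log `statics` lists; if both copies are on the new side, the second is redundant and can be dropped. `NO_DOUBLE_QUOTE` under `pattern_syntax` is not referenced by the visible grok pattern and may be a leftover from the upstream parser.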
@@ -34,15 +34,20 @@ spec:
|
||||
ssl-redirect: "true"
|
||||
# 自定义错误页面
|
||||
custom-http-errors: "403,404,502,503"
|
||||
# 缓存配置
|
||||
http-snippet: |
|
||||
# 缓存配置
|
||||
proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=cache:2m max_size=100m inactive=7d use_temp_path=off;
|
||||
proxy_cache_key $uri$is_args$args;
|
||||
proxy_cache_lock on;
|
||||
proxy_cache_use_stale updating;
|
||||
# dns配置
|
||||
# 限速配置
|
||||
limit_req_zone $binary_remote_addr zone=global_limit:10m rate=10r/s;
|
||||
server-snippet : |
|
||||
# dns配置
|
||||
resolver 169.254.20.10 10.43.0.10 ipv6=off;
|
||||
location-snippet: |
|
||||
# 限速配置
|
||||
limit_req zone=global_limit burst=30 nodelay;
|
||||
# 启用geoip2模块
|
||||
use-geoip: "false"
|
||||
use-geoip2: "true"
|
||||
|
||||
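Review bot: A request rejected by the new `limit_req zone=global_limit burst=30 nodelay;` is answered with 503 by default, which `custom-http-errors: "403,404,502,503"` then routes to the default backend and which is indistinguishable from a backend outage in status-code metrics; adding `limit_req_status 429;` directly after the `limit_req` line in `location-snippet` keeps throttling separate from failures and is not caught by the custom error list. The 10r/s, burst 30 zone applies to every location the controller serves, so confirm that is intended for health checks and static assets as well as the API paths. The key on the `server-snippet : |` line carries a space before the colon; YAML still reads it as `server-snippet`, but yamllint's `colons` rule flags it and the other keys in this hunk do not have it, so write `server-snippet: |`.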