fix(crowdsec): 优化限速相关配置
@@ -76,7 +76,10 @@ spec:
|
|||||||
profiles.yaml: |
|
profiles.yaml: |
|
||||||
name: captcha_remediation
|
name: captcha_remediation
|
||||||
filters:
|
filters:
|
||||||
- Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http" && GetDecisionsSinceCount(Alert.GetValue(), "24h") <= 3
|
# 规则过滤条件 1.范围为Ip 2.触发场景为http或nginx 3.24小时内决策次数小于等于3
|
||||||
|
- Alert.Remediation == true && Alert.GetScope() == "Ip" &&
|
||||||
|
(Alert.GetScenario() contains "http" || Alert.GetScenario() contains "nginx") &&
|
||||||
|
GetDecisionsSinceCount(Alert.GetValue(), "24h") <= 3
|
||||||
decisions:
|
decisions:
|
||||||
- type: captcha
|
- type: captcha
|
||||||
duration: 4h
|
duration: 4h
|
||||||
|
|||||||
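Review bot: The filter stops matching once `GetDecisionsSinceCount(Alert.GetValue(), "24h") <= 3` is false, so the outcome for a fourth or later alert from the same IP depends on profiles that are not visible in this hunk. Please confirm that a stricter profile (for example a ban) follows `captcha_remediation` and that this profile sets `on_success: break`; otherwise a repeat offender may get no decision at all, or both a captcha and the next profile's decision. The new `contains "nginx"` clause is a substring match on the scenario name, so it routes every scenario with nginx in its name to captcha, not only the rate-limit one; comparing against the intended scenario names would be narrower. The rendered page drops indentation, so it is worth checking that the two continuation lines are indented deeper than the `-` item so that YAML folds them into a single expression.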
@@ -35,6 +35,8 @@ spec:
|
|||||||
# 自定义错误页面
|
# 自定义错误页面
|
||||||
custom-http-errors: "403,404,502,503"
|
custom-http-errors: "403,404,502,503"
|
||||||
http-snippet: |
|
http-snippet: |
|
||||||
|
# lua插件配置
|
||||||
|
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
|
||||||
# 缓存配置
|
# 缓存配置
|
||||||
proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=cache:2m max_size=100m inactive=7d use_temp_path=off;
|
proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=cache:2m max_size=100m inactive=7d use_temp_path=off;
|
||||||
proxy_cache_key $uri$is_args$args;
|
proxy_cache_key $uri$is_args$args;
|
||||||
@@ -42,12 +44,12 @@ spec:
|
|||||||
proxy_cache_use_stale updating;
|
proxy_cache_use_stale updating;
|
||||||
# 限速配置
|
# 限速配置
|
||||||
limit_req_zone $binary_remote_addr zone=global_limit:10m rate=10r/s;
|
limit_req_zone $binary_remote_addr zone=global_limit:10m rate=10r/s;
|
||||||
server-snippet : |
|
server-snippet: |
|
||||||
# dns配置
|
# dns配置 配置在http块下会出现重复配置 所以配置在server块下
|
||||||
resolver 169.254.20.10 10.43.0.10 ipv6=off;
|
resolver 169.254.20.10 10.43.0.10 ipv6=off;
|
||||||
location-snippet: |
|
location-snippet: |
|
||||||
# 限速配置
|
# 限速配置
|
||||||
limit_req zone=global_limit burst=30 nodelay;
|
limit_req zone=global_limit burst=20 nodelay;
|
||||||
# 启用geoip2模块
|
# 启用geoip2模块
|
||||||
use-geoip: "false"
|
use-geoip: "false"
|
||||||
use-geoip2: "true"
|
use-geoip2: "true"
|
||||||
@@ -102,7 +104,7 @@ spec:
|
|||||||
plugins: "crowdsec"
|
plugins: "crowdsec"
|
||||||
lua-shared-dicts: "crowdsec_cache: 50m"
|
lua-shared-dicts: "crowdsec_cache: 50m"
|
||||||
# 启用geoip2模块
|
# 启用geoip2模块
|
||||||
maxmindLicenseKey: "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"
|
maxmindLicenseKey: "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"
|
||||||
extraArgs:
|
extraArgs:
|
||||||
default-ssl-certificate: "infra-net/dev-cm-crt"
|
default-ssl-certificate: "infra-net/dev-cm-crt"
|
||||||
# crowdsec插件配置
|
# crowdsec插件配置
|
||||||
@@ -117,6 +119,8 @@ spec:
|
|||||||
value: "rgILO2mh/t+30LMvzyyMXbfHRmDfBkDDkhEflzHaoQ0"
|
value: "rgILO2mh/t+30LMvzyyMXbfHRmDfBkDDkhEflzHaoQ0"
|
||||||
- name: BOUNCER_CONFIG
|
- name: BOUNCER_CONFIG
|
||||||
value: "/crowdsec/crowdsec-bouncer.conf"
|
value: "/crowdsec/crowdsec-bouncer.conf"
|
||||||
|
- name: MODE
|
||||||
|
value: "stream"
|
||||||
- name: CAPTCHA_PROVIDER
|
- name: CAPTCHA_PROVIDER
|
||||||
value: "turnstile"
|
value: "turnstile"
|
||||||
- name: SITE_KEY
|
- name: SITE_KEY
|
||||||
|
|||||||
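Review bot: `maxmindLicenseKey` is rotated here by committing a new literal value, and the env entry just above `BOUNCER_CONFIG` (apparently the bouncer's key) is also a plain `value:` string, so both credentials sit in the repository and its history. The replaced MaxMind key should be revoked at the provider because it stays readable in earlier commits, and the new one will need the same treatment once it is moved out of the file. For the env list, `valueFrom: {secretKeyRef: {name: <secret-name>, key: <key-name>}}` keeps the key in a Kubernetes Secret; the license key would need whatever secret-backed values mechanism the chart or release tool offers, which cannot be confirmed from this page. The added `MODE: "stream"` entry would also benefit from a one-line comment noting that decisions are then pulled periodically rather than looked up per request, so a new decision is enforced only after the next poll.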