nginx: set some limits for DDOS protection

Set some reasonable default limits in the nginx configuration.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>

docker/nginx-ssl.conf

@@ -15,6 +15,12 @@ http {
     default_type application/octet-stream;
     access_log /dev/stdout combined;
     sendfile on;
+    client_max_body_size 1m;
+    large_client_header_buffers 4 2k;
+
+    limit_req_zone $binary_remote_addr zone=login_ip:10m rate=30r/m;
+    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
+    limit_conn conn_per_ip 100;
 
     upstream app_server {
         # For a TCP configuration:
@@ -23,7 +29,6 @@ http {
 
     server {
         listen 80 default;
-        client_max_body_size 4G;
         server_name _;
 
         keepalive_timeout 5;
@@ -36,7 +41,6 @@ http {
 
     server {
         listen 80;
-        client_max_body_size 4G;
         server_name layers.openembedded.org;
 
         keepalive_timeout 5;
@@ -98,6 +102,8 @@ http {
         ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
         ssl_ciphers         HIGH:!aNULL:!MD5;
 
+        keepalive_timeout 20;
+
         # path for static files
         root /usr/share/nginx/html;
 
@@ -109,6 +115,11 @@ http {
             try_files $uri @proxy_to_app;
         }
 
+        location /accounts/login {
+            limit_req zone=login_ip burst=5;
+            try_files $uri @proxy_to_app;
+        }
+
         location @proxy_to_app {
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header Host $http_host;

docker/nginx.conf

@@ -23,10 +23,10 @@ http {
 
     server {
         listen 80 default;
-        client_max_body_size 4G;
+        client_max_body_size 1m;
         server_name _;
 
-        keepalive_timeout 5;
+        keepalive_timeout 20;
 
         # path for static files
         root /usr/share/nginx/html;