diff --git a/roles/proxy/files/custom_proxy_includes/sutty.abyaya.la b/roles/proxy/files/custom_proxy_includes/sutty.abyaya.la index 08eecd3..7cc54b6 100644 --- a/roles/proxy/files/custom_proxy_includes/sutty.abyaya.la +++ b/roles/proxy/files/custom_proxy_includes/sutty.abyaya.la @@ -4,3 +4,8 @@ proxy_redirect off; proxy_connect_timeout 3m; proxy_send_timeout 3m; proxy_read_timeout 3m; + +limit_conn connection_limit 50; +limit_req zone=request_limit nodelay burst=20; + +add_header Retry-After $retry_after always; diff --git a/roles/proxy/files/custom_server_includes/sutty.abyaya.la b/roles/proxy/files/custom_server_includes/sutty.abyaya.la new file mode 100644 index 0000000..beaa8f8 --- /dev/null +++ b/roles/proxy/files/custom_server_includes/sutty.abyaya.la @@ -0,0 +1,4 @@ +add_header X-Frame-Options "sameorigin"; +add_header X-XSS-Protection "1; mode=block"; +add_header X-Content-Type-Options "nosniff"; +add_header Referrer-Policy "strict-origin-when-cross-origin"; diff --git a/roles/proxy/templates/common_ssl.conf b/roles/proxy/templates/common_ssl.conf index 40b81a6..8aefc1b 100644 --- a/roles/proxy/templates/common_ssl.conf +++ b/roles/proxy/templates/common_ssl.conf @@ -6,6 +6,14 @@ # openssl dhparam -outform pem -out dhparam2048.pem 2048 ssl_dhparam /etc/nginx/conf/dhparam2048.pem; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - ssl_prefer_server_ciphers on; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ecdh_curve X25519:prime256v1:secp384r1; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; + ssl_prefer_server_ciphers off; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + + ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; diff --git a/roles/proxy/templates/nginx.conf b/roles/proxy/templates/nginx.conf index 24b2876..4ba2aaa 100644 --- a/roles/proxy/templates/nginx.conf +++ b/roles/proxy/templates/nginx.conf @@ -20,11 +20,31 @@ http { access_log /var/log/nginx/access.log main; + server_tokens off; + sendfile on; #tcp_nopush on; keepalive_timeout 65; + # Limitar cada dirección IP a 50 peticiones por segundo por IP y + # servidor. + limit_req_zone $server_name$binary_remote_addr zone=request_limit:10m rate=10r/s; + limit_req_status 429; + + # Limita la cantidad de conexiones concurrentes por IP. Según la + # documentación de Nginx, cada request en HTTP/2 se cuenta como una + # conexión separada aunque sean la misma. + limit_conn_zone $binary_remote_addr zone=connection_limit:10m; + limit_conn_status 429; + + # Informar a los navegadores que cuando reciban un error de muchas + # conexiones, esperen un segundo antes de reintentar. + map $status $retry_after { + default ''; + 429 '1'; + } + #gzip on; include /etc/nginx/conf.d/*.conf;