From 3c690dd1f58384313724b4e80ad011692d54b46d Mon Sep 17 00:00:00 2001
From: f <f@sutty.nl>
Date: Thu, 23 Oct 2025 15:01:58 -0300
Subject: [PATCH 1/5] feat: rate limits #39

---
 .../custom_proxy_includes/sutty.abyaya.la      |  5 +++++
 roles/proxy/templates/nginx.conf               | 18 ++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/roles/proxy/files/custom_proxy_includes/sutty.abyaya.la b/roles/proxy/files/custom_proxy_includes/sutty.abyaya.la
index 08eecd3..51f1f1c 100644
--- a/roles/proxy/files/custom_proxy_includes/sutty.abyaya.la
+++ b/roles/proxy/files/custom_proxy_includes/sutty.abyaya.la
@@ -4,3 +4,8 @@ proxy_redirect off;
 proxy_connect_timeout 3m;
 proxy_send_timeout 3m;
 proxy_read_timeout 3m;
+
+limit_conn connection_limit 50;
+limit_req zone=request_limit nodelay;
+
+add_header Retry-After $retry_after always;
diff --git a/roles/proxy/templates/nginx.conf b/roles/proxy/templates/nginx.conf
index 24b2876..ebde246 100644
--- a/roles/proxy/templates/nginx.conf
+++ b/roles/proxy/templates/nginx.conf
@@ -25,6 +25,24 @@ http {
 
     keepalive_timeout  65;
 
+    # Limitar cada dirección IP a 50 peticiones por segundo por IP y
+    # servidor.
+    limit_req_zone $server_name$binary_remote_addr zone=request_limit:10m rate=50r/s;
+    limit_req_status 429;
+
+    # Limita la cantidad de conexiones concurrentes por IP. Según la
+    # documentación de Nginx, cada request en HTTP/2 se cuenta como una
+    # conexión separada aunque sean la misma.
+    limit_conn_zone $binary_remote_addr zone=connection_limit:10m;
+    limit_conn_status 429;
+
+    # Informar a los navegadores que cuando reciban un error de muchas
+    # conexiones, esperen un segundo antes de reintentar.
+    map $status $retry_after {
+      default '';
+      429 '1';
+    }
+
     #gzip  on;
 
     include /etc/nginx/conf.d/*.conf;
-- 
2.49.0


From d2569a7e2981d1029832dbc34e397bcfa556effa Mon Sep 17 00:00:00 2001
From: f <f@sutty.nl>
Date: Thu, 23 Oct 2025 15:45:16 -0300
Subject: [PATCH 2/5] fix: usar los limites recomendados

---
 roles/proxy/files/custom_proxy_includes/sutty.abyaya.la | 2 +-
 roles/proxy/templates/nginx.conf                        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/proxy/files/custom_proxy_includes/sutty.abyaya.la b/roles/proxy/files/custom_proxy_includes/sutty.abyaya.la
index 51f1f1c..7cc54b6 100644
--- a/roles/proxy/files/custom_proxy_includes/sutty.abyaya.la
+++ b/roles/proxy/files/custom_proxy_includes/sutty.abyaya.la
@@ -6,6 +6,6 @@ proxy_send_timeout 3m;
 proxy_read_timeout 3m;
 
 limit_conn connection_limit 50;
-limit_req zone=request_limit nodelay;
+limit_req zone=request_limit nodelay burst=20;
 
 add_header Retry-After $retry_after always;
diff --git a/roles/proxy/templates/nginx.conf b/roles/proxy/templates/nginx.conf
index ebde246..85dc593 100644
--- a/roles/proxy/templates/nginx.conf
+++ b/roles/proxy/templates/nginx.conf
@@ -27,7 +27,7 @@ http {
 
     # Limitar cada dirección IP a 50 peticiones por segundo por IP y
     # servidor.
-    limit_req_zone $server_name$binary_remote_addr zone=request_limit:10m rate=50r/s;
+    limit_req_zone $server_name$binary_remote_addr zone=request_limit:10m rate=10r/s;
     limit_req_status 429;
 
     # Limita la cantidad de conexiones concurrentes por IP. Según la
-- 
2.49.0


From 4361acfde1399301001ca1f5fd256dc9f8761a10 Mon Sep 17 00:00:00 2001
From: f <f@sutty.nl>
Date: Thu, 23 Oct 2025 17:13:10 -0300
Subject: [PATCH 3/5] =?UTF-8?q?fix:=20ocultar=20versi=C3=B3n=20de=20nginx?=
 =?UTF-8?q?=20#67?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 roles/proxy/templates/nginx.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/proxy/templates/nginx.conf b/roles/proxy/templates/nginx.conf
index 85dc593..4ba2aaa 100644
--- a/roles/proxy/templates/nginx.conf
+++ b/roles/proxy/templates/nginx.conf
@@ -20,6 +20,8 @@ http {
 
     access_log  /var/log/nginx/access.log  main;
 
+    server_tokens off;
+
     sendfile        on;
     #tcp_nopush     on;
 
-- 
2.49.0


From 41b30d3a8d2d048030f88a8e40dc27e1980738d6 Mon Sep 17 00:00:00 2001
From: f <f@sutty.nl>
Date: Thu, 23 Oct 2025 17:17:19 -0300
Subject: [PATCH 4/5] fix: headers de seguridad #68

---
 roles/proxy/files/custom_server_includes/sutty.abyaya.la | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 roles/proxy/files/custom_server_includes/sutty.abyaya.la

diff --git a/roles/proxy/files/custom_server_includes/sutty.abyaya.la b/roles/proxy/files/custom_server_includes/sutty.abyaya.la
new file mode 100644
index 0000000..beaa8f8
--- /dev/null
+++ b/roles/proxy/files/custom_server_includes/sutty.abyaya.la
@@ -0,0 +1,4 @@
+add_header X-Frame-Options "sameorigin";
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Content-Type-Options "nosniff";
+add_header Referrer-Policy "strict-origin-when-cross-origin";
-- 
2.49.0


From 2aa6ddcc4d8f9f73f820eb858d7975d2820979cc Mon Sep 17 00:00:00 2001
From: f <f@sutty.nl>
Date: Thu, 23 Oct 2025 17:18:44 -0300
Subject: [PATCH 5/5] =?UTF-8?q?fix:=20configuraci=C3=B3n=20de=20ssl=20#69?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

adaptado de https://ssl-config.mozilla.org/#server=nginx&version=1.29.2&config=intermediate&openssl=3.5.1&guideline=5.7
---
 roles/proxy/templates/common_ssl.conf | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/roles/proxy/templates/common_ssl.conf b/roles/proxy/templates/common_ssl.conf
index 40b81a6..8aefc1b 100644
--- a/roles/proxy/templates/common_ssl.conf
+++ b/roles/proxy/templates/common_ssl.conf
@@ -6,6 +6,14 @@
     #   openssl dhparam -outform pem -out dhparam2048.pem 2048
     ssl_dhparam /etc/nginx/conf/dhparam2048.pem;
 
-    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
-    ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_prefer_server_ciphers off;
 
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
-- 
2.49.0