mirror of https://github.com/ArcticFoxes-net/Synapse-Ubuntu-ZFS synced 2025-02-20 19:31:33 -05:00
Synapse-Ubuntu-ZFS/etc/nginx/conf.d/matrix-client.conf
2025-02-09 03:40:22 -07:00


# TLS virtual host for matrix.arcticfoxes.net. It proxies the Matrix
# client/media/static paths, the Synapse admin API and /health to Synapse over a
# unix socket, and answers every other path with 404.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name matrix.arcticfoxes.net;
    # Shared snippets; their contents are not visible in this file.
    # NOTE(review): headers.conf presumably sets response headers with add_header.
    # add_header is inherited by a location only while that location declares no
    # add_header of its own, so adding one inside a location below would drop
    # these and the CORS headers.
    include /etc/nginx/ssl.conf;
    include /etc/nginx/proxy.conf;
    include /etc/nginx/headers.conf;
    # 0 disables nginx's request-body size check for every location in this
    # server, so body size is bounded only by what the upstream enforces.
    # NOTE(review): confirm Synapse's max_upload_size is set, and consider a
    # finite limit here for paths that do not take uploads.
    client_max_body_size 0;
    # CORS: drop whatever the upstream sent and emit one fixed set of headers
    # ("always" also attaches them to error responses).
    proxy_hide_header Access-Control-Allow-Origin;
    add_header Access-Control-Allow-Origin "*" always;
    proxy_hide_header Access-Control-Allow-Methods;
    add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
    proxy_hide_header Access-Control-Allow-Headers;
    add_header Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization" always;
    # Preflight requests are answered here at server level, before any location
    # is chosen: they are not proxied, not rate-limited and, with the
    # server-level "access_log off" below, not logged.
    if ($request_method = OPTIONS) {
        return 204;
    }
    # Logging is off by default; each location below turns it on for itself.
    access_log off;
    # https://element-hq.github.io/synapse/v1.123/usage/configuration/config_documentation.html#listeners
    location ~ ^/_matrix/(?:client|media|static)/ {
        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
        # NOTE(review): the "main" log format is defined elsewhere. If it records
        # the request line, an access token passed as a query parameter would be
        # written to this log; confirm the format and the file's permissions.
        access_log /var/log/nginx/access_client.log main;
        # All four limits apply to each request. Without "nodelay", requests
        # above the rate are delayed until the burst is exceeded; with "nodelay",
        # the burst is served immediately and the excess is rejected.
        # The zones are declared at http level further down in this file.
        # The accesstoken* zones key on the client-supplied Authorization header,
        # and nginx does not count requests whose key is empty, so requests
        # without that header are bounded only by the ip* zones.
        limit_req zone=accesstoken burst=50;
        limit_req zone=accesstoken_write burst=5 nodelay;
        limit_req zone=ip burst=250;
        limit_req zone=ip_write burst=25 nodelay;
        # Rejections answer 429 with the body of /ratelimited.json and are
        # logged at "info" level.
        limit_req_status 429;
        error_page 429 /ratelimited.json;
        limit_req_log_level info;
    }
    # "^~" makes this prefix match win without consulting regex locations.
    # NOTE(review): no limit_req and no allow/deny appear in this block, so
    # unless an included snippet restricts access, the admin API is reachable by
    # anyone who can reach this vhost and is protected only by Synapse's own
    # admin-token check. Synapse's reverse-proxy documentation advises against
    # exposing /_synapse/admin to the public internet; consider an allow/deny
    # list or a separate internal listener, plus a request limit.
    location ^~ /_synapse/admin {
        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
        access_log /var/log/nginx/access_client.log main;
    }
    # Exact-match health endpoint, proxied to Synapse with no request limit.
    location = /health {
        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
        access_log /var/log/nginx/access_client.log main;
    }
    # Default deny: any path not matched above gets 404 and is logged separately.
    location / {
        return 404;
        access_log /var/log/nginx/access_client_invalid.log main;
    }
    # Body for rate-limited responses. "internal" means it can only be reached
    # through the error_page redirect above, not requested directly.
    location = /ratelimited.json {
        internal;
        root /usr/share/nginx/html;
        access_log /var/log/nginx/access_client_ratelimited.log main;
    }
}
# Key for the per-token write limit: empty for GET (nginx does not count
# requests with an empty key), the Authorization header value for every other
# method, which includes HEAD.
map $request_method $limit_key_accesstoken_write {
    GET "";
    default $http_authorization;
}
# Per-token limits: 25 r/s for all requests, 3 r/s for non-GET requests, each
# with a 100 MB shared-memory zone.
# NOTE(review): the key is the raw, unvalidated Authorization header. nginx
# counts a request before Synapse has checked the token, and every distinct
# header value gets its own bucket. These zones therefore shape well-behaved
# clients rather than act as an abuse control, and requests without the header
# are not counted here at all. A per-address limit is needed as the backstop.
limit_req_zone $http_authorization zone=accesstoken:100m rate=25r/s;
limit_req_zone $limit_key_accesstoken_write zone=accesstoken_write:100m rate=3r/s;
# Key for the per-address write limit: empty for GET (nginx does not count
# requests with an empty key), the binary client address for every other method.
map $request_method $limit_key_ip_write {
    GET "";
    default $binary_remote_addr;
}
# Per-address limits: 125 r/s for all requests, 15 r/s for non-GET requests,
# each with a 10 MB shared-memory zone.
# NOTE(review): $binary_remote_addr is the address of the connecting peer. If
# this server sits behind another proxy or load balancer, all clients would
# share one bucket unless the realip module is configured; that is not visible
# in this file. IPv6 clients are keyed on the full address, so consider whether
# keying on the prefix fits the deployment better.
limit_req_zone $binary_remote_addr zone=ip:10m rate=125r/s;
limit_req_zone $limit_key_ip_write zone=ip_write:10m rate=15r/s;