-rw-r--r--manifests/site.pp10
-rw-r--r--manifests/site/config.pp5
-rw-r--r--templates/site-ssl.erb8
3 files changed, 23 insertions, 0 deletions
diff --git a/manifests/site.pp b/manifests/site.pp
index 4455f45..737a210 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -11,6 +11,11 @@ define nginx::site(
$cache_size = '10m',
$cache_inactive = '600s',
$cache_max_size = '1m',
+ $rate_limit = false,
+ $rate_limit_key = '$binary_remote_addr',
+ $rate_limit_zone = $name,
+ $rate_limit_size = "10m",
+ $rate_limit_rate = "20r/s",
$x_frame_options = 'DENY',
) {
nginx::site::config { $name:
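Review bot: The default `$rate_limit_zone = $name` can leave the zone undeclared, because templates/site-ssl.erb only emits `limit_req_zone` when `@rate_limit_zone == @server_name`. If a site's `server_name` ever differs from its resource title (the `server_name` parameter is outside this hunk, so this is inferred), the template still writes `limit_req zone=...` for a zone nobody defined and nginx will refuse the configuration. Since this define always passes `rate_limit_zone` through, the `$server_name` default in manifests/site/config.pp is never used on this path. Consider `$rate_limit_zone = undef,` here and resolving the default in one place, or comparing against `@name` in the template.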
@@ -47,6 +52,11 @@ define nginx::site(
cache_size => $cache_size,
cache_inactive => $cache_inactive,
cache_max_size => $cache_max_size,
+ rate_limit => $rate_limit,
+ rate_limit_key => $rate_limit_key,
+ rate_limit_zone => $rate_limit_zone,
+ rate_limit_size => $rate_limit_size,
+ rate_limit_rate => $rate_limit_rate,
x_frame_options => $x_frame_options,
require => $certbot ? {
true => $ensure ? {
diff --git a/manifests/site/config.pp b/manifests/site/config.pp
index 0cdceea..c0e1809 100644
--- a/manifests/site/config.pp
+++ b/manifests/site/config.pp
@@ -10,6 +10,11 @@ define nginx::site::config(
$cache_size = '10m',
$cache_inactive = '600s',
$cache_max_size = '1m',
+ $rate_limit = false,
+ $rate_limit_key = '$binary_remote_addr',
+ $rate_limit_zone = $server_name,
+ $rate_limit_size = "10m",
+ $rate_limit_rate = "20r/s",
$x_frame_options = 'DENY',
){
case $source {
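Review bot: None of the new parameters is validated, and the template tests `@rate_limit == true`, so a caller passing the string `'true'` gets no rate limiting and no error. The size and rate strings are also written verbatim into an http-level directive, so a typo such as `20/s` only surfaces when nginx reloads. If the module already depends on puppetlabs-stdlib, `validate_bool($rate_limit)` and `validate_re($rate_limit_rate, '^\d+r/[sm]$')` at the top of the body would catch both; on Puppet 4+ a typed parameter (`Boolean $rate_limit = false`) does the same. The new defaults also use double quotes (`"10m"`, `"20r/s"`) where the surrounding parameters use single quotes.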
diff --git a/templates/site-ssl.erb b/templates/site-ssl.erb
index c852954..11a69dd 100644
--- a/templates/site-ssl.erb
+++ b/templates/site-ssl.erb
@@ -1,6 +1,9 @@
<% if @cache == true -%>
proxy_cache_path /var/cache/nginx/<%= @name %> levels=<%= @cache_levels %> keys_zone=<%= @name %>:<%= @cache_size %> inactive=<%= @cache_inactive %> max_size=<%= @cache_max_size %>;
<% end -%>
+<% if @rate_limit == true and @rate_limit_zone == @server_name -%>
+limit_req_zone <%= @rate_limit_key %> zone=<%= @rate_limit_zone %>:<%= @rate_limit_size %> rate=<%= @rate_limit_rate %>;
+<% end -%>
server {
listen 443;
server_name <%= @server_name %> <%= @aliases %>;
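Review bot: The default key `$binary_remote_addr` is the address of the TCP peer, which deserves a comment next to the `limit_req_zone` line. If nginx sits behind a load balancer or CDN without the realip module configured, every client shares one bucket and the limit throttles the proxy rather than an abusive client. I would add something like `# keyed on the connecting address; behind a proxy set real_ip_header/set_real_ip_from or override rate_limit_key`. The same comment could state that a site whose `rate_limit_zone` names another site's zone depends on that site being present with `rate_limit => true`, since the zone is only declared by its owner.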
@@ -29,5 +32,10 @@ server {
# cache config
proxy_cache <%= @name %>;
<% end -%>
+<% if @rate_limit == true -%>
+
+ # rate limiting
+ limit_req zone=<%= @rate_limit_zone %>;
+<% end -%>
}
}
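Review bot: `limit_req zone=<%= @rate_limit_zone %>;` has no `burst`, so with the default `20r/s` nginx accepts one request per 50 ms per key and rejects anything arriving faster. A normal page load fetching assets in parallel will then be rejected (503 by default), which tends to get the limit switched off rather than tuned. Consider adding a `$rate_limit_burst` parameter and rendering `limit_req zone=<%= @rate_limit_zone %> burst=<%= @rate_limit_burst %> nodelay;`, optionally with `limit_req_status 429;` so throttling is distinguishable from upstream failures in logs. The enclosing location and server blocks start outside this hunk, so the exact scope of the directive is not visible here.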