How to install rate-limit nginx templates

User avatar
myVesta
Site Admin
Posts: 946
Joined: Fri Jun 19, 2020 9:59 am
Has thanked: 9 times
Been thanked: 6 times

As root, in SSH run:

Code: Select all

curl -O https://c.myvestacp.com/tools/rate-limit-tpl/install_rate_limit_tpl.sh
bash install_rate_limit_tpl.sh

This installer will install hosting-firewall.tpl (nginx template) that will:
  • allow 1 http request per second per IP address (sent to your server, more precisely to your PHP-FPM)
  • allow 2 parallel http connections per IP address (sent to your PHP-FPM)
  • allow burst for 7 additional http requests (they will enter queue), first 3 will be processed immediately, 4 others will processed each request each second (so this will handle natural peaks that CMS can generate to itself)
  • if client fills allowed queue, additional requests will be denied
Generally, this nginx template will prevent bad bots to run hundreds parallel http requests against your site, which will probably cause denial-of-service on your server.

There are also 3 additional templates, with larger limit values (for example: 2 req/sec, 14 allowed requests in queue, 7 burst, 8 parallel connections).

There are also firewall-wordpress templates adapted for WordPress sites.

If you need different rate-limit for different IP addresses and optionally for different folders - see solution here: viewtopic.php?p=2686#p2686

Tags:
Jpsciolli
Posts: 13
Joined: Sun Feb 21, 2021 6:54 pm

Hello, just got this error while installing it...

install_rate_limit_tpl.sh: line 57: service: command not found

Anything usefull unattended?
User avatar
myVesta
Site Admin
Posts: 946
Joined: Fri Jun 19, 2020 9:59 am
Has thanked: 9 times
Been thanked: 6 times

Jpsciolli wrote: Thu Aug 05, 2021 10:09 pm Hello, just got this error while installing it...

install_rate_limit_tpl.sh: line 57: service: command not found

Anything usefull unattended?

Code: Select all

apt-get install sysvinit-utils
echo "PATH=$PATH:/usr/sbin" >> ~/.bashrc
source ~/.bashrc
then run rate-limit installer again.
sparkzara
Posts: 22
Joined: Mon Jun 07, 2021 9:15 am

hi,
when i add this rate limit template,
my cdn images are getting lot of denied errors.

so how do i whitelist cdn ip address, so they wont be under rate limit ?
User avatar
myVesta
Site Admin
Posts: 946
Joined: Fri Jun 19, 2020 9:59 am
Has thanked: 9 times
Been thanked: 6 times

sparkzara wrote: Mon Dec 20, 2021 7:28 pm hi,
when i add this rate limit template,
my cdn images are getting lot of denied errors.

so how do i whitelist cdn ip address, so they wont be under rate limit ?
static files are not limited in any way, except if you serve them though apache/php?

i don't know how to make whitelist.
sparkzara
Posts: 22
Joined: Mon Jun 07, 2021 9:15 am

Thank you for the quick reply.
static files are not limited in anyway (good to know this) - i didn't realize that earlier. just checked once again and found issue with another plugin on site.

regarding whitelist ip, need to set something, so it doesn't limit apache/php served pages for specific users ( even though rate limit nginx template applied for domain ).
can't we add tcp ip under firewall on myvestacp, so those ip address wont have rate limit applied ?
User avatar
myVesta
Site Admin
Posts: 946
Joined: Fri Jun 19, 2020 9:59 am
Has thanked: 9 times
Been thanked: 6 times

sparkzara wrote: Mon Dec 20, 2021 8:18 pm Thank you for the quick reply.
static files are not limited in anyway (good to know this) - i didn't realize that earlier. just checked once again and found issue with another plugin on site.

regarding whitelist ip, need to set something, so it doesn't limit apache/php served pages for specific users ( even though rate limit nginx template applied for domain ).
can't we add tcp ip under firewall on myvestacp, so those ip address wont have rate limit applied ?
nope, because this is a limit on nginx layer - https://github.com/myvesta/vesta/blob/m ... pl#L10-L11
probably there is a way to exclude those lines for desired IP, but i'm sincerely not sure how.
someone should go deeply in nginx syntax to understand how to do it.
User avatar
myVesta
Site Admin
Posts: 946
Joined: Fri Jun 19, 2020 9:59 am
Has thanked: 9 times
Been thanked: 6 times

sparkzara
Posts: 22
Joined: Mon Jun 07, 2021 9:15 am

Thank you for the suggestion.
if block idea should help resolve it now.
myVesta wrote: Mon Dec 20, 2021 8:41 pm
sparkzara wrote: Mon Dec 20, 2021 8:18 pm Thank you for the quick reply.
static files are not limited in anyway (good to know this) - i didn't realize that earlier. just checked once again and found issue with another plugin on site.

regarding whitelist ip, need to set something, so it doesn't limit apache/php served pages for specific users ( even though rate limit nginx template applied for domain ).
can't we add tcp ip under firewall on myvestacp, so those ip address wont have rate limit applied ?
nope, because this is a limit on nginx layer - https://github.com/myvesta/vesta/blob/m ... pl#L10-L11
probably there is a way to exclude those lines for desired IP, but i'm sincerely not sure how.
someone should go deeply in nginx syntax to understand how to do it.
User avatar
myVesta
Site Admin
Posts: 946
Joined: Fri Jun 19, 2020 9:59 am
Has thanked: 9 times
Been thanked: 6 times

sparkzara wrote: Thu Dec 23, 2021 6:53 pm Thank you for the suggestion.
if block idea should help resolve it now.
Post here solution if you find it :)
Post Reply