| #!/usr/bin/env bash | |
| ### Bash Environment Setup | |
| # http://redsymbol.net/articles/unofficial-bash-strict-mode/ | |
| # https://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html | |
| # set -o xtrace | |
| set -o errexit | |
| set -o errtrace | |
| set -o nounset | |
| set -o pipefail |
| # | |
| # CORS header support | |
| # | |
| # One way to use this is by placing it into a file called "cors_support" | |
| # under your Nginx configuration directory and placing the following | |
| # statement inside your **location** block(s): | |
| # | |
| # include cors_support; | |
| # | |
| # As of Nginx 1.7.5, add_header supports an "always" parameter which |
| # Those rules protect HTTP/HTTPS services for both IPv4 and IPv6 sources as such: | |
| # 1. Prevent a /32 IPv4 or /64 IPv6 to open more than 10 HTTPS?/TCP connections per second (the limit is high, but this still shield against some attacks) — DROP TCP packets in this case, to avoid generating egress traffic sending a RST | |
| # 2. Limit ingress bandwidth to HTTPS? services to 32KB/sec (adjust to your needs, in my case it is used to shield a WebSocket backend against incoming WebSocket message floods) | |
| # 3. Limit the number of simultaneous ongoing connections to HTTPS? to 40 (also, high limit, adjust to your needs) | |
| # The protections those rules offer: | |
| # 1. Prevent crypto-DOS (ie. a client that proceed too many key exchanges and thus exhaust server CPU) | |
| # 2. Prevent WebSocket floodings (eg. I use this for Socket.IO, which has no efficient way to rate-limit received messages before they get parsed) | |
| # 3. Prevent ephemeral TCP port exhaustion due to a client holding too many TCP connections | |
| # 4. Prevent IPv6 rotation attac |