nginx rate limting /login/

[Mouth]

Is anyone rate limiting /login/ access with nginx and limit_req_zone?

My nginx http section contains;

limit_req_zone $binary_remote_addr zone=xf-login:10m rate=3r/m;

And my server section contains;

location = /login/ {
  limit_req zone=xf-login burst=3 nodelay;
}

But I feel the 3 requests per min, even with a burst rate of 3, is too inadequate for XF. Wondering what others are successfully using?

 

[rdn]

This is not yet sufficient?

 

[Mouth]

This is not yet sufficient?

No, because I want to retain captcha on my login form. Much better to rate limit at the server instead of the application too.

 

[Xon]

But I feel the 3 requests per min, even with a burst rate of 3, is too inadequate for XF. Wondering what others are successfully using?

FYI, but this is a bit too general. Normal users will hit "/login/csrf-token-refresh" fairly often.

For example; I have the following to block

    location = /login/csrf-token-refresh {
        include common.d/blockips.conf;
        include common.d/invoke_index.conf;
        fastcgi_pass forum-backend;
    }

    location /login/login {
        include common.d/blockips_reg.conf;
        limit_req zone=register burst=5;
        limit_req_log_level info;
        limit_req_status 429;
        include common.d/invoke_index.conf;
        fastcgi_pass forum-backend;
    }
...

common.d/blockips_reg.conf includes common.d/blockips.conf, and is a bunch of IP's blacklisted from the site or signing up/registering.

common.d/invoke_index.conf looks like:

include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_NAME /index.php;
fastcgi_param SCRIPT_FILENAME $document_root/index.php;

This basically uses XF's index.php to handle the request without requiring a rewrite lookup.

The 429 return code causes nginx to simply hangup and not even return anything.

 

[Mouth]

For example; I have the following to block

Thanks, quite helpful.

What have you used for your register zone definition?

The 429 return code causes nginx to simply hangup and not even return anything.

You've patched nginx? I thought it returned a 'too many requests' respond for 429, as default.

 

[Anthony Parsons]

Not this method, no.... I use mitchell krogza's genius: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker

Surpasses just the login form -- robust server wide protection with plenty of custom scope left for the user.

I don't use the DDOS though, as I leave that with CloudFlare, as they do it better.

 

[Xon]

Thanks, quite helpful.

What have you used for your register zone definition?

It is fairly standard stuff, nothing complex compared to the location bits.

You've patched nginx? I thought it returned a 'too many requests' respond for 429, as default.

Derp sorry, confusing it with 444, I've got 429 setup to server a static file.