Advanced Nginx Configuration

Warning: you have to setup your own nginx for this. Don’t use the inlcuded nginx, the Grape setup script will automatically overwrite the config file.

rate limiting

We recommend that you add rate limiting to your nginx config to protect against simple DDoS attacks and prevent bruteforcing login information.

More information:

  1. in your main nginx conf, usually /etc/nginx/nginx.conf:

    
    http {
    
    ...
    
        # rate limits
        geo $limited_ip {
            default 1;
            212.186.192.212 0;
            212.186.192.217 0;
        }
    
        map $limited_ip $limited_ip_key {
           0 '';
           1 $binary_remote_addr;
        }
    
        limit_req_zone $limited_ip_key zone=one:10m rate=1r/s;
        limit_req_zone $binary_remote_addr zone=two:10m rate=2r/s;
    
        # important: inlcude needs to be after the rate limiting lines
    
        include /etc/nginx/sites-enabled/*;
    
    }
    
  2. in your site config, e.g. /etc/nginx/sites-enabled/grape.example.com:

    location /accounts/login/ {
        limit_req zone=one burst=5;
        proxy_pass http://chatgrape-rr ;
        proxy_set_header X-Real-IP $remote_addr ;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
        proxy_set_header Host $http_host ;
        proxy_set_header X-NginX-Proxy true ;
        proxy_redirect off ;
        proxy_http_version 1.1 ;
        proxy_set_header Upgrade $http_upgrade ;
        proxy_set_header Connection "Upgrade" ;
    
        proxy_set_header X-Forwarded-Proto https ;
        proxy_set_header X-Forwarded-Protocol https ;
    
        proxy_read_timeout 24h ;
    }