NEW: foreign referrer limits

andvgal · andvgal · commit 87f61a6258e1 · 2020-01-04T02:31:09.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 - CHANGED: CID deployment to set env based on .env file
 - FIXED: pattern-based static file serving config with no apps (try_files)
 - NEW: docker::custom_args support
+- NEW: foreign referrer limits
 
 # 1.3.2 (2019-11-13)
 - CHANGED: /www/empty permission to 0755 for CID v0.8.29+ support
diff --git a/README.md b/README.md
@@ -50,6 +50,7 @@ This module is also a reference implementation of [FutoIn CID](https://github.co
         * Apps cannot access each other, nginx service has aux group of each app
         * HTTP_PROXY and other known attack mitigation
         * Automatic systemd-based restart
+        * Basic protection against DDoS through victim browsers
     * Misc:
         * HTTP/2
         * Multiple IP/interface aware
@@ -302,8 +303,9 @@ Main resource type to define virtualhost with related apps.
     * `verify = on` - override verification mode
 * `$hsts = 'max-age=15768000; includeSubDomains; preload'` - HSTS, optional
     * enabled only at TLS termination
-* `$xfo = 'deny' - X-Frame-Options, optional
+* `$xfo = 'deny'` - X-Frame-Options, optional
     * enabled only at TLS termination
+* `$frl = true` - foreign referrer limit, 50kps after 100kb if Referrer mismatch by default
 * `$deploy = undef` - optional deployment strategy parameters
 
 ### Deploy strategy
diff --git a/lib/puppet/provider/cfweb_nginx/cfweb.rb b/lib/puppet/provider/cfweb_nginx/cfweb.rb
@@ -175,6 +175,19 @@ def self.on_config_change(newconf)
             'default' => '$server_name',
             '0'       => "''",
         }
+
+        cf_invalid_referer_rate = cfweb_tune.fetch('cf_invalid_referer_rate', '50k')
+        cf_invalid_referer_rate_after = cfweb_tune.fetch('cf_invalid_referer_rate_after', '100k')
+        http_conf["map $invalid_referer $cf_invalid_referer_rate"] = {
+            'default' => '0',
+            '1'       => cf_invalid_referer_rate,
+        }
+        http_conf["map $invalid_referer $cf_invalid_referer_rate_after"] = {
+            'default' => '0',
+            '1'       => cf_invalid_referer_rate_after,
+        }
+        http_conf["# variables are supported only since v1.17"] = ''
+        http_conf["limit_rate_after"] = cf_invalid_referer_rate_after
         
         if stress_hosts && stress_hosts.size then
             stress_hosts.each { |shost|
diff --git a/manifests/site.pp b/manifests/site.pp
@@ -37,6 +37,7 @@
     Optional[CfWeb::ClientX509] $require_x509 = undef,
     Optional[String[1]] $hsts = 'max-age=15768000; includeSubDomains; preload',
     Optional[String[1]] $xfo = 'deny',
+    Boolean $frl = true,
 
     Boolean $backup_persistent = true,
 ) {
@@ -430,6 +431,7 @@
             require_x509       => $require_x509,
             hsts               => $hsts,
             xfo                => $xfo,
+            frl                => $frl,
         }),
         notify  => $cfg_notify,
         before  => Anchor['cfnginx-ready'],
diff --git a/templates/app_vhost.epp b/templates/app_vhost.epp
@@ -22,6 +22,7 @@
     Optional[CfWeb::ClientX509] $require_x509,
     Optional[String[1]] $hsts,
     Optional[String[1]] $xfo,
+    Optional[Boolean] $frl,
 |
 
 if size($plain_ports) == 0 and size($tls_ports) == 0 {
@@ -97,6 +98,15 @@ $tls_snippet = inline_epp('
     add_header X-Frame-Options \'<%= $xfo %>\';
 <% } -%>
 
+<% if $frl { -%>
+    valid_referers server_names;
+
+    # Only since nginx 1.17
+    #limit_rate $cf_invalid_referer_rate;
+    #limit_rate_after $cf_invalid_referer_rate_after;
+    set $limit_rate $cf_invalid_referer_rate;
+<% } -%>
+
 <% } -%>
 ', {
 })
