From bd23d1ab7b19e291fcccad8baf4dda9b1ccbc6f0 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 8 May 2023 12:18:46 -0400
Subject: [PATCH] implement selective rate limiting

---
 salt/nginx/defaults.yaml | 4 +++-
 salt/nginx/etc/nginx.conf | 23 ++++++++++++++++++++++-
 salt/nginx/html/favicon-16x16.png | Bin 948 -> 0 bytes
 salt/nginx/html/favicon-32x32.png | Bin 3070 -> 0 bytes
 salt/nginx/html/favicon.ico | Bin 5430 -> 0 bytes
 salt/nginx/html/index.html | 13 -------------
 salt/nginx/init.sls | 1 +
 salt/nginx/soc_nginx.yaml | 8 ++++++++
 8 files changed, 34 insertions(+), 15 deletions(-)
 delete mode 100644 salt/nginx/html/favicon-16x16.png
 delete mode 100644 salt/nginx/html/favicon-32x32.png
 delete mode 100644 salt/nginx/html/favicon.ico
 delete mode 100644 salt/nginx/html/index.html

diff --git a/salt/nginx/defaults.yaml b/salt/nginx/defaults.yaml
index cf051274b..0e222c29e 100644
--- a/salt/nginx/defaults.yaml
+++ b/salt/nginx/defaults.yaml
@@ -1,3 +1,5 @@
 nginx:
 config:
- replace_cert: False
\ No newline at end of file
+ replace_cert: False
+ throttle_login_burst: 6
+ throttle_login_rate: 10
\ No newline at end of file
diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index 502f6302a..fae7448f2 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -33,6 +33,8 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
+ limit_req_zone $binary_remote_addr zone=auth_throttle:10m rate={{ NGMERGED.config.login_throttle_rate }}r/m;
+
 include /etc/nginx/conf.d/*.conf;
 {%- if role in ['eval', 'managersearch', 'manager', 'standalone', 'import'] %}
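Review bot: The new `limit_req_zone` directive reads `NGMERGED.config.login_throttle_rate`, but the key this same commit adds to defaults.yaml (and documents in soc_nginx.yaml) is `throttle_login_rate`; the words are transposed, and the same transposition recurs in the `limit_req` burst and the `@error429` redirect further down nginx.conf. Unless config.map.jinja renames the keys, which is not visible here, the state either fails to render (Salt's Jinja raises on undefined attributes) or at best emits `rate=r/m`, which nginx rejects at startup, so the web interface would not come up after this change. Change the reference to `rate={{ NGMERGED.config.throttle_login_rate }}r/m;` (and `throttle_login_burst` in the location block) so the knobs exposed in the SOC UI actually drive the limit. Separately, the zone is keyed on `$binary_remote_addr`; if anything in front of this nginx terminates client connections, every user shares one bucket and a single attacker can lock out the whole site, which deserves a comment next to the directive, e.g. `# keyed on the TCP peer address; assumes this nginx is the edge for browser traffic`.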
@@ -143,7 +145,21 @@ http {
 proxy_set_header X-Forwarded-Proto $scheme;
 }
- location ~ ^/auth/.*?(whoami|login|logout|settings) {
+ location ~ ^/auth/.*?(login) {
+ rewrite /auth/(.*) /$1 break;
+ limit_req zone=auth_throttle burst={{ NGMERGED.config.login_throttle_burst }} nodelay;
+ limit_req_status 429;
+ proxy_pass http://{{ GLOBALS.manager }}:4433;
+ proxy_read_timeout 90;
+ proxy_connect_timeout 90;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Proxy "";
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location ~ ^/auth/.*?(whoami|logout|settings) {
 rewrite /auth/(.*) /$1 break;
 proxy_pass http://{{ GLOBALS.manager }}:4433;
 proxy_read_timeout 90;
@@ -276,6 +292,7 @@ http {
 error_page 401 = @error401;
 error_page 403 = @error403;
+ error_page 429 = @error429;
 location @error401 {
 add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
@@ -287,6 +304,10 @@ http {
 return 302 /auth/self-service/login/browser;
 }
+ location @error429 {
+ return 302 /login?thr={{ (120 / NGMERGED.config.login_throttle_rate) | round | int }};
+ }
+
 error_page 500 502 503 504 /50x.html;
 location = /usr/share/nginx/html/50x.html {
 }
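Review bot: The throttled location `^/auth/.*?(login)` is an unanchored substring match, so it covers every auth path containing "login", including `GET /auth/self-service/login/browser` — the very URL `@error401` redirects to in this file — and likely the follow-up flow fetches, all of which drain the same per-IP bucket as credential submissions. With `burst=6 nodelay` at 10r/m, a legitimate user bounced through a few 401 redirects can land in `@error429` before entering a password, while an attacker's guess rate is not reduced any further by counting those GETs. If the intent is to meter guesses, key the zone on request method so only POSTs (presumably the credential submission) are accounted — nginx does not account requests whose key is empty — and leave the flow-setup GETs unthrottled; the `map` lives in the `http` block beside `limit_req_zone`, which is in the earlier hunk. The fence uses the `throttle_login_*` names that defaults.yaml defines; the hunk spells them `login_throttle_*`.
```nginx
# http context, next to limit_req_zone: only POSTs carry a key, so only
# credential submissions are counted; requests with an empty key are not accounted.
map $request_method $login_limit_key {
    POST    $binary_remote_addr;
    default "";
}
limit_req_zone $login_limit_key zone=auth_throttle:10m rate={{ NGMERGED.config.throttle_login_rate }}r/m;

location ~ ^/auth/.*?(login) {
    rewrite /auth/(.*) /$1 break;
    limit_req zone=auth_throttle burst={{ NGMERGED.config.throttle_login_burst }} nodelay;
    limit_req_status 429;
    # … unchanged: proxy_pass, timeouts and proxy_set_header directives …
}
```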
diff --git a/salt/nginx/html/favicon-16x16.png b/salt/nginx/html/favicon-16x16.png deleted file mode 100644 index a0a818d20901837cdd71a7e387140c4b27151e5a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 948 zcmV;l155mgP)x4#)4!)y%9P+(?=Mobx|N;Pp10$2{M z-k@%=rg-p1(k7bJs~Qj0)Oav4F{TIYxh85nco5sDjg}PXV#UNTQ(!2wym_-R+k0Nb zgWvW4zvCzHKW0)1x2CGk4Gs<@HC5}b)~dxqp?DYg@$2t@HqX9%@=}-EwN$Iuue95p z3&No|n@Wn|NZ-<9k3RB2JRS>5qJSt$G@DI!ceZ)Bzkg6Fm9MI*GA~J@|KOlOtJVHN z0GN9=DGm<}U3%g9lgpt{2;1(^>DZWN5lNIdGC0WQpZB?O<5%kS0~(Dc?M~ZP6y*~U zV0dWo;)|yjmfP(X^;!*CR?sw!SS(JcuaDK$n;-}*ES^S^WU93qs;Ykc`Iq0ElTV#^ zdSY&N=6tb`CmM@$@9rHWS;lc3Y}=+(Dlt0xII5zsdUKUCub<)KhaX|vjvqiAiAUe^ z`+S5W18l6XF_sud*EBR$Ll6W~sY$Ap3R~$dj*gA7x%n4!v$K>e>y>veycrT>(b#;Y zS|OX=B{81l`n79BV{yilNsb?XinX;{$clnt7_?d~a=9F-RElb?t~w6$vZiUeuIZFY zCinli$K>QBD=RDb1Aa`?Wa7yQ);Bhoo}OZ50Uu-lQ-2#Vv zFhJ%(21QY*)$8b*PCj2CIy}TkJa${wH1%r9Dm^s1jnHm3OTh2PFbsl$0J=-ZvdW~> zX~N-t6h$GOPSe}li)C4MmtowJe);WoD=`{P`vbv6pU+FlvgqpSB9qBbESlK1O)M5= zXM2Zkj|aEg&EDP~j$^;Q_}cP!62SEvYj=(v9dW!q|BT1uA)n8q>pHS5(dpO}3I&FS zhbWiJn?iG#ZT^kH_;>B+`HR*fXc>!~Z|R WiDZX=O+ys`0000dB-7^(512r}AA#Rgz=9@Wl=9}|8?|a_wdEQsxk6g`5t3+85RRKW}MGORC z?o9uGMZW6%#kZ$bdV9|F31Wz}Lq5H{QG_O`Ut zluD=5;g%&?Gz^_cG^&L|;fdL~x$C;24~l|#8o|7H^vxj+;F)#Jo3b)94ymdWEv_*) zKhOMpXw-zSy>{^Q;QvXWwW+$?YPIfsw4%JTvZ7qf$Vfxib>guY@p%0HUU-g0V|Zs~ zn4b3F_05dNVzJ$#D4r5TVP|$`MwcjvXu5``>1dipEEbOlg3$JR3AC=P5fRL9FDYI8 zVpUb8;;=g~OoLb~hH09}l8nRQK(<-|h(y9nO->RF_>m-ucs$OGKR_rHLQ!m3EEY6P zN7wZQ0=kB-8(3xejP$$UZB5mZAPPTO{#fI8Dl00euCB)EbbjfK`T4&yO%N7hFin%G zsVN2r2DmdmhSe%#5mhu@BNmH41TF{yl121=DFbb*Y80zg{${*PV*KmvHOwV|va|B=60y0n4hrD;gWCS2i{A)~`>Kl$=a!Ya3%@ zW1K$qCU%E|y7~qRi;74~Pp7=Rg68JOsjICcDJhw2*RFEz+$NL6(;S4Kv- zbnz0^H8qr$mMzqhZw5`%ZD}dV!E+Zrcn`qR+1^-~mz(p->eg0aY;25RAV7P22Uo6) zaJK(#N=ui}-qAryN(xCyNu;Hvk&uu;EEdDzbh2pCB5G^v5JZ7v$Bv=J<18*Ip`x;q z;o)H>Cnu<^tRy2njlrSw%!k6HBquF-V)bJ$zdLwYmqbx~E-yD%%*)H;(7_&BR=0BJ z&NxGZ12nCAobvK=#>d7ucI+sAzaK?Wh(@DmnuZ_nU`VWxdE*=~1o2XNd{SG9Q8>Xyf|{WE?vO{2QH 
zhBr^1ps2W*hK2@)hu`PqiQ^O%74!6lja1jvu&l9>=H_Pd^YgiO?Hc{>_LG~NLtfq^ zloXfn#^GM_a&yVe%OesFbNRQwrM|wNq{Kwd4Gs~F#wd6sH}spcm-}GuY zGm48#xPJXQ;ZTUj9$U`GH*eDa_S>|ywDPBGJ8`*OsH%#?VaG5`3JZ&P?zykixNI4F z_PomN+qcNf%A$SE8jc=2hOX;0H#hUity}p0GvpWK<4#T@8jBH$Mwnm zM@!2h&YU?-MdhOig1}pE{hFG(I_m1{86O|#jn@wmoSg+A9*F-_>{ zImq_y+gZMR1#iF8&*q4^N6{QE0J zA`w1x5J*T&00CrK z285Vsku1Y^?%p9YBa_LANis9Dn3%XnT6#J@uMfj8$j;8j=kwim1a&vN+nw~}wAn%bpCMPEW$ji+I6I7?uu!t7FC|N9LCnqLINloSM zy}RV*sH&>w()*Xl$jGF$w3OEm9l~LEuzvk|a&mI<`MmV@9_BB;@eO2ICK&MJ@%jjd zLnw;E{QNxg^K+=K1cJdJnx>JNnT4V#WTdBk2q5lx?WiHk^1+dhKBBy$f{~FC>gww` zfBro6_4R!6$t^}lN9pS7LN^S4ylWSG_wHr)?%llj;!mipsiB~-kg3T@_8;hB+tw|( zTnWs~`0)A`3`-CMW@qP!#iH13Hd0gEIGxUs2W}`ymRE1zzP+PuO}p6FcZ_Y@{)~$k zFW~Wb=rf@ou#oihbR146U=r}paICM7a5zGHdk22MpMCrG@znbDEG{d< z=ks#-@KLsH-9kcQBBxHBA!kw6oIAz+m-`MJnSaob{O$Iy=Y%8C57xAIxF;tkNlQ&7 zBQulU-d?)9yYWmb;bF?k%1~96 zGiT1QapOjuPA7(;1HuDw`CMQ$O=DnSfR9E-`1ZHH#cVLhvA#aGZrut%-|^$+>-H5i7$fu0^RGcw4^TBu^fFo;AV zghC-gp)i4fAFIvA*3Fx7B_we2FDb~+^W^2_bg$~zdg_aK54Gij zB>hWjN^;84BZt5D)YBWdaN#_qrKRlHz8$aELm&`9({vVrB6$Ec6pzxx7U_dk74lqAbeuP^XIS63H*>1v0#`6k#K~$`FUpN=9moz`SjCIS+ZmaEiEm~&CPM(Ko3to(SD$* z{h4jQ59=#OvpqlkfhdZ?PLFryg_6akl$Vz?8w}#{dhhr91{RBm-EPO}bfT&%s;XkO zS`h?+YuB#v{`L%O`X9%iooaVS9^9n8Hq%H=$r93SZy{GML|_vIGqk; z*@~{~M59r{;V_X%x_UduN>5X>3aJalUiz`QH6~-uFG4 zwo0?oo_}7$b)6RRw5GkRY1+DV=KDT8ufnre@C;kLVSbLw6a5t$+HJC{8vCl+dT%!L z4Bu<)J@U1oXZU(`Tkmx1;8^h3;zw3LM<}iIfK^ISO+jt@VL8}0BJD>eq~qvG>BQ<7 znUF)nC#2{2v{bd3j6ZiiDzhNl&@-got!^_3_f4QfTHKE=Tm;Q=sqY>XL+^<9qcr^E z)7*Kc4LoYw`=smGq*S%`NPX9U;yZrsBWdU!lHLf)y|eCn*!9O{+6iCJkI8iNj}lpcAt2Ul8$$Jgx%iSe#z>4uy~ z#WXgfc$PM`gWrIZ9qf?Wj>FP5I;Hd|YG{>(Prgv}vMU>;wsX+gJ1VK$IB*>22Bi*i z9ho_&-rZkOFMZ>uCA-ofvmf11bm0RfQz!Hbj7yOOeQDO-ys{gukc;O_!LJ>*CcjGP za^mbIA)UdgGtxae4S711ZTQ?~kGBNGr`6SJ1eHOR(v3~fc8E4jEzZr{o^jrQK`cGRmm_}Y}>^qj+Jb0q}K-b`WWt-_Lu?V)f ze(>~K!(zCyYH!(Z2vauv4 zvjDOFiR9KaNo1N{3X!wKYv%s&sYMx_Hsc4exYF1qzzhkDPZi=E7oTWsBBPa?3Qw1 zNj_qMd=j#Yl-}X{_Cx1uiZ5+OoS+@(hYDlQy}ro>yI+zaB0YbXe_ZMc@shS=T_R@2 
z;yiJa`kV(ni;sD~{KZ#l(LR(bC?Qq(fBNE8iHBUY2UliUt)v!Jt@Mu1CG?C=K31!P zllH&p6P^4G@3`4t{ZIrp)pKsFkNwjX8xH5tNXo z>I?nu8=a)+E?)b)(x2DUunF>A67?lQIcblnrB5UvZXa;^JnV8uCJ;lqy&0$h7u4^W z$W49C!GEl}TWH)0&&KXARQ3voUi1TF&?78PS2`hqJ0 z`O!N*t9-#22mw#xJY`~>ItPTQ7^OU}!I5Gd8rNC)yNAV>>?^8PbeZeyCx|8FN4=Tf z zhTh29#Z&Pl2D$2DWCp%xYzD%YyiP5BDsQ32SG4w?Ab-@WKkp8XR``~bU#{c}OUYI| zb-)hxTkP>Dzs2Y5U5=pUk|%pf)GOsPVkCJo-nnOdQjSURjDzj?e&?|%K`lfNQ*)R6 z?R`R`qB8Q7KP!zrD*o7SoW1%t#Ce=L&*$v7cs>EKX5;3E_)k+f5m zM@x|cL;D|gcm|$t1`X=W{*C8}cj)Przj=oJUIg%%wj|Cnrnsj+nQP^!edJ$cXajCF zDn9IKt6EKpe@a1x!fo0Jy@%4@Ga^Cq4eft&@X_6+tyo{_U)DQfZWsLI1&pB|*rz)M zM5vyPSi(9thF&!)Jr6OTq+*t`>Hq zdZ&l%594!6R1cnoUXVRA=>;WbsQ!}l*!KY+(O-qBwZkh&lA+f;Wa01Zp&6r$J<5#! zO4Y54_$@dwUCjXGzdI;G#UF6~`+X&~YaD%b-?D$rh5h@0AM7{7Q*#v^&JFHi32KJm zSqts6uoE$v&*+D;<}QIBr5`v!S?CYX@OYK?#AO>dUo{^rLbfgFajCy9CFeTh-`d4% zsR=U*d+q!KMn#W4z&xgC5yLzp5+w&Q#Ck?NBsNfQ)@8;hbB?_Lc{5*aJ^Yovyl3pO zMsQDk)^FM-8?1LobXIXQ`M+zsD=z`Ir*4>A6y_2yLz4F^TksrnAuu6boC71p6SA;Z zcJ!kk!c|YkImq&!OHd?aZB({lPsCicU_bpp-DwZhS_krfd%MFQ5jQLB%h}8AN1oHB z%-N9SZ1j4)iWY6nMLxVT4kR9qkq7fI3RrBZi@aw|Wqy!9doyB1DDVnwSo(iOMLD zn5;tOBlbs_6@<9WoG3utFdoVKC~Br(ObT!?SJfNp!CC8l``z-cofGmn{65b7{!#wi z|8=uXHtX6D;)t{uH<_>r^(0;95wB_wnv2)W7*E^t8GXTdn=%n=&wpmF%dB79_V~zV zClA@=;7T01yE`=YvHoZMrmauIKf{=tRo}&$S=!XWI-&Y~ersSoFhiLWIJj#a!rUEyF+4B?ETaRm=~YH{5u$jbBsmOVSi7($fE+7 z&Rox}ZC1X(oGpRiN$lh-KpXH3v5vpdN6Z;V-%!Pub#fczaPSTN4mnif5*+>5T=4q) zTc1Xb*07hYLrh!zYO%ffYRQBD^$G34y5tv|D!$dJh?1-C%7u5)hlR!dPg-H=q{OMa-g7(=j0BMw1ja zc8I>tC>iAjiA1iVk7T^v+T`fA7cuwh78lPEPt-B*sAO@6O!NtDff@Y)V&lC>`Tf5= z`jwX!`;(|K7VhobaX3{0BK) zDHG$wH)fx*fvtPME!h8wcw6XLuCHy_WQ90=cKrw2)~^51=7qm(w)w^R_5=GpYw=y= zGV0UAt-HOKv5&)bjfI}vUoE27S=0ZB1J}t7%Vh>G2ui(WR*` k5B&P@*y6ifJiGe#j|=oxfwl%dnrKh0lH1Sai%9jq0koW!qyPW_ diff --git a/salt/nginx/html/index.html b/salt/nginx/html/index.html deleted file mode 100644 index 70d1ddfb0..000000000 --- a/salt/nginx/html/index.html +++ /dev/null 
@@ -1,13 +0,0 @@ - - - -Security Onion - Hybrid Hunter - - - - - - -Security Onion - -
diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls
index 833bda98a..8fac33daf 100644
--- a/salt/nginx/init.sls
+++ b/salt/nginx/init.sls
@@ -2,6 +2,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'nginx/config.map.jinja' import NGMERGED %}
 include:
 - ssl
diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml
index b78550c2b..6170982bf 100644
--- a/salt/nginx/soc_nginx.yaml
+++ b/salt/nginx/soc_nginx.yaml
@@ -20,3 +20,11 @@ nginx:
 advanced: True
 global: True
 helpLink: nginx.html
+ throttle_login_burst:
+ description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow.
+ global: True
+ helpLink: nginx.html
+ throttle_login_rate:
+ description: Number of login requests per minute that can be processed without triggering a rate limit. Higher values allow more repeated login attempts. Requests are counted by unique client IP and averaged over time.
+ global: True
+ helpLink: nginx.html
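Review bot: The `throttle_login_rate` description gives no lower bound, yet nginx.conf both interpolates the value into `rate=…r/m`, which nginx only accepts as a positive integer, and divides by it in the `@error429` redirect (`120 / …`), so a value of 0 does not disable throttling — it breaks rendering of the whole nginx state and the web interface stops. Add to the description: `Must be a whole number of 1 or more; a value of 0 does not disable throttling and will prevent nginx from starting.` The burst description already states that values greater than zero are required, so saying the same for the rate keeps the two knobs consistent, and a validation constraint would be preferable to prose if this annotation format supports one. The claim that requests are counted per client IP holds only when nginx sees the real client address; if deployments behind another proxy are supported, that caveat belongs in the description as well.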