Friday, January 23, 2015

http basic authentication - Nginx how to use limit_req_zone on auth_basic to protect against brute force attack?

I have an Nginx server that works as an SSL proxy for a service running on a localhost that doesn't support SSL authentication.



I would like to use Nginx's limit_req_zone function to protect the Basic_Auth against brute force attacks. There is a similar question with the answer to use Fail2ban, but I would like to use limit_req_zone if possible.



I've got it working - It is done using these two lines of code:




http {
  limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m; # only one login in 2 seconds allowed
  ...

  location / {
    limit_req zone=one burst=5 nodelay; # only five connections allowed for the whole / root
    ...
    proxy_pass      http://127.0.0.1:2222/myapp/www/; # redirections to my unauthenticated service
  }
}



The problem is it also blocks number of requests when user is authenticated which results in fact, that http://127.0.0.1:2222/myapp/www/ is not fully loaded.



What location directive should I use to block only number of attempts to use Basic_Auth?

-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...