@@ -110,7 +110,16 @@ echo " wrote ${PROJECT}-deploy.path and ${PROJECT}-deploy.service"
110110touch /run/p2p-deploy.trigger
111111chmod 777 /run/p2p-deploy.trigger # world-writable sentinel (no sensitive content)
112112
113- # ── Nginx config ──────────────────────────────────────────────────────────────
113+ # ── Nginx rate-limit zone ─────────────────────────────────────────────────────
114+ # limit_req_zone must live in the http{} context → /etc/nginx/conf.d/
115+ cat > " /etc/nginx/conf.d/${PROJECT} -rate-limits.conf" << 'RLCONF '
116+ # 60 req/min per IP on /share/* (token-guessing mitigation)
117+ # 10m shared memory ≈ 160k tracked IPs
118+ limit_req_zone $binary_remote_addr zone=p2p_share_rl:10m rate=1r/s;
119+ RLCONF
120+ echo " wrote /etc/nginx/conf.d/${PROJECT} -rate-limits.conf"
121+
122+ # ── Nginx site config ─────────────────────────────────────────────────────────
114123# Single-quoted NGINX heredoc prevents shell expansion — nginx vars ($host etc.) preserved.
115124# sed substitutes only $DOMAIN.
116125nginx_template=$( cat << 'NGINX '
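Review bot: The zone name `p2p_share_rl` on the limit_req_zone line is a fixed literal while the file it lands in is named from `${PROJECT}`, so running this script for a second project would write a second conf.d file declaring the same zone and nginx would reject the config on the duplicate name; the `limit_req zone=p2p_share_rl` in the /share/ location of the second hunk is bound to the same literal. Since `/run/p2p-deploy.trigger` above is also hard-coded, this may be intentional, in which case I'd say so in the comment, e.g. `# zone name is fixed (one site per host); the site config's limit_req references it by this literal`, rather than leaving the filename as the only thing that varies with PROJECT (note both heredocs are single-quoted, so the variable would not expand inside them anyway). The sizing comment `10m shared memory ≈ 160k tracked IPs` uses the 32-bit figure: the limit_req module docs state a stored state occupies 128 bytes on 64-bit platforms, about 8k states per megabyte, so on a 64-bit host 10m holds roughly 80k keys; I'd write `# 10m shared memory ≈ 80k tracked keys on 64-bit hosts (128 B per state)`. I could not see an `nginx -t` before the file is relied on; if the reload step outside this hunk does not validate first, a typo in this heredoc takes down the whole server rather than just the new location.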
@@ -126,6 +135,19 @@ server {
126135 proxy_read_timeout 10s;
127136 }
128137
138+ # Rate-limited: 60 req/min per IP, burst of 10
139+ location /share/ {
140+ limit_req zone=p2p_share_rl burst=10 nodelay;
141+ limit_req_status 429;
142+
143+ proxy_pass http://[::1]:3000;
144+ proxy_set_header Host $host;
145+ proxy_set_header X-Real-IP $remote_addr;
146+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
147+ proxy_set_header X-Forwarded-Proto $scheme;
148+ proxy_read_timeout 60s;
149+ }
150+
129151 location / {
130152 proxy_pass http://[::1]:3000;
131153 proxy_set_header Host $host;