nginx: add rate-limit for requests to Pyramid

This won't affect requests for static files or anything except ones that get proxied to the app. The current configuration is based on IP, and allows a rate of 4/sec, with an additional burst of 5 above the limit permitted, and burst requests allowed to go through immediately (nodelay). For more info: https://www.nginx.com/blog/rate-limiting-nginx/
6 years ago · ce512c5f40
2 changed files with 7 additions and 0 deletions
--- a/salt/salt/nginx/nginx.conf.jinja2
+++ b/salt/salt/nginx/nginx.conf.jinja2
@ -29,6 +29,10 @@ http {
    sendfile on;
    {% endif %}

+    # define a rate-limiting zone to use, and return HTTP 429 if exceeded
+    limit_req_zone $binary_remote_addr zone=tildes_app:10m rate=4r/s;
+    limit_req_status 429;
+
    keepalive_timeout  65;

    # redirect non-https accesses to the https version
--- a/salt/salt/nginx/tildes.conf.jinja2
+++ b/salt/salt/nginx/tildes.conf.jinja2
@ -73,6 +73,9 @@ server {
    }

    location @proxy_to_app {
+        # apply rate-limiting, allowing a burst above the limit
+        limit_req zone=tildes_app burst=5 nodelay;
+
        # Cornice adds the X-Content-Type-Options header, so it will end up
        # being duplicated since nginx is also configured to send it (above).
        # It's better to drop the header coming from Gunicorn here than to