From ce512c5f408f92d8b866ea45022754813d265b35 Mon Sep 17 00:00:00 2001
From: Deimos
Date: Tue, 4 Jun 2019 22:16:02 -0600
Subject: [PATCH] nginx: add rate-limit for requests to Pyramid

This won't affect requests for static files or anything except ones that get proxied to the app.

The current configuration is based on IP, and allows a rate of 4/sec, with an additional burst of 5 above the limit permitted, and burst requests allowed to go through immediately (nodelay).

For more info: https://www.nginx.com/blog/rate-limiting-nginx/
---
 salt/salt/nginx/nginx.conf.jinja2 | 4 ++++
 salt/salt/nginx/tildes.conf.jinja2 | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/salt/salt/nginx/nginx.conf.jinja2 b/salt/salt/nginx/nginx.conf.jinja2
index f938a58..493fd01 100644
--- a/salt/salt/nginx/nginx.conf.jinja2
+++ b/salt/salt/nginx/nginx.conf.jinja2
@@ -29,6 +29,10 @@ http {
 sendfile on;
 {% endif %}
 
+ # define a rate-limiting zone to use, and return HTTP 429 if exceeded
+ limit_req_zone $binary_remote_addr zone=tildes_app:10m rate=4r/s;
+ limit_req_status 429;
+
 keepalive_timeout 65;
 
 # redirect non-https accesses to the https version
diff --git a/salt/salt/nginx/tildes.conf.jinja2 b/salt/salt/nginx/tildes.conf.jinja2
index e421b6c..5b383a6 100644
--- a/salt/salt/nginx/tildes.conf.jinja2
+++ b/salt/salt/nginx/tildes.conf.jinja2
@@ -73,6 +73,9 @@ server {
 }
 
 location @proxy_to_app {
+ # apply rate-limiting, allowing a burst above the limit
+ limit_req zone=tildes_app burst=5 nodelay;
+
 # Cornice adds the X-Content-Type-Options header, so it will end up
 # being duplicated since nginx is also configured to send it (above).
 # It's better to drop the header coming from Gunicorn here than to
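Review bot: The zone is keyed on `$binary_remote_addr`, so the limit applies to whatever address nginx sees as its TCP peer; if a CDN or load balancer is ever placed in front of this host every client collapses into one bucket and is throttled together, and users behind a shared NAT already share a bucket today. That assumption is worth recording next to the zone definition, e.g. `# keyed on the peer address: if a proxy is ever put in front, configure real_ip_header/set_real_ip_from first or all clients share one bucket`. Rejections are logged at error level by default, so adding `limit_req_log_level warn;` beside `limit_req_status 429;` keeps the error log readable once the limit starts firing while still leaving a line to alert on. The enclosing `http {` block starts and ends outside the hunk.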
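Review bot: A request rejected by `limit_req` gets its 429 from nginx and never reaches Pyramid, so the application's own logs will show nothing when a legitimate page load that fans out into several app requests trips the 4r/s plus burst=5 budget; the comment should say where to look, e.g. `# rejected requests get a 429 straight from nginx and never reach the app, so diagnose from nginx's error log, not Pyramid's`. If particular addresses (monitoring, internal tooling) need to be exempt, nginx does not account requests whose zone key is empty, so a `geo`/`map` that yields an empty key for them is the usual approach rather than a second zone. The `location @proxy_to_app {` block continues outside the hunk.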