
nginx: add rate-limit for requests to Pyramid

This won't affect requests for static files or anything except ones that
get proxied to the app.

The current configuration is based on IP, and allows a rate of 4/sec,
with an additional burst of 5 above the limit permitted, and burst
requests allowed to go through immediately (nodelay). For more info:
https://www.nginx.com/blog/rate-limiting-nginx/
merge-requests/70/head
Deimos 6 years ago
parent
commit
ce512c5f40
  1. salt/salt/nginx/nginx.conf.jinja2 (4 changes)
  2. salt/salt/nginx/tildes.conf.jinja2 (3 changes)

4
salt/salt/nginx/nginx.conf.jinja2

@ -29,6 +29,10 @@ http {
sendfile on; sendfile on;
{% endif %} {% endif %}
# define a rate-limiting zone to use, and return HTTP 429 if exceeded
limit_req_zone $binary_remote_addr zone=tildes_app:10m rate=4r/s;
limit_req_status 429;
keepalive_timeout 65; keepalive_timeout 65;
# redirect non-https accesses to the https version # redirect non-https accesses to the https version
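
Review bot: the comment above `limit_req_zone` does not say what the limit is keyed on. `$binary_remote_addr` only gives a per-client limit while nginx sees the real client address; if this server is ever placed behind a load balancer or CDN, every user will share one 4r/s bucket unless the real-IP module is configured first. Please state the key in the comment, along with the reasoning for `10m` and `rate=4r/s`, so the numbers can be revisited later. Also note that `limit_req_status 429;` at `http` level applies to every `limit_req` in every server block, not only to `tildes_app`; that is probably intended, but the comment should say so.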

3
salt/salt/nginx/tildes.conf.jinja2

@ -73,6 +73,9 @@ server {
} }
location @proxy_to_app { location @proxy_to_app {
# apply rate-limiting, allowing a burst above the limit
limit_req zone=tildes_app burst=5 nodelay;
# Cornice adds the X-Content-Type-Options header, so it will end up # Cornice adds the X-Content-Type-Options header, so it will end up
# being duplicated since nginx is also configured to send it (above). # being duplicated since nginx is also configured to send it (above).
# It's better to drop the header coming from Gunicorn here than to # It's better to drop the header coming from Gunicorn here than to
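
Review bot: the comment on the `limit_req` line says a burst is allowed but not what `nodelay` implies. With `burst=5 nodelay`, the extra requests are served at once while the burst slots refill only at the zone rate, so a client that sends more than the rate plus 5 proxied requests in quick succession gets 429s immediately rather than being queued. A single limit on `@proxy_to_app` also treats every proxied route the same; if any page legitimately fires several app requests at once, that needs checking against this burst value. Consider expanding the comment to cover this, and setting `limit_req_log_level` so rejected requests are logged at a level that is easy to monitor separately from real errors.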
