add nginx request limit within nginx config

2026-02-06 09:56:05 +00:00 · 2024-01-22 13:32:01 +01:00 · 2024-01-22 13:32:01 +01:00 · c7d4997ecc
commit c7d4997ecc
parent 6ea73b4d1a
6 changed files with 22 additions and 2 deletions
--- a/deployment/bare_metal/nginx/common/limit_requests.conf
+++ b/deployment/bare_metal/nginx/common/limit_requests.conf
@ -0,0 +1,3 @@
+limit_req_zone $binary_remote_addr zone=frontend:20m rate=5r/s;
+limit_req_zone $binary_remote_addr zone=backend:25m rate=15r/s;
+limit_req_zone $binary_remote_addr zone=api:5m rate=30r/s;
--- a/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template
+++ b/deployment/bare_metal/nginx/sites-available/gradido-federation.conf.template
@ -1,5 +1,7 @@

    location /api/$FEDERATION_APIVERSION {
+        limit_req zone=api burst=60 nodelay;
+
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
--- a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template
+++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template
@ -21,6 +21,7 @@ server {

    include /etc/nginx/common/protect.conf;
    include /etc/nginx/common/protect_add_header.conf;
+    include /etc/nginx/common/limit_requests.conf;

    #gzip_static  on;
    gzip on;
@ -42,6 +43,7 @@ server {

    # Frontend (default)
    location / {
+        limit_req zone=frontend burst=40 nodelay;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
@ -58,6 +60,7 @@ server {

    # Backend
    location /graphql {
+        limit_req zone=backend burst=10 nodelay;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
@ -74,6 +77,7 @@ server {

    # Backend webhooks
    location /hook {
+        limit_req zone=backend burst=10;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
@ -90,6 +94,7 @@ server {

    # Webhook reverse proxy
    location /hooks/ {
+        limit_req zone=backend burst=10;
        proxy_pass http://127.0.0.1:9000/hooks/;

        access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log;
@ -98,6 +103,7 @@ server {

    # Admin Frontend
    location /admin {
+        limit_req zone=frontend burst=30 nodelay;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
--- a/deployment/bare_metal/nginx/sites-available/gradido.conf.template
+++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.template
@ -6,6 +6,7 @@ server {

    include /etc/nginx/common/protect.conf;
    include /etc/nginx/common/protect_add_header.conf;
+    include /etc/nginx/common/limit_requests.conf;

    #gzip_static  on;
    gzip on;
@ -27,6 +28,7 @@ server {

    # Frontend (default)
    location / {
+        limit_req zone=frontend burst=40 nodelay;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
@ -43,6 +45,7 @@ server {

    # Backend
    location /graphql {
+        limit_req zone=backend burst=10 nodelay;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
@ -59,6 +62,7 @@ server {

    # Backend webhooks
    location /hook {
+        limit_req zone=backend burst=10;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
@ -66,7 +70,6 @@ server {
        proxy_set_header   X-Real-IP  $remote_addr;
        proxy_set_header   Host $host;
        
-        # no trailing slash to keep the hook/ prefix
        proxy_pass         http://127.0.0.1:4000/hook;
        proxy_redirect     off;

@ -76,6 +79,7 @@ server {

    # Webhook reverse proxy
    location /hooks/ {
+        limit_req zone=backend burst=10;
        proxy_pass http://127.0.0.1:9000/hooks/;

        access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log;
@ -84,6 +88,7 @@ server {

    # Admin Frontend
    location /admin {
+        limit_req zone=frontend burst=30 nodelay;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
@ -97,7 +102,7 @@ server {
        access_log $GRADIDO_LOG_PATH/nginx-access.admin.log gradido_log;
        error_log $GRADIDO_LOG_PATH/nginx-error.admin.log warn;
    }
-
+    
    # Federation
    $FEDERATION_NGINX_CONF

--- a/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template
+++ b/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template
@ -21,6 +21,7 @@ server {

    include /etc/nginx/common/protect.conf;
    include /etc/nginx/common/protect_add_header.conf;
+    include /etc/nginx/common/limit_requests.conf;

    gzip on;

@ -28,6 +29,7 @@ server {
    index updating.html;

    location / {
+        limit_req zone=frontend;
        try_files /updating.html =404;
    }

--- a/deployment/bare_metal/nginx/sites-available/update-page.conf.template
+++ b/deployment/bare_metal/nginx/sites-available/update-page.conf.template
@ -6,6 +6,7 @@ server {

    include /etc/nginx/common/protect.conf;
    include /etc/nginx/common/protect_add_header.conf;
+    include /etc/nginx/common/limit_requests.conf;

    gzip on;

@ -13,6 +14,7 @@ server {
    index updating.html;

    location / {
+      limit_req zone=frontend;
      try_files /updating.html =404;
    }