nginx: add option for loose rate limiting

Vincent Breitmoser
2021-03-05 13:23:51 +01:00
parent 3462a335dd
commit 53270cfb04
2 changed files with 23 additions and 2 deletions


@@ -59,6 +59,7 @@ location /vks {
location /vks/v1/by-email/ {
limit_req zone=search_email burst=50 nodelay;
limit_req zone=search_email_loose burst=200 nodelay;
error_page 429 /errors-static/429-rate-limit-vks-email.htm;
set $args "";
@@ -105,6 +106,7 @@ location /pks/lookup {
location /.well-known/openpgpkey {
location ~ "^/.well-known/openpgpkey/([^/]+)/hu/([^/][^/])([^/][^/])(.*)" {
limit_req zone=search_email burst=50 nodelay;
limit_req zone=search_email_loose burst=200 nodelay;
error_page 429 /errors-static/429-rate-limit-vks-email.htm;
error_page 404 /errors-static/404-wkd.htm;
@@ -187,6 +189,7 @@ location /pks/internal {
# gpg --search-keys <QUERY>
location ~ ^/pks/internal/index/(.+(?:%40|@).+)$ {
limit_req zone=search_email burst=50 nodelay;
limit_req zone=search_email_loose burst=200 nodelay;
limit_req_status 429;
error_page 429 /errors-static/429-rate-limit-pks-index.htm;
@@ -219,6 +222,7 @@ location /errors {
location /search {
limit_req zone=search_email burst=50 nodelay;
limit_req zone=search_email_loose burst=200 nodelay;
error_page 429 /errors/429/rate-limit-web;
proxy_pass http://127.0.0.1:8080;
}
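Review bot: Each of the four locations now carries two limit_req lines that depend on a non-obvious mechanism — limit_req skips a request whose zone key is empty, and the $limit / $limit_loose maps make exactly one key non-empty per client — so as written the pairing reads as if both limits applied at once. A one-line comment above the first pair would save the next maintainer a trip to the zone definitions, e.g. `# only one of these applies per request: $limit is empty for allowlisted clients, $limit_loose for everyone else`. The enclosing location blocks start and end outside the hunks shown. Separately, only the /pks/internal/index location sets `limit_req_status 429;`; unless that directive is set at server level outside this view, the `error_page 429` lines in the other three locations would not be reached from the limiter (its default status is 503) — pre-existing, but worth confirming while these blocks are being touched.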


@@ -1,6 +1,23 @@
geo $allowlist {
default 0;
# CIDR in the list below are using a more lenient limiter
1.2.3.4/32 1;
}
map $allowlist $limit {
0 $binary_remote_addr;
1 "";
}
map $allowlist $limit_loose {
1 $binary_remote_addr;
0 "";
}
# allow 6 requests per min -> one each 10s on avg.
limit_req_zone $binary_remote_addr zone=search_email:10m rate=1r/m;
limit_req_zone $binary_remote_addr zone=search_fpr_keyid:10m rate=5r/s;
limit_req_zone $limit zone=search_email:10m rate=1r/s;
limit_req_zone $limit_loose zone=search_email_loose:10m rate=1r/m;
limit_req_zone $limit zone=search_fpr_keyid:10m rate=5r/s;
proxy_cache_path /tmp/nginx_cache use_temp_path=off keys_zone=static_cache:10m;
proxy_cache_valid 200 5m;
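Review bot: The two new zones appear to have their rates the wrong way round relative to the commit's intent: `search_email`, keyed on `$limit` (non-allowlisted clients), gets `rate=1r/s`, while `search_email_loose`, keyed on `$limit_loose` (allowlisted clients), gets `rate=1r/m` — the allowlisted path ends up with a lower steady-state rate than the default, and the default becomes 60x more permissive than the `1r/m` line it replaces. If the goal is a lenient limiter for allowlisted CIDRs only, the rates should be swapped (`limit_req_zone $limit zone=search_email:10m rate=1r/m;` / `limit_req_zone $limit_loose zone=search_email_loose:10m rate=1r/s;`); if the 1r/s default is deliberate, the comment `# allow 6 requests per min -> one each 10s on avg.` no longer describes either zone and should be updated. Note also that `search_fpr_keyid` is now keyed on `$limit`, so allowlisted clients get no fingerprint/key-id limit at all rather than a looser one — fine if intended, but it deserves a comment next to the zone. The `geo` block matches on the client address nginx itself sees, so if this instance sits behind a proxy the allowlist needs the real client address (e.g. via the realip module) or it will never match. The `1.2.3.4/32` entry looks like a placeholder — confirm it is meant to ship.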