Merge pull request #2230 from bookwyrm-social/nginx-rate-limit

Adds rate limiting to some views in nginx

nginx/development

@@ -7,6 +7,15 @@ upstream web {
 server {
     listen 80;
 
+    location ~ ^/(login|password-reset|resend-link) {
+        limit_req zone=loginlimit;
+
+        proxy_pass http://web;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_redirect off;
+    }
+
     location / {
         proxy_pass http://web;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

nginx/production

@@ -41,6 +41,15 @@ server {
 #         root /var/www/certbot;
 #     }
 #
+#     location ~ ^/(login|password-reset|resend-link) {
+#         limit_req zone=loginlimit;
+#
+#         proxy_pass http://web;
+#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#         proxy_set_header Host $host;
+#         proxy_redirect off;
+#     }
+#
 #     location / {
 #         proxy_pass http://web;
 #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

nginx/server_config

@@ -1 +1,2 @@
 client_max_body_size 10m;
+limit_req_zone $binary_remote_addr zone=loginlimit:10m rate=1r/s;