Add rate limiting to Nginx conf

usegalaxy-au · Oct 17, 2024 · 45e5fe7 · 45e5fe7
1 parent 733d6f3
commit 45e5fe7
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/ansible/roles/galaxy_labs_engine/defaults/main.yml b/ansible/roles/galaxy_labs_engine/defaults/main.yml
@@ -4,6 +4,10 @@ labs_engine_repo: https://github.com/usegalaxy-au/galaxy-labs-engine.git
 labs_engine_branch: main
 labs_engine_docker_image: neoformit/galaxy-labs-engine:latest
 
+# Rate limit requests by IP address to stop bot attacks
+# 10 r/min allows a user to reload a labs page every 6 seconds
+nginx_limit_requests_per_minute: 10
+
 project_root: /home/ubuntu/labs-engine
 config_root: /home/ubuntu/config
 django_root: "{{ project_root }}/app"

diff --git a/ansible/roles/galaxy_labs_engine/templates/nginx.conf.j2 b/ansible/roles/galaxy_labs_engine/templates/nginx.conf.j2
@@ -4,6 +4,13 @@ upstream {{ docker_container_name }} {
     server {{ docker_container_name }}:8000;
 }
 
+{% if nginx_limit_requests_per_minute %}
+http {
+    # Define a zone to store client IP rate data, 1MB can store data for about 16,000 IPs
+    limit_req_zone $binary_remote_addr zone=one:10m rate={{ nginx_limit_requests_per_minute }}r/m;
+}
+{% endif %}
+
 server {
     # redirect www to non-www
     server_name www.{{ inventory_hostname }};
@@ -51,6 +58,7 @@ server {
         proxy_hide_header     X-Frame-Options;
         proxy_read_timeout    600;  # seconds
         client_max_body_size  1000m;
+        limit_req zone=one burst=5 nodelay;
     }
 
     listen 443 ssl;
@@ -74,6 +82,7 @@ server {
 
     # Redirect all other traffic to HTTPS, but not the challenge
     location / {
+        limit_req zone=one burst=5 nodelay;
         if ($host = {{ inventory_hostname }}) {
             return 301 https://$host$request_uri;
         }