configure rate limiting for nginx

author: Franck Cuny <franck@fcuny.net> 2025-11-27 11:08:20 -0800
committer: Franck Cuny <franck@fcuny.net> 2025-11-27 11:11:34 -0800
commit: dfa0964be0dffd2369fe65c80896c371e30a625f (patch)
tree: 5646ad5ec4a0059ac34ddf2d66b6b6dca40014ad /profiles
parent: rename synology-vm to bree (diff)
download: infra-dfa0964be0dffd2369fe65c80896c371e30a625f.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/profiles/reverse-proxy.nix b/profiles/reverse-proxy.nix
index dd98ff2..f136ba0 100644
--- a/profiles/reverse-proxy.nix
+++ b/profiles/reverse-proxy.nix
@@ -41,6 +41,14 @@ in
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedTlsSettings = true;
+    commonHttpConfig = ''
+      # limit clients doing too many requests
+      # can be tested with ab -n 20 -c 10 <host>
+      limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;
+
+      # limit clients opening too many connections
+      limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
+    '';
     virtualHosts = {
       "code.fcuny.net" = {
         enableACME = true;
author	Franck Cuny <franck@fcuny.net>	2025-11-27 11:08:20 -0800
committer	Franck Cuny <franck@fcuny.net>	2025-11-27 11:11:34 -0800
commit	dfa0964be0dffd2369fe65c80896c371e30a625f (patch)
tree	5646ad5ec4a0059ac34ddf2d66b6b6dca40014ad /profiles
parent	rename synology-vm to bree (diff)
download	infra-dfa0964be0dffd2369fe65c80896c371e30a625f.tar.gz