security-tracker: cache all json API and feed requests

This also simplifies the request limit configuration as json API and feed requests are cached hence a more strict request limit is not really necessary anymore. - Configure a uwsgi cache of 1GB for all json API and feed requests - Cache JSON API and feed requests for 5 minutes - Use a single global request limit zone Signed-off-by: Levente Polyak <anthraxx@archlinux.org>

security-tracker: cache all json API and feed requests
94dc580e · Levente Polyak · e33791b3 · 94dc580e
Verified Commit 94dc580e authored 1 year ago by Levente Polyak
--- a/roles/security_tracker/templates/nginx.d.conf.j2
+++ b/roles/security_tracker/templates/nginx.d.conf.j2
-# limit rss requests to 1 r/m
-limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;
+# uwsgi caching zone
+uwsgi_cache_path /var/lib/nginx/cache/ levels=1:2 keys_zone=sec_cache:5m max_size=1g inactive=60m use_temp_path=off;

-# limit general requests to 5 r/s to block DoS attempts with a burst of 10.
-limit_req_zone $binary_remote_addr zone=archseclimit:10m rate=5r/s;
+# limit requests to 5 r/s to block DoS attempts with a burst of 10.
+limit_req_zone $binary_remote_addr zone=sec_req_limit:10m rate=5r/s;

+# limit http status: 429 Too Many Requests
 limit_req_status 429;

 upstream security-tracker {
@@ -49,22 +50,28 @@ server {
        alias {{ security_tracker_dir }}/tracker/static/;
    }

-    # Rate limit all RSS feeds
+    # API/RSS endpoint
    location ~* .*(atom|json)$ {
        access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log main;
        access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_main;
+
        include uwsgi_params;
        uwsgi_pass security-tracker;
+        uwsgi_cache sec_cache;
+        uwsgi_cache_valid 5m;
+        uwsgi_cache_key "$request_method$request_uri";

-        limit_req zone=rsslimit burst=5 nodelay;
+        limit_req zone=sec_req_limit burst=5 nodelay;
    }

+    # Web UI endpoint
    location / {
        access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log main;
        access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_main;
+
        include uwsgi_params;
        uwsgi_pass security-tracker;

-        limit_req zone=archseclimit burst=10 nodelay;
+        limit_req zone=sec_req_limit burst=10 nodelay;
    }
 }