Rate limit our securit tracker

Some people love to do 48 req/s to our tracker which causes ~100% cpu. For now we allow 5req/sec with a burst of 10 requests.

Rate limit our securit tracker
f078db32 · Jelle van der Waa · 1d6ce928 · f078db32
Verified Commit f078db32 authored 3 years ago by Jelle van der Waa
--- a/roles/security_tracker/templates/nginx.d.conf.j2
+++ b/roles/security_tracker/templates/nginx.d.conf.j2
+# limit general requests to 5 r/s to block DoS attempts with a burst of 10.
+limit_req_zone $binary_remote_addr zone=archseclimit:10m rate=5r/s;
+
+limit_req_status 429;
+
 upstream security-tracker {
    server unix:///run/uwsgi/security-tracker.sock;
 }
@@ -46,5 +51,7 @@ server {
        access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_main;
        include uwsgi_params;
        uwsgi_pass security-tracker;
+
+        limit_req zone=archseclimit burst=10 nodelay;
    }
 }