Limit request rate to 10/s for all DACS applications (#5380)

* Limit request rate to 10/s for all DACS applications

* No longer use deprecated listen ... http2 directive

* define limit variable

* Import rate-limit-allow-list.conf

* Rate limit prod and qa servers

---------

Co-authored-by: Ryan Laddusaw <[email protected]>

roles/nginxplus/files/conf/http/approvals_prod.conf

@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/approvals-prod/NGINX_cache/ keys_zone=approvals-prodcache:10m;
 
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=approvals-prod-ratelimit:10m rate=10r/s;
+
 upstream approvals-prod {
     zone approvals-prod 64k;
     server lib-approvals-prod1.princeton.edu resolve;
@@ -34,6 +42,7 @@ server {
         proxy_pass http://approvals-prod;
         proxy_set_header X-Forwarded-Host $host;
         proxy_cache approvals-prodcache;
+        limit_req zone=approvals-prod-ratelimit burst=20 nodelay;
         # handle errors using errors.conf
         proxy_intercept_errors on;
         health_check interval=10 fails=3 passes=2;

roles/nginxplus/files/conf/http/approvals_staging.conf

@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/approvals-staging/NGINX_cache/ keys_zone=approvals-stagingcache:10m;
 
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=approvals-staging-ratelimit:10m rate=10r/s;
+
 upstream approvals-staging {
     zone approvals-staging 64k;
     server lib-approvals-staging1.princeton.edu resolve;
@@ -36,6 +44,7 @@ server {
         proxy_pass http://approvals-staging;
         proxy_set_header X-Forwarded-Host $host;
         proxy_cache approvals-stagingcache;
+        limit_req zone=approvals-staging-ratelimit burst=20 nodelay;
         # handle errors using errors.conf
         proxy_intercept_errors on;
         health_check interval=10 fails=3 passes=2;

roles/nginxplus/files/conf/http/bibdata_prod.conf

@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/bibdata-prod/NGINX_cache/ keys_zone=bibdataprodcache:10m;
 
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=bibdata-prod-ratelimit:10m rate=10r/s;
+
 upstream bibdata-prod {
     zone bibdata-prod 64k;
     server bibdata-prod1.princeton.edu resolve;
@@ -35,6 +43,7 @@ server {
         proxy_set_header X-Forwarded-Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_cache bibdataprodcache;
+        limit_req zone=bibdata-prod-ratelimit burst=80 nodelay;
         proxy_connect_timeout      2h;
         proxy_send_timeout         2h;
         proxy_read_timeout         2h;

roles/nginxplus/files/conf/http/bibdata_qa.conf

@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/bibdata-qa/NGINX_cache/ keys_zone=bibdata-qacache:10m;
 
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=bibdata-qa-ratelimit:10m rate=10r/s;
+
 upstream bibdata-qa {
     zone bibdata-qa 64k;
     server bibdata-qa1.princeton.edu resolve;
@@ -37,6 +45,7 @@ server {
         proxy_set_header X-Forwarded-Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_cache bibdata-qacache;
+        limit_req zone=bibdata-qa-ratelimit burst=20 nodelay;
         proxy_connect_timeout      2h;
         proxy_send_timeout         2h;
         proxy_read_timeout         2h;

roles/nginxplus/files/conf/http/catalog-qa.conf

@@ -2,6 +2,14 @@
 # when the role is run again
 proxy_cache_path /data/nginx/catalog-qa/NGINX_cache/ keys_zone=catalog-qacache:10m;
 
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=catalog-qa-ratelimit:10m rate=10r/s;
+
 upstream catalog-qa {
     zone catalog-qa 64k;
     server catalog-qa1.princeton.edu resolve;
@@ -37,6 +45,7 @@ server {
         proxy_pass http://catalog-qa;
         proxy_set_header X-Forwarded-Host $host;
         proxy_cache catalog-qacache;
+        limit_req zone=catalog-qa-ratelimit burst=20 nodelay;
         proxy_connect_timeout      2h;
         proxy_send_timeout         2h;
         proxy_read_timeout         2h;

roles/nginxplus/files/conf/http/dev/bibdata_staging.conf

@@ -1,6 +1,16 @@
 # Ansible managed
 proxy_cache_path /var/cache/nginx/bibdata-staging/ keys_zone=bibdata-stagingcache:10m;
 
+include /etc/nginx/conf.d/templates/rate-limit-allow-list.conf;
+
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=bibdata-staging-ratelimit:10m rate=10r/s;
+
 upstream bibdata-staging {
     zone bibdata-staging 64k;
     server bibdata-staging1.lib.princeton.edu resolve;
@@ -36,6 +46,7 @@ server {
         proxy_pass http://bibdata-staging;
         proxy_set_header X-Forwarded-Host $host;
         proxy_set_header X-Real-IP $remote_addr;
+        limit_req zone=bibdata-staging-ratelimit burst=20 nodelay;
         proxy_cache bibdata-stagingcache;
         proxy_connect_timeout      2h;
         proxy_send_timeout         2h;

roles/nginxplus/files/conf/http/dev/fpul-staging.conf

@@ -21,7 +21,8 @@ server {
 }
 
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
+    http2 on;
     server_name fpul-staging.lib.princeton.edu;
 
     ssl_certificate            /etc/letsencrypt/live/fpul-staging.lib/fullchain.pem;

roles/nginxplus/files/conf/http/dev/library_staging.conf

@@ -22,7 +22,8 @@ server {
 }
 
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
+    http2 on;
     server_name library-staging.lib.princeton.edu;
 
     client_max_body_size 8m;

roles/nginxplus/files/conf/http/dev/templates/rate-limit-allow-list.conf

@@ -0,0 +1,17 @@
+$ANSIBLE_VAULT;1.1;AES256
+34383861313132666133646466333764383263666135313562346332353163306263653334316336
+3831383465666161323234333162383337323163353034330a303664346162646630343034306230
+32613365656363613531656534383933616430623234303364353464343534343038336637616237
+6230666532393833320a666233633632353739323163363633643633386565326461323432333937
+63643138316132643535356539366162353062346666613936356235653462666233636362626335
+66373535306266323065333630633034313336353037353930636137383632373763303036653764
+32343739626530656665633235363931333534363933613838383166646430656433393534373365
+38393731343530376135666161383566393233626565383738383738663739666664313631393139
+64376365643139613263336437323533663936303063333939643136363935383335303638393134
+32393332393762626137633331663231633464613230633832626339646337383437366266323962
+35666439313439353031643666316563643564326631333161636531653436303438616637653834
+63383239316461383066326464666364613137383565376565306634626264353336356536613561
+66333564346334616530623034633733656236386662356430323536393635633737316465623536
+63316231373030313433333334303231353263376261373364316238653663626332653266346538
+37383866616639646631333531373533626364653231396133396565393863646135333835303332
+34363861313665666235

roles/nginxplus/files/conf/http/dss-prod.conf

@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/dss-prod/NGINX_cache/ keys_zone=dss-prodcache:10m;
 
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=dss-prod-ratelimit:10m rate=10r/s;
+
 upstream dss-prod {
     zone dss-prod 64k;
     server dss-prod1.princeton.edu resolve max_fails=0;
@@ -34,6 +42,7 @@ server {
         proxy_pass http://dss-prod;
         proxy_set_header X-Forwarded-Host $host;
         proxy_cache dss-prodcache;
+        limit_req zone=dss-prod-ratelimit burst=20 nodelay;
         proxy_connect_timeout      2h;
         proxy_send_timeout         2h;
         proxy_read_timeout         2h;

roles/nginxplus/files/conf/http/dss-staging.conf

@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/dss-staging/NGINX_cache/ keys_zone=dss-stagingcache:10m;
 
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=dss-staging-ratelimit:10m rate=10r/s;
+
 upstream dss-staging {
     zone dss-staging 64k;
     server dss-staging1.princeton.edu resolve;
@@ -36,6 +44,7 @@ server {
         proxy_pass http://dss-staging;
         proxy_set_header X-Forwarded-Host $host;
         proxy_cache dss-stagingcache;
+        limit_req zone=dss-staging-ratelimit burst=20 nodelay;
         proxy_connect_timeout      2h;
         proxy_send_timeout         2h;
         proxy_read_timeout         2h;

roles/nginxplus/files/conf/http/geaccirc.conf

@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/geaccirc-prod/NGINX_cache/ keys_zone=geaccirc-prodcache:10m;
 
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=geaccirc-prod-ratelimit:10m rate=10r/s;
+
 upstream geaccirc-prod {
     zone geaccirc-prod 64k;
     # server geaccirc1.princeton.edu resolve;
@@ -34,6 +42,7 @@ server {
         proxy_pass http://geaccirc-prod;
         proxy_set_header X-Forwarded-Host $host;
         proxy_cache geaccirc-prodcache;
+        limit_req zone=geaccirc-prod-ratelimit burst=20 nodelay;
         proxy_intercept_errors on;
         health_check interval=10 fails=3 passes=2;
     }

roles/nginxplus/files/conf/http/geaccirc_staging.conf

@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/geaccirc-staging/NGINX_cache/ keys_zone=geaccirc-stagingcache:10m;
 
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=geaccirc-staging-ratelimit:10m rate=10r/s;
+
 upstream geaccirc-staging {
     zone geaccirc-staging 64k;
     # server geaccirc-staging1.princeton.edu resolve;
@@ -35,6 +43,7 @@ server {
         proxy_set_header X-Forwarded-Host $host;
         proxy_intercept_errors on;
         proxy_cache geaccirc-stagingcache;
+        limit_req zone=geaccirc-staging-ratelimit burst=20 nodelay;
     }
 
     include /etc/nginx/conf.d/templates/errors.conf;

roles/nginxplus/files/conf/http/lib-jobs-prod.conf

@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/libjobs-prod/NGINX_cache/ keys_zone=libjobs-prodcache:10m;
 
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=libjobs-prod-ratelimit:10m rate=10r/s;
+
 upstream libjobs-prod {
     zone libjobs-prod 64k;
     server lib-jobs-prod1.princeton.edu resolve;
@@ -34,6 +42,7 @@ server {
         proxy_pass http://libjobs-prod;
         proxy_set_header X-Forwarded-Host $host;
         proxy_cache libjobs-prodcache;
+        limit_req zone=libjobs-prod-ratelimit burst=20 nodelay;
         proxy_intercept_errors on;
         # health_check;
     }

roles/nginxplus/files/conf/http/lib-jobs-staging.conf

@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/libjobs-staging/NGINX_cache/ keys_zone=libjobs-stagingcache:10m;
 
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=libjobs-staging-ratelimit:10m rate=10r/s;
+
 upstream libjobs-staging {
     zone libjobs-staging 64k;
     server lib-jobs-staging1.princeton.edu resolve;
@@ -35,6 +43,7 @@ server {
         proxy_pass http://libjobs-staging;
         proxy_set_header X-Forwarded-Host $host;
         proxy_cache libjobs-stagingcache;
+        limit_req zone=libjobs-staging-ratelimit burst=20 nodelay;
         # health_check;
         # allow princeton network
         # allow 128.112.0.0/16;

roles/nginxplus/files/conf/http/lockers-and-study-spaces-prod.conf

@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/lockers-and-study-spaces/NGINX_cache/ keys_zone=lockers-and-study-spacescache:10m;
 
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=lockers-prod-ratelimit:10m rate=10r/s;
+
 upstream lockers-and-study-spaces-prod {
     zone lockers-and-study-spaces-prod 64k;
     server lockers-and-study-spaces-prod1.princeton.edu resolve;
@@ -34,6 +42,7 @@ server {
         proxy_pass http://lockers-and-study-spaces-prod;
         proxy_set_header X-Forwarded-Host $host;
         proxy_cache lockers-and-study-spacescache;
+        limit_req zone=lockers-prod-ratelimit burst=20 nodelay;
         # handle errors using errors.conf
         proxy_intercept_errors on;
         health_check interval=10 fails=3 passes=2;

roles/nginxplus/files/conf/http/lockers-and-study-spaces-staging.conf

@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/lockers-and-study-spaces-staging/NGINX_cache/ keys_zone=lockers-and-study-spaces-stagingcache:10m;
 
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=lockers-staging-ratelimit:10m rate=10r/s;
+
 upstream lockers-and-study-spaces-staging {
     zone lockers-and-study-spaces-staging 64k;
     server lockers-and-study-spaces-staging1.princeton.edu resolve;
@@ -35,6 +43,7 @@ server {
         proxy_pass http://lockers-and-study-spaces-staging;
         proxy_set_header X-Forwarded-Host $host;
         proxy_cache lockers-and-study-spaces-stagingcache;
+        limit_req zone=lockers-staging-ratelimit burst=20 nodelay;
         # handle errors using errors.conf
         proxy_intercept_errors on;
         health_check interval=10 fails=3 passes=2;

roles/nginxplus/files/conf/http/repec-prod.conf

@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/repec-prod/NGINX_cache/ keys_zone=repec-prodcache:10m;
 
+map $limit $external_traffic {
+    0 "";
+    1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=repec-prod-ratelimit:10m rate=10r/s;
+
 upstream repec-prod {
     zone repec-prod 64k;
     # server repec-prod1.princeton.edu resolve;
@@ -34,6 +42,7 @@ server {
         proxy_set_header X-Forwarded-Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_cache repec-prodcache;
+        limit_req zone=repec-prod-ratelimit burst=20 nodelay;
         # handle errors using errors.conf
         proxy_intercept_errors on;
         health_check interval=10 fails=3 passes=2;