diff --git a/roles/nginxplus/files/conf/http/approvals_prod.conf b/roles/nginxplus/files/conf/http/approvals_prod.conf
index 2eed3261a..5ccb82bf8 100644
--- a/roles/nginxplus/files/conf/http/approvals_prod.conf
+++ b/roles/nginxplus/files/conf/http/approvals_prod.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/approvals-prod/NGINX_cache/ keys_zone=approvals-prodcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=approvals-prod-ratelimit:10m rate=10r/s;
+
 upstream approvals-prod {
 zone approvals-prod 64k;
 server lib-approvals-prod1.princeton.edu resolve;
@@ -34,6 +42,7 @@ server {
 proxy_pass http://approvals-prod;
 proxy_set_header X-Forwarded-Host $host;
 proxy_cache approvals-prodcache;
+ limit_req zone=approvals-prod-ratelimit burst=20 nodelay;
 # handle errors using errors.conf
 proxy_intercept_errors on;
 health_check interval=10 fails=3 passes=2;
diff --git a/roles/nginxplus/files/conf/http/approvals_staging.conf b/roles/nginxplus/files/conf/http/approvals_staging.conf
index d882ad762..692c0dcdc 100644
--- a/roles/nginxplus/files/conf/http/approvals_staging.conf
+++ b/roles/nginxplus/files/conf/http/approvals_staging.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/approvals-staging/NGINX_cache/ keys_zone=approvals-stagingcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=approvals-staging-ratelimit:10m rate=10r/s;
+
 upstream approvals-staging {
 zone approvals-staging 64k;
 server lib-approvals-staging1.princeton.edu resolve;
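Review bot: The new `map $limit $external_traffic` block reads `$limit`, but nothing in approvals_prod.conf defines it and this file does not include the allow-list template; in this diff only dev/bibdata_staging.conf adds `include /etc/nginx/conf.d/templates/rate-limit-allow-list.conf;`. If `$limit` is not declared somewhere else in the shared http context, `nginx -t` will reject these files with an unknown-variable error, so please confirm where the non-dev hosts get it from. The identical map is also re-declared in every other file of this diff (approvals_staging, bibdata_prod, bibdata_qa, catalog-qa, dss-*, geaccirc*, lib-jobs-*, lockers-and-study-spaces-*, repec-*, slavery-*, videoreserves_*); nginx appears to tolerate a re-declared map variable with the last definition winning, but one definition inside the included allow-list template would be less brittle than twenty copies. The allow-list itself is vault-encrypted here, so its contents cannot be reviewed in this diff. Minor: the `# zone: 10mb can hold 160K IP addresses` comment assumes IPv4 keys; `$binary_remote_addr` states for IPv6 clients are twice the size, so the capacity is roughly halved if these listeners accept IPv6.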
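Review bot: Requests rejected by the added `limit_req zone=approvals-prod-ratelimit burst=20 nodelay;` get nginx's default status 503 and are logged at `error` level, which makes throttling indistinguishable from an upstream outage in access logs, alerting and the errors.conf page served via `proxy_intercept_errors on`. I would add `limit_req_status 429;` next to the `limit_req` line (and optionally `limit_req_log_level warn;`) so rate-limit hits can be counted and alerted on separately; the same applies to every `limit_req` hunk in this diff. bibdata_prod.conf uses `burst=80` while all other files use `burst=20`; if that is deliberate, a one-line comment stating why would stop it being "normalised" later. The enclosing `server` block starts and ends outside this hunk.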
@@ -36,6 +44,7 @@ server {
 proxy_pass http://approvals-staging;
 proxy_set_header X-Forwarded-Host $host;
 proxy_cache approvals-stagingcache;
+ limit_req zone=approvals-staging-ratelimit burst=20 nodelay;
 # handle errors using errors.conf
 proxy_intercept_errors on;
 health_check interval=10 fails=3 passes=2;
diff --git a/roles/nginxplus/files/conf/http/bibdata_prod.conf b/roles/nginxplus/files/conf/http/bibdata_prod.conf
index 86bab6b7f..98cb413da 100644
--- a/roles/nginxplus/files/conf/http/bibdata_prod.conf
+++ b/roles/nginxplus/files/conf/http/bibdata_prod.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/bibdata-prod/NGINX_cache/ keys_zone=bibdataprodcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=bibdata-prod-ratelimit:10m rate=10r/s;
+
 upstream bibdata-prod {
 zone bibdata-prod 64k;
 server bibdata-prod1.princeton.edu resolve;
@@ -35,6 +43,7 @@ server {
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_cache bibdataprodcache;
+ limit_req zone=bibdata-prod-ratelimit burst=80 nodelay;
 proxy_connect_timeout 2h;
 proxy_send_timeout 2h;
 proxy_read_timeout 2h;
diff --git a/roles/nginxplus/files/conf/http/bibdata_qa.conf b/roles/nginxplus/files/conf/http/bibdata_qa.conf
index 12b09109d..9d5107f69 100644
--- a/roles/nginxplus/files/conf/http/bibdata_qa.conf
+++ b/roles/nginxplus/files/conf/http/bibdata_qa.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/bibdata-qa/NGINX_cache/ keys_zone=bibdata-qacache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=bibdata-qa-ratelimit:10m rate=10r/s;
+
 upstream bibdata-qa {
 zone bibdata-qa 64k;
 server bibdata-qa1.princeton.edu resolve;
@@ -37,6 +45,7 @@ server {
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_cache bibdata-qacache;
+ limit_req zone=bibdata-qa-ratelimit burst=20 nodelay;
 proxy_connect_timeout 2h;
 proxy_send_timeout 2h;
 proxy_read_timeout 2h;
diff --git a/roles/nginxplus/files/conf/http/catalog-qa.conf b/roles/nginxplus/files/conf/http/catalog-qa.conf
index e3d6796ea..02509cb41 100644
--- a/roles/nginxplus/files/conf/http/catalog-qa.conf
+++ b/roles/nginxplus/files/conf/http/catalog-qa.conf
@@ -2,6 +2,14 @@
 # when the role is run again
 proxy_cache_path /data/nginx/catalog-qa/NGINX_cache/ keys_zone=catalog-qacache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=catalog-qa-ratelimit:10m rate=10r/s;
+
 upstream catalog-qa {
 zone catalog-qa 64k;
 server catalog-qa1.princeton.edu resolve;
@@ -37,6 +45,7 @@ server {
 proxy_pass http://catalog-qa;
 proxy_set_header X-Forwarded-Host $host;
 proxy_cache catalog-qacache;
+ limit_req zone=catalog-qa-ratelimit burst=20 nodelay;
 proxy_connect_timeout 2h;
 proxy_send_timeout 2h;
 proxy_read_timeout 2h;
diff --git a/roles/nginxplus/files/conf/http/dev/bibdata_staging.conf b/roles/nginxplus/files/conf/http/dev/bibdata_staging.conf
index 48304b86b..1161fa2fc 100644
--- a/roles/nginxplus/files/conf/http/dev/bibdata_staging.conf
+++ b/roles/nginxplus/files/conf/http/dev/bibdata_staging.conf
@@ -1,6 +1,16 @@
 # Ansible managed
 proxy_cache_path /var/cache/nginx/bibdata-staging/ keys_zone=bibdata-stagingcache:10m;
+include /etc/nginx/conf.d/templates/rate-limit-allow-list.conf;
+
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=bibdata-staging-ratelimit:10m rate=10r/s;
+
 upstream bibdata-staging {
 zone bibdata-staging 64k;
 server bibdata-staging1.lib.princeton.edu resolve;
@@ -36,6 +46,7 @@ server {
 proxy_pass http://bibdata-staging;
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Real-IP $remote_addr;
+ limit_req zone=bibdata-staging-ratelimit burst=20 nodelay;
 proxy_cache bibdata-stagingcache;
 proxy_connect_timeout 2h;
 proxy_send_timeout 2h;
diff --git a/roles/nginxplus/files/conf/http/dev/fpul-staging.conf b/roles/nginxplus/files/conf/http/dev/fpul-staging.conf
index babafe7bc..b320206c5 100644
--- a/roles/nginxplus/files/conf/http/dev/fpul-staging.conf
+++ b/roles/nginxplus/files/conf/http/dev/fpul-staging.conf
@@ -21,7 +21,8 @@ server {
 }
 server {
- listen 443 ssl http2;
+ listen 443 ssl;
+ http2 on;
 server_name fpul-staging.lib.princeton.edu;
 ssl_certificate /etc/letsencrypt/live/fpul-staging.lib/fullchain.pem;
diff --git a/roles/nginxplus/files/conf/http/dev/library_staging.conf b/roles/nginxplus/files/conf/http/dev/library_staging.conf
index 3a5fe7fc3..07729bbf1 100644
--- a/roles/nginxplus/files/conf/http/dev/library_staging.conf
+++ b/roles/nginxplus/files/conf/http/dev/library_staging.conf
@@ -22,7 +22,8 @@ server {
 }
 server {
- listen 443 ssl http2;
+ listen 443 ssl;
+ http2 on;
 server_name library-staging.lib.princeton.edu;
 client_max_body_size 8m;
diff --git a/roles/nginxplus/files/conf/http/dev/templates/rate-limit-allow-list.conf b/roles/nginxplus/files/conf/http/dev/templates/rate-limit-allow-list.conf
new file mode 100644
index 000000000..37ebc17e4
--- /dev/null
+++ b/roles/nginxplus/files/conf/http/dev/templates/rate-limit-allow-list.conf
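Review bot: The replacement of `listen 443 ssl http2;` by `listen 443 ssl;` plus `http2 on;` in fpul-staging.conf (and the same hunk in library_staging.conf) only parses on nginx 1.25.1 / NGINX Plus R30 or newer, where `http2` became a standalone directive; on an older build `nginx -t` fails with an unknown directive and the role's reload would leave the old config running. Worth confirming the version installed on the dev hosts before this is applied, and that the remaining `listen ... http2` files are migrated together or left alone consistently rather than mixed. The `server` block continues outside the hunk.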
@@ -0,0 +1,17 @@
+$ANSIBLE_VAULT;1.1;AES256
+34383861313132666133646466333764383263666135313562346332353163306263653334316336
+3831383465666161323234333162383337323163353034330a303664346162646630343034306230
+32613365656363613531656534383933616430623234303364353464343534343038336637616237
+6230666532393833320a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
diff --git a/roles/nginxplus/files/conf/http/dss-prod.conf b/roles/nginxplus/files/conf/http/dss-prod.conf
index 4f73aa9b7..805155d3c 100644
--- a/roles/nginxplus/files/conf/http/dss-prod.conf
+++ b/roles/nginxplus/files/conf/http/dss-prod.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/dss-prod/NGINX_cache/ keys_zone=dss-prodcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=dss-prod-ratelimit:10m rate=10r/s;
+
 upstream dss-prod {
 zone dss-prod 64k;
 server dss-prod1.princeton.edu resolve max_fails=0;
@@ -34,6 +42,7 @@ server {
 proxy_pass http://dss-prod;
 proxy_set_header X-Forwarded-Host $host;
 proxy_cache dss-prodcache;
+ limit_req zone=dss-prod-ratelimit burst=20 nodelay;
 proxy_connect_timeout 2h;
 proxy_send_timeout 2h;
 proxy_read_timeout 2h;
diff --git a/roles/nginxplus/files/conf/http/dss-staging.conf b/roles/nginxplus/files/conf/http/dss-staging.conf
index 463f17062..da52cc8c8 100644
--- a/roles/nginxplus/files/conf/http/dss-staging.conf
+++ b/roles/nginxplus/files/conf/http/dss-staging.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/dss-staging/NGINX_cache/ keys_zone=dss-stagingcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=dss-staging-ratelimit:10m rate=10r/s;
+
 upstream dss-staging {
 zone dss-staging 64k;
 server dss-staging1.princeton.edu resolve;
@@ -36,6 +44,7 @@ server {
 proxy_pass http://dss-staging;
 proxy_set_header X-Forwarded-Host $host;
 proxy_cache dss-stagingcache;
+ limit_req zone=dss-staging-ratelimit burst=20 nodelay;
 proxy_connect_timeout 2h;
 proxy_send_timeout 2h;
 proxy_read_timeout 2h;
diff --git a/roles/nginxplus/files/conf/http/geaccirc.conf b/roles/nginxplus/files/conf/http/geaccirc.conf
index 521649bf3..66038f359 100644
--- a/roles/nginxplus/files/conf/http/geaccirc.conf
+++ b/roles/nginxplus/files/conf/http/geaccirc.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/geaccirc-prod/NGINX_cache/ keys_zone=geaccirc-prodcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=geaccirc-prod-ratelimit:10m rate=10r/s;
+
 upstream geaccirc-prod {
 zone geaccirc-prod 64k;
 # server geaccirc1.princeton.edu resolve;
@@ -34,6 +42,7 @@ server {
 proxy_pass http://geaccirc-prod;
 proxy_set_header X-Forwarded-Host $host;
 proxy_cache geaccirc-prodcache;
+ limit_req zone=geaccirc-prod-ratelimit burst=20 nodelay;
 proxy_intercept_errors on;
 health_check interval=10 fails=3 passes=2;
 }
diff --git a/roles/nginxplus/files/conf/http/geaccirc_staging.conf b/roles/nginxplus/files/conf/http/geaccirc_staging.conf
index 2962871c1..3a2d46d37 100644
--- a/roles/nginxplus/files/conf/http/geaccirc_staging.conf
+++ b/roles/nginxplus/files/conf/http/geaccirc_staging.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/geaccirc-staging/NGINX_cache/ keys_zone=geaccirc-stagingcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=geaccirc-staging-ratelimit:10m rate=10r/s;
+
 upstream geaccirc-staging {
 zone geaccirc-staging 64k;
 # server geaccirc-staging1.princeton.edu resolve;
@@ -35,6 +43,7 @@ server {
 proxy_set_header X-Forwarded-Host $host;
 proxy_intercept_errors on;
 proxy_cache geaccirc-stagingcache;
+ limit_req zone=geaccirc-staging-ratelimit burst=20 nodelay;
 }
 include /etc/nginx/conf.d/templates/errors.conf;
diff --git a/roles/nginxplus/files/conf/http/lib-jobs-prod.conf b/roles/nginxplus/files/conf/http/lib-jobs-prod.conf
index 4485b0e77..c989bb74b 100644
--- a/roles/nginxplus/files/conf/http/lib-jobs-prod.conf
+++ b/roles/nginxplus/files/conf/http/lib-jobs-prod.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/libjobs-prod/NGINX_cache/ keys_zone=libjobs-prodcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=libjobs-prod-ratelimit:10m rate=10r/s;
+
 upstream libjobs-prod {
 zone libjobs-prod 64k;
 server lib-jobs-prod1.princeton.edu resolve;
@@ -34,6 +42,7 @@ server {
 proxy_pass http://libjobs-prod;
 proxy_set_header X-Forwarded-Host $host;
 proxy_cache libjobs-prodcache;
+ limit_req zone=libjobs-prod-ratelimit burst=20 nodelay;
 proxy_intercept_errors on;
 # health_check;
 }
diff --git a/roles/nginxplus/files/conf/http/lib-jobs-staging.conf b/roles/nginxplus/files/conf/http/lib-jobs-staging.conf
index 0d1b48de9..cc1b59c65 100644
--- a/roles/nginxplus/files/conf/http/lib-jobs-staging.conf
+++ b/roles/nginxplus/files/conf/http/lib-jobs-staging.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/libjobs-staging/NGINX_cache/ keys_zone=libjobs-stagingcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=libjobs-staging-ratelimit:10m rate=10r/s;
+
 upstream libjobs-staging {
 zone libjobs-staging 64k;
 server lib-jobs-staging1.princeton.edu resolve;
@@ -35,6 +43,7 @@ server {
 proxy_pass http://libjobs-staging;
 proxy_set_header X-Forwarded-Host $host;
 proxy_cache libjobs-stagingcache;
+ limit_req zone=libjobs-staging-ratelimit burst=20 nodelay;
 # health_check;
 # allow princeton network
 # allow 128.112.0.0/16;
diff --git a/roles/nginxplus/files/conf/http/lockers-and-study-spaces-prod.conf b/roles/nginxplus/files/conf/http/lockers-and-study-spaces-prod.conf
index 176e14a4a..01c13db15 100644
--- a/roles/nginxplus/files/conf/http/lockers-and-study-spaces-prod.conf
+++ b/roles/nginxplus/files/conf/http/lockers-and-study-spaces-prod.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/lockers-and-study-spaces/NGINX_cache/ keys_zone=lockers-and-study-spacescache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=lockers-prod-ratelimit:10m rate=10r/s;
+
 upstream lockers-and-study-spaces-prod {
 zone lockers-and-study-spaces-prod 64k;
 server lockers-and-study-spaces-prod1.princeton.edu resolve;
@@ -34,6 +42,7 @@ server {
 proxy_pass http://lockers-and-study-spaces-prod;
 proxy_set_header X-Forwarded-Host $host;
 proxy_cache lockers-and-study-spacescache;
+ limit_req zone=lockers-prod-ratelimit burst=20 nodelay;
 # handle errors using errors.conf
 proxy_intercept_errors on;
 health_check interval=10 fails=3 passes=2;
diff --git a/roles/nginxplus/files/conf/http/lockers-and-study-spaces-staging.conf b/roles/nginxplus/files/conf/http/lockers-and-study-spaces-staging.conf
index dabb6846d..146afeffd 100644
--- a/roles/nginxplus/files/conf/http/lockers-and-study-spaces-staging.conf
+++ b/roles/nginxplus/files/conf/http/lockers-and-study-spaces-staging.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/lockers-and-study-spaces-staging/NGINX_cache/ keys_zone=lockers-and-study-spaces-stagingcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=lockers-staging-ratelimit:10m rate=10r/s;
+
 upstream lockers-and-study-spaces-staging {
 zone lockers-and-study-spaces-staging 64k;
 server lockers-and-study-spaces-staging1.princeton.edu resolve;
@@ -35,6 +43,7 @@ server {
 proxy_pass http://lockers-and-study-spaces-staging;
 proxy_set_header X-Forwarded-Host $host;
 proxy_cache lockers-and-study-spaces-stagingcache;
+ limit_req zone=lockers-staging-ratelimit burst=20 nodelay;
 # handle errors using errors.conf
 proxy_intercept_errors on;
 health_check interval=10 fails=3 passes=2;
diff --git a/roles/nginxplus/files/conf/http/repec-prod.conf b/roles/nginxplus/files/conf/http/repec-prod.conf
index 551bf0438..0458423b7 100644
--- a/roles/nginxplus/files/conf/http/repec-prod.conf
+++ b/roles/nginxplus/files/conf/http/repec-prod.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/repec-prod/NGINX_cache/ keys_zone=repec-prodcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=repec-prod-ratelimit:10m rate=10r/s;
+
 upstream repec-prod {
 zone repec-prod 64k;
 # server repec-prod1.princeton.edu resolve;
@@ -34,6 +42,7 @@ server {
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_cache repec-prodcache;
+ limit_req zone=repec-prod-ratelimit burst=20 nodelay;
 # handle errors using errors.conf
 proxy_intercept_errors on;
 health_check interval=10 fails=3 passes=2;
diff --git a/roles/nginxplus/files/conf/http/repec-staging.conf b/roles/nginxplus/files/conf/http/repec-staging.conf
index 5e839c15f..fbaaa150e 100644
--- a/roles/nginxplus/files/conf/http/repec-staging.conf
+++ b/roles/nginxplus/files/conf/http/repec-staging.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/repec-staging/NGINX_cache/ keys_zone=repec-stagingcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=repec-staging-ratelimit:10m rate=10r/s;
+
 upstream repec-staging {
 zone repec-staging 64k;
 server repec-staging1.princeton.edu resolve;
@@ -35,6 +43,7 @@ server {
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_cache repec-stagingcache;
+ limit_req zone=repec-staging-ratelimit burst=20 nodelay;
 # handle errors using errors.conf
 proxy_intercept_errors on;
 health_check interval=10 fails=3 passes=2;
diff --git a/roles/nginxplus/files/conf/http/slavery-prod.conf b/roles/nginxplus/files/conf/http/slavery-prod.conf
index d4b55e238..62759213b 100644
--- a/roles/nginxplus/files/conf/http/slavery-prod.conf
+++ b/roles/nginxplus/files/conf/http/slavery-prod.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/slavery-prod/NGINX_cache/ keys_zone=slavery-prodcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=slavery-prod-ratelimit:10m rate=10r/s;
+
 upstream slavery-prod {
 zone slavery-prod 64k;
 server slavery-prod1.princeton.edu resolve;
@@ -33,6 +41,7 @@ server {
 proxy_set_header Host $http_host;
 proxy_set_header X-Forwarded-Host $host;
 proxy_cache slavery-prodcache;
+ limit_req zone=slavery-prod-ratelimit burst=20 nodelay;
 proxy_connect_timeout 2h;
 proxy_send_timeout 2h;
 proxy_read_timeout 2h;
diff --git a/roles/nginxplus/files/conf/http/slavery-staging.conf b/roles/nginxplus/files/conf/http/slavery-staging.conf
index d0232040e..11f8342fc 100644
--- a/roles/nginxplus/files/conf/http/slavery-staging.conf
+++ b/roles/nginxplus/files/conf/http/slavery-staging.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/slavery-staging/NGINX_cache/ keys_zone=slavery-stagingcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=slavery-staging-ratelimit:10m rate=10r/s;
+
 upstream slavery-staging {
 zone slavery-staging 64k;
 server slavery-staging1.princeton.edu resolve;
@@ -35,6 +43,7 @@ server {
 proxy_set_header Host $http_host;
 proxy_set_header X-Forwarded-Host $host;
 proxy_cache slavery-stagingcache;
+ limit_req zone=slavery-staging-ratelimit burst=20 nodelay;
 proxy_connect_timeout 2h;
 proxy_send_timeout 2h;
 proxy_read_timeout 2h;
diff --git a/roles/nginxplus/files/conf/http/videoreserves_prod.conf b/roles/nginxplus/files/conf/http/videoreserves_prod.conf
index 12c95e53b..8c31223a0 100644
--- a/roles/nginxplus/files/conf/http/videoreserves_prod.conf
+++ b/roles/nginxplus/files/conf/http/videoreserves_prod.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/videoreserves-prod/NGINX_cache/ keys_zone=videoreserves-prodcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=videoreserves-prod-ratelimit:10m rate=10r/s;
+
 upstream videoreserves-prod {
 zone videoreserves-prod 64k;
 server lib-vr-prod1.princeton.edu resolve;
@@ -36,6 +44,7 @@ server {
 proxy_set_header Host $http_host;
 proxy_set_header X-Forwarded-Host $host;
 proxy_cache videoreserves-prodcache;
+ limit_req zone=videoreserves-prod-ratelimit burst=20 nodelay;
 proxy_connect_timeout 2h;
 proxy_send_timeout 2h;
 proxy_read_timeout 2h;
diff --git a/roles/nginxplus/files/conf/http/videoreserves_staging.conf b/roles/nginxplus/files/conf/http/videoreserves_staging.conf
index d7125b443..0f5a56c33 100644
--- a/roles/nginxplus/files/conf/http/videoreserves_staging.conf
+++ b/roles/nginxplus/files/conf/http/videoreserves_staging.conf
@@ -1,6 +1,14 @@
 # Ansible managed
 proxy_cache_path /data/nginx/videoreserves-staging/NGINX_cache/ keys_zone=videoreserves-stagingcache:10m;
+map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+}
+
+# zone: 10mb can hold 160K IP addresses in memory
+limit_req_zone $external_traffic zone=videoreserves-staging-ratelimit:10m rate=10r/s;
+
 upstream videoreserves-staging {
 zone videoreserves-staging 64k;
 server lib-vr-staging1.princeton.edu resolve;
@@ -36,6 +44,7 @@ server {
 proxy_set_header Host $http_host;
 proxy_set_header X-Forwarded-Host $host;
 proxy_cache videoreserves-stagingcache;
+ limit_req zone=videoreserves-staging-ratelimit burst=20 nodelay;
 proxy_connect_timeout 2h;
 proxy_send_timeout 2h;
 proxy_read_timeout 2h;