feat: add rate limiting to images nginx

openfoodfacts · Sep 12, 2023 · ce06af8 · ce06af8
1 parent ad96ea3
commit ce06af8
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/confs/ovh3/nginx/sites-available/static-off b/confs/ovh3/nginx/sites-available/static-off
@@ -3,6 +3,32 @@ log_format combined_upstream '$remote_addr - $remote_user [$time_local] '
                     '"$request" $status $body_bytes_sent '
                     '"$http_referer" "$http_user_agent" c=$upstream_cache_status u=$upstream_addr t=$request_time';
 
+# mapping to expected image size (approximately)
+# for smart rate limiting
+map $uri $response_size {
+	default small_size;
+	# full image either have full, or ar 1.jpg
+	"~*\.full\.jpg" big_size;
+	"~*/\d+\.jpg" big_size;
+}
+map $response_size $big_rate_key {
+	default $binary_remote_addr;
+	small_size '';  # skipped
+}
+map $response_size $small_rate_key {
+	default $binary_remote_addr;
+	big_size '';  # skipped
+}
+
+# rate limit, differentiate between small an full req
+# small (loading search page: 100 product images + burst for assets)
+limit_req_zone $small_rate_key zone=small_size:10m rate=110r/s;
+# 1 full image per second should be enough
+limit_req_zone $big_rate_key zone=big_size:10m rate=1r/s;
+
+# use a clear status
+limit_req_status 429;
+
 upstream openfoodfacts {
 	server 10.0.0.3:443 weight=100;
 	server off1.openfoodfacts.org:443;
@@ -48,6 +74,10 @@ server {
 	}
 
 	location / {
+		# rate limit based on size
+		limit_req zone=big_size burst=2 nodelay;
+		limit_req zone=small_size burst=100 nodelay;
+
 		# test en local, puis sur off1
 		try_files		$uri @off1;
 		sendfile		on;