From ce06af8562194e11cb7da3dad6039dea2ac30094 Mon Sep 17 00:00:00 2001
From: Alex Garel
Date: Tue, 12 Sep 2023 13:14:48 +0200
Subject: [PATCH] =?UTF-8?q?feat:=C2=A0add=20rate=20limiting=20to=20images?= =?UTF-8?q?=20nginx?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 confs/ovh3/nginx/sites-available/static-off | 30 +++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/confs/ovh3/nginx/sites-available/static-off b/confs/ovh3/nginx/sites-available/static-off
index 9caf8a28..800d1cad 100644
--- a/confs/ovh3/nginx/sites-available/static-off
+++ b/confs/ovh3/nginx/sites-available/static-off
@@ -3,6 +3,32 @@ log_format combined_upstream '$remote_addr - $remote_user [$time_local] '
 '"$request" $status $body_bytes_sent '
 '"$http_referer" "$http_user_agent" c=$upstream_cache_status u=$upstream_addr t=$request_time';
+# mapping to expected image size (approximately)
+# for smart rate limiting
+map $uri $response_size {
+ default small_size;
+ # full image either have full, or ar 1.jpg
+ "~*\.full\.jpg" big_size;
+ "~*/\d+\.jpg" big_size;
+}
+map $response_size $big_rate_key {
+ default $binary_remote_addr;
+ small_size ''; # skipped
+}
+map $response_size $small_rate_key {
+ default $binary_remote_addr;
+ big_size ''; # skipped
+}
+
+# rate limit, differentiate between small an full req
+# small (loading search page: 100 product images + burst for assets)
+limit_req_zone $small_rate_key zone=small_size:10m rate=110r/s;
+# 1 full image per second should be enough
+limit_req_zone $big_rate_key zone=big_size:10m rate=1r/s;
+
+# use a clear status
+limit_req_status 429;
+
 upstream openfoodfacts {
 server 10.0.0.3:443 weight=100;
 server off1.openfoodfacts.org:443;
@@ -48,6 +74,10 @@ server {
 }
 location / {
+ # rate limit based on size
+ limit_req zone=big_size burst=2 nodelay;
+ limit_req zone=small_size burst=100 nodelay;
+
 # test en local, puis sur off1
 try_files $uri @off1;
 sendfile on;
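Review bot: The two regexes in `map $uri $response_size` are unanchored, so `~*\.full\.jpg` and `~*/\d+\.jpg` match that text anywhere in the URI rather than only as the file name suffix, which is what the comment "full image either have full, or ar 1.jpg" describes; a request whose path merely contains such a substring is classified as `big_size` and lands in the strict 1r/s zone. If suffix matching is the intent, anchor them: `"~*\.full\.jpg$" big_size;` and `"~*/\d+\.jpg$" big_size;`. Both zones key on `$binary_remote_addr`; if this host is ever fronted by a proxy or CDN (not visible in the hunk), every client would share one key and the 1r/s full-image limit would throttle all of them together, so a comment stating that the limit assumes direct client connections would help the next maintainer. Reusing the map values `small_size`/`big_size` as the `limit_req_zone` names reads as if the key and the zone were the same object; distinct names (e.g. `zone=img_small` / `zone=img_big`) would make the second hunk's `limit_req zone=...` lines easier to follow.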