From 35ba0e8d5aa47a077fe42d1549a129fe30685afc Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Wed, 19 May 2021 22:23:17 +0300
Subject: [PATCH] Rate limit requests to the LDAP auth server.

Because of the setup I have with HAProxy in ns1 in front of Nginx, all
of the requests have the same client IP. In essence this is just rate
limiting all requests, regardless of the client IP (unless coming from
the internal network).
---
 conf.d/auth.shore.co.il.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/conf.d/auth.shore.co.il.conf b/conf.d/auth.shore.co.il.conf
index d40375a..014ac07 100644
--- a/conf.d/auth.shore.co.il.conf
+++ b/conf.d/auth.shore.co.il.conf
@@ -1,5 +1,8 @@
 map $host $auth { default auth; }
 
+limit_req_zone $binary_remote_addr zone=ldap_auth:2m rate=2r/s;
+limit_req_status 429;
+
 server {
     listen      80;
     listen      [::]:80;
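Review bot: Keying the zone on `$binary_remote_addr` while HAProxy sits in front collapses every external client into a single bucket, as the description admits, so one abusive client can burn the 2r/s budget for everyone trying to reach the LDAP auth server rather than being slowed individually. If HAProxy forwards the original address (X-Forwarded-For or PROXY protocol), the realip module can restore it before the limit is evaluated, e.g. `set_real_ip_from <haproxy-address>;` and `real_ip_header X-Forwarded-For;`, trusting only HAProxy's address so a direct client cannot forge the header. Whether snippets/proxy-headers.conf or the listen directives already do this is not visible from the patch. A comment above the zone such as `# keyed on the connecting IP; behind HAProxy this is effectively a global limit unless realip restores the client address` would stop the next reader from assuming per-client limiting.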
@@ -20,10 +23,12 @@ server {
     include     snippets/security-txt.conf;
     include     snippets/ssl.conf;
 
+
     location / {
         proxy_pass              http://$auth:8080$request_uri;
         proxy_http_version      1.1;
         include                 snippets/proxy-headers.conf;
         include                 snippets/allow-shore-ips.conf;
+        limit_req               zone=ldap_auth burst=10 delay=2;
     }
 }
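Review bot: `limit_req` runs in nginx's preaccess phase, before the `allow`/`deny` rules that snippets/allow-shore-ips.conf presumably holds, so the internal network is throttled too unless those clients bypass HAProxy and therefore land in their own bucket; the description's "unless coming from the internal network" does not follow from this line alone. If internal clients should be exempt, the documented pattern is a `geo` block that maps internal ranges to an empty key, since an empty key skips the limit; that replaces the zone line at the top of the file (range shown as a labelled placeholder). The extra blank line added before `location /` leaves two consecutive empty lines and should be dropped. The enclosing server block starts outside the hunk.
```nginx
geo $ldap_auth_limited {
    default             1;
    <internal-range>    0;
}
map $ldap_auth_limited $ldap_auth_key {
    0   "";
    1   $binary_remote_addr;
}
limit_req_zone $ldap_auth_key zone=ldap_auth:2m rate=2r/s;
# … unchanged: limit_req_status, server block, location / …
```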
-- 
GitLab