Rate limit requests to the LDAP auth server.

Because of the setup I have with HAProxy in ns1 in front of Nginx, all of the requests have the same client IP. In essence this is just rate limiting all requests, regardless of the client IP (unless coming from the internal network).

Rate limit requests to the LDAP auth server.
35ba0e8d · nimrod · 6f376e2a · 35ba0e8d
Commit 35ba0e8d authored 3 years ago by nimrod
--- a/conf.d/auth.shore.co.il.conf
+++ b/conf.d/auth.shore.co.il.conf
 map $host $auth { default auth; }
+limit_req_zone $binary_remote_addr zone=ldap_auth:2m rate=2r/s;
+limit_req_status 429;
 server {
    listen      80;
    listen      [::]:80;
@@ -20,10 +23,12 @@ server {
    include     snippets/security-txt.conf;
    include     snippets/ssl.conf;
    location / {
        proxy_pass              http://$auth:8080$request_uri;
        proxy_http_version      1.1;
        include                 snippets/proxy-headers.conf;
        include                 snippets/allow-shore-ips.conf;
+        limit_req               zone=ldap_auth burst=10 delay=2;
    }
 }