From 493c5528ce1be34d23bdaa20ffe3181dcce93c94 Mon Sep 17 00:00:00 2001
From: Roberto Alsina <roberto.alsina@gmail.com>
Date: Fri, 3 Oct 2025 09:23:20 -0300
Subject: [PATCH] Add rate limiting to protect against bot traffic

- Add global rate limiting zones (10r/s, 3r/s for POST)
- Add API service limits (5r/s) for faas/gotify
- Add unknown user agent detection with strict limits (2r/s)
- Skip rate limiting for WebSocket connections
- Add 429 error pages for rate limit exceeded
- Enhance existing AI bot blocking with additional protection

Co-Authored-By: z.ai model <noreply@z.ai>
---
 reverse_proxy/nginx.conf | 88 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)

diff --git a/reverse_proxy/nginx.conf b/reverse_proxy/nginx.conf
index 4880a6a..8759d20 100644
--- a/reverse_proxy/nginx.conf
+++ b/reverse_proxy/nginx.conf
@@ -2,6 +2,26 @@ map $upstream_http_access_control_allow_origin $allow_origin {
     '' "*";
 }
 
+# Rate limiting zones for bot protection
+limit_req_zone $binary_remote_addr zone=global:10m rate=10r/s;
+limit_req_zone $binary_remote_addr zone=post_requests:10m rate=3r/s;
+limit_req_zone $binary_remote_addr zone=api_services:10m rate=5r/s;
+limit_req_zone $binary_remote_addr zone=unknown_ua:10m rate=2r/s;
+
+# Map for unknown user agents (empty or generic ones)
+map $http_user_agent $is_unknown_ua {
+    default 0;
+    ~*^$ 1;
+    ~*^curl 1;
+    ~*^wget 1;
+    ~*^python-requests 1;
+    ~*^java 1;
+    ~*^Go-http-client 1;
+    ~*^okhttp 1;
+    ~*^PostmanRuntime 1;
+    ~*^insomnia 1;
+}
+
 
 server {
     listen 8080;
@@ -19,11 +39,36 @@ server {
     }
 
     location / {
+        limit_req zone=global burst=20 nodelay;
+        limit_req zone=post_requests burst=5 nodelay;
         proxy_pass http://rocky.tail20c16.ts.net:8888;
         proxy_set_header X-Forwarded-Host $http_host;
     }
 }
 
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name tocry-demo.ralsina.me;
+
+    add_header 'Access-Control-Allow-Origin' $allow_origin;
+    add_header 'Access-Control-Allow-Headers' '*';
+    add_header 'Access-Control-Allow-Credentials' 'true';
+    add_header 'Allow' 'POST, GET, OPTIONS';
+
+    if ($request_method = 'OPTIONS' ) {
+        return 200;
+    }
+
+    location / {
+        limit_req zone=global burst=20 nodelay;
+        limit_req zone=post_requests burst=5 nodelay;
+        proxy_pass http://rocky.tail20c16.ts.net:8182;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
+}
+
 server {
     listen 8080;
     listen [::]:8080;
@@ -40,6 +85,8 @@ server {
     }
 
     location / {
+        limit_req zone=global burst=20 nodelay;
+        limit_req zone=post_requests burst=5 nodelay;
         proxy_pass http://rocky.tail20c16.ts.net:1112;
         proxy_set_header X-Forwarded-Host $http_host;
     }
@@ -52,6 +99,8 @@ server {
     server_name code.ralsina.me;
 
     location / {
+        limit_req zone=global burst=20 nodelay;
+        limit_req zone=post_requests burst=5 nodelay;
         proxy_pass http://mindy.tail20c16.ts.net:8088;
         proxy_set_header X-Forwarded-Host $http_host;
         proxy_set_header Host $host;
@@ -60,10 +109,15 @@ server {
         proxy_set_header Accept-Encoding gzip;
     }
     error_page 500 502 503 504 /custom_50x.html;
+    error_page 429 /429.html;
     location = /custom_50x.html {
         root /usr/share/nginx/html;
         internal;
     }
+    location = /429.html {
+        return 429 '<html><body><h1>Too Many Requests</h1><p>Rate limit exceeded. Please try again later.</p></body></html>';
+        add_header Content-Type text/html;
+    }
 }
 server {
     listen 8080;
@@ -84,15 +138,24 @@ server {
     }
 
     location / {
+        # Apply stricter limits for unknown user agents
+        limit_req zone=unknown_ua burst=3 nodelay;
+        limit_req zone=global burst=20 nodelay;
+        limit_req zone=post_requests burst=5 nodelay;
         proxy_pass http://rocky.tail20c16.ts.net:8080;
         proxy_set_header X-Forwarded-Host $http_host;
         proxy_set_header Host $host;
     }
     error_page 500 502 503 504 /custom_50x.html;
+    error_page 429 /429.html;
     location = /custom_50x.html {
         root /usr/share/nginx/html;
         internal;
     }
+    location = /429.html {
+        return 429 '<html><body><h1>Too Many Requests</h1><p>Rate limit exceeded. Please try again later.</p></body></html>';
+        add_header Content-Type text/html;
+    }
 }
 
 server {
@@ -102,15 +165,22 @@ server {
     server_name links.ralsina.me;
 
     location / {
+        limit_req zone=global burst=20 nodelay;
+        limit_req zone=post_requests burst=5 nodelay;
         proxy_pass http://rocky.tail20c16.ts.net:8086;
         proxy_set_header X-Forwarded-Host $http_host;
         proxy_set_header Host $host;
     }
     error_page 500 502 503 504 /custom_50x.html;
+    error_page 429 /429.html;
     location = /custom_50x.html {
         root /usr/share/nginx/html;
         internal;
     }
+    location = /429.html {
+        return 429 '<html><body><h1>Too Many Requests</h1><p>Rate limit exceeded. Please try again later.</p></body></html>';
+        add_header Content-Type text/html;
+    }
 }
 
 server {
@@ -120,15 +190,22 @@ server {
     server_name git.ralsina.me;
 
     location / {
+        limit_req zone=global burst=20 nodelay;
+        limit_req zone=post_requests burst=5 nodelay;
         proxy_pass http://rocky.tail20c16.ts.net:3000;
         proxy_set_header X-Forwarded-Host $http_host;
         proxy_set_header Host $host;
     }
     error_page 403 404 500 502 503 504 /custom_50x.html;
+    error_page 429 /429.html;
     location = /custom_50x.html {
         root /usr/share/nginx/html;
         internal;
     }
+    location = /429.html {
+        return 429 '<html><body><h1>Too Many Requests</h1><p>Rate limit exceeded. Please try again later.</p></body></html>';
+        add_header Content-Type text/html;
+    }
 }
 
 server {
@@ -147,12 +224,15 @@ server {
     }
 
     location / {
+        limit_req zone=api_services burst=10 nodelay;
+        limit_req zone=post_requests burst=5 nodelay;
         proxy_pass http://rocky.tail20c16.ts.net:7777;
         proxy_set_header X-Forwarded-Host $http_host;
         proxy_set_header Host $host;
     }
 
     location /stream {
+        # No rate limiting for WebSocket connections
         proxy_pass http://rocky.tail20c16.ts.net:7777;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
@@ -161,10 +241,15 @@ server {
     }
 
     error_page 403 404 500 502 503 504 /custom_50x.html;
+    error_page 429 /429.html;
     location = /custom_50x.html {
         root /usr/share/nginx/html;
         internal;
     }
+    location = /429.html {
+        return 429 '<html><body><h1>Too Many Requests</h1><p>Rate limit exceeded. Please try again later.</p></body></html>';
+        add_header Content-Type text/html;
+    }
 }
 
 server {
@@ -183,6 +268,8 @@ server {
     }
 
     location / {
+        limit_req zone=api_services burst=10 nodelay;
+        limit_req zone=post_requests burst=5 nodelay;
         proxy_pass http://rocky.tail20c16.ts.net:8082;
         proxy_set_header X-Forwarded-Host $http_host;
     }
@@ -195,6 +282,7 @@ server {
     server_name snips.ralsina.me;
 
     location / {
+        # No rate limiting for WebSocket connections
         proxy_pass http://rocky.tail20c16.ts.net:8091	;
         proxy_set_header X-Forwarded-Host $http_host;