Add rate limiting to protect against bot traffic

- Add global rate limiting zones (10r/s, 3r/s for POST) - Add API service limits (5r/s) for faas/gotify - Add unknown user agent detection with strict limits (2r/s) - Skip rate limiting for WebSocket connections - Add 429 error pages for rate limit exceeded - Enhance existing AI bot blocking with additional protection Co-Authored-By: z.ai model <noreply@z.ai>
2025-10-03 09:23:20 -03:00
parent ea8c82aeeb
commit 493c5528ce
1 changed files with 88 additions and 0 deletions
--- a/reverse_proxy/nginx.conf
+++ b/reverse_proxy/nginx.conf
@@ -2,6 +2,26 @@ map $upstream_http_access_control_allow_origin $allow_origin {
    '' "*";
 }
 # Rate limiting zones for bot protection
 limit_req_zone $binary_remote_addr zone=global:10m rate=10r/s;
 limit_req_zone $binary_remote_addr zone=post_requests:10m rate=3r/s;
 limit_req_zone $binary_remote_addr zone=api_services:10m rate=5r/s;
 limit_req_zone $binary_remote_addr zone=unknown_ua:10m rate=2r/s;
 # Map for unknown user agents (empty or generic ones)
 map $http_user_agent $is_unknown_ua {
    default 0;
    ~*^$ 1;
    ~*^curl 1;
    ~*^wget 1;
    ~*^python-requests 1;
    ~*^java 1;
    ~*^Go-http-client 1;
    ~*^okhttp 1;
    ~*^PostmanRuntime 1;
    ~*^insomnia 1;
 }
 server {
    listen 8080;
@@ -19,11 +39,36 @@ server {
    }
    location / {
        limit_req zone=global burst=20 nodelay;
        limit_req zone=post_requests burst=5 nodelay;
        proxy_pass http://rocky.tail20c16.ts.net:8888;
        proxy_set_header X-Forwarded-Host $http_host;
    }
 }
 server {
    listen 8080;
    listen [::]:8080;
    server_name tocry-demo.ralsina.me;
    add_header 'Access-Control-Allow-Origin' $allow_origin;
    add_header 'Access-Control-Allow-Headers' '*';
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Allow' 'POST, GET, OPTIONS';
    if ($request_method = 'OPTIONS' ) {
        return 200;
    }
    location / {
        limit_req zone=global burst=20 nodelay;
        limit_req zone=post_requests burst=5 nodelay;
        proxy_pass http://rocky.tail20c16.ts.net:8182;
        proxy_set_header X-Forwarded-Host $http_host;
    }
 }
 server {
    listen 8080;
    listen [::]:8080;
@@ -40,6 +85,8 @@ server {
    }
    location / {
        limit_req zone=global burst=20 nodelay;
        limit_req zone=post_requests burst=5 nodelay;
        proxy_pass http://rocky.tail20c16.ts.net:1112;
        proxy_set_header X-Forwarded-Host $http_host;
    }
@@ -52,6 +99,8 @@ server {
    server_name code.ralsina.me;
    location / {
        limit_req zone=global burst=20 nodelay;
        limit_req zone=post_requests burst=5 nodelay;
        proxy_pass http://mindy.tail20c16.ts.net:8088;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header Host $host;
@@ -60,10 +109,15 @@ server {
        proxy_set_header Accept-Encoding gzip;
    }
    error_page 500 502 503 504 /custom_50x.html;
    error_page 429 /429.html;
    location = /custom_50x.html {
        root /usr/share/nginx/html;
        internal;
    }
    location = /429.html {
        return 429 '<html><body><h1>Too Many Requests</h1><p>Rate limit exceeded. Please try again later.</p></body></html>';
        add_header Content-Type text/html;
    }
 }
 server {
    listen 8080;
@@ -84,15 +138,24 @@ server {
    }
    location / {
        # Apply stricter limits for unknown user agents
        limit_req zone=unknown_ua burst=3 nodelay;
        limit_req zone=global burst=20 nodelay;
        limit_req zone=post_requests burst=5 nodelay;
        proxy_pass http://rocky.tail20c16.ts.net:8080;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header Host $host;
    }
    error_page 500 502 503 504 /custom_50x.html;
    error_page 429 /429.html;
    location = /custom_50x.html {
        root /usr/share/nginx/html;
        internal;
    }
    location = /429.html {
        return 429 '<html><body><h1>Too Many Requests</h1><p>Rate limit exceeded. Please try again later.</p></body></html>';
        add_header Content-Type text/html;
    }
 }
 server {
@@ -102,15 +165,22 @@ server {
    server_name links.ralsina.me;
    location / {
        limit_req zone=global burst=20 nodelay;
        limit_req zone=post_requests burst=5 nodelay;
        proxy_pass http://rocky.tail20c16.ts.net:8086;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header Host $host;
    }
    error_page 500 502 503 504 /custom_50x.html;
    error_page 429 /429.html;
    location = /custom_50x.html {
        root /usr/share/nginx/html;
        internal;
    }
    location = /429.html {
        return 429 '<html><body><h1>Too Many Requests</h1><p>Rate limit exceeded. Please try again later.</p></body></html>';
        add_header Content-Type text/html;
    }
 }
 server {
@@ -120,15 +190,22 @@ server {
    server_name git.ralsina.me;
    location / {
        limit_req zone=global burst=20 nodelay;
        limit_req zone=post_requests burst=5 nodelay;
        proxy_pass http://rocky.tail20c16.ts.net:3000;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header Host $host;
    }
    error_page 403 404 500 502 503 504 /custom_50x.html;
    error_page 429 /429.html;
    location = /custom_50x.html {
        root /usr/share/nginx/html;
        internal;
    }
    location = /429.html {
        return 429 '<html><body><h1>Too Many Requests</h1><p>Rate limit exceeded. Please try again later.</p></body></html>';
        add_header Content-Type text/html;
    }
 }
 server {
@@ -147,12 +224,15 @@ server {
    }
    location / {
        limit_req zone=api_services burst=10 nodelay;
        limit_req zone=post_requests burst=5 nodelay;
        proxy_pass http://rocky.tail20c16.ts.net:7777;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header Host $host;
    }
    location /stream {
        # No rate limiting for WebSocket connections
        proxy_pass http://rocky.tail20c16.ts.net:7777;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
@@ -161,10 +241,15 @@ server {
    }
    error_page 403 404 500 502 503 504 /custom_50x.html;
    error_page 429 /429.html;
    location = /custom_50x.html {
        root /usr/share/nginx/html;
        internal;
    }
    location = /429.html {
        return 429 '<html><body><h1>Too Many Requests</h1><p>Rate limit exceeded. Please try again later.</p></body></html>';
        add_header Content-Type text/html;
    }
 }
 server {
@@ -183,6 +268,8 @@ server {
    }
    location / {
        limit_req zone=api_services burst=10 nodelay;
        limit_req zone=post_requests burst=5 nodelay;
        proxy_pass http://rocky.tail20c16.ts.net:8082;
        proxy_set_header X-Forwarded-Host $http_host;
    }
@@ -195,6 +282,7 @@ server {
    server_name snips.ralsina.me;
    location / {
        # No rate limiting for WebSocket connections
        proxy_pass http://rocky.tail20c16.ts.net:8091	;
        proxy_set_header X-Forwarded-Host $http_host;