Add information about request limits

README.md

@@ -13,3 +13,24 @@ Role to install Nginx.
 | `nginx_type` | | `gateway` for a Reverse Proxy, `standalone` for a frontend webserver, `backend` for a backend webserver (behind a Reverse Proxy) |
 | `dhparam_path` | `/etc/ssl/private/dhparam.pem` | Path to dhparam file |
 | `dhparam_size` | `4096` | Size (in bits) of the generated DH-params |
+
+## Rate limiting
+### Limiting the Request Rate
+
+You can use Nginx' [Rate Limiting](https://www.nginx.com/blog/rate-limiting-nginx/) to slow | down brute force attacks.
+The following zones are available:
+
+| Zone name | Filter | Limit |
+|--|--|--|
+| `req_ip_one` | IP address | 30r/m |
+| `req_ip_two` | IP address | 15r/m |
+| `req_server_one` | Domain | 30r/m |
+| `req_server_two` | Domain | 15r/m |
+
+### Limiting the Number of Connections
+
+You can also limit the number of [connection](https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-http/):
+
+| Zone name | Filter | Limit |
+|--|--|--|
+| `con_ip_one` | IP address | No default limit |

files/request_limits.conf

@@ -1,7 +1,8 @@
 # Managed by Ansible
 
-limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
-limit_req_zone $binary_remote_addr zone=wordpress:10m rate=10r/m;
-limit_req_zone $server_name zone=perserver:10m rate=20r/m;
+limit_req_zone $binary_remote_addr zone=req_ip_one:10m rate=30r/m;
+limit_req_zone $binary_remote_addr zone=req_ip_two:10m rate=15r/m;
+limit_req_zone $server_name zone=req_server_one:10m rate=30r/m;
+limit_req_zone $server_name zone=req_server_two:10m rate=15r/m;
+limit_conn_zone $binary_remote_addr zone=con_ip_one :10m;
 limit_req_status 444;
-limit_conn_zone $binary_remote_addr zone=addr:10m;