From 8d9c6b62d4d28a72ec93c53ced70e6aaa59f087e Mon Sep 17 00:00:00 2001
From: phil
Date: Sat, 11 Mar 2023 18:46:49 +0100
Subject: [PATCH] Add information about request limits

---
 README.md | 21 +++++++++++++++++++++
 files/request_limits.conf | 9 +++++----
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index e018ea4..702846b 100644
--- a/README.md
+++ b/README.md
@@ -13,3 +13,24 @@ Role to install Nginx.
 | `nginx_type` | | `gateway` for a Reverse Proxy, `standalone` for a frontend webserver, `backend` for a backend webserver (behind a Reverse Proxy) |
 | `dhparam_path` | `/etc/ssl/private/dhparam.pem` | Path to dhparam file |
 | `dhparam_size` | `4096` | Size (in bits) of the generated DH-params |
+
+## Rate limiting
+### Limiting the Request Rate
+
+You can use Nginx' [Rate Limiting](https://www.nginx.com/blog/rate-limiting-nginx/) to slow | down brute force attacks.
+The following zones are available:
+
+| Zone name | Filter | Limit |
+|--|--|--|
+| `req_ip_one` | IP address | 30r/m |
+| `req_ip_two` | IP address | 15r/m |
+| `req_server_one` | Domain | 30r/m |
+| `req_server_two` | Domain | 15r/m |
+
+### Limiting the Number of Connections
+
+You can also limit the number of [connection](https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-http/):
+
+| Zone name | Filter | Limit |
+|--|--|--|
+| `con_ip_one` | IP address | No default limit |
diff --git a/files/request_limits.conf b/files/request_limits.conf
index 851d05a..464e182 100644
--- a/files/request_limits.conf
+++ b/files/request_limits.conf
@@ -1,7 +1,8 @@
 # Managed by Ansible
-limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
-limit_req_zone $binary_remote_addr zone=wordpress:10m rate=10r/m;
-limit_req_zone $server_name zone=perserver:10m rate=20r/m;
+limit_req_zone $binary_remote_addr zone=req_ip_one:10m rate=30r/m;
+limit_req_zone $binary_remote_addr zone=req_ip_two:10m rate=15r/m;
+limit_req_zone $server_name zone=req_server_one:10m rate=30r/m;
+limit_req_zone $server_name zone=req_server_two:10m rate=15r/m;
+limit_conn_zone $binary_remote_addr zone=con_ip_one :10m;
 limit_req_status 444;
-limit_conn_zone $binary_remote_addr zone=addr:10m;
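Review bot: The new `limit_conn_zone` line has a space inside the zone parameter (`zone=con_ip_one :10m`); nginx parses `zone=name:size` as a single argument, so this will most likely be rejected at `nginx -t` time with an invalid-zone-size or unknown-parameter error and the role's reload handler will fail. The line should read `limit_conn_zone $binary_remote_addr zone=con_ip_one:10m;`. The hunk also drops the old zone names (`one`, `wordpress`, `perserver`, `addr`) with no alias, so any `limit_req zone=...` or `limit_conn zone=...` directive elsewhere in the role that still references them would make nginx refuse the whole configuration; that cannot be confirmed from this patch, so the role's server/location templates are worth checking before merge. A short comment per zone stating its key and intended use, e.g. `# per-client-IP zone, 30 requests/minute; attach with limit_req zone=req_ip_one`, would keep this file self-describing now that the README table mirrors these names and rates and the two must stay in sync.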