Merge pull request #17 from ls1intum/bugfix/fix-nginx-config-for-auth…

…-endpoint Improve authentication protection
ls1intum · Jun 24, 2022 · c561124 · c561124
2 parents e2c914d + f2bbde1
commit c561124
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/roles/proxy/templates/nginx_artemis.conf.j2 b/roles/proxy/templates/nginx_artemis.conf.j2
@@ -10,8 +10,8 @@ upstream artemis {
 {% endfor %}
 }
 
-# rate limit for the login REST call, at most 2 requests per second
-limit_req_zone $binary_remote_addr zone=loginlimit:10m rate=5r/s;
+# Rate limit for the login REST call, at most one requests per two seconds
+limit_req_zone $binary_remote_addr zone=loginlimit:10m rate=30r/m;
 
 server {
     listen 80 default_server;
@@ -86,7 +86,13 @@ server {
 
     location /api/authenticate {
         proxy_pass http://artemis/api/authenticate;
-        limit_req zone=loginlimit burst=5 nodelay;
+		# For a given violation of the rate limit defined in the zone
+		# * the first 2 (delay) requests will be allowed without delay
+		# * the next (burst - delay) request waits until it fits in the rate limit
+		# * the rest will be denied
+		# If an attacker spams this endpoint, only the first three requests will come through.
+		# This only resets if the violation of the rate limit stops.
+        limit_req zone=loginlimit burst=3 delay=2;
     }
 
     location /favicon.ico {