From c793bd0c7bc8c05089da19f23f079258c078caf1 Mon Sep 17 00:00:00 2001
From: Alicia Cozine
Date: Wed, 11 Oct 2023 11:48:10 -0500
Subject: [PATCH] adds rate limiting option, tidies formatting
---
 .../nginxplus/templates/http/library.conf.j2 | 39 +++++++++++++------
 roles/nginxplus/vars/main.yml | 4 ++
 2 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/roles/nginxplus/templates/http/library.conf.j2 b/roles/nginxplus/templates/http/library.conf.j2
index 6ccab1f828..57924a8f4e 100644
--- a/roles/nginxplus/templates/http/library.conf.j2
+++ b/roles/nginxplus/templates/http/library.conf.j2
@@ -3,6 +3,18 @@
 # proxy_cache_path /data/nginx/{{ item.short_name }}/NGINX_cache/ keys_zone={{ item.short_name }}cache:10m;
+{% if item.rate_limit is defined %}
+ include /etc/nginx/conf.d/templates/rate-limit-allow-list.conf;
+
+ map $limit $external_traffic {
+ 0 "";
+ 1 $binary_remote_addr;
+ }
+
+ # zone: 10mb can hold 160K IP addresses in memory
+ limit_req_zone $external_traffic zone={{ item.name }}-ratelimit:{{ item.rate_limit_mb }}m rate={{ item.rate_limit_per_sec }}r/s;
+{% endif %}
+
 upstream {{ item.short_name }} {
 {% if item.lbtechnique is defined %}
 {{ item.lbtechnique }};
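Review bot: The new block is gated on `{% if item.rate_limit is defined %}`, so any value — including `disabled` — turns rate limiting on, while vars/main.yml sets `rate_limit: enabled` as if it were a toggle and `app_protect` in the same template is tested with `== "enabled"`; use `{% if item.rate_limit is defined and item.rate_limit == "enabled" %}` here and at the `limit_req` block in the second hunk of this file. The `map $limit $external_traffic` also relies on `$limit` being defined by the included rate-limit-allow-list.conf, which is not visible in this patch; if that include does not set it, `nginx -t` rejects the configuration, so a comment such as `# $limit comes from rate-limit-allow-list.conf: 0 = allow-listed (empty key, not limited), 1 = counted by limit_req` would make the dependency explicit. Finally, the comment `# zone: 10mb can hold 160K IP addresses in memory` hard-codes 10mb while the size is templated from `item.rate_limit_mb`; reword it as `# zone: roughly 16K IP addresses per 1m; sized by item.rate_limit_mb` so it stays true for other values.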
@@ -40,21 +52,24 @@ server {
 {% if item.visibility == "public" %}
 location {{ item.location }} {
- {% if item.app_protect == "enabled" %}
+ {% if item.app_protect == "enabled" %}
 app_protect_enable on;
 app_protect_security_log_enable on;
- {% endif %}
+ {% endif %}
 proxy_pass http://{{ item.short_name }};
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_cache {{ item.short_name }}cache;
 proxy_intercept_errors on;
 # TODO don't do a health check if there's only one server
- {% if item.health_check_URI is defined %}
- health_check interval=10 fails=3 passes=2 uri={{ item.health_check_URI }};
- {% else %}
- health_check interval=10 fails=3 passes=2;
- {% endif %}
+ {% if item.health_check_URI is defined %}
+ health_check interval=10 fails=3 passes=2 uri={{ item.health_check_URI }};
+ {% else %}
+ health_check interval=10 fails=3 passes=2;
+ {% endif %}
+ {% if item.rate_limit is defined %}
+ limit_req zone={{ item.name }}-ratelimit burst={{ item.rate_limit_burst_rate }} nodelay;
+ {% endif %}
 }
 {% else %}
 location {{ item.location }} {
@@ -66,11 +81,11 @@ server {
 health_check interval=10 fails=3 passes=2;
 # allow princeton network
 include /etc/nginx/conf.d/templates/restrict.conf;
- {% if item.added_restrictions is defined %}
- {% for name in item.added_restrictions %}
- include /etc/nginx/conf.d/templates/{{ name }};
- {% endfor %}
- {% endif %}
+ {% if item.added_restrictions is defined %}
+ {% for name in item.added_restrictions %}
+ include /etc/nginx/conf.d/templates/{{ name }};
+ {% endfor %}
+ {% endif %}
 # block non-princeton traffic
 deny all;
 }
diff --git a/roles/nginxplus/vars/main.yml b/roles/nginxplus/vars/main.yml
index 6c07c10348..d1d7f99d9d 100644
--- a/roles/nginxplus/vars/main.yml
+++ b/roles/nginxplus/vars/main.yml
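Review bot: The `limit_req` line added at the end of the public `location` block leaves nginx's defaults in place, so rejected requests return 503 and are logged at error level and cannot be told apart from upstream failures in status metrics or logs; add `limit_req_status 429;` and `limit_req_log_level warn;` next to it (or once at server level) so rate-limit hits can be counted and alerted on separately. The `burst={{ item.rate_limit_burst_rate }}` parameter also assumes that variable is always set when `rate_limit` is, which only the vars entry in this patch enforces; a `| default(...)` filter or a note in vars/main.yml that the four `rate_limit_*` keys must be set together would prevent a templating failure on the next site that enables it. The enclosing `server {` block begins before this hunk.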
@@ -50,6 +50,10 @@ sites:
 location: "/"
 visibility: public
 app_protect: disabled
+ rate_limit: enabled
+ rate_limit_mb: 10
+ rate_limit_per_sec: 10
+ rate_limit_burst_rate: 20
 - name: allsearch-api-staging
 servers:
 - allsearch-api-staging1