From e0e11ca1787e44c64e1d76ae8b102d54b23dbbce Mon Sep 17 00:00:00 2001
From: godog <godog@autistici.org>
Date: Tue, 18 Mar 2025 18:42:38 +0100
Subject: [PATCH] nginx: apply limits to default servers

---
 .../templates/config/sites-available/default       | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/roles/float-infra-nginx/templates/config/sites-available/default b/roles/float-infra-nginx/templates/config/sites-available/default
index 94076a9b..c6eea0c6 100644
--- a/roles/float-infra-nginx/templates/config/sites-available/default
+++ b/roles/float-infra-nginx/templates/config/sites-available/default
@@ -22,9 +22,13 @@ server {
         }
 {% endif %}
 
-	if ($top_level_domain_redirect) {
-		return 301 $top_level_domain_redirect$request_uri;
-	}
+        if ($top_level_domain_redirect) {
+                return 301 $top_level_domain_redirect$request_uri;
+        }
+
+        # Global rate limits for the entire site (to protect backends).
+        limit_req zone=perip burst={{ nginx_limit_perip_burst }};
+        limit_req zone=perserver burst={{ nginx_limit_perserver_burst }};
 
         # Redirect everything else to HTTPS.
         location / {
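Review bot: The `limit_req` lines added after the server-level `if` will not throttle any request that is answered by a `return`, because the rewrite module's `return` completes the request in the rewrite phase, before `limit_req` runs in the preaccess phase. In this block that covers the `return 301 $top_level_domain_redirect$request_uri;` above and, if the `location /` that follows redirects to HTTPS with `return` (its body is outside the hunk), most of the traffic, so the limits may be close to a no-op here. The same holds for the `return 200` in `/healthcheck` in the second hunk, which at least keeps monitoring probes out of the `perip` bucket. I would record this next to the directives, e.g. `# limit_req runs in the preaccess phase: responses generated by "return" are not rate limited.`, and confirm which locations in this server are actually meant to be covered.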
@@ -42,6 +46,10 @@ server {
         root /var/www/html;
         index index.html;
 
+        # Global rate limits for the entire site (to protect backends).
+        limit_req zone=perip burst={{ nginx_limit_perip_burst }};
+        limit_req zone=perserver burst={{ nginx_limit_perserver_burst }};
+
         location /healthcheck {
                  access_log off;
                  return 200 "OK\n";
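Review bot: The comment copied onto these `limit_req` lines says the limits protect backends, but the visible lines of this server block only serve static files from `/var/www/html` and a fixed `/healthcheck` response, so it should state what the limit is for on the default server; the rest of the block is outside the hunk. The patch also depends on the `perip` and `perserver` zones and on `nginx_limit_perip_burst` / `nginx_limit_perserver_burst`, none of which are defined here. It is worth confirming that every host rendering this template declares the zones in the `http` context and has defaults for both variables, since nginx refuses to load a config that references an undeclared zone. Without `nodelay`, requests within the burst are delayed rather than served at once, and rejected ones get 503 unless `limit_req_status` is set elsewhere; a short comment saying which behaviour is intended would help whoever tunes this later.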
-- 
GitLab