Feat: rate limiting: adds $rate_limit_burst and $rate_limit_delayHEAD master

author: Silvio Rhatto <rhatto@riseup.net> 2025-11-15 12:02:47 -0300
committer: Silvio Rhatto <rhatto@riseup.net> 2025-11-15 12:02:47 -0300
commit: b63698a8b3f15c73bdcd6b0940e924018d9711b7 (patch)
tree: 64d218a37167cfd11ada72d977185cb7878488d8
parent: cde58597fdd74ce0990cbff4af5e839b9639b5c2 (diff)
download: puppet-nginx-master.tar.gz
puppet-nginx-master.tar.bz2
3 files changed, 57 insertions, 51 deletions
diff --git a/manifests/site.pp b/manifests/site.pp
index 737a210..a73ca5a 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1,22 +1,24 @@
 define nginx::site(
-  $ensure          = present,
-  $ssl             = present,
-  $source          = 'template',
-  $certbot         = true,
-  $template        = 'site',
-  $backend         = 'weblocal',
-  $aliases         = "*.${name}",
-  $cache           = false,
-  $cache_levels    = '1:2',
-  $cache_size      = '10m',
-  $cache_inactive  = '600s',
-  $cache_max_size  = '1m',
-  $rate_limit      = false,
-  $rate_limit_key  = '$binary_remote_addr',
-  $rate_limit_zone = $name,
-  $rate_limit_size = "10m",
-  $rate_limit_rate = "20r/s",
-  $x_frame_options = 'DENY',
+  $ensure           = present,
+  $ssl              = present,
+  $source           = 'template',
+  $certbot          = true,
+  $template         = 'site',
+  $backend          = 'weblocal',
+  $aliases          = "*.${name}",
+  $cache            = false,
+  $cache_levels     = '1:2',
+  $cache_size       = '10m',
+  $cache_inactive   = '600s',
+  $cache_max_size   = '1m',
+  $rate_limit       = false,
+  $rate_limit_key   = '$binary_remote_addr',
+  $rate_limit_zone  = $name,
+  $rate_limit_size  = "10m",
+  $rate_limit_rate  = "20r/s",
+  $rate_limit_burst = '10',
+  $rate_limit_delay = '1',
+  $x_frame_options  = 'DENY',
 ) {
   nginx::site::config { $name:
     ensure   => $ensure,
@@ -43,21 +45,23 @@ define nginx::site(
       'present' => $ssl,
       default   => absent,
     },
-    source          => $source,
-    template        => "${template}-ssl",
-    backend         => $backend,
-    aliases         => $aliases,
-    cache           => $cache,
-    cache_levels    => $cache_levels,
-    cache_size      => $cache_size,
-    cache_inactive  => $cache_inactive,
-    cache_max_size  => $cache_max_size,
-    rate_limit      => $rate_limit,
-    rate_limit_key  => $rate_limit_key,
-    rate_limit_zone => $rate_limit_zone,
-    rate_limit_size => $rate_limit_size,
-    rate_limit_rate => $rate_limit_rate,
-    x_frame_options => $x_frame_options,
+    source           => $source,
+    template         => "${template}-ssl",
+    backend          => $backend,
+    aliases          => $aliases,
+    cache            => $cache,
+    cache_levels     => $cache_levels,
+    cache_size       => $cache_size,
+    cache_inactive   => $cache_inactive,
+    cache_max_size   => $cache_max_size,
+    rate_limit       => $rate_limit,
+    rate_limit_key   => $rate_limit_key,
+    rate_limit_zone  => $rate_limit_zone,
+    rate_limit_size  => $rate_limit_size,
+    rate_limit_rate  => $rate_limit_rate,
+    rate_limit_burst => $rate_limit_burst,
+    rate_limit_delay => $rate_limit_delay,
+    x_frame_options  => $x_frame_options,
     require        => $certbot ? {
       true => $ensure ? {
         'present' => Certbot::Manage[$name],
diff --git a/manifests/site/config.pp b/manifests/site/config.pp
index c0e1809..0d88cb1 100644
--- a/manifests/site/config.pp
+++ b/manifests/site/config.pp
@@ -1,21 +1,23 @@
 define nginx::site::config(
-  $server_name     = $name,
-  $ensure          = present,
-  $source          = 'template',
-  $template        = 'site',
-  $backend         = 'weblocal',
-  $aliases         = "*.${name}",
-  $cache           = false,
-  $cache_levels    = '1:2',
-  $cache_size      = '10m',
-  $cache_inactive  = '600s',
-  $cache_max_size  = '1m',
-  $rate_limit      = false,
-  $rate_limit_key  = '$binary_remote_addr',
-  $rate_limit_zone = $server_name,
-  $rate_limit_size = "10m",
-  $rate_limit_rate = "20r/s",
-  $x_frame_options = 'DENY',
+  $server_name      = $name,
+  $ensure           = present,
+  $source           = 'template',
+  $template         = 'site',
+  $backend          = 'weblocal',
+  $aliases          = "*.${name}",
+  $cache            = false,
+  $cache_levels     = '1:2',
+  $cache_size       = '10m',
+  $cache_inactive   = '600s',
+  $cache_max_size   = '1m',
+  $rate_limit       = false,
+  $rate_limit_key   = '$binary_remote_addr',
+  $rate_limit_zone  = $server_name,
+  $rate_limit_size  = "10m",
+  $rate_limit_rate  = "20r/s",
+  $rate_limit_burst = '10',
+  $rate_limit_delay = '1',
+  $x_frame_options  = 'DENY',
 ){
   case $source {
     'file': {
diff --git a/templates/site-ssl.erb b/templates/site-ssl.erb
index ae146bb..4eece6e 100644
--- a/templates/site-ssl.erb
+++ b/templates/site-ssl.erb
@@ -34,7 +34,7 @@ server {
 <% if @rate_limit == true -%>
 
     # rate limiting
-    limit_req zone=<%= @rate_limit_zone %>;
+    limit_req zone=<%= @rate_limit_zone %> burst=<%= @rate_limit_burst %> delay=<%= @rate_limit_delay %>;
 <% end -%>
   }
 }
author	Silvio Rhatto <rhatto@riseup.net>	2025-11-15 12:02:47 -0300
committer	Silvio Rhatto <rhatto@riseup.net>	2025-11-15 12:02:47 -0300
commit	b63698a8b3f15c73bdcd6b0940e924018d9711b7 (patch)
tree	64d218a37167cfd11ada72d977185cb7878488d8
parent	cde58597fdd74ce0990cbff4af5e839b9639b5c2 (diff)
download	puppet-nginx-master.tar.gz puppet-nginx-master.tar.bz2