| author | Silvio Rhatto <rhatto@riseup.net> | 2025-11-15 10:19:23 -0300 |
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2025-11-15 10:19:23 -0300 |
| commit | b7958c76c28d89e90f38c1d37f8328d3ee9ee8da (patch) | |
| tree | 0ece9a4d0223014f00bb074d78d19dfbacdf886f | |
| parent | 1e03648387cf5efb9b7fdf99366b2d8a1f8d8ea0 (diff) | |
Feat: configurable per-site rate limiting
| -rw-r--r-- | manifests/site.pp | 10 | ||||
| -rw-r--r-- | manifests/site/config.pp | 5 | ||||
| -rw-r--r-- | templates/site-ssl.erb | 8 |
3 files changed, 23 insertions, 0 deletions
diff --git a/manifests/site.pp b/manifests/site.pp
index 4455f45..737a210 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -11,6 +11,11 @@ define nginx::site(
 $cache_size = '10m',
 $cache_inactive = '600s',
 $cache_max_size = '1m',
+ $rate_limit = false,
+ $rate_limit_key = '$binary_remote_addr',
+ $rate_limit_zone = $name,
+ $rate_limit_size = "10m",
+ $rate_limit_rate = "20r/s",
 $x_frame_options = 'DENY',
 ) {
 nginx::site::config { $name:
@@ -47,6 +52,11 @@ define nginx::site(
 cache_size => $cache_size,
 cache_inactive => $cache_inactive,
 cache_max_size => $cache_max_size,
+ rate_limit => $rate_limit,
+ rate_limit_key => $rate_limit_key,
+ rate_limit_zone => $rate_limit_zone,
+ rate_limit_size => $rate_limit_size,
+ rate_limit_rate => $rate_limit_rate,
 x_frame_options => $x_frame_options,
 require => $certbot ? {
 true => $ensure ? {
diff --git a/manifests/site/config.pp b/manifests/site/config.pp
index 0cdceea..c0e1809 100644
--- a/manifests/site/config.pp
+++ b/manifests/site/config.pp
@@ -10,6 +10,11 @@ define nginx::site::config(
 $cache_size = '10m',
 $cache_inactive = '600s',
 $cache_max_size = '1m',
+ $rate_limit = false,
+ $rate_limit_key = '$binary_remote_addr',
+ $rate_limit_zone = $server_name,
+ $rate_limit_size = "10m",
+ $rate_limit_rate = "20r/s",
 $x_frame_options = 'DENY',
 ){
 case $source {
diff --git a/templates/site-ssl.erb b/templates/site-ssl.erb
index c852954..11a69dd 100644
--- a/templates/site-ssl.erb
+++ b/templates/site-ssl.erb
@@ -1,6 +1,9 @@
 <% if @cache == true -%>
 proxy_cache_path /var/cache/nginx/<%= @name %> levels=<%= @cache_levels %> keys_zone=<%= @name %>:<%= @cache_size %> inactive=<%= @cache_inactive %> max_size=<%= @cache_max_size %>;
 <% end -%>
+<% if @rate_limit == true and @rate_limit_zone == @server_name -%>
+limit_req_zone <%= @rate_limit_key %> zone=<%= @rate_limit_zone %>:<%= @rate_limit_size %> rate=<%= @rate_limit_rate %>;
+<% end -%>
 server {
 listen 443;
 server_name <%= @server_name %> <%= @aliases %>;
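Review bot: `$rate_limit` in the first hunk of manifests/site.pp is declared without a data type, and the template only enables limiting when `@rate_limit == true`, so a string such as `'true'` supplied from Hiera or an ENC would silently leave the site without rate limiting. Declaring it as `Boolean $rate_limit = false,` here and in the matching hunk of manifests/site/config.pp would turn that mistake into a catalog compile error; this assumes the module targets a Puppet version with typed parameters, which the untyped neighbouring parameters do not confirm. The five new parameters are also undocumented: a short comment should state that `$rate_limit_key` defaults to the connecting peer's address, which is the upstream proxy's address when nginx sits behind a load balancer, and that `$rate_limit_size` and `$rate_limit_rate` are passed verbatim into `limit_req_zone`.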
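Review bot: The `limit_req_zone` line in the first hunk of templates/site-ssl.erb is emitted only when `@rate_limit_zone == @server_name`, while the second hunk emits `limit_req zone=...` whenever `@rate_limit` is true, so a site whose zone name differs from its server name references a zone that this file never declares. That looks intended for sharing a zone declared by another site, but nginx refuses to load a configuration whose `limit_req` names an undeclared zone, so the dependency deserves a template comment such as `<%# zone must be declared by the site whose server_name equals rate_limit_zone -%>`. The defaults also disagree: manifests/site.pp uses `$rate_limit_zone = $name` and always passes it on, whereas config.pp defaults to `$server_name`. If a caller sets a server name different from the resource title (not visible in these hunks), the default configuration already lands in the undeclared case. Using the same default in both defines would avoid that.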
@@ -29,5 +32,10 @@ server {
 # cache config
 proxy_cache <%= @name %>;
 <% end -%>
+<% if @rate_limit == true -%>
+
+ # rate limiting
+ limit_req zone=<%= @rate_limit_zone %>;
+<% end -%>
 }
 }
|
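Review bot: `limit_req zone=<%= @rate_limit_zone %>;` is emitted without a `burst` parameter, so nginx rejects every request that arrives faster than the configured spacing (one per 50 ms at the default `20r/s`) instead of absorbing short bursts. A browser fetching several assets in parallel can therefore be refused while a paced abusive client is not. Consider adding a `$rate_limit_burst` parameter and emitting `limit_req zone=<%= @rate_limit_zone %> burst=<%= @rate_limit_burst %> nodelay;`, and optionally `limit_req_status 429;` so that rejections are distinguishable from backend failures in logs. The directive is placed before the first of two closing braces, so it appears to apply only to the block that closes there, whose opening is outside the hunk; any other locations in this server would remain unlimited.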
