LP1913610 Evergreen needs a way to mitigate DOS user/blake/LP1913610_nginx_request_limits
authorblake <blake@mobiusconsortium.org>
Thu, 28 Jan 2021 15:42:30 +0000 (09:42 -0600)
committerblake <blake@mobiusconsortium.org>
Thu, 28 Jan 2021 15:42:30 +0000 (09:42 -0600)
Offering an idea for limiting certain URLs

Signed-off-by: blake <blake@mobiusconsortium.org>
examples/nginx/osrf-ws-http-proxy

index e539013..6722db0 100644 (file)
@@ -10,6 +10,8 @@
 # error_log  syslog:server=unix:/dev/log,nohostname;
 # access_log syslog:server=unix:/dev/log,severity=info,nohostname combined;
 
+limit_req_zone $binary_remote_addr zone=unapilimit:10m rate=10r/s;
+
 server { 
     listen 80;
 
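Review bot: The zone on the added `limit_req_zone` line is keyed on `$binary_remote_addr`, which is the address of the directly connecting peer, so if this proxy is deployed behind a load balancer or CDN every client shares one key and the 10r/s budget applies to the whole site. In that deployment the client address has to be restored first with the realip module (`set_real_ip_from <trusted-proxy-cidr>;` and `real_ip_header X-Forwarded-For;`), limited to the trusted front end so the header cannot be supplied by arbitrary clients. Since this is an example file, I would add a comment above the directive such as `# Keyed on the connecting peer's address: users behind one NAT share this limit, and a fronting proxy needs set_real_ip_from/real_ip_header.` The server block that opens at the end of this hunk continues outside it.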
@@ -24,6 +26,17 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_read_timeout 300s;
     }
+
+    location /opac/extras/unapi {
+        limit_req zone=unapilimit;
+        proxy_pass https://localhost:7443;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 300s;
+
+    }
 }
 
 server {
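Review bot: `limit_req zone=unapilimit;` in the added location has no `burst`, so every request above the 10r/s rate is rejected immediately, and the default rejection status is 503, which clients and monitoring cannot tell apart from a backend outage. I would suggest `limit_req zone=unapilimit burst=20 nodelay;` followed by `limit_req_status 429;`, with the burst value tuned per site (20 is only a starting point). The limit also counts request rate rather than in-flight requests, so with `proxy_read_timeout 300s` slow unAPI calls can still accumulate; a `limit_conn` zone would be the complement if that proves to be a problem. The same applies to the identical location block added to the second server in the next hunk, and the enclosing server block starts before this hunk.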
@@ -83,6 +96,17 @@ server {
         proxy_send_timeout 3m;
         proxy_read_timeout 3m;
     }
+
+    location /opac/extras/unapi {
+        limit_req zone=unapilimit;
+        proxy_pass https://localhost:7443;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 300s;
+
+    }
 }