feat(nginx): add rate limiting with per-domain overrides #3

Merged
ashie merged 1 commit from franz-kafka/nixos-vps:feat/nginx-rate-limiting into main 2026-03-19 20:17:21 +00:00

Summary

Adds rate limiting at the Nginx level to catch floods before they reach backend services. CrowdSec handles persistent attackers; this handles the initial burst.

Default limits

  • 10 requests/second per IP with burst of 20
  • 30 concurrent connections per IP
  • Returns 429 Too Many Requests when exceeded

Per-domain overrides

Each domain can customize rateLimit.requests, rateLimit.burst, or disable entirely.

| Domain | Requests/s | Burst | Reason |
|--------|------------|-------|--------|
| All (default) | 10 | 20 | Reasonable baseline |
| search.ashisgreat.xyz | 20 | 40 | Tolerate search bots |

Changes

  • modules/nginx.nix: New rateLimit options (global + per-domain), limit_req + limit_conn directives
  • configuration.nix: Rate limiting enabled globally, SearXNG override added

Config reference

```nix
myModules.nginx = {
  rateLimit = {
    enable = true;
    requests = 10;  # per second
    burst = 20;
  };
  domains = {
    "example.com" = {
      port = 8080;
      rateLimit.requests = 5;  # stricter for this domain
    };
  };
};
```
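As an added illustration, not the project's own `modules/nginx.nix`, this sketch shows one way a module like the one described can turn the `rateLimit` options into nginx `limit_req` and `limit_conn` directives. The `connections` option, the `zoneName` and `pick` helpers and the proxy target are assumptions for the example; only the option names shown in the PR come from the page.

```nix
{ config, lib, ... }:
let
  inherit (lib) types mkOption mkIf mapAttrs mapAttrsToList concatStringsSep;
  cfg = config.myModules.nginx;
  # Zone names must be plain tokens, so dots/dashes in the domain become underscores.
  zoneName = name: "rl_" + lib.replaceStrings [ "." "-" ] [ "_" "_" ] name;
  # A per-domain value wins when set; otherwise fall back to the global default.
  pick = dom: field:
    if dom.rateLimit.${field} != null then dom.rateLimit.${field} else cfg.rateLimit.${field};
  perDomain = {
    enable = mkOption { type = types.nullOr types.bool; default = null; };
    requests = mkOption { type = types.nullOr types.int; default = null; };  # r/s
    burst = mkOption { type = types.nullOr types.int; default = null; };
  };
in {
  options.myModules.nginx = {
    rateLimit = {
      enable = mkOption { type = types.bool; default = false; };
      requests = mkOption { type = types.int; default = 10; };     # per second, per IP
      burst = mkOption { type = types.int; default = 20; };
      connections = mkOption { type = types.int; default = 30; };  # concurrent, per IP (assumed name)
    };
    domains = mkOption {
      default = { };
      type = types.attrsOf (types.submodule {
        options = { port = mkOption { type = types.port; }; rateLimit = perDomain; };
      });
    };
  };
  config = mkIf cfg.rateLimit.enable {
    # Each domain gets its own zone, since a zone's rate is fixed when declared; all key on client IP.
    services.nginx.appendHttpConfig = concatStringsSep "\n" (
      [ "limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;" ]
      ++ mapAttrsToList (name: dom:
        "limit_req_zone $binary_remote_addr zone=${zoneName name}:10m rate=${toString (pick dom "requests")}r/s;"
      ) cfg.domains
    );
    services.nginx.virtualHosts = mapAttrs (name: dom: {
      locations."/".proxyPass = "http://127.0.0.1:${toString dom.port}";
      # Without "nodelay", requests over the rate are queued up to "burst" and
      # only the ones beyond that are answered with 429 immediately.
      extraConfig = lib.optionalString (pick dom "enable") ''
        limit_req zone=${zoneName name} burst=${toString (pick dom "burst")};
        limit_req_status 429;
        limit_conn conn_per_ip ${toString cfg.rateLimit.connections};
        limit_conn_status 429;
      '';
    }) cfg.domains;
  };
}
```

To confirm what a deployment actually generates, `nginx -T` on the host prints the merged configuration, including the emitted `limit_req_zone` and per-vhost `limit_req` lines.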
franz-kafka added 1 commit 2026-03-19 15:09:40 +00:00
- Global rate limit: 10 req/s with burst of 20
- Connection limit: 30 concurrent per IP
- Per-domain override support (requests, burst, enable/disable)
- SearXNG gets higher limits (20/40) to tolerate bot traffic
- Returns 429 when rate limited
ashie merged commit ec5ba0f6e9 into main 2026-03-19 20:17:21 +00:00
Reference: penal-colony/nixos-vps#3