implement selective rate limiting

salt/nginx/defaults.yaml

@@ -1,3 +1,5 @@
 nginx:
     config:
-        replace_cert: False
+        replace_cert: False
+        throttle_login_burst: 6
+        throttle_login_rate: 10

salt/nginx/etc/nginx.conf

@@ -33,6 +33,8 @@ http {
 	include             /etc/nginx/mime.types;
 	default_type        application/octet-stream;
 
+	limit_req_zone $binary_remote_addr zone=auth_throttle:10m rate={{ NGMERGED.config.login_throttle_rate }}r/m;
+
 	include /etc/nginx/conf.d/*.conf;
 
 	{%- if role in ['eval', 'managersearch', 'manager', 'standalone', 'import'] %}
@@ -143,7 +145,21 @@ http {
 			proxy_set_header      X-Forwarded-Proto $scheme;
 		}
 
-		location ~ ^/auth/.*?(whoami|login|logout|settings) {
+		location ~ ^/auth/.*?(login) {
+			rewrite               /auth/(.*) /$1 break;
+			limit_req             zone=auth_throttle burst={{ NGMERGED.config.login_throttle_burst }} nodelay;
+			limit_req_status      429;
+			proxy_pass            http://{{ GLOBALS.manager }}:4433;
+			proxy_read_timeout    90;
+			proxy_connect_timeout 90;
+			proxy_set_header      Host $host;
+			proxy_set_header      X-Real-IP $remote_addr;
+			proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header      Proxy "";
+			proxy_set_header      X-Forwarded-Proto $scheme;
+		}
+
+		location ~ ^/auth/.*?(whoami|logout|settings) {
 			rewrite               /auth/(.*) /$1 break;
 			proxy_pass            http://{{ GLOBALS.manager }}:4433;
 			proxy_read_timeout    90;
@@ -276,6 +292,7 @@ http {
 
 		error_page 401 = @error401;
 		error_page 403 = @error403;
+		error_page 429 = @error429;
 
 		location @error401 {
 			add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
@@ -287,6 +304,10 @@ http {
 			return        302 /auth/self-service/login/browser;
 		}
 
+		location @error429 {
+			return        302 /login?thr={{ (120 / NGMERGED.config.login_throttle_rate) | round | int }};
+		}
+
 		error_page 500 502 503 504 /50x.html;
 				location = /usr/share/nginx/html/50x.html {
 		}

salt/nginx/html/index.html

@@ -1,13 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-<title>Security Onion - Hybrid Hunter</title>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width, initial-scale=1">
-<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
-<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
-</head>
-<body>
-Security Onion
-</body>
-</html>

salt/nginx/init.sls

@@ -2,6 +2,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'nginx/config.map.jinja' import NGMERGED %}
 
 include:
   - ssl

salt/nginx/soc_nginx.yaml

@@ -20,3 +20,11 @@ nginx:
       advanced: True
       global: True
       helpLink: nginx.html
+    throttle_login_burst:
+      description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow.
+      global: True
+      helpLink: nginx.html
+    throttle_login_rate:
+      description: Number of login requests per minute that can be processed without triggering a rate limit. Higher values allow more repeated login attempts. Requests are counted by unique client IP and averaged over time.
+      global: True
+      helpLink: nginx.html