implement selective rate limiting

salt/nginx/etc/nginx.conf

@@ -33,6 +33,8 @@ http {
 	include             /etc/nginx/mime.types;
 	default_type        application/octet-stream;
 
+	limit_req_zone $binary_remote_addr zone=auth_throttle:10m rate={{ NGMERGED.config.login_throttle_rate }}r/m;
+
 	include /etc/nginx/conf.d/*.conf;
 
 	{%- if role in ['eval', 'managersearch', 'manager', 'standalone', 'import'] %}
@@ -143,7 +145,21 @@ http {
 			proxy_set_header      X-Forwarded-Proto $scheme;
 		}
 
-		location ~ ^/auth/.*?(whoami|login|logout|settings) {
+		location ~ ^/auth/.*?(login) {
+			rewrite               /auth/(.*) /$1 break;
+			limit_req             zone=auth_throttle burst={{ NGMERGED.config.login_throttle_burst }} nodelay;
+			limit_req_status      429;
+			proxy_pass            http://{{ GLOBALS.manager }}:4433;
+			proxy_read_timeout    90;
+			proxy_connect_timeout 90;
+			proxy_set_header      Host $host;
+			proxy_set_header      X-Real-IP $remote_addr;
+			proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header      Proxy "";
+			proxy_set_header      X-Forwarded-Proto $scheme;
+		}
+
+		location ~ ^/auth/.*?(whoami|logout|settings) {
 			rewrite               /auth/(.*) /$1 break;
 			proxy_pass            http://{{ GLOBALS.manager }}:4433;
 			proxy_read_timeout    90;
@@ -276,6 +292,7 @@ http {
 
 		error_page 401 = @error401;
 		error_page 403 = @error403;
+		error_page 429 = @error429;
 
 		location @error401 {
 			add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
@@ -287,6 +304,10 @@ http {
 			return        302 /auth/self-service/login/browser;
 		}
 
+		location @error429 {
+			return        302 /login?thr={{ (120 / NGMERGED.config.login_throttle_rate) | round | int }};
+		}
+
 		error_page 500 502 503 504 /50x.html;
 				location = /usr/share/nginx/html/50x.html {
 		}