From 25af756a14a3db3fa8a234f066c11595ca6194bc Mon Sep 17 00:00:00 2001
From: Ivaylo Novakov
Date: Wed, 8 Dec 2021 18:00:46 +0100
Subject: [PATCH] Add download rate limits.
---
 docker/nginx/conf.d/server/server.api | 20 +++++++++++++++++++-
 docker/nginx/nginx.conf | 8 +++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/docker/nginx/conf.d/server/server.api b/docker/nginx/conf.d/server/server.api
index 878569db..09a62356 100644
--- a/docker/nginx/conf.d/server/server.api
+++ b/docker/nginx/conf.d/server/server.api
@@ -76,7 +76,7 @@ location /serverload {
 # Define root directory in the nginx container to load file from
 root /usr/local/share;
- # including this because of peer pressure from the other routes
+ # including this because of peer pressure from the other routes
 include /etc/nginx/conf.d/include/cors;
 # tell nginx to expect json
@@ -177,9 +177,15 @@ location /skynet/skyfile {
 limit_req zone=uploads_by_ip burst=10 nodelay;
 limit_req zone=uploads_by_ip_throttled;
+ limit_req zone=downloads_by_ip burst=5 nodelay;
+ limit_req zone=downloads_by_ip_throttled;
+
 limit_conn upload_conn 5;
 limit_conn upload_conn_rl 1;
+ limit_conn download_conn 5;
+ limit_conn download_conn_rl 1;
+
 client_max_body_size 1000M; # make sure to limit the size of upload to a sane value
 # increase request timeouts
@@ -215,9 +221,15 @@ location /skynet/tus {
 limit_req zone=uploads_by_ip burst=10 nodelay;
 limit_req zone=uploads_by_ip_throttled;
+ limit_req zone=downloads_by_ip burst=5 nodelay;
+ limit_req zone=downloads_by_ip_throttled;
+
 limit_conn upload_conn 5;
 limit_conn upload_conn_rl 1;
+ limit_conn download_conn 5;
+ limit_conn download_conn_rl 1;
+
 # TUS chunks size is 40M + leaving 10M of breathing room
 client_max_body_size 50M;
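Review bot: The new `limit_req zone=downloads_by_ip burst=5 nodelay;` and `limit_conn download_conn 5;` lines in `location /skynet/skyfile` are stacked on top of the existing upload zones, and the `/skynet/tus` and `/skynet/pin` hunks repeat the same pattern. nginx enforces every `limit_req` configured for a location, so on these routes the 5r/s, burst=5 zone declared in the nginx.conf part of this patch becomes the binding limit and `uploads_by_ip` (10r/s, burst=10) no longer decides anything. `limit_conn download_conn 5` uses the same `$binary_remote_addr` key and the same ceiling as `upload_conn 5`, so it only adds protection if the zone is also referenced from download locations, which this patch does not show. If a shared upload/download budget is intended, say so next to the directives, e.g. `# download zones applied on this upload route on purpose: uploads count against the per-IP download budget`; otherwise the new lines belong in the locations that serve downloads. The location bodies continue outside the hunks, so any further limits there are not visible.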
@@ -286,9 +298,15 @@ location /skynet/pin {
 limit_req zone=uploads_by_ip burst=10 nodelay;
 limit_req zone=uploads_by_ip_throttled;
+ limit_req zone=downloads_by_ip burst=5 nodelay;
+ limit_req zone=downloads_by_ip_throttled;
+
 limit_conn upload_conn 5;
 limit_conn upload_conn_rl 1;
+ limit_conn download_conn 5;
+ limit_conn download_conn_rl 1;
+
 proxy_set_header User-Agent: Sia-Agent;
 proxy_pass http://sia:9980$uri?siapath=$dir1/$dir2/$dir3&$args;
 }
diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf
index c8da6b0f..c5de597f 100644
--- a/docker/nginx/nginx.conf
+++ b/docker/nginx/nginx.conf
@@ -73,7 +73,7 @@ http {
 proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=skynet:10m max_size=50g min_free=100g inactive=48h use_temp_path=off;
 # this runs before forking out nginx worker processes
- init_by_lua_block {
+ init_by_lua_block {
 require "cjson"
 require "resty.http"
 require "skynet.skylink"
@@ -99,12 +99,18 @@ http {
 limit_req_zone $binary_remote_addr zone=uploads_by_ip:10m rate=10r/s;
 limit_req_zone $limit_key zone=uploads_by_ip_throttled:10m rate=10r/m;
+ limit_req_zone $binary_remote_addr zone=downloads_by_ip:10m rate=5r/s;
+ limit_req_zone $limit_key zone=downloads_by_ip_throttled:10m rate=5r/m;
+
 limit_req_zone $binary_remote_addr zone=registry_access_by_ip:10m rate=60r/m;
 limit_req_zone $limit_key zone=registry_access_by_ip_throttled:10m rate=20r/m;
 limit_conn_zone $binary_remote_addr zone=upload_conn:10m;
 limit_conn_zone $limit_key zone=upload_conn_rl:10m;
+ limit_conn_zone $binary_remote_addr zone=download_conn:10m;
+ limit_conn_zone $limit_key zone=download_conn_rl:10m;
+
 limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;
 limit_req_status 429;
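Review bot: The zone name `downloads_by_ip` is declared twice on the new side of the last nginx.conf hunk, once by the added `limit_req_zone ... zone=downloads_by_ip:10m rate=5r/s;` and once by `limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;` near the end of the hunk. As far as I know nginx keeps shared-memory zone names in a single namespace and rejects a name reused by a different module ("already declared for a different use"), so this configuration is likely to fail `nginx -t` and leave the container without any rate limiting loaded. Give the request zone its own name, for example `limit_req_zone $binary_remote_addr zone=downloads_req_by_ip:10m rate=5r/s;`, and update the matching `limit_req zone=...` lines in server.api. Running `nginx -t` against the assembled config in CI would catch this class of error before deploy.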