From ca22cb2c4565a113e98ff388dda331a8c136172a Mon Sep 17 00:00:00 2001
From: Karol Wypchlo
Date: Tue, 1 Dec 2020 10:59:45 +0100
Subject: [PATCH] limit registry access in nginx
---
 docker/nginx/conf.d/client.conf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/docker/nginx/conf.d/client.conf b/docker/nginx/conf.d/client.conf
index 3033f54f..74781429 100644
--- a/docker/nginx/conf.d/client.conf
+++ b/docker/nginx/conf.d/client.conf
@@ -13,10 +13,14 @@ map $limit $limit_key {
 limit_req_zone $binary_remote_addr zone=uploads_by_ip:10m rate=10r/s;
 limit_req_zone $limit_key zone=uploads_by_ip_throttled:10m rate=10r/m;
+limit_req_zone $binary_remote_addr zone=registry_access_by_ip:10m rate=60r/m;
+limit_req_zone $limit_key zone=registry_access_by_ip_throttled:10m rate=20r/m;
+
 limit_conn_zone $binary_remote_addr zone=upload_conn:10m;
 limit_conn_zone $limit_key zone=upload_conn_rl:10m;
 limit_conn_zone $binary_remote_addr zone=downloads_by_ip:10m;
+
 limit_req_status 429;
 limit_conn_status 429;
@@ -218,6 +222,9 @@ server {
 include /etc/nginx/conf.d/include/cors;
 include /etc/nginx/conf.d/include/sia-auth;
+ limit_req zone=registry_access_by_ip burst=600 nodelay;
+ limit_req zone=registry_access_by_ip_throttled burst=200 nodelay;
+
 proxy_set_header User-Agent: Sia-Agent;
 proxy_read_timeout 600; # siad should timeout with 404 after 5 minutes
 proxy_pass http://siad/skynet/registry;
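Review bot: The two new `limit_req_zone` lines in the first hunk carry no comment saying how they relate, and the throttled one is keyed on `$limit_key`, whose `map` is defined above the hunk. nginx does not account requests whose key is empty, so `registry_access_by_ip_throttled` presumably applies only to clients that map flags; that is worth stating next to the zones, e.g. `# registry access: 60r/m per client IP; 20r/m for clients flagged via $limit (an empty $limit_key is not counted)`. The hunk also adds a second blank line before `limit_req_status 429;` that looks unintentional.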
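Review bot: `burst=600 nodelay` on the `registry_access_by_ip` limit in the second hunk lets a single address send about 600 requests at once before any 429 is returned, which is ten minutes' worth of the 60r/m rate, so the limit caps the sustained rate but not a spike reaching siad. With `proxy_read_timeout 600` in the same block each of those requests may hold an upstream connection for minutes, and no `limit_conn` is visible here to bound concurrency. Consider a burst closer to the per-minute rate, for example `limit_req zone=registry_access_by_ip burst=60 nodelay;`, and a per-IP `limit_conn` for this location if one is not already set outside the hunk. The same ratio applies to `burst=200` on the throttled zone; the enclosing location block starts outside the hunk.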