feat(nginx): implement rate limiting for both dev and prod setup

[R7rainz]

Changes:

• Rate Limits added: Capped /banners and /banners/preview at 10 requests/min (burst=10 nodelay) to prevent spam from eating up our GitHub token quota.

• 429 Status: Configured Nginx to return 429 Too Many Requests instead of the default 503.

• Prod Environment: Added Cloudflare's trusted IP ranges and set real_ip_header CF-Connecting-IP so Nginx rate-limits the actual user, not the CF proxy.

• Dev Environment: Kept it simple with $binary_remote_addr for local testing.

[R7rainz]

Changes & Rationale

Asymmetric Rate Limiting

• Applied different limits for /banners and /banners/preview

  • /banners: 5 requests/min (burst 3)
  • /banners/preview: 20 requests/min (burst 10)

• Standardized response to 429 Too Many Requests

Why:
Creation is more expensive and tied to GitHub quota, so it is stricter. Previews are interactive and need higher limits.

---

Bot & Connection Mitigation

• Added limit_conn per IP
• Reduced client_body_timeout, client_header_timeout, send_timeout
• Blocked empty and known bot User-Agents

Why:
Prevents connection abuse and reduces load from automated scraping.

---

Cloudflare IP Resolution

• Set real_ip_header CF-Connecting-IP
• Added trusted Cloudflare IP ranges

Why:
Ensures rate limiting is applied per real client instead of Cloudflare proxy.

---

Static Path Isolation

• Excluded ^~ /banners/ from limits and filtering

Why:
Static assets must remain fast and unrestricted for external consumers (e.g., GitHub).

[hurtki]

LGTM