feat(nginx): implement rate limiting for both dev and prod setup

nginx/nginx.prod.conf

@@ -1,3 +1,51 @@
+# --- CLOUDFLARE REAL IP SETUP ---
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 131.0.72.0/22;
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
+
+# Set the header to the real client IP provided by Cloudflare
+real_ip_header CF-Connecting-IP;
+
+# --- API rate limiting ---
+#limit how many simultaneous connections a single IP can hold open
+limit_conn_zone $binary_remote_addr zone=limit_conn_per_ip:10m;
+
+limit_req_zone $binary_remote_addr zone=create_limit:10m rate=5r/m;
+limit_req_zone $binary_remote_addr zone=preview_limit:10m rate=20r/m;
+limit_req_zone $binary_remote_addr zone=api:10m rate=100r/m;
+limit_req_zone $binary_remote_addr zone=create_hourly:10m rate=50r/h;
+limit_req_zone $binary_remote_addr zone=preview_hourly:10m rate=200r/h;
+
+limit_req_status 429;
+limit_conn_status 429;
+limit_req_log_level warn;
+
+#Auto blocking known scraping tools
+map $http_user_agent $bad_bot {
+    default 0;
+    "" 1;
+    ~*(wget|curl|scrapy|python-requests|postman|insomnia) 1;
+}
+
 # --- HTTPS thorugh Cloudflare Origin Certificate ---
 server {
     listen 443 ssl;
@@ -7,14 +55,56 @@ server {
     ssl_certificate_key /etc/nginx/ssl/key.pem;
 
     root /var/www/;
+    allow 173.245.48.0/20;
+    allow 103.21.244.0/22;
+    allow 103.22.200.0/22;
+    allow 103.31.4.0/22;
+    allow 141.101.64.0/18;
+    allow 108.162.192.0/18;
+    allow 190.93.240.0/20;
+    allow 188.114.96.0/20;
+    allow 197.234.240.0/22;
+    allow 198.41.128.0/17;
+    allow 162.158.0.0/15;
+    allow 104.16.0.0/13;
+    allow 104.24.0.0/14;
+    allow 172.64.0.0/13;
+    allow 131.0.72.0/22;
+    allow 2400:cb00::/32;
+    allow 2606:4700::/32;
+    allow 2803:f800::/32;
+    allow 2405:b500::/32;
+    allow 2405:8100::/32;
+    allow 2a06:98c0::/29;
+    allow 2c0f:f248::/32;
+    deny all; #if ip is not from the above list then they will get 403
+
+    client_body_timeout 10s;
+    client_header_timeout 10s;
+    keepalive_timeout 15s;
+    send_timeout 10s;
 
     # --- API proxy ---
     location = /banners {
+        if ($bad_bot) {
+            return 403; #Forbidden
+        }
+        limit_conn limit_conn_per_ip 5;
+        limit_req zone=create_limit burst=3 nodelay;
+        limit_req zone=create_hourly burst=50 nodelay;
+
         proxy_pass http://api;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
     }
     location ^~ /banners/preview {
+        if ($bad_bot){
+            return 403; #Forbidden
+        }
+        limit_conn limit_conn_per_ip 10;
+        limit_req zone=preview_limit burst=10 nodelay;
+        limit_req zone=preview_hourly burst=200 nodelay;
+
         proxy_pass http://api;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;