# rate limiting: https://www.nginx.com/blog/rate-limiting-nginx/ limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s; limit_req_zone $binary_remote_addr zone=restricted_ip:10m rate=10r/m; # http server server { server_name _; listen 8080 default_server; return 404; } # https server server { listen 443 ssl; server_name home_vod_server; ssl_certificate /certificate/cert.pem; ssl_certificate_key /certificate/key.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256; ssl_prefer_server_ciphers on; server_tokens off; # hide nginx version in response # static media location /media { root /media-data/; autoindex on; auth_request /require_media_access; limit_req zone=ip burst=12 delay=8; # enable cache expires 1d; add_header Cache-Control "public, no-transform"; # kill cache # add_header Last-Modified $date_gmt; # add_header Cache-Control 'no-store, no-cache'; # if_modified_since off; # expires off; # etag off; } # auth request, passes query as header location /require_media_access { internal; proxy_pass https://localhost:443/has_media_access; proxy_pass_request_body off; proxy_pass_request_headers on; proxy_set_header Content-Length: ""; proxy_set_header X-Original-URI $request_uri; } # flask server location / { include uwsgi_params; uwsgi_pass unix:///tmp/myapp.sock; limit_req zone=ip burst=12 delay=8; } # flask server login location /login { include uwsgi_params; uwsgi_pass unix:///tmp/myapp.sock; limit_req zone=restricted_ip burst=4; } # flask server otp_verification location /otp_verification { include uwsgi_params; uwsgi_pass unix:///tmp/myapp.sock; limit_req zone=restricted_ip burst=4; } }