Update Nginx configuration to enhance real IP handling and adjust rate limiting parameters

Author: mbuechner

config/nginx/nginx.conf

@@ -20,7 +20,8 @@ http {
                                           '"$request" $status $body_bytes_sent '
                                           'rt=$request_time urt=$upstream_response_time '
                                           'ust=$upstream_status uaddr=$upstream_addr '
-                                          'xff="$http_x_forwarded_for" ua="$http_user_agent" '
+                                          'xff="$http_x_forwarded_for" xri="$http_x_real_ip" '
+                                          'rip_orig="$realip_remote_addr" ua="$http_user_agent" '
                                           'cache="$upstream_cache_status"';
 
     access_log                  /dev/stdout main_timing;
@@ -120,19 +121,22 @@ http {
                                 text/x-component
                                 text/x-cross-domain-policy;
 
-    real_ip_header              X-Forwarded-For;
+    real_ip_header              X-Real-IP;
     real_ip_recursive           on;
 
     set_real_ip_from            127.0.0.1;
+    set_real_ip_from            ::1;
     set_real_ip_from            10.0.0.0/8;
     set_real_ip_from            172.16.0.0/12;
     set_real_ip_from            192.168.0.0/16;
+    set_real_ip_from            fc00::/7;
+    set_real_ip_from            fe80::/10;
 
     limit_req_status            429;
     limit_conn_status           429;
 
-    limit_req_zone              $binary_remote_addr zone=drupal_rps:20m rate=5r/s;
-    limit_req_zone              $binary_remote_addr zone=drupal_heavy:20m rate=1r/s;
+    limit_req_zone              $binary_remote_addr zone=drupal_rps:20m rate=20r/s;
+    limit_req_zone              $binary_remote_addr zone=drupal_heavy:20m rate=3r/s;
     limit_conn_zone             $binary_remote_addr zone=perip_conn:20m;
 
     fastcgi_cache_path          /var/cache/nginx/fastcgi_cache levels=1:2 keys_zone=drupal_microcache:50m inactive=60m max_size=500m;

config/nginx/preset.conf

@@ -75,7 +75,7 @@ location / {
 
     location ~* ^/(search|jsonapi|graphql)(/|$) {
         limit_conn perip_conn 5;
-        limit_req  zone=drupal_heavy burst=10 nodelay;
+        limit_req  zone=drupal_heavy burst=30;
         try_files $uri @drupal;
     }
 
@@ -103,7 +103,7 @@ location / {
 
 location @drupal {
     limit_conn perip_conn 10;
-    limit_req  zone=drupal_rps burst=30 nodelay;
+    limit_req  zone=drupal_rps burst=150;
 
     fastcgi_cache           drupal_microcache;
     fastcgi_cache_key       "$scheme$request_method$host$request_uri";
@@ -122,7 +122,7 @@ location @drupal {
 
 location @drupal-no-args {
     limit_conn perip_conn 10;
-    limit_req  zone=drupal_rps burst=30 nodelay;
+    limit_req  zone=drupal_rps burst=150;
 
     fastcgi_cache           drupal_microcache;
     fastcgi_cache_key       "$scheme$request_method$host$request_uri";
@@ -141,7 +141,7 @@ location @drupal-no-args {
 
 location = /index.php {
     limit_conn perip_conn 10;
-    limit_req  zone=drupal_rps burst=30 nodelay;
+    limit_req  zone=drupal_rps burst=150;
 
     fastcgi_cache           drupal_microcache;
     fastcgi_cache_key       "$scheme$request_method$host$request_uri";