@395ShikharSingh
Contributor

NGINX Rate Limiter

Implements rate limiting using Nginx limit_req to block high-volume or burst traffic before it reaches FastAPI, protecting the API from overloaded repeated attacks.

Key Features

  • Edge Protection: Nginx blocks excessive requests at the edge before they reach FastAPI
  • Endpoint-Specific Limits:
    • OPDS endpoints: No rate limiting
    • /items: No rate limiting
    • /upload & /authenticate: Strict (20/min + 5 burst)
    • Other endpoints: General (100/min + 10 burst)
  • Burst Handling: Allows controlled bursts with nodelay for better user experience

Changes

Nginx Configuration (docker/nginx/nginx.conf):

  • Added 3 limit_req_zone definitions:
    • general_limit: 100 requests/minute
    • lenient_limit: 300 requests/minute (defined but reserved for future use)
    • strict_limit: 20 requests/minute

Nginx Location Blocks (docker/nginx/conf.d/lenny.conf):

  • /v1/api/opds* → No rate limiting (regex location)
  • /v1/api/items → No rate limiting (exact match)
  • /v1/api/(upload|authenticate) → Strict rate limiting (20/min)
  • /v1/api/* (all other endpoints) → General rate limiting (100/min)
  • Fixed regex location blocks to use proxy_pass without URI path (Nginx requirement)

Rate Limiting Strategy

  1. No Rate Limiting:
    • /v1/api/opds and /v1/api/opds/{book_id} - Public catalog feeds for e-reader apps
    • /v1/api/items - Public items listing
  2. Strict Rate Limiting (20/min + 5 burst = 25 total):
    • /v1/api/upload - File uploads (resource-intensive)
    • /v1/api/authenticate - Authentication (security-sensitive)
  3. General Rate Limiting (100/min + 10 burst = 110 total):
    • All other API endpoints

Testing Results

OPDS endpoints: 20/20 requests passed (no rate limiting)
/items endpoint: 20/20 requests passed (no rate limiting)
General endpoints: 11 requests passed, then 503 (rate limited)
Strict endpoints: 8 requests passed, then 503 (rate limited)

Verification

  • Nginx configuration valid
  • Rate limit zones configured: 3 zones
  • Location blocks correctly applied
  • Edge protection working

Technical Details

Nginx Location Matching Order:

  1. Exact matches (=)
  2. Regex matches (~) - in order of appearance
  3. Prefix matches - longest match first

This ensures OPDS and /items endpoints are matched before general rate limiting is applied.

Burst Handling:

  • burst=N: Allows N additional requests beyond the rate
  • nodelay: Processes burst requests immediately instead of queuing

Notes

  • Rate limiting is implemented entirely at the Nginx layer (no application-level rate limiting)
  • The lenient_limit zone (300/min) is defined but not currently used; reserved for future endpoint-specific needs
  • All rate limiting uses $binary_remote_addr as the key (client IP address)

PTAL @ronibhakta1
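The configuration the description lays out, reconstructed as an added example rather than the PR's own diff (the zone definitions from nginx.conf and the location blocks from lenny.conf are merged into one file here; the upstream name `fastapi`, its port, and the 10m zone sizes are assumptions):

```nginx
# Added example, not the PR's diff: reconstructs the zones and location
# blocks the description lists. Upstream name, port and zone sizes are assumed.
http {
    # One bucket per client IP; 10m of shared memory holds roughly 160k keys.
    limit_req_zone $binary_remote_addr zone=general_limit:10m rate=100r/m;
    limit_req_zone $binary_remote_addr zone=lenient_limit:10m rate=300r/m;  # reserved, unused
    limit_req_zone $binary_remote_addr zone=strict_limit:10m  rate=20r/m;

    # 503 is the nginx default for rejected requests (matches the test results);
    # 429 is the conventional choice when the API should signal "Too Many Requests".
    limit_req_status 503;

    # Caveat: if nginx sits behind another proxy or load balancer,
    # $binary_remote_addr is that hop's address and every client shares one
    # bucket. Trust X-Forwarded-For only from known hops (ngx_http_realip_module):
    # set_real_ip_from 10.0.0.0/8;  real_ip_header X-Forwarded-For;

    upstream fastapi { server app:8000; }  # assumed upstream name and port

    server {
        listen 80;

        # 1. Exact match is checked first: public items listing, no limit.
        location = /v1/api/items {
            proxy_pass http://fastapi;
        }

        # 2. Regex locations are tried in order of appearance. A regex location
        #    must pass the URI through unchanged, so proxy_pass carries no path.
        location ~ ^/v1/api/opds {
            proxy_pass http://fastapi;  # public OPDS feeds, no limit
        }
        location ~ ^/v1/api/(upload|authenticate) {
            # 20 req/min steady state, 5 extra served at once, then rejected.
            limit_req zone=strict_limit burst=5 nodelay;
            proxy_pass http://fastapi;
        }

        # 3. Prefix match catches every other API route.
        location /v1/api/ {
            # 100 req/min steady state, 10 extra served at once, then rejected.
            limit_req zone=general_limit burst=10 nodelay;
            proxy_pass http://fastapi;
        }
    }
}
```

Run `nginx -t` against the file before reloading; with `nodelay`, excess requests inside the burst are forwarded immediately rather than queued, so the client sees either a fast response or the rejection status.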

Copilot AI left a comment

Pull request overview

This PR implements edge-level rate limiting using Nginx to protect the FastAPI application from high-volume traffic and attacks, with tiered rate limits for different endpoint categories.

Key Changes:

  • Added three rate limit zones in nginx.conf (general: 100/min, lenient: 300/min, strict: 20/min)
  • Configured location-specific rate limiting in lenny.conf with OPDS and items endpoints unprotected, strict limits on upload/authenticate, and general limits on other API endpoints
  • Used regex and exact location matches to apply different rate limiting policies

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File: docker/nginx/nginx.conf
Description: Defines three rate limit zones (general_limit, lenient_limit, strict_limit) based on client IP address

File: docker/nginx/conf.d/lenny.conf
Description: Adds location blocks with rate limiting for different endpoint categories, keeping OPDS and items endpoints unrestricted


395ShikharSingh commented Jan 9, 2026

Converting to draft, have to check some endpoints.

@395ShikharSingh 395ShikharSingh marked this pull request as draft January 9, 2026 14:49