chore: setup rate-limiting

nginx.conf

@@ -6,13 +6,33 @@ events {
 }
 http {
 
+    map $http_x_forwarded_for $client_ip {
+    # Default to $remote_addr if X-Forwarded-For is empty
+    "" $remote_addr;
+    # Extract the second to last IP
+    ~^(?:[^,]+,)*([^,]+),[^,]+$ $1;
+    # Use the only IP if there's just one
+    ~^[^,]+$ $1;
+    }
+    limit_req_zone $client_ip zone=org_bff_limit:10m rate=1r/s;
+    limit_req_status 429;
+    # Add headers for rate limiting
+    add_header X-RateLimit-Limit 1 always;
+    add_header X-RateLimit-Burst 3 always;
+    add_header X-RateLimit-Delay 1 always;
+
     ## Main Server Block
     proxy_cache_path /data/nginx/cache keys_zone=my_cache:15m max_size=5g inactive=15m loader_threshold=300
                          loader_files=200 max_size=400m use_temp_path=off;
 
     server_tokens off;
     server {
 
+        # Use the mapped $client_ip
+        set_real_ip_from 10.0.0.0/8;
+        real_ip_header X-Forwarded-For;
+        real_ip_recursive on;
+
         ## Open by default.
         listen                8080;
 
@@ -48,22 +68,12 @@ http {
         # today) would display gibberish if their proxy gave them the gzipped version.
         gzip_vary          on;
 
-        #healthcheck
-        location /ready {
-            return 200;
-        }
-
-        #livenesscheck
-        location /ping {
-            return 200;
-        }
-
         ## Main site location.
         location / {
+            limit_req zone=org_bff_limit burst=3 delay=1;
             proxy_cache my_cache;
             proxy_http_version 1.1;
             proxy_pass http://fdk-organization-bff:8080;
         }
-
     }
 }