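{#- Site-wide request rate limiting for one nginx server block, rendered from
    pillar nginx:server:site:<site_name>:limit. In http{} scope this emits:
      * a geo block tagging whitelisted client IPs/CIDRs as "whitelist",
      * a map that turns the limit key (default $binary_remote_addr) into ""
        for whitelisted clients, so limit_req never accounts them,
      * one limit_req_zone for the site plus one per configured subfilter.
    Every value is written into the nginx config verbatim, unescaped. Pillar is
    trusted configuration here, so site names, subfilter names and whitelist
    entries must be nginx-safe tokens or the generated config fails to load. #}
{%- set site = salt['pillar.get']('nginx:server:site:'+site_name) %}
{%- if site.get('limit', {}).get('enabled', False) %}
{#- The site-wide key variable. Subfilters default to it as their input; it is
    built with ~ because Jinja does not expand {{ }} inside string literals. #}
{%- set site_key = '$limit_' ~ site_name %}
# Create whitelist for ip addresses
geo $geo_{{ site_name }} {
default "enforce";
{%- for ip in site.limit.get('ip_whitelist', []) %}
{{ ip }} "whitelist";
{%- endfor %}
}
# First, map all whitelisted IP's to the request query
# An empty key makes limit_req skip the request entirely.
map $geo_{{ site_name }} {{ site_key }} {
default {{ site.limit.get('query', '$binary_remote_addr') }};
"whitelist" "";
}
limit_req_zone {{ site_key }} zone={{ site_name }}:{{ site.limit.get('size', '100m') }} rate={{ site.limit.get('rate', '30r/m') }};
{%- for subfilter_name, subfilter in site.limit.get('subfilters', {}).items() %}
{%- set sf_input = subfilter.get('input', site_key) %}
{%- set sf_mode = subfilter.get('mode', 'whitelist') %}
{#- The map key is the geo tag concatenated with the subfilter input, so a
    non-whitelisted request looks like "enforce<input>": exact-string items
    must carry that prefix and regex items ("~...") should anchor on it.
    whitelist mode: everything is limited except the listed items.
    Any other mode value: only the listed items are limited. #}
map "${geo_{{ site_name }}}{{ sf_input }}" {{ site_key }}_{{ subfilter_name }} {
default {% if sf_mode == 'whitelist' %}"{{ sf_input }}"{% else %}""{% endif %};
"~^whitelist" ""; # Allow previously whitelisted results.
{%- for match in subfilter.get('items', []) %}
"{{ match }}" {% if sf_mode == 'whitelist' %}""{% else %}"{{ sf_input }}"{% endif %};
{%- endfor %}
}
limit_req_zone {{ site_key }}_{{ subfilter_name }} zone={{ site_name }}_{{ subfilter_name }}:{{ subfilter.get('size', site.limit.get('size', '100m')) }} rate={{ subfilter.get('rate', site.limit.get('rate', '30r/m')) }};
{%- endfor %}
{%- endif %}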
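{#- Per-location rate limiting. Each entry under site:location:<path> may carry
    limit:enabled plus limit:methods, where the key "ip" defines a per-client
    zone with its own whitelist and every other key is an HTTP method name
    that gets a zone keyed on that method alone.
    Zone and variable names embed the path with every non-alphanumeric
    character stripped, so two paths that differ only in punctuation
    (e.g. /a/b and /ab) collide and nginx rejects the duplicate zone. #}
{%- set location = {} %}
{%- if site.get('location') %}
{%- do location.update(site.location) %}
{#- Loop variable is "loc" so it does not shadow the dict being iterated. #}
{%- for path, loc in location.items() %}
{%- if loc.limit is defined %}
{%- if loc.get('limit', {}).get('enabled', False) and loc.limit.methods is defined %}
{%- set path_id = path|regex_replace("[^A-Za-z0-9]", "") %}
{%- set methods = loc.limit.methods %}
{%- if methods.ip is defined and methods.get('ip').get('enabled', False) %}
{%- set ip_key = '$limit_' ~ site_name ~ '_' ~ path_id %}
# Create whitelist for ip addresses
geo $ip_{{ site_name }}_{{ path_id }} {
default "enforce";
{%- for ip in methods.ip.get('ip_whitelist', []) %}
{{ ip }} "whitelist";
{%- endfor %}
}
# First, map all whitelisted IP's to the request query
# An empty key makes limit_req skip the request entirely.
map $ip_{{ site_name }}_{{ path_id }} {{ ip_key }} {
default {{ methods.ip.get('query', '$binary_remote_addr') }};
"whitelist" "";
}
limit_req_zone {{ ip_key }} zone=ip_{{ site_name }}_{{ path_id }}:{{ methods.ip.get('size', '10m') }} rate={{ methods.ip.get('rate', '10r/s') }};
{%- endif %}
{%- for method, method_data in methods.items() %}
{%- if method != 'ip' %}
{#- NOTE(review): the key is the constant "limit_<method>" for every client,
    so this zone is one shared bucket per method for the whole location: a
    single client exhausting the rate throttles everyone else too. Use the
    "ip" method above, or key on $binary_remote_addr as well, if a
    per-client limit is intended. #}
map $request_method $limit_{{ method }}_{{ site_name }}_{{ path_id }} {
default "";
{{ method|upper }} "limit_{{ method }}";
}
limit_req_zone $limit_{{ method }}_{{ site_name }}_{{ path_id }} zone={{ method }}_{{ site_name }}_{{ path_id }}:{{ method_data.get('size', '10m') }} rate={{ method_data.get('rate', '10r/s') }};
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endif %}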