jack/PocketVeto
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: brute-force protection on auth endpoints (v1.1.0)

Browse Source 
- Nginx rate limit: 20 req/min per IP on /api/auth/login and /register
- slowapi rate limit: 10/min on login, 5/hour on register (Redis-backed)
- Real client IP extracted from X-Forwarded-For for accurate per-IP limiting

Authored by: Jack Levy
This commit is contained in:
Jack Levy
2026-03-15 18:07:53 -04:00
parent 47bc8babc2
commit d6ebbf75d0
5 changed files with 44 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
nginx/nginx.conf
View File

@@ -22,6 +22,10 @@ http {
'"$http_user_agent"';
access_log /var/log/nginx/access.log main;
# Rate limiting — cap auth endpoints at 20 req/min per IP at the proxy layer
limit_req_zone $binary_remote_addr zone=auth:10m rate=20r/m;
limit_req_status 429;
# Use Docker's internal DNS; valid=10s forces re-resolution after container restarts.
# Variables in proxy_pass activate this resolver (upstream blocks do not).
resolver 127.0.0.11 valid=10s ipv6=off;
@@ -32,6 +36,17 @@ http {
client_max_body_size 10M;
# Auth endpoints — rate limited at proxy layer
location ~ ^/api/auth/(login|register)$ {
set $api http://api:8000;
limit_req zone=auth burst=5 nodelay;
proxy_pass $api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# API — variable forces re-resolution via resolver on each request cycle
location /api/ {
set $api http://api:8000;