From 9b9b40311090b6b95ea6dedf99068f944a16dc6a Mon Sep 17 00:00:00 2001
From: Moctar
Date: Wed, 13 Nov 2024 17:22:41 +0100
Subject: [PATCH] PHRAS-3588 change limit method
---
 .env | 8 ++++----
 docker/nginx/root/entrypoint.sh | 2 +-
 docker/nginx/root/nginx.conf.sample | 20 +++++++++++++-------
 3 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/.env b/.env
index 3acf8d19b5..e1fd1338df 100644
--- a/.env
+++ b/.env
@@ -232,10 +232,10 @@ GATEWAY_USERS=
 # READ is for GET and HEAD requests
 # WRITE is for POST, PUT, DELETE and PATCH requests
 # @run
-HTTP_READ_REQUEST_LIMIT_MEMORY=10m # For Exemple 16,000 IP addresses takes 1 megabyte, so our zone can store about 160,000 addresses.
-HTTP_READ_REQUEST_LIMIT_RATE=5r/s # Sets the maximum request rate. By default here the rate cannot exceed 10 requests per second
-HTTP_WRITE_REQUEST_LIMIT_MEMORY=10m # For Exemple 16,000 IP addresses takes 1 megabyte, so our zone can store about 160,000 addresses.
-HTTP_WRITE_REQUEST_LIMIT_RATE=5r/s # Sets the maximum request rate. By default here the rate cannot exceed 10 requests per second
+HTTP_READ_REQUEST_LIMIT_MEMORY=10 # (m) For Exemple 16,000 IP addresses takes 1 megabyte, so our zone can store about 160,000 addresses.
+HTTP_READ_REQUEST_LIMIT_RATE=5 # (r/s) Sets the maximum request rate. By default here the rate cannot exceed 10 requests per second
+HTTP_WRITE_REQUEST_LIMIT_MEMORY=10 # (m) For Exemple 16,000 IP addresses takes 1 megabyte, so our zone can store about 160,000 addresses.
+HTTP_WRITE_REQUEST_LIMIT_RATE=5 # (r/s) Sets the maximum request rate. By default here the rate cannot exceed 10 requests per second
 # https and reverse proxy (on/off)
 # set to on in the case : https behind a proxy
diff --git a/docker/nginx/root/entrypoint.sh b/docker/nginx/root/entrypoint.sh
index a27d66330a..2c16bcc8de 100755
--- a/docker/nginx/root/entrypoint.sh
+++ b/docker/nginx/root/entrypoint.sh
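Review bot: The new `(m)` / `(r/s)` hints on the four limit lines do not say that the value must now be a bare integer, while the nginx.conf.sample hunk appends the unit itself (`$HTTP_READ_REQUEST_LIMIT_MEMORYm`), so a deployment that keeps the previous `10m` / `5r/s` form renders `10mm` / `5r/sr/s` and nginx refuses to start. The rate comment also still says the rate "cannot exceed 10 requests per second" although the value is 5, and "Exemple" is a typo. I would replace the trailing comments with `HTTP_READ_REQUEST_LIMIT_MEMORY=10 # zone size in MB, integer only (the unit is added in nginx.conf.sample)` and `HTTP_READ_REQUEST_LIMIT_RATE=5 # max requests per second per client IP, integer only (r/s is added in nginx.conf.sample)`, mirrored on the two WRITE lines. The sizing claim is worth re-checking against the nginx limit_req_zone documentation, which gives roughly 16 thousand 64-byte or 8 thousand 128-byte states per megabyte.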
@@ -35,7 +35,7 @@ else
 envsubst < "/securitycontentpolicies.sample.conf" > /etc/nginx/conf.d/securitycontentpolicies.conf
 fi
-cat /nginx.conf.sample | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_SEND_TIMEOUT/$GATEWAY_SEND_TIMEOUT/g" | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_PROXY_TIMEOUT/$GATEWAY_PROXY_TIMEOUT/g" | sed "s/\$NEW_TARGET/$NEW_TARGET/g" | sed "s/\$NEW_RESOLVER/$NEW_RESOLVER/g" | sed "s/\$GATEWAY_FASTCGI_HTTPS/$GATEWAY_FASTCGI_HTTPS/g" | sed "s/\$HTTP_READ_REQUEST_LIMIT_MEMORY/$HTTP_READ_REQUEST_LIMIT_MEMORY/g" | sed "s/\$HTTP_READ_REQUEST_LIMIT_RATE/$HTTP_READ_REQUEST_LIMIT_RATE/g" sed "s/\$HTTP_WRITE_REQUEST_LIMIT_MEMORY/$HTTP_WRITE_REQUEST_LIMIT_MEMORY/g" | sed "s/\$HTTP_WRITE_REQUEST_LIMIT_RATE/$HTTP_WRITE_REQUEST_LIMIT_RATE/g" > /etc/nginx/conf.d/default.conf
+cat /nginx.conf.sample | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_SEND_TIMEOUT/$GATEWAY_SEND_TIMEOUT/g" | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_PROXY_TIMEOUT/$GATEWAY_PROXY_TIMEOUT/g" | sed "s/\$NEW_TARGET/$NEW_TARGET/g" | sed "s/\$NEW_RESOLVER/$NEW_RESOLVER/g" | sed "s/\$GATEWAY_FASTCGI_HTTPS/$GATEWAY_FASTCGI_HTTPS/g" | sed "s/\$HTTP_READ_REQUEST_LIMIT_MEMORY/$HTTP_READ_REQUEST_LIMIT_MEMORY/g" | sed "s/\$HTTP_READ_REQUEST_LIMIT_RATE/$HTTP_READ_REQUEST_LIMIT_RATE/g" | sed "s/\$HTTP_WRITE_REQUEST_LIMIT_MEMORY/$HTTP_WRITE_REQUEST_LIMIT_MEMORY/g" | sed "s/\$HTTP_WRITE_REQUEST_LIMIT_RATE/$HTTP_WRITE_REQUEST_LIMIT_RATE/g" > /etc/nginx/conf.d/default.conf
 cat /fastcgi_timeout.conf | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" > /etc/nginx/fastcgi_extended_params
diff --git a/docker/nginx/root/nginx.conf.sample b/docker/nginx/root/nginx.conf.sample
index 5c3bea848e..b58ffb5bbf 100644
--- a/docker/nginx/root/nginx.conf.sample
+++ b/docker/nginx/root/nginx.conf.sample
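Review bot: The added `|` repairs the broken pipeline, but the template step still splices raw environment values into a `sed` replacement that uses `/` as its delimiter, so any value containing `/`, `&` or `\` either aborts sed or injects unintended text into `default.conf` — the previous `5r/s` form of the rate values presumably tripped exactly this, and `$NEW_RESOLVER`, `$NEW_TARGET` and `$GATEWAY_FASTCGI_HTTPS` remain exposed to it. Since the four limit values are now expected to be bare integers and are written straight into `limit_req_zone` directives, the script should also validate them before templating so a bad `.env` fails here with a clear message instead of at nginx start-up. The line just above already uses `envsubst`; giving it an explicit variable list makes it safe for this template too (nginx's own `$binary_remote_addr`, `$uri`, etc. are left untouched), removes the escaping problem and the long `cat | sed` chain, and drops the duplicate `$MAX_BODY_SIZE` substitution. That requires the template to spell the suffixed names as `${HTTP_READ_REQUEST_LIMIT_MEMORY}m` / `${HTTP_READ_REQUEST_LIMIT_RATE}r/s` (and the WRITE pair), because envsubst reads a variable name greedily. The enclosing `if`/`else` starts before this hunk.
```shell
# … unchanged: securitycontentpolicies envsubst / fi …
# Fail fast on anything that is not a bare integer: these values are written
# verbatim into limit_req_zone and would otherwise break nginx at start-up.
for val in "$HTTP_READ_REQUEST_LIMIT_MEMORY" "$HTTP_READ_REQUEST_LIMIT_RATE" \
           "$HTTP_WRITE_REQUEST_LIMIT_MEMORY" "$HTTP_WRITE_REQUEST_LIMIT_RATE"; do
    case "$val" in
        ''|*[!0-9]*) echo "HTTP_*_REQUEST_LIMIT_* must be plain integers (no unit suffix), got '$val'" >&2; exit 1 ;;
    esac
done
# Explicit variable list: only these names are substituted, nginx's own $variables survive.
envsubst '$MAX_BODY_SIZE $GATEWAY_SEND_TIMEOUT $GATEWAY_FASTCGI_TIMEOUT $GATEWAY_PROXY_TIMEOUT $NEW_TARGET $NEW_RESOLVER $GATEWAY_FASTCGI_HTTPS $HTTP_READ_REQUEST_LIMIT_MEMORY $HTTP_READ_REQUEST_LIMIT_RATE $HTTP_WRITE_REQUEST_LIMIT_MEMORY $HTTP_WRITE_REQUEST_LIMIT_RATE' \
    < /nginx.conf.sample > /etc/nginx/conf.d/default.conf
# … unchanged: fastcgi_timeout.conf substitution …
```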
@@ -6,9 +6,20 @@ proxy_send_timeout $GATEWAY_PROXY_TIMEOUT;
 client_header_timeout $GATEWAY_SEND_TIMEOUT;
 client_body_timeout $GATEWAY_SEND_TIMEOUT;
 fastcgi_read_timeout $GATEWAY_FASTCGI_TIMEOUT;
+
+map $request_method $postlimit {
+ default "";
+ POST $binary_remote_addr;
+}
+
+map $request_method $getlimit {
+ default "";
+ GET $binary_remote_addr;
+}
+
 limit_req_status 429;
-limit_req_zone $binary_remote_addr zone=readlimitsbyip:$HTTP_READ_REQUEST_LIMIT_MEMORY rate=$HTTP_READ_REQUEST_LIMIT_RATE;
-limit_req_zone $binary_remote_addr zone=writelimitsbyip:$HTTP_WRITE_REQUEST_LIMIT_MEMORY rate=$HTTP_WRITE_REQUEST_LIMIT_RATE;
+limit_req_zone $getlimit zone=readlimitsbyip:$HTTP_READ_REQUEST_LIMIT_MEMORYm rate=$HTTP_READ_REQUEST_LIMIT_RATEr/s;
+limit_req_zone $postlimit zone=writelimitsbyip:$HTTP_WRITE_REQUEST_LIMIT_MEMORYm rate=$HTTP_WRITE_REQUEST_LIMIT_RATEr/s;
 resolver $NEW_RESOLVER;
 upstream backend {
@@ -40,7 +51,6 @@ server {
 if (-f /var/alchemy/Phraseanet/datas/nginx/maintenance.html) {
 return 503;
 }
-
 # First attempt to serve request as file, then
 # as directory, then fall back to index.html
 try_files $uri $uri/ @rewriteapp;
@@ -57,12 +67,8 @@ server {
 include fastcgi_params;
 $GATEWAY_FASTCGI_HTTPS
 include restrictions;
- if ($request_method ~ ^(GET|HEAD)$) {
 limit_req zone=readlimitsbyip;
- }
- if ($request_method ~ ^(POST|PUT|DELETE|PATCH)$) {
 limit_req zone=writelimitsbyip;
- }
 }
 location ~ ^/(status|ping)$ {
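Review bot: The new `$postlimit` and `$getlimit` maps only key on `POST` and `GET`, so `HEAD`, `PUT`, `DELETE` and `PATCH` requests get an empty key, and `limit_req_zone` does not account requests with an empty key — those methods are no longer rate-limited at all, whereas the `if` blocks removed in the last hunk covered `GET|HEAD` and `POST|PUT|DELETE|PATCH` (and the `.env` comments still describe that split). The missing methods should be added to the maps as below; `default ""` then still exempts OPTIONS and any other method, which deserves a comment if that is intended. Keying on `$binary_remote_addr` also means that, behind the reverse proxy mentioned in `.env`, every client shares the proxy's address in one bucket unless real-IP handling is configured ahead of these zones — pre-existing, but the new maps are the natural place to note it.
```nginx
map $request_method $postlimit {
    default "";
    POST    $binary_remote_addr;
    PUT     $binary_remote_addr;
    DELETE  $binary_remote_addr;
    PATCH   $binary_remote_addr;
}

map $request_method $getlimit {
    default "";
    GET     $binary_remote_addr;
    HEAD    $binary_remote_addr;
}
# … unchanged: limit_req_status / limit_req_zone …
```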