Like many apps, I have some endpoints that are more sensitive than others, such as login & password reset, and need rate limiting. However, nginx handles all requests for PHP resources through a standard location handler that proxies PHP-FPM:

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_index index.php;
    fastcgi_pass php80;
}

This means that I can't also use location directives to match my sensitive endpoints, as it will prevent them from being passed on to PHP.

For example, if I define a rate limit and use it in a location for the login URL:

# limit_req_zone must be declared in the http {} context
limit_req_zone $binary_remote_addr zone=sensitive:2m rate=3r/m;

# inside the server {} block
location /login {
    limit_req zone=sensitive burst=3 nodelay;
}

It will rate limit the requests to that endpoint, but they will no longer be processed by PHP.

I could do a dumb copy/paste and have this kind of thing for every endpoint:

location /login {
    limit_req zone=sensitive burst=3 nodelay;
    try_files $uri =404;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_index index.php;
    fastcgi_pass php80;
}

but I'm sure there's a better way.

How should I define rate limits inside the PHP location directive?

Synchro

0 Answers
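One way to keep the single `.php` location and still limit only selected endpoints, as an added example that is not from the post or any answer: a `map` turns the original request URI into the zone key, and nginx does not count requests whose key is empty. The `/login` and `/password/reset` paths, the `(/|\?|$)` boundary and the `429` status are my assumptions; the zone, burst and `php80` upstream are taken from the question.

```nginx
# http {} context: derive the rate-limit key from the original request URI.
# $request_uri survives try_files / index.php internal redirects, so it works
# for front-controller apps as well as for direct /login.php requests.
# An empty key means the request is not counted, so only listed paths are limited.
map $request_uri $sensitive_key {
    default                     "";
    ~^/login(/|\?|$)            $binary_remote_addr;   # assumed path
    ~^/password/reset(/|\?|$)   $binary_remote_addr;   # assumed path
}

# Same zone as in the question, keyed by the mapped variable instead of the raw
# address. Behind a proxy or load balancer $binary_remote_addr is the proxy's
# address; set_real_ip_from / real_ip_header (ngx_http_realip_module) fix that.
limit_req_zone $sensitive_key zone=sensitive:2m rate=3r/m;

server {
    # ... listen / server_name / root as in the existing config ...

    # One PHP location for everything. limit_req runs in the preaccess phase,
    # before fastcgi_pass, and is a no-op for requests whose key mapped to "".
    location ~ \.php$ {
        limit_req zone=sensitive burst=3 nodelay;
        limit_req_status 429;   # optional: 429 Too Many Requests instead of 503

        try_files $uri =404;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass php80;
    }
}
```

Check with `nginx -t`, then confirm that a burst of requests to `/login` returns 429 while the same burst to an unlisted `.php` path is unaffected.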