Add reasonable rate limit defaults in Nginx config

[jcalazan]

http://nginx.org/en/docs/http/ngx_http_limit_req_module.html

Should probably add a var to check as well before including it in the config: enable_nginx_limit_req

[YPCrumble]

@jcalazan I've been deploying a site and making some updates to my nginx config so thought to look at this issue as well. These are the best tutorials I've found:

• https://lincolnloop.com/blog/rate-limiting-nginx/
• https://product.reverb.com/first-line-of-defense-blocking-bad-post-requests-using-nginx-rate-limiting-507f4c6eed7b#.46zv7kssf

The issue is that it appears the limits need to be applied to specific locations (i.e., in the Lincoln Loop tutorial they apply it to the login page). This would be specific to every site, so I suppose we'd need to let the user supply a list of url endpoints they'd like to rate-limit.

This would mean a pretty extensive set of configuration options:

• requests/time period setting

• List of rate-limiting "zones" and their associated locations
• Types of requests to rate-limit (i.e., do we limit only POST or GET and POST? This is somewhat covered in the second tutorial which only limits POST requests. Not sure what the best implementation is here, or whether we should just make the limit apply to all requests by default.)

What do you think?