Nginx how to use limit_req_zone on auth_basic to protect against brute force attack?

Question

I have an Nginx server that works as an SSL proxy for a service running on a localhost that doesn't support SSL authentication.

I would like to use Nginx's limit_req_zone function to protect the Basic_Auth against brute force attacks. There is a similar question with the answer to use Fail2ban, but I would like to use limit_req_zone if possible.

I've got it working - It is done using these two lines of code:

http {
  limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m; # only one login in 2 seconds allowed
  ...

  location / {
    limit_req zone=one burst=5 nodelay; # only five connections allowed for the whole / root
    ...
    proxy_pass      http://127.0.0.1:2222/myapp/www/; # redirections to my unauthenticated service
  }
}

The problem is it also blocks number of requests when user is authenticated which results in fact, that http://127.0.0.1:2222/myapp/www/ is not fully loaded.

What location directive should I use to block only number of attempts to use Basic_Auth?

Answer 1

You can set some secret cookie header after authorisation. And block only requiress without the "secret cookie"

http {

    map $cookie_SECRET_NAME $is_limited{
        default $binary_remote_addr;
        "SECRET_VALUE" "";
    }

    limit_req_zone $is_limited zone=one:10m rate=30r/m; # only one login in 2 seconds allowed
    ...

    location / {
        limit_req zone=one burst=5 nodelay; # only five connections allowed for the whole / root
        ...
        proxy_pass      http://127.0.0.1:2222/myapp/www/; # redirections to my unauthenticated service
    }
}

In php script you can add the cookie after first success login

<?php
setcookie("SECRET_NAME", "SECRET_VALUE");
?>