refactor: update Dockerfile to use nginx-tsuru and enhance nginx configuration with rate limiting

wpjunior · wpjunior · commit 069d86611745 · 2025-03-18T16:37:08.000-03:00
diff --git a/Dockerfile.nginx b/Dockerfile.nginx
@@ -1,21 +1,7 @@
-FROM alpine:3.21.2 as libjwt-builder
+FROM tsuru/nginx-tsuru:1.26.3-main
 
-WORKDIR /home/app
-RUN apk add --no-cache git cmake make gcc g++ jansson-dev openssl-dev 
-RUN git clone https://github.com/benmcollins/libjwt.git && \
-    cd libjwt && \
-    git checkout 8ac4200
+COPY ./nginx.conf /etc/nginx/nginx.conf
+COPY ./lib/resty/libjwt /usr/local/lib/lua/5.1/resty/libjwt
 
-RUN mkdir -p /home/app/libjwt/build && \
-    cd /home/app/libjwt/build && \
-    cmake .. && make && make install
-
-FROM openresty/openresty:1.27.1.1-1-alpine
-
-COPY ./nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
-COPY ./lib/resty/libjwt /usr/local/openresty/lualib/resty/libjwt
-
-RUN apk add --no-cache jansson
-COPY --from=libjwt-builder /usr/local/lib/libjwt.so /usr/local/lib/libjwt.so
 EXPOSE 8888
-CMD ["openresty", "-g", "daemon off;"]
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/nginx.conf b/nginx.conf
@@ -1,11 +1,17 @@
 worker_processes 1;
 
+include modules/*.conf;
+
 events {
     worker_connections 1024;
 }
 
 http {
-    log_format mylog '$remote_addr - "$request"\tStatus: $status JWT-Subject: $jwt_sub JWT-Email: $jwt_email';
+    limit_req_zone $jwt_email zone=one:10m rate=1r/s;
+    limit_req_status 429;
+    limit_req_log_level error;
+
+    log_format mylog '$remote_addr - "$request"\tStatus: $status JWT-Subject: $jwt_sub JWT-Email: $jwt_email RateLimit: $limit_req_status';
     access_log /dev/stdout mylog;
     server {
         listen 8888;
@@ -22,22 +28,30 @@ http {
         location /private {
             access_by_lua_block {
                 local libjwt = require("resty.libjwt")
-                local cjson = require("cjson.safe")
-                local token = libjwt.validate({
+                libjwt.validate({
                     jwks_files = {"/usr/share/tokens/jwks.json"},
                     extract_claims = {"sub", "email"},
                 })
-                if token then
-                    local claim_str = cjson.encode(token) or "Invalid Token"
-                    ngx.status = ngx.HTTP_OK
-                    return ngx.say(claim_str)
-                end
-                ngx.status = ngx.HTTP_UNAUTHORIZED
-                local response = {
-                    message = "Unauthorized"
-                }
-                return ngx.say(cjson.encode(response))
             }
+
+            echo 'private';
+        }
+
+        location /private_limited {
+            limit_req zone=one burst=1 nodelay;
+            rewrite_by_lua_block {
+                local libjwt = require("resty.libjwt")
+                libjwt.validate({
+                    jwks_files = {"/usr/share/tokens/jwks.json"},
+                    extract_claims = {"sub", "email"},
+                })
+            }
+
+            echo 'private+rate-limited';
+        }
+
+        location /ratelimit-api {
+            limit_req_rw_handler;
         }
     }
 }
