Rate limit the catalog endpoint by auth token and IP address

conf/nginx/rate-limiting.conf

@@ -2,8 +2,6 @@
 
 # Check the Authorization header and, if it is empty, use their proxy protocol
 # IP, else use the header as their unique identifier for rate limiting.
-# Enterprise users will never be using proxy protocol, thus the value will be
-# empty string. This means they will not get rate limited.
 map $http_authorization $registry_bucket {
   ""      $proxy_protocol_addr;
   default $http_authorization;
@@ -11,5 +9,6 @@ map $http_authorization $registry_bucket {
 
 limit_req_zone $proxy_protocol_addr zone=verbs:10m rate=1r/s;
 limit_req_zone $registry_bucket zone=repositories:10m rate=1r/s;
+limit_req_zone $registry_bucket zone=catalog:10m rate=10r/m;
 limit_req_status 429;
 limit_req_log_level warn;

conf/nginx/server-base.conf.jnj

@@ -75,6 +75,12 @@ location ~ ^/(v1/repositories|v2/auth)/ {
     limit_req zone=repositories burst=10;
 }
 
+location ~ ^/v2/_catalog(.*)$ {
+    proxy_pass http://registry_app_server;
+    proxy_read_timeout 10;
+    limit_req zone=catalog;
+}
+
 location /secscan/ {
     proxy_pass http://jwtproxy_secscan;
 }
@@ -136,10 +142,6 @@ location ~ ^/v2 {
     client_max_body_size {{ maximum_layer_size }};
 }
 
-location /v2/_catalog {
-  return 400;
-}
-
 location ~ ^/v1 {
     # Setting ANY header clears all inherited proxy_set_header directives
     proxy_set_header X-Forwarded-For $proper_forwarded_for;

endpoints/v2/catalog.py

@@ -1,6 +1,6 @@
 import features
 
-from flask import jsonify, abort
+from flask import jsonify
 
 from auth.auth_context import get_authenticated_user
 from auth.registry_jwt_auth import process_registry_jwt_auth