# vim: ft=nginx

# Check the Authorization header and, if it is empty, use their proxy protocol
# IP, else use the header as their unique identifier for rate limiting.
map $http_authorization $registry_bucket {
  ""      $proxy_protocol_addr;
  default $http_authorization;
}

limit_req_zone $proxy_protocol_addr zone=verbs:10m rate=1r/s;
limit_req_zone $registry_bucket zone=api:10m rate=25r/s;
limit_req_zone $registry_bucket zone=repositories:10m rate=1r/s;
limit_req_zone $registry_bucket zone=catalog:10m rate=20r/m;
limit_req_zone $registry_bucket zone=registry:10m rate=20r/s;
limit_req_status 429;
limit_req_log_level warn;