
It's not a problem, but I get a huge number of vulnerability scanners and script kiddies hitting my site, constantly.

My site doesn't run WordPress, but it gets constantly scanned for WordPress exploits, and scanners try to hit nonexistent URLs such as /admin and /wp-admin.php.

What I'd like to do is rate-limit particular IPs once they've hit any URL in a blacklist. I know I can't stop the script kiddies completely, but I'd like to slow them down to discourage it. For example:

  1. Say I'm running a vulnerability scanner that first tries /wp-admin.php.
  2. Nginx sees this specific location and adds my IP to a list of IPs that are banned or rate-limited for a period of time.

Is there a way of achieving this purely through Nginx config? I know it's achievable using OpenResty/Lua, but as far as I know that's a relatively high-effort task.

Fail2ban also isn't an option since I'm running behind a load-balancer and therefore need to rely on X-Forwarded-For headers which obviously iptables can't match on.

arrtchiu
    fail2ban is certainly an option. It doesn't just write iptables rules. It can run any arbitrary program, such as a script that totally rewrites an nginx configuration, or send email, or start global thermonuclear war. – Michael Hampton Feb 21 '17 at 23:35
  • @MichaelHampton You're absolutely right, would you prefer to make this an answer? – arrtchiu Mar 03 '17 at 09:45

1 Answer


According to this post, one could rate limit Nginx as follows:

# in the http context: the zone that the location below refers to
# (keyed on the client address, 10 MB of state, one request per second)
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

location /account/login/ {
    # apply rate limiting
    limit_req zone=login burst=5;

    # boilerplate copied from location /
    proxy_pass http://myapp;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
}

and test it after a restart as follows:

for i in {0..20}; do (curl -Is https://example.com/account/login/ | head -n1 &) 2>/dev/null; done
    Thanks, but this question is "how do I rate limit AFTER a particular path has been accessed" as opposed to "how do I rate-limit in nginx?" – arrtchiu Mar 03 '17 at 09:45
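An added example, not from the question or the answer, of how far plain Nginx config gets you for the asker's setup: the realip module makes the limit key on the client address taken from X-Forwarded-For (only when the request arrives from the load balancer, so clients cannot spoof the header), and the probe paths the question mentions get their own very tight zone. Nginx config alone cannot remember that an IP hit a probe path and then throttle its later requests to other paths; that carry-over state is what fail2ban or Lua adds. The load balancer range 10.0.0.0/8, the upstream name myapp and the path list are placeholders to adjust.

```nginx
http {
    # Trust X-Forwarded-For only from the load balancer's range (placeholder).
    # Without this, $binary_remote_addr is the balancer and every client shares one bucket.
    set_real_ip_from  10.0.0.0/8;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    # Normal traffic: 10 requests per second per client address.
    limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
    # Probe paths: one request per minute per client address.
    limit_req_zone $binary_remote_addr zone=probes:10m  rate=1r/m;

    # 429 is easier to spot in access logs than the default 503,
    # and the warn-level log line tells you which address is being throttled.
    limit_req_status    429;
    limit_req_log_level warn;

    server {
        listen 80;

        # Paths this site never serves (taken from the question); any hit is a scan.
        # The one request a minute that passes the limit gets the connection
        # closed without a response (444); everything above that rate gets 429.
        location ~* ^/(wp-admin|admin)(\.php|/|$) {
            limit_req zone=probes nodelay;
            return 444;
        }

        location / {
            limit_req zone=general burst=20 nodelay;
            proxy_pass http://myapp;   # placeholder upstream
            proxy_set_header Host            $http_host;
            # After realip, $remote_addr is already the real client.
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Check it with `nginx -t`, then repeat a request to /wp-admin.php from one address: the first attempt gets no response and the following ones return 429, which is the line to alert on in the error log.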