From d0b8ff3544376f6841f8e82e133c2ae2cb2b8c58 Mon Sep 17 00:00:00 2001
From: Edward Oliveira
Date: Wed, 20 May 2026 13:29:06 -0300
Subject: [PATCH] Align nginx rate limit zones with Django rate limiter thresholds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- sapl_general: 90 → 120r/m (matches RATE_LIMITER_RATE anon 120/m)
- sapl_media: 180 → 240r/m (matches RATE_LIMITER_RATE_AUTHENTICATED 240/m)
- sapl_api: 60 → 120r/m (matches API_RATE_LIMIT_THRESHOLD 120/m)
- Set limit_req_log_level warn to reduce error log noise from burst rejections

Co-Authored-By: Claude Sonnet 4.6
---
 docker/config/nginx/nginx.conf | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/docker/config/nginx/nginx.conf b/docker/config/nginx/nginx.conf
index 1a4ef0c3b..62d822f5c 100644
--- a/docker/config/nginx/nginx.conf
+++ b/docker/config/nginx/nginx.conf
@@ -51,15 +51,17 @@ http {

 # ----------------------------------------------------------------
 # Rate limiting zones (effective once real_ip is resolved).
- # sapl_general : 90 req/min — HTML pages (burst absorbs parallel assets)
- # sapl_media : 180 req/min — /media/ has its own bucket; doesn't drain general
- # sapl_api : 60 req/min — API quota layer is the real binding constraint
+ # sapl_general : 120 req/min — aligned with Django anon rate (RATE_LIMITER_RATE)
+ # sapl_media : 240 req/min — aligned with Django auth rate (RATE_LIMITER_RATE_AUTHENTICATED)
+ # sapl_api : 120 req/min — aligned with Django rate limiter threshold
 # sapl_heavy : 10 req/min — PDF generation; slow by design
 # Burst values are env-var configurable at container start (start.sh).
 # ----------------------------------------------------------------
- limit_req_zone $binary_remote_addr zone=sapl_general:20m rate=90r/m;
- limit_req_zone $binary_remote_addr zone=sapl_media:20m rate=180r/m;
- limit_req_zone $binary_remote_addr zone=sapl_api:20m rate=60r/m;
+ limit_req_log_level warn;
+
+ limit_req_zone $binary_remote_addr zone=sapl_general:20m rate=120r/m;
+ limit_req_zone $binary_remote_addr zone=sapl_media:20m rate=240r/m;
+ limit_req_zone $binary_remote_addr zone=sapl_api:20m rate=120r/m;
 limit_req_zone $binary_remote_addr zone=sapl_heavy:10m rate=10r/m;

 # ----------------------------------------------------------------
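Review bot: The added `limit_req_log_level warn;` has no comment recording what it depends on: nginx logs rejections at that level and delayed requests one level lower (notice), so if the `error_log` directive, which is outside this hunk, is set to `error` or stricter, limiter events stop reaching the log. Any alerting or ban tooling that matches on those entries would then go quiet without an obvious cause. I would add above the directive `# rejections log at warn, delays at notice; error_log must be warn or lower, and log-based alerting must match these levels`. Separately, the new `sapl_media` comment reads as if 240 r/m applied only to authenticated users, but the zone is keyed on `$binary_remote_addr`, so anonymous clients get the same allowance at this layer; `# sapl_media : 240 req/min per client IP (anon and auth alike); equals the Django authenticated rate` would say so. The `http` block continues outside the hunk.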