Align nginx rate limit zones with Django rate limiter thresholds

- sapl_general: 90 → 120r/m (matches RATE_LIMITER_RATE anon 120/m)
- sapl_media:  180 → 240r/m (matches RATE_LIMITER_RATE_AUTHENTICATED 240/m)
- sapl_api:     60 → 120r/m (matches API_RATE_LIMIT_THRESHOLD 120/m)
- Set limit_req_log_level warn to reduce error log noise from burst rejections

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker/config/nginx/nginx.conf

@@ -51,15 +51,17 @@ http {
 
     # ----------------------------------------------------------------
     # Rate limiting zones (effective once real_ip is resolved).
-    # sapl_general : 90 req/min  — HTML pages (burst absorbs parallel assets)
-    # sapl_media   : 180 req/min — /media/ has its own bucket; doesn't drain general
-    # sapl_api     : 60 req/min  — API quota layer is the real binding constraint
+    # sapl_general : 120 req/min — aligned with Django anon rate (RATE_LIMITER_RATE)
+    # sapl_media   : 240 req/min — aligned with Django auth rate (RATE_LIMITER_RATE_AUTHENTICATED)
+    # sapl_api     : 120 req/min — aligned with Django rate limiter threshold
     # sapl_heavy   : 10 req/min  — PDF generation; slow by design
     # Burst values are env-var configurable at container start (start.sh).
     # ----------------------------------------------------------------
-    limit_req_zone $binary_remote_addr zone=sapl_general:20m rate=90r/m;
-    limit_req_zone $binary_remote_addr zone=sapl_media:20m   rate=180r/m;
-    limit_req_zone $binary_remote_addr zone=sapl_api:20m     rate=60r/m;
+    limit_req_log_level warn;
+
+    limit_req_zone $binary_remote_addr zone=sapl_general:20m rate=120r/m;
+    limit_req_zone $binary_remote_addr zone=sapl_media:20m   rate=240r/m;
+    limit_req_zone $binary_remote_addr zone=sapl_api:20m     rate=120r/m;
     limit_req_zone $binary_remote_addr zone=sapl_heavy:10m   rate=10r/m;
 
     # ----------------------------------------------------------------