Chore/hos/rate limiting (#46)

* chore: setup rate-limiting

nginx.conf

@@ -3,11 +3,31 @@ events {
 }
 
 http {
+    map $http_x_forwarded_for $client_ip {
+    # Default to $remote_addr if X-Forwarded-For is empty
+    "" $remote_addr;
+    # Extract the second to last IP
+    ~^(?:[^,]+,)*([^,]+),[^,]+$ $1;
+    # Use the only IP if there's just one
+    ~^[^,]+$ $1;
+    }
+    limit_req_zone $client_ip zone=addr_limit:10m rate=10r/s;
+    limit_req_status 429;
+    # Add headers for rate limiting
+    add_header X-RateLimit-Limit 10 always;
+    add_header X-RateLimit-Burst 20 always;
+    add_header X-RateLimit-Delay 5 always;
     server_tokens off;
     server {
 
+        # Use the mapped $client_ip
+        set_real_ip_from 10.0.0.0/8;
+        real_ip_header X-Forwarded-For;
+        real_ip_recursive on;
+
         listen 8080;
         server_name default_server;
+        limit_req zone=addr_limit burst=20 delay=5;
 
 
         proxy_connect_timeout       600;
@@ -66,7 +86,7 @@ http {
 # The problem is cors call for server. Because it has accept html, would it be sent to frontend server, which does not implement cors
 # as a work-around, we implement cors here in nginx for both cases
 
-        location ~* /dataset-catalogs {            
+        location ~* /dataset-catalogs {
             proxy_pass http://dataset-catalog-gui:8080;
         }
 
@@ -98,12 +118,12 @@ http {
             proxy_pass http://new-dataset-catalog-gui:8080;
         }
 
-         location /search {
-              proxy_pass http://dataset-catalog:8080;
-         }
+        location /search {
+            proxy_pass http://dataset-catalog:8080;
+        }
 
         location /terms-and-conditions {
-             proxy_pass http://terms-and-conditions-gui:8080;
+            proxy_pass http://terms-and-conditions-gui:8080;
         }
 
         location / {