ops(nginx): extend register rate limit to /bots/bootstrap + /bots/import-source

kenneives · kenneives · commit b34f7ecd0563 · 2026-05-20T13:06:05.000-07:00
Defense-in-depth on remaining entity-creating endpoints after the
attacker pivoted from /auth/register to /agents/register. Backend
has app-layer limits (5/hr per IP on bootstrap) but nginx layer
keeps probes from reaching backend.
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -227,6 +227,26 @@ http {
             proxy_set_header X-Request-ID $request_id;
         }
 
+        location = /api/v1/bots/bootstrap {
+            limit_req zone=register nodelay;
+            proxy_pass http://backend:8000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Request-ID $request_id;
+        }
+
+        location = /api/v1/bots/import-source {
+            limit_req zone=register nodelay;
+            proxy_pass http://backend:8000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Request-ID $request_id;
+        }
+
         # Auth endpoints — stricter rate limit
         location /api/v1/auth/ {
             limit_req zone=auth burst=10 nodelay;
