From 5e1543e9a8ac0380b7b6a0bc04086225c9e57097 Mon Sep 17 00:00:00 2001
From: Pontoporeia
Date: Mon, 2 Mar 2026 15:46:31 +0100
Subject: [PATCH] nginx: relax admin rate limit to 60r/m burst=20 (was 10r/m burst=5)

---
 nginx/posterg.conf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/nginx/posterg.conf b/nginx/posterg.conf
index 669628c..7d14ba9 100644
--- a/nginx/posterg.conf
+++ b/nginx/posterg.conf
@@ -6,7 +6,10 @@
 # Rate limiting zones
 limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
 limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
-limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m;
+# Admin: already protected by HTTP Basic Auth; rate limiting here only guards
+# against brute-force on the auth layer, not normal browsing.
+# 60r/m = 1r/s sustained, burst=20 covers rapid page navigation.
+limit_req_zone $binary_remote_addr zone=admin:10m rate=60r/m;
 
 # Main server block
 server {
@@ -118,7 +121,7 @@ server {
 auth_basic_user_file /etc/nginx/.htpasswd-posterg;
 
 # Rate limiting for admin
- limit_req zone=admin burst=5 nodelay;
+ limit_req zone=admin burst=20 nodelay;
 
 # Content-Security-Policy - Tighter policy for admin
 add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
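Review bot: The new comment on the admin zone overstates what it does against brute force: at 60r/m, combined with the burst=20 the admin location applies in the second hunk, one source IP can submit roughly 80 Basic-Auth guesses in the first minute and 60 per minute thereafter, which throttles credential guessing but does not stop it, and the old 10r/m limit was six times stricter for exactly that case. The zone is keyed on `$binary_remote_addr`, so it is per-client only if nginx sees the real client address; if a proxy or CDN fronts this host, check that `set_real_ip_from`/`real_ip_header` are configured (not visible here), otherwise every admin request shares one bucket. I would reword the comment to state the actual guarantee, e.g. `# Admin: HTTP Basic Auth is the access control; this zone only slows credential guessing (~60 attempts/min per IP) and does not lock anyone out — pair with fail2ban or alerting on admin 401s.`, or keep the stricter rate if brute-force resistance was the reason the zone existed.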
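Review bot: `nodelay` serves the entire burst=20 immediately, so a client cycling passwords gets 20 guesses at once and then one per second, while the stated reason for the burst is human page navigation that needs only a handful of instant requests. Consider `limit_req zone=admin burst=20 delay=8;` (nginx 1.15.7 or later) so the first few requests are served at once and the remainder of the burst is queued at the 1r/s rate instead of delivered in a single batch. If `limit_req_status` and `limit_req_log_level` are not already set elsewhere in the file, setting them in this location would make rejected admin requests distinguishable from upstream 503s in the logs. The enclosing `location` block begins before and ends after this hunk.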