@marcoieni

Generated with AI starting from the docs.rs nginx config. Didn't review yet. But `terraform plan` works.

@syphar left a comment

After thinking about it:

It seems like the AWS WAF is running before the cache, so the rate limit rules would apply before too.

Right now, we only check rate limits in the backend, so only uncached requests.

Seeing the difference from the stats (average of 100k rpm on CloudFront, 30k on the backend), at the very least we have to adapt the rate limit accordingly.

But:
The only reason for the rate limit (for me) is protecting the backend. Cached requests can go as high as they want.

So I wonder if we should choose another approach generally, leaving cached requests open, and only rate limiting the origin requests.

Would we have an ALB anyways? Then we could use a regional WAF in front of it?

Even for malicious cases I mostly see a problem when these requests hit the origin, not before.
