add rate limiting

[maxlath]

Doing rate limiting from nginx based on status code seems like a good option; some readings:

• Use Nginx to rate-limit only when origin server response code is 401
• Nginx: Limit request based on response status code

That would contribute to address attacks trying to mimic a user session.

Another rate limiting strategy could be setup to address denial of service attacks, which would then need to include non-error status codes