Hey everyone! I'm currently running a Node/Express backend with NGINX and I'm trying to establish a solid rate limiting strategy. My site features around 40 different endpoints, including public APIs, static content like images and fonts, and some POST routes for actions like login and registration.
I've observed that when someone visits the homepage, especially in incognito mode, it triggers over 60 requests for various resources such as HTML, JS, CSS, fonts, and some API calls. While some of these are internal, others are requests to external services like Google Fonts and inline images.
I'm aiming for a rate limiting setup that:
* Doesn't block genuine users just browsing my site.
* Prevents abuse or scraping (like limiting to 1000 requests per minute per IP).
I know that `limit_req_zone` could be beneficial, and that I should use `burst` to allow for minor request spikes. Right now, I'm considering a configuration like this:
```nginx
# limit_req_zone belongs in the http {} context, not inside server {} or location {}.
# 10m of shared memory holds roughly 160,000 IPv4 client states; rate=5r/s is the sustained rate.
limit_req_zone $binary_remote_addr zone=general_limit:10m rate=5r/s;
location /api/ {
    # burst=20 admits 1+20 requests at once; nodelay forwards them immediately
    # and rejects anything beyond that with 503 (see limit_req_status).
    limit_req zone=general_limit burst=20 nodelay;
}
```
* Are the settings of `5r/s` and `burst=20` reasonable for my public endpoints?
* Should I apply different limits for POST requests like login and registration?
* Would it be more effective to manage rate limiting in Node.js per route with something like `express-rate-limit`, or is it better to have NGINX handle this globally?
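To put numbers on the first question, here is an added example (not part of the original post) that models the leaky bucket NGINX's `limit_req` uses, following the arithmetic of `ngx_http_limit_req_module`: per-key "excess" is tracked in thousandths of a request, drained at `rate`, and a request is rejected once excess exceeds `burst`. It replays the 60-request page load from the question and a burst of login attempts against the posted settings. The client address, arrival times and the alternative settings are constructed assumptions, not measurements from the site.

```javascript
// Added example, not from the original post: a model of NGINX's limit_req
// leaky bucket so the numbers in the question (5r/s, burst=20, nodelay, a
// 60-request page load) can be checked offline. It follows the arithmetic
// of ngx_http_limit_req_module: per-key "excess" in thousandths of a
// request, drained at `rate`, rejected once excess exceeds burst. The
// client address and arrival times are constructed sample data.

class LimitReqZone {
  constructor({ rate, burst, nodelay = false }) {
    this.rate = Math.round(rate * 1000);   // r/s scaled x1000, as nginx stores it
    this.burst = burst * 1000;
    this.nodelay = nodelay;
    this.state = new Map();                // key -> { excess, last }
  }

  // Decide one request from `key` arriving at `nowMs`.
  // Returns { status: 'ok' | 'delayed' | 'rejected', delayMs }.
  check(key, nowMs) {
    const s = this.state.get(key);
    if (!s) {
      // First request from a new key starts with excess 0 and is always served.
      this.state.set(key, { excess: 0, last: nowMs });
      return { status: 'ok', delayMs: 0 };
    }
    const elapsed = Math.max(0, nowMs - s.last);
    // Drain what the rate allows for the elapsed time, then add this request.
    let excess = s.excess - Math.floor(this.rate * elapsed / 1000) + 1000;
    if (excess < 0) excess = 0;
    if (excess > this.burst) {
      // Over burst: rejected without being counted (503 by default, see
      // limit_req_status). Retrying does not help until the bucket drains.
      return { status: 'rejected', delayMs: 0 };
    }
    s.excess = excess;
    if (elapsed) s.last = nowMs;
    if (this.nodelay || excess === 0) return { status: 'ok', delayMs: 0 };
    // Without nodelay, an excess request is held until the bucket has
    // drained enough to admit it at the configured rate.
    return { status: 'delayed', delayMs: Math.floor(excess * 1000 / this.rate) };
  }
}

// Replay one client's arrival times (ms) against a zone and tally outcomes.
function simulate(config, arrivalsMs, key = '203.0.113.10') {
  const zone = new LimitReqZone(config);
  const tally = { ok: 0, delayed: 0, rejected: 0, maxDelayMs: 0 };
  for (const t of arrivalsMs) {
    const r = zone.check(key, t);
    tally[r.status] += 1;
    tally.maxDelayMs = Math.max(tally.maxDelayMs, r.delayMs);
  }
  return tally;
}

// Constructed: a cold homepage load firing 60 requests 2 ms apart, as if
// every one of them hit a limited location.
const pageLoad = Array.from({ length: 60 }, (_, i) => i * 2);
// Constructed: ten login attempts submitted at the same instant.
const loginSpray = Array(10).fill(0);

const results = {
  // The question's config: 1 + burst = 21 served, the other 39 get 503.
  apiAsPosted: simulate({ rate: 5, burst: 20, nodelay: true }, pageLoad),
  // Same page load with burst raised to cover it: all 60 served.
  apiBurst59: simulate({ rate: 5, burst: 59, nodelay: true }, pageLoad),
  // A stricter login tier without nodelay: 1 served now, 5 queued with
  // growing delays (up to 5 s), 4 rejected.
  loginStrict: simulate({ rate: 1, burst: 5, nodelay: false }, loginSpray),
};
console.log(JSON.stringify(results, null, 2));
```

Two things fall out of running it. First, with `burst=20 nodelay` a client gets exactly 21 requests through before the 503s start, and a rejected request is not counted, so a page that fires 60 limited requests at once will see 39 of them fail. Second, that only matters for requests that actually hit a limited location: the snippet in the question attaches the zone to `location /api/` alone, so the HTML, JS, CSS, fonts and images of the homepage never touch the counter, and `burst` should be sized to the number of API calls one page view makes (plus a margin), not to the 60 total resources. The 1000 requests per minute target can be written directly as `rate=1000r/m`, since NGINX accepts per-minute rates.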
2 Answers
Have you thought about using Cloudflare for protection? I actually use their Tunnels, and they're super easy and free. They can help mitigate a lot of unwanted traffic before it even reaches your server.
Your current rate limits seem reasonable, but I think it might be worth adjusting the `burst` setting based on your traffic patterns. For login and registration, considering the potential for abuse, I’d recommend using stricter limits there. Handling rate limiting in Node.js can give you finer control, especially per route, but it's often easier to let NGINX handle it just to reduce complexity.
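On the "NGINX globally versus Node per route" question, the following is an added example (not code from the original post or either answer) of an app-level limiter in the shape of `express-rate-limit`, written as a plain Express `(req, res, next)` middleware so it runs here without the package or Express itself. It shows the two things a single NGINX zone does not give you: a separate, tighter budget for the login and registration routes keyed on client IP and username, and client-IP extraction that trusts `X-Forwarded-For` only when the TCP peer is the NGINX in front of the app. Without that check the limiter behind NGINX sees every request as coming from the proxy address, and a client that can reach Node directly could forge the header to dodge the limit. The proxy address 127.0.0.1, the route names and all client addresses are assumptions. The same trust problem exists one layer up: when Cloudflare fronts NGINX, as the first answer suggests, `$binary_remote_addr` is a Cloudflare address unless `ngx_http_realip_module` is configured (`set_real_ip_from` for Cloudflare's ranges and `real_ip_header CF-Connecting-IP`), and the NGINX zone would then lump all Cloudflare traffic into a handful of keys.

```javascript
// Added example, not code from the original post or either answer: an
// app-level limiter in the shape of express-rate-limit, written as a plain
// Express middleware (req, res, next) so it runs without the package or
// Express. The proxy address, route names and client addresses are assumptions.

const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Behind NGINX every socket peer is the proxy, so keying on
// req.socket.remoteAddress would put all users in one bucket. Trust the
// header only from the proxy; a direct client could otherwise forge it.
function clientIp(req) {
  const peer = req.socket.remoteAddress;
  const xff = req.headers['x-forwarded-for'];
  if (TRUSTED_PROXIES.has(peer) && xff) {
    // With $proxy_add_x_forwarded_for NGINX appends the address it saw, so
    // the right-most entry is the one hop we can vouch for.
    return xff.split(',').pop().trim();
  }
  return peer;
}

// Login budget: IP plus username, so one address cannot grind one account,
// while the IP half keeps a remote attacker from locking a victim out.
function loginKey(req) {
  return clientIp(req) + '|' + String(req.body.username || '').toLowerCase();
}

// Sliding-window log: timestamps per key, reject once `limit` of them fall
// inside the last `windowMs`.
class SlidingWindow {
  constructor(windowMs, limit) { this.windowMs = windowMs; this.limit = limit; this.log = new Map(); }
  hit(key, now) {
    const recent = (this.log.get(key) || []).filter((t) => t > now - this.windowMs);
    if (recent.length >= this.limit) {
      this.log.set(key, recent);
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.log.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length };
  }
}

// One middleware per tier. `now` is injectable so the example is deterministic.
function rateLimit({ windowMs, limit, keyFn = clientIp, now = Date.now }) {
  const log = new SlidingWindow(windowMs, limit);
  return function limiter(req, res, next) {
    const r = log.hit(keyFn(req), now());
    res.setHeader('RateLimit-Limit', String(limit));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      res.statusCode = 429;
      return res.end('Too Many Requests');
    }
    res.setHeader('RateLimit-Remaining', String(r.remaining));
    next();
  };
}

// Stand-ins for Express's req/res so the middleware can be exercised here.
function fakeReq({ peer, xff, username }) {
  const headers = xff ? { 'x-forwarded-for': xff } : {};
  return { socket: { remoteAddress: peer }, headers, body: username ? { username } : {} };
}
function fakeRes() {
  const res = { statusCode: 200, headers: {}, body: '' };
  res.setHeader = (k, v) => { res.headers[k] = v; };
  res.end = (b) => { res.body = b || ''; };
  return res;
}

// Send `n` requests built by `makeReq(i)` through `mw`; return how many passed.
function run(mw, makeReq, n) {
  let passed = 0;
  for (let i = 0; i < n; i++) mw(makeReq(i), fakeRes(), () => { passed += 1; });
  return passed;
}

const clock = () => 1700000000000;   // frozen clock for a repeatable run
const loginLimiter = rateLimit({ windowMs: 15 * 60 * 1000, limit: 5, keyFn: loginKey, now: clock });

// Direct client forging a fresh X-Forwarded-For per attempt: the header is
// ignored because the peer is not NGINX, so all 8 share one bucket -> 5 pass.
const forged = run(loginLimiter, (i) => fakeReq({ peer: '198.51.100.7', xff: `10.0.0.${i}`, username: 'alice' }), 8);
// The same burst arriving through NGINX for a real client: also 5 of 8.
const viaProxy = run(loginLimiter, () => fakeReq({ peer: '127.0.0.1', xff: '203.0.113.5', username: 'alice' }), 8);
console.log({ forged, viaProxy });
```

In practice the two layers complement each other: NGINX's `limit_req` is cheap and drops floods before they reach Node, while the app-level tier is where you can key on things NGINX cannot see in a POST body, such as the username, and answer with 429 and a `Retry-After` instead of a bare 503. Whatever runs the login limiter must read the client address the way `clientIp` does; `express-rate-limit` relies on Express's `trust proxy` setting for the same purpose.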