The trouble is I want to take the load from the backend and dump it onto nginx.
The solution you're offering is good only for phpBB. How do you want to implement that for a server having 10k multiple websites, some having attacks against post.php, wp-login.php, wp-comments-post.php etc ?
My idea was to create a simple website managed by nginx which will be displayed if $request_uri matches then if "token" will be valid redirect to the original destination.
Some sort of server wide protection not single website plugin.
Thank you.