Add nginx rate limiting #188
Conversation
Codecov Report
@@ Coverage Diff @@
## master #188 +/- ##
=======================================
Coverage 45.83% 45.83%
=======================================
Files 2 2
Lines 48 48
Branches 3 3
=======================================
Hits 22 22
Misses 25 25
Partials 1 1Continue to review full report at Codecov.
|
| @@ -1,3 +1,6 @@ | |||
| limit_req_zone $binary_remote_addr zone=jenkins:10m rate={{ nginx_request_limit }}; | |||
There was a problem hiding this comment.
What does this '10m' number mean? Is this something that should be parameterized?
There was a problem hiding this comment.
This value is the size of the rate limiting state cache for this rate limit zone in nginx. 10m comes to about 160,000 ip addresses. I don't see a need to parameterize this one but am up for it if that would be valuable.
There was a problem hiding this comment.
I don't see a downside to parameterizing all the number values. It gives users an opportunity to tweak those values if needed, and even if they are never changed by anyone, having the values documented with comments in our vars files (with links to specific nginx docs) makes it easier for cinch users to understand what's going on.
| @@ -19,7 +22,11 @@ server { | |||
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
| proxy_set_header X-Forwarded-Proto $scheme; | |||
| proxy_pass http://jenkins; | |||
| } | |||
| limit_req zone=jenkins burst=100 nodelay; | |||
There was a problem hiding this comment.
What does this 'burst=100' number mean? Is this something that should be parameterized?
There was a problem hiding this comment.
burst gives a little 'padding' by putting requests into a queue if one hits a limit. So here adding an additional 100 slot queue to lessen the impact of being rate limited. Seems to be recommended on nginx.com's blog and docs. Maybe we can parameterize this one.
There was a problem hiding this comment.
I don't see a downside to parameterizing all the number values. It gives users an opportunity to tweak those values if needed, and even if they are never changed by anyone, having the values documented with comments in our vars files (with links to specific nginx docs) makes it easier for cinch users to understand what's going on.
| @@ -38,7 +41,11 @@ server { | |||
| proxy_set_header X-Forwarded-Proto $scheme; | |||
| proxy_redirect http:// https://; | |||
| proxy_pass http://jenkins; | |||
| } | |||
| limit_req zone=jenkins burst=100 nodelay; | |||
There was a problem hiding this comment.
What does this 'burst=100' number mean? Is this something that should be parameterized?
| @@ -245,6 +245,17 @@ firewall_tcp_ports: | |||
| - "22/tcp" | |||
| - "80/tcp" | |||
| - "{{ https_enabled | ternary('443/tcp', omit) }}" | |||
| # The following values are used in nginx to prevent undesired impact of the | |||
There was a problem hiding this comment.
I think there is a use case for optionally setting all these values to nginx defaults, for the purposes of debugging or testing without any rate limiting in the mix. Can we parameterize this in such a way that all rate limiting is turned off based on some flag? Or alternatively, we could document in the comments what the default values are, and from there a user could set those to turn off the rate limiting. Ideally we could auto-inherit the defaults from the nginx upstream configuration.
There was a problem hiding this comment.
Agreed on this comment, across the board.
There was a problem hiding this comment.
It appears there are no default nginx values for these, curiously enough. Where applicable I am using info from nginx.com/blog posts about rate limit features, and also things I have tested.
I will make rate limiting opt-in only and document values in place if users want to customize from suggested values.
|
Thanks - good points all, let me work on this. |
scottlinux
force-pushed
the
nginx-rate-limit
branch
2 times, most recently
from
fb04bd7
to
27dead1
Compare
| limit_rate_after {{ nginx_bandwidth_limit_after_size }}; | ||
| limit_rate {{ nginx_max_bandwidth_outbound }}; | ||
| {% endif %} | ||
| } |
There was a problem hiding this comment.
Is the indentation level here correct?
| limit_rate_after {{ nginx_bandwidth_limit_after_size }}; | ||
| limit_rate {{ nginx_max_bandwidth_outbound }}; | ||
| {% endif %} | ||
| } |
There was a problem hiding this comment.
Is the indentation level here correct?
There was a problem hiding this comment.
Thanks - should be fixed now if you can double check me
| # Limit maximum number of simultaneous connections per ip: | ||
| nginx_max_connections_per_ip: 25 | ||
| # Enable bandwidth limiting for files this size or larger: | ||
| nginx_bandwidth_limit_after_size: "100m" |
| # Enable bandwidth limiting for files this size or larger: | ||
| nginx_bandwidth_limit_after_size: "100m" | ||
| # Set bandwidth limit for downloading large files: | ||
| nginx_max_bandwidth_outbound: "5m" |
scottlinux
force-pushed
the
nginx-rate-limit
branch
2 times, most recently
from
eab1d80
to
5616178
Compare
|
Ok updated comments should be resolved now. I likely made a mess of this PR via multiple amends. :/ |
|
May have missed the indentation fix here: |
scottlinux
force-pushed
the
nginx-rate-limit
branch
from
5616178
to
b3511fe
Compare
|
Let's please remember to add this to the CHANGELOG file before the next release that it's included in. |
|
I'll take care of the CHANGELOG. |
For #143