-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add nginx rate limiting #188
Conversation
Codecov Report
@@ Coverage Diff @@
## master #188 +/- ##
=======================================
Coverage 45.83% 45.83%
=======================================
Files 2 2
Lines 48 48
Branches 3 3
=======================================
Hits 22 22
Misses 25 25
Partials 1 1 Continue to review full report at Codecov.
|
@@ -1,3 +1,6 @@ | |||
limit_req_zone $binary_remote_addr zone=jenkins:10m rate={{ nginx_request_limit }}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does this '10m' number mean? Is this something that should be parameterized?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This value is the size of the rate limiting state cache for this rate limit zone in nginx. 10m comes to about 160,000 ip addresses. I don't see a need to parameterize this one but am up for it if that would be valuable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see a downside to parameterizing all the number values. It gives users an opportunity to tweak those values if needed, and even if they are never changed by anyone, having the values documented with comments in our vars files (with links to specific nginx docs) makes it easier for cinch users to understand what's going on.
@@ -19,7 +22,11 @@ server { | |||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
proxy_set_header X-Forwarded-Proto $scheme; | |||
proxy_pass http://jenkins; | |||
} | |||
limit_req zone=jenkins burst=100 nodelay; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does this 'burst=100' number mean? Is this something that should be parameterized?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
burst gives a little 'padding' by putting requests into a queue if one hits a limit. So here adding an additional 100 slot queue to lessen the impact of being rate limited. Seems to be recommended on nginx.com's blog and docs. Maybe we can parameterize this one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see a downside to parameterizing all the number values. It gives users an opportunity to tweak those values if needed, and even if they are never changed by anyone, having the values documented with comments in our vars files (with links to specific nginx docs) makes it easier for cinch users to understand what's going on.
@@ -38,7 +41,11 @@ server { | |||
proxy_set_header X-Forwarded-Proto $scheme; | |||
proxy_redirect http:// https://; | |||
proxy_pass http://jenkins; | |||
} | |||
limit_req zone=jenkins burst=100 nodelay; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does this 'burst=100' number mean? Is this something that should be parameterized?
@@ -245,6 +245,17 @@ firewall_tcp_ports: | |||
- "22/tcp" | |||
- "80/tcp" | |||
- "{{ https_enabled | ternary('443/tcp', omit) }}" | |||
# The following values are used in nginx to prevent undesired impact of the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think there is a use case for optionally setting all these values to nginx defaults, for the purposes of debugging or testing without any rate limiting in the mix. Can we parameterize this in such a way that all rate limiting is turned off based on some flag? Or alternatively, we could document in the comments what the default values are, and from there a user could set those to turn off the rate limiting. Ideally we could auto-inherit the defaults from the nginx upstream configuration.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed on this comment, across the board.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It appears there are no default nginx values for these, curiously enough. Where applicable I am using info from nginx.com/blog posts about rate limit features, and also things I have tested.
I will make rate limiting opt-in only and document values in place if users want to customize from suggested values.
Thanks - good points all, let me work on this. |
fb04bd7
to
27dead1
Compare
limit_rate_after {{ nginx_bandwidth_limit_after_size }}; | ||
limit_rate {{ nginx_max_bandwidth_outbound }}; | ||
{% endif %} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the indentation level here correct?
limit_rate_after {{ nginx_bandwidth_limit_after_size }}; | ||
limit_rate {{ nginx_max_bandwidth_outbound }}; | ||
{% endif %} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the indentation level here correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks - should be fixed now if you can double check me
# Limit maximum number of simultaneous connections per ip: | ||
nginx_max_connections_per_ip: 25 | ||
# Enable bandwidth limiting for files this size or larger: | ||
nginx_bandwidth_limit_after_size: "100m" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What unit is 'm'?
# Enable bandwidth limiting for files this size or larger: | ||
nginx_bandwidth_limit_after_size: "100m" | ||
# Set bandwidth limit for downloading large files: | ||
nginx_max_bandwidth_outbound: "5m" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What unit is 'm'?
eab1d80
to
5616178
Compare
Ok updated comments should be resolved now. I likely made a mess of this PR via multiple amends. :/ |
May have missed the indentation fix here: |
5616178
to
b3511fe
Compare
Let's please remember to add this to the CHANGELOG file before the next release that it's included in. |
I'll take care of the CHANGELOG. |
For #143