PHRAS-3588 change limit method

alchemy-fr · Nov 13, 2024 · 9b9b403 · 9b9b403
1 parent 9c147df
commit 9b9b403
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 12 deletions.
diff --git a/.env b/.env
@@ -232,10 +232,10 @@ GATEWAY_USERS=
 # READ is for GET and HEAD requests
 # WRITE is for POST, PUT, DELETE and PATCH requests
 # @run
-HTTP_READ_REQUEST_LIMIT_MEMORY=10m  # For Exemple 16,000 IP addresses takes 1 megabyte, so our zone can store about 160,000 addresses.
-HTTP_READ_REQUEST_LIMIT_RATE=5r/s  # Sets the maximum request rate. By default here the rate cannot exceed 10 requests per second
-HTTP_WRITE_REQUEST_LIMIT_MEMORY=10m  # For Exemple 16,000 IP addresses takes 1 megabyte, so our zone can store about 160,000 addresses.
-HTTP_WRITE_REQUEST_LIMIT_RATE=5r/s  # Sets the maximum request rate. By default here the rate cannot exceed 10 requests per second
+HTTP_READ_REQUEST_LIMIT_MEMORY=10   # (m)   For Exemple 16,000 IP addresses takes 1 megabyte, so our zone can store about 160,000 addresses.
+HTTP_READ_REQUEST_LIMIT_RATE=5      # (r/s) Sets the maximum request rate. By default here the rate cannot exceed 10 requests per second
+HTTP_WRITE_REQUEST_LIMIT_MEMORY=10  # (m)   For Exemple 16,000 IP addresses takes 1 megabyte, so our zone can store about 160,000 addresses.
+HTTP_WRITE_REQUEST_LIMIT_RATE=5  # (r/s) Sets the maximum request rate. By default here the rate cannot exceed 10 requests per second
 
 # https and reverse proxy (on/off)
 # set to on in the case : https behind a proxy

diff --git a/docker/nginx/root/entrypoint.sh b/docker/nginx/root/entrypoint.sh
@@ -35,7 +35,7 @@ else
   envsubst < "/securitycontentpolicies.sample.conf" > /etc/nginx/conf.d/securitycontentpolicies.conf
 fi
 
-cat /nginx.conf.sample | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_SEND_TIMEOUT/$GATEWAY_SEND_TIMEOUT/g"  | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_PROXY_TIMEOUT/$GATEWAY_PROXY_TIMEOUT/g"  | sed "s/\$NEW_TARGET/$NEW_TARGET/g"  | sed "s/\$NEW_RESOLVER/$NEW_RESOLVER/g" | sed "s/\$GATEWAY_FASTCGI_HTTPS/$GATEWAY_FASTCGI_HTTPS/g" | sed "s/\$HTTP_READ_REQUEST_LIMIT_MEMORY/$HTTP_READ_REQUEST_LIMIT_MEMORY/g"  | sed "s/\$HTTP_READ_REQUEST_LIMIT_RATE/$HTTP_READ_REQUEST_LIMIT_RATE/g" sed "s/\$HTTP_WRITE_REQUEST_LIMIT_MEMORY/$HTTP_WRITE_REQUEST_LIMIT_MEMORY/g"  | sed "s/\$HTTP_WRITE_REQUEST_LIMIT_RATE/$HTTP_WRITE_REQUEST_LIMIT_RATE/g" > /etc/nginx/conf.d/default.conf
+cat /nginx.conf.sample | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_SEND_TIMEOUT/$GATEWAY_SEND_TIMEOUT/g"  | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_PROXY_TIMEOUT/$GATEWAY_PROXY_TIMEOUT/g"  | sed "s/\$NEW_TARGET/$NEW_TARGET/g"  | sed "s/\$NEW_RESOLVER/$NEW_RESOLVER/g" | sed "s/\$GATEWAY_FASTCGI_HTTPS/$GATEWAY_FASTCGI_HTTPS/g" | sed "s/\$HTTP_READ_REQUEST_LIMIT_MEMORY/$HTTP_READ_REQUEST_LIMIT_MEMORY/g"  | sed "s/\$HTTP_READ_REQUEST_LIMIT_RATE/$HTTP_READ_REQUEST_LIMIT_RATE/g" | sed "s/\$HTTP_WRITE_REQUEST_LIMIT_MEMORY/$HTTP_WRITE_REQUEST_LIMIT_MEMORY/g" | sed "s/\$HTTP_WRITE_REQUEST_LIMIT_RATE/$HTTP_WRITE_REQUEST_LIMIT_RATE/g" > /etc/nginx/conf.d/default.conf
 
 cat /fastcgi_timeout.conf  | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" > /etc/nginx/fastcgi_extended_params
 

diff --git a/docker/nginx/root/nginx.conf.sample b/docker/nginx/root/nginx.conf.sample
@@ -6,9 +6,20 @@ proxy_send_timeout          $GATEWAY_PROXY_TIMEOUT;
 client_header_timeout       $GATEWAY_SEND_TIMEOUT;
 client_body_timeout         $GATEWAY_SEND_TIMEOUT;
 fastcgi_read_timeout        $GATEWAY_FASTCGI_TIMEOUT;
+
+map $request_method $postlimit {
+  default         "";
+  POST            $binary_remote_addr;
+}
+
+map $request_method $getlimit {
+  default         "";
+  GET            $binary_remote_addr;
+}
+
 limit_req_status 429;
-limit_req_zone $binary_remote_addr zone=readlimitsbyip:$HTTP_READ_REQUEST_LIMIT_MEMORY rate=$HTTP_READ_REQUEST_LIMIT_RATE;
-limit_req_zone $binary_remote_addr zone=writelimitsbyip:$HTTP_WRITE_REQUEST_LIMIT_MEMORY rate=$HTTP_WRITE_REQUEST_LIMIT_RATE;
+limit_req_zone $getlimit zone=readlimitsbyip:$HTTP_READ_REQUEST_LIMIT_MEMORYm rate=$HTTP_READ_REQUEST_LIMIT_RATEr/s;
+limit_req_zone $postlimit zone=writelimitsbyip:$HTTP_WRITE_REQUEST_LIMIT_MEMORYm rate=$HTTP_WRITE_REQUEST_LIMIT_RATEr/s;
 resolver $NEW_RESOLVER;
 
 upstream backend {
@@ -40,7 +51,6 @@ server {
         if (-f /var/alchemy/Phraseanet/datas/nginx/maintenance.html) {
             return 503;
         }
-
         # First attempt to serve request as file, then
         # as directory, then fall back to index.html
         try_files $uri $uri/ @rewriteapp;
@@ -57,12 +67,8 @@ server {
         include        fastcgi_params;
         $GATEWAY_FASTCGI_HTTPS
         include        restrictions;
-        if ($request_method ~ ^(GET|HEAD)$) {
             limit_req zone=readlimitsbyip;
-        }
-        if ($request_method ~ ^(POST|PUT|DELETE|PATCH)$) {
             limit_req zone=writelimitsbyip;
-        }
     }
 
     location ~ ^/(status|ping)$ {