PHRAS-3588 manage http request limits by verbs
moctardiouf committed Nov 13, 2024
1 parent 2b435b5 commit 9c147df
Showing 4 changed files with 30 additions and 1 deletion.
13 changes: 13 additions & 0 deletions .env
Expand Up @@ -224,6 +224,19 @@ GATEWAY_DENIED_IPS=
# @run
GATEWAY_USERS=



# Manage http incoming request limits by verbs
# this feature is based on ip adresses and need PHRASEANET_TRUSTED_PROXIES
# defined to get real_ip
# READ is for GET and HEAD requests
# WRITE is for POST, PUT, DELETE and PATCH requests
# @run
HTTP_READ_REQUEST_LIMIT_MEMORY=10m # For Exemple 16,000 IP addresses takes 1 megabyte, so our zone can store about 160,000 addresses.
HTTP_READ_REQUEST_LIMIT_RATE=5r/s # Sets the maximum request rate. By default here the rate cannot exceed 10 requests per second
HTTP_WRITE_REQUEST_LIMIT_MEMORY=10m # For Exemple 16,000 IP addresses takes 1 megabyte, so our zone can store about 160,000 addresses.
HTTP_WRITE_REQUEST_LIMIT_RATE=5r/s # Sets the maximum request rate. By default here the rate cannot exceed 10 requests per second

# https and reverse proxy (on/off)
# set to on in the case : https behind a proxy
# @run
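Review bot: The inline comments on the two `*_RATE` lines say "the rate cannot exceed 10 requests per second" while the value actually set is `5r/s`; make the comment match the value or drop the number, e.g. `HTTP_READ_REQUEST_LIMIT_RATE=5r/s # maximum sustained request rate per client address (nginx limit_req syntax, e.g. 5r/s or 30r/m)`. The header comment should also state that an empty value is not an "off" switch — the entrypoint substitutes these variables verbatim into `limit_req_zone`, so a blank one yields an unloadable nginx configuration — and should say more plainly that behind a reverse proxy whose hops are not all listed in PHRASEANET_TRUSTED_PROXIES, every user is keyed on the proxy address and shares one bucket. Typos: "Exemple" → "Example", "adresses" → "addresses", "need" → "needs". One thing to confirm: if the `.env` parser used by this compose setup does not strip trailing `# …` comments, the value passed to nginx becomes `10m # For Exemple …` rather than `10m`, so either verify inline comments are supported or move them onto their own lines above the variable.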
5 changes: 5 additions & 0 deletions docker-compose.yml
Expand Up @@ -36,6 +36,11 @@ services:
- GATEWAY_DENIED_IPS
- GATEWAY_USERS
- GATEWAY_CSP
- HTTP_READ_REQUEST_LIMIT_MEMORY
- HTTP_READ_REQUEST_LIMIT_RATE
- HTTP_WRITE_REQUEST_LIMIT_MEMORY
- HTTP_WRITE_REQUEST_LIMIT_RATE

ports:
- ${PHRASEANET_APP_PORT}:80
networks:
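Review bot: The four new `HTTP_*_REQUEST_LIMIT_*` entries are plain pass-throughs with no fallback, so an operator running with an older `.env` (or one that leaves them blank) renders `limit_req_zone … zone=readlimitsbyip: rate=;` into the nginx config and the gateway container fails to start. Give each a compose-level default so the feature degrades to the shipped values instead, e.g. `- HTTP_READ_REQUEST_LIMIT_MEMORY=${HTTP_READ_REQUEST_LIMIT_MEMORY:-10m}` and `- HTTP_READ_REQUEST_LIMIT_RATE=${HTTP_READ_REQUEST_LIMIT_RATE:-5r/s}`, and likewise for the two WRITE entries. The enclosing `services:` block continues outside the hunk.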
3 changes: 2 additions & 1 deletion docker/nginx/root/entrypoint.sh
Expand Up @@ -35,7 +35,8 @@ else
envsubst < "/securitycontentpolicies.sample.conf" > /etc/nginx/conf.d/securitycontentpolicies.conf
fi

cat /nginx.conf.sample | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_SEND_TIMEOUT/$GATEWAY_SEND_TIMEOUT/g" | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_PROXY_TIMEOUT/$GATEWAY_PROXY_TIMEOUT/g" | sed "s/\$NEW_TARGET/$NEW_TARGET/g" | sed "s/\$NEW_RESOLVER/$NEW_RESOLVER/g" | sed "s/\$GATEWAY_FASTCGI_HTTPS/$GATEWAY_FASTCGI_HTTPS/g" > /etc/nginx/conf.d/default.conf
cat /nginx.conf.sample | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_SEND_TIMEOUT/$GATEWAY_SEND_TIMEOUT/g" | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_PROXY_TIMEOUT/$GATEWAY_PROXY_TIMEOUT/g" | sed "s/\$NEW_TARGET/$NEW_TARGET/g" | sed "s/\$NEW_RESOLVER/$NEW_RESOLVER/g" | sed "s/\$GATEWAY_FASTCGI_HTTPS/$GATEWAY_FASTCGI_HTTPS/g" | sed "s/\$HTTP_READ_REQUEST_LIMIT_MEMORY/$HTTP_READ_REQUEST_LIMIT_MEMORY/g" | sed "s/\$HTTP_READ_REQUEST_LIMIT_RATE/$HTTP_READ_REQUEST_LIMIT_RATE/g" sed "s/\$HTTP_WRITE_REQUEST_LIMIT_MEMORY/$HTTP_WRITE_REQUEST_LIMIT_MEMORY/g" | sed "s/\$HTTP_WRITE_REQUEST_LIMIT_RATE/$HTTP_WRITE_REQUEST_LIMIT_RATE/g" > /etc/nginx/conf.d/default.conf

cat /fastcgi_timeout.conf | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" > /etc/nginx/fastcgi_extended_params

echo `date +"%Y-%m-%d %H:%M:%S"` " - Setting for real_ip_from using Trusted Proxies"
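Review bot: The rewritten `cat /nginx.conf.sample | …` pipeline is missing the `|` between the `\$HTTP_READ_REQUEST_LIMIT_RATE` sed and the `\$HTTP_WRITE_REQUEST_LIMIT_MEMORY` sed, so the literal word `sed` and the following `s/…/g` expression are handed to the first sed as input file names; that sed fails to read a file called `sed`, the WRITE_MEMORY substitution never runs, and what lands in `/etc/nginx/conf.d/default.conf` is most likely empty rather than the rendered config. Independently, the shipped default `5r/s` contains `/`, which is also the sed delimiter, so `s/\$HTTP_READ_REQUEST_LIMIT_RATE/5r/s/g` is itself a malformed expression ("unknown option to `s'") — use a different delimiter, or render the whole file with `envsubst` as the `securitycontentpolicies` branch three lines above already does. If you switch to `envsubst`, pass an explicit variable list, otherwise nginx's own `$binary_remote_addr`, `$request_method`, `$uri` and friends in the sample are blanked as well. Consider ending the entrypoint with `nginx -t` so a bad value fails the container at start-up instead of leaving the gateway running on a broken config.
```shell
# Render with an explicit variable list so nginx's own $variables survive.
envsubst '$MAX_BODY_SIZE $GATEWAY_SEND_TIMEOUT $GATEWAY_FASTCGI_TIMEOUT $GATEWAY_PROXY_TIMEOUT $NEW_TARGET $NEW_RESOLVER $GATEWAY_FASTCGI_HTTPS $HTTP_READ_REQUEST_LIMIT_MEMORY $HTTP_READ_REQUEST_LIMIT_RATE $HTTP_WRITE_REQUEST_LIMIT_MEMORY $HTTP_WRITE_REQUEST_LIMIT_RATE' \
    < /nginx.conf.sample > /etc/nginx/conf.d/default.conf
```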
10 changes: 10 additions & 0 deletions docker/nginx/root/nginx.conf.sample
@@ -1,10 +1,14 @@

send_timeout $GATEWAY_SEND_TIMEOUT;
keepalive_timeout $GATEWAY_SEND_TIMEOUT;
proxy_connect_timeout $GATEWAY_PROXY_TIMEOUT;
proxy_send_timeout $GATEWAY_PROXY_TIMEOUT;
client_header_timeout $GATEWAY_SEND_TIMEOUT;
client_body_timeout $GATEWAY_SEND_TIMEOUT;
fastcgi_read_timeout $GATEWAY_FASTCGI_TIMEOUT;
limit_req_status 429;
limit_req_zone $binary_remote_addr zone=readlimitsbyip:$HTTP_READ_REQUEST_LIMIT_MEMORY rate=$HTTP_READ_REQUEST_LIMIT_RATE;
limit_req_zone $binary_remote_addr zone=writelimitsbyip:$HTTP_WRITE_REQUEST_LIMIT_MEMORY rate=$HTTP_WRITE_REQUEST_LIMIT_RATE;
resolver $NEW_RESOLVER;

upstream backend {
Expand Down Expand Up @@ -53,6 +57,12 @@ server {
include fastcgi_params;
$GATEWAY_FASTCGI_HTTPS
include restrictions;
if ($request_method ~ ^(GET|HEAD)$) {
limit_req zone=readlimitsbyip;
}
if ($request_method ~ ^(POST|PUT|DELETE|PATCH)$) {
limit_req zone=writelimitsbyip;
}
}

location ~ ^/(status|ping)$ {
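Review bot: `limit_req` placed inside `if ($request_method …)` in the location block (second hunk) will, as far as I can tell, be rejected when nginx loads the config — the directive's contexts are `http`, `server` and `location`, not `if`, so `nginx -t` should report `"limit_req" directive is not allowed here`; please verify before merging. The idiomatic way to split limits by verb is to key each zone on a `map` of `$request_method` that yields `$binary_remote_addr` for the verbs you want counted and an empty string otherwise (an empty key is not accounted), with `limit_req` sitting unconditionally in the location. Both `limit_req` lines also have no `burst`, so at the shipped `5r/s` any two requests from one address closer than 200 ms — a single page load with its assets — get a 429; a `burst=… nodelay` sized to normal page fan-out is needed before this is on by default. Finally, `$binary_remote_addr` is only the client when `real_ip` is configured from the trusted proxy list: behind a proxy without it every user shares the proxy's bucket and one client can 429 everyone, while a `real_ip_header` trusted from an untrusted hop makes the key attacker-controlled and the limit trivially bypassable.
```nginx
# http context (first hunk): key the zones on a per-verb map instead of if-blocks
map $request_method $read_limit_key {
    default "";
    GET     $binary_remote_addr;
    HEAD    $binary_remote_addr;
}
map $request_method $write_limit_key {
    default "";
    POST    $binary_remote_addr;
    PUT     $binary_remote_addr;
    DELETE  $binary_remote_addr;
    PATCH   $binary_remote_addr;
}
limit_req_zone $read_limit_key  zone=readlimitsbyip:$HTTP_READ_REQUEST_LIMIT_MEMORY  rate=$HTTP_READ_REQUEST_LIMIT_RATE;
limit_req_zone $write_limit_key zone=writelimitsbyip:$HTTP_WRITE_REQUEST_LIMIT_MEMORY rate=$HTTP_WRITE_REQUEST_LIMIT_RATE;

# location block (second hunk): replaces the two if-blocks; burst values are to be tuned
limit_req zone=readlimitsbyip  burst=20 nodelay;
limit_req zone=writelimitsbyip burst=10 nodelay;
```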
