From 1d94e4d605beff91281c1db1da9f5dca75973550 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Mon, 18 Jun 2018 14:40:09 -0400 Subject: [PATCH] Audit out endpoints and ensure everything has a defined rate limit (even if quite large) For registry operations, these were the numbers found at time the PR was written: download_blob 108 per second across fleet v2_auth 180 per second across fleet catalog 1 per second across fleet fetch_manifest 205 per second across fleet list_all_tags 150 per second across fleet With an average fleet size of 25. As a result, we went with a registry limit of 10r/s (10 * 25 = 250 requests) to bound even the most prolific puller. Fixes https://jira.coreos.com/browse/QUAY-976
---
 conf/nginx/rate-limiting.conf | 4 +++-
 conf/nginx/server-base.conf.jnj | 12 ++++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/conf/nginx/rate-limiting.conf b/conf/nginx/rate-limiting.conf
index f5c3117f7..9521f9a82 100644
--- a/conf/nginx/rate-limiting.conf
+++ b/conf/nginx/rate-limiting.conf
@@ -8,7 +8,9 @@ map $http_authorization $registry_bucket {
 }
 limit_req_zone $proxy_protocol_addr zone=verbs:10m rate=1r/s;
+limit_req_zone $registry_bucket zone=api:10m rate=1r/s;
 limit_req_zone $registry_bucket zone=repositories:10m rate=1r/s;
-limit_req_zone $registry_bucket zone=catalog:10m rate=10r/m;
+limit_req_zone $registry_bucket zone=catalog:10m rate=20r/m;
+limit_req_zone $registry_bucket zone=registry:10m rate=10r/s;
 limit_req_status 429;
 limit_req_log_level warn;
diff --git a/conf/nginx/server-base.conf.jnj b/conf/nginx/server-base.conf.jnj
index 84af02d6f..803861007 100644
--- a/conf/nginx/server-base.conf.jnj
+++ b/conf/nginx/server-base.conf.jnj
@@ -49,7 +49,6 @@ location ~ ^/_storage_proxy/([^/]+)/([^/]+)/([^/]+)/(.+) {
 proxy_read_timeout 60s;
 }
-
 location = /_storage_proxy_auth {
 proxy_pass http://web_app_server;
 proxy_pass_request_body off;
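Review bot: The new `api` and `registry` zones in the rate-limiting.conf hunk are keyed on `$registry_bucket`, which the `map` above derives from the client-supplied `Authorization` header; the map body is outside this hunk, so this is a question rather than a finding. If any branch of that map uses the header value itself as the key, the limit is only as strong as the cost of presenting a different header, and if any branch yields an empty string nginx does not account that request at all. For the `api` zone in particular, browser traffic presumably arrives with a session cookie rather than an `Authorization` header, so a comment above the zone stating which map branch those requests fall into would help, e.g. `# api: requests without Authorization are bucketed by <map fallback value>`. If the fallback is not the client address, keying `api` on `$proxy_protocol_addr` as the `verbs` zone does may be the safer choice.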
@@ -78,7 +77,7 @@ location ~ ^/(v1/repositories|v2/auth)/ {
 location ~ ^/v2/_catalog(.*)$ {
 proxy_pass http://registry_app_server;
 proxy_read_timeout 10;
- limit_req zone=catalog;
+ limit_req zone=catalog burst=5;
 }
 location /secscan/ {
@@ -105,6 +104,11 @@ location ~ ^/cnr {
 limit_req zone=repositories burst=10;
 }
+location ~ ^/api {
+ proxy_pass http://web_app_server;
+ limit_req zone=api burst=5;
+}
+
 location ~ ^/api/suconfig {
 proxy_pass http://web_app_server;
@@ -140,6 +144,8 @@ location ~ ^/v2 {
 proxy_temp_path /tmp 1 2;
 client_max_body_size {{ maximum_layer_size }};
+
+ limit_req zone=registry burst=100;
 }
 location ~ ^/v1 {
@@ -158,6 +164,8 @@ location ~ ^/v1 {
 proxy_temp_path /tmp 1 2;
 client_max_body_size {{ maximum_layer_size }};
+
+ limit_req zone=registry burst=100;
 }
 location /v1/_ping {
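Review bot: `limit_req zone=catalog burst=5;` has no `nodelay`, so burst requests are queued and released at the zone rate (20r/m, one every three seconds) rather than served at once. A queued request can therefore wait roughly 15 seconds before it is proxied, holding its connection open meanwhile. The same applies to `burst=5` in the `^/api` hunk and `burst=100` in the `^/v2` and `^/v1` hunks below. If pacing is the intent, a comment such as `# burst requests are queued at the zone rate; anything beyond burst gets 429` would make that explicit. Otherwise `limit_req zone=catalog burst=5 nodelay;` serves the burst immediately while still enforcing the average rate.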
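Review bot: The new `location ~ ^/api {` block is placed ahead of `location ~ ^/api/suconfig {`, and nginx tries regex locations in file order and stops at the first match. Requests to `/api/suconfig` will therefore be handled by the new block, and the suconfig block below becomes unreachable; its body continues outside this hunk, so I cannot see which directives are lost. Moving the new block below the suconfig location, and below any other more specific `^/api/...` regex location in the file, keeps those reachable. The pattern is also open on the right, so it matches paths such as `/apixyz`; `location ~ ^/api(/|$) {` would confine it to the API tree.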