Merge pull request #3106 from quay/catalog-limit
Add limits to the catalog endpoint
This commit is contained in:
Joseph Schorr
GitHub
commit
44bb000fa5
3 changed files with 14 additions and 7 deletions
|
|
@ -2,8 +2,6 @@
|
|||
|
||||
# Check the Authorization header and, if it is empty, use their proxy protocol
|
||||
# IP, else use the header as their unique identifier for rate limiting.
|
||||
# Enterprise users will never be using proxy protocol, thus the value will be
|
||||
# empty string. This means they will not get rate limited.
|
||||
map $http_authorization $registry_bucket {
|
||||
"" $proxy_protocol_addr;
|
||||
default $http_authorization;
|
||||
|
|
@ -11,5 +9,6 @@ map $http_authorization $registry_bucket {
|
|||
|
||||
limit_req_zone $proxy_protocol_addr zone=verbs:10m rate=1r/s;
|
||||
limit_req_zone $registry_bucket zone=repositories:10m rate=1r/s;
|
||||
limit_req_zone $registry_bucket zone=catalog:10m rate=10r/m;
|
||||
limit_req_status 429;
|
||||
limit_req_log_level warn;
|
||||
|
|
|
|||
|
|
@ -75,6 +75,12 @@ location ~ ^/(v1/repositories|v2/auth)/ {
|
|||
limit_req zone=repositories burst=10;
|
||||
}
|
||||
|
||||
location ~ ^/v2/_catalog(.*)$ {
|
||||
proxy_pass http://registry_app_server;
|
||||
proxy_read_timeout 10;
|
||||
limit_req zone=catalog;
|
||||
}
|
||||
|
||||
location /secscan/ {
|
||||
proxy_pass http://jwtproxy_secscan;
|
||||
}
|
||||
|
|
@ -136,10 +142,6 @@ location ~ ^/v2 {
|
|||
client_max_body_size {{ maximum_layer_size }};
|
||||
}
|
||||
|
||||
location /v2/_catalog {
|
||||
return 400;
|
||||
}
|
||||
|
||||
location ~ ^/v1 {
|
||||
# Setting ANY header clears all inherited proxy_set_header directives
|
||||
proxy_set_header X-Forwarded-For $proper_forwarded_for;
|
||||
|
|
|
|||
|
|
@ -14,8 +14,14 @@ from endpoints.v2.models_pre_oci import data_model as model
|
|||
@anon_protect
|
||||
@paginate()
|
||||
def catalog_search(limit, offset, pagination_callback):
|
||||
username = get_authenticated_user().username if get_authenticated_user() else None
|
||||
include_public = bool(features.PUBLIC_CATALOG)
|
||||
if not include_public and not get_authenticated_user():
|
||||
return jsonify({'repositories': []})
|
||||
|
||||
username = get_authenticated_user().username if get_authenticated_user() else None
|
||||
if username and not get_authenticated_user().enabled:
|
||||
return jsonify({'repositories': []})
|
||||
|
||||
visible_repositories = model.get_visible_repositories(username, limit + 1, offset,
|
||||
include_public=include_public)
|
||||
response = jsonify({
|
||||
|
|
|
|||
Reference in a new issue