Merge pull request #3106 from quay/catalog-limit

Add limits to the catalog endpoint
This commit is contained in:
Joseph Schorr 2018-06-05 18:26:30 -04:00 committed by GitHub
commit 44bb000fa5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 14 additions and 7 deletions

View file

@ -2,8 +2,6 @@
# Check the Authorization header and, if it is empty, use their proxy protocol # Check the Authorization header and, if it is empty, use their proxy protocol
# IP, else use the header as their unique identifier for rate limiting. # IP, else use the header as their unique identifier for rate limiting.
# Enterprise users will never be using proxy protocol, thus the value will be
# empty string. This means they will not get rate limited.
map $http_authorization $registry_bucket { map $http_authorization $registry_bucket {
"" $proxy_protocol_addr; "" $proxy_protocol_addr;
default $http_authorization; default $http_authorization;
@ -11,5 +9,6 @@ map $http_authorization $registry_bucket {
limit_req_zone $proxy_protocol_addr zone=verbs:10m rate=1r/s; limit_req_zone $proxy_protocol_addr zone=verbs:10m rate=1r/s;
limit_req_zone $registry_bucket zone=repositories:10m rate=1r/s; limit_req_zone $registry_bucket zone=repositories:10m rate=1r/s;
limit_req_zone $registry_bucket zone=catalog:10m rate=10r/m;
limit_req_status 429; limit_req_status 429;
limit_req_log_level warn; limit_req_log_level warn;

View file

@ -75,6 +75,12 @@ location ~ ^/(v1/repositories|v2/auth)/ {
limit_req zone=repositories burst=10; limit_req zone=repositories burst=10;
} }
location ~ ^/v2/_catalog(.*)$ {
proxy_pass http://registry_app_server;
proxy_read_timeout 10;
limit_req zone=catalog;
}
location /secscan/ { location /secscan/ {
proxy_pass http://jwtproxy_secscan; proxy_pass http://jwtproxy_secscan;
} }
@ -136,10 +142,6 @@ location ~ ^/v2 {
client_max_body_size {{ maximum_layer_size }}; client_max_body_size {{ maximum_layer_size }};
} }
location /v2/_catalog {
return 400;
}
location ~ ^/v1 { location ~ ^/v1 {
# Setting ANY header clears all inherited proxy_set_header directives # Setting ANY header clears all inherited proxy_set_header directives
proxy_set_header X-Forwarded-For $proper_forwarded_for; proxy_set_header X-Forwarded-For $proper_forwarded_for;

View file

@ -14,8 +14,14 @@ from endpoints.v2.models_pre_oci import data_model as model
@anon_protect @anon_protect
@paginate() @paginate()
def catalog_search(limit, offset, pagination_callback): def catalog_search(limit, offset, pagination_callback):
username = get_authenticated_user().username if get_authenticated_user() else None
include_public = bool(features.PUBLIC_CATALOG) include_public = bool(features.PUBLIC_CATALOG)
if not include_public and not get_authenticated_user():
return jsonify({'repositories': []})
username = get_authenticated_user().username if get_authenticated_user() else None
if username and not get_authenticated_user().enabled:
return jsonify({'repositories': []})
visible_repositories = model.get_visible_repositories(username, limit + 1, offset, visible_repositories = model.get_visible_repositories(username, limit + 1, offset,
include_public=include_public) include_public=include_public)
response = jsonify({ response = jsonify({