vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #3119 from quay/joseph.schorr/QUAY-976/rate-limit-audit

Browse source 
Audit out endpoints and ensure everything has a defined rate limit (even if quite large)
This commit is contained in:
Joseph Schorr 2018-06-20 15:50:48 -04:00 committed by GitHub
commit ebb5d17641
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
conf/nginx/rate-limiting.conf
View file

@ -8,7 +8,9 @@ map $http_authorization $registry_bucket {
}
limit_req_zone $proxy_protocol_addr zone=verbs:10m rate=1r/s;
limit_req_zone $registry_bucket zone=api:10m rate=1r/s;
limit_req_zone $registry_bucket zone=repositories:10m rate=1r/s;
limit_req_zone $registry_bucket zone=catalog:10m rate=10r/m;
limit_req_zone $registry_bucket zone=catalog:10m rate=20r/m;
limit_req_zone $registry_bucket zone=registry:10m rate=20r/s;
limit_req_status 429;
limit_req_log_level warn;

12
conf/nginx/server-base.conf.jnj
View file

@ -49,7 +49,6 @@ location ~ ^/_storage_proxy/([^/]+)/([^/]+)/([^/]+)/(.+) {
proxy_read_timeout 60s;
}
location = /_storage_proxy_auth {
proxy_pass http://web_app_server;
proxy_pass_request_body off;
@ -78,7 +77,7 @@ location ~ ^/(v1/repositories|v2/auth)/ {
location ~ ^/v2/_catalog(.*)$ {
proxy_pass http://registry_app_server;
proxy_read_timeout 10;
limit_req zone=catalog;
limit_req zone=catalog burst=5;
}
location /secscan/ {
@ -105,6 +104,11 @@ location ~ ^/cnr {
limit_req zone=repositories burst=10;
}
location ~ ^/api {
proxy_pass http://web_app_server;
limit_req zone=api burst=5;
}
location ~ ^/api/suconfig {
proxy_pass http://web_app_server;
@ -140,6 +144,8 @@ location ~ ^/v2 {
proxy_temp_path /tmp 1 2;
client_max_body_size {{ maximum_layer_size }};
limit_req zone=registry burst=100;
}
location ~ ^/v1 {
@ -158,6 +164,8 @@ location ~ ^/v1 {
proxy_temp_path /tmp 1 2;
client_max_body_size {{ maximum_layer_size }};
limit_req zone=registry burst=100;
}
location /v1/_ping {