Enable dynamic ratelimiting / adjust clamav resource limits (#8213)

netomi · web-flow · commit 35c3dde495a5 · 2026-02-18T16:39:26.000+01:00
* increase resource limits for clamav

* enable dynamic rate limiting and disable static one

* use v0.32.2

* revert unrelated change

* get rid of warnings about invalid media type

* formatting
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
-ARG SERVER_VERSION=v0.32.1
-ARG SERVER_VERSION_STRING=v0.32.1
+ARG SERVER_VERSION=v0.32.2
+ARG SERVER_VERSION_STRING=v0.32.2
 
 # Builder image to compile the website
 FROM ubuntu:24.04 AS builder
diff --git a/charts/openvsx/values.yaml b/charts/openvsx/values.yaml
@@ -121,10 +121,10 @@ clamav:
     pullPolicy: Always
   resources:
     requests:
-      cpu: 2
+      cpu: 4
       memory: 4Gi
     limits:
-      cpu: 4
+      cpu: 6
       memory: 6Gi
   service:
     port: 9000
@@ -134,7 +134,7 @@ clamav:
     MAX_FILE_COUNT: 100000
     MAX_SINGLE_FILE_MB: 256
     MAX_RECURSION: 16
-    MAX_THREADS: 4
+    MAX_THREADS: 10
     SCAN_TIMEOUT_MINUTES: 5
 
 yara:
diff --git a/configuration/application.yml b/configuration/application.yml
@@ -6,6 +6,8 @@
 logging:
   level:
     root: "info"
+    # avoid log messages like: Received invalid Accept header. Assuming all media types are accepted
+    org.springframework.boot.autoconfigure.web.servlet.WelcomePageHandlerMapping: "error"
 
 server:
   address: 0.0.0.0
@@ -103,60 +105,60 @@ org:
     miscellaneous:
       allow-anonymous-data-usage: false
 bucket4j:
-  enabled: true
-  cache-to-use: redis-cluster-jedis
-  filters:
-    - cache-name: buckets
-      url: '/api/-/(namespace/create|publish)'
-      http-response-headers:
-        Access-Control-Allow-Origin: '*'
-        Access-Control-Expose-Headers: X-Rate-Limit-Retry-After-Seconds, X-Rate-Limit-Remaining
-      rate-limits:
-        - cache-key: getParameter("token")
-          bandwidths:
-            - capacity: 15
-              time: 1
-              unit: seconds
-    - cache-name: buckets
-      url: '/vscode/asset/.*/.*/.*/Microsoft.VisualStudio.Services.Icons.Default'
-      http-response-headers:
-        Access-Control-Allow-Origin: '*'
-        Access-Control-Expose-Headers: X-Rate-Limit-Retry-After-Seconds, X-Rate-Limit-Remaining
-      rate-limits:
-        - cache-key: '(getHeader("X-Forwarded-For")?: getRemoteAddr()).split(",")[0].trim()'
-          bandwidths:
-            - capacity: 75
-              time: 1
-              unit: seconds
-    - cache-name: buckets
-      url: '/vscode/(?!asset/.*/.*/.*/Microsoft.VisualStudio.Services.Icons.Default).*'
-      http-response-headers:
-        Access-Control-Allow-Origin: '*'
-        Access-Control-Expose-Headers: X-Rate-Limit-Retry-After-Seconds, X-Rate-Limit-Remaining
-      rate-limits:
-        - cache-key: '(getHeader("X-Forwarded-For")?: getRemoteAddr()).split(",")[0].trim()'
-          bandwidths:
-            - capacity: 75
-              time: 1
-              unit: seconds
-    - cache-name: buckets
-      url: '/api/(?!(.*/.*/review(/delete)?)|(-/(namespace/create|publish))).*'
-      http-response-headers:
-        Access-Control-Allow-Origin: '*'
-        Access-Control-Expose-Headers: X-Rate-Limit-Retry-After-Seconds, X-Rate-Limit-Remaining
-      rate-limits:
-        - execute-condition: getParameter("token") != null
-          cache-key: getParameter("token")
-          bandwidths:
-            - capacity: 15
-              time: 1
-              unit: seconds
-        - execute-condition: getParameter("token") == null
-          cache-key: '(getHeader("X-Forwarded-For")?: getRemoteAddr()).split(",")[0].trim()'
-          bandwidths:
-            - capacity: 15
-              time: 1
-              unit: seconds
+  enabled: false
+#  cache-to-use: redis-cluster-jedis
+#  filters:
+#    - cache-name: buckets
+#      url: '/api/-/(namespace/create|publish)'
+#      http-response-headers:
+#        Access-Control-Allow-Origin: '*'
+#        Access-Control-Expose-Headers: X-Rate-Limit-Retry-After-Seconds, X-Rate-Limit-Remaining
+#      rate-limits:
+#        - cache-key: getParameter("token")
+#          bandwidths:
+#            - capacity: 15
+#              time: 1
+#              unit: seconds
+#    - cache-name: buckets
+#      url: '/vscode/asset/.*/.*/.*/Microsoft.VisualStudio.Services.Icons.Default'
+#      http-response-headers:
+#        Access-Control-Allow-Origin: '*'
+#        Access-Control-Expose-Headers: X-Rate-Limit-Retry-After-Seconds, X-Rate-Limit-Remaining
+#      rate-limits:
+#        - cache-key: '(getHeader("X-Forwarded-For")?: getRemoteAddr()).split(",")[0].trim()'
+#          bandwidths:
+#            - capacity: 75
+#              time: 1
+#              unit: seconds
+#    - cache-name: buckets
+#      url: '/vscode/(?!asset/.*/.*/.*/Microsoft.VisualStudio.Services.Icons.Default).*'
+#      http-response-headers:
+#        Access-Control-Allow-Origin: '*'
+#        Access-Control-Expose-Headers: X-Rate-Limit-Retry-After-Seconds, X-Rate-Limit-Remaining
+#      rate-limits:
+#        - cache-key: '(getHeader("X-Forwarded-For")?: getRemoteAddr()).split(",")[0].trim()'
+#          bandwidths:
+#            - capacity: 75
+#              time: 1
+#              unit: seconds
+#    - cache-name: buckets
+#      url: '/api/(?!(.*/.*/review(/delete)?)|(-/(namespace/create|publish))).*'
+#      http-response-headers:
+#        Access-Control-Allow-Origin: '*'
+#        Access-Control-Expose-Headers: X-Rate-Limit-Retry-After-Seconds, X-Rate-Limit-Remaining
+#      rate-limits:
+#        - execute-condition: getParameter("token") != null
+#          cache-key: getParameter("token")
+#          bandwidths:
+#            - capacity: 15
+#              time: 1
+#              unit: seconds
+#        - execute-condition: getParameter("token") == null
+#          cache-key: '(getHeader("X-Forwarded-For")?: getRemoteAddr()).split(",")[0].trim()'
+#          bandwidths:
+#            - capacity: 15
+#              time: 1
+#              unit: seconds
 ovsx:
   token-prefix: ovsxat_
   storage:
@@ -211,7 +213,7 @@ ovsx:
     namespace-details-json:
       ttl: PT1H
     database-search:
-      ttl:PT1H
+      ttl: PT1H
     extension-json:
       ttl: PT1H
     latest-extension-version:
@@ -233,17 +235,15 @@ ovsx:
       subject: 'Open VSX Access Tokens Revoked'
       template: 'revoked-access-tokens.html'
 
-  # tier-based rate limiting configuration
+  # dynamic tier-based rate limiting configuration
   rate-limit:
-    enabled: false
+    enabled: true
     ip-address-function: '(getHeader("X-Forwarded-For")?: getRemoteAddr()).split(",")[0].trim()'
-    usage-stats:
-      job-schedule: '*/30 * * * *'
     filters:
       - url: '/(api|vscode)/.*'
         http-response-headers:
           Access-Control-Allow-Origin: '*'
-          Access-Control-Expose-Headers: X-Rate-Limit-Retry-After-Seconds, X-Rate-Limit-Remaining
+          Access-Control-Expose-Headers: Retry-After, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset
     default-http-content-type: application/json
     default-http-response-body: >
       {
