
Commit 7bcb25e

committed
feat: granularize the rate limit configs
1 parent 86785be commit 7bcb25e


2 files changed

+16
-5
lines changed

2 files changed

+16
-5
lines changed

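--- a/pillar/base/haproxy.sls
+++ b/pillar/base/haproxy.sls
@@ -17,6 +17,7 @@ haproxy:
 - docs.python.org
 - doc.python.org
 check: "HEAD /_check HTTP/1.1\\r\\nHost:\\ docs.python.org"
+rate_limit: 100
 
 downloads:
 domains:
@@ -75,6 +76,7 @@ haproxy:
 - {{ config.server_name }}
 verify_host: bugs.psf.io
 check: "HEAD / HTTP/1.1\\r\\nHost:\\ {{ config.server_name }}"
+rate_limit: {{ config.get('rate_limit', 10) }}
 {% endfor %}
 
 moin: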
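Review bot: `rate_limit` is added without a unit, and nothing in this file says what 100 or the default 10 is measured against. The template changed in this same commit compares the value to `http_req_rate(1s)` tracked per source address, so a comment at the first use, such as `# rate_limit: max requests per second per client IP, enforced in haproxy.cfg.jinja; omit to disable`, would stop later edits from assuming the old 10-second window. Both keys sit in mappings that begin outside these hunks, and in the visible lines only these two services receive a value.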

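--- a/salt/haproxy/config/haproxy.cfg.jinja
+++ b/salt/haproxy/config/haproxy.cfg.jinja
@@ -52,6 +52,12 @@ global
 # Lower the amount of space we reserve for header rewriting
 tune.maxrewrite 1024
 
+# rate limits only if there is a rate_limit in haproxy.sls
+{% for service, config in haproxy.services.items() %}
+{% if config.get('rate_limit') %}
+stick-table type ip size 100k expire 30s store http_req_rate(1s) name {{ service }}_ratelimit
+{% endif %}
+{% endfor %}
 
 defaults
 log global
@@ -117,11 +123,14 @@ frontend main
 bind :::80
 bind 127.0.0.1:19001 # This is our TLS socket.
 
-# Client rate limiting
-# See: https://www.haproxy.com/blog/four-examples-of-haproxy-rate-limiting
-stick-table type ip size 100k expire 15s store http_req_rate(10s)
-http-request track-sc0 src
-http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 }
+# Apply rate limits per srvice
+{% for service, config in haproxy.services.items() %}
+{% if config.get('rate_limit') %}
+acl is_{{ service }} hdr(host) -i {% for domain in config.domains %}{{ domain }} {% endfor %}
+http-request track-sc{{ loop.index }} src table {{ service }}_ratelimit if is_{{ service }}
+http-request deny deny_status 429 if is_{{ service }} { sc{{ loop.index }}_http_req_rate() gt {{ config.rate_limit }} }
+{% endif %}
+{% endfor %}
 
 # Custom logging format, this is the same as the normal "httplog" in
 # HAProxy except information about the TLS connection is included.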
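Review bot: The `frontend main` hunk removes the catch-all limit (`sc_http_req_rate(0) gt 20` over 10s), so any service whose pillar entry has no `rate_limit` key, or a value of 0 (since `config.get('rate_limit')` is tested for truthiness), is now served with no per-client limit at all. If that is not intended, keep a fallback, for example `{% set limit = config.get('rate_limit', 20) %}` with the `if` dropped, and state the choice in the comment (which also has the typo `srvice`). Separately, `track-sc{{ loop.index }}` numbers counters by position among all services rather than only the rate-limited ones and starts at 1. HAProxy builds commonly expose only sc0 to sc2 unless that limit is raised, so a fixed counter or a filtered loop (`{% for ... if config.get('rate_limit') %}`) looks safer. The `stick-table ... name` lines in the first hunk appear to land in `global`, while as far as I know a stick table has to be declared in a proxy section (commonly a dummy `backend {{ service }}_ratelimit`), so the rendered file is worth checking with `haproxy -c` before rollout.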
