DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #1058 from sethpollack/rpm

Browse source 
add per minute rate limiting
This commit is contained in:
Manuel Alejandro de Brito Fontes 2017-08-03 20:44:49 -04:00 committed by GitHub
commit 6403efe0d4
5 changed files with 50 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

6
controllers/nginx/configuration.md
View file

@ -193,13 +193,15 @@ Please check the [rewrite](/examples/rewrite/nginx/README.md) example.
### Rate limiting
The annotations `ingress.kubernetes.io/limit-connections` and `ingress.kubernetes.io/limit-rps` define a limit on the connections that can be opened by a single client IP address. This can be used to mitigate [DDoS Attacks](https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus).
The annotations `ingress.kubernetes.io/limit-connections`, `ingress.kubernetes.io/limit-rps`, and `ingress.kubernetes.io/limit-rpm` define a limit on the connections that can be opened by a single client IP address. This can be used to mitigate [DDoS Attacks](https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus).
`ingress.kubernetes.io/limit-connections`: number of concurrent connections allowed from a single IP address.
`ingress.kubernetes.io/limit-rps`: number of connections that may be accepted from a given IP each second.
If you specify both annotations in a single Ingress rule, `limit-rps` takes precedence.
`ingress.kubernetes.io/limit-rpm`: number of connections that may be accepted from a given IP each minute.
If you specify multiple annotations in a single Ingress rule, `limit-rpm`, and then `limit-rps` takes precedence.
### SSL Passthrough

19
controllers/nginx/pkg/template/template.go
View file

@ -349,6 +349,17 @@ func buildRateLimitZones(variable string, input interface{}) []string {
}
}
if loc.RateLimit.RPM.Limit > 0 {
zone := fmt.Sprintf("limit_req_zone %v zone=%v:%vm rate=%vr/m;",
variable,
loc.RateLimit.RPM.Name,
loc.RateLimit.RPM.SharedSize,
loc.RateLimit.RPM.Limit)
if !zones.Has(zone) {
zones.Insert(zone)
}
}
if loc.RateLimit.RPS.Limit > 0 {
zone := fmt.Sprintf("limit_req_zone %v zone=%v:%vm rate=%vr/s;",
variable,
@ -366,7 +377,7 @@ func buildRateLimitZones(variable string, input interface{}) []string {
}
// buildRateLimit produces an array of limit_req to be used inside the Path of
// Ingress rules. The order: connections by IP first and RPS next.
// Ingress rules. The order: connections by IP first, then RPS, and RPM last.
func buildRateLimit(input interface{}) []string {
limits := []string{}
@ -387,6 +398,12 @@ func buildRateLimit(input interface{}) []string {
limits = append(limits, limit)
}
if loc.RateLimit.RPM.Limit > 0 {
limit := fmt.Sprintf("limit_req zone=%v burst=%v nodelay;",
loc.RateLimit.RPM.Name, loc.RateLimit.RPM.Burst)
limits = append(limits, limit)
}
return limits
}