From 084478150e12cbc67ccadccfeeebf33f3320657f Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Tue, 5 Mar 2024 16:06:47 +0100 Subject: [PATCH] charts/nginz: Fixup Rate limit for claiming MLS key-pacakges by requesting and target user (#3923) Previous logic limited how many keys could be claimed for one user, but continued limiting claims on multiple users. This causes problems while creating conversations when a lot of key package claims are needed. This commit introduces a concept of specific_rate_limits which allow setting multiple rate limit zones in nginz. Here we use one for limiting how many key packages can be claimed by a user per target and another for limiting how many key packages claimed by a user for any target. --- charts/nginz/templates/conf/_nginx.conf.tpl | 4 ++++ charts/nginz/values.yaml | 16 +++++++++++++--- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/charts/nginz/templates/conf/_nginx.conf.tpl b/charts/nginz/templates/conf/_nginx.conf.tpl index 33d532b41bb..e50fadfa021 100644 --- a/charts/nginz/templates/conf/_nginx.conf.tpl +++ b/charts/nginz/templates/conf/_nginx.conf.tpl @@ -280,6 +280,10 @@ http { limit_req zone={{ $location.specific_user_rate_limit }}{{ if hasKey $location "specific_user_rate_limit_burst" }} burst={{ $location.specific_user_rate_limit_burst }}{{ end }} nodelay; {{- end }} + {{- range $specific_limit := $location.specific_rate_limits }} + limit_req zone={{ $specific_limit.zone }}{{ if hasKey $specific_limit "burst" }} burst={{ $specific_limit.burst }}{{ end }} nodelay; + {{- end }} + if ($request_method = 'OPTIONS') { add_header 'Access-Control-Allow-Methods' "GET, POST, PUT, DELETE, OPTIONS"; add_header 'Access-Control-Allow-Headers' "$http_access_control_request_headers, DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"; diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml index e661490112d..7d9f8b22cb1 100644 --- a/charts/nginz/values.yaml +++ b/charts/nginz/values.yaml @@ -67,7 +67,8 @@ nginx_conf: user_rate_limit_request_zones: - limit_req_zone $rate_limited_by_addr zone=reqs_per_addr_sso:12m rate=50r/s; - limit_req_zone $rate_limited_by_zuser zone=reqs_per_user_signatures:12m rate=10r/m; - - limit_req_zone $rate_limited_by_zuser_path zone=key_package_claims:12m rate=100r/m; + - limit_req_zone $rate_limited_by_zuser zone=key_package_claims_per_user:12m rate=3000r/m; + - limit_req_zone $rate_limited_by_zuser_path zone=key_package_claims_per_user_per_target:12m rate=100r/m; - limit_req_zone $rate_limited_by_zuser zone=one2one_conv:12m rate=3000r/m; # The origins from which we allow CORS requests. These are combined with @@ -214,8 +215,17 @@ nginx_conf: - path: /mls/key-packages/claim envs: - all - specific_user_rate_limit: key_package_claims - specific_user_rate_limit_burst: 100 + specific_rate_limits: + # This endpoint gets called for every user that will get added to a + # conversation. A lot of these are expected during conversation + # creation. + - zone: key_package_claims_per_user + burst: 600 + - zone: key_package_claims_per_user_per_target + burst: 100 + # The name is a little misleading, this just disables default rate + # limiting in favour of the specific one defined above. + unlimited_requests_endpoint: true - path: /mls/key-packages envs: - all