Smalyshev has uploaded a new change for review.
https://gerrit.wikimedia.org/r/319010
Change subject: Limit concurrent connections by client IP
......................................................................
Limit concurrent connections by client IP
Bug: T108488
Change-Id: I079e0a5d19e54cce72ea54aeed512315fec4825f
---
M modules/wdqs/templates/nginx.erb
1 file changed, 13 insertions(+), 1 deletion(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/10/319010/1
diff --git a/modules/wdqs/templates/nginx.erb b/modules/wdqs/templates/nginx.erb
index 2fef012..4599016 100644
--- a/modules/wdqs/templates/nginx.erb
+++ b/modules/wdqs/templates/nginx.erb
@@ -3,7 +3,9 @@
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time '
- '$upstream_response_time';
+ '$upstream_response_time $http_x_client_ip $remote_addr';
+
+limit_conn_zone $http_x_client_ip zone=byaddr:10m;
server {
listen 80 default_server;
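Review bot: limit_conn_zone is keyed on $http_x_client_ip, a request header, and nginx does not account requests whose zone key is empty, so a request that arrives without X-Client-IP is never counted against the limit. If the frontend does not always set and overwrite that header before traffic reaches this server, the key is also whatever the client sends. Consider falling back to the socket address, for example `map $http_x_client_ip $limit_key { "" $remote_addr; default $http_x_client_ip; }` with `limit_conn_zone $limit_key zone=byaddr:10m;`, and add a comment saying which layer is trusted to set X-Client-IP. Logging both $http_x_client_ip and $remote_addr is a good way to verify that assumption in the access log.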
@@ -26,6 +28,12 @@
if (-f /var/lib/nginx/wdqs/maintenance) {
return 503;
}
+ # Rate limit error
+ error_page 429 @rate_limit;
+ location @rate_limit {
+ echo Rate limit exceeded;
+ echo_flush;
+ }
location / {
root <%= @package_dir %>/gui;
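Review bot: the @rate_limit location relies on echo and echo_flush, which come from the third-party echo module rather than stock nginx, so the configuration will fail to load on a host whose nginx build lacks it. Either make sure the Puppet manifest installs a package that includes the module, or use a stock directive such as return with a body to produce the message. It is also worth checking that the response sent from this location still carries status 429, and the comment could say "connection limit" since what is enforced is concurrent connections, not a request rate.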
@@ -47,6 +55,10 @@
location /bigdata/namespace/wdq/sparql {
proxy_pass http://localhost:9999;
+ # Allow only 3 connections per IP
+ limit_conn byaddr 3;
+ limit_conn_status 429;
+
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
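Review bot: the comment "Allow only 3 connections per IP" does not match what limit_conn byaddr 3 enforces, because the byaddr zone is keyed on the X-Client-IP header while this same block forwards $remote_addr as X-Real-IP. Please reword the comment to name the actual key, or align the key with the address used elsewhere in the block. Since this is an ERB template, the hard-coded 3 would be easier to tune as a class parameter than as a literal, and the commit message could record why 3 was chosen.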
--
To view, visit https://gerrit.wikimedia.org/r/319010
Gerrit-MessageType: newchange
Gerrit-Change-Id: I079e0a5d19e54cce72ea54aeed512315fec4825f
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Smalyshev <[email protected]>