[MediaWiki-commits] [Gerrit] operations/puppet[production]: Limit concurrent connections by client IP

Gehel (Code Review) Mon, 28 Nov 2016 21:59:26 -0800

Gehel has submitted this change and it was merged.

Change subject: Limit concurrent connections by client IP
......................................................................



Limit concurrent connections by client IP

Bug: T108488
Change-Id: I079e0a5d19e54cce72ea54aeed512315fec4825f
---
M modules/wdqs/templates/nginx.erb
1 file changed, 14 insertions(+), 1 deletion(-)

Approvals:
  Gehel: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/wdqs/templates/nginx.erb b/modules/wdqs/templates/nginx.erb
index 2fef012..36db081 100644
--- a/modules/wdqs/templates/nginx.erb
+++ b/modules/wdqs/templates/nginx.erb
@@ -3,7 +3,9 @@
     '"$request" $status $body_bytes_sent '
     '"$http_referer" "$http_user_agent" '
     '$request_time '
-    '$upstream_response_time';
+    '$upstream_response_time $http_x_client_ip $remote_addr';
+
+limit_conn_zone $http_x_client_ip zone=byaddr:10m;
 
 server {
     listen 80 default_server;
@@ -26,6 +28,13 @@
     if (-f /var/lib/nginx/wdqs/maintenance) {
         return 503;
     }
+    # Rate limit error
+    error_page 429 @rate_limit;
+    location @rate_limit {
+        add_header Cache-Control no-cache always;
+        echo Rate limit exceeded;
+        echo_flush;
+    }
 
     location / {
         root <%= @package_dir %>/gui;
@@ -47,6 +56,10 @@
     location /bigdata/namespace/wdq/sparql {
         proxy_pass http://localhost:9999;
 
+        # Allow only 5 connections per IP
+        limit_conn byaddr 5;
+        limit_conn_status 429;
+
         proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

-- 
To view, visit https://gerrit.wikimedia.org/r/319010
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I079e0a5d19e54cce72ea54aeed512315fec4825f
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Smalyshev <smalys...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Gehel <gleder...@wikimedia.org>
Gerrit-Reviewer: Smalyshev <smalys...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

[MediaWiki-commits] [Gerrit] operations/puppet[production]: Limit concurrent connections by client IP

Reply via email to