[MediaWiki-commits] [Gerrit] operations/puppet[production]: ratelimits: double the default anon limit

Thu, 15 Jun 2017 12:29:13 -0700 

BBlack has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/359231 )

Change subject: ratelimits: double the default anon limit
......................................................................

ratelimits: double the default anon limit

Commentary updated a bit too

Bug: T163233
Change-Id: I951fd6d18000968ce352f04530216525f372e18b
---
M modules/varnish/templates/text-frontend.inc.vcl.erb
1 file changed, 10 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/31/359231/1

diff --git a/modules/varnish/templates/text-frontend.inc.vcl.erb 
b/modules/varnish/templates/text-frontend.inc.vcl.erb
index 7202e47..3e8e22d 100644
--- a/modules/varnish/templates/text-frontend.inc.vcl.erb
+++ b/modules/varnish/templates/text-frontend.inc.vcl.erb
@@ -208,9 +208,15 @@
                }
        }
 
-       // Limit miss/pass requests from the same IP to 600/60s (RB at 1000/10s)
-       // Exempt seemingly-authenticated requests and IPs in wikimedia
-       // networks (including labs for now)
+       // Ratelimit miss/pass requests per IP:
+       //   * Excluded for now:
+       //       * all WMF IPs (including labs)
+       //       * seemingly-authenticated requests (simple cookie check)
+       //   * RB and MW API: 1000/10s (100/s long term, with 1000 burst)
+       //   * All others: 1000/50s (20/s long term, with 1000 burst)
+       //       (current data leads us to believe sustaining 20/s should be
+       //       nearly impossible against standard MW outputs without
+       //       concurrency>1)
        if (req.http.Cookie !~ "([sS]ession|Token)=" &&
            std.ip(req.http.X-Client-IP, "192.0.2.1") !~ wikimedia_nets) {
                if (req.url ~ "^/(api/rest_v1/|w/api.php)") {
@@ -218,7 +224,7 @@
                                return (synth(429, "Too Many Requests"));
                        }
                } else {
-                       if (vsthrottle.is_denied("general:" + 
req.http.X-Client-IP, 600, 60s)) {
+                       if (vsthrottle.is_denied("general:" + 
req.http.X-Client-IP, 1000, 50s)) {
                                return (synth(429, "Too Many Requests"));
                        }
                }

-- 
To view, visit https://gerrit.wikimedia.org/r/359231
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I951fd6d18000968ce352f04530216525f372e18b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <bbl...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to