Skip to content

Commit

Permalink
Add support for rate limiting
Browse files Browse the repository at this point in the history
Signed-off-by: Wade Barnes <wade@neoterictech.ca>
  • Loading branch information
WadeBarnes committed Apr 26, 2023
1 parent f30ed8b commit 89f1e6d
Show file tree
Hide file tree
Showing 4 changed files with 24 additions and 2 deletions.
9 changes: 9 additions & 0 deletions docker/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
ARG build_image=node:fermium
ARG caddy_builder_image=caddy:builder-alpine
ARG runtime_image=caddy:alpine

# build stage
Expand All @@ -9,9 +10,17 @@ RUN npm install
COPY . .
RUN npm run build

# caddy build stage
FROM ${caddy_builder_image} as caddy-build-stage

# Install ratelimit/v0.2.0
RUN xcaddy build \
--with github.com/RussellLuo/caddy-ext/ratelimit@3497b19617f19deca8a4a625a93d2b774bb0dd29

# production stage
FROM ${runtime_image} as production-stage

COPY --from=caddy-build-stage /usr/bin/caddy /usr/bin/caddy
COPY --from=build-stage /app/dist /srv

# Fix permissions issue with Caddy image
Expand Down
7 changes: 6 additions & 1 deletion docker/config/Caddyfile
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
{
# See https://caddy.community/t/making-sense-of-auto-https-and-why-disabling-it-still-serves-https-instead-of-http/9761
auto_https off
{$RATE_LIMIT_ORDERING}
}

{$WEB_HOST_NAME}:{$WEB_HOST_PORT} {
Expand Down Expand Up @@ -32,9 +33,11 @@
# Enable gzip, zstd compression
encode zstd gzip

# Enable templates module - required for
# Enable templates module - required for
templates

{$DEFAULT_RATE_LIMIT}

# Openly exposed health check endpoint for OpenShift
respond /health 200

Expand All @@ -49,6 +52,7 @@

# Proxy requests to API service
route /api/* {
{$API_RATE_LIMIT}
reverse_proxy {$API_HOST}:{$API_PORT} {
header_up Host {upstream_hostport}
header_up X-Forwarded-Host {host}
Expand All @@ -57,6 +61,7 @@

# Proxy requests to Hooks
route /hooks/* {
{$API_RATE_LIMIT}
reverse_proxy {$API_HOST}:{$API_PORT} {
header_up Host {upstream_hostport}
header_up X-Forwarded-Host {host}
Expand Down
6 changes: 5 additions & 1 deletion docker/docker-compose.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
version: "3"
services:
services:
orgbook-web:
image: orgbook-web:latest
environment:
Expand All @@ -8,6 +8,10 @@ services:
WEB_HOST_TLS: ${PUBLIC_WEB_HOST_TLS}
API_HOST: ${PUBLIC_API_HOST}
API_PORT: ${PUBLIC_API_PORT}

RATE_LIMIT_ORDERING: ${RATE_LIMIT_ORDERING}
DEFAULT_RATE_LIMIT: ${DEFAULT_RATE_LIMIT}
API_RATE_LIMIT: ${API_RATE_LIMIT}
volumes:
- ./config/Caddyfile:/etc/caddy/Caddyfile
ports:
Expand Down
4 changes: 4 additions & 0 deletions docker/manage
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,10 @@ configureEnvironment() {
export PUBLIC_WEB_HOST_TLS=${PUBLIC_WEB_HOST_TLS:-off}
export PUBLIC_API_HOST=${PUBLIC_API_HOST:-https://orgbook.gov.bc.ca}
export PUBLIC_API_PORT=${PUBLIC_API_PORT:-443}

export RATE_LIMIT_ORDERING=${RATE_LIMIT_ORDERING:-'order rate_limit before basicauth'}
export DEFAULT_RATE_LIMIT=${DEFAULT_RATE_LIMIT:-'rate_limit {remote_host} 50r/s'}
export API_RATE_LIMIT=${API_RATE_LIMIT:-'rate_limit {remote_host} 25r/s'}
}

cleanUpEnvironment() {
Expand Down

0 comments on commit 89f1e6d

Please sign in to comment.