dawarich: dedicated 100/1000 Traefik rate limit (default 10/50 429'd page loads)
All checks were successful
ci/woodpecker/push/default Pipeline was successful
Viktor saw dawarich throwing 429s through Traefik and asked to loosen the burst for it. The access log confirms the burst pattern: one page load fires the whole fingerprinted-asset tail (SVG store badges, favicons, webmanifest) from a single client IP and trips the default 10 req/s / burst 50 limiter (repro: 80 parallel GETs -> 28x 429).

Same remedy as ha-sofia, ActualBudget, noVNC, tripit, health and authentik: dedicated dawarich-rate-limit middleware (average 100 / burst 1000) + skip_default_rate_limit on the dawarich ingress.

Also updates the networking.md middleware enumerations (adding the previously undocumented tripit/health limiters alongside dawarich).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
parent
91d0213d1a
commit
21afae85c9
3 changed files with 38 additions and 4 deletions
|
|
@ -16,7 +16,7 @@ resource "kubernetes_namespace" "dawarich" {
|
|||
name = "dawarich"
|
||||
labels = {
|
||||
"istio-injection" : "disabled"
|
||||
tier = local.tiers.edge
|
||||
tier = local.tiers.edge
|
||||
"keel.sh/enrolled" = "true"
|
||||
}
|
||||
}
|
||||
|
|
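Review bot: The `tier = local.tiers.edge` label in `kubernetes_namespace.dawarich` is removed and re-added with the same text as rendered here, so this hunk looks like a whitespace or alignment change that the commit message does not mention. Consider moving formatting-only churn into its own commit so the rate-limit change can be reviewed and reverted without touching the namespace resource.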
@ -330,7 +330,7 @@ resource "kubernetes_deployment" "dawarich" {
|
|||
}
|
||||
lifecycle {
|
||||
ignore_changes = [
|
||||
spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
|
||||
spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
|
||||
spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE — Keel manages tag updates
|
||||
metadata[0].annotations["keel.sh/policy"],
|
||||
metadata[0].annotations["keel.sh/trigger"],
|
||||
|
|
@ -458,6 +458,13 @@ module "ingress" {
|
|||
namespace = kubernetes_namespace.dawarich.metadata[0].name
|
||||
name = "dawarich"
|
||||
tls_secret_name = var.tls_secret_name
|
||||
# Rails serves all its fingerprinted assets itself and the map view adds an
|
||||
# API burst per page load — the default 10/50 limiter 429s the asset tail
|
||||
# from a single client IP (and risks dropping OwnTracks/mobile ingestion
|
||||
# POSTs on the same host). Dedicated 100/1000 limiter defined in
|
||||
# stacks/traefik/modules/traefik/middleware.tf.
|
||||
skip_default_rate_limit = true
|
||||
extra_middlewares = ["traefik-dawarich-rate-limit@kubernetescrd"]
|
||||
extra_annotations = {
|
||||
"gethomepage.dev/enabled" = "true"
|
||||
"gethomepage.dev/name" = "Dawarich"
|
||||
|
|
|
|||
|
|
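Review bot: `extra_middlewares = ["traefik-dawarich-rate-limit@kubernetescrd"]` hard-codes both the namespace and the name of a Middleware that middleware.tf creates with `namespace = kubernetes_namespace.traefik.metadata[0].name`, and it is paired with `skip_default_rate_limit = true`, so this string is now the only thing tying the host to any limiter. If the namespace or resource name ever drifts, nothing in this module will catch it at plan time. Suggest deriving the reference from a shared local or output rather than a literal, noting in the comment that the traefik stack must be applied before this one, and re-running the repro from the commit message (80 parallel GETs) after apply to confirm the dedicated limiter is the one in effect.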
@ -368,6 +368,33 @@ resource "kubernetes_manifest" "middleware_authentik_rate_limit" {
|
|||
depends_on = [helm_release.traefik]
|
||||
}
|
||||
|
||||
# Dawarich-specific rate limit. The Rails app serves all its fingerprinted
|
||||
# assets itself (JS/CSS chunks, SVG store badges, favicons, webmanifest) and
|
||||
# the map view adds a points/API burst on load — a single page load from one
|
||||
# client IP blows past the default 10/50 limiter and 429s the asset tail
|
||||
# (seventh instance of the burst pattern, after ha-sofia, ActualBudget, noVNC,
|
||||
# tripit, health and authentik). Background location ingestion (OwnTracks
|
||||
# bridge + mobile api_key POSTs) rides the same host, so 429s here also risk
|
||||
# dropped pings. Burst absorbs a couple of full page loads back-to-back.
|
||||
resource "kubernetes_manifest" "middleware_dawarich_rate_limit" {
|
||||
manifest = {
|
||||
apiVersion = "traefik.io/v1alpha1"
|
||||
kind = "Middleware"
|
||||
metadata = {
|
||||
name = "dawarich-rate-limit"
|
||||
namespace = kubernetes_namespace.traefik.metadata[0].name
|
||||
}
|
||||
spec = {
|
||||
rateLimit = {
|
||||
average = 100
|
||||
burst = 1000
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
depends_on = [helm_release.traefik]
|
||||
}
|
||||
|
||||
# Compress responses to clients at the entrypoint level (outermost).
|
||||
# Applied at websecure entrypoint so all responses get compressed.
|
||||
# Uses includedContentTypes (whitelist) instead of excludedContentTypes:
|
||||
|
|
|
|||
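Review bot: `rateLimit` in `middleware_dawarich_rate_limit` sets only `average = 100` and `burst = 1000`, so the period and the source key are left to Traefik's defaults (a 1s period, and one bucket per request remote address), and because the ingress skips the default limiter this bucket is also the only edge throttle on the "mobile api_key POSTs" the comment says share the host. The comment explains why assets need the headroom but not whether 1000 back-to-back requests from one IP is acceptable for the API and login paths. Suggest stating the unit in the comment (100 req/s), and either confirming the app throttles authentication and api_key requests itself or keeping a tighter limiter on those routes. Since the comment calls this the seventh instance of the same pattern, a shared module or a map of per-app limits would also avoid another copy of this resource next time.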