dawarich: dedicated 100/1000 Traefik rate limit (default 10/50 429'd page loads)
All checks were successful
ci/woodpecker/push/default Pipeline was successful
Viktor saw dawarich throwing 429s through Traefik and asked to loosen the burst for it. The access log confirms the burst pattern: one page load fires the whole fingerprinted-asset tail (SVG store badges, favicons, webmanifest) from a single client IP and trips the default 10 req/s / burst 50 limiter (repro: 80 parallel GETs -> 28x 429).

Same remedy as ha-sofia, ActualBudget, noVNC, tripit, health and authentik: dedicated dawarich-rate-limit middleware (average 100 / burst 1000) + skip_default_rate_limit on the dawarich ingress.

Also updates the networking.md middleware enumerations (adding the previously undocumented tripit/health limiters alongside dawarich).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
parent 91d0213d1a
commit 21afae85c9
3 changed files with 38 additions and 4 deletions
|
|
@ -16,7 +16,7 @@ resource "kubernetes_namespace" "dawarich" {
|
|||
name = "dawarich"
|
||||
labels = {
|
||||
"istio-injection" : "disabled"
|
||||
tier = local.tiers.edge
|
||||
tier = local.tiers.edge
|
||||
"keel.sh/enrolled" = "true"
|
||||
}
|
||||
}
|
||||
|
|
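Review bot: the labels map in this hunk mixes separators: `"istio-injection" : "disabled"` uses `:` while `tier` and `"keel.sh/enrolled"` use `=`. The removed and added `tier = local.tiers.edge` lines read the same here, so the change looks like alignment only; since the block is being touched anyway, switch the `istio-injection` entry to `=` so the map is consistent.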
@ -330,7 +330,7 @@ resource "kubernetes_deployment" "dawarich" {
|
|||
}
|
||||
lifecycle {
|
||||
ignore_changes = [
|
||||
spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
|
||||
spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
|
||||
spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE — Keel manages tag updates
|
||||
metadata[0].annotations["keel.sh/policy"],
|
||||
metadata[0].annotations["keel.sh/trigger"],
|
||||
|
|
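Review bot: the `dns_config` entry in `ignore_changes` appears as both the removed and the added line with the same content, so this looks like a formatter realignment unrelated to the rate-limit change the commit message describes. Consider moving formatting-only edits to a separate commit so the functional diff stays easy to audit. Separately, the two `keel.sh` annotation entries carry no marker comment like the `KYVERNO_LIFECYCLE_V1` and `KEEL_IGNORE_IMAGE` lines above them, which makes it harder to find out later why they are ignored.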
@ -458,6 +458,13 @@ module "ingress" {
|
|||
namespace = kubernetes_namespace.dawarich.metadata[0].name
|
||||
name = "dawarich"
|
||||
tls_secret_name = var.tls_secret_name
|
||||
# Rails serves all its fingerprinted assets itself and the map view adds an
|
||||
# API burst per page load — the default 10/50 limiter 429s the asset tail
|
||||
# from a single client IP (and risks dropping OwnTracks/mobile ingestion
|
||||
# POSTs on the same host). Dedicated 100/1000 limiter defined in
|
||||
# stacks/traefik/modules/traefik/middleware.tf.
|
||||
skip_default_rate_limit = true
|
||||
extra_middlewares = ["traefik-dawarich-rate-limit@kubernetescrd"]
|
||||
extra_annotations = {
|
||||
"gethomepage.dev/enabled" = "true"
|
||||
"gethomepage.dev/name" = "Dawarich"
|
||||
|
|
|
|||
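Review bot: `skip_default_rate_limit = true` together with `extra_middlewares` swaps the limiter for every path on this ingress, not only the asset tail the comment describes, so any login or API endpoints on the same host also get the 100/1000 budget per client IP. If that is intended, say so in the comment; otherwise consider keeping a tighter limiter on the sensitive paths. The middleware is also referenced by a bare string, `"traefik-dawarich-rate-limit@kubernetescrd"`, so a rename or a missed apply in stacks/traefik/modules/traefik/middleware.tf is not caught at plan time, and with the default limiter skipped that would leave this host without a working limiter. An output or shared local for the middleware name would make the cross-stack dependency explicit.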