dawarich: dedicated 100/1000 Traefik rate limit (default 10/50 429'd page loads)
All checks were successful
ci/woodpecker/push/default Pipeline was successful
Viktor saw dawarich throwing 429s through Traefik and asked to loosen the burst for it. The access log confirms the burst pattern: one page load fires the whole fingerprinted-asset tail (SVG store badges, favicons, webmanifest) from a single client IP and trips the default 10 req/s / burst 50 limiter (repro: 80 parallel GETs -> 28x 429).

Same remedy as ha-sofia, ActualBudget, noVNC, tripit, health and authentik: dedicated dawarich-rate-limit middleware (average 100 / burst 1000) + skip_default_rate_limit on the dawarich ingress.

Also updates the networking.md middleware enumerations (adding the previously undocumented tripit/health limiters alongside dawarich).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
91d0213d1a
commit
21afae85c9
3 changed files with 38 additions and 4 deletions
|
|
@ -368,6 +368,33 @@ resource "kubernetes_manifest" "middleware_authentik_rate_limit" {
|
|||
depends_on = [helm_release.traefik]
|
||||
}
|
||||
|
||||
# Dawarich-specific rate limit. The Rails app serves all its fingerprinted
|
||||
# assets itself (JS/CSS chunks, SVG store badges, favicons, webmanifest) and
|
||||
# the map view adds a points/API burst on load — a single page load from one
|
||||
# client IP blows past the default 10/50 limiter and 429s the asset tail
|
||||
# (seventh instance of the burst pattern, after ha-sofia, ActualBudget, noVNC,
|
||||
# tripit, health and authentik). Background location ingestion (OwnTracks
|
||||
# bridge + mobile api_key POSTs) rides the same host, so 429s here also risk
|
||||
# dropped pings. Burst absorbs a couple of full page loads back-to-back.
|
||||
resource "kubernetes_manifest" "middleware_dawarich_rate_limit" {
|
||||
manifest = {
|
||||
apiVersion = "traefik.io/v1alpha1"
|
||||
kind = "Middleware"
|
||||
metadata = {
|
||||
name = "dawarich-rate-limit"
|
||||
namespace = kubernetes_namespace.traefik.metadata[0].name
|
||||
}
|
||||
spec = {
|
||||
rateLimit = {
|
||||
average = 100
|
||||
burst = 1000
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
depends_on = [helm_release.traefik]
|
||||
}
|
||||
|
||||
# Compress responses to clients at the entrypoint level (outermost).
|
||||
# Applied at websecure entrypoint so all responses get compressed.
|
||||
# Uses includedContentTypes (whitelist) instead of excludedContentTypes:
|
||||
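Review bot: `burst = 1000` in the new `rateLimit` spec is not justified by the numbers on this page: the commit message reproduces the problem with 80 parallel GETs, while the comment only says the burst "absorbs a couple of full page loads" without stating how many requests one page load is. Please record the measured request count per page load in the comment and size `burst` from it, so the next reader can tell whether 1000 is headroom or an unbounded allowance. The comment also notes that the api_key POSTs ride the same host, and the spec has only `average` and `burst` with no narrowing, so the relaxed limit covers those authenticated requests as well as the static asset tail; if the ingress can be split by path, keep the tighter limiter on the API routes and apply this one to the asset paths only. As a style point, the comment calls this the seventh copy of the same resource; a single `for_each` over a map of name, average and burst would keep the limiters consistent and make the per-service values reviewable in one place.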