add dddos protection in ingress factory [ci skip]

2025-01-16 22:08:19 +00:00 · 2025-01-16 22:08:19 +00:00 · 7e1a28fb27
commit 7e1a28fb27
parent 842f7a961a
1 changed files with 12 additions and 0 deletions
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@ -85,6 +85,18 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
      "nginx.ingress.kubernetes.io/proxy-connect-timeout" : var.proxy_timeout
      "nginx.ingress.kubernetes.io/proxy-send-timeout" : var.proxy_timeout
      "nginx.ingress.kubernetes.io/proxy-read-timeout" : var.proxy_timeout
+      "nginx.ingress.kubernetes.io/proxy-buffering" : "on"
+
+      # DDOS protection
+      "nginx.ingress.kubernetes.io/limit-connections" : 5
+      "nginx.ingress.kubernetes.io/limit-rps" : 2
+      "nginx.ingress.kubernetes.io/limit-rpm" : 5
+      "nginx.ingress.kubernetes.io/limit-burst-multiplier" : 10
+      "nginx.ingress.kubernetes.io/limit-rate-after" : 10
+      "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
+        limit_req_status 429;
+        limit_conn_status 429;
+      EOF

    }, var.extra_annotations)
  }