nginz: enable unlimited_requests_endpoint for authenticated requests, too (#3138)

jschaul · web-flow · commit 4c39f7d2faf3 · 2023-03-28T13:51:25.000+02:00
Fix a rate-limit exemption whereby authenticated endpoints did not get the unlimited_requests_endpoint, if set, applied. This is a concern for the webapp and calls to /assets, which can happen in larger numbers on initial loading. A previous change in [this PR](#2786) had no effect. This PR also increases default rate limits, to compensate for [new ingress controller chart](#3140 default topologyAwareRouting.
diff --git a/changelog.d/3-bug-fixes/rate-limit-adjustments b/changelog.d/3-bug-fixes/rate-limit-adjustments
@@ -0,0 +1 @@
+Fix a rate-limit exemption whereby authenticated endpoints did not get the unlimited_requests_endpoint, if set, applied. This is a concern for the webapp and calls to /assets, which can happen in larger numbers on initial loading. A previous change in [this PR](https://github.com/wireapp/wire-server/pull/2786) had no effect. This PR also increases default rate limits, to compensate for [new ingress controller chart](https://github.com/wireapp/wire-server/pull/3140)'s default topologyAwareRouting.
diff --git a/charts/nginz/templates/conf/_nginx.conf.tpl b/charts/nginz/templates/conf/_nginx.conf.tpl
@@ -162,8 +162,6 @@ http {
   limit_req_log_level warn;
   limit_conn_log_level warn;
 
-  # Limit by $zauth_user if present and not part of rate limit exemptions
-  limit_req zone=reqs_per_user burst=20;
   limit_conn conns_per_user 25;
 
   #
@@ -257,6 +255,12 @@ http {
         limit_conn conns_per_addr 20;
                 {{- end }}
               {{- end }}
+            {{- else }}
+              {{- if ($location.unlimited_requests_endpoint) }}
+                 # Note that this endpoint has no rate limit per user for authenticated requests
+              {{- else }}
+                 limit_req zone=reqs_per_user burst=20;
+              {{- end }}
             {{- end }}
 
             {{- if ($location.oauth_scope) }}
diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml
@@ -56,8 +56,8 @@ nginx_conf:
   - /search/common
 
   default_client_max_body_size: "256k"
-  rate_limit_reqs_per_user: "10r/s"
-  rate_limit_reqs_per_addr: "5r/m"
+  rate_limit_reqs_per_user: "30r/s"
+  rate_limit_reqs_per_addr: "15r/m"
 
   # This value must be a list of strings. Each string is copied verbatim into
   # the nginx.conf after the default 'limit_req_zone' directives. This should be

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Fix a rate-limit exemption whereby authenticated endpoints did not get the unlimited_requests_endpoint, if set, applied. This is a concern for the webapp and calls to /assets, which can happen in larger numbers on initial loading. A previous change in [this PR](https://github.com/wireapp/wire-server/pull/2786) had no effect. This PR also increases default rate limits, to compensate for [new ingress controller chart](https://github.com/wireapp/wire-server/pull/3140)'s default topologyAwareRouting.