On 4/14/20 6:25 PM, Jason Sherman wrote:
I was wondering if you were planning on exposing some kind of rate-limiting
option for the web proxies in horizon? I'm thinking this will effectively mean
no more rate-limiting per remote address at the instance level. Every once in a
while, our project gets hammered by script kiddies and our application service
gets brought down. I've gone ahead and implemented rate limiting in nginx that
has a very high limit set across all ip addresses that should basically work,
but typically I would set the limits to be per-client-ip to the extent allowed
by the practicalities of NAT. This is not a blocker in any way for us, and I'd
rather make do with less user info wherever possible.
What you did seems correct to me, that is, implementing the controls on your own
That being said, I understand your concern. We have mechanisms in place for
banning concrete abusers. If we detected a more wide-spread problems we could
introduce other mechanisms and controls to ensure service availability.
Should you detect someone is hammering your servers in CloudVPS, please contact us.
Arturo Borrero Gonzalez
SRE / Wikimedia Cloud Services