2021-03-10 14:50:11 |
Benjamin Allot |
bug |
|
|
added bug |
2021-03-10 14:50:25 |
Benjamin Allot |
bug |
|
|
added subscriber The Canonical Sysadmins |
2022-04-06 09:58:31 |
Tom Haddon |
content-cache-charm: status |
New |
Confirmed |
|
2022-04-06 09:58:33 |
Tom Haddon |
content-cache-charm: importance |
Undecided |
Medium |
|
2022-04-07 00:14:17 |
Haw Loeung |
description |
We had a situation where a small subset of IPs was generating a lot of requests, causing service disruption.
```
Number of request | IP
60645 | 150.136.170.161
1577168 | 150.136.216.209
1425381 | 150.136.228.9
866199 |150.136.33.22
```
We should add a rate limit per IP (or at least an option to allow it) in either haproxy or iptables to prevent this kind of thing from happening.
For haproxy:
* https://www.haproxy.com/blog/bot-protection-with-haproxy/#vulnerability-scanners
* https://www.haproxy.com/blog/four-examples-of-haproxy-rate-limiting/
For iptables, using the hashlimit extension seems relevant for the purpose here.
* http://manpages.ubuntu.com/manpages/xenial/man8/iptables-extensions.8.html
The thresholds are yet to be determined, but at least not allowing 100 connections from a single IP in a short period of time seems a good start. |
We had a situation where a small subset of IPs was generating a lot of requests, causing service disruption.
```
Number of request | IP
60645 | 150.136.170.161
1577168 | 150.136.216.209
1425381 | 150.136.228.9
866199 | 150.136.33.22
```
We should add a rate limit per IP (or at least an option to allow it) in either haproxy or iptables to prevent this kind of thing from happening.
For haproxy:
* https://www.haproxy.com/blog/bot-protection-with-haproxy/#vulnerability-scanners
* https://www.haproxy.com/blog/four-examples-of-haproxy-rate-limiting/
For iptables, using the hashlimit extension seems relevant for the purpose here.
* http://manpages.ubuntu.com/manpages/xenial/man8/iptables-extensions.8.html
The thresholds are yet to be determined, but at least not allowing 100 connections from a single IP in a short period of time seems a good start. |
|
2023-02-27 04:42:22 |
Haw Loeung |
content-cache-charm: status |
Confirmed |
In Progress |
|
2023-02-27 04:42:25 |
Haw Loeung |
content-cache-charm: assignee |
|
Haw Loeung (hloeung) |
|
2023-04-14 03:06:50 |
Haw Loeung |
merge proposal linked |
|
https://code.launchpad.net/~hloeung/content-cache-charm/+git/content-cache-charm/+merge/441030 |
|
2023-04-14 03:44:12 |
Haw Loeung |
content-cache-charm: status |
In Progress |
Fix Committed |
|
2023-04-14 04:51:31 |
Haw Loeung |
content-cache-charm: status |
Fix Committed |
Fix Released |
|