Activity log for bug #1918439

Date Who What changed Old value New value Message
2021-03-10 14:50:11 Benjamin Allot bug added bug
2021-03-10 14:50:25 Benjamin Allot bug added subscriber The Canonical Sysadmins
2022-04-06 09:58:31 Tom Haddon content-cache-charm: status New Confirmed
2022-04-06 09:58:33 Tom Haddon content-cache-charm: importance Undecided Medium
2022-04-07 00:14:17 Haw Loeung description

Old value:

We had a situation where a small subset of IPs was generating a lot of requests, causing service disruption

```
Number of request | IP
60645 | 150.136.170.161
1577168 | 150.136.216.209
1425381 | 150.136.228.9
866199 |150.136.33.22
```

We should add a rate limit per IP (or at least an option allowing it) in either haproxy or iptables to prevent this kind of thing from happening.

For haproxy:

* https://www.haproxy.com/blog/bot-protection-with-haproxy/#vulnerability-scanners
* https://www.haproxy.com/blog/four-examples-of-haproxy-rate-limiting/

For iptables, using the hashlimit extension seems relevant for the purpose here.

* http://manpages.ubuntu.com/manpages/xenial/man8/iptables-extensions.8.html

The thresholds are yet to be determined, but at least not allowing 100 connections from a single IP in a short period of time seems a good start.

New value:

We had a situation where a small subset of IPs was generating a lot of requests, causing service disruption

```
Number of request | IP
  60645 | 150.136.170.161
1577168 | 150.136.216.209
1425381 | 150.136.228.9
 866199 | 150.136.33.22
```

We should add a rate limit per IP (or at least an option allowing it) in either haproxy or iptables to prevent this kind of thing from happening.

For haproxy:

* https://www.haproxy.com/blog/bot-protection-with-haproxy/#vulnerability-scanners
* https://www.haproxy.com/blog/four-examples-of-haproxy-rate-limiting/

For iptables, using the hashlimit extension seems relevant for the purpose here.

* http://manpages.ubuntu.com/manpages/xenial/man8/iptables-extensions.8.html

The thresholds are yet to be determined, but at least not allowing 100 connections from a single IP in a short period of time seems a good start.

2023-02-27 04:42:22 Haw Loeung content-cache-charm: status Confirmed In Progress
2023-02-27 04:42:25 Haw Loeung content-cache-charm: assignee Haw Loeung (hloeung)
2023-04-14 03:06:50 Haw Loeung merge proposal linked https://code.launchpad.net/~hloeung/content-cache-charm/+git/content-cache-charm/+merge/441030
2023-04-14 03:44:12 Haw Loeung content-cache-charm: status In Progress Fix Committed
2023-04-14 04:51:31 Haw Loeung content-cache-charm: status Fix Committed Fix Released