New to Voyager? Please start here.
Rate limiting
You can define a limit on the connections that can be opened by a single client IP address through annotations. This can be used to mitigate DDoS Attacks.
ingress.appscode.com/limit-connection
: number of concurrent connections allowed from a single IP address.ingress.appscode.com/limit-rps
: number of connections that may be accepted from a given IP each second.ingress.appscode.com/limit-rpm
: number of connections that may be accepted from a given IP each minute.
These rules will be applied globally to all frontends. Note that, limit-rpm
will takes precedence if you specify both limit-rpm
and limit-rps
.
Ingress Example
apiVersion: voyager.appscode.com/v1
kind: Ingress
metadata:
name: test-ingress
namespace: default
annotations:
ingress.appscode.com/limit-connection: "3"
ingress.appscode.com/limit-rpm: "15"
spec:
rules:
- host: voyager.appscode.test
http:
paths:
- path: /foo
backend:
service:
name: test-server
port:
number: 80
Generated haproxy.cfg:
# HAProxy configuration generated by https://github.com/appscode/voyager
# DO NOT EDIT!
global
daemon
stats socket /tmp/haproxy
server-state-file global
server-state-base /var/state/haproxy/
# log using a syslog socket
log /dev/log local0 info
log /dev/log local0 notice
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
hard-stop-after 30s
defaults
log global
# https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20abortonclose
# https://github.com/voyagermesh/voyager/pull/403
option dontlognull
option http-server-close
# Timeout values
timeout client 50s
timeout client-fin 50s
timeout connect 5s
timeout server 50s
timeout tunnel 50s
# Configure error files
# default traffic mode is http
# mode is overwritten in case of tcp services
mode http
frontend http-0_0_0_0-80
bind *:80
mode http
stick-table type ip size 100k expire 2m store conn_cur
acl __mark_as_overload_conn__ sc1_conn_cur gt 3
tcp-request content track-sc1 src
http-request deny if __mark_as_overload_conn__
tcp-request inspect-delay 5s
stick-table type ip size 1m expire 5m store conn_rate(60s)
acl __mark_as_overload__ sc1_conn_rate gt 15
tcp-request content track-sc1 src
http-request deny if __mark_as_overload__
option httplog
option forwardfor
acl is_proxy_https hdr(X-Forwarded-Proto) https
acl acl_voyager.appscode.test hdr(host) -i voyager.appscode.test
acl acl_voyager.appscode.test hdr(host) -i voyager.appscode.test:80
acl acl_voyager.appscode.test:foo path_beg /foo
use_backend test-server.default:80 if acl_voyager.appscode.test acl_voyager.appscode.test:foo
backend test-server.default:80
server pod-test-server-68ddc845cd-6rnwn 172.17.0.4:80