Closed komuw closed 2 years ago
I think we should have two (possibly more) ratelimiters;
I'm not sure whether we want to ratelimit by IP range. What if most requests are coming from the cloudflare IP range? It is not a co-ordinated attack, it is just unrelated customers of cloudflare.
I have tuned that to do rate limiting, circuit breaking (stop sending requests to an upstream when it returns too many errors), idle connection termination, and to shed load when a certain amount of memory is in use, so without any additional configuration for a new service behind the proxy it's somewhat difficult to get the proxy and other services to not respond at all.
I use a custom rate limit service to aggregate rate limits across a /24.
note: for the address 105.162.13.216, its /24 range is 105.162.13.0 to 105.162.13.255, and its CIDR is 105.162.13.0/24
In [1], it is argued that you could have multiple rate-limiters; one that limits per-ip, another that limits per /64, another per /48, etc.
See also [2] on how golang/pkgsite/ does ratelimiting.
see;
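The tiered scheme discussed in this issue (a per-IP limiter plus limiters aggregated over a /24 for IPv4 and over a /64 and /48 for IPv6), written out as an added example that is not code from this project or from the references the issue cites. The prefix lengths, the token-bucket rates and the sample addresses are assumptions chosen for illustration; a request is admitted only when every tier it falls into still has a token, so a burst from one /24 is throttled at the /24 tier even when each individual address stays under its own limit.

```python
import ipaddress
import time

# Assumed aggregation tiers per address family: the issue mentions per-IP,
# /24 for IPv4 and /64 plus /48 for IPv6.  Order is most specific first.
TIERS = {4: [32, 24], 6: [128, 64, 48]}


def bucket_keys(ip_str):
    """Return [(prefix_len, network_cidr)] for every tier an address falls into.

    bucket_keys("105.162.13.216") -> [(32, "105.162.13.216/32"), (24, "105.162.13.0/24")]
    """
    ip = ipaddress.ip_address(ip_str)
    return [
        (plen, str(ipaddress.ip_network((str(ip), plen), strict=False)))
        for plen in TIERS[ip.version]
    ]


class TokenBucket:
    """Classic token bucket: `burst` tokens capacity, refilled at `rate` per second."""

    def __init__(self, rate, burst, now):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.updated = now

    def has_token(self, now):
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.updated = now
        return self.tokens >= 1.0

    def take(self):
        self.tokens -= 1.0


class TieredLimiter:
    """Rate limiter that keys one bucket per (prefix_len, network) pair.

    `limits` maps a prefix length to (rate_per_second, burst).  Tiers that
    have no entry in `limits` are skipped, so {32: ..., 24: ...} gives a
    per-IP limiter plus a per-/24 limiter for IPv4 traffic.
    """

    def __init__(self, limits):
        self.limits = limits
        # Buckets are kept for the life of the process here; a real service
        # would evict idle entries (or back them with a shared store) so
        # that scanning many addresses cannot grow memory without bound.
        self.buckets = {}

    def allow(self, ip_str, now=None):
        """Return (allowed, denying_network).  Tokens are only consumed when
        every tier admits the request, so a denial at the /24 tier does not
        silently drain the per-IP bucket."""
        now = time.monotonic() if now is None else now
        to_charge = []
        for plen, net in bucket_keys(ip_str):
            if plen not in self.limits:
                continue
            bucket = self.buckets.get((plen, net))
            if bucket is None:
                rate, burst = self.limits[plen]
                bucket = self.buckets[(plen, net)] = TokenBucket(rate, burst, now)
            if not bucket.has_token(now):
                return False, net
            to_charge.append(bucket)
        for bucket in to_charge:
            bucket.take()
        return True, None


def demo():
    """Constructed traffic: each address may burst 5, the whole /24 may burst 8."""
    limiter = TieredLimiter({32: (1, 5), 24: (1, 8)})
    results = []
    for _ in range(6):                       # sixth request trips the per-IP tier
        results.append(limiter.allow("105.162.13.1", now=0.0))
    for _ in range(4):                       # fourth request trips the /24 tier
        results.append(limiter.allow("105.162.13.2", now=0.0))
    results.append(limiter.allow("203.0.113.9", now=0.0))   # different /24, admitted
    return results


if __name__ == "__main__":
    for allowed, denied_by in demo():
        print("allowed" if allowed else f"denied by {denied_by}")
```

Passing `now` explicitly keeps the logic deterministic for tests; in production the default `time.monotonic()` clock is used. The `denying_network` value is worth logging: a run of denials keyed on the same /24 is the signal that distinguishes one aggregated source from many unrelated clients behind a shared range, which is exactly the ambiguity raised above.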