lucaslorentz / caddy-docker-proxy

Caddy as a reverse proxy for Docker
MIT License

rate-limit: Do we need to build our own caddy-docker-proxy image? #612

Closed sowinski closed 3 months ago

sowinski commented 5 months ago

Hi,

Is it correct that we have to build our own build to integrate rate limit, or am I missing something?

Thank you :)

francislavoie commented 5 months ago

Yes, to add additional plugins you need to write your own Dockerfile. See the README for an example. https://github.com/lucaslorentz/caddy-docker-proxy?tab=readme-ov-file#custom-images

sowinski commented 3 months ago

Hi @francislavoie, I built my own image and I can see that it is successfully built with this module. (Here you can see my Dockerfile: https://github.com/lucaslorentz/caddy-docker-proxy/issues/626#issuecomment-2149417344)

If I run my setup locally with a statically defined route, it works fine:

This is my Caddyfile for my local setup:

{
    auto_https off
    order rate_limit before basicauth
}

:80
rate_limit {
    distributed
    zone dynamic_global {
        key    {remote_host}
        window 60s
        events 75
    }
}

whoami.example.com:80 {
    reverse_proxy 172.22.0.3:80
}

But if I want to use this in production with the caddy-docker-proxy container "discovery" functionality with labels, it is not working. Dockerfile for production:

{
    order rate_limit before basicauth
}

:80
rate_limit {
    distributed
    zone dynamic_global {
        key    {remote_host}
        window 60s
        events 75
    }
}

And here is an example service with my labels:

...
labels:
      caddy: "www.example.com"
      caddy.log:
      caddy.reverse_proxy: "{{upstreams 8000}}"
      caddy.encode: "gzip"
...

Have you or someone else ever successfully used caddy-docker-proxy with the rate-limit plugin? (https://github.com/mholt/caddy-ratelimit)

francislavoie commented 3 months ago

Rate limit is a directive so it must go within a site block. You can't put it top level, otherwise Caddy will parse it as a site address. If you have two sites, then braces are required. If you use labels, then rate_limit is just another directive, like reverse_proxy etc.

sowinski commented 3 months ago

@francislavoie So I cannot set a global rate limit for all https calls? I need to add it to all containers manually with labels?

sowinski commented 3 months ago

Rate limit is a directive so it must go within a site block. This is what you mean, correct? To add it separately in each docker compose over labels?

Can you confirm that it is not possible to add a global rate limit for all containers/services in the main Caddyfile?

version: '3.7'
services:
  whoami:
    image: traefik/whoami
    networks:
      - caddy
    labels:
      caddy: "whoami.example.com"
      caddy.reverse_proxy: "{{upstreams 80}}"
      caddy.tls: "internal"
      caddy.rate_limit.distributed:
      caddy.rate_limit.zone: "dynamic_global"
      caddy.rate_limit.zone.key: "{remote_host}"
      caddy.rate_limit.zone.window: "1s"
      caddy.rate_limit.zone.events: "1"

networks:
  caddy:
    external: true

francislavoie commented 3 months ago

There's no such thing as global HTTP routes in Caddy. All HTTP routes must go within a site block.
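
The layout the replies above describe, as an added example that is not part of the original thread: the rate_limit block from the question is moved into a snippet and imported inside each site block, since it cannot sit at top level. The snippet name `rate_limited`, the second site and its upstream address are constructed, and the label form in the closing comment assumes `import` maps to a label like any other directive.

```caddyfile
# Added example, not from the thread. Addresses and the snippet name are constructed.
{
    auto_https off
    # rate_limit comes from a plugin, so it needs an explicit place in the directive order
    order rate_limit before basicauth
}

# A snippet is only a named fragment: it creates no route until a site imports it.
(rate_limited) {
    rate_limit {
        distributed
        zone dynamic_global {
            key    {remote_host}
            window 60s
            events 75
        }
    }
}

# Every site opts in from inside its own braces.
whoami.example.com:80 {
    import rate_limited
    reverse_proxy 172.22.0.3:80
}

www.example.com:80 {
    import rate_limited
    encode gzip
    reverse_proxy 172.22.0.4:8000
}

# Label form for a discovered container, assuming the snippet above is defined
# in the base Caddyfile that caddy-docker-proxy loads:
#   caddy: "www.example.com"
#   caddy.import: "rate_limited"
#   caddy.reverse_proxy: "{{upstreams 8000}}"
```

Whether zones that share a name also share counters across sites is plugin behaviour the thread does not cover; check the caddy-ratelimit documentation before relying on either outcome. A site that omits the import is served without any rate limit.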

sowinski commented 3 months ago

@francislavoie Thank you!