Flexible management of map, geo and rate_limit instances
This patch gives full flexibility in managing the mentioned instances
in nginx configurations.
Co-Authored-By: Oleksandr Bryndzii <obryndzii@mirantis.com>
Related-Prod: PROD-24400
Change-Id: Iebdc66351c24c9c847d6d4d0c6d4efcf1b1a57ae
diff --git a/README.rst b/README.rst
index eadade3..0e04cf8 100644
--- a/README.rst
+++ b/README.rst
@@ -271,41 +271,149 @@
name: gitlab.domain.com
port: 80
-Proxy with rate limiting scheme:
+Use nginx `ngx_http_map_module` that creates variables whose values depend on
+values of other variables.
.. code-block:: yaml
- _dollar: '$'
+ nginx:
+ server:
+ enabled: true
+ map:
+ enabled: true
+ items:
+ mymap:
+ enabled: true
+ string: input_string
+ variable: output_map_variable
+ body:
+ default:
+ value: '""'
+ example.com:
+ value: '1'
+ example.org:
+ value: '2'
+
+Use nginx `ngx_http_geo_module module` that creates variables with values
+depending on the client IP address.
+
+.. code-block:: yaml
+
+ nginx:
+ server:
+ enabled: true
+ geo:
+ enabled: true
+ items:
+ my_geo_map:
+ enabled: true
+ variable: output_get_variable
+ body:
+ default:
+ value: '""'
+ cl1
+ name: 10.12.100.1/32
+ value: '1'
+ cl2
+ name: 10.13.0.0/16
+ value: 2'
+
+Use `ngx_http_limit_req_module` module that is used to limit the request
+processing rate per a defined key, in particular, the processing rate of
+requests coming from a single IP address. The limitation is done using
+the `leaky bucket` method.
+The `limit_req_module` might be configured globally or applied to specific
+nginx site.
+
+.. code-block:: yaml
+
+ nginx:
+ server:
+ limit_req_module:
+ limit_req_zone:
+ global_limit_ip_zone:
+ key: global_limit_ip_var
+ size: 10m
+ rate: '1r/s'
+ limit_req_status: 503
+ limit_req:
+ global_limit_zone:
+ burst: 5
+ enabled: true
+
+There is an example to to limit requests to all sites based on IP.
+In the following example all clients are limited except of 10.12.100.1
+with 1 req per second.
+
+#. Create geo instance that will match IP and set `limit_action` var.
+ "0" - is unlimited, 1 - limited
+
+#. Create a `global_geo_limiting_map` that will map `ip_limit_key` to
+ `ip_limit_action`
+
+#. Create global `limit_req_zone` called `global_limit_zone` that limits
+ number of requests to 1r/s
+
+#. Apply `global_limit_zone` globally to all requests with 5 req burst.
+
+.. code-block:: yaml
+
+ nginx:
+ server:
+ enabled: true
+ geo:
+ enabled: true
+ items:
+ global_geo_limiting:
+ enabled: true
+ variable: ip_limit_key
+ body:
+ default:
+ value: '1'
+ unlimited_client1:
+ name: '10.12.100.1/32'
+ value: '0'
+ map:
+ enabled: true
+ items:
+ global_geo_limiting_map:
+ enabled: true
+ string: ip_limit_key
+ variable: ip_limit_action
+ body:
+ limited:
+ name: 1
+ value: '$binary_remote_addr'
+ unlimited:
+ name: 0
+ value: '""'
+ limit_req_module:
+ limit_req_zone:
+ global_limit_zone:
+ key: ip_limit_action
+ size: 10m
+ rate: '1r/s'
+ limit_req_status: 503
+ limit_req:
+ global_limit_zone:
+ burst: 5
+ enabled: true
+
+To apply request limiting to particular site only `limit_req` should be
+applied on site level, for example:
+
+.. code-block:: yaml
+
nginx:
server:
site:
- nginx_proxy_site01:
- enabled: true
- type: nginx_proxy
- name: site01
- proxy:
- host: local.domain.com
- port: 80
- protocol: http
- host:
- name: gitlab.domain.com
- port: 80
- limit:
- enabled: True
- ip_whitelist:
- - 127.0.0.1
- burst: 600
- rate: 10r/s
- nodelay: True
- subfilters:
- heavy_url:
- input: ${_dollar}{binary_remote_addr}${_dollar}{request_uri}
- mode: blacklist
- items:
- - "~.*servers/detail[?]name=.*&status=ACTIVE"
- rate: 2r/m
- burst: 2
- nodelay: True
+ nginx_proxy_openstack_api_keystone:
+ limit_req_module:
+ limit_req:
+ global_limit_zone:
+ burst: 5
+ enabled: true
+
Gitlab server with user for basic auth:
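Review bot: The geo example added to the README will not parse as YAML: the `cl1` and `cl2` keys are missing their trailing colon and the last value is written `2'` with no opening quote, so a pillar copied from here fails to render; please change them to `cl1:`, `cl2:` and `value: '2'`. In the first `limit_req_module` example the zone is defined as `global_limit_ip_zone` while `limit_req` references `global_limit_zone`, so the limit points at a zone that the example never declares; the two names should match, as they do in the full example below it. Step 1 of the procedure says the geo instance sets `limit_action`, but the example sets `ip_limit_key` and the map produces `ip_limit_action`, so the step text should use the names from the example. It would also help to state why the `unlimited` map entry returns `'""'`: nginx does not account requests whose limit key is empty, which is what exempts 10.12.100.1 here. The hunk drops the documentation of the old per-site `limit:` keys (`ip_whitelist`, `subfilters`, `nodelay`) without saying whether they are still honoured; a short migration note would keep operators from silently losing a rate limit they rely on. Smaller points: `ngx_http_geo_module module` has the word "module" inside the backticks, "to to" is doubled, `output_get_variable` reads like a typo in a geo example, `name: 1` and `name: 0` are unquoted while the geo values they match are quoted strings, and single backticks in reST are interpreted text rather than inline literals, so the module and variable names should use double backticks.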