Merge pull request #7121 from Budibase/proxy-env-support-and-webhook-limiting

Add separate rate limiting config for webhooks + environment variable support
2022-08-10 09:00:20 +01:00 · 2022-08-10 09:00:20 +01:00 · ae5f0464b5
parent 022054389a c94d916050
commit ae5f0464b5
3 changed files with 38 additions and 3 deletions
--- a/hosting/docker-compose.yaml
+++ b/hosting/docker-compose.yaml
@ -75,7 +75,9 @@ services:
    ports:
      - "${MAIN_PORT}:10000"
    container_name: bbproxy
-    image: budibase/proxy
+    image: proxy-service
+    environment:
+      - PROXY_RATE_LIMIT_WEBHOOKS_PER_SECOND=10
    depends_on:
      - minio-service
      - worker-service
--- a/hosting/nginx.prod.conf.hbs
+++ b/hosting/nginx.prod.conf.hbs
@ -9,7 +9,11 @@ events {
 }

 http {
+  # rate limiting
+  limit_req_status 429;
  limit_req_zone $binary_remote_addr zone=ratelimit:10m rate=20r/s;
+  limit_req_zone $binary_remote_addr zone=webhooks:10m rate=${PROXY_RATE_LIMIT_WEBHOOKS_PER_SECOND}r/s;
+
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;
  proxy_set_header Host $host;
@ -126,6 +130,25 @@ http {
      proxy_pass      http://$apps:4002;
    }

+    location /api/webhooks/ {
+      # calls to webhooks are rate limited
+      limit_req zone=webhooks nodelay;
+
+      # Rest of configuration copied from /api/ location above
+      # 120s timeout on API requests
+      proxy_read_timeout 120s;
+      proxy_connect_timeout 120s;
+      proxy_send_timeout 120s;
+
+      proxy_http_version  1.1;
+      proxy_set_header    Connection          $connection_upgrade;
+      proxy_set_header    Upgrade             $http_upgrade;
+      proxy_set_header    X-Real-IP           $remote_addr;
+      proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+
+      proxy_pass      http://$apps:4002;
+    }
+
    location /db/ {
      proxy_pass      http://$couchdb:5984;
      rewrite ^/db/(.*)$ /$1 break;
--- a/hosting/proxy/Dockerfile
+++ b/hosting/proxy/Dockerfile
@ -1,3 +1,13 @@
 FROM nginx:latest
-COPY .generated-nginx.prod.conf /etc/nginx/nginx.conf
-COPY error.html /usr/share/nginx/html/error.html
+
+# nginx.conf
+# use the default nginx behaviour for *.template files which are processed with envsubst
+# override the output dir to output directly to /etc/nginx instead of /etc/nginx/conf.d
+ENV NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx
+COPY .generated-nginx.prod.conf /etc/nginx/templates/nginx.conf.template
+
+# Error handling
+COPY error.html /usr/share/nginx/html/error.html
+
+# Default environment
+ENV PROXY_RATE_LIMIT_WEBHOOKS_PER_SECOND=10