From a0e82a353b508c2517d0abea9e54f2208fad8710 Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Mon, 4 Mar 2024 14:15:03 +0100
Subject: [PATCH 1/3] charts/nginz: Rate limiting claiming MLS key-pacakges by requesting and target user
When creating a conversation a client needs to get a lot of key packages, each for a different user. If we merely just bump the limit for this endpoint, we will allow for DoS by someone targetting a particular user. So here we rate limit by ensuring that the target user is included in the rate limiting key.
---
 charts/nginz/templates/conf/_nginx.conf.tpl | 5 +++++
 charts/nginz/values.yaml | 6 ++++++
 2 files changed, 11 insertions(+)
diff --git a/charts/nginz/templates/conf/_nginx.conf.tpl b/charts/nginz/templates/conf/_nginx.conf.tpl
index d2c92d579b2..33d532b41bb 100644
--- a/charts/nginz/templates/conf/_nginx.conf.tpl
+++ b/charts/nginz/templates/conf/_nginx.conf.tpl
@@ -125,6 +125,11 @@ http {
 0 "";
 }
+ map $rate_limit $rate_limited_by_zuser_path {
+ 1 "$zauth_user$uri";
+ 0 "";
+ }
+
 map $http_origin $cors_header {
 default "";
 {{ range $origin := .Values.nginx_conf.allowlisted_origins }}
diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml
index a5b8e568c6a..92427cccbd1 100644
--- a/charts/nginz/values.yaml
+++ b/charts/nginz/values.yaml
@@ -67,6 +67,7 @@ nginx_conf:
 user_rate_limit_request_zones:
 - limit_req_zone $rate_limited_by_addr zone=reqs_per_addr_sso:12m rate=50r/s;
 - limit_req_zone $rate_limited_by_zuser zone=reqs_per_user_signatures:12m rate=10r/m;
+ - limit_req_zone $rate_limited_by_zuser_path zone=key_package_claims:12m rate=100r/m;
 # The origins from which we allow CORS requests. These are combined with
 # 'external_env_domain' and 'additional_external_env_domains' to form a full
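Review bot: The key `"$zauth_user$uri"` in the new `$rate_limited_by_zuser_path` map is only as canonical as `$uri`, and the map carries no comment saying what it is for. nginx normalises `$uri` and leaves the query string out, which makes it a better choice than `$request_uri`, but any two spellings of the same target path that the backend accepts would still be counted in separate buckets; whether the backend accepts such spellings is not visible in this patch. I would add a comment above the map, for example `# Key = requesting user + normalised path; use only on locations whose path names the target user.`, and confirm that non-canonical paths are rejected upstream. The enclosing `http` block starts and ends outside the hunk.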
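Review bot: The `key_package_claims` zone on the added line copies the `12m` size of the per-user zones, although its key is the requesting user plus the whole path, so it holds one longer entry per (requester, target) pair instead of one per user. nginx drops the least recently used state when a zone fills up, which resets that pair's counter, so an undersized zone weakens the limit exactly when traffic is heaviest. I would either size the zone from the expected number of active pairs or record the assumption next to it, e.g. `# 12m: sized for N active requester/target pairs (placeholder, confirm)`. The limit is also per requester: the combined claim rate against one target from many accounts is not bounded by this zone, so the DoS concern in the commit message is reduced rather than removed.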
@@ -209,6 +210,11 @@ nginx_conf:
 - path: /clients
 envs:
 - all
+ - path: /mls/key-packages/claim
+ envs:
+ - all
+ specific_user_rate_limit: key_package_claims
+ specific_user_rate_limit_burst: 100
 - path: /mls/key-packages
 envs:
 - all
From 4154bc69830614c2eb35480c83fe2b1e2fca7e0a Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Mon, 4 Mar 2024 14:22:27 +0100
Subject: [PATCH 2/3] charts/nginz: Allow 3000 reqs/m on /conversations/one2one/:user_domain/:user
During migration from proteus to MLS, this endpoint gets called for every connection. Slowing it down just causes login to take very long.
---
 charts/nginz/values.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml
index 92427cccbd1..e661490112d 100644
--- a/charts/nginz/values.yaml
+++ b/charts/nginz/values.yaml
@@ -68,6 +68,7 @@ nginx_conf:
 - limit_req_zone $rate_limited_by_addr zone=reqs_per_addr_sso:12m rate=50r/s;
 - limit_req_zone $rate_limited_by_zuser zone=reqs_per_user_signatures:12m rate=10r/m;
 - limit_req_zone $rate_limited_by_zuser_path zone=key_package_claims:12m rate=100r/m;
+ - limit_req_zone $rate_limited_by_zuser zone=one2one_conv:12m rate=3000r/m;
 # The origins from which we allow CORS requests. These are combined with
 # 'external_env_domain' and 'additional_external_env_domains' to form a full
@@ -446,6 +447,15 @@ nginx_conf:
 - all
 max_body_size: 40m
 body_buffer_size: 256k
+ - path: /conversations/one2one/
+ envs:
+ - all
+ # During MLS migration, this endpoint gets called _a lot_.
+ specific_user_rate_limit: one2one_conv
+ specific_user_rate_limit_burst: 1000
+ # The name is a little misleading, this just disables default rate
+ # limiting in favour of the specific one defined above.
+ unlimited_requests_endpoint: true
 - path: /conversations/([^/]*)/([^/]*)/protocol
 envs:
 - all
From 44d30d74888fba52c9dc576b172a50f8f7a98b6d Mon Sep 17 00:00:00 2001
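Review bot: The new `/mls/key-packages/claim` entry does not set `unlimited_requests_endpoint: true`, while the `/conversations/one2one/` entry added in patch 2/3 sets it with a comment saying that it disables the default rate limiting in favour of the specific one. If that comment describes the template correctly, the default per-user limit still applies here alongside `key_package_claims`; that is the safer reading, but it would keep a client that claims packages for many different users throttled by the default limit, contrary to the commit message. Please state the intent in a comment, e.g. `# Default per-user limit still applies; key_package_claims additionally caps claims per target.`, or add the flag if the default is meant to be replaced. Whether a burst of 100 against a single target is acceptable depends on how many key packages a client keeps available, which this patch does not show.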
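Review bot: With `unlimited_requests_endpoint: true` the `/conversations/one2one/` entry is governed only by the `one2one_conv` zone added in the `@@ -68,6 +68,7 @@` hunk (`rate=3000r/m`, burst 1000), and nothing marks this relaxation as tied to the migration that motivates it. A chart default outlives the migration, so I would add a reminder next to the existing comment, such as `# TODO: tighten one2one_conv once the proteus-to-MLS migration is complete.`. The path is also a bare prefix where the subject names `/conversations/one2one/:user_domain/:user`; how the template matches `path` is not visible here, so it is worth confirming that no other route under that prefix inherits the relaxed limit.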
From: Akshay Mankar
Date: Mon, 4 Mar 2024 14:28:48 +0100
Subject: [PATCH 3/3] changelog
---
 changelog.d/2-features/claim-key-packages-rate-limit | 1 +
 changelog.d/2-features/one2one-rate-limit | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 changelog.d/2-features/claim-key-packages-rate-limit
 create mode 100644 changelog.d/2-features/one2one-rate-limit
diff --git a/changelog.d/2-features/claim-key-packages-rate-limit b/changelog.d/2-features/claim-key-packages-rate-limit
new file mode 100644
index 00000000000..909a084348c
--- /dev/null
+++ b/changelog.d/2-features/claim-key-packages-rate-limit
@@ -0,0 +1 @@
+charts/nginz: Rate limiting claiming MLS key-pacakges by requesting and target user
\ No newline at end of file
diff --git a/changelog.d/2-features/one2one-rate-limit b/changelog.d/2-features/one2one-rate-limit
new file mode 100644
index 00000000000..355ca6eb253
--- /dev/null
+++ b/changelog.d/2-features/one2one-rate-limit
@@ -0,0 +1 @@
+charts/nginz: Allow 3000 reqs/min on /conversations/one2one/:user_domain/:user
\ No newline at end of file